UL 2900-1-2020 pdf free download.Software Cybersecurity for Network- Connectable Products, Part 1: General Requirements.
8.7The product shall enforce the principle of least privilege for every authorized role or user that can beauthenticated.
8.8 lf a communication session over a remote interface is lost or terminated, the product shall requirerenewed authentication prior to allowing access over the remote interface.Stored data from the previoussession shall not be used to simplifylease/partially bypass authentication/authorization mechanismsduring a new session creation.
8.9lf the product uses other mechanisms for authentication besides username and password,themechanism shall be such that the product’s authentication method cannot be bypassed using anyprocedure that uses less computation than exercising all elements of the set of values necessary forsystematic deduction of the authentication’s secret value(s).
NOTE 1:For example, if a key is used for authentication, then it shall require at least as many operations to circumvent the key as itis to determine the key.
NOTE 2: This requirement is intended to address the difficulty of bypassing. brute-forcing.or otherwise circumventing theauthentication system of the product.
Remote Communication
9.1 The product shall ensure the integrity and authenticity of all data communicated over any remoteinterface.For this, the product shall use security functions complying with the requirements in Appendix C.
Exception: Remote interfaces that report status, do not provide command and control functionality or donot transmit sensitive data, etc., may not require integrity and authenticity but will need to be documentedas per Section 12, Vendor Product Risk Management Process.
NOTE:Remote interface describes interaction points outslide the defined boundaries of the product subject to the requirements ofthis standard.
10Sensitive Data
10.1 The product shall ensure the confidentiality of all sensitive data and personally identifiable datainformation generated,stored, used or communicated by the product. The product shall use a securemechanism complying with the requirements in Appendix B to store the sensitive data and personallyidentifiable data information.
10.2 For the purposes of 10.1, the vendor shall identify and document which data is to be consideredsensitive.
10.3 The product shall utilize only cryptographic algorithms listed in Appendix C for any security protocol.
10.4 The product shall use a separate cryptographic key for each service,operation,or function (e.g.data at rest encryption, transport layer encryption, operator role authentication, remote software upgradeimage integrity). The vendor shall clearly document the intended purpose of each key used by the product.Rationale shall be documented in accordance with Vendor Product Risk Management Process,Section12.UL 2900-1 pdf download.