UL’s Central Station Service Certification Program – Resiliency in Central Station Operations In January 2016, UL recently published two Certification Requirement Decisions (CRDs) that facilitate acceptance of contemporary technology and business practice in the professional monitoring industry. Collectively, they: Provide requirements that address virtual technologies so these can be used to help provide resilient, economically feasible delivery of services Recast automation system resiliency requirements in performance terms, enabling industry to make use of the latest technologies quickly, without the need to change prescriptive solutions enumerated in a Standard Provide a framework for collaborative partnering and resource sharing between service providers that leverages the latest NIST Cloud Computing recommendations Publication of these CRDs gives UL’s customers immediate compliance options – essentially a parallel path to compliance. They express UL’s interpretation of the intent of current requirements in a manner that may be more conducive to flexible application in contemporary monitoring centers. UL customers that have fashioned a compliance strategy around the existing UL 827 language will be unaffected by these CRDs as they simply present alternative options to, not replacements for, existing requirement language. UL will immediately enter these CRDs into UL’s Collaborative Standards Development System as revision proposals for full STP consideration and formal integration into UL 827. Technical Specifics The 8th edition of UL 827 was published in October 2014. The objective of the Standards Technical Panel (STP) was to revise 7th edition language so that contemporary issues were better addressed. The resulting framework is a much better fit for a modern central station. Occasionally, however, specific language and a “prescriptive” approach to requirements proved to be limiting in application. In response UL has published a pair of Certification Requirement Decisions (CRDs). The language of the CRDs presents the intended performance levels out of the prescriptive language. The intent is to more clearly define outcomes, without specifying the required technology or specific methods of achieving those outcomes. Certification Requirement Decision Overview Note - In all cases, please see the CRDs for exact language to be used for certification decisions. Virtual Machine (VM) Technology A conflict of correlation regarding VM technology exists between the language of UL 827, 8th edition and that of UL 1981, Standard for Central Station Automation Systems, 3rd edition. UL 827, clause 17.6.2.2 states that a VM cannot be used as a substitute for a separate computer system required for resiliency UL 1981, clause 7.5.1 allows virtualization under defined conditions, including guaranteed resources and priority for an automation system; and when redundancy requires, that the VM reside on a separate whole hardware system Based on a review of standards development documents for UL 827 and discussion with STP members, the intent of UL 827, clause 17.6.2.2 is better expressed by the language of UL 1981, clause 7.5.1. The CRD covering UL 827, clause 17.6.2.2 resolves the conflict of correlation by using the referenced UL 1981 language as a base. UL will accept use of VM technology that complies with the CRD. Minimum Monitoring Equivalent Weight (MEW) factor resiliency requirements Clause 17.6 presents a tiered set of computer system redundancy and operational requirements built on a MEW factor framework. In general, as MEW factor increases, a Central Station becomes responsible for elements of security impacting a larger constituency. This means that the consequences of a large Central Station failure represent an increased risk to the community at large. Requirements of clause 17.6 mitigate that increasing risk with measures that increase service resiliency with Central Station size. Unfortunately, the resilience requirement language in UL 827, 8th edition uses prescriptive language that has not changed as quickly as developments in technology. It is difficult to apply language tailored for equipment commonly used in central stations 10 years ago to contemporary technology and practices. The CRD covering clause 17.6 pulls out and highlights the essential performance elements from the current language. Performance-based requirements are presented as an alternative to the current language for those Central Stations using more contemporary equipment and methods. While UL believes that arrangements that comply with the current language would also comply with the alternative performance-based requirements, the current language will be kept in place in the interest of clarity. The Collaborative Standards Development Process will allow engagement with the wider community on appropriate final language for the future. Type of Automation System Employed None - Manual Signal Processing Susceptible to single fault failure Maximum MEW Second Fault Fail-over Accommodation Section Reference for Details None None 17.6.1 Manual None 17.6.1 Automation System Automation System Automation System Manual 17A.6.2 Automation System* 17A.6.3 Automation System* 17A.6.4 999 999 Single-fault tolerant 9,999 Two-fault tolerant Two-fault tolerant, with redundant site First Fault Fail-over Accommodation 99,999 Unlimited * Central Station not required to maintain manual signal handling capability Facilitating Business Partnerships Clause 17.8.4 currently prohibits intercompany sharing of computer equipment that hosts automation systems. Research shows that this requirement was added to UL 827 in the mid-1990s after an incident where one partner in a disaster recovery shared equipment scenario used the system to give its own customers inappropriate signal handling priority. While the risk of nonperformance by a business partner can never be eliminated completely, business practices around shared IT resources and business models based on cloud computing have matured significantly in the last 20 years. In May 2012, NIST published Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which codified appropriate risk mitigation factors. Cloud computing business models enable new services and efficiencies that can benefit all stakeholders in a professionally monitored alarm service. The CRD language for clauses 17.8A.3 & 17.8A.4 permits IT resource sharing under the generally accepted risk mitigation principles of NIST 800-146, as they apply to Central Station partnering arrangements. This approach, when combined with the third party oversight of the UL Certificate Service Program, enables technologically advanced services & efficiencies, while also providing stakeholders with contemporary risk controls. Communication Path Diversity Clause 12.1.5 specifies the use of two independent Internet service providers (ISPs) or two independent managed voice facilities network (MVFN) providers for receipt of signals from monitored alarm systems. Based on review of standards development documents and discussion with STP members, the intent was to assure a degree of communication path diversity into a central station. While the prescription of two independent providers will likely provide a degree of path diversity, it is also possible to provision diversity directly via some providers. UL considers the intent of clause 12.1.5 met when contracts are in place that lock in defined path diversity similar to that which would be obtainable through the use of independent providers. Clause 12.1.7 addresses voice communication channel diversity in a similar manner. UL considers the intent met when contracts with a single provider are in place as described for signal path communications. Summary The net effect of these Certification Requirement Decisions is that central stations will be able to use up-to-date technology and employ IT best practices to achieve compliance with UL 827 resiliency requirements. For more information please contact UL at alarmcertificates@ul.com or visit ul.com/alarmcertificates.