On Tuesday, September 18, I attended a Standards Technical Panel meeting at Underwriters Laboratories in Northbrook, Illinois. This particular STP is charged with reviewing and updating eleven different standards dealing with safes, vaults, ATMs, locks and alarm systems. Representatives from industry, trade associations, standards organizations, hardware manufacturers, and concerned citizen groups are members of the STP that provide input into the standards process.
UL, which has been in existence for more than a century, is responsible for about 900 standards for fire, electrical and security-related products. The non-profit organization was originally established by insurance underwriters. Its purpose was to determine and reduce the potential risk and thus the financial exposure for products for which insurance coverage was offered to the public. UL has been instrumental in discovering design defects and being the impetus for engineering improvements that result in safer and more efficient designs.
Today, UL deals with an incredible array of products and has a world-class testing facility to ensure the safety and security of thousands of different pieces of hardware. Virtually every consumer item that is related to the risk of fire, is powered by electricity, or can in any way create a hazard is designed, manufactured and regulated according to designated standards and performs to them. The process to develop these standards is quite complex and requires a broad range of input and consensus from all affected groups.
On the agenda for this STP was lock bumping. I met earlier this summer with the chairman of the panel to discuss the inclusion of this topic at the meeting and it was agreed that it was important for UL to look at this issue in the context of UL437. For those of you that are not familiar with UL437, this is the “higher security” standard for cylinders that are employed in government, business and by some consumers. These cylinders are by definition supposed to be resistant to covert and forced methods of entry for specified minimum times. UL437 is touted by high security lock manufacturers as one of the primary criteria to assure certain minimum levels of physical security in their rated cylinders.
Resistance against forced entry is a minimum of five minutes for specified tools and techniques. However, as I noted at the meeting, some UL certified locks can be opened in significantly less time and I suggested that this issue also needed to be addressed if the public is to rely upon these standards as a selection criterion for physical security protection.
Resistance against covert entry under UL437 is specified at a minimum of ten minutes. This means that the lock should resist picking and related attacks for at least this period of time. As many readers are aware, some UL certified locks do not meet this specification and can be opened in one or two minutes notwithstanding the requirements of the standard. This is one of the reasons that I felt it was important to provide input at the meeting.
The ANSI/BHMA high security lock standard, 156.30, is even more stringent in its requirements and also refers to UL437 with regard to pick resistance. Neither standard presently addresses bumping, although one might argue that bumping is a form of picking, which of course is covered. In Europe, bumping has been incorporated into testing protocols because of the widespread recognition of the security risk posed by the technique.
UL437 and ANSI/BHMA 156.30 are important because most organizations are not capable of testing the security products that they employ to protect their facilities, assets and personnel. They rely upon the standards organizations to determine levels of security for specified products and to ensure that they meet those standards with regard to performance criteria. In this way, all affected sectors can deploy such hardware with the understanding and assurance that specified criteria will be met by the specific product or system. The insurance industry can also confidently provide insurance based upon defined security standards. The problem arises when a product or system, although certified to a certain security performance level, does not actually meet those expectations. Then any entity that relies upon such performance criteria may be at risk. This is precisely the issue with lock bumping and related attacks, especially in high security facilities or critical targets, which have been the basis of recent articles in the media and on this website.
In my brief presentation, I explained to the panel members that certain high security locks could be compromised by bumping and that I thought this issue needed to be addressed. After some discussion about bumping attacks, there was a consensus that a task force should be formed to analyze the current standard and determine if it would be appropriate to add bumping as a test for high security locks. ASTM is also working on standardized performance tests to assess the bump resistance of cylinders.
At present the task force is comprised of ten members (including myself) who represent several lock manufacturers, a standards organization, special trade organizations that deal with security and insurance interests of their members, and a representative of government. The first meeting of the task force has not been scheduled as yet. Industry and consumers alike should welcome this decision because it should lead to the adoption of relevant guidelines for manufacturers to ensure that their locks are secure against bumping attacks.