Besides its longstanding ISA99 standard, the ISA's Security Compliance Institute (ISCI) recently developed and launched its ISASecure Certification program.
"ISCI is a consortium of asset owners, suppliers and industry organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI)," says Leigh Weber, CISSP, senior security engineer at exida Consulting in Sellersville, Pa. "Its mission is to establish a set of well-engineered specifications and processes for testing and certifying critical control systems products, as well as decrease the time, cost and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers and other stakeholders."
Similar to well-known safety integrity level (SIL) certifications, ISASecure is a recognizable designation that suppliers can achieve for their products by allowing them to be thoroughly tested.
ISASecure is an Embedded Device Security Assurance (EDSA) certification, and its evaluation process has three steps. A supplier submits a device to an ANSI A-CLASS chartered lab, and the lab:
- Physically evaluates the device for functional security (FSA);
- Conducts a communication robustness test (CRT) using ISCI-approved test tools; and
- Completes a supplier audit (SDSA) of software development practices.
"These devices get every kind of malformed bit stream thrown at them, and then the lab sees if they're still standing when it's over," adds Weber. "Then, the lab issues a final assessment report and certification upon successful test and audit. The next step for ISASecure is System Security Assurance to look at security across whole systems, and it's being developed now."