ISA's Compliance Institutes have been busy.

Sept. 1, 2009

In a flurry of press releases the last few days, ISA's compliance institutes have been busy.

Yes, they are ISA's compliance institutes, even though ISA went to great lengths to distance them from ISA proper. ISA owns the Automation Federation. The Automation Federation owns the umbrella for all the compliance institutes, ASCI, which in turn, owns the compliance institutes.

Dizzy yet? Anyway, it all traces back to ISA.

Wilson Mohr company is the latest member of the Wireless Compliance Institute, according to a press release we received last week. We found it interesting that Wilson Mohr is a distributor for a much larger member of the board of WCI. But apparently, since Wilson Mohr isn't a voting member, there's no way anyone can suggest packing the membership.

There are a number of people, including end users and general interest members of ISA100 who are very uneasy about the relationship between WCI and ISA100...ISA100.11a, for example, does not mandate interoperability and interchangeability between devices of different vendors. "WCI will take care of that!" was what the ISA100.11a team told us.  But WCI is a wholly owned subsidiary of ISA's business side...and to have WCI controlling the final expression of the standard, some say, is a really big potential conflict of interest.

Today, we received another press release...this time about ISCI, the very first compliance institute, and the one I helped get started.

The ISA Security Compliance Institute (ISCI) has formally approved an Embedded Controller Security Assurance (ECSA) Framework.
 
The ECSA Framework establishes important foundational definitions necessary for completion of the ISASecure ECSA test specification. It establishes the scope of the ISASecure test specification, and identifies the embedded controller testing approach and high level criteria for passing or failing the ISASecure tests.
 
A publicly available version of the ISASecure ECSA Framework describing the ECSA certification program will be published and posted on the ISCI website (www.isa.org/ISASecure) this month.
 
The detailed ISASecure ECSA certification includes three broad areas of assessment for embedded controllers – Security Functional Assessment, Protocol Robustness Testing, and Software Development Security Assessment. The ECSA test specification will undergo an independent review and is slated for completion at the end of Q3 2009.
 
Johan Nye, Chairman of the ISCI Governing Board commented, “This is an important first milestone towards our original vision for the ISCI. The ISASecure certification program will provide assurances to owner/operators that products meet known cyber security requirements based on industry standards.”
 
The ISASecure test specification is designed to be used by suppliers in their product development and manufacturing processes to facilitate baseline security levels in Industrial Automation Control Systems (IACS) products. The same ISASecure test specification will also be used by ISCI accredited independent labs to certify cyber security characteristics of IAC products using ISCI accredited test tools. ISASecure certification testing will commence in First Quarter 2010.
 
Visit the ISA Security Compliance Institute website at www.isa.org/isasecure to learn more about the ISASecure program and how to join this important industry initiative.
 

Questions were immediately raised about whether this ECSA certification actually will be better than the other embedded controller tests that are being used as de facto standards...Achilles springs to mind, as does Mu Security, Byres Security and others. One commentator suggested that this was an overt effort to tap the revenue streams from these companies, by "certifying" existing technology.