Cybersecurity is more than just a word; it’s a measurement

By Mike Bacidore

Aug 08, 2018

Founded in 2007, the ISA Security Compliance Institute (ISCI) has a mission to provide the highest level of assurance possible for the cybersecurity of industrial automation control systems. It also functions as an operational group within the Automation Standards Compliance Institute (ASCI). “Founding members included Invensys Process Systems, now part of Schneider Electric; BP; Chevron; ExxonMobil Research and Engineering; Honeywell; Siemens; Yokogawa; Rockwell Automation; and ISA,” explained Andre Ristaino, managing director of ASCI. He explained his organization’s role and the benefits of ISASecure certification at the Foxboro User Group conference this week in San Antonio.

ISCI’s goals are realized through industry standards compliance programs, education, technical support and improvements in suppliers’ development processes and users’ lifecycle management practices. The ISASecure designation ensures that industrial automation control products conform to industry-consensus cybersecurity standards, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification.

Certification of conformance to IEC 62443

“ISASecure is the IEC 62443 conformance certification,” explained Ristaino. “The International Society of Automation (ISA) has been around for more than 65 years. They’ve published more than 150 standards. In 2007, they set up the Automation Standards Compliance Institute, which I run. We operate as a consortium. The dues and fees we receive fund development and expansion.”

The certification works as follows: asset owners specify ISASecure in procurement specifications and/or choose from the list of certified products on the ISASecure website.

“Suppliers submit products to an ISASecure certification body of choice,” explained Ristaino. “We use three existing labs—TÜV Rheinland in Cologne, Germany; exida, which was accredited in 2011; and CSSC, which was set up after the Fukushima incident in Japan. We write accreditation requirements for the labs, which must meet ISO/IEC 17065 conformance scheme and ISO/IEC 17025 lab operations by international ISO/IEC 17011 accreditation bodies.”

Why certify commercial, off-the-shelf (COTS) products? “Security capabilities are independently assessed and certified by experts at accredited ISASecure labs,” explained Ristaino. “It reduces the effort end users must make to validate and verify security capabilities. And it provides an objective metric for security capabilities based on industry standards.”

ISASecure is one specification, one service mark and one assessment. “The standards are well-articulated,” said Ristaino.

End user benefits include:

  • Simplified procurement specification process;
  • Easier-to-understand, standards-based cybersecurity capabilities;
  • Capabilities independently validated by third party;
  • Confidence that security features will evolve over time; and
  • A forum in which end users can ensure that ISA/IEC 62443 standards are implemented as intended.

Supplier benefits include:

  • Differentiation of solutions;
  • Assurance to customers that products meet standards-based cybersecurity requirements;
  • Assurance to customers that security is maintained over the product lifecycle;
  • Cybersecurity as a dimension of product quality; and
  • Third-party verification in the face of product liability accountability.

“You can’t talk about security if you don’t look at it in the concept of the control system lifecycle,” explained Ristaino. “Cybersecurity is a shared responsibility.”

Certification variations

Based on the 13 documents in the IEC 62443 standard family, three ISASecure certifications are available. Embedded Device Security Assurance (EDSA) is a vulnerability identification test. System Security Assurance (SSA) is for product certification. And Security Development Lifecycle Assurance (SDLA) is process certification.

“Our certification is more than just testing,” said Ristaino. “It’s 360° product testing, including the product development process audit; functional security capabilities assessment; and device communication robustness and vulnerability test.”

EDSA is a certification that the supplier’s product is robust against network attacks and is free from known security vulnerabilities. It meets the requirements of IEC 62443-4-1 and IEC 62443-4-2.

SSA certifies that the supplier’s product, such as an off-the-shelf industrial control system, is robust against network attacks.

SDLA is for product development sites whose work processes include security considerations throughout the lifecycle. “It’s based on industry-recognized security development lifecycle processes,” explained Ristaino. “We used Microsoft’s SDL as a basis for our SDLA. We had to modify it for OT (operational technology) situations because it was created primarily for IT environments. We donated that to the standards committee, and it was probably the fastest one to come out of the committee process.”

Four different security levels exist for ISASecure product certifications.

“We have a tool recognition process, too,” added Ristaino. “ISASecure test tool specifications and recognition process ensure that all test tools meet ISASecure requirements and provide consistent test outcomes. As each test lab uses a test tool, the outcome will be consistent. We’re the only program that does that.”

Looking forward, ASCI has plans to collaborate with building-control-system (BCS) stakeholders to ensure IEC 62443 and ISASecure certifications properly address BCS. It has also collaborated with the European Union on a conformity assessment program and is reaching out to other stakeholders including UL and industry groups such as ASHRAE, LOGIIC, CABA and NAMUR.

“Certification growth started slowly, but now it’s taking off,” explained Ristaino.