ISASecure Program Description
ISCI developed ISASecure certifications specifications using the framework of the ISA99 Standards Roadmap. The ISASecure Program scope and direction is based on the security lifecycle concept for automation controls, organized into three broad lifecycle phases including:
Devices and Systems - Conform to ISASecure Requirements (products constructed to secure characteristics and behaviors)
Supplier Practices - Product Development Life Cycle (Design for Security)
User Practices -Integration/Deployment, Operations, Life Cycle Management (Manage for Security).
The first ISASecure certification, Embedded Device Security Assurance (EDSA) focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices.
An embedded device that meets the requirements of the ISASecure EDSA specification earns the ISASecure EDSA certification; a trademarked designation that provides instant recognition of product security characteristics and capabilities, and provides an independent industry stamp of approval similar to a ‘Safety Integrity Level’ Certification (ISO/IEC 61508).
The ISASecure EDSA certification offers three levels of recognition for a device, reflecting increasing levels of device security assurance. The levels include ISASecure Level 1 for Devices, ISASecure Level 2 for Devices, and ISASecure Level 3 for Devices. All levels of security certification granted under this program contain the following technical elements:
- Functional Security Assessment (FSA)
- Software Development Security Assessment (SDSA)
- Communication Robustness Testing (CRT)
FSA and SDSA evaluation requirements increase in rigor for levels 2 and 3 while CRT criteria are the same regardless of certification level. The ISASecure Embedded Device Security Assurance Certification brochure (see below), provides a description of the three technical certification elements, certification levels, and the certification program.
ISASecure EDSA Conformance Scheme Definition Documents
There are five major categories of ISASecure EDSA program documents:
· Technical specifications, shown in solid light blue, that describe the technical criteria applied to determine whether a device will be certified.
NOTE ISASecure EDSA program development has followed and leveraged the parallel ISA99 standards effort underway for embedded device cyber security requirements. When the ISA-99.04.01 standard is completed, the ISASecure Embedded Device certification technical specifications will be updated to serve as a compliance program for that standard.
· Accreditation/recognition, shown in gold diagonal stripe, that describe how an organization can become a chartered laboratory or a tool supplier can obtain recognition for a CRT tool
· Symbol and certificates, shown in blue horizontal stripe, covers the topic of proper usage of the ISASecure symbol and certificates
· Structure, shown in an orange brick pattern, used to describe and operate the overall program.
· External references, shown in solid dark grey, are documents that exist outside of this particular program that are referenced by ISASecure EDSA program documents.
The ISASecure EDSA detailed formal specifications are listed in the table below and available for download.
Embedded Device Security Assurance (EDSA) Certification Specification
| ISASecure EDSA Certification Program Description Brochure |
View PDF |
| EDSA-100 ISASecure Certification Scheme |
View PDF |
|
EDSA-200 Chartered Lab Operations and Accreditation
|
View PDF |
|
EDSA-201 Recognition Process for Communication Robustness Testing Tools
|
View PDF |
| EDSA-202 Chartered Lab Application and Contract |
View PDF |
|
EDSA-300 ISASecure Certification Requirements
|
View PDF |
| EDSA-301 Maintenance of ISASecure Certification |
View PDF |
|
EDSA-311 Functional Security Assessment(v1_4) (FSA)
|
View PDF |
|
EDSA-312 Software Development Security Assessment(v1_4) (SDSA)
|
View PDF |
|
EDSA-310 Common Requirements for Communication Robustness Testing (CRT)
|
View PDF |
| EDSA-401 Ethernet robustness test spec(v1_7) |
View PDF |
|
EDSA-402 ARP robustness test spec(v2_1)
|
View PDF |
|
EDSA-403 IPv4 robustness test spec(v1_1)
|
View PDF |
|
EDSA-404 ICMPv4 robustness test spec(v1_1)
|
View PDF |
|
EDSA-405 UDP robustness test spec(v2_1)
|
View PDF |
|
EDSA-406 TCP robustness test spec(v1_1)
|
View PDF |
| ASCI Policies and Procedures 24 June 2010 |
View PDF |
Public Comment Submissions for ISASecure Specifications
The ISA Security Compliance Institute endorses the efforts of the ISA99 Standards Committee for Industrial Automation Control Systems Security and has respectfully donated published ISCI specifications to the committee for consideration in their standards development process. As such, ISCI recommends that review comments should be submitted to the ISA-99 Standards committee who follow an open consensus ANSI standards development process. We will forward comments submitted via this web site to the ISA-99 Committee Co-chairman on your behalf.