The ISASecure certification scheme includes product testing as part of the overall product assessment process. Vulnerability Identification Testing (VIT) and Communication Robustness Testing (CRT) / System Robustness Testing (SRT) are the two broad categories of product testing performed today.
The ISA Security Compliance Institute operates a structured Communication Robustness Testing (CRT) tool recognition program to identify CRT tools acceptable for use by certification bodies (CB) in ISASecure certification programs. The CRT tools must be capable of supporting published ISASecure cybersecurity certification test requirements. CRT tool recognition requirements and ISASecure product certification test requirements are described in ISASecure specifications, available for download on this website.
CRT and SRT Testing
CRT and SRT testing ensures that devices and systems meeting ISASecure certification requirements are robust against network attacks.
CRT test tools that have been recognized by ISCI are the only tools that may be used by ISCI-accredited labs (CB) during the CRT testing and System Robustness Testing (SRT) portions of the ISASecure EDSA and SSA certifications.
IEC 62443 product security development practices require suppliers to use CRT test tools during the internal product development and testing lifecycle phases to identify and correct network-based security vulnerabilities. While not required, using recognized CRT tools during the development process can aid suppliers in preparing for the formal ISASecure certifications.
CRT and SRT Test Tools
A list of ISCI Recognized CRT and SRT test tools can be found using the link below. ISCI is in constant contact with cybersecurity test tool suppliers, and new CRT and SRT test tools will be added in the future.
Listing of ISCI Recognized CRT Test Tools
Vulnerability Identification Testing
The purpose of Vulnerability Identification Testing (VIT) is to scan the device under test (DUT) with a commercially available tool to identify known vulnerabilities. The device supplier must correct known vulnerabilities discovered during the VIT scan to meet the ISASecure product certification requirements.
The ISASecure program uses the US-CERT National Vulnerability Database (NVDB) as the reference list for identifying known vulnerabilities, providing objectivity and transparency for the ISASecure assessment process. Known vulnerabilities in the US-CERT NVDB are organized into globally accepted Common Weakness Enumeration (CWE) categories, and the NVDB is updated on an ongoing basis as new vulnerabilities are identified and verified.
The VIT test is run when devices are evaluated for ISASecure certification, and the time and date of the scan are recorded. This allows suppliers and end-users to know which NVDB vulnerabilities were included in the scan.
ISCI recommends that end-users require their suppliers to re-run the VIT during factory acceptance testing (FAT) and site acceptance testing (SAT). These procurement steps ensure that new vulnerabilities that may have been discovered and added to the US-CERT NVDB during the time interval between the ISASecure certification VIT scan date and commissioning date are identified.
Information about the US-CERT NVDB may be found on the United States NIST website at: http://nvd.nist.gov
Information about the CWE categories may be found on the US NIST website at: http://nvd.nist.gov/cwe.cfm
VIT Test Tools
ISCI evaluates commercially available VIT test tools and recognizes them for use by ISASecure CBs for formal product testing and certification. VIT tools are selected based upon several factors including, but not limited to, broad availability/support, industry acceptance, and tight linkages with the US-CERT NVDB.
A list of ISCI Recognized VIT test tools can be found using this link:
Listing of ISCI recognized Vulnerability Identification Testing Tools
For Cybersecurity CRT Test Tool Suppliers – How to Get Your CRT Test Tool Recognized
Companies wishing to include their CRT test tool in the ISASecure certification scheme must submit their tools to ISCI for evaluation. Click on the link below for a description of the submittal process.
ISCI CRT Test Tool Recognition Process