System Security Assurance (SSA) Certification
SSA requirements for certification include all control system requirements in the ISA/IEC 62443-3-3 standard.
SSA Certification Versions
Ordered most recent first.
SSA Version 4.0.0
SSA Version 3.0.0
SSA Version 2.1.0
SSA Version 2.0.0
System Security Assurance (SSA) - version 4.0.0
Effective 28 August 2019
*See ISASecure-117 for version transition details*
Scope
The SSA requirements for certification include all control system requirements in IEC 62443-3-3 "Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels” and all process requirements in IEC 62443-4-1 “Security for industrial automation and control systems – Secure product development requirements.” The certifier also performs vulnerability identification testing.
ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
- The control system consists of an integrated set of components and includes more than one component.
- The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
- The control system may have a fixed component and zone layout, or may be scalable, that is, may support replication of components and of zones in order to scale for small and large installations.
- The system product is under configuration control and version management.
The specification SSA-300 further specifies the architectural similarity required between layouts that are to be certified under a single SSA certificate. SSA-300 also provides examples and additional discussion of the types of systems that may be certified under the SSA program.
Technical ISASecure SSA evaluation criteria
In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA-S). Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an SSA certification, or may apply for SSA and SDLA certification in parallel.
ISASecure SSA certification of systems has four additional elements:
- Security Development Artifacts for systems (SDA-S);
- Functional Security Assessment for systems (FSA-S); and
- Vulnerability identification Testing for systems (VIT-S).
SDA-S examines the artifacts that are the outputs of the supplier’s secure product development lifecycle processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. VIT-S scans all components of a system for the presence of known vulnerabilities. The following figure illustrates the elements of ISASecure SSA certification.
Figure 1 - Evaluation Elements for ISASecure SSA Certification
A system submitted for certification is comprised of one or more security zones. The supplier identifies a desired capability security level for each zone to be demonstrated by the certification. The SDLPA-S assessment does not have an associated level. SDA-S and VIT-S are the same for all certification levels with the exception of allowable residual risk for known security issues. The FSA-S evaluation is applied to each security zone; required security capabilities will differ based upon the zone capability security level. The ISASecure SSA certificate for a system will name the security zones and their certified capability security levels.
To certify a scalable control system where several layouts of this system are to be certified under one certificate, tests performed by the certifier as part of FSA-S or for VIT-S will be performed on a reference system, whose associated reference layout meets criteria specified in SSA-300. Analyses performed by the certifier will take into account all layouts to be evaluated under the certification.
Relationship of the SSA program to IEC 62443
A goal for the SSA certification program is to offer a compliance program for the ANSI/ISA/IEC 62443 series of standards, which address security for IACS. ISASecure SSA certification incorporates requirements that apply to a control system, which is the hardware and software for an IACS.
It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the ANSI/ISA/IEC 62443 effort, in particular as presented in IEC 62443-1-1. Definitions for terms will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."
The SSA specifications define and use the notions of security zone, conduit and security level introduced in IEC 62443-1-1, to be discussed further in the planned ANSI/ISA/IEC standard 62443-3-2 “Security for industrial automation and control systems Part 3-2: Risk assessment and design,” which is currently under development.
The SSA FSA-S requirements for certification include all requirements in IEC 62443-3-3 “Security for industrial automation and control systems Part 3-3: System security requirements and security levels.” The capability security levels for the FSA-S evaluation of a security zone within a system, align with the IEC 62443-3-3 capability security levels and associated requirements. ANSI/ISA has published this standard as ANSI/ISA-62443-3-3.
The ISASecure evaluation requirements for SDLA certification and SDA-S artifact assessment performed for SSA certification, align with the requirements in the standard IEC 62443-4-1 “Security for industrial automation and control systems Part 4-1: Secure product development lifecycle requirements.” ANSI/ISA has published this standard as ANSI/ISA- 62443-4-1.
Certified systems
The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, a specific layout or (for a scalable system) a set of layouts, and references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, system model 234, version 1.9 with layouts as described in a named reference document, might be certified to ISASecure SSA 4.0.0. The ISASecure SSA certificate for a system will name its security zones and the levels to which they have been certified.
The SSA program defines procedures to maintain certification for later versions of the system that incorporate updates (such as bug fixes) and upgrades (new functionality) which may include further scalability options, to later versions of the ISASecure evaluation program, and to higher capability security levels.
Subject to permission of each system supplier, ISCI will post the names of certified systems on its web site http://www.ISASecure.org.
Certification Program Documentation
ISASecure® SSA Conformance Scheme Fees
SSA Certification Registration Fee (Annual Fee) | $1,200 |
System Security Assurance (SSA) Certification Scheme Description
SSA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-102 Baseline Document Versions and Errata | View/Download Resource |
Transition Policy
ISASecure-117 Transition to CSA 1.0.0 and SSA 4.0.0 | View/Download Resource |
Initial Certification and Maintenance of Certification Policies and Criteria
SSA-204 Use of ISASecure Symbol and Certificates | View/Download Resource |
SSA-300 ISASecure Certification Requirements | View/Download Resource |
SSA-301 Maintenance of ISASecure Certification | View/Download Resource |
ISASecure-120 Relabeled Policy | View/Download Resource |
ISASecure-130 Product Family Policy | View/Download Resource |
Certification Requirements Specifications for SSA (4 Assessment Categories SDLPA, SDA, FSA, VIT)
SSA-311 Functional Security Assessment for Systems (FSA-S) | View/Download Resource |
SSA-312 Security Development Artifacts for Systems (SDA-S) | View/Download Resource |
SDLA-312 Security Development Lifecycle Assessment (SDLA) | View/Download Resource |
SDLA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-420 Vulnerability Identification Test (VIT) Specification | View/Download Resource |
System Security Assurance (SSA) - version 3.0.0
Effective 10 October 2018
*See ISASecure-116 for version transition details*
Scope
The SSA requirements for certification include all control system requirements in IEC 62443-3-3 "Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels” and all process requirements in IEC 62443-4-1 “Security for industrial automation and control systems – Secure product development requirements.” The certifier also performs System Robustness Testing, which includes fuzz testing, network traffic load testing, and vulnerability scanning. In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements for certifier testing and functional assessment at the time of certification.
ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
- The control system consists of an integrated set of components and includes more than one device.
- The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
- The control system may have a fixed device and zone layout, or may be scalable, that is, may support replication of devices and of zones in order to scale for small and large installations.
- The system product is under configuration control and version management.
SSA-300 further specifies the architectural similarity required between layouts that are to be certified under a single SSA certificate. SSA-300 also provides examples and additional discussion of the types of systems that may be certified under the SSA program.
Technical ISASecure SSA evaluation criteria
In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA). Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an SSA certification, or may apply for SSA and SDLA certification in parallel.
ISASecure SSA certification of systems has four additional elements:
- Security Development Artifacts for systems (SDA-S);
- Functional Security Assessment for systems (FSA-S);
- Functional Security Assessment for embedded devices (FSA-E); and
- System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, in accordance with ANSI/ISA-62443-4-2 that in some cases requirements for security functionality may be met by integrating the device into a system. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.
The following figure illustrates the elements of ISASecure SSA certification.
Figure 1 - Evaluation Elements for ISASecure SSA Certification
The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.
A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone to be demonstrated by the certification, which are the zone certification levels. The notions of security zone, security level and capability security level are introduced in ANSI/ISA-62443-1-1. The SDLPA and SDA-S assessments are the same for all certification levels with the exception of allowable residual risk for known security issues. FSA-E increases in rigor level for certification levels 2, 3, and 4, as does VIT. CRT criteria are the same regardless of certification level.
For scalable systems, tests performed by the certifier as part of FSA or SRT will be performed on a reference system, whose layout meets criteria specified in SSA-300. Analyses performed by the certifier will take into account all layouts to be evaluated under the certification.
Relationship of the SSA program to IEC 62443
A goal for the SSA certification program is to offer a compliance program for the ISA 62443 series of standards. ISA 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.
It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the ISA 62443 effort, in particular as presented in ANSI/ISA-62443-1-1. Definitions for terms will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."
The SSA specifications define and use the notions of security zone, conduit and security level introduced in ANSI/ISA-62443-1-1, to be discussed further in ISA 62443-3-2 “Security for industrial automation and control systems Part 3-2: Risk assessment and design,” which is currently under development.
The SSA FSA-S requirements for certification include all requirements in ANSI/ISA 62443-3-3 “Security for industrial automation and control systems Part 3-3: System security requirements and security levels.” The certification levels for the FSA-S evaluation of a security zone within a system, align with the ANSI/ISA- 62443-3-3 capability security levels and associated requirements. The IEC has separately approved this standard as IEC 62443-3-3.
The SSA FSA-E requirements apply to embedded device components of the system to be certified. They include all level 1 requirements in ANSI/ISA-62443-4-2 “Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components.”
The ISASecure process evaluation requirements for SDLA certification and SDA-S artifact assessment align with the requirements in the approved standard ANSI/ISA-62443-4-1 “Security for industrial automation and control systems Part 4-1: Secure product development lifecycle requirements.” The IEC has separately approved this standard as IEC 62443-4-1.
Certified systems
The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, a specific layout or (for a scalable system) a set of layouts, and references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, system model 234, version 1.9 with layouts as described in a named reference document, might be certified to ISASecure SSA 2.6.1. The ISASecure SSA certificate for a system will name its security zones and the levels to which they have been certified.
The SSA program defines procedures to maintain certification for updated versions of the system (possibly with further scalability options), to later versions of the ISASecure evaluation program, and to higher certification levels.
Subject to permission of each system supplier, ISCI will post the names of certified systems on its web site http://www.ISASecure.org.
Certification Program Documentation
Figure 2 - ISASecure SSA Documents
ISASecure® SSA Conformance Scheme Fees
SSA Certification Registration Fee (Annual Fee) | $1,200 |
System Security Assurance (SSA) Certification Scheme Description
SSA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-102 Errata | View/Download Resource |
Transition Policy
ISASecure-116 Transition to EDSA 3.0.0 and SSA 3.0.0 | View/Download Resource |
Initial Certification and Maintenance of Certification Policies and Criteria
SSA-300 ISASecure Certification Requirements | View/Download Resource |
SSA-301 Maintenance of ISASecure Certification | View/Download Resource |
EDSA-301 Maintenance of ISASecure Certification | View/Download Resource |
Scope SSA Certification Requirements (5 Categories of Assessment)
SSA-310 Requirements for System Robustness Testing (SRT) | View/Download Resource |
EDSA-310 Embedded Device Robostness testing | View/Download Resource |
SSA-311 Functional Security Assessment for Systems (FSA-S) | View/Download Resource |
CSA-311 Functional Security Assessment for Components | View/Download Resource |
SSA-312 Security Development Artifacts for Systems (SDA-S) | View/Download Resource |
SDLA-312 Security Development Lifecycle Assessment (SDLA) | View/Download Resource |
SDLA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-420 Vulnerability Identification Test (VIT) Policy Specification | View/Download Resource |
CRT Test Requirements for Protocols
EDSA-401 Ethernet robustness test specification | View/Download Resource |
EDSA-402 ARP robustness test specification | View/Download Resource |
EDSA-403 IPv4 robustness test specification | View/Download Resource |
EDSA-404 ICMPv4 robustness test specification | View/Download Resource |
EDSA-405 UDP robustness test specification | View/Download Resource |
EDSA-406 TCP robustness test specification | View/Download Resource |
System Security Assurance (SSA) - version 2.1.0
Effective 13 February 2018
*See ISASecure-115 for version transition details*
Scope
The SSA requirements for certification include all control system requirements in IEC 62443-3-3 "Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels” and all process requirements in IEC 62443-4-1 “Security for industrial automation and control systems – Secure product development requirements.” The certifier also performs System Robustness Testing, which includes fuzz testing, network traffic load testing, and vulnerability scanning. In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements for certifier testing and functional assessment at the time of certification.
ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
- The control system consists of an integrated set of components and includes more than one device.
- The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
- The control system may have a fixed device and zone layout, or may be scalable, that is, may support replication of devices and of zones in order to scale for small and large installations.
- The system product is under configuration control and version management.
SSA-300 further specifies the architectural similarity required between layouts that are to be certified under a single SSA certificate. SSA-300 also provides examples and additional discussion of the types of systems that may be certified under the SSA program.
Technical ISASecure SSA evaluation criteria
In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA). Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an SSA certification, or may apply for SSA and SDLA certification in parallel.
ISASecure SSA certification of systems has four additional elements:
- Security Development Artifacts for systems (SDA-S);
- Functional Security Assessment for systems (FSA-S);
- Functional Security Assessment for embedded devices (FSA-E); and
- System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, recognizing that in some cases security functionality is provided by other system components. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.
The following figure illustrates the elements of ISASecure SSA certification.
Figure 1 - Evaluation Elements for ISASecure SSA Certification
The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.
A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone to be demonstrated by the certification, which are the zone certification levels. The notions of security zone, security level and capability security level are introduced in ANSI/ISA-62443-1-1. The SDLPA and SDA-S assessments are the same for all certification levels with the exception of allowable residual risk for known security issues. FSA-E increases in rigor level for certification levels 2, 3, and 4, as does VIT, since pass/fail criteria for VIT reference applicable FSA-S requirements. CRT criteria are the same regardless of certification level.
For scalable systems, tests performed by the certifier as part of FSA or SRT will be performed on a reference system, whose layout meets criteria specified in SSA-300. Analyses performed by the certifier will take into account all layouts to be evaluated under the certification.
Relationship of the SSA program to IEC 62443
A goal for the SSA certification program is to offer a compliance program for the ISA 62443 series of standards. ISA 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.
It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the ISA 62443 effort, in particular as presented in ANSI/ISA-62443-1-1. Definitions for terms are found on the ISA 99 wiki and will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."
The SSA specifications define and use the notions of security zone, conduit and security level introduced in ANSI/ISA-62443-1-1, to be discussed further in ISA 62443-3-2 “Security for industrial automation and control systems Part 3-2: Risk assessment and design,” which is currently under development.
The SSA FSA-S requirements for certification include all requirements in ANSI/ISA 62443-3-3 “Security for industrial automation and control systems Part 3-3: System security requirements and security levels.” The certification levels for the FSA-S evaluation of a security zone within a system, align with the ANSI/ISA- 62443-3-3 capability security levels and associated requirements. The IEC has separately approved this standard as IEC 62443-3-3.
The ISASecure process evaluation requirements for SDLA certification and SDA-S artifact assessment align with the requirements in the approved standard ANSI/ISA-62443-4-1 “Security for industrial automation and control systems Part 4-1: Secure product development lifecycle requirements.” The IEC has separately approved this standard as IEC 62443-4-1.
Certified systems
The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, a specific layout or (for a scalable system) a set of layouts, and references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, system model 234, version 1.9 with layouts as described in a named reference document, might be certified to ISASecure SSA 2.6.1. The ISASecure SSA certificate for a system will name its security zones and the levels to which they have been certified.
The SSA program defines procedures to maintain certification for updated versions of the system (possibly with further scalability options), to later versions of the ISASecure evaluation program, and to higher certification levels.
Subject to permission of each system supplier, ISCI will post the names of certified systems on its web site http://www.ISASecure.org.
Certification Program Documentation
Figure 2 - ISASecure SSA Documents
ISASecure® SSA Conformance Scheme Fees
SSA Certification Registration Fee (Annual Fee) |
$1,200 |
System Security Assurance (SSA) Certification Scheme Description
SSA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-102 Errata | View/Download Resource |
Lab Accreditation Requirements
ISASecure-115 Transition to SDLA 2.0.0, EDSA 2.1.0 and SSA 2.1.0 | View/Download Resource |
Initial Certification and Maintenance of Certification Policies and Criteria
SSA-300 ISASecure Certification Requirements | View/Download Resource |
SSA-301 Maintenance of ISASecure Certification | View/Download Resource |
EDSA-301 Maintenance of ISASecure Certification | View/Download Resource |
Scope SSA Certification Requirements (5 Categories of Assessment)
SSA-310 Requirements for System Robustness Testing (SRT) | View/Download Resource |
EDSA-310 Embedded Device Robostness testing | View/Download Resource |
SSA-311 Functional Security Assessment for Systems (FSA-S) | View/Download Resource |
EDSA-311 Functional Security Assessment for Embedded Devices | View/Download Resource |
SSA-312 Security Development Artifacts for Systems (SDA-S) | View/Download Resource |
SDLA-312 Security Development Lifecycle Assessment (SDLA) | View/Download Resource |
SDLA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-420 Vulnerability Identification Test (VIT) Policy Specification | View/Download Resource |
CRT Test Requirements for Protocols
EDSA-401 Ethernet robustness test specification | View/Download Resource |
EDSA-402 ARP robustness test specification | View/Download Resource |
EDSA-403 IPv4 robustness test specification | View/Download Resource |
EDSA-404 ICMPv4 robustness test specification | View/Download Resource |
EDSA-405 UDP robustness test specification | View/Download Resource |
EDSA-406 TCP robustness test specification | View/Download Resource |
System Security Assurance (SSA) - version 2.0.0
(Valid until 2/13/2019)
Scope
The SSA FSA-S requirements for certification include all requirements in IEC 62443-3-3 “Security for industrial automation and control systems – System security requirements and security levels.” The security levels for the FSA-S evaluation of a security zone within a system, align with the IEC 62443-3-3 security levels.
ISASecure SDLA process evaluation requirements and levels will be revised as necessary to align with the requirements and levels in IEC 62443-4-1 “Security for industrial automation and control systems – Product development requirements” when it is published and maintained. In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements at the time of certification. The IEC 62443 standards relevant to the EDSA cybersecurity requirements are IEC 62443-4-1 and IEC 62443-4-2.
ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
- The control system consists of an integrated set of components and includes more than one device.
- The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
- The supplier has assigned a unique product identifier to the control system which the supplier uses in the marketplace to refer to the integrated set of components as a whole.
- The system product is under configuration control and version management.
[SSA-300] provides examples and additional discussion of the types of systems that may be certified under the SSA program.
Technical ISASecure SSA evaluation criteria
In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process evaluation. This evaluation may be performed as part of the SSA evaluation, or may have been completed previously if the supplier holds an ISASecure SDLA process certification, as described in [SDLA-100]. A supplier may at their option apply for SSA and SDLA certification in parallel. ISASecure SSA certification of systems has four additional elements:
- Security Development Artifacts for systems (SDA-S);
- Functional Security Assessment for systems (FSA-S);
- Functional Security Assessment for embedded devices (FSA-E); and
- System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, recognizing that in some cases security functionality is provided by other system components. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.
The following figure illustrates the elements of ISASecure SSA certification.
Figure 1 - Evaluation Elements for ISASecure SSA Certification
The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.
A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone. The notions of security zone, security level and capability security level are introduced in [ISA 62443-1-1]. Evaluation criteria for SDA-S and FSA-S increase in rigor for higher security levels.
Relationship of the SSA program to IEC 62443
A goal for the SSA certification program is to offer a compliance program for the IEC 62443 series of standards. IEC 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.
It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the IEC 62443 effort, in particular as presented in IEC 62443-1-1. Definitions for terms are found on the ISA 99 wiki and will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."
The SSA specifications define and use the notions of security zone, conduit and security level introduced in IEC 62443-1-1, to be discussed further in IEC 62443-3-2 “Security for industrial automation and control systems – Risk assessment and design,” which is currently under development.
The SSA FSA-S requirements for certification include all requirements in IEC 62443-3-3 “Security for industrial automation and control systems – System security requirements and security levels.” The security levels for the FSA-S evaluation of a security zone within a system, align with the IEC 62443-3-3 security levels.
In the future, the ISASecure SDLA process evaluation requirements and levels will be revised as necessary to align with the requirements and levels in the planned standard IEC 62443-4-1 “Security for industrial automation and control systems – Product development requirements.” This standard is under development.
Certified systems
The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, and references an ISASecure certification version. The ISASecure certification version number includes the year that the ISASecure version was released by ISCI, and a sequence number within that year. For example, system model 234, version 1.9 might be certified to ISASecure SSA 2014.1, which is the first ISASecure SSA version released in 2014. The ISASecure SSA certificate for a system will name its security zones and the security levels to which they have been certified.
The SSA program defines procedures to maintain certification for updated versions of the system, to later versions of the ISASecure evaluation program, and to higher certification levels.
Subject to permission of each system supplier, ISCI will post the names of certified systems on the Registered Device List.
Certification Program Documentation
Figure 2 - ISASecure SSA Documents
ISASecure SSA Conformance Scheme Fees
SSA Certification Registration Fee -Member (billed when passed) | $7,500 |
SSA Certification Registration Maintenance Fee - Member (billed when passed) | $2,500 |
SSA Certification Registration Fee - non-Member (billed when passed) | $12,500 |
SSA Certification Registration Maintenance Fee - non-Member (billed when passed) |
$3,000 |
System Security Assurance (SSA) Certification Scheme Description
SSA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-102 Errata | View/Download Resource |
Lab Accreditation Requirements
ISASecure-115 Transition to SDLA 2.0.0, EDSA 2.1.0 and SSA 2.1.0 | View/Download Resource |
Initial Certification and Maintenance of Certification Policies and Criteria
SSA-300 ISASecure Certification Requirements | View/Download Resource |
SSA-301 Maintenance of ISASecure Certification | View/Download Resource |
EDSA-301 Maintenance of ISASecure Certification | View/Download Resource |
Scope SSA Certification Requirements (5 Categories of Assessment)
SSA-310 Requirements for System Robustness Testing (SRT) | View/Download Resource |
EDSA-310 Embedded Device Robostness testing | View/Download Resource |
SSA-311 Functional Security Assessment for Systems (FSA-S) | View/Download Resource |
EDSA-311 Functional Security Assessment for Embedded Devices | View/Download Resource |
SSA-312 Security Development Artifacts for Systems (SDA-S) | View/Download Resource |
SDLA-312 Security Development Lifecycle Assessment (SDLA) | View/Download Resource |
SDLA-100 ISASecure Certification Scheme | View/Download Resource |
SSA-420 Vulnerability Identification Test (VIT) Policy Specification | View/Download Resource |
CRT Test Requirements for Protocols
EDSA-401 Ethernet robustness test specification | View/Download Resource |
EDSA-402 ARP robustness test specification | View/Download Resource |
EDSA-403 IPv4 robustness test specification | View/Download Resource |
EDSA-404 ICMPv4 robustness test specification | View/Download Resource |
EDSA-405 UDP robustness test specification | View/Download Resource |
EDSA-406 TCP robustness test specification | View/Download Resource |