ISA Security Compliance Institute
2014 Year in Review
Before charging into the challenges of 2015, the ISA Security Compliance Institute (ISCI) would like to take a few moments to reflect on 2014 accomplishments and significant events affecting ISASecure. 2014 was a busy year for ISCI, highlighted by dedication and hard work from volunteer members, resulting in a number of noteworthy milestones.
Welcome to the new Governing Board officers
ISCI is led by a Governing Board that sets the strategy and direction for the ISA Security Compliance Institute. Governing Board officers serve two-year terms and host/attend monthly status teleconferences to ensure adherence to annual plans and attend all-hands conferences. Officers typically engage in many other meetings and industry events as part of their overall role and responsibilities, such as major trade shows and collaboration with other consortiums. Volunteering for a governing board officer position requires a large commitment from the individual and generous support from their respective sponsoring companies.
ISCI would like to thank the outgoing officers: Johan Nye, Chairman; Ed Crawford, Vice-Chairman; Kevin Staggs, TSC Chairman; and Graham Speake, Marketing Chairman. Johan has provided steady leadership for ISCI and ensured that ISCI maintained focus on the long-term vision of the organization.
ISCI is also grateful to Eric Cosman, ISA99 Committee Liaison to ISCI, for his contributions both from an asset-owner perspective and in his formal liaison capacity to ensure that ISCI programs align with the ISA/IEC 62443 standards. Eric will continue in this capacity during 2015.
Please welcome the incoming 2015-2016 ISA100 ISCI Board Officers: Ed Crawford (Chevron), Chairman; Johan Nye (ExxonMobil), Vice-Chairman; Paul Forney (Schneider-Electric), TSC Chairman; and Kevin Staggs (Honeywell), Marketing Chairman. We are sure that Ed Crawford will be enthusiastically supported by members as the new ISCI Board Chairman and look forward to his leadership over the next two years.
ISASecure Certification lab added in 2014
The first quarter of 2014 was marked by the formal launch of the CSSC lab in Japan. This new certification body is formally known as the CSSC-CL and received JAB IEC Guide 65 accreditation in Q1 2014. Becoming an ISCI-accredited lab is challenging. The process requires organization building in addition to staff development, such as ensuring that test engineers/assessors earn professional cybersecurity designations.
The general CSSC facility was dedicated in May 2013 and the CSSC achieved accreditation for the CSSC-CL less than 12 months later! CSSC’s ongoing contributions to the ISASecure certification programs are noteworthy and ISCI is grateful for the CSSC team’s hard work and attention to important details.
New CRT Tool added in 2014
In Q1 2014 the FFRI Raven CRT tool achieved formal ISCI recognition as a CRT test tool that certification bodies and product suppliers may use as a test platform in ISASecure certifications. Raven is the third tool to gain this designation, broadening the available choices of ISCI-recognized CRT test platforms for the IACS cybersecurity market.
Two New ISASecure Certifications Added in 2014
In the second quarter of 2014 ISCI members celebrated the completion of the System Security Assurance (SSA) certification and the Security Development Lifecycle Assurance (SDLA) certification.
The SSA is aligned with, and certifies to, requirements from the IEC 62443-3-3 standard. While the SSA was originally slated for 2013 launch, the final IEC 62443-3-3 standard was published in early 2013. In keeping with ISCI’s commitment to align ISASecure with the IEC 62443 standards, the ISCI technical team updated the SSA certification requirements to align with the completed IEC 62443-3-3 standard. The final SSA is a well-articulated IACS certification for the globally recognized IEC 62443-3-3 IACS cybersecurity standard.
The SDLA stand-alone certification for organizations provides economic efficiencies to suppliers certifying IACS products. Suppliers’ development organizations gain recognition through SDLA certification for security lifecycle practices that contribute to cyber-secure products. Organizations achieving the SDLA certification may use the following designation: ‘An ISASecure SDLA certified development organization’.
ISASecure SDLA certification requirements for products are designed to certify to IEC 62443-4-1. The SDLA certification specifications harmonized the security lifecycle requirements for embedded devices (EDSA) with requirements for systems (SSA). SDLA specifications are now published in a single, convenient SDLA-312 document referenced by both the SSA and EDSA certification programs.
All ISASecure certification requirements are publicly available for download from the www.isasecure.org website in PDF format.
Four devices achieve EDSA certification in 2014
In a sign that the ISASecure certification scheme is gaining momentum, four embedded devices were certified in 2014, from IACS suppliers including Azbil, Hitachi, Schneider Electric and Yokogawa. ISCI now lists nine ISASecure EDSA certifications from six suppliers, with additional certifications underway for 2015.
Looking forward to 2015
With three ISASecure certification schemes completed, the IACS community has much to look forward to in 2015. The launch of ISASecure SSA and SDLA along with EDSA is expected to generate added interest in ISASecure. Expect to see more outreach describing how the ISASecure certifications fit into an asset owner/operator’s comprehensive cybersecurity program. Keep informed by visiting the ISASecure website at www.isasecure.org.