IEC 62443 - SSA Certification

System Security Assurance (SSA) - version 3.0.0

Effective 10 October 2018

*See ISASecure-116 for version transition details*

Scope

The SSA requirements for certification include all control system requirements in IEC 62443-3-3 “Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels” and all process requirements in IEC 62443-4-1 “Security for industrial automation and control systems – Secure product development requirements.” The certifier also performs System Robustness Testing, which includes fuzz testing, network traffic load testing, and vulnerability scanning. In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements for certifier testing and functional assessment at the time of certification.

ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
 
  • The control system consists of an integrated set of components and includes more than one device.
  • The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
  • The control system may have a fixed device and zone layout, or may be scalable, that is, may support replication of devices and of zones in order to scale for small and large installations.
  • The system product is under configuration control and version management.
SSA-300 further specifies the architectural similarity required between layouts that are to be certified under a single SSA certificate.  SSA-300 also provides examples and additional discussion of the types of systems that may be certified under the SSA program. 

Technical ISASecure SSA evaluation criteria

In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA).  Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an SSA certification, or may apply for SSA and SDLA certification in parallel. 
ISASecure SSA certification of systems has four additional elements:
 
  • Security Development Artifacts for systems (SDA-S);
  • Functional Security Assessment for systems (FSA-S);
  • Functional Security Assessment for embedded devices (FSA-E); and
  • System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, recognizing, in accordance with ANSI/ISA-62443-4-2, that in some cases requirements for security functionality may be met by integrating the device into a system. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.
The following figure illustrates the elements of ISASecure SSA certification.



Figure 1 - Evaluation Elements for  ISASecure SSA Certification

 

The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.

A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone to be demonstrated by the certification, which are the zone certification levels. The notions of security zone, security level and capability security level are introduced in ANSI/ISA-62443-1-1.  The SDLPA and SDA-S assessments are the same for all certification levels with the exception of allowable residual risk for known security issues. FSA-E increases in rigor level for certification levels 2, 3, and 4, as does VIT. CRT criteria are the same regardless of certification level. 

For scalable systems, tests performed by the certifier as part of FSA or SRT will be performed on a reference system, whose layout meets criteria specified in SSA-300. Analyses performed by the certifier will take into account all layouts to be evaluated under the certification.

Relationship of the SSA program to IEC 62443

A goal for the SSA certification program is to offer a compliance program for the ISA 62443 series of standards. ISA 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.

It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the ISA 62443 effort, in particular as presented in ANSI/ISA-62443-1-1. Definitions for terms are found on the ISA 99 wiki at http://isa99.isa.org/ISA99%20Wiki/Master-Glossary.aspx and will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."

The SSA specifications define and use the notions of security zone, conduit and security level introduced in ANSI/ISA-62443-1-1, to be discussed further in ISA 62443-3-2 “Security for industrial automation and control systems Part 3-2: Risk assessment and design,” which is currently under development.

The SSA FSA-S requirements for certification include all requirements in ANSI/ISA-62443-3-3 “Security for industrial automation and control systems Part 3-3: System security requirements and security levels.” The certification levels for the FSA-S evaluation of a security zone within a system align with the ANSI/ISA-62443-3-3 capability security levels and associated requirements. The IEC has separately approved this standard as IEC 62443-3-3.

The SSA FSA-E requirements apply to embedded device components of the system to be certified. They include all level 1 requirements in ANSI/ISA-62443-4-2 “Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components.” 

The ISASecure process evaluation requirements for SDLA certification and SDA-S artifact assessment align with the requirements in the approved standard ANSI/ISA-62443-4-1 “Security for industrial automation and control systems Part 4-1: Secure product development lifecycle requirements.” The IEC has separately approved this standard as IEC 62443-4-1.

Certified systems

The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, a specific layout or (for a scalable system) a set of layouts, and references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, system model 234, version 1.9 with layouts as described in a named reference document, might be certified to ISASecure SSA 2.6.1. The ISASecure SSA certificate for a system will name its security zones and the levels to which they have been certified.

The SSA program defines procedures to maintain certification for updated versions of the system (possibly with further scalability options), to later versions of the ISASecure evaluation program, and to higher certification levels. 

Subject to permission of each system supplier, ISCI will post the names of certified systems on its web site http://www.ISASecure.org

Certification Program Documentation


Figure 2 - ISASecure SSA Documents

System Security Assurance (SSA) Certification Scheme Description

SSA-100 ISASecure Certification Scheme
SSA-102 Errata

Transition Policy

ISASecure-116 Transition to EDSA 3.0.0 and SSA 3.0.0

Initial Certification and Maintenance of Certification Policies and Criteria

SSA-300 ISASecure Certification Requirements
SSA-301 Maintenance of ISASecure Certification
EDSA-301 Maintenance of ISASecure Certification

Scope SSA Certification Requirements (5 Categories of Assessment)

 
SSA-310 Requirements for System Robustness Testing (SRT)
EDSA-310 Embedded Device Robustness Testing
SSA-311 Functional Security Assessment for Systems (FSA-S)
CSA-311 Functional Security Assessment for Components
SSA-312 Security Development Artifacts for Systems (SDA-S)
SDLA-312 Security Development Lifecycle Assessment (SDLA)
SDLA-100 ISASecure Certification Scheme
SSA-420 Vulnerability Identification Test (VIT) Policy Specification

CRT Test Requirements for Protocols

 
EDSA-401 Ethernet robustness test specification
EDSA-402 ARP robustness test specification
EDSA-403 IPv4 robustness test specification
EDSA-404 ICMPv4 robustness test specification
EDSA-405 UDP robustness test specification
EDSA-406 TCP robustness test specification

ISASecure® SSA Conformance Scheme Fees

 
SSA Certification Registration Fee - Member (billed when passed) $7,500
SSA Certification Registration Maintenance Fee - Member (billed when passed) $2,500
SSA Certification Registration Fee - non-Member (billed when passed) $12,500
SSA Certification Registration Maintenance Fee - non-Member (billed when passed) $3,000

System Security Assurance (SSA) - version 2.1.0

Effective 13 February 2018

*See ISASecure-115 for version transition details*

Scope

The SSA requirements for certification include all control system requirements in IEC 62443-3-3 “Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels” and all process requirements in IEC 62443-4-1 “Security for industrial automation and control systems – Secure product development requirements.” The certifier also performs System Robustness Testing, which includes fuzz testing, network traffic load testing, and vulnerability scanning. In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements for certifier testing and functional assessment at the time of certification.

ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
 
  • The control system consists of an integrated set of components and includes more than one device.
  • The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
  • The control system may have a fixed device and zone layout, or may be scalable, that is, may support replication of devices and of zones in order to scale for small and large installations.
  • The system product is under configuration control and version management.
SSA-300 further specifies the architectural similarity required between layouts that are to be certified under a single SSA certificate.  SSA-300 also provides examples and additional discussion of the types of systems that may be certified under the SSA program. 

Technical ISASecure SSA evaluation criteria

In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA).  Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an SSA certification, or may apply for SSA and SDLA certification in parallel. 
ISASecure SSA certification of systems has four additional elements:
 
  • Security Development Artifacts for systems (SDA-S);
  • Functional Security Assessment for systems (FSA-S);
  • Functional Security Assessment for embedded devices (FSA-E); and
  • System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, recognizing that in some cases security functionality is provided by other system components. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.
The following figure illustrates the elements of ISASecure SSA certification.



Figure 1 - Evaluation Elements for  ISASecure SSA Certification

 

The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.

A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone to be demonstrated by the certification, which are the zone certification levels. The notions of security zone, security level and capability security level are introduced in ANSI/ISA-62443-1-1.  The SDLPA and SDA-S assessments are the same for all certification levels with the exception of allowable residual risk for known security issues. FSA-E increases in rigor level for certification levels 2, 3, and 4, as does VIT, since pass/fail criteria for VIT reference applicable FSA-S requirements. CRT criteria are the same regardless of certification level.

For scalable systems, tests performed by the certifier as part of FSA or SRT will be performed on a reference system, whose layout meets criteria specified in SSA-300. Analyses performed by the certifier will take into account all layouts to be evaluated under the certification.

Relationship of the SSA program to IEC 62443

A goal for the SSA certification program is to offer a compliance program for the ISA 62443 series of standards. ISA 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.

It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the ISA 62443 effort, in particular as presented in ANSI/ISA-62443-1-1. Definitions for terms are found on the ISA 99 wiki at http://isa99.isa.org/ISA99%20Wiki/Master-Glossary.aspx and will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."

The SSA specifications define and use the notions of security zone, conduit and security level introduced in ANSI/ISA-62443-1-1, to be discussed further in ISA 62443-3-2 “Security for industrial automation and control systems Part 3-2: Risk assessment and design,” which is currently under development.

The SSA FSA-S requirements for certification include all requirements in ANSI/ISA-62443-3-3 “Security for industrial automation and control systems Part 3-3: System security requirements and security levels.” The certification levels for the FSA-S evaluation of a security zone within a system align with the ANSI/ISA-62443-3-3 capability security levels and associated requirements. The IEC has separately approved this standard as IEC 62443-3-3.

The ISASecure process evaluation requirements for SDLA certification and SDA-S artifact assessment align with the requirements in the approved standard ANSI/ISA-62443-4-1 “Security for industrial automation and control systems Part 4-1: Secure product development lifecycle requirements.” The IEC has separately approved this standard as IEC 62443-4-1.

Certified systems

The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, a specific layout or (for a scalable system) a set of layouts, and references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, system model 234, version 1.9 with layouts as described in a named reference document, might be certified to ISASecure SSA 2.6.1. The ISASecure SSA certificate for a system will name its security zones and the levels to which they have been certified.

The SSA program defines procedures to maintain certification for updated versions of the system (possibly with further scalability options), to later versions of the ISASecure evaluation program, and to higher certification levels.

Subject to permission of each system supplier, ISCI will post the names of certified systems on its web site http://www.ISASecure.org

Certification Program Documentation


Figure 2 - ISASecure SSA Documents

System Security Assurance (SSA) Certification Scheme Description

SSA-100 ISASecure Certification Scheme
SSA-102 Errata

Lab Accreditation Requirements

ISASecure-115 Transition to SDLA 2.0.0, EDSA 2.1.0 and SSA 2.1.0

Initial Certification and Maintenance of Certification Policies and Criteria

SSA-300 ISASecure Certification Requirements
SSA-301 Maintenance of ISASecure Certification
EDSA-301 Maintenance of ISASecure Certification

Scope SSA Certification Requirements (5 Categories of Assessment)

 
SSA-310 Requirements for System Robustness Testing (SRT)
EDSA-310 Embedded Device Robustness Testing
SSA-311 Functional Security Assessment for Systems (FSA-S)
EDSA-311 Functional Security Assessment for Embedded Devices
SSA-312 Security Development Artifacts for Systems (SDA-S)
SDLA-312 Security Development Lifecycle Assessment (SDLA)
SDLA-100 ISASecure Certification Scheme
SSA-420 Vulnerability Identification Test (VIT) Policy Specification

CRT Test Requirements for Protocols

 
EDSA-401 Ethernet robustness test specification
EDSA-402 ARP robustness test specification
EDSA-403 IPv4 robustness test specification
EDSA-404 ICMPv4 robustness test specification
EDSA-405 UDP robustness test specification
EDSA-406 TCP robustness test specification

ISASecure® SSA Conformance Scheme Fees

 
SSA Certification Registration Fee - Member (billed when passed) $7,500
SSA Certification Registration Maintenance Fee - Member (billed when passed) $2,500
SSA Certification Registration Fee - non-Member (billed when passed) $12,500
SSA Certification Registration Maintenance Fee - non-Member (billed when passed) $3,000

System Security Assurance (SSA) - version 2.0.0

(Valid until 2/13/2019)

Scope

The SSA FSA-S requirements for certification include all requirements in IEC 62443-3-3 “Security for industrial automation and control systems – System security requirements and security levels.” The security levels for the FSA-S evaluation of a security zone within a system align with the IEC 62443-3-3 security levels.

ISASecure SDLA process evaluation requirements and levels will be revised as necessary to align with the requirements and levels in IEC 62443-4-1 “Security for industrial automation and control systems – Product development requirements” when it is published and maintained.  In addition, embedded devices and other components included in the control system under test must be EDSA certified or meet the EDSA requirements at the time of certification.  The IEC 62443 standards relevant to the EDSA cybersecurity requirements are IEC 62443-4-1 and IEC 62443-4-2.

ISASecure SSA is a certification program for a particular subset of control systems. A control system product that meets all of the following criteria may be certified under the SSA program:
 
  • The control system consists of an integrated set of components and includes more than one device.
  • The control system is available from and supported as a whole by a single supplier, although it may include hardware and software components from several manufacturers.
  • The supplier has assigned a unique product identifier to the control system which the supplier uses in the marketplace to refer to the integrated set of components as a whole.
  • The system product is under configuration control and version management.
[SSA-300] provides examples and additional discussion of the types of systems that may be certified under the SSA program.

Technical ISASecure SSA evaluation criteria

In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle process evaluation.  This evaluation may be performed as part of the SSA evaluation, or may have been completed previously if the supplier  holds an ISASecure SDLA process certification, as described in [SDLA-100]. A supplier may at their option apply for SSA and SDLA certification in parallel. ISASecure SSA certification of systems has four additional elements:
 
  • Security Development Artifacts for systems (SDA-S);
  • Functional Security Assessment for systems (FSA-S);
  • Functional Security Assessment for embedded devices (FSA-E); and
  • System robustness testing (SRT).
SDA-S examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the system to be certified. FSA-S examines the security capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are components of the system, recognizing that in some cases security functionality is provided by other system components. SRT has three major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT), and Network Stress Testing (NST). VIT scans all components of a system for the presence of known vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions) at its network interfaces.

The following figure illustrates the elements of ISASecure SSA certification.


Figure 1 - Evaluation Elements for  ISASecure SSA Certification


The SSA certification process for a system may leverage prior ISASecure EDSA certifications for embedded devices that are components of that system. In particular, if a component of a system is a certified ISASecure EDSA embedded device, then FSA-E and the CRT aspect of SRT need not be performed on that device as part of the SSA certification process. This is due to the fact that these assessments will have been performed previously under the ISASecure EDSA certification process.

A system submitted for certification is comprised of one or more security zones together with desired capability security levels for each zone. The notions of security zone, security level and capability security level are introduced in [ISA 62443-1-1]. Evaluation criteria for SDA-S and FSA-S increase in rigor for higher security levels.

Relationship of the SSA program to IEC 62443

A goal for the SSA certification program is to offer a compliance program for the IEC 62443 series of standards. IEC 62443 standards address security for IACS. ISASecure SSA certification incorporates requirements that apply to control systems, which are the hardware and software components of IACS.

It is the intent that the ISASecure program align terminology, concepts and reference architectures with those used by the IEC 62443 effort, in particular as presented in IEC 62443-1-1. Definitions for terms are found on the ISA 99 wiki and will be published in the technical report currently under development: ISA TR 62443-1-2 "Security for industrial automation and control Systems - Master glossary of terms and abbreviations."

The SSA specifications define and use the notions of security zone, conduit and security level introduced in IEC 62443-1-1, to be discussed further in IEC 62443-3-2 “Security for industrial automation and control systems – Risk assessment and design,” which is currently under development.

The SSA FSA-S requirements for certification include all requirements in IEC 62443-3-3 “Security for industrial automation and control systems – System security requirements and security levels.” The security levels for the FSA-S evaluation of a security zone within a system align with the IEC 62443-3-3 security levels.

In the future, the ISASecure SDLA process evaluation requirements and levels will be revised as necessary to align with the requirements and levels in the planned standard IEC 62443-4-1 “Security for industrial automation and control systems – Product development requirements.” This standard is under development.

Certified systems

The supplier for a system that has been evaluated under the ISASecure SSA certification program and shown to meet these technical criteria may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures. Certification applies to a particular version of a system, and references an ISASecure certification version. The ISASecure certification version number includes the year that the ISASecure version was released by ISCI, and a sequence number within that year. For example, system model 234, version 1.9 might be certified to ISASecure SSA 2014.1, which is the first ISASecure SSA version released in 2014. The ISASecure SSA certificate for a system will name its security zones and the security levels to which they have been certified.

The SSA program defines procedures to maintain certification for updated versions of the system, to later versions of the ISASecure evaluation program, and to higher certification levels.

Subject to permission of each system supplier, ISCI will post the names of certified systems on the Registered Device List.

Certification Program Documentation


Figure 2 - ISASecure SSA Documents

System Security Assurance (SSA) Certification Scheme Description

SSA-100 ISASecure Certification Scheme
SSA-102 Errata

Initial Certification and Maintenance of Certification Policies and Criteria

SSA-300 ISASecure Certification Requirements
SSA-301 Maintenance of ISASecure Certification

Scope SSA Certification Requirements (5 Categories of Assessment)

 
SSA-310 Requirements for System Robustness Testing (SRT)
SSA-311 Functional Security Assessment for Systems (FSA-S)
SSA-312 Security Development Artifacts for Systems (SDA-S)
SDLA-312 Security Development Lifecycle Assessment (SDLA)
SSA-420 Vulnerability Identification Test (VIT) Policy Specification

Lab Accreditation Requirements

ISASecure-112 Transition to EDSA 2.0.0 and SSA 2.0.0

ISASecure® SSA Conformance Scheme Fees

 
SSA Certification Registration Fee - Member (billed when passed) $7,500
SSA Certification Registration Maintenance Fee - Member (billed when passed) $2,500
SSA Certification Registration Fee - non-Member (billed when passed) $12,500
SSA Certification Registration Maintenance Fee - non-Member (billed when passed) $3,000