The ISASecure certification scheme includes product testing as part of the overall product assessment process. Vulnerability Identification Testing (VIT) and Communication Robustness Testing (CRT) / System Robustness Testing (SRT) are the two broad categories of product testing performed today.
The ISA Security Compliance Institute operates a structured Communication Robustness Testing (CRT) tool recognition program to identify CRT tools acceptable for use by certification bodies (CB) in ISASecure certification programs. The CRT tools must be capable of supporting published ISASecure cybersecurity certification test requirements. CRT tool recognition requirements and ISASecure product certification test requirements are described in ISASecure specifications, available for download on this website.
CRT and SRT Testing
CRT and SRT testing ensures that devices and systems meeting ISASecure certification requirements are robust against network attacks.
CRT test tools that have been recognized by ISCI are the only tools that may be used by ISCI-accredited labs (CB) during the CRT testing and System Robustness Testing (SRT) portions of the ISASecure EDSA and SSA certifications.
IEC 62443 product security development practices require suppliers to use CRT test tools during the internal product development and testing lifecycle phases to identify and correct network-based security vulnerabilities. While not required, using recognized CRT tools during the development process can aid suppliers in preparing for the formal ISASecure certifications.
CRT and SRT Test Tools
A list of ISCI Recognized CRT and SRT test tools can be found using the link below. ISCI is in constant contact with cybersecurity test tool suppliers and new CRT and SRT test tools will be added in the future.
Listing of ISCI Recognized CRT Test Tools
Vulnerability Identification Testing
The purpose of Vulnerability Identification Testing (VIT) is to scan the device under test (DUT) with a commercially available tool to identify known vulnerabilities. The device supplier must correct known vulnerabilities discovered during the VIT scan to meet the ISASecure product certification requirements.
The ISASecure program uses the US-CERT National Vulnerability Database (NVDB) as the reference list for identifying known vulnerabilities, providing objectivity and transparency for the ISASecure assessment process. Known vulnerabilities in the US-CERT NVDB are organized into globally accepted Common Weakness Enumeration (CWE) categories, and the NVDB is updated on an ongoing basis as new vulnerabilities are identified and verified.
The VIT test is run when devices are evaluated for ISASecure certification, and the time and date of the scan are recorded. This allows suppliers and end-users to know which NVDB vulnerabilities were included in the scan.
ISCI recommends that end-users require their suppliers to re-run the VIT during factory acceptance testing (FAT) and site acceptance testing (SAT). These procurement steps ensure that new vulnerabilities that may have been discovered and added to the US-CERT NVDB during the time interval between the ISASecure certification VIT scan date and commissioning date are identified.
Information about the US-CERT NVDB may be found on the United States NIST website at: http://nvd.nist.gov
Information about the CWE categories may be found on the US NIST website at: http://nvd.nist.gov/cwe.cfm
VIT Test Tools
ISCI evaluates commercially available VIT test tools and recognizes them for use by ISASecure CBs for formal product testing and certification. VIT tools are selected based upon several factors, including but not limited to broad availability/support, industry acceptance, and tight linkages with the US-CERT NVDB.
A list of ISCI Recognized VIT test tools can be found using this link:
Listing of ISCI recognized Vulnerability Identification Testing Tools
For Cybersecurity CRT Test Tool Suppliers – How to Get Your CRT Test Tool Recognized
Companies wishing to include their CRT test tool in the ISASecure certification scheme must submit their tools to ISCI for evaluation. Click on the link below for a description of the submittal process.
ISCI CRT Test Tool Recognition Process
Test Tool Providers
185 Berry Street, Suite 6500
San Francisco, CA 94107 USA
US (800) 873-8193
International +1 (415) 321-5237
Contact: Chris Clark
Email : firstname.lastname@example.org
Url : www.synopsys.com/software
Wurldtech Security Technologies
19925 Stevens Creek Blvd.
Cupertino, CA 95014
Links to Global Offices / Contact Information
Suite 2000 - 1055 Dunsmuir St.
PO Box 49133
Vancouver, BC V7X 1J1 Canada
Phone: (604) 669-6674
Fax : (604) 669-2902
email : email@example.com
url : www.wurldtech.com
CNCERT/CC(National Computer Network Emergency Response Technical Team/Coordination Center of China)
Address: No. A3 Yumin Road, Chaoyang District, Beijing
Phone: 0086 10 82990212
Beijing Xinlian Kehui Technology Co., LTD
Address: Room 313, Building 2, No. 28 Zhenxing Road, Science Park Changping District, Beijing
Phone: 0086 10 85926718
Beijing Winicssec Technologies Co.Ltd.
Address: Room 901, Building F, Jiahua Building, Shangdi 3rd Street, Haidian District, Beijing, China
Tenable Network Security
7021 Columbia Gateway Drive
Columbia, MD 21046
North America: +1 (410) 872-0555
LATAM: +1 (4403) 545-2278
Tenable Network Security
8 The Square
Stockley Park, Uxbridge
Middlesex, UB11 1FW
+44 (0) 203-178-4247
Tenable Network Security
600 North Bridge Road
#09-06 Parkview Square