FAQs

The Institute provides market awareness, technical support, education, and compliance for the ISASecure industrial automation control systems (IACS) security requirements that are based on ISA99 and other relevant IACS security standards.

The Institute operates as a Forum within the Automation Standards Compliance Institute, a non-profit entity established and owned by ISA for the purpose of creating linkages between IACS industry standards and market adoption / adherence to those standards.

No.  The Institute is a consortium whose members are comprised of organizations, not individuals.  The Institute is part of ASCI a non-profit 501 (c) (6) corporation owned by ISA.

No.  The Institute is not a Standards Development Organization (SDO) while the ISA99 Standards Committee is a standards development initiative within ISA, an ANSI accredited SDO.  The Institute promotes the adoption of work products resulting from efforts of the ISA99 Standards Committee and other relevant IACS SDO’s.

The Institute was founded by members associated with ISA99 Standards efforts and will include ISA99 Standards as the basis for ISASecure conformance requirements.  However, the Institute recognizes the value of other IACS Security initiatives and is chartered to include their output in the ISASecure conformance requirements based upon consensus from Institute’s Technical Committee Members.

ISA is an individual membership organization whose mission does not include compliance programs and as a mature industry organization ISA has over 14,000 dues paying members. The Institute is an industry consortium comprised of companies/organizations and will manage compliance programs that typically experience high funding requirements during startup. The Institute is expected to have 200-300 members when the program matures.

The Institute provides value to the IACS community over the full life cycle of control systems.  This includes the development process for control system products, the control system devices/systems and, the deployment and life cycle management of control systems at user sites.  As such, users/asset owners benefit from the ISASecure program over and above assurances of product conformance.

Building test labs is not part of the Institute’s launch and growth strategy.  Labs require extensive capital investments and intensive planning and development.  The Institute seeks to use existing relationships between suppliers and testing labs in combination with developing business agreements with established labs who meet the qualifications to conduct conformance testing on behalf of the ISA Security Compliance Institute.  A key objective is to minimize the cost and inconvenience to suppliers associated with establishing new relationships with testing entities.

The Automation Standards Compliance Institute owns the ISASecure specification.

The ISA Security Compliance Institute uses a technical steering committee comprised of volunteer members who evaluate and vote upon the specification in a process similar to the ISA Standards committees.  The initial work products are completed by working groups comprised of individuals from member organizations, retained subject matter experts and third party reviewers.  The Institute will post approved specifications for public comment.  We are currently evaluating approaches to gain broader input, such as a User Advisory Board.

A formal liaison exists between the ISA99 standards committee and the Institute at the Governing Board level and on the Institute’s Technical Steering Committee to assure that the work of the Institute can benefit from the work of the committee and vice-versa.

The Institute abides by the ASCI IP Policies and Procedures which includes a RAND option.  By default, all member contributions to the ISASecure specification become the property of ASCI royalty free unless specifically identified with proper notification according to the ASCI Patent Disclosure and LOA policy.

Yes, with the caveat that some details of technical tests will not be posted to a public web site for download so as not to tip off bad guys. 

The ISASecure specification is a protected brand to provide assurances to the marketplace that devices carrying the ISASecure logo have been tested and certified by a trusted third party. 

Organizations desiring to build products and operate sites that are designated ISASecure will receive the full specification in advance, as part of their overall effort to establish conformant products / operations.  However, the ISASecure logo may only be claimed if an ASCI accredited test entity completes independent testing for the organization’s product / operation.

We are using classic product launch and marketing approaches to promote ISASecure including: a dedicated website, press releases, product demonstrations, speaking engagements, trade shows and conferences,  webinars, and email correspondence.

Early adopters include BP, Chevron, ExxonMobil Research and Engineering, Honeywell, Siemens, Invensys, Yokogawa, Rockwell Automation, Industrial Defender, Mu Security, Wurldtech Security and, others.

ISASecure is a global program.  The list of early adopters is a fair representation of the global nature of the participants.

Yes.  We have members of the ISA99 Standards Committee in the Institute and a Board level formal liaison the ISA99 Standards Committee.  The Institute expects to develop additional collaborations in the future and is open to invitations from globally recognized entities in the IACS community.

Since the Institute expects to use existing testing entities, the conformance tests are anticipated to be in line with existing fees for similar device testing.  The ISASecure Embedded Controller Security Assurance certification is the first formal test being offered by the Institute.  It is similar in scope to a Safety Instrumented Systems certification (ISO/IEC 61508) and conducting the certification will entail several weeks of field work by subject matter experts and a hands-on test of the embedded device.  The first ISASecure device certification may range in cost from$50,000-$75,000 US Dollars and is established by the marketplace.

The Institute expects to use existing testing entities, selected based on input from suppliers.  We will seek testing entities with demonstrated track records for reasonable turnaround and service levels so as not to adversely affect a vendor’s ability to go to market according to their product release schedules.  A first time ISASecure EDSA test may require several weeks due to the organization reviews.  However, subsequent ISASecure EDSA tests may only require a week or so.

The Institute will publish definitions that describe thresholds which will trigger product re-testing.  The thresholds will be organized by product changes and changes in the ISASecure specification.

At the supplier’s preference, the Institute will publish conformant products on the Institute’s public facing website.  The Institute will also participate in joint promotion activities such as press releases and product demonstrations.

No.  It is a matter of circumstance that the early adopters are from the process industries.  However, the ISASecure specification is a horizontal technology specification with applicability across most industry sectors.  We have interest from organizations in many sectors including discrete manufacturing.  Over time, we expect full industry participation.

Conformant products may carry the ISASecure logo on the physical device, associated packaging and, documentation. Conformant products will be registered at the Institute by vendor model number and serial number (and other details) and ISASecure specification version number.

No.  The Institute must maintain public confidence that products carrying the ISASecure designation will perform/behave according to the ISASecure specification.  Any claims of conformance must be supported by successful completion of ISASecure conformance testing by an ASCI accredited certification authority.  Conformant products will be listed on the Institute’s conformant products register, available on the ISASecure website.  The Institute will vigorously protect the ISASecure brand to protect the value for participating suppliers and the consuming marketplace.

Yes. Product submissions, submission dates, test results and, feedback are considered proprietary and confidential.  This process creates a fiduciary relationship between the supplier organization and the Institute’s Accredited test entities.

Supplier members will pay a registration fee to have a device certified but will NOT pay per unit royalties to use the ISASecure specification. Suppliers who are NOT members of the Institute will pay a slightly higher registration fee to have a device certified.

Yes.  A non-member may submit products for ISASecure conformance testing and receive the ISASecure designation.  However, membership carries many benefits including reduced pricing for the Institute’s products and services.  Non-member companies are encouraged to join the ISA Security Compliance Institute and benefit from better understanding of the conformance requirements.