What does the ISA Security Compliance Institute do?
The Institute provides market awareness, technical support, education, and compliance for the ISASecure industrial automation control systems (IACS) security requirements that are based on ISA99 and other relevant IACS security standards.
Who owns the ISA Security Compliance Institute?
The Institute operates as a Forum within the Automation Standards Compliance Institute, a non-profit entity established and owned by ISA for the purpose of creating linkages between IACS industry standards and market adoption / adherence to those standards.
Are ISA Members automatically members of the Institute?
No. The Institute is a consortium whose members are organizations, not individuals. The Institute is part of ASCI, a non-profit 501(c)(6) corporation owned by ISA.
Isn’t the ISA Security Compliance Institute duplicating the efforts of the ISA99 Standards Committee?
No. The Institute is not a Standards Development Organization (SDO), while the ISA99 Standards Committee is a standards development initiative within ISA, an ANSI-accredited SDO. The Institute promotes the adoption of work products resulting from the efforts of the ISA99 Standards Committee and other relevant IACS SDOs.
Is the Institute ensuring conformance to the ISA99 Standards only or will the ISASecure designation include requirements from other sources?
The Institute was founded by members associated with the ISA99 Standards efforts and uses the ISA99 Standards as the basis for the ISASecure conformance requirements. However, the Institute recognizes the value of other IACS security initiatives and is chartered to include their output in the ISASecure conformance requirements, based upon consensus among the Institute's Technical Committee members.
Why are the Institute’s membership fees so much higher than ISA’s membership fees?
ISA is an individual-membership organization whose mission does not include compliance programs; as a mature industry organization, ISA has over 14,000 dues-paying members. The Institute is an industry consortium of companies/organizations and will manage compliance programs, which typically have high funding requirements during startup. The Institute is expected to have 200-300 members when the program matures.
Why do users have to pay a membership fee?
The Institute provides value to the IACS community over the full life cycle of control systems. This includes the development process for control system products, the control system devices/systems themselves, and the deployment and life cycle management of control systems at user sites. As such, users/asset owners benefit from the ISASecure program over and above assurances of product conformance.
Will the Institute build testing labs to perform ISASecure device conformance testing?
Building test labs is not part of the Institute's launch and growth strategy. Labs require extensive capital investment and intensive planning and development. The Institute seeks to use existing relationships between suppliers and testing labs, in combination with business agreements with established labs that meet the qualifications to conduct conformance testing on behalf of the ISA Security Compliance Institute. A key objective is to minimize the cost and inconvenience to suppliers of establishing new relationships with testing entities.
Who owns the ISASecure specification?
The Automation Standards Compliance Institute owns the ISASecure specification.
Who determines what goes into the ISASecure specification and how?
The ISA Security Compliance Institute uses a Technical Steering Committee of volunteer members who evaluate and vote upon the specification in a process similar to that of the ISA Standards committees. The initial work products are completed by working groups made up of individuals from member organizations, retained subject matter experts, and third-party reviewers. The Institute will post approved specifications for public comment. We are currently evaluating approaches to gain broader input, such as a User Advisory Board.
How do you ensure that the efforts of the ISA99 Standards Committee are properly considered in the ISASecure program and how will the Institute provide marketplace feedback to the ISA99 Standards Committee?
A formal liaison exists between the ISA99 standards committee and the Institute at the Governing Board level and on the Institute’s Technical Steering Committee to assure that the work of the Institute can benefit from the work of the committee and vice-versa.
Does the Institute use a RAND policy or do all member contributions to the specification become the property of the Institute royalty free?
The Institute abides by the ASCI IP Policies and Procedures, which include a RAND option. By default, all member contributions to the ISASecure specification become the property of ASCI royalty-free unless specifically identified, with proper notification, according to the ASCI Patent Disclosure and LOA policy.
Will the ISASecure specification be published and available for free like the ISA Standards?
Yes, with the caveat that some details of the technical tests will not be posted to a public web site for download, so as not to hand potential attackers a ready-made test plan.
The ISASecure specification is a protected brand to provide assurances to the marketplace that devices carrying the ISASecure logo have been tested and certified by a trusted third party.
Organizations desiring to build products and operate sites that are designated ISASecure will receive the full specification in advance, as part of their overall effort to establish conformant products / operations. However, the ISASecure logo may only be claimed once an ASCI-accredited test entity has completed independent testing of the organization's product / operation.
How are you promoting the ISASecure program?
We are using classic product launch and marketing approaches to promote ISASecure including: a dedicated website, press releases, product demonstrations, speaking engagements, trade shows and conferences, webinars, and email correspondence.
Which companies have joined the ISA Security Compliance Institute so far?
Early adopters include BP, Chevron, ExxonMobil Research and Engineering, Honeywell, Siemens, Invensys, Yokogawa, Rockwell Automation, Industrial Defender, Mu Security, Wurldtech Security, and others.
Is the ISASecure program for the United States only or is it an international program?
ISASecure is a global program. The list of early adopters is a fair representation of the global nature of the participants.
Are you working with other international standards organizations or other certification authorities?
Yes. We have members of the ISA99 Standards Committee in the Institute and a formal Board-level liaison with the ISA99 Standards Committee. The Institute expects to develop additional collaborations in the future and is open to invitations from globally recognized entities in the IACS community.
How much will it cost to have a device / system tested for ISASecure conformance?
Since the Institute expects to use existing testing entities, the conformance test fees are anticipated to be in line with existing fees for similar device testing. The ISASecure Embedded Device Security Assurance (EDSA) certification is the first formal test being offered by the Institute. It is similar in scope to a Safety Instrumented Systems certification (IEC 61508), and conducting the certification will entail several weeks of field work by subject matter experts plus a hands-on test of the embedded device. The first ISASecure device certification may range in cost from $50,000 to $75,000 US Dollars; the price is established by the marketplace.
How long will it take to have a device tested?
The Institute expects to use existing testing entities, selected based on input from suppliers. We will seek testing entities with demonstrated track records for reasonable turnaround and service levels, so as not to adversely affect a vendor's ability to go to market according to its product release schedule. A first-time ISASecure EDSA test may require several weeks because of the organizational reviews. However, subsequent ISASecure EDSA tests may only require a week or so.
What will trigger the need to re-test a product that is already ISASecure compliant?
The Institute will publish definitions that describe thresholds which will trigger product re-testing. The thresholds will be organized by product changes and changes in the ISASecure specification.
How will the marketplace know that a supplier’s product has earned the ISASecure designation?
At the supplier’s preference, the Institute will publish conformant products on the Institute’s public facing website. The Institute will also participate in joint promotion activities such as press releases and product demonstrations.
Is the ISASecure designation limited to process industries?
No. It is a matter of circumstance that the early adopters are from the process industries. However, the ISASecure specification is a horizontal technology specification with applicability across most industry sectors. We have interest from organizations in many sectors including discrete manufacturing. Over time, we expect full industry participation.
How are compliant products tracked and identified?
Conformant products may carry the ISASecure logo on the physical device, associated packaging, and documentation. Conformant products will be registered at the Institute by vendor model number and serial number (and other details) and by ISASecure specification version number.
Can a non-member, or member for that matter, build product that conforms to the ISASecure specification and publicly claim the product is ISASecure without the Institute testing it?
No. The Institute must maintain public confidence that products carrying the ISASecure designation will perform/behave according to the ISASecure specification. Any claim of conformance must be supported by successful completion of ISASecure conformance testing by an ASCI-accredited certification authority. Conformant products will be listed on the Institute's conformant products register, available on the ISASecure website. The Institute will vigorously protect the ISASecure brand to preserve its value for participating suppliers and the consuming marketplace.
Will the Institute assure suppliers confidentiality of product submissions and test results?
Yes. Product submissions, submission dates, test results, and feedback are considered proprietary and confidential. This process creates a fiduciary relationship between the supplier organization and the Institute's accredited test entities.
Will suppliers have to pay a royalty to use the ISASecure specification?
Supplier members will pay a registration fee to have a device certified but will NOT pay per-unit royalties to use the ISASecure specification. Suppliers who are NOT members of the Institute will pay a slightly higher registration fee to have a device certified.
Can a non-member submit a product for conformance testing and receive a valid ISASecure designation?
Yes. A non-member may submit products for ISASecure conformance testing and receive the ISASecure designation. However, membership carries many benefits including reduced pricing for the Institute’s products and services. Non-member companies are encouraged to join the ISA Security Compliance Institute and benefit from better understanding of the conformance requirements.
The ISASecure certifications are based on the ISA/IEC 62443 standards and are trusted worldwide.