CSSC-CL Announces ISASecure® Certification of Hitachi and Yokogawa Industrial Control Devices
The Control System Security Center (CSSC, President: Seiichi Shin), established by a collaboration of industry, academia and government organizations in Japan, operates an independent organization called the CSSC certification laboratory (CSSC-CL) which has been accredited to Guide 65 by the Japan Accreditation Board (JAB). The laboratory held a certification adjudication committee on July 14th, 2014 and judged that the Hitachi HISEC 04/R900E Controller for industrial control systems and the Yokogawa CP461 module for CENTUM® VP’s field control station met the required criteria to earn the ISASecure® (*1) EDSA (*2) industrial control systems certification.
The two certified industrial control system (ICS) products are now registered as certified devices with the ISA Security Compliance Institute (ISCI(*3)). They will be published in Japan on the CSSC-CL registered devices web page (https://www.cssc-cl.org) and in the USA on the ISCI registered devices web page (www.isasecure.org).
Two important missions of the CSSC and CSSC-CL are to strengthen the security of Japan’s critical infrastructures and to boost the international competitiveness of Japan’s vendors who develop and export industrial control systems and devices. By offering the ISASecure® cybersecurity certification in Japan, it is easier for Japanese vendors to achieve the globally recognized cybersecurity certification for devices such as DCS (Distributed Control System) and PLC (Programmable Logic Controller). Based in the Tohoku region, the CSSC-CL plans to grow the certification programs to better serve Japan.
More information about the ISASecure® certified products can be found on the following websites in Japan and the USA:
-CSSC-CL website URL: https://www.cssc-cl.org (Japanese version)
-CSSC-CL website URL: https://www.cssc-cl.org/en (English version)
-USA ISCI website URL: https://www.ISASecure.org/End-User-Resources.aspx
ISASecure® EDSA related activities in Japan
CSSC works towards strengthening the cybersecurity of industrial automation and control systems (IACS) comprising Japan’s critical infrastructure through four major program areas including promotion of R&D, certification/validation technologies, propagation of research results and human resource development.
Major global oil and gas companies are now encouraging suppliers to certify control systems to ISA(*4)/IEC(*5) 62443 international industrial cybersecurity standards. In Japan, control system vendors are seeking a globally recognized cybersecurity certification such as ISASecure®, which aligns with ISA/IEC 62443 standards.
In response, the CSSC has been promoting the ISASecure® EDSA certification after establishing the CSSC certification laboratory (CSSC-CL) in August 2013. CSSC-CL is physically located at the Tohoku Tagajo Headquarters but is operationally independent from CSSC.
Figure 1. Certification Laboratory in CSSC
The CSSC-CL was independently evaluated by the Japan Accreditation Board in 2013 and earned the ISO/IEC Guide 65 and ISO/IEC 17025 designations for independent certification bodies (CB) and laboratory operations as well as specialized ISCI requirements for conducting ISASecure EDSA certifications.
The CSSC-CL is Japan’s first ISCI ISASecure® EDSA certification body accredited to conduct cybersecurity certifications for industrial control devices and the second of two independently accredited ISCI ISASecure® certification bodies globally.
Mutual recognition arrangements (MRA) (see Figure 2) among the lab accreditation bodies (AB) such as the JAB and ANSI/ACLASS provide the foundation for global recognition of CSSC-CL ISASecure® EDSA certifications. Global recognition of ISASecure® certifications increases the competitiveness of Japan’s control system vendors who develop and export products conforming to the ISASecure® certification requirements.
On 14 July 2014, CSSC-CL held a certification adjudication committee and concluded that the Hitachi and Yokogawa industrial control devices met ISASecure® EDSA certification criteria. Based on the committee’s decision, today on July 15th the CSSC-CL officially announced the first two products to be certified by CSSC-CL and posted the product registrations on the websites both in Japanese and English.
Figure 2. Globally Common EDSA Certification by International Mutual Recognition
Under the slogan of “Secure World and Future, By Secure Control Systems,” CSSC and CSSC-CL strive to strengthen the security of Japan’s critical infrastructures and the global competitiveness of Japan’s control systems vendors.
-------------------------------------------------------------------------------------------------------------------------
■Contact: CSSC Certification Laboratory, Control System Security Center
Phone: +81-22-353-6751 (Oyamada)
e-mail: info@cssc-cl.org
Web site: http://www.cssc-cl.org/en
Background and References
Overview of Control System Security Center
Cyber attacks (*6) against Iranian nuclear facilities discovered in 2010 brought the “Safety Myth” for control systems to an end. At the same time, control systems have been moving towards open systems, using COTS operating systems and standard protocols such as Ethernet and TCP/IP. This trend is making control systems that manage production operations increasingly susceptible to the same software attacks as those present in business/administrative information technology systems.
Based on the proposals by the METI supporting study group (*7), CSSC was established in March 2013 through cooperation among industry, academia and government organizations. Two key missions of the CSSC and CSSC-CL are to strengthen the security of Japan’s critical infrastructures and to enhance the international competitiveness of Japan’s vendors who develop and export industrial control systems and devices. Based in Tagajo-city in the Tohoku region, CSSC is now promoting control system security R&D, verification technologies for evaluation/assessment, contribution to standards development, testbed construction (Figure 3), human resource development and security awareness.
Figure 3. Simulated Plant in Tagajo Testbed - Drainage/Sewage Treatment Plant
Figure 4. Simulated Plant in Tagajo Testbed - Assembly Plant
Overview of Control System Security Standards and Certification Programs
CSSC has aligned industrial control cybersecurity requirements with ISA/IEC62443, general purpose international standards for control system security, and promotes ISASecure®, a certification scheme for control systems and devices based on the ISA/IEC62443 standards.
ISCI launched the ISASecure® EDSA certification in 2010 and released two additional control systems cybersecurity certifications in the first half of 2014, including the System Security Assurance (SSA) certification for control systems and the Security Development Lifecycle Assurance (SDLA) for vendor organizations. CSSC-CL is expected to start SSA and SDLA certifications in the near future.
In Japan, development of the Cyber Security Management System (CSMS) certification, a security management system for control system users, was led in 2013 by the Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency, Japan (IPA). In April 2014 the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) conducted a pilot CSMS certification and subsequently launched the CSMS certification. At present, two companies have earned the CSMS certificates.
The CSSC and CSSC-CL, in collaboration with other organizations, promote three types of certifications (organization, system/device and human resource) to strengthen the security of Japan’s critical infrastructures and enhance the global competitiveness of Japanese control system products.
NOTE
(*1) certification scheme for control systems and devices, promoted by ISCI
(*2) Embedded Device Security Assurance: certification scheme related to security assurance for control devices (embedded devices)
(*3) ISA Security Compliance Institute: scheme owner (scheme operating organization) of EDSA certification founded by ISA member consortium
(*4) International Society of Automation
(*5) International Electrotechnical Commission: an organization that develops international standards in electrical and electronic engineering fields
(*6) Stuxnet, discovered in 2010, is a highly infectious computer virus and was reportedly involved in illegal manipulation of specific control systems.
(*7) Announcement of interim report by the Study Group on Cyber Security and Economy: Office for IT Security Policy, Commerce and Information Policy Bureau, METI
http://www.meti.go.jp/press/2011/08/20110805006/20110805006.html
Announcement of interim report by the Task Force on Control System Security:
Office for IT Security Policy, Commerce and Information Policy Bureau, METI
http://www.meti.go.jp/committee/kenkyukai/shoujo/controlsystem_security/report01.html