Establishment of ISASecure Japanese Scheme and Publication of ISASecure Embedded Device Security Assurance Certification Program Specifications in Japan

-Promotion of Pilot Project for establishment and promotion of ISASecure® EDSA scheme-

As part of enforcement of industrial control systems (ICS) security, IPA（Information-technology Promotion Agency, Japan）has officially published the future plans for promotion of ISASecure EDSA and specifications for the ISASecure® EDSA certification scheme English-Japanese version on the website of ISCI (USA) and IPA starting April 15th, 2013.

URL： http://www.ipa.go.jp/security/fy25/reports/edsa/index.html

 

Organizations have increasingly utilized general purpose platforms such as Windows and UNIX in control systems and, network and external media have been increasingly utilized for cost reduction and convenience.

However, the use of general purpose technology has increased the levels of cyber-attack threats on critical systems in Japan. In response, IPA has initiated the implementation of unified security standards and is promoting their adoption to ensure the security of control systems such as in critical infrastructure.

 

In response to increasing cyber security threats, IPA is promoting a pilot project in Japan incorporating the ISASecure EDSA certification program for ICS. 
 

In September 2012, IPA and the ISA Security Compliance Institute (ISCI) agreed on mutual cooperation to establish the ISASecure EDSA certification scheme in Japan. In October 2012, IPA made a proposal for more globalized ISASecure EDSA certification scheme and entered into a formal agreement with ISCI to proceed with this important initiative.
 

In March 2013, ISCI, the American National Standards Institute (ANSI)/ACLASS, Japan Accreditation Board (JAB) and IPA met at ANSI headquarters in Washington DC and discussed plans for establishment of an ISASecure EDSA accreditation body in Japan; concluding with an agreement and plan to proceed forward. The group also discussed publication of the ISASecure EDSA specifications Japanese translation.
 

 

 Four Party Meeting（ISCI, ANSI, JAB and, IPA）[March 18, 2013, at USA ANSI HQ]

 

Key details resulting from the meeting at ANSI headquarters include:

 

The ISASecure EDSA certification scheme currently uses an ANSI/ACLASS accredited North American test lab (certification body)to assess ICS devices.  To facilitate support for the ISASecure EDSA scheme in Japan and the nearby region, IPA is developing lab accreditation capabilities through the JAB and will establish an accredited ISASecure EDSA testing lab in Japan. 

In March 2013, by utilizing the international mutual approval framework of the IAF (International Accreditation Forum) / ILAC (International Laboratory Accreditation Cooperation)at the four party(ISICI, ANSI/ACLASS, JAB and IPA) meeting, registration of JAB as the local ISASecure EDSA accreditation body was proposed and discussed, concluding in an agreement. JAB will be the first formal accreditation body for ISASecure EDSA test labs (certification body) in Japan and the JAB and ISCI drafted a MOU (memorandum of understanding) formalizing the relationship. 

 

2. Publication of ISASecure® EDSA specifications Japanese translation
 

The ISASecure EDSA certification consists of about 20 specifications (including ISCI internal documents) that establish requirements for testing, assessment and, certification for control system security. The specifications also include recognition requirements for test tools and accreditation requirements for test labs (certification bodies). IPA expects that publication of the Japanese translation would encourage adoption of the ISASecure EDSA scheme in Japan.  It will also enable all interested parties in Japan including control device/ system vendors and users to make proposals to the international standards community more smoothly. The English version of the ISASecure EDSA specifications and the Japanese translation are both available for viewing and download from the ISCI website at www.isasecure.org.

 

JAB plans to start the first formal ISASecure EDSA accreditation assessment for an applicant test lab (certification body) located in Japan during fiscal 2013.  The Japan based test lab will begin ISASecure EDSA certifications in fiscal 2014.

IPA is established to undertake matters deemed essential to the interest of the general public, including ensuring stability in people’s lives, society and the economy. IPA activities are aimed at fulfilling three missions: 1) Assuring the security and reliability of social IT services and systems 2) Strengthening international competitiveness 3) Cultivating highly skilled world-class IT human resources. www.ipa.go.jp
 

The ISASecure program has been developed by the ISA Security Compliance Institute (ISCI) with a goal to accelerate industry-wide improvement of cybersecurity for Industrial Automation and Control Systems (IACS). It achieves this goal by offering a common industry-recognized set of device and process requirements that drive device security, simplifying procurement for asset owners and device assurance for equipment vendors.

 

ISASecure Embedded Device Security Assurance Certification (ISASecure EDSA), the first ISASecure certification, focuses on security of embedded devices and addresses device characteristics and supplier development practices for those devices. Through this certification, an embedded device that meets the requirements of the ISASecure specifications receives the ISASecure EDSA certification—a trademarked designation that provides instant recognition of product security characteristics and capabilities. ISASecure EDSA offers three certification levels for a device based on increasing levels of device security assurance: ISASecure Level 1 for Devices, ISASecure Level 2 for Devices, and ISASecure Level 3 for Devices.
 

The ISASecure EDSA certification is an ISO/IEC Guide 65 conformance scheme supporting ISCI’s goal to operate a globally recognized industrial automation controls cybersecurity certification program. This third-party accreditation by ANSI/ACLASS enhances the credibility and value of the ISASecure certification by attesting to the competence and qualification of ISCI certification bodies and laboratories. Visit www.ansi.org/isasecure for details on the ISASecure ANSI/ACLASS accreditation process.
 

Founded in 2007, the ISA Security Compliance Institute’s mission is to provide the highest level of assurance possible for the cyber security of industrial automation control systems.
 

The Institute was established by thought leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of Critical Infrastructure for generations to come. Founding Members include Chevron, ExxonMobil Research and Engineering, Honeywell, Invensys, Siemens, and Yokogawa. Key Technical Members include exida and RTP Corp.
 

The Institute’s goals are realized through industry standards compliance programs, education, technical support, and improvements in suppliers’ development processes and users’ life cycle management practices. The Institute’s ISASecure™ designation ensures that industrial automation control products conform to industry consensus cyber security standards, providing confidence to users of ISASecure™ products and systems and creating product differentiation for suppliers conforming to the ISASecure™ specification. www.isasecure.org.
 

ISASecure EDSA Certification is a trademark of the ISA Security Compliance Institute.