The ISA Security Compliance Institute (ISCI) has formally approved an Embedded Controller Security Assurance (ECSA) Framework.
ISA99 work products define an embedded controller as a device containing embedded software that communicates over a network interface (wired or wireless) and which monitors, controls or actuates an industrial process.
Certifying embedded controllers is an industry priority because they directly control the production equipment in manufacturing processes and are the last line of defense for cyber security of industrial automation controls. The ECSA Framework establishes important foundational definitions necessary for completion of the ISASecure ECSA test specification. It establishes the scope of the ISASecure test specification, and identifies the embedded controller testing approach and high level criteria for passing or failing the ISASecure tests.
A publicly available version of the ISASecure ECSA Framework describing the ECSA certification program will be published and posted on the ISCI website (www.isa.org/ISASecure) this month.
The detailed ISASecure ECSA certification includes three broad areas of assessment for embedded controllers. These are Security Functional Assessment, Protocol Robustness Testing, and Software Development Security Assessment. The ECSA test specification will undergo an independent review and is slated for completion at the end of Q3 2009.
ISCI Vice Chairman, Ivan Susanto from Chevron commented that ‘This is an important milestone towards our original vision for ISCI. The ISASecure certification program will provide assurances to owner/operators that products meet a known baseline cyber security requirement, reducing the complexity and costs for procuring automation control products.’
The ISASecure test specification is designed to be used by suppliers in their product development and manufacturing processes to facilitate baseline security levels in Industrial Automation Control Systems (IACS) products. The same ISASecure test specification will also be used by ISCI accredited independent labs to certify cyber security characteristics of IAC products using ISCI accredited test tools. ISASecure certification testing will commence in First Quarter 2010.
Visit the ISA Security Compliance Institute website at www.isa.org/isasecure to learn more about the ISASecure program and how to join this important industry initiative.
About the ISA Security Compliance Institute Founded in 2007, the ISA Security Compliance Institute’s mission is to provide the highest level of assurance possible for the cyber security of industrial automation control systems.
The Institute was established by thought leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of Critical Infrastructure for generations to come. Founding Members include Chevron, ExxonMobil Research and Engineering, Honeywell, Invensys Process Systems, Siemens, and Yokogawa. Key Technical Members include Exida, Mu Dynamics, Rockwell Automation, and Wurldtech Security Technologies.
The Institute’s goals are realized through industry standards compliance programs, education, technical support and, improvements in suppliers’ development processes and users’ life cycle management practices. The Institute’s ISASecure designation ensures that industrial automation control products conform to industry consensus cyber security standards, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification. www.isa.org/isasecure