News | September 2, 2015

ISA Security Compliance Institute Issues Update To ISASecure EDSA And SSA Cybersecurity Certifications

New version of EDSA and SSA certification requirements to become effective 1 February 2016

The ISA Security Compliance Institute, which manages the ISASecure cybersecurity certification scheme for industrial automation and control systems (IACS), recently announced updates to the certification requirements for the Embedded Device Security Assurance (EDSA) certification and the System Security Assurance (SSA) certification.

ISASecure certifies to the international IEC 62443 series of IACS cybersecurity standards. Products are evaluated for conformance by independent labs accredited by JAB, ANSI/ANAB, and DAkkS. Lab accreditation requirements include ISO 17065, ISO 17025 and scheme-specific ISASecure requirements.

The new EDSA and SSA certification requirements were posted on the www.isasecure.org website in June 2015 and are generally referred to as Version 2. The new requirements are effective for any products submitted on or after 1 February 2016.

The EDSA and SSA requirements specifications on the website include a document that provides details and guidance on the transition to Version 2 (ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0) and a document covering related policies (ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0).

Updates include expanded requirements for vulnerability identification test (VIT) scans of products submitted for certification. In addition, the certification specification requirements documents have been simplified for use by certification labs and suppliers. A key change includes references to a security development lifecycle assurance (SDLA) requirements document, which is used in both the EDSA v2 and SSA v2 certifications.

Additional important changes to requirements are included in the transition and policy documents referenced above: ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0 and ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0.

Changes impact ISASecure communication robustness tool (CRT) providers and technical readiness for ISASecure certification bodies (CB).

About The ISA Security Compliance Institute (ISCI)
Founded in 2007, the ISA Security Compliance Institute’s mission is to provide the highest level of assurance possible for the cyber security of industrial automation control systems (IACS).

The Institute was established by thought leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of Critical Infrastructure for generations to come. ISCI Members include Chevron, ExxonMobil, Aramco Services, Honeywell, Invensys (now Schneider Electric), Yokogawa, exida, Codenomicon, CSSC, and IPA-Japan.

The Institute’s goals are realized through industry standards compliance programs, education, technical support, and improvements in suppliers’ development processes and users’ life cycle management practices. The ISASecure designation ensures that IACS products conform to industry consensus cyber security standards such as ISA/IEC 62443, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification. For more information, visit www.isasecure.org.

Source: The ISA Security Compliance Institute (ISCI)