The ISA Security Compliance Institute, which manages the ISASecure industrial cybersecurity certification scheme for industrial automation and control systems (IACS), announced updates to certification requirements for the Embedded Device Security Assurance (EDSA) certification and System Security Assurance (SSA) certification.
Changes impact ISASecure communication robustness tool (CRT) providers and technical readiness for ISASecure certification bodies (CB).
ISASecure certifies to the international IEC 62443 series of IACS cybersecurity standards. Products are evaluated for conformance by independent labs accredited by JAB, ANSI/ANAB and, DaKKS. Lab accreditation requirements include ISO 17065, ISO 17025 and scheme-specific ISASecure requirements.
The new EDSA and SSA industrial cybersecurity certification requirements are posted on www.isasecure.org and are generally referred to as Version 2. The new requirements are effective for any products submitted on or after Feb. 1 2016.
The EDSA and SSA requirements specifications on the website include documents that provide details and guidance on the transition to Version 2 (ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0) and related policies (ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0) respectively.
Updates include expanded requirements for vulnerability identification test (VIT) scans of products submitted for certification. In addition, the certification specification requirements documents have been simplified for use by industrial cybersecurity certification labs and suppliers. A key change includes references to a security development lifecycle assurance (SDLA) requirements document, which is used in both the EDSA v2 and SSA v2 certifications.
Additional important changes to requirements are included in the transition and policy documents referenced above: ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0 and ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0.