ISA Security Compliance Institute
Providing Industrial Control Systems Security Standards Compliance
Program Overview
Industry leaders from a number of major control system users and manufacturers have investigated the feasibility of creating an organization to establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products. The mission of the proposed organization is:
"The organization's mission is to decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders to:
- Facilitate the independent testing and certification of control system products to a defined set of control system security standards;
- Use existing control system security industry standards, where available, develop or facilitate development of interim standards where they don't already exist, and adopt new standards when they become available;
- Accelerate the development of industry standards that can be used to certify that control systems products meet a common set of security requirements.
The standards, tests, and conformance processes for control systems products will allow the products to be securely integrated. An ultimate goal is to push the conformance testing into the product development life cycle so that the products are intrinsically secure."
For more details on the history of the ISA Security Compliance Institute initiative, including the feasibility study describing the market needs, visit www.isa.org/isasecure/history.
Compliance Program Benefits
The rewards to the automation controls industry and your company are significant.
For asset owners, a well-designed and well-managed product security certification process results in reduced costs and time commitment in product selection and deployment. Key benefits include:
- Certification saves time and costs for validation and verification of security capabilities.
- Certification provides assurances that products are more secure 'out of the box', leading to improved process reliability and safety.
- The security certification stamp provides instant recognition of product characteristics and capabilities.
- Asset owners are able to specify and successfully procure compliant products that interoperate.
- Certification can mitigate government security compliance regulation with full industry participation.
- Organizations are positioned favorably for insurance requirements that may be emerging for security compliance levels.
- The same kind of assurance "stamp" that exists for safety will exist.
- The program leverages industry capabilities for reduced overall cost of delivery.
For suppliers and integrators, the certification process provides a single compliance framework and an industry stamp of approval, resulting in faster time to market and lower development and integration costs. Key benefits include:
- Suppliers are able to make and substantiate clear claims of compliance to an open, consensus industry standard.
- Certification responds to a common need for a shared security vision to be executed by suppliers, asset owners, and consultants. This helps suppliers build what users want.
- The program provides security requirements guidance from industry to suppliers based on testing standards.
- The program addresses the security characteristics of the product that allow it to be integrated into a larger system.
Finally, for the standards bodies and government agencies developing industrial security specifications, the result will be better, field-tested standards that are clearly being followed by industry.
Program Description
The ISA Security Compliance Institute is expected to establish an ISASecure designation which identifies and promotes security standards compliant products and systems. Certification provides the formal recognition of a product's compliance to an industry standard security specification, creating a key differentiator for the product. Compliant products are entitled to carry the ISASecure designation, providing instant recognition of the product's security characteristics to asset owners, integrators, and the buying public.
Compliance Testing Process
ISA Security Compliance Institute members, working with technical staff retained by the ISA Security Compliance Institute, will develop a set of compliance requirements based on ISA99 security standards and other relevant standards (such as IEC or DHS recommendations). Using the compliance requirements, the ISA Security Compliance Institute will derive and publish compliance test specifications.
In addition to establishing a way of certifying compliant products, the ISA Security Compliance Institute will establish a means of certifying compliant tests and agencies. Options include self-assessments by suppliers as well as testing by independent test agencies.
The ISA Security Compliance Institute will establish a means for registration of compliant products and tests, such as a web portal listing compliant products.
As part of the process, the committees may uncover gaps, deficiencies, and/or clarifications needed in the existing security standards used to derive the compliance requirements. Through the use of appropriate technical experts retained by the ISA Security Compliance Institute, the findings and recommendations will be conveyed to the appropriate standards organizations, including ISA99, with the goal of more rapidly facilitating development of relevant, comprehensive international consensus standards.
Technical Scope of ISA Security Compliance Institute Compliance Testing
Strategically, the technical scope of the program extends from the device level to the gateways (Level 0 to Level 3 plus the gateway interface between Level 3 and Level 4) as reflected by this ISA99 reference model.
ISA Security Compliance Institute compliance requirements development and testing will be deployed in phases starting with the following devices in priority sequence:
- Wired IP network devices
- Wireless IP network devices
- Windows-based devices
Commencing with the second year of operations, the ISA Security Compliance Institute compliance profiles will be expanded based on tactical (near term) and strategic (long term) compliance topics.
ISASecure Milestones
The ISA Security Compliance Institute will be developed and launched over a 21-month timeframe, requiring a total investment of $1,500,000 during that period. The subsequent annual operating budget for certification program management is estimated at $750,000. Program milestones and dates for the launch and operations phases are:
| Milestone Date | Milestone |
| December 31, 2007 | Founding Strategic Membership Close Date |
| January 30, 2008 | ISA Security Compliance Institute Formal Launch |
| May 30, 2008 | Technical Direction, Scope, and Approach Determined |
| August 31, 2008 | Compliance Profiles Completed |
| November 30, 2008 | Certification Program Operations, Policies, and Processes Complete |
| May 30, 2009 | Certification Program Operational |
| June 1, 2009 | Start Processing Certification Requests |
| June 1, 2010 | ISASecure in Procurement Requirements |
The membership fee structure is designed to fund the work necessary to continue the ISA Security Compliance Institute's strategic objectives, such as broadening coverage of standards in the compliance certification program.
Membership Levels and Fees
The ISA Security Compliance Institute strives to represent a cross section of the automation controls community, using policies and guidelines to ensure that the organization maintains a balance of asset owners, suppliers, and other significant stakeholders. To this end, the ISA Security Compliance Institute offers membership levels and fees to encourage full participation from the automation controls community.
A membership prospectus describing the ISASecure program is available for download at: www.isa.org/ISASecure/history.
Strategic Member
Voting Member - Appeals to companies who wish to set the strategic objectives of the consortium.
Entitlements
- The initial Board (Founding Members) will define the Board structure (size, composition), governing rules and operations.
- Founding Strategic Members set the strategic objectives of the consortium and receive a guaranteed board seat. Strategic Members enjoy all privileges of lower categories of membership.
Founding Strategic Members are those who sign up by December 31, 2007 with an initial two-year commitment. They will influence the initial direction of the Institute and determine how to achieve a balanced view of asset owners and suppliers. No limit will be set on the size of the initial Governing Board comprised of Founding Strategic Members.
Annual Dues
| $50,000 | Corporate Membership regardless of company revenues |
| $133,650 | Discounted multi-year Corporate Membership for 3 years paid in full |
The annual membership fee for a Founding Strategic Member is $50,000 with an initial two-year commitment. Founding Strategic Members may commit to a 3-year membership for $133,650, reflecting a nominal discount for the multi-year commitment.
Technical Member
Voting Member - Appeals to companies who wish to influence compliance specifications and processes. Technical members determine and manage the detailed tasks necessary to develop specifications for compliance profiles, develop procedures and software tools needed for compliance testing, establish technical support programs for suppliers and asset owners, and other outreach activities necessary to operate the ISASecure compliance program.
Entitlements
Technical Committee Members receive full, voting participation in all technical processes and enjoy all privileges of all categories of membership other than Strategic Membership. Annual membership dues are based on corporate revenues according to the table below:
| Annual Dues | Annual Corporate Revenues |
| $25,000 | Over $1,000,000,000 |
| $20,000 | $500,000,000 - $1,000,000,000 |
| $15,000 | $100,000,000 - $500,000,000 |
| $10,000 | $50,000,000 - $100,000,000 |
| $5,000 | Less than $50,000,000 |
Informational Member
Non-voting Member - Appeals to academics, consultants, analysts, and individuals.
Entitlements
Informational Members receive periodic information regarding technical specifications and other ISASecure program updates, but may not actively engage in formal technical meetings of the ISA Security Compliance Institute.
Annual Dues
$1,500
How to Join
Contact us for more information on this prospectus. Interested organizations may join at any time. Organizations who desire to join at the Founding Strategic Membership level must return completed membership applications with payment to ASCI by December 31, 2007.
Membership application forms, showing member fees and mailing instructions, are available for download at http://www.isa.org/ISASecure/join.
Contact Information
Andre Ristaino
Managing Director, Automation Standards Compliance Institute
ISA
67 Alexander Drive
PO Box 12277
Research Triangle Park, NC 27709
Direct (919)-990-9222
Fax (919)-549-8288
Email: aristaino@isa.org
www.isa.org