November 2009

Embedded controller framework approved

The ISA Security Compliance Institute (ISCI) has been working hard to help ensure the security of control systems throughout the industry. One significant milestone in the past month is the approval of the ISASecure Embedded Controller Security Assurance (ECSA) test specification framework, which establishes the scope of the ISASecure test specification and identifies the embedded controller testing approach and the high-level criteria for passing or failing the ISASecure tests.

Embedded controllers are the “last line of defense in the cyber security paradigm,” said Bryan Singer, principal consulting engineer at Kenexis Consulting in Pelham, Ala. “While networks and host system protection comprise primary defenses, the reliability and robustness of the end devices is critical to maintaining safe and efficient operation. The embedded controller is a single-purpose device with on-board operating systems that control production equipment in real time. If an attacker on an industrial process makes it through all the independent protection layers of defense and gets to the embedded controller (the last line of defense), the ISASecure designation gives you a demonstrable and verifiable assurance of how resistant a certified device will be to anomalous network events or intentional attack.”

The ECSA approval signifies a key milestone in developing the ISASecure industrial cyber security certification program for suppliers, owners, and operators, as well as smart grid customers. With loyal followers and newcomers, the interest among companies highlights a consensus-based effort by the industrial automation controls community to achieve this important milestone.

ISCI was established by leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of critical infrastructure for generations to come. Founding members include Chevron, ExxonMobil Research and Engineering, Honeywell, Invensys Process Systems, Siemens, and Yokogawa. Key technical members include exida, Mu Dynamics, Rockwell Automation, and Wurldtech Security Technologies.

Find a publicly available version of the ISASecure ECSA Framework describing the ECSA certification program at www.isa.org/ISASecure.

ISA Wireless Compliance Institute adds members

In August, ISA announced two new members to the ISA100 Wireless Compliance Institute: Gastronics and Wilson-Mohr. Gastronics, a supplier of wireless gas sensors, pioneered the wireless gas monitor by developing what is now known as true wireless gas detection, a standard for many companies due to its high reliability and significant cost savings. The companies are mentioning the ISA100.11a industrial wireless standard more frequently, and “it just seemed like the right time to look into it,” said Bud Dungan, president of Gastronics. “The concept of an industrial wireless communication standard with true interoperability and mesh networking capabilities is compelling. We are anxious to add ISA100.11a capabilities to our gas sensors and have high expectations for market uptake of these products.”

Wilson-Mohr, a provider of building automation and industrial process control solutions, serves the chemical, oil and gas, utility, pulp and paper, and commercial building development industries in the energy region of the U.S. “Our customers’ operating sites are seeking operational excellence and improved effectiveness through the use of leading technologies and practices, and early adopters are asking for industrial control products based on ISA100.11a industrial wireless technology,” said Andrew Neeb, the company’s wireless business leader. “We believe the characteristic of interoperability and the ISA100 standards evolution plans provide huge advantages of product innovation and established the technology foundation for the future of industrial controls.”

ISCI maintains its original plan to develop and maintain consensus-based ICS cyber security test specifications only, not test tools and laboratories. ISCI encourages test agencies, auditors, and test-tool vendors to develop products and services and test to the ISASecure specification.

ECSA significance

  • The detailed ISASecure Embedded Controller Security Assurance (ECSA) certification includes three broad areas of assessment for embedded controllers—Security Functional Assessment, Protocol Robustness Testing, and Software Development Security Assessment. The ECSA test specification will undergo an independent review and is slated for completion at the end of Q3 2009.
  • The ISASecure ECSA Framework document is the first publicly available ISA Security Compliance Institute (ISCI) work product describing specific content and structure of the ISASecure certification program for ICS cyber security.
  • The framework includes ISASecure program requirements addressing the security development lifecycle, planned for future phases that ISCI accelerated into the first ISASecure rollout. It was developed on a consensus-based ICS cyber security testing blueprint by a cross-section of industry interests, plus input from leading subject-matter experts, ICS product auditors, and ICS test-tool vendors.
  • ISASecure establishes a known baseline of security requirements for products that have been certified.
