ISA Security Compliance Institute

ISASecure Embedded Device Security Assurance Certification

Membership Prospectus - PDF Download

Providing Industrial Control Systems Security Standards Compliance

• Program Description
• Technical Scope
• Financials
• Membership
• Contact
• Press Releases

Program Overview

Industry leaders from a number of major control system users and manufacturers have investigated the feasibility of creating an organization to establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products. The mission of the proposed organization is:

"The organization's mission is to decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders to:

• "Facilitate the independent testing and certification of control system products to a defined set of control system security standards;
• Use existing control system security industry standards, where available, develop or facilitate development of interim standards where they don't already exist, and adopt new standards when they become available;
• Accelerate the development of industry standards that can be used to certify that control systems products meet a common set of security requirements.

The standards, tests, and conformance processes for control systems products will allow the products to be securely integrated. An ultimate goal is to push the conformance testing into the product development life cycle so that the products are intrinsically secure."

Current members of the ISA Security Compliance Institute include:

Founding Members

• Chevron
• ExxonMobil Research and Engineering
• Honeywell
• Invensys
• Siemens
• Yokogawa

Technical Members

• Exida
• Mu Dynamics
• Rockwell Automation
• Wurldtech

Informational Members

• Egemin

ISCI Governing Board

• Exxon Mobile - Johan Nye - Chairman
• Chevron - Ivan Susanto - Vice Chairman
• IPS Invensys - Ernie Rakaczky - Marketing Chairman
• Honeywell - Kevin Staggs - Technical Chairman
• Siemens - Axel Gruner
• Yokogawa - Tatsuaki Takebe
• ISA99 Liason - Eric Cosman

For more details on the history of the ISA Security Compliance Institute initiative, including the feasibility study describing the market needs, visit www.isa.org/isasecure/history.

Compliance Program Benefits

The rewards to the automation controls industry and your company are significant.

For asset owners, a well designed and managed product security certification process results in reduced costs and time commitment in product selection and deployment. Key benefits include:

• Certification saves time and costs for validation and verification of security capabilities.
• Certification provides assurances that products are more secure 'out of the box', leading to improved process reliability and safety.
• The security certification stamp provides instant recognition of product characteristics and capabilities.
• Asset owners are able to specify and successfully procure compliant products that interoperate.
• Certification can mitigate government security compliance regulation with full industry participation.
• Organizations are positioned favorably for insurance requirements that may be emerging for security compliance levels.
• The same kind of assurance "stamp" that exists for safety will exist.
• The program leverages industry capabilities for reduced overall cost of delivery.

For suppliers and integrators, the certification process provides a single compliance framework and an industry stamp of approval, resulting in faster time to market and lower development and integration costs. Key benefits include:

• Suppliers are able to make and substantiate clear claims of compliance to a consensus open, industry standard.
• Certification responds to a common need for a shared security vision to be executed by suppliers, asset owners, and consultants. This helps suppliers build what users want.
• The program provides security requirements guidance from industry to suppliers based on testing standards.
• The program addresses the security characteristics of the product that allow it to be integrated into a larger system.

Finally, for the standards bodies and government agencies developing industrial security specifications, the result will be better, field-tested standards that are clearly being followed by industry.

Program Description

The ISA Security Compliance Institute establishes an ISASecure designation which identifies and promotes security standards compliant products and systems. Certification provides the formal recognition of a product's compliance to an industry standard security specification, creating a key differentiator for the product. Compliant products are entitled to carry the ISASecure designation, providing instant recognition of the product's security characteristics to asset owners, integrators, and the buying public.

Compliance Testing Process

ISA Security Compliance Institute members, working with technical staff retained by the ISA Security Compliance Institute, are developing a set of compliance requirements based on ISA99 security standards and other relevant standards (such as IEC or DHS recommendations). Using the compliance requirements, the ISA Security Compliance Institute will derive and publish compliance test specifications.

In addition to establishing a way of certifying compliant products, the ISA Security Compliance Institute will establish a means of certifying compliant tests and test agencies. Compliance testing approaches will be determined for each product based upon the cost effectiveness and assurances for maintaining the integrity of the compliance designation. Options include self-assessments by suppliers as well as testing by independent test agencies.

The ISA Security Compliance Institute will establish a means for registering compliant products and tests, such as a web portal listing compliant products.

As part of the specification development process, the Institute’s working groups may uncover gaps, deficiencies, and/or clarifications needed in the existing security standards used to derive the compliance requirements. Through the use of appropriate technical experts retained by the ISA Security Compliance Institute, the findings and recommendations will be conveyed to the appropriate standards organizations, including ISA99 with the goal of more rapidly facilitating development of relevant, comprehensive international consensus standards.

Technical Scope of ISA Security Compliance Institute Compliance Testing

Strategically, the technical scope of the program extends from the device level to the gateways (Level 0 to Level 3 plus the gateway interface between Level 3 and Level 4) as reflected by this ISA99 reference model.

ISA Security Compliance Institute compliance requirements development and testing will be deployed in phases starting with the following devices in priority sequence:

1. Wired IP network devices
2. Wireless IP network devices
3. Windows-based devices

Commencing with the second year of operations, the ISA Security Compliance Institute compliance profiles will be expanded based on tactical (near term) and strategic (long term) compliance topics.

ISASecure Milestones

Program milestones and dates for the launch and operations phases are:

Q4 2009 - Embedded Controller Certification Program Operational

Q4 2009 - Process Early Adopter Certifications

Q1 2010 - ISASecure Certification open to public

The membership fee structure is designed to fund the work necessary to continue the ISA Security Compliance Institute's strategic objectives, such as broadening coverage of standards in the compliance certification program.

Membership Levels and Fees

The ISA Security Compliance Institute strives to represent a cross section of the automation controls community, using policies and guidelines to ensure that the organization maintains a balance of asset owners, suppliers, and other significant stakeholders. To this end, the ISA Security Compliance Institute offers membership levels and fees to encourage full participation from the automation controls community.

A membership prospectus describing the ISASecure program is available for download at: www.isa.org/ISASecure/history.

Strategic Member

Voting Member - Appeals to companies who wish to set the strategic objectives of the consortium.

Entitlements

Strategic Members are entitled to a voting seat o the Institute’s Governing Board, set the strategic objectives of the consortium and, provide leadership and guidance for the Institute. Strategic Members also enjoy all privileges of lower categories of membership.

Founding Strategic Members joined ISCI during 2007 and committed to a two year membership at the Strategic level and provided the vision and guidance to the Institute during the development phase.

Annual Dues

Technical Member

Voting Member - Appeals to companies who wish to influence compliance specifications and processes. Technical members determine and manage the detailed tasks necessary to develop specifications for compliance programs, develop procedures and software tools needed for compliance testing, establish technical support programs for suppliers and asset owners, and promote outreach activities necessary to operate the ISASecure compliance program.

Entitlements

Technical Committee Members receive full, voting participation in all technical processes and enjoy all privileges of all categories of membership other than Strategic Membership. Annual membership dues are based on corporate revenues according to the table below:

Informational Member

Non-voting Member - Appeals to academics, consultants, analysts, and individuals

Entitlements

Informational Members receive periodic information regarding technical specifications and other ISASecure program updates, but may not actively engage in formal technical meetings of the ISA Security Compliance Institute.

Annual Dues

$1,500

How to Join

Contact us for more information on this prospectus. Interested organizations may join at any time. Organizations who desire to join at the Founding Strategic Membership level must return completed membership applications with payment to ASCI by December 31, 2007.

Membership application forms, showing member fees and mailing instructions, are available for download at http://www.isa.org/ISASecure/join.

Contact Information

Andre Ristaino

Managing Director, Automation Standards Compliance Institute
ISA
67 Alexander Drive
PO Box 12277
Research Triangle Park, NC 27709
Direct (919)-990-9222
Fax (919)-549-8288
Email: aristaino@isa.org
www.isa.org

Press Releases

• 14 September: exida Joins ISA Security Compliance Institute
• 1 September: ISA Security Compliance Institute Approves the ISASecure Embedded Controller Security Assurance Certification Framework
• ISA Security Compliance Institute Starts Recruitment for All Membership Levels
• ISA Finalizing Distribution Agreement for Critical Infrastructure Cyber Security Tool
• ISA Security Compliance Institute Names Founding Strategic Members
• ISA Security Compliance Institute Proposed
• ISA Announces Creation of Automation Standards Compliance Institute