Building a Resilient World:
The ISAGCA Blog


Keeping IIoT Components Secure with ISASecure

The industrial internet of things (IIoT) has enabled the digital transformation of industrial facilities the world over. But with that power comes great responsibility, and unfortunately even greater risk for cyberattack. Industry has made clear its need for a conformance scheme that will assure and demonstrate the security of IIoT components.  

In September 2022, ISASecure announced its IIoT Component Security Assurance (ICSA) certification, developed by ISA Security Compliance Institute (ISCI) member companies and inspired by recommendations published in the 2021 study: “IIoT Component Certification Based on the 62443 Standard.”

The study, published jointly by ISCI and the International Society of Automation (ISA) Global Security Alliance (ISAGCA), addressed the urgent need for industry-vetted IIoT certification programs, with the goal of determining the applicability of the ISA/IEC 62443 series of standards and certifications to IIoT components and systems. The study examined whether existing ISA/IEC 62443 requirements (and the methods for validating those requirements) were sufficient for the IIoT environment. The results of the study confirmed the feasibility of ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2 for the IIoT environment, with manageable program enhancements (watch the webinar). 

ICSA Certification Program Readiness 

Many organizations support ISCI, including asset owners from the oil and gas industry and other tier one suppliers across many different industry sectors. 

There are nine ISO/IEC 17065/17025 accredited ISASecure certification bodies, offering worldwide ISASecure certification services, as shown in the table below.

| Certification Body | Geographic Coverage | Accreditation Status |
| --- | --- | --- |
| CSSC | Japan | Accredited |
| Exida | USA/Global | Accredited |
| TUV Rheinland | Germany/Global | Accredited |
| FM Approvals | USA/Global | Accredited |
| TUV SUD | Singapore/Global | Accredited |
| BYHON | Italy/Global | Accredited |
| Bureau Veritas | Taiwan/Global | Accredited |
| TrustCB | Netherlands/Global | In progress |
| Ikerlan | Spain/Global | In progress |

ISASecure has agreements in place with seven ISO/IEC 17011 accreditation bodies worldwide, streamlining the accreditation process for new ISASecure certification bodies. They are listed below: 

  • ANSI/ANAB, North America/Global
  • DAkkS, Germany
  • Japan Accreditation Council, Japan
  • RvA Dutch Accreditation Council, Netherlands 
  • Singapore Accreditation Council, Singapore 
  • Taiwan Accreditation Foundation 
  • A2LA, USA/Global 

ICSA Certification Program Description and Scope 

There are two types of products that can be certified under ICSA: an IIoT device (i.e., a measurable/influential interface to physical processes and an interface to untrusted networks such as the Internet), and an IIoT gateway (i.e., an intermediary that connects devices on control networks with untrusted networks). Often, IIoT products are both devices and gateways, and therefore an ICSA certification would need to satisfy requirements for both types. 

As discovered in the study, the existing ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2 certifications cover about 90% of the desired criteria for IIoT certification. The final 10% of the criteria needed for the ICSA certification includes the following: 

  • A slight restructuring of capability security levels by creating two certification security level tiers instead of four, as seen in the table below. 
  • Adding new certification requirements, including:
    • 23 new functional requirements, including seven on compartmentalization. Others include supplier root trust in hardware, remote updates and upgrades, and protection from untrusted management traffic. 
    • New lifecycle requirements, including secure design practices supporting devices failing securely, advanced notification of withdrawal from security update processes, and the Security Maintenance Audit (SMA) as described in more detail below. 
  • Removing some existing certification requirements in ISA/IEC 62443-4-2, including: 
    • CR 1.7 RE(1), or the requirement of password generation and lifetime restrictions for human users, due to periodic password changes no longer being considered a best practice; 
    • CR 2.1 RE(3), or the requirement of supervisor override, due to it not being useful for limited device functionality (which introduces risk); 
    • CR 2.1 RE(4), or the requirement of dual approval, due to its lack of use in many cases; and 
    • CR 3.9 RE(1), or the requirement of audit records on write-once media, due to records typically being sent to other systems. 
  • For existing requirements being used for the ICSA certification, refining the evaluation methods specifically for the IIoT environment.
    • For example, a 4-2 requirement states that if you are subject to a denial of service (DoS) attack, you cannot lose the operation of essential functions in your product.
    • Here, in an ICSA certification context, the certifier should verify that if there is a DoS attack that takes out the interface to the untrusted network, that essential functions of that component are still operational (i.e., the same requirement, but specific to an IIoT use case).

Transforming ISA/IEC 62443 Capability Security Levels into ICSA Certification Tiers 

As seen in the table below, security levels are determined by the potential attacker and the circumstances of the attack, and security features are allocated to those levels. For example, a Level 1 attack may be a “mistake,” in that it may not be intentional or is otherwise very low risk. On the other hand, a Level 4 attacker may potentially be a nation state that is very highly motivated and skilled to disrupt control systems.

[Figure: Chart showing security levels from the ISA/IEC 62443 series of standards, classifying from level 1 to level 4 in order of severity]

Upon review, it was determined that certifiers are looking more towards intentional, oftentimes sophisticated attacks. For that reason, a “core” tier for basic ICSA certification does not focus on Level 1 and instead begins a little above Level 2 into Level 3 for existing ISA/IEC 62443-4-2 requirements. The “advanced” tier addresses the requirements of 4-2 with the intention to protect against the highest level of adversary, as seen with Level 4.

Introducing the Security Maintenance Audit (SMA) 

The addition of SMA to the ICSA certification addresses the concerns that end-users/asset owners typically have on the “security future” of a product years after certification. (Note that passing SMA is required to maintain an ICSA certification.) 

The security maintenance audit (SMA) recommends that the certifier provides ongoing surveillance of the maintenance of product security years into the future, since certain practices in ISA/IEC 62443-4-1 cannot be fully evaluated for the future in the initial ICSA certification, such as defect management (DM) or security update management (SUM). The inclusion of SMA into the ICSA certification provides a time-driven evaluation of specific, key DM/SUM practices for products after the initial ICSA certification, typically one year after, then every three years thereafter. For example, if the supplier had a pattern of not addressing user-reported security issues or fixing known vulnerabilities in a reasonable timeframe, that would be an issue for the SMA. 

Further Resources 

Additional resources and information about the ISASecure IIoT Component Security Assurance (ICSA) certification are available:

Liz Neiman
Liz Neiman is the managing director of strategic engagement for the International Society of Automation (ISA), with oversight of marketing, communications, PR, events, and outreach activities. Prior to joining ISA, Liz led marketing, communications, and events activities for the American National Standards Institute (ANSI), as well as for edtech nonprofit MIND Research Institute. She is a graduate of Johns Hopkins University.
