Authors: Emerson’s Alexandre Peixoto, International Society of Automation (ISA)’s Andre Ristaino
Selecting, engineering, implementing, and operating a control system is a significant, long-term investment. Applying a defense-in-depth strategy to protect the process from cybersecurity risks is another significant, long-term investment that can be made more complicated if the inherent security features of the control system are not strong.
Emerging cybersecurity standards can help project personnel recognize process control systems that are cybersecure-ready. Working with automation suppliers and their customers, the International Society of Automation (ISA) developed the ANSI/ISA 62443 family of standards (the International Electrotechnical Commission standardized them internationally as IEC 62443 standards) to guide end users (or asset owners) in the best-practice application of cybersecurity principles and in choosing the control system possessing the features and functionality that help make it ready to be defendable against cyberattacks.
ISA has also established a cybersecurity conformity assessment program under the ISASecure brand that certifies commercial off the shelf (COTS) product security capabilities to the ISA/IEC 62443 standards.
Certifications Lead to Compliance
ISASecure product certifications help assure asset owners that their systems and automation products possess the security features required to deploy a defendable integrated control and safety system (ICSS), process control system (PCS), or safety instrumented system (SIS).
Currently, ISA offers three ISASecure conformance certifications, each aligned with the applicable ISA/IEC 62443 series of standards with four security assurance levels for products as defined in ISA/IEC 62443. The ISASecure product certifications give asset owners assurance that the products/systems are offered as a cyber-defendable solution and conform to the ISA/IEC 62443 standards.
- ISASecure Security Development Lifecycle Assurance (SDLA)
- ISASecure Component Security Assurance (CSA)
- ISASecure System Security Assurance (SSA)
A Good Start with SDLA and CSA Certifications
The ISASecure SDLA is a certification of the manufacturer’s development and release processes. It assures that the development processes used by the system manufacturer meet the security requirements of ISA/IEC 62443-4-1 using the ISASecure assessment specifications. It also assures that other processes exist within the supplier’s organization that support incident response/communication plans and product update processes for keeping the certified product secure and up to date.
Assessments are conducted by ISO/IEC 17065 accredited certification bodies (CB) on behalf of the ISASecure program. ISASecure CBs include globally recognized companies like TUV Rheinland, TUV SUD, CSA Group, and exida so asset owners know that the ISASecure certifications are credible, fair, and consistent.
The ISASecure CSA product certification applies to individual industrial control systems components as defined in the standard including embedded devices, applications, network devices, and host devices. Embedded devices include PLCs and individual controllers. It assures that the required security features of a component are met based on the ISA/IEC 62443-4-2 and the product development process is in conformance with ISA/IEC 62443-4-1. This is important for asset owners that are building their production capability from individual PLCs to have assurance of some level of cybersecurity capabilities of the component itself.
Note: Prior to June 2019, Embedded Devices Security Assurance (EDSA) component level certification was the only component certification offered under the ISASecure brand. In June 2019 EDSA was renamed to CSA (Component Security Assurance) to reflect full alignment with ISA/IEC 62443-4-2 and provides coverage for all four component types defined in the standard: host devices, network devices, embedded devices, and applications.
ISASecure SSA Certification Leads to Savings in Security and Engineering
To achieve the ISASecure SSA—a product certification that applies to ICSS, PCS, and SIS—a system as a whole must go through the rigor of assessments to assure it provides a defendable solution.
The SSA assessment process includes an audit of the product development process, assessment of security capability level for the product’s intended use, and finally testing for known vulnerabilities and communication robustness. The ISASecure audit also examines the product documentation to ensure that it includes deployment guides that describe how to securely commission and maintain the system over its useful life and in decommissioning.
Components within a system are subjected to robustness testing in the SSA certification program based on the ISA/IEC 62443-3-3 and IEC 62443-4-1 standards. The goal of this certification is to make sure the control system reference architecture (COTS version) is designed such that the declared essential functions are protected at all times.
As an industrial control system certification, SSA is more comprehensive than the SDLA or CSA certifications alone. Its scope indicates hardening of the control and safety system, not just the individual components and addresses all attack surfaces of the system as a whole.
An overall system architecture testing for the ISASecure certification involves making sure endpoints such as controllers are tested to verify that the system is defendable against common network cyberattacks such as malformed input message attacks. It also certifies that the system manufacturer has institutionalized their security response plans and procedures to address and resolve cybersecurity issues discovered after end users have begun to use the system at operating sites.
This kind of system-level cybersecurity strength means more than fending off attacks, it brings higher availability, integrity, and network/communications security to the system and facility.
Cybersecurity is a Shared Responsibility
Organizations such as the ISA99 committee create standards outlining a roadmap for system manufacturers and asset owners to prioritize cybersecurity across the system spanning the facility lifecycle. Although it simplifies choices, certification is just one of many dimensions of risk management applied towards achieving a fully deployed system that both conforms to the ISA/IEC 62443 security standards and contributes to a cybersecure solution.
After the engineering teams and asset owners ascertain that their chosen system has the proper certifications, they must assure correct implementation.
Independent certification bodies verify and award the certifications to system manufacturers. Their work reduces the effort required by the asset owner to know that the ICSS or other automation product—when properly used—can be a strong part of a process automation system that meets the security standard.
Sharing the responsibility, control system manufacturers, the integrators, and the end users must deliver, install, commission, and maintain the control system according to the guidelines. The asset owner is responsible for requesting, implementing, and maintaining security features as recommended by the vendor to continue to follow the security standards.
To implement systems securely, end users must follow the certified reference architecture, a sample that includes almost all available system components. The final architecture must be deployed by engineering project teams and maintained by users that understand the standards used in the ISASecure SSA certification.
Strong Certified Control Systems
The ISA standards and ISASecure certifications help ensure and promote that facilities have strong cybersecurity foundations to defend and protect the process at the control-system level. Certifications help validate the strength of the control system layer of protection and provide the basis for selecting strong compensating controls where necessary.
A certified process control system not only helps reduce the risks cyberattacks pose, but also aids a project team as they plot out the path toward cybersecurity. In partnership with the standards and the certified system, the project team and the asset owner take responsibility to form a critical layer of protection contributing to a well-designed and defendable process and facility.
Alexandre Peixoto is the product marketing manager for cybersecurity for DeltaV automation systems at Emerson. In 2019, the DeltaV distributed control system became the first control system to receive ISASecure SSA Level 1 certification.
Andre Ristaino is a managing director for ISA and has more than a decade with ISA helping manage and develop automation standards.