Update to ISASecure® EDSA and SSA cybersecurity certifications!

The ISA Security Compliance Institute, which manages the ISASecure cybersecurity certification scheme for industrial automation and control systems (IACS), announced today updates to certification requirements for the Embedded Device Security Assurance (EDSA) certification and System Security Assurance (SSA) certification.

ISASecure certifies to the international IEC 62443 series of IACS cybersecurity standards. Products are evaluated for conformance by independent labs accredited by JAB, ANSI/ANAB and, DaKKS. Lab accreditation requirements include ISO 17065, ISO 17025 and scheme-specific ISASecure requirements.

The new EDSA and SSA certification requirements were posted on the website in June 2015 and are generally referred to as Version 2. The new requirements are effective for any products submitted on or after 1 February 2016.

The EDSA and SSA requirements specifications on the website include documents that provide details and guidance on the transition to Version 2 (ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0) and related policies (ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0) respectively.

Updates include expanded requirements for vulnerability identification test (VIT) scans of products submitted for certification. In addition, the certification specification requirements documents have been simplified for use by certification labs and suppliers. A key change includes references to a security development lifecycle assurance (SDLA) requirements document, which is used in both the EDSA v2 and SSA v2 certifications.

Additional important changes to requirements are included in the transition and policy documents referenced above: ISASecure-112 Transition Guidance to EDSA 2.0.0 and SSA 2.0.0 and ISASecure-113 Transition Policy to EDSA 2.0.0 and SSA 2.0.0.

Changes impact ISASecure communication robustness tool (CRT) providers and technical readiness for ISASecure certification bodies (CB).