
Cyber security standard for industry (IEC62443-4)

This wiki page describes the policies and recommendations related to the cyber security standard for industry (IEC62443-4) that are needed to meet Industrial Grade requirements.

Note: This page shows the results of a previous investigation of IEC62443-4. The latest information is shared on the CIP Security working group page.

Cyber security certificate

This slide describes what the IEC-62443 certificate is and how it is applied.

IEC 62443 - EDSA Certification [1]

The first ISASecure certification, Embedded Device Security Assurance (EDSA), focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices. The EDSA certification is designed to certify to international standard IEC 62443-4-1, Security for industrial automation and control systems Part 4-1: Secure product development requirements, and to the international standard IEC 62443-4-2, Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components, once that standard is approved.

An embedded device that meets the requirements of the ISASecure EDSA specification earns the ISASecure EDSA certification, a trademarked designation that provides instant recognition of product security characteristics and capabilities, and provides an independent industry stamp of approval similar to a ‘Safety Integrity Level’ Certification (ISO/IEC 61508).

ISASecure EDSA is a certification program for embedded devices, where a product is considered to be an embedded device if it satisfies the definition provided in 3.1.18 of EDSA-100. (Embedded device: special purpose device running embedded software designed to directly monitor, control or actuate an industrial process).

In order to obtain ISASecure EDSA certification, a supplier must pass a security development lifecycle process assessment (SDLPA). Based upon this assessment, an ISASecure SDLA process certification is granted as described in SDLA-100. A supplier may already hold an SDLA process certification when they apply for an EDSA certification, or may apply for EDSA and SDLA certification in parallel. ISASecure certification of embedded devices has three additional elements:

  • Security Development Artifacts for embedded devices (SDA-E);
  • Functional Security Assessment for embedded devices (FSA-E); and
  • Embedded device robustness testing (ERT).

SDLPA and SDA-E both assess development process, hence are grouped under “Security Development Assessment”. SDA-E examines the artifacts that are the outputs of the supplier’s security development processes as they apply to the embedded device to be certified. FSA-E examines the security capabilities of the device, while recognizing that in some cases security functionality may be allocated to other components of the device’s overall system environment.

ERT has two major elements - Vulnerability Identification Testing (VIT) and Communication Robustness Testing (CRT). VIT scans the device for the presence of known vulnerabilities. CRT examines the capability of the device to adequately maintain essential functions while being subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions).

The program offers three certification levels for a device, offering increasing levels of device security assurance. These certifications are called ISASecure EDSA Level 1, ISASecure EDSA Level 2, and ISASecure EDSA Level 3.

All levels of certification include the certification elements above. The SDLPA and SDA-S assessments are the same for all certification levels with the exception of allowable residual risk for known security issues. FSA-E and VIT increase in rigor for levels greater than 1; pass/fail criteria for VIT reference applicable FSA-E requirements. CRT criteria are the same regardless of certification level.

Embedded Device Security Assurance (EDSA) Certification Scheme Description
  1. Security Development Lifecycle Process Assessment (SDLPA)
  2. Security Development Artifacts for embedded devices (SDA-E)
  3. Functional Security Assessment for embedded devices (FSA-E)
  4. Embedded device robustness testing (ERT)

References:

[1] http://www.isasecure.org/en-US/Certification/IEC-62443-EDSA-Certification

civilinfrastructureplatform/cip-cybersecurity.txt · Last modified: 2019/08/26 08:19 by yoshidak