Achilles Level 2 Certification and ISASecure
In a previous post, we described Level 2 Certification, explained how it differs from Level 1 Certification and presented reasons to get Achilles Level 2 Certified. Among those reasons was “Vendors can satisfy additional emerging standards and requirements such as ISASecure because Level 2 Certification meets the ISASecure Communication Robustness Testing requirements.” In this week’s post, we will explain more about ISASecure and Level 2.
What is ISASecure?
ISASecure is a set of certification specifications based on the ISA99 Standards Roadmap. It was developed by the ISA Security Compliance Institute (ISCI) to promote the cyber security of industrial automation products and practices.
The first ISASecure certification, Embedded Device Security Assurance (EDSA), examines the security of embedded devices. It contains three technical elements:
- Functional Security Assessment (FSA) - determines that the device or system under test incorporates a minimum set of security features to prevent common security threats.
- Software Development Security Assessment (SDSA) - determines that software for the device or system under test was developed following appropriate engineering practices to minimize software errors that could cause security vulnerabilities.
- Communication Robustness Testing (CRT) - measures how well network protocol implementations on an embedded device protect against unusual or intentionally malicious network traffic.
The ISASecure specification allows different test tools to be accredited to perform the CRT element. The advantage of allowing multiple tools to perform testing to a defined specification is that it prevents the certificate from being tied to a particular company. The disadvantage is that different tools will send different traffic, and so testing is not guaranteed to be repeatable between tools - a device may pass CRT with one tool but fail with another.
The Achilles Satellite as an ISCI Test Tool
The Achilles Level 2 test suite is recognized as satisfying ISASecure's CRT requirements, and the Achilles™ Satellite is currently the only ISCI-accredited test tool.
Our Industry Advantage
While test tools that meet the ISCI accreditation criteria will be generally similar, they will not generate the same traffic and therefore the quality of testing by different tools will not necessarily be the same. The power of a test suite lies in the approach taken, the depth of testing and how systematic it is. The Achilles™ Satellite, with its powerful grammar engine, has evolved through many years of industry experience and Achilles tests are part of an established certification program that tests for communication robustness.
Wurldtech's Achilles Level 1 Certification is a communication robustness certification that is required by major oil and gas companies as an industry-recognized standard. Achilles Level 2 Certification is Wurldtech's next-generation communication robustness certification. You might remember from our previous post that Level 2 Certification employs more tests and monitoring requirements than Level 1 Certification. It covers the same protocols as Level 1, but each protocol is tested in greater depth. In addition, the communication robustness of the device is tested under both extreme and common conditions. Level 2 includes all ISA CRT and Achilles Level 1 tests.
Finally, since the Achilles Level 2 tests and requirements are a superset of Achilles Level 1, achieving Level 2 Certification results in the achievement of Level 1 Certification. It also satisfies the ISA CRT component.
What is the difference between Level 2 and ISASecure?
Why would you choose Level 2 rather than ISASecure?
There are a couple of practical reasons for choosing one certification over the other.
- A customer requires a specific certificate. A leading reason for Vendors to get certified is to meet procurement requirements. Many industry leaders recognize the Achilles certification family in their procurement processes.
- You are primarily interested in the communication robustness elements of ISASecure rather than the process-related components, and want to demonstrate the robustness of your product with an impartial third-party test certification. In this case, it makes sense for you to apply for Achilles Level 2. You might, for instance, already be getting your security practices certified by Wurldtech’s Achilles Practices Certification program. Or you might have no customer requirements to demonstrate compliance with security practices and so have no need to undergo FSA and SDSA certification.
Why would you choose ISASecure rather than Level 2?
- A customer requires the ISASecure certificate.
- You are interested in the process-related components and the communication robustness elements of ISASecure.
Where can you find additional information?
For more information about the Level 2 ACC Program, click here.