ISASecure SSA Certification for DeltaV and DeltaV SIS

1 ISAS ecure SSA Certification for DeltaV and DeltaV SIS. Frequently Asked Questions This FAQ addresses questions around the scope and relevance of the ISAS ecure System Security Assurance Certification applied to DeltaV and DeltaV SIS products version ISAS ecure SSA Certification for DeltaV and DeltaV SIS May 2018. 1. When will the ISAS ecure System Security Assurance certificate be available for DeltaV and DeltaV SIS? DeltaV is the first release to be ISAS ecure System Security Assurance Level 1 certified. The Certification includes DeltaV Live and Smart Commissioning features as well, therefore the final audits and tests will only happen when all DeltaV features are available. This means the certificates will only be available after all the DeltaV features are released to customers in the near future. 2. What is the scope of this Certification and what does it really mean? The ISAS ecure security Certification has three programs available: System Security Assurance (SSA), Embedded Devices Security Assurance (EDSA) and Security Development Lifecycle Assurance (SDLA).

2 The DeltaV and DeltaV SIS products are ISAS ecure SSA. Level 1 certified in version , which includes ISAS ecure SDLA Level 1 for the processes used to develop all new code introduced in DeltaV development as per the version of the ISAS ecure standards that match the ISA/IEC 62443 -4-1 standard; and Functional Security Assessment (FSA) Level 1 as per the ISA/IEC 62443 -3-3 standard (already published); as well as System Robustness Testing (SRT) as per the ISAS ecure own standards for testing a system. The overall Certification process involves the following: a. Validation of revised development procedures, and the application of the new security development processes on the new code created in the targeted system release ( DeltaV in this case) SDLA. b. Verification of system security features and functions as per the Level 1 requirements listed in the ISA/IEC 62443 -3-3 standard. A reference architecture was designed and considered for the generation of artifacts to prove the protections are implemented per the available documentation FSA.

3 C. Test of the components in the reference architecture in different layers: asset discovery, vulnerability identification, network stress and communication robustness. Tests are performed and the success criteria is checked by making sure the documented essential functions are not affected during an attack SRT. The ISAS ecure SSA Certification means the DeltaV is an attested product that can be used to deploy a control system architecture that can be certified following the security best practices documented in the ISAS ecure standards. 3. Which Certification body is responsible to issue the ISAS ecure Certification for DeltaV exida is the Certification body Emerson is using to obtain the ISAS ecure SSA Certification for DeltaV . 4. What is the correlation between the ISAS ecure standards and the ISA/IEC 62443 standards? The ISAS ecure standards are based on the ISA/IEC 62443 -3-3, 62443 -4-1 and 62443 -4-2 standards. Since the ISA/IEC 62443 -4-1. and 62443 -4-2 standards are not published yet, the versions of those standards used by the ISA Security Compliance Institute are based on drafts issued in 2016 which will need to be revised once the ISA/IEC 62443 standards are officially published.

4 2. ISAS ecure SSA Certification for DeltaV and DeltaV SIS May 2018. 5. Is an ISAS ecure SSA Level 1 certified system fully compliant with the ISA/IEC 62443 series of standards? No, but the ISAS ecure SSA Certification covers important standards of the ISA/IEC 62443 series . The full ISA/IEC 62443 series of standards include basic principles of security applied to industrial control systems, guidelines for service organizations, instructions for users, patching recommendations as well as the already mentioned standards in this FAQ that relate to vendors, such as: a. Security development lifecycle b. Functional security c. Embedded devices security It is also important to emphasize that there are four levels of Certification , and the ISAS ecure SSA Level 1 is the first level. The ISAS ecure SSA is a system Certification and it is more comprehensive than the ISAS ecure SDLA or EDSA certifications alone. 6. Are DeltaV and DeltaV SIS products ISAS ecure EDSA certified?

5 No. In the DeltaV release, Emerson has not opted to obtain individual product's ISAS ecure EDSA Certification . However, Emerson still provides products with the Achilles Certification , The ISAS ecure EDSA Certification is based on the ISA/IEC 62443 -4-2. standard and it is an adaptation of the functional security requirements described in the ISA/IEC 62443 -3-3 standard, but applied to embedded devices. 7. Is Emerson ISAS ecure SDLA certified? In the DeltaV release, Emerson will also provide ISAS ecure SDLA Certification as part of the all encompassing ISAS ecure SSA. Level 1 Certification . 8. What other steps should users follow to design, implement and maintain an ISAS ecure certified industrial control system? The DeltaV and DeltaV SIS products Certification is just one of the steps to have an ISAS ecure SSA Level 1 certified system here called the preparation phase which is Emerson's responsibility: provide products with components, features and functions that allow a fully deployed system to be certified against the ISAS ecure SSA standards.

6 Then you have the implementation phase where the services organization responsible to deploy the system using certified products shall follow the ISAS ecure standards to implement the system without affecting its overall security protections. And finally, there is the maintenance phase where the user, or asset owner, needs to understand the ISAS ecure SSA standards and make sure any changes to the system are validated before implemented so that the security protections are maintained during the lifecycle of the DeltaV system. 9. How does the Achilles Certification fit in the ISAS ecure SSA Certification scheme? There are different Achilles certifications : one dedicated to embedded and network devices (the Achilles Communication Certification ) and one designed for services (the Achilles Practices Certification ). The Achilles Communication Certification is an accepted test platform to validate system components in the System Robustness Testing phase of the ISAS ecure SSA Certification .

7 Achilles Level 2 or ISAS ecure EDSA Level 1 test platforms can be used. The Achilles Communications Certification does not require the vendor to enhance development processes mandatorily, therefore the ISAS ecure EDSA or SSA certifications (based on the ISA/. IEC 62443 -4-1 and 62443 -4-2 standards) are more comprehensive than the Achilles Communications Certification . 3. ISAS ecure SSA Certification for DeltaV and DeltaV SIS May 2018. 10. Can ISAS ecure SSA certified systems be re-configured / manipulated after they are deployed following the security best practices? Yes. However, the user needs to validate the changes to make sure the attack surface has not increased, or any security protections have not been defeated. The security policies and procedures of an ISAS ecure SSA certified system need to be revisited so that exceptions are treated appropriately, and approved by a security team that is conscious about the ISAS ecure SSA standards. 11.

8 What DeltaV system components are not included in the ISAS ecure SSA Certification , if any? The DeltaV system reference architecture considered in the ISAS ecure SSA Certification includes most of the available components provided by Emerson for DeltaV systems. The architecture includes all new features added in the DeltaV release as well as pre-existing components that can pass Achilles Level 2 Certification . With that said, the following components are not included in the reference architecture for the ISAS ecure SSA Certification of DeltaV : a. DeltaV Virtual I/O Modules (VIM). b. Any of the Migration Controllers c. Any of the DeltaV Connect products d. Standalone DeltaV PK Controllers (before they join the balance of the plant). e. Standalone DeltaV SIS. f. DeltaV MD+ and SD+ Controllers (already in supported status). g. Components in retired status h. CHARM I/O Card version 1 (CIOCv1) hardware released which is not Achilles Level 2 certified i.

9 WirelessHART Gateways (Rosemount 1410 and 1420, or Cisco 1552WU). 12. Are the Smart Logic Solvers SLS1508 included in the DeltaV and DeltaV SIS ISAS ecure SSA Certification ? Yes. All DeltaV SIS components are part of the reference architecture subjected to the ISAS ecure SSA Certification . This includes, but not limited to: Smart Logic Solvers SLS1508, SISNet Repeaters, CHARM Smart Logic Solvers (CSLS), Local Safety Network Bridges (LSNB), SZ Controllers, DeltaV Safety Switches, etc. 13. Does the ISAS ecure SSA Certification apply to individual DeltaV hardware components? The ISAS ecure SSA is a comprehensive Certification scheme which is comprised of: functional security assurance, security development lifecycle assurance and system robustness testing it is an industrial control system related security Certification . Part of the Certification process includes individual products testing, but the objective is an overall system Certification rather than an individual components Certification .

10 14. Does the ISAS ecure SSA Certification apply to standalone DeltaV PK Controllers or standalone DeltaV SIS deployments? No. The standalone implementation of the DeltaV PK Controllers and DeltaV SIS were not included in the attested reference architecture for ISAS ecure SSA Certification . The standalone components still have Achilles Communications Level 2 Certification , and they run the same software at the embedded devices level as when they are deployed integrated in a DeltaV system. The security boundaries for the standalone deployments and the protections associated to them are not the same as the ones used on a full-blown DeltaV system architecture. 4. ISAS ecure SSA Certification for DeltaV and DeltaV SIS May 2018. 15. Do I need to deploy a system with the same components as the reference architecture used for the DeltaV ISAS ecure SSA Certification to have a certifiable system? No. The reference architecture is a sample of almost all components DeltaV systems can have so that variations of the architecture can still be considered by users in different applications.