Cybersecurity Certification

IEC 62443 Cybersecurity Certification

Cybersecurity has quickly become a serious issue for professionals in the process and critical infrastructure industries.

An unprecedented number of security vulnerabilities have been exposed in industrial control products, and regulatory agencies are demanding compliance with complex and confusing regulations. There are well-established strategies and techniques that automation professionals can employ to discover and mitigate security vulnerabilities and improve the inherent security of their products and systems. Learning and adopting these strategies will help companies stay ahead of potential vulnerabilities.

IEC 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end users (i.e., asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

exida has comprehensive knowledge of the IEC 62443 standards and has developed a robust certification scheme that helps its clients' products become safer and enjoy strong market recognition.

exida is accredited per IEC/ISO 17065 by the American National Standards Institute (ANSI) to certify to a series of exida certification schemes for cybersecurity based on the IEC 62443 series of standards. A certification scheme specifies all requirements that must be met and the procedures that must be used in a certification project. These requirements and procedures are documented in a “Security Case.”

The IEC 62443 standards were recently created as the result of a strong global committee effort and are rapidly becoming recognized worldwide. Many automation users consider the IEC 62443 standard to be required. The ISCI schemes will likely be updated to IEC 62443 in the future. The cybersecurity certification schemes offered by exida are shown in the table below:

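| Classification               | Program Name      | Source                            | Based On                |
|------------------------------|-------------------|-----------------------------------|-------------------------|
| Product Test/Evaluation      | EDSA              | ISA Security Compliance Institute | ISCI Specification      |
| Product Test/Evaluation      | eSDC              | exida                             | IEC 62443-4-1, -4-2     |
| System Test/Evaluation       | SSA               | ISA Security Compliance Institute | ISCI Specification      |
| System Test/Evaluation       | eSSC              | exida                             | IEC 62443-4-1, -4-2     |
| Process Evaluation – Product | SDLA              | ISA Security Compliance Institute | ISCI Specification      |
| Process Evaluation – Product | eSDP              | exida                             | IEC 62443-4-1, -4-2     |
| Process Evaluation – System  | System Integrator | Wurldtech (G.E.)                  | IEC 62443-2-4           |
| Process Evaluation – System  | eSSP              | exida                             | IEC 62443-2-4 plus      |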

The exida schemes go beyond IEC 62443 and require:

  • that the product manufacturer perform network robustness testing during development for a product and for every revision to security-critical software. It is not sufficient for a test lab to perform testing after a product is ready for production release, because testing that late does not identify issues in time for corrective action. Normally the manufacturer will need to establish a cybersecurity test lab and perform frequent testing. exida will witness a sample set of tests before production release.
  • that the software development process used to create the product meet the requirements of the cybersecurity maturity level.
  • that surveillance audits be performed by the certification body (CB) at regular intervals to ensure that testing is being performed and that security monitoring in the field / security response systems are working well.
  • that security defense mechanisms required by the referenced standards have been implemented as required.
  • that equipment failure modes be evaluated for their impact on cybersecurity features.
  • that practical system-level cybersecurity requirements needed for the product be published in a user document. The information required by exida goes beyond existing standards per the advice of our end-user Advisory Board.



ISASecure Embedded Device Security Assurance

exida has been accredited by the ISA Security Compliance Institute to offer security certification of automation products per the ISASecure Embedded Device Security Assurance program.

This vetted, approved compliance specification provides a holistic assessment of the functional security of an embedded device that builds upon but goes well beyond industry-recognized network robustness testing. In addition to network robustness testing, the assessment includes an evaluation of the security features and functions supported by the device and an audit of the supplier’s software development practices. Similar to the well-established IEC 61508 functional safety certification, the ISASecure EDSA program will certify a product to one of three capability levels (ISASecure Level 1, 2 or 3).

For more information on the program please visit www.isasecure.org.
