The International Society of Automation (ISA) Security Compliance Institute (ISCI) announced today that IriusRisk SL has joined ISCI as a Technical Member in support of the ISASecure® Cybersecurity Conformance Scheme.
IriusRisk has worked with several organizations to help them overcome the complexity of manual threat modeling with the IriusRisk Automated Threat Modeling platform, an automation engine, extensive security standards, and integration with major issue trackers. As a result, engineering teams have access to a self-service tool for designing secure applications. This automation process can guide each company’s approach to compliance, and prioritize risk, based on each unique security, governance, and compliance requirement.
The ISASecure certification program is an industry-led effort composed of the leading stakeholders in the process industry. It assesses ICS products and systems to ensure they are robust against network attacks, free from known vulnerabilities, and meet the security capabilities defined in the ISA/IEC 62443 standards.
A key differentiator of the ISASecure program is its inclusion of end users in its certification development process. End user members directly contribute to ISASecure certification development, ensuring their needs are reflected in the certification requirements.
Charles Marrow, Head of Center of Excellence at IriusRisk, comments: “ISCI’s pursuit of better security standards across a broad range of industries is such important work. Threat modeling and risk assessments can also play a pivotal role in this: all organizations operating in the industrial, automotive, transport and medical industries should be doing it on a regular basis, building in security from the very beginning of the software development lifecycle.”
Andre Ristaino, ISA Managing Director, Consortia and Conformance Programs, welcomes IriusRisk as a new ISASecure member: “Companies like IriusRisk are key to enabling adoption of the ISA/IEC 62443 standards for supplier companies. Commercial tools that simplify the threat analysis and compliance tasks during product development remove barriers to applying the ISA/IEC 62443 standards.”
Founded in 2007, the ISA Security Compliance Institute (ISCI) has the mission of providing the highest level of assurance possible for the cybersecurity of automation control systems. ISCI has been conducting ISASecure® certifications on automation and control systems since 2011 through its network of ISO/IEC 17065 accredited certification bodies.
The Institute was established by thought leaders from major organizations in the automation controls community, seeking to improve the cyber security posture of critical infrastructure for generations to come. Prominent ISASecure supporters include Chevron, ExxonMobil, Saudi Aramco, Shell, Honeywell, Schneider Electric, Carrier, JCI, TUV Rheinland, Yokogawa, YPF, exida, GE Digital, Synopsys, CSSC, Bureau Veritas, BYHON, TUV SUD, DNV, FM Approvals and others. The Institute’s goals are realized through ISASecure® compliance programs, education, technical support, and improvements in suppliers’ development processes and users’ lifecycle management practices. The ISASecure® designation ensures that automation products conform to industry consensus cyber security standards such as IEC 62443, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification. Learn more at www.isasecure.org.
About IriusRisk SL
IriusRisk is the industry’s leading threat modeling and secure design solution in Application Security. With enterprise clients including Fortune 500 banks, payments, and technology providers, it empowers security and development teams to ensure applications have security built-in from the start – using its powerful open threat modeling platform that incorporates comprehensive ISA 62443 libraries (including 3-3 and 4-2 controls).
Users can generate an initial threat model in minutes – complete with recommended and required countermeasures – based on each organization’s own internal security policies with specific actionable advice. Infrastructure as Code (IaC) from cloud orchestration and diagramming tools, such as AWS CloudFormation, HashiCorp Terraform and Microsoft Visio, can also be used. This code can be imported via the IriusRisk API to automatically generate a threat model of that architecture.
Whether teams are implementing threat modeling from scratch or scaling up existing operations, the IriusRisk approach results in improved speed-to-market, collaboration across security and development teams, and the avoidance of costly security flaws. IriusRisk is methodology-agnostic, meaning that if a specific threat modeling methodology is being used, such as STRIDE or OCTAVE®, or even if there is no approach being followed at all, the IriusRisk platform can cater to all organizations’ requirements. www.iriusrisk.com