The International Society of Automation announced June 18 the upcoming rollout of the ISASecure certification program’s Industrial Automation Control System Security Assurance (ACSSA) inspection and certification scheme.
ACSSA will offer a common, industry-vetted method for evaluating conformance of an industrial automation and control system (IACS) with ISA/IEC 62443 standards, including all policies and procedures, service providers and technical security controls. It will let asset owners’ control systems be evaluated against ISA/IEC 62443-2-1, 2-4, 3-2 and 3-3.
ISASecure program manager Dr. Mark DeAngelo shared early details about the initiative at ISA’s OT Cybersecurity Summit on June 18-21 in Brussels, Belgium. The event’s 250 visitors attended 35 sessions on improving OT/IT relationships, Europe’s cybersecurity regulations, supply-chain risks and other topics.
“ISASecure is proud to announce our newest program—ACSSA,” says DeAngelo. “It includes asset owners, insurance providers, product suppliers, service providers, conformity assessment bodies and government bodies, and allows all to share a common understanding of facility risks.”
ACSSA helps bridge lingering gaps in operational site assurance. Despite ISASecure’s cybersecurity programs, asset owners often continue to rely on patchworks of internal policies and third-party audits that vary across sites. This leads to inconsistent security postures, compliance gaps, increased risk exposures, more liability and regulatory non-compliance.
“Staff coming from the information technology (IT) side need to understand the unique requirements of operations technology (OT) on the plant-floor,” says Scott Reynolds, ISA president and senior security and network engineering manager at Johns Manville, during the OT cybersecurity event. “For example, where IT can deploy software patches to its systems any time, OT needs to first manage availability, downtime and safety requirements. IT is often ignorant about these issues, and needs to understand their impact.
“Likewise, OT needs to learn that having backup files for system recovery isn’t the same as having redundant equipment that lets operations continue. If IT and OT systems were able to communicate previously, and fail due to ransomware, then redundancy won’t save the OT side. This is why OT and IT must work together to address them, and regulate IT’s activities in OT spaces.”
Reynolds reports that ACSSA will help users coordinate their cybersecurity efforts because, instead of certifying individual products as complying with ISA/IEC 62443, it will inspect and certify the compliance of overall assets and systems like production lines and water treatment plants. “ACSSA is part of our focus on leveraging ISA standards to enable users’ environments, so they can more easily meet current and future regulatory requirements by following ISA/IEC 62443 standards and best practices for cybersecurity.”
ISASecure’s ACSSA aligns all stakeholders around a consistent, standards-based program, contributing to more secure and resilient environments for asset owners. It evaluates conformity with ISA/IEC 62443’s requirements by verifying processes, procedures, support by service providers, and configuration and utilization of control systems’ capabilities. Just as ISA/IEC 62443’s framework offers a risk-based approach, ACSSA evaluation begins with reviewing the asset owner’s risk assessment process and the results of that process.
The first, three-day training course for ACSSA will be launched in early fall 2025 at ISA’s headquarters in Durham, N.C. An online version of the course will be offered in late 2025. Anyone interested in learning more about upcoming ACSSA training courses can sign up here.
