ISA has announced the upcoming rollout of the ISASecure Industrial Automation Control System Security Assurance (ACSSA) inspection and certification scheme.
# Industry News: ISASecure Launches ACSSA Scheme for IACS Security Assurance
## Summary
ISASecure, backed by the International Society of Automation (ISA), has announced a new Industrial Automation and Control Systems Security Assurance (ACSSA) inspection and certification scheme. This scheme is designed to rigorously evaluate asset owners' control systems against key specifications within the globally recognized ISA/IEC 62443 series of standards, marking a significant step in standardizing OT security compliance for end-users.
## Key Details
- Date: Announcement made in June 2025 (based on article context).
- Companies Involved: ISASecure, International Society of Automation (ISA).
- Category: Program/Standard Launch (Conformity Assessment Scheme).
## The Story
ISASecure has launched its new ACSSA scheme to provide assurance for the cybersecurity of Operational Technology (OT) environments, specifically Industrial Automation and Control Systems (IACS). This program is rooted in the ISA/IEC 62443 series of standards. The ACSSA scheme specifically enables the evaluation of asset owners' control systems against controls defined in ISA/IEC 62443-2-1 (Policies and Procedures for IACS Security), 2-4 (Procedures for specifying security requirements for IACS components), 3-2 (Security risk assessment and risk reduction), and 3-3 (System security requirements). The program leverages an established ecosystem that includes major players in the industrial sector like Chevron, Honeywell, and Schneider Electric.
## Business Impact
### For the Companies Involved
- **ISASecure/ISA:** Establishes a new revenue stream and strengthens its role as the central authority for IACS cybersecurity certification, expanding assurance from just product vendors to asset owners.
### For Competitors
- Competitors offering proprietary or less comprehensive OT security assessment services may face pressure to align their offerings with the formalized, internationally recognized ISA/IEC 62443 structure promoted by ACSSA.
### For Customers
- Asset owners (end users in critical infrastructure, manufacturing) now have a standardized, third-party method to prove that their implemented security practices meet international benchmarks, aiding in compliance and risk management reporting.
### For the Market
- This formalizes the shift in focus within industrial cybersecurity from solely product certification to comprehensive system and organizational assurance for the operational environment, driving maturity in OT risk management.
## Technical Implications
The scheme directly targets critical sections of the ISA/IEC 62443 framework, specifically focusing on risk assessment (3-2), system requirements (3-3), and the processes governing security management (2-1) and component specifications (2-4). This ensures that assurance is applied across policy, design, implementation, and risk reduction phases within the asset owner's environment.
## Strategic Analysis
- Market Positioning: ISASecure significantly enhances its market position by moving up the value chain from certifying components to certifying the *management* of security within the live IACS environment itself, aligning closely with operator due diligence requirements.
- Competitive Advantage: Leveraging the broad industry adoption and governance of ISA provides inherent trust and authority, making ACSSA a potentially default standard for OT assurance programs.
- Challenges: Achieving broad adoption will require significant effort across diverse industrial sectors, and the certification must prove to be both rigorous and practical for operational environments.
## Industry Reactions
- Analysts are likely to view this as a necessary maturity step, acknowledging that securing systems requires assessing the integrator/owner's processes, not just the ICS device itself.
- Market response will depend on initial uptake by large asset owners, particularly those already investing heavily in ISA/IEC 62443 adherence.
## Future Outlook
- Expect greater demand for security consultants specializing in helping asset owners prepare for ACSSA assessments, particularly concerning ISA/IEC 62443-2-1 policy requirements.
- Future iterations may expand to cover specific regulatory frameworks built atop the 62443 base.
## For Security Professionals
Practitioners supporting asset owners must familiarize themselves with the specific requirements outlined in 62443-2-1, 2-4, 3-2, and 3-3, as these will form the objective standard for proving organizational and system security posture under the new ACSSA scheme.