ISASecure ACSSA - 2024-5-8


International Society of Automation

Industry Panel: ISASecure ISA/IEC 62443 Site Assessment (ACSSA) Program - Perspectives & Updates

May 8th 2024


Agenda
• Welcoming Remarks
• Panelist Intro
• ISASecure Site Assessment Overview & Updates
• Panel Discussion

Questions, comments, thoughts? Type them in chat


• Ted Gutierrez
  • CEO & Co-Founder, SecurityGate
  • Ensuring critical sectors are safe, reliable, and profitable
  • Host of Business of Cyber Podcast
• Andre Ristaino
  • Managing Director, Consortium & Alliances, ISA
  • Provides staff leadership for ISA’s conformance certification programs, including the ISASecure control systems certification program.
  • An international presenter on the ISA/IEC 62443 standards and control systems certification
• Carol Muehrcke
  • Program Manager, ISASecure
  • 26 years experience in cybersecurity
  • Manages, develops and rolls out ISASecure certification programs
• Rahul Gupta
  • Global OT Cybersecurity & Functional Safety Leader, UL
  • Interested in integrating Tech & Business Strategy
  • ISA/IEC 62443 Expert
• Alan Raveling
  • OT Architect - Cybersecurity, Interstates
  • Helping organizations find understanding and direction in the complex maze that is the cybersecurity journey is his passion.
  • Over 15 years experience in cybersecurity

Automation and Control Systems Security Assurance (ACSSA) Certification
Based on ISA/IEC 62443

For Asset Owners

May 2024
Mission
Publish a consensus specification and establish a global scheme for assessing and certifying the cybersecurity of automation and control systems in use at asset owner sites based on the Asset Owner series of ISA/IEC 62443 standards.

Vision
The assessment specification and resulting standard report will become the de-facto foundational document of reference for assessing and certifying OT cybersecurity, globally, by asset owners, consultants, certification bodies and public policy makers….much like the GAAP standards developed by FASB for financial accounting.
Who will use the ACSSA Assessment Specification?

• Asset Owners ... for self assessments or for consultants and other third parties doing the assessments on the asset owner’s behalf to standardize the process and reports.
• Consultants ... when doing assessments for clients, resulting in an industry standard assessment process and report.
• Certification Bodies ... to conduct conformity assessments to the ACSSA specification, certifying conformance to the referenced ISA/IEC 62443 asset owner standards.
• Public Policy Makers ... such as regulatory and legislative authorities, ACSSA becomes the definitive reference program when creating public cybersecurity policy.
2023/2024 Membership Additions

Strategic Members
• GSK (asset owner)
• Trane (technology provider)

Certification Bodies
• Kaizen (India)
• UL Solutions (Global)
• AC&E (Italy/Global)

Automation Suppliers and Service Providers
• SecurityGate (technical)
• Secudea (technical)
• Walnut Creek Consulting (Technical)
• Arcadis (Technical)
• Peloton Cybersecurity (technical)
• Enaxy (technical)
• Optiva (technical)

Technical Associate / Government
• Arnoud Soullie
• John Kingsley
• RBJ Consultancy
• Zuonet
• Industrial Technology Research Institute (ITRI) – Taiwan Government
• MIAN

Supporter
• Generac (supporter)
• Interstates (supporter)
• Armexa (supporter)
• Securing Things (supporter)
• CyberPrism (supporter)
• IACS Consulting (supporter)
Use-cases for ACSSA
Assess cybersecurity of production assets and control systems at asset owner site:
• in steady-state
• recently upgraded (Brownfield)
• site commissioning stage (Greenfield)
Phase One – Develop Core ACSSA Scheme from ISA/IEC 62443

ISA/IEC 62443 Asset Owner Standards (345 requirements)
• 62443-2-1 – Security program requirements
• 62443-3-2 – Risk assessment and system design
• 62443-3-3 – System requirements and security levels
• 62443-2-4 – Service provider requirements

The ISASecure TSC develops the ACSSA requirements from these asset owner standards.

“Core” ISASecure ACSSA Program

Assessment
• Assessment Specification – standardized assessment methods, tools, assessor guidance
• Assessor Company Specifications – ISO 17020 and scheme specific assessment methodology
• Assessor Personnel Specification – profile, education, experience, certifications

Certification
• Certification Definition – pass/fail; program policies and procedures
• Three-day Training Class
• Accreditation
• Licensing Agreements – end-users, consultants, CB, other
• Credential Program

Phase II – “Core” ISASecure ACSSA Certification Specification used to create sector assessment profiles

Scope is Automation and Control Systems in Operation

• Security Requirements
• Detailed assessor guidance
• Use of tools and methods
• Certification definition
• Policies and procedures
• Pass / Fail metrics

Sectors: Building Controls, Electric Sector, Pipelines, Ports, Railways, Water / Wastewater, Other Sectors
ACSSA Project Organization

ISASecure Program Manager: Carol Muehrcke

Green Team – Program Definition and Accreditation Requirements
Leader: Carol Muehrcke

Blue Team – Assessment Specification Development
Co-leaders: Johan Nye and Kevin Staggs

• Work commenced Q3 2023
• Biweekly Blue Team meetings
• Biweekly Green Team meetings
• Meetings interleaved so WG team members can attend both meetings if desired.
Planned Milestone Dates for Phase One
• Q4 2024 – ACSSA assessment specifications complete
• Q4 2024 – ACSSA program definition, policies/procedures, CB accreditation specifications
• Q1 2025 – Assessor Training class complete (3-day class)
• 1H 2025 – ACSSA available for asset owners, consultants, certification bodies
Cybersecurity Resources at ISA
• ISASecure product certifications – https://www.isasecure.org/en-US/
• ISASecure web page with ACSSA program details – https://isasecure.org/isasecure-site-assessment-0
• ISA Global Cybersecurity Alliance – https://isagca.org/
• ISAGCA Blogs (tons of great info and free downloads) – https://gca.isa.org/blog
• ISA/IEC 62443 Training – https://www.isa.org/training-and-certification/isa-training
• In 2021, ISA established a cybersecurity incident command system for industrial control systems. www.ics4ics.org
Andre Ristaino
ISA Managing Director
Consortia and Conformity Assessment
[email protected] O: +1 919-990-9222 M: +1 919-323-7660

Elevating OT cybersecurity from an art, to a science, to an engineering discipline
