Overview of ISASecure certifications including SDLA, CSA, ICSA, SSA and ACSSA. Learn about their requirements and typical application areas.
ISASecure and IEC 62443
ISASecure is based on the standards of the IEC 62443 series, which define internationally recognized best practices for industrial cybersecurity. ISASecure certifications are designed to meet and implement the requirements of these standards in practice. This enables companies to demonstrate their conformity with IEC 62443 while benefiting from a structured certification process.
ISASecure and the ISA
ISASecure was launched by the International Society of Automation (ISA). The ISA is a global non-profit organization dedicated to promoting technical competence and excellence in the automation industry. ISASecure is an important part of the ISA’s efforts to establish and promote standards and best practices for industrial cybersecurity.
ISASecure certifications at a glance
ISASecure offers several certifications that cover different aspects of industrial cybersecurity:
- Security Development Lifecycle Assurance (SDLA)
 SDLA focuses on the product and system development process. It is based on IEC 62443-4-1 and ensures that security aspects are considered throughout the entire lifecycle. Successful SDLA certification is a prerequisite for product or system certification under CSA, ICSA or SSA.
- Component Security Assurance (CSA)
 This certification focuses on the security of software applications, embedded devices, host devices and network devices as defined in IEC 62443-4-2.
- IIoT Component Security Assurance (ICSA)
 ICSA is a product certification specifically for IIoT components, built on IEC 62443-4-2 and extended with IIoT-specific requirements.
- System Security Assurance (SSA)
 SSA certification covers all requirements for control systems according to IEC 62443-3-3.
- ISASecure IACS Security Assurance (ACSSA)
 The ACSSA program is a new certification under development for operators of industrial facilities in accordance with IEC 62443-2-1, 2-4, 3-2 and 3-3.
Providers of ISASecure certifications
ISASecure certifications are carried out by authorized certification bodies. Some well-known providers include:
- TÜV Rheinland
- TÜV SÜD
- Bureau Veritas
It is important to note that the list of authorized certification bodies can change. A complete overview and up-to-date information can be found on the official ISASecure website.
Significance and adoption of ISASecure
ISASecure has gained particular importance in the oil and gas industry. This is largely due to the active participation of major companies such as ExxonMobil, Chevron and Saudi Aramco, which are represented as asset owners in the ISA Security Compliance Institute (ISCI). Thanks to this strong influence, ISASecure has become especially established in the oil and gas sector, with a clear emphasis on the United States.
ISASecure certifications are highly regarded in this sector and are often viewed as a gold standard. However, it is important to note that in Europe and Asia, certifications based directly on IEC 62443 without the specific ISASecure framework have largely prevailed. This regional differentiation shows that, despite the global importance of the underlying standards, implementation and certification can vary depending on geographic and industry context.
Classification and outlook
ISASecure has established itself as a leading certification program for industrial cybersecurity, with a particular focus on the oil and gas industry and North America. Its close alignment with IEC 62443 underscores its relevance, while regional acceptance still varies.
Promising developments for the future include expansions in the IIoT area and certification of operating sites. A central challenge will be balancing industry-specific specialization with broad applicability. For globally operating companies it is crucial to include both ISASecure and direct IEC 62443 certifications in their strategy in order to remain flexible in meeting different market requirements.
Frequently asked questions (FAQ) about ISASecure
Which designation is correct: ISA 62443, IEC 62443 or ISA/IEC 62443?
The official and internationally recognized designation for the standards series is IEC 62443.
The notation ISA/IEC 62443 is also used, especially in North America and by the International Society of Automation (ISA) itself. This emphasizes the ISA’s significant contribution to the original development of the standards series before it was adopted by the IEC as an international standard.
The designation ISA 62443 alone is less common and should be avoided because it does not reflect the international recognition by the IEC.
In the global professional community and in official international contexts, the designation IEC 62443 has become established. This notation emphasizes its status as an international standard and is used worldwide in industry, by regulators and in professional literature.
It is important to note that regardless of the designation used, the content and requirements of the standards are identical. The choice of designation may vary depending on regional context or specific application area.
Is ISASecure certification fully compliant with IEC 62443?
ISASecure certifications are largely aligned with the IEC 62443 series and are based directly on its requirements. The current certification programs (CSA, SSA, SDLA) correspond to the respective parts of IEC 62443. Some newer certifications, such as ICSA (for IIoT components) and ACSSA (for operating sites), complement the IEC 62443 requirements with specific aspects that were not covered, or not covered in detail, in the original standards.
It is worth noting that the predecessor to the CSA certification, the so-called EDSA (Embedded Device Security Assurance), was developed before the publication of IEC 62443-4-2. EDSA did not require a secure development process according to IEC 62443-4-1 or SDLA, which contradicted the later requirements of IEC 62443-4-2. This older certification has been retired and is no longer used, so that full compliance with the current IEC 62443 standards is ensured.
Overall, ISASecure aims for close alignment with the IEC 62443 standards while also responding to new developments and specific industry needs. This ensures that the certifications are both compliant with international standards and practical and future-oriented.
Is ISASecure certification mandatory?
ISASecure certification is not legally mandatory. However, it has gained high practical relevance in certain industry sectors, particularly the oil and gas industry. Many operators in these sectors require certified components for their automation solutions and operating facilities in tenders and procurement processes.
It is important to note, though, that in many cases an ISASecure certification is not the sole accepted proof. Often, certifications that are directly based on IEC 62443 without the specific ISASecure framework are recognized as equivalent. This reflects the global acceptance of IEC 62443 and allows flexibility when selecting suppliers and products.
This practice highlights that the primary focus is on compliance with the underlying security standards, regardless of whether compliance is demonstrated via ISASecure or other recognized certification schemes. Companies operating in or doing business with these sectors should be aware of their customers’ expectations and carefully weigh the benefits of different certifications.
Are penetration tests required for ISASecure certification?
Yes, penetration tests play an important role in the ISASecure certification process and are relevant in several ways.
A central component of ISASecure certification is adherence to a secure development lifecycle under SDLA. This requires regular penetration testing of components and systems. These tests are an integral part of the continuous security process during product development and maintenance.
As part of the certification process itself, ISASecure also requires a comprehensive vulnerability assessment called the “Vulnerability Identification Test” (VIT). This assessment is conducted by the certification body and forms part of the evaluation for certification.
The combination of regular penetration tests performed by the manufacturer and the independent vulnerability assessment by the certifier ensures a thorough evaluation of the product or system’s security. This helps identify and remediate potential weaknesses early, increasing the overall security and reliability of certified components or systems.
Companies pursuing ISASecure certification should therefore plan penetration testing and vulnerability assessments as essential elements of their security strategy and certification preparation.
Support for ISASecure certification
ISASecure certification is regarded as internationally recognized proof of the cybersecurity of industrial automation components and systems. It is based on IEC 62443 requirements and combines technical testing with an assessment of development processes. Preparing for certification requires a solid understanding of the underlying programs such as SDLA, CSA or SSA.
Secuvi supports companies in structured preparation for ISASecure certification – from analyzing existing development practices to integrating technical and organizational measures and coordinating with the certification body. Our goal is to reduce the effort in the certification process while ensuring that all relevant requirements are met.
If you are considering ISASecure certification or planning one concretely, you can find more information and contacts on secuvi.com.