Assessing the Cybersecurity of New or Existing IACS Systems (IC33) provides students with the information and skills to assess the cybersecurity of a new or existing industrial automation and control system (IACS) and to develop a cybersecurity requirements specification (CRS).
IC33 focuses on the first phase of the IACS Cybersecurity Lifecycle, as defined in the ISA/IEC 62443-1-1 standard. Students will learn to identify and document IACS assets and to perform a cybersecurity vulnerability and risk assessment that identifies the high-risk vulnerabilities requiring mitigation. Per ISA/IEC 62443-2-1, these assessments must be performed on both new (i.e., greenfield) and existing (i.e., brownfield) applications. Part of the assessment process involves developing a zone and conduit model of the system, identifying security level targets, and documenting the cybersecurity requirements in a CRS.
Required Prerequisite
Successful completion of Using the ISA/IEC 62443 Standards to Secure Your Control Systems (IC32) and passing the ISA/IEC 62443 Cybersecurity Fundamentals Specialist certificate exam are mandatory prerequisites for this course.
Who Should Attend IC33?
- Control systems engineers and managers
- System integrators
- IT engineers and managers in industrial facilities
- Plant managers
- Plant safety and risk management personnel

View Offerings by Format
- Classroom (IC33), length: 3 days
- Virtual Classroom (IC33V), length: 3 days
Visit our course formats page for a detailed description of each format.
Learning Objectives
- Identify and document the scope of the IACS under assessment
- Specify, gather, or generate the cybersecurity information required to perform the assessment
- Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
- Interpret the results of a Process Hazard Analysis (PHA)
- Organize and facilitate a cybersecurity risk assessment for an IACS
- Identify and evaluate realistic threat scenarios
- Identify and assess the effectiveness of existing countermeasures
- Identify gaps in existing policies, procedures, and standards
- Evaluate the cost, complexity, and effectiveness of new countermeasures in order to make meaningful recommendations
- Establish and document security zones and conduits
- Develop a Cybersecurity Requirements Specification (CRS)

Topics Covered
- Preparing for an Assessment
  - Security lifecycle
  - Scope
  - System architecture diagrams
  - Network diagrams
  - Asset inventory
  - Cyber criticality assessment
- Cybersecurity Vulnerability Assessment
  - Risk
  - Types of cybersecurity vulnerability assessments
  - High-level assessments
  - Passive and active assessments
  - Penetration testing
  - Conducting high-level assessments
  - Assessment tools
  - Cyber Security Evaluation Tool (CSET)
- Conducting Vulnerability Assessments
  - Vulnerability process
  - Pre-assessment
  - Standards
  - Research
  - Kick-off and walk-through
  - Passive data collection
  - Active data collection
  - Penetration testing
- Cyber Risk Assessments
  - Understanding risk
  - Risk identification, classification, and assessment
  - ISA/IEC 62443-2-1
  - System under Consideration (SuC)
  - Conducting a high-level risk assessment
  - Consequence scale
  - Establishing zones and conduits
  - Zone and conduit drawings and documentation
  - Documenting cybersecurity requirements
- Conducting Cyber Risk Assessments
  - Detailed cyber risk assessment process
  - Threats
  - Vulnerabilities
  - Consequences
  - Likelihood
  - Calculating risk
  - Security levels
  - Countermeasures
  - Residual risk
  - Documentation
- Critiquing System Architecture Diagrams
  - Asset inventory
  - Gap assessment
  - Windows vulnerability assessment
  - Capturing Ethernet traffic
  - Port scanning
  - Using vulnerability scanning tools
  - Performing a high-level risk assessment
  - Creating a zone and conduit diagram
  - Performing a detailed cyber risk assessment
  - Critiquing a cybersecurity requirements specification
- Documentation and Reporting
  - Documents to maintain
  - Required reports
  - Zone and conduit diagrams
  - Cybersecurity Requirements Specification (CRS)

Exercises
The following hands-on exercises are for IC33 and IC33V formats only.*
- Asset inventory
- Perform a high-level cybersecurity risk assessment
- High-level risk assessment using CSET
- Vulnerability scanning
- Pentest Windows XP using Kali Linux
- Creating a zone & conduit diagram
- Detailed risk assessment
- Optional: Basic security analysis (GFI LanGuard)

Note: IC33M and IC33E students will use the cyber range at Virginia Tech to complete the lab exercises.
Recommended Resources
- ISA-62443-1-1-2007, Security for Industrial Automation and Control Systems – Part 1-1: Terminology, Concepts and Models (Standard)
- ANSI/ISA-62443-2-1-2024, Security for Industrial Automation and Control Systems – Part 2-1: Security Program Requirements for IACS Asset Owners (Standard)
- ANSI/ISA-62443-3-2-2020, Security for Industrial Automation and Control Systems – Part 3-2: Security Risk Assessment for System Design (Standard)
- ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems – Part 3-3: System Security Requirements and Security Levels (Standard)
- ISA Cybersecurity Library (Publication)
- Industrial Automation and Control System Security Principles, Second Edition, by Ronald L. Krutz, PhD, PE (Publication)