
Assessing the Cybersecurity of New or Existing IACS Systems (IC33)


Evaluate IACS Cybersecurity and Turn Findings Into Action

Assessing the Cybersecurity of New or Existing IACS Systems (IC33) teaches how to evaluate the cybersecurity of both new and existing industrial automation and control systems (IACS) and the elements that make up a Cybersecurity Requirements Specification (CRS), which documents project security needs. This course highlights the Assess phase of the IACS cybersecurity lifecycle (per ISA/IEC 62443-1-1) and guides participants through defining the System under Consideration (SuC), building an asset and data-flow inventory, identifying realistic threats and vulnerabilities, evaluating risks based on consequences and likelihood and developing zones and conduits with security-level targets. It explains how a CRS is produced from the assessment results and serves as the foundation for system-level security requirements used in subsequent design and implementation processes. 

Students taking IC33 will build skills in asset discovery, threat and vulnerability analysis, risk ranking and technical reporting, enabling them to work effectively on multidisciplinary assessment teams and to communicate findings clearly to operations and management. For organizations, adopting the IC33 course framework encourages a consistent, standards-based approach to IACS risk assessment and yields implementation-ready deliverables, including zone/conduit models, prioritized risk reports, and CRS-required elements. These deliverables help prioritize remediation, inform secure design and procurement decisions, and support ongoing maintenance and compliance activities.


IC33 is the second course in the ISA/IEC 62443 Cybersecurity Certificate Program. Pass the exam to earn the ISA/IEC 62443 Cybersecurity Risk Assessment Specialist certificate. Course registration includes one exam fee.
 


Required Prerequisite

Successful completion of Using the ISA/IEC 62443 Standards to Secure Your Control Systems (IC32) and passing the ISA/IEC 62443 Cybersecurity Fundamentals Specialist certificate exam are mandatory prerequisites for this course. 


Who Should Attend IC33?

  • Control systems engineers and managers
  • System integrators
  • IT engineers and managers in industrial facilities
  • Plant managers
  • Plant safety and risk management personnel

View Offerings by Format

Classroom (IC33)

Length: 3 days 
CEU Credits: 2.1


Virtual Classroom (IC33V)

Length: 3 days 
CEU Credits: 2.1



Instructor-Guided Online (IC33E)

Length: 7 weeks 
CEU Credits: 2.1



Self-Paced, Modular (IC33M)

Length: 4 modules (15-40 minutes each)
CEU Credits: 0.6


Visit our course formats page for a detailed description of each format. 

Learning Objectives

  • Identify and document the scope of the IACS under assessment
  • Specify, gather, or generate the cybersecurity information required to perform the assessment
  • Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
  • Interpret the results of a Process Hazard Analysis (PHA)  
  • Organize and facilitate a cybersecurity risk assessment for an IACS
  • Identify and evaluate realistic threat scenarios
  • Identify and assess the effectiveness of existing countermeasures
  • Identify gaps in existing policies, procedures, and standards
  • Evaluate the cost, complexity and effectiveness of new countermeasures to make meaningful recommendations
  • Establish and document security zones and conduits
  • Develop a Cybersecurity Requirements Specification (CRS)

Topics Covered

  • Preparing for an Assessment
    • Security lifecycle
    • Scope
    • System architecture diagrams
    • Network diagrams
    • Asset inventory
    • Cyber criticality assessment
  • Cybersecurity Vulnerability Assessment
    • Risk
    • Types of cybersecurity vulnerability assessments
    • High-level assessments
    • Passive and active assessments
    • Penetration testing
    • Conducting high-level assessments
    • Assessment tools
    • Cyber Security Evaluation Tool (CSET)
  • Conducting Vulnerability Assessments
    • Vulnerability process
    • Pre-assessment
    • Standards
    • Research
    • Kickoff and walk-through
    • Passive data collection
    • Active data collection
    • Penetration testing
  • Cyber Risk Assessments
    • Understanding risk
    • Risk identification, classification and assessment
    • ISA/IEC 62443-2-1
    • System under Consideration (SuC)
    • Conduct high-level risk assessment
    • Consequence scale
    • Establish zones and conduits
    • Zone and conduit drawings and documentation
    • Document cybersecurity requirements
  • Conducting Cyber Risk Assessments
    • Detailed cyber risk assessment process
    • Threats
    • Vulnerabilities
    • Consequences
    • Likelihood
    • Calculate risk
    • Security levels
    • Countermeasures
    • Residual risk
    • Documentation
  • Critiquing System Architecture Diagrams
    • Asset inventory
    • Gap assessment
    • Windows vulnerability assessment
    • Capturing Ethernet traffic
    • Port scanning
    • Using vulnerability scanning tools
    • Perform a high-level risk assessment
    • Creating a zone and conduit diagram
    • Perform a detailed cyber risk assessment
    • Critiquing a cybersecurity requirements specification
  • Documentation and Reporting
    • Documents to maintain
    • Required reports
    • Zone and conduit diagrams
    • Cybersecurity Requirements Specification (CRS)

Exercises

The following hands-on exercises are for IC33 and IC33V formats only.* 

  • Asset inventory
  • Perform a high-level cybersecurity risk assessment
  • High-level risk assessment using CSET 
  • Vulnerability scanning
  • Pentest Windows XP using Kali Linux 
  • Creating a zone & conduit diagram
  • Detailed risk assessment
  • Optional: Basic security analysis (GFI LanGuard)

Note: IC33M and IC33E students will use the cyber range at Virginia Tech to complete the lab exercises.


Not sure this course is right for you?

Complete the knowledge check designed to evaluate your level of understanding of the course material and show you the types of questions you’ll be able to answer after completing the course.

Custom Training Solutions

If your company is interested in bringing training on site to your team, please contact trainingsales@isa.org or call +1 919-549-8411.

ISA Member Discount

To get the member price on today’s purchase, log in as a member or complete the join process before you complete your purchase. To join and/or register by phone, call Customer Experience at +1 919-549-8411.