Assessing the Cybersecurity of New or Existing IACS Systems (IC33)

Man in a control room on phone

Assessing the Cybersecurity of New or Existing IACS Systems (IC33) will provide students with the information and skills to assess the cybersecurity of a new or existing industrial automation control systems (IACS) and to develop a cybersecurity requirements specification (CRS). 

IC33 focuses on the first phase of the IACS Cybersecurity Lifecycle, as defined in ISA/IEC 62443-1-1 standard. Students will learn to identify and document IACS assets and perform a cybersecurity vulnerability and risk assessment to identify and understand the high-risk vulnerabilities that require mitigation. Per ISA/IEC 62443-2-1, these assessments need to be performed on both new (i.e., greenfield) and existing (i.e., brownfield) applications. Part of the assessment process involves developing a zone and conduit model of the system, identifying security level targets, and documenting the cybersecurity requirements in a CRS.

Course updated March 2023

ISA/IEC 62443 Cybersecurity Risk Assessment Specialist badge
IC33 is the second course in the  ISA/IEC 62443 Cybersecurity Certificate Program. Pass the exam to earn the ISA/IEC 62443 Cybersecurity Risk Assessment Specialist certificate. Course registration includes one exam fee. 



Successful completion of Using the ISA/IEC 62443 Standards to Secure Your Control Systems (IC32) and passing the ISA/IEC 62443 Cybersecurity Fundamentals Specialist certificate exam are mandatory prerequisites for this course. 

Who Should Attend IC33?

  • Control systems engineers and managers
  • System integrators
  • IT engineers and managers in industrial facilities
  • Plant managers
  • Plant safety and risk management personnel

View Offerings by Format

Classroom (IC33)

Length: 3 days 
CEU Credits: 2.1

View IC33 Classroom Offerings

Virtual Classroom (IC33V)

Length: 3 days 
CEU Credits: 2.1

Virtual Classroom Offering (IC33V)

Instructor-Guided Online (IC33E)

Length: 7 weeks 
CEU Credits: 2.1

Instructor-Guided, Online Offering (IC33E)

Self-Paced, Modular (IC33M)

Length: 4 Modules, (15-40 minutes each)
CEU Credits: 0.6

Self-Paced Modular Offering (IC33M)

Learning Objectives

  • Identify and document the scope of the IACS under assessment
  • Specify, gather, or generate the cybersecurity information required to perform the assessment
  • Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
  • Interpret the results of a Process Hazard Analysis (PHA)  
  • Organize and facilitate a cybersecurity risk assessment for an IACS
  • Identify and evaluate realistic threat scenarios
  • Identify and assess the effectiveness of existing countermeasures
  • Identify gaps in existing policies, procedures, and standards
  • Evaluate the cost, complexity, and effectiveness of new countermeasures to make meaningful recommendations
  • Establish and document security zones and conduits
  • Develop a Cybersecurity Requirements Specification (CRS)

Topics Covered

Preparing for an Assessment
  • Security lifecycle
  • Scope
  • System architecture diagrams
  • Network diagrams
  • Asset inventory
  • Cyber criticality assessment
Cybersecurity Vulnerability Assessment
  • Risk
  • Types of cybersecurity vulnerability assessments
  • High-level assessments
  • Passive and active assessments
  • Penetration testing
  • Conducting high-level assessments
  • Assessment tools
  • CSET
Conducting Vulnerability Assessments
  • Vulnerability process
  • Pre-assessment
  • Standards
  • Research
  • Kick off and walk thru
  • Passive data collection
  • Active data collection
  • Penetration testing
Cyber Risk Assessments
  • Understanding risk
  • Risk identification, classification, and assessment
  • ISA/IEC 62443-2-1
  • SuC
  • Conduct high-level risk assessment
  • Consequence scale
  • Establish zones and conduits
  • Zone and conduit drawings and documentation
  • Document cybersecurity requirements
Conducting Cyber Risk Assessments
  • Detailed cyber risk assessment process
  • Threats
  • Vulnerabilities
  • Consequences
  • Likelihood
  • Calculate risk
  • Security levels
  • Countermeasures
  • Residual risk
  • Documentation
Critiquing System Architecture Diagrams
  • Asset inventory
  • Gap assessment
  • Windows vulnerability assessment
  • Capturing ethernet traffic
  • Port scanning
  • Using vulnerability scanning tools
  • Perform a high-level risk assessment
  • Creating a zone and conduit diagram
  • Perform a detailed cyber risk assessment
  • Critiquing a cybersecurity requirements specification
Documentation and Reporting
  • Document to maintain
  • Required reports
  • Zone and conduit diagrams
  • Cybersecurity Requirements Specification (CRS)


The following hands-on exercises are for IC33 and IC33V formats only.* 

  • Asset inventory
  • Perform a high-level cybersecurity risk assessment
  • High-level risk assessment using CSET 
  • Vulnerability scanning
  • Pentest Windows XP using Kali Linux 
  • Creating a zone & conduit diagram
  • Detailed risk assessment
  • Optional: Basic security analysis (GFI Languard)

Note: IC33M and IC33E students will use the cyberrange at Virginia Tech to complete the lab exercises.

Resources Include

  • ISA-62443-1-1-2007Security for Industrial Automation and Control Systems, Part 1-1: Terminology, Concepts, and Models
  • ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-3‑2-2020, Security for industrial automation and control systems, Part 3‑2: Security risk assessment for system design
  • ANSI/ISA-62443-3-3 (99.03.03)-2013ANSI/ISA-62443-3-3 (99.03.03)-2013 Security for industrial automation and control systems, Part 3-3: System security requirements and security levels

Recommended Reading

ISA Cybersecurity Library

Not sure this course is right for you?

Complete the knowledge check designed to evaluate your level of understanding of the course material and show you the types of questions you’ll be able to answer after completing the course.

Custom Training Solutions

If your company is interested in bringing training on site to your team, please contact or call +1 919-549-8411.

ISA Member Discount

To get the member price on today’s purchase, log in as a member or complete the join process before you complete your purchase. To join and/or register by phone, call customer service at +1 919-549-8411.