Course #: IC33 | CEUs: 2.1 | Length: 3 days | Version: 3.11 | A certificate of completion indicating the total number of CEUs earned will be provided upon successful completion of the course.
Assessing the Cybersecurity of New or Existing IACS Systems (IC33) will provide students with the information and skills to assess the cybersecurity of a new or existing industrial automation and control system (IACS) and to develop a cybersecurity requirements specification (CRS) that can be used to document the cybersecurity requirements of the project.
IC33 starts with the first phase of the IACS Cybersecurity Lifecycle, as defined in the ISA/IEC-62443-1-1 standard. Students will learn to identify and document IACS assets and perform a cybersecurity vulnerability and risk assessment to identify and understand the high-risk vulnerabilities that require mitigation. Per ISA/IEC-62443-2-1, these assessments need to be performed on both new (i.e., greenfield) and existing (i.e., brownfield) applications. Part of the assessment process involves developing a zone and conduit model of the system, identifying security level targets, and documenting the cybersecurity requirements in a CRS.
For the Spanish-speaking (and Portuguese-speaking) audience, the study material is provided in English. The professional certification exam is available only in English, as is the ISA/IEC-62443 series of standards. Independent translation of the standards is neither approved nor authorized by the ISA99 Committee.
Certificate Program: IC33 is the second course in the ISA/IEC-62443 Cybersecurity Certificate Program. Pass the exam to earn the ISA/IEC-62443 Cybersecurity Risk Assessment Specialist certificate. Course registration includes one exam fee.
Required Prerequisites
Successful completion of Using the ISA/IEC-62443 Standards to Secure Your Control Systems (IC32) and passing the ISA/IEC-62443 Cybersecurity Fundamentals Specialist certificate exam are mandatory prerequisites for this course.
Who Should Take IC33?
- Control systems engineers and managers
- System integrators
- IT engineers and managers in industrial facilities
- Plant managers
- Plant safety and risk management personnel
Learning Objectives
- Identify and document the scope of the IACS under assessment
- Specify, gather, or generate the cybersecurity information required to perform the assessment
- Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
- Interpret the results of a Process Hazard Analysis (PHA)
- Organize and facilitate a cybersecurity risk assessment for an IACS
- Identify and evaluate realistic threat scenarios
- Identify and assess the effectiveness of existing countermeasures
- Identify gaps in existing policies, procedures, and standards
- Evaluate the cost, complexity, and effectiveness of new countermeasures to make meaningful recommendations
- Establish and document security zones and conduits
- Develop a CRS
Topics Covered
- Preparing for an Assessment
- Security lifecycle
- Scope
- System architecture diagrams
- Network diagrams
- Asset inventory
- Cyber criticality assessment
- Cybersecurity Vulnerability Assessment
- Risk
- Types of cybersecurity vulnerability assessments
- High-level assessments
- Passive and active assessments
- Penetration testing
- Conducting high-level assessments
- Assessment tools
- Cyber Security Evaluation Tool (CSET)
- Conducting Vulnerability Assessments
- Vulnerability process
- Pre-assessment
- Standards
- Research
- Kick off and walk through
- Passive data collection
- Active data collection
- Penetration testing
- Cyber Risk Assessments
- Understanding risk
- Risk identification, classification and assessment
- ISA/IEC-62443-2-1
- System under Consideration (SuC)
- Conduct high-level risk assessment
- Consequence scale
- Establish zones and conduits
- Zone and conduit drawings and documentation
- Document cybersecurity requirements
- Conducting Cyber Risk Assessments
- Detailed cyber risk assessment process
- Threats
- Vulnerabilities
- Consequences
- Likelihood
- Calculate risk
- Security levels
- Countermeasures
- Residual risk
- Documentation
- Critiquing System Architecture Diagrams
- Asset inventory
- Gap assessment
- Windows vulnerability assessment
- Capturing Ethernet traffic
- Port scanning
- Using vulnerability scanning tools
- Perform a high-level risk assessment
- Creating a zone and conduit diagram
- Perform a detailed cyber risk assessment
- Critiquing a cybersecurity requirements specification
- Documentation and Reporting
- Documents to maintain
- Required reports
- Zone and conduit diagrams
- CRS
Laboratory Exercises
- Asset inventory
- Perform a high-level cybersecurity risk assessment
- High-level risk assessment using CSET
- Vulnerability scanning
- Pentest Windows XP using Kali Linux
- Creating a zone & conduit diagram
- Detailed risk assessment
- Optional: Basic security analysis (GFI LanGuard)
Resources Included
Laboratory Access
- Students will use the cyber lab at ISA headquarters to complete the lab exercises
- Access to a virtual lab during the class only
- Approximately 10 hours of lab activity
Recommended Resources
Standards
- ISA-62443-1-1-2007, Security for Industrial Automation and Control Systems, Part 1-1: Terminology, Concepts, and Models
- ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
- ANSI/ISA-62443-3‑2-2020, Industrial Automation and Control Systems, Part 3‑2: Security Risk Assessment for System Design
- ANSI/ISA-62443-3-3 (99.03.03)-2013, Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels
Books
- Cybersecurity Library
- Industrial Automation and Control System Security Principles, Second Edition by Ronald L. Krutz, PhD, PE
The main objectives of ISA training are to make sure that the audience correctly understands and interprets the requirements of the ISA/IEC-62443 series of standards and what needs to be done. While the exercises and products used in the lab help students understand the concepts, it is not within the objectives of ISA to recommend any specific solution or to show how to comply with the multiple requirements.
