The first phase in the Industrial Systems Cybersecurity Lifecycle (IACS – defined in ISA/IEC-62443-1-1) consists of identifying and documenting industrial assets (IACS) and performing a cybersecurity vulnerability analysis. The main outcome is to produce a risk assessment to identify and understand high-risk vulnerabilities that require mitigation.
By ISA/IEC-62443-2-1 these assessments must be performed on both existing (Brownfield) and new (Greenfield) applications. Part of the assessment process involves developing a zone and conduit model of the systems under consideration, identifying security level objectives, and documenting cybersecurity requirements into a cybersecurity requirements specification (CSRS).
This course will provide students with the information and skills needed to assess the cybersecurity of new or existing IACS and develop a specification of cybersecurity requirements that can be used to document the project’s cybersecurity requirements. This training course contains a respectable number of practical exercises of the laboratory type. For participants to take the professional certification exam in the SCANTRON network, they must complete all the exercises and attend 100% of the classes and sessions.
Main objective of the course
This course will provide the participants with the necessary information and knowledge to be able to evaluate the cybersecurity of new or existing IACS and make effective and sufficient mitigation decisions; to prevent the occurrence of potential consequences, according to the risk tolerance accepted by the organization. A good risk assessment with a proven RAGAGEP methodology will make it possible to influence the redesign of existing systems or influence the design of new systems before they are installed in the plants.
This training course contains a respectable number of laboratory-type practical exercises that will strengthen and fix the concepts. For participants to take the professional certification exam on the SCANTRON network, they must complete all the exercises and attend 100% of the classes and sessions.
ISA’s main objective is to ensure that participants understand the requirements of the ISA/IEC-62443 series of standards in the correct way. This is the first step before successful implementation and mitigation. ISA-agnostic courses are not intended to recommend a specific tool for performing risk assessment, and it will be the responsibility of the user to select their tools to meet the requirements.
Para la audiencia de habla hispana (y portuguesa) el material de estudio se dispone en idioma inglés. La evaluación de certificación profesional se encuentra disponible únicamente en idioma inglés, al igual que la serie de normas ISA/IEC-62443. La traducción de las normas no está aprobada ni autorizada por el Comité ISA99.
With the 2133 course, you will be able to
- Identify and document the scope of IACSs under evaluation and under consideration
- Specify, gather, or generate the cybersecurity information necessary to perform the assessment
- Identify or discover cybersecurity vulnerabilities inherent in the product or system under consideration
- Organize and facilitate a cybersecurity risk assessment for an integrated system
- Identify and evaluate realistic threat scenarios
- Identify gaps in existing company policies, procedures, and standards
- Establish and document safety zones and conduits
- Prepare documentation of the results of the evaluation.
Practical exercises to be done in class
- Discuss and critique systems architecture and its diagrams
- Inventory of assets of the systems under consideration
- Assessment of deficiencies
- Vulnerability Assessment (Windows)
- Ethernet traffic capture exercises
- Port Scanning
- Using Vulnerability Scanning Tools
- Conducting a high-level risk assessment
- Creating a zone and duct diagram
- Conducting a detailed cyber risk assessment
- Discuss and critique a specification of cybersecurity requirements
Requirements
Have completed and passed the IC32 Course. To take certification exam 2 “ISA/IEC 62443 Cybersecurity Risk Assessment Specialist” the participant must have passed the certification exam 1 “ISA/IEC 62443 Cybersecurity Fundamentals Specialist”.
Deliverables
Participants will receive in the class (face-to-face) at home (virtual) access to the following materials. Optional printed material may be provided at an additional cost.
- Printed course lessons.
- ISA/IEC-62443 standards used in the course.
- Educational campus to download complementary information and software.
- Laboratory workshops.
- Eligibility to obtain the official certificate. (Requires 100% assistance).
Certification N° 2 “ISA/IEC 62443 Cybersecurity Risk Assessment Specialist”
- CRE Credits: 2,1
- CEU Credits: 2.1 (Awarded by ISA)
- The exam to obtain the professional certification (included in the registration) is taken separately, with a maximum period of up to 6 months of completion of the course. Presently, the exam is taken only in English.
- UPDATED: The professional certification exam is included in the price. You can add as many opportunities as you need within 6 months of finishing the course, paying the additional Fee of USD 150,- for each new opportunity.
Recognitions
All participants who meet the course requirements and who successfully pass the final exam with a good grade will be awarded a Digital Badge. The digital badge certifies that the participant has attended the 2133 training course and has taken the final evaluation test with a good grade, verifying that said participant has assimilated the new knowledge. It is required that the participant completes all the requirements of the course to be qualified to take the professional certification exam described below.
Professional Certificate of International Recognition
All participants who have successfully completed 100% of the objectives of the IC33 course will be able to take the ISA/IEC-62443 Cybersecurity Risk Assessment Specialist international validity certification exam in the authorized facilities. Students who have successfully completed the course will have multiple opportunities over a maximum period of 6 months to take the exam and thus obtain their professional certification. The professional certification exam is of the multiple-choice type and is developed only in English. Therefore, participants are required to have good command of the written technical English language.
The main objectives of ISA training is to make sure that the audience understands and interprets the requirements of the ISA/IEC-62443 series of standards correctly and what needs to be done.
While the exercises and products used in the lab helps to understand the concepts, it is not within the objectives of ISA to recommend any specific solution or to show how to comply with the multiple requirements.