Course Overview

Assessing the Cybersecurity of New or Existing IACS Systems (IC33) provides the knowledge and skills needed to

assess the cybersecurity of new or existing industrial automation and control systems (IACS). Participants learn how to identify assets, evaluate vulnerabilities, perform cybersecurity risk assessments, and develop a Cybersecurity Requirements Specification (CRS) aligned with ISA/IEC 62443.

The course focuses on the first phase of the IACS cybersecurity lifecycle and applies to both greenfield and brownfield systems.

Course Details

Course #: IC33

Dates: May 6–8

Length: 3 days

Hours: 8:00 a.m. – 4:00 p.m.

CEUs: 2.1

Location: Microsoft, Houston TX

Certificate: Certificate of completion provided

Exam: One exam included with registration

Certificate Program

IC33 is the second course in the ISA/IEC 62443 Cybersecurity Certificate Program.

Successful completion of the course and exam earns the ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
certificate.

Required Prerequisites

Successful completion of IC32 – Using the ISA/IEC 62443 Standards to Secure Your Control Systems

Passing the ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam

Who Should Take IC33

– Control systems engineers and managers

– System integrators

– IT engineers and managers in industrial facilities- Plant managers

– Plant safety and risk management personnel

Learning Objectives

– Identify and document the scope of the IACS under assessment

– Gather cybersecurity information required to perform assessments

– Identify cybersecurity vulnerabilities in products and system design

– Interpret Process Hazard Analysis (PHA) results

– Organize and facilitate cybersecurity risk assessments

– Identify and evaluate realistic threat scenarios

– Assess effectiveness of existing countermeasures

– Identify gaps in policies, procedures, and standards

– Establish security zones and conduits

– Develop a Cybersecurity Requirements Specification (CRS)

Topics Covered

– Preparing for an assessment and defining scope

– Security lifecycle concepts

– System and network architecture diagrams

– Asset inventory and cyber criticality assessment

– Cybersecurity vulnerability assessments (high-level, passive, active)

– Penetration testing concepts

– Cyber risk assessment methodology

– ISA/IEC 62443-2-1 alignment

– Zones and conduits modeling

– Risk identification, classification, and calculation

– Countermeasures and residual risk

– Documentation and reporting requirements

Hands-On Activities & Exercises

– High-level risk assessment using CSET

– Capturing Ethernet traffic

– Vulnerability scanning

– Penetration testing demonstrations

– Creating zone and conduit diagrams

– Developing a Cybersecurity Requirements Specification

Recommended Resources – Standards

ISA-62443-1-1-2007 – Terminology, Concepts, and Models

ISA-62443-2-1-2009 – Establishing an IACS Security Program

ANSI/ISA-62443-3-2-2020 – Security Risk Assessment for System Design

ANSI/ISA-62443-3-3-2013 – System Security Requirements and Security LevelsRecommended Resources – Books

Industrial Automation and Control System Security Principles, Second Edition by Ronald L. Krutz, PhD, PE

Recommended Additional Preparation

Familiarity with industrial networking concepts, cybersecurity fundamentals, and prior exposure to ISA standards will help students succeed in this fast-paced course.