When

Wednesday, August 1, 2018 at 8:00 AM EDT
-to-
Friday, August 3, 2018 at 4:00 PM EDT


Where

Applied Control Engineering, Inc (ACE) 
700 Creek View Rd
Newark, DE 19711
 

 

Contact

Jonathan Chapman 
aeSolutions 
864-404-3038 
jonathan.chapman@aesolns.com 
 

IC33 - Assessing the Cybersecurity of New or Existing IACS Systems (August 2018 - DE) 

John Cusimano, Director of Industrial Cybersecurity for aeSolutions, will be instructing this IC39C training course.

Length:  3 days

CEUs:  2.1 

Certificate Program: Part of the ISA/IEC 62443 Cybersecurity Certificate Program
Your course registration includes your registration for the exam.

NEW: Enter the referral code AES2018 when you register for a thank-you gift from aeSolutions!

Description:

The first phase in the IACS Cybersecurity Lifecycle (defined in ISA 62443-1-1) is to identify and document IACS assets and perform a cybersecurity vulnerability and risk assessment in order to identify and understand the high-risk vulnerabilities that require mitigation.  Per ISA 62443-2-1 these assessments need to be performed on both new (i.e. greenfield) and existing (i.e. brownfield) applications. Part of the assessment process involves developing a zone and conduit model of the system, identifying security level targets, and documenting the cybersecurity requirements into a cybersecurity requirements specification (CRS).  

This course will provide students with the information and skills to assess the cybersecurity of a new or existing IACS and to develop a cybersecurity requirements specification that can be used to document the cybersecurity requirements for the project.

You Will Be Able to:

  • Identify and document the scope of the IACS under assessment
  • Specify, gather or generate the cybersecurity information required to perform the assessment
  • Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
  • Organize and facilitate a cybersecurity risk assessment for an IACS
  • Identify and evaluate realistic threat scenarios
  • Identify gaps in existing policies, procedures and standards
  • Establish and document security zones and conduits 
  • Prepare documentation of assessment results

 

Classroom/Laboratory Exercises:

  • Critiquing system architecture diagrams
  • Asset Inventory
  • Gap Assessment
  • Windows Vulnerability Assessment
  • Capturing Ethernet Traffic
  • Port Scanning
  • Using Vulnerability Scanning Tools
  • Perform a high-level risk assessment
  • Creating a zone & conduit diagram
  • Perform a detailed cyber risk assessment
  • Critiquing a cybersecurity requirements specification

 

Who Should Attend:

  • Control systems engineers and managers
  • System Integrators
  • IT engineers and managers at industrial facilities
  • IT corporate/security professionals
  • Plant Safety and Risk Management

 

Recommended Pre-Requisite:

ISA Course IC32 or equivalent knowledge/experience.

About the Instructor:


John Cusimano, CISSP, GICSP, CFSE, is the Director of Industrial Cybersecurity for aeSolutions. John is an industrial control systems cybersecurity and functional safety expert with more than twenty years of experience. He leads the cybersecurity group for aeSolutions, a process safety consulting, engineering and automation company that provides process safety lifecycle solutions and tools. John has performed countless control system cybersecurity vulnerability and cyber risk assessments in the Oil & Gas, Chemical, Water/Wastewater, and Power industries per ISA/IEC 62443 and NERC CIP standards. He has also overseen and participated in the security testing and certification of several control and safety systems per the ISASecure™ and Achilles™ security certification programs. A leader in the development of ICS cybersecurity standards and best practices, John is Chairman of ISA 99 WG4 TG2 Zones & Conduits committee and co-chair of ISA 99 WG4 TG6 Product Development committee. He was instrumental in the development of the ISASecure certification scheme and was recently appointed as US Expert to the IEC TC65 WG10 committee. John is also the lead course developer and instructor for the ISA IC32 training course, “Using the ANSI / ISA 62443 Standards to Secure Your Industrial Control System.”