Using the ISA/IEC 62443 Standard to Secure Your Control Systems
(IC32E – Online Version)
Length: 8 weeks
Price: € 1.875,- / € 1.575,- for ISA Members
Exam: ISA/IEC 62443 Cybersecurity Fundamentals Specialist is included (€ 200,- value)
CEU Credits: 2.1
Course Hours: Online Course – Refer to Syllabus
Certification of Completion: A Certificate of Completion indicating the total number of CEUs earned will be provided upon successful completion of the course.
Part of the ISA/IEC 62443 Cybersecurity Certificate Program
Your course registration includes your registration for the exam.
ISA’s CyberU online instructor-led training courses offer the benefit of a high quality ISA training course with the added advantage of studying at your own pace in the office, at home, or while traveling.
This online course utilizes online training modules, additional text materials, online evaluations, and e-mail discussions. Students will have access via email to an instructor and an opportunity to participate in live Q&A sessions with the instructor and other class participants.
This CyberU course runs for eight (8) weeks. You will have access to twelve online modules for the web/audio sessions. Each module is between 20 to 60 minutes. Your course syllabus will guide you through the course modules and provide assignments and the schedule for the live Q&A sessions.
A detailed look at how the ISA/IEC 62443 (formerly ISA 99) Standards can be used to protect your critical control systems. It also explores the procedural and technical differences between the security for traditional IT environments and those solutions appropriate for SCADA or plant floor environments. The course explores the move to using open standards such as Ethernet, TCP/IP, and web technologies in SCADA and process control networks that has begun to expose these systems to the same cyber-attacks that have wreaked so much havoc on global government and corporate information systems.
You will be able to:
- Discuss the need and importance for control system security
- Learn about current principles and best practices
- Understand the structure and content of the ISA 99 / IEC 62443 series of documents
- Discuss the principles behind the creating an effective long term program security
- Learn the basics of risk analysis, industrial networking and network security
- Understand the concepts of defense in depth and zones and conduits
- Learn how to apply key risk mitigation techniques such as anti-virus, patch management, firewalls and virtual private networks
- Learn how secure software development strategies can make systems inherently more secure
- Learn what is being done to validate or verify the security of systems
You will cover:
Module 1: Using the ISA/IEC 62443 Standards to Secure Your Control Systems
Provides a basic introduction to control system cyber security and the ISA/IEC 62443 standards. Discussion of trends, regulations, industry standards and best practices, common myths, the ISA 99 committee, and the structure of the ISA 62443 standard. Topics include: Self-assessment of your Control Systems Security knowledge, Trends in control system cybersecurity, Potential Impacts, Five common myths regarding IACS Security, Regulations and Standards, ISA99 committee work.
Module 2: Terminology, Concepts, Models and Metrics
Covers the material in ISA 62443-1-1 (published as ISA-99.00.01:2007) that forms the basis for the ISA 62443 series of standards. Topics include: Difference between IT and IACS, Security Objectives, Defense-in-Depth, Risk Assessment, Policies, Zones & Conduits, Security Levels and the Security Lifecycle Models
Module 3: Threats and Vulnerabilities
Provides a basic introduction to networking with a focus on the application of Ethernet in the industrial environment. Topics include: Types of networks, OSI reference model, Network Devices, Network Protocols, Network Tools built into Operating Systems.
Module 4: Industrial Networking Basics L1-L3
Builds on the previous module and covers networking with a focus on the upper layers of the OSI reference model, problems with the OSI model, network discovery, and security auditing tools in the industrial environment. Topics include: Encapsulating data, OSI reference model, Network Devices, Network Protocols.
Module 5: Network Security Basics 101
Provides a basic introduction to network security. Topics include: Security Appliances, Network Segmentation, Encryption, Secure Protocols and Intrusion Detection. Topics include: Why address security? Firewalls, Network Segmentation Architectures, Encryption, Intrusion Detection, Monitoring Network Traffic.
Module 6: Industrial Protocols
Covers at a high level the structure and application of common industrial protocols such as MODBUS, PROFIBUS, OPC and CIP (EtherNet/IP). Topics include: What is a protocol? Multitude of Industrial Protocols, Ports in use.
Module 7: Establishing an Industrial Automation and Control Systems Security Program
Covers the material in ISA 62443-2-1 (published as ISA-99.02.01:2009) that specifies the elements and requirements of an IACS Cyber Security Management System (CSMS). Topics include: Six top level activities, Common pitfalls, Risk Analysis, Security Policy, Organization and Awareness, Personnel security, Physical & Environmental Security, Network Segmentation, Access Control, Change Management, Patch and Anti-virus management, Information management, Incident Response and Disaster Recover Planning, Compliance Monitoring, and Program Maintenance.
Module 8: Security Risk Assessment and System Design
Covers Security Level definitions and Foundational Requirements that establish a basis for the requirements in scoping an IACS assessment, establishing zones & conduits, analyzing the security risk for each zone, assigning a security level target to each zone and verifying the design satisfies the security level target. Topics include: Definitions, Risk Equation, Cyber Risk Reduction Factor, Basic Security analysis tools, Identification of Zones and Conduits.
Module 9: Intro to the IACS Cybersecurity Lifecycle
Short jaunt into the Assess, Develop & Implement and Maintain phases of the IACS Cybersecurity Lifecycle. These phases are covered more in depth in ISA’s IC33, IC34 & IC37 courses. Topics include: Cyber Security Life Cycle diagram, Phases, Continuous processes.
Module 10: Security Program Requirements for IACS Service Providers
Creating a secure product out of the box is only a small piece of the security puzzle. Asset Owners, Integrators and Suppliers all have a role. This module covers how IEC 62443-2-4 specifies requirements IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Topics include: IACS Patching, Asset Owner Requirements, Product Supplier/Service Provider Requirements, Malicious Code Protection.
Module 11: Developing Secure Products and Systems
Overview of component tier Product Development Requirements and Technical Security Requirements for IACS that are Product supplier centric. Topics include: Component tier standards ISA-62443-4-1 & ISA-62443-4-2, Primary & Secondary goals, ISA 62443 relationships, ISA Security Compliance Institute (ISCI), ISASecure™.
Module 12: Evolving Security Standards and Practices
Standards are voluntary documents unless there is a requirement to use them. In this module, we look at the continuously evolving industrial security regulatory landscape. The only constant is change! Topics include: Normative and Informative elements, NIST Cyber Security Framework, ISA-62443-2-1 requirement to monitor and evaluate applicable legislation relevant to cyber security, Standards Development Organizations (SDOs).
Course Materials (PDF format):
- IC32E v2.0 Course Syllabus
- IC32E v2.0 Noteset Volume I with sections on Course Presentation slides from course modules, Instructional Surveys/Answers and Additional Resources
- IC32E v2.0 Noteset Volume II with the following three publications
- ANSI / ISA 99.00.01-2007 / IEC 62443-1-1: Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models (Approved 29 October 2007)
- ANSI / ISA 99.00.02-2009 / IEC 62443-2-1: Security for Industrial Automation and Control Systems Part 2: Establishing an Industrial Automation and Control System Security Program
- ISA-62443.03.03 / IEC 62443-3-3: Security for Industrial Automation and Control Systems: System Security Requirements and Security Assurance Levels
- Textbook: Industrial Automation by Ronald L. Krutz (Second Edition)
Features of ISA CyberU online course:
Online Pre-recorded Course Modules
Your instructor has pre-recorded each course module so that you can access the course presentations on your schedule. Each module is a web/audio session that takes approximately 20 – 60 minutes.
Ask the Expert
Interact with your expert instructor via email throughout the course and through scheduled live Q&A sessions. You can expect a reply to your email within 24 hours. This email address is active during the entire course duration.
The Q&A sessions provide an opportunity for you and your classmates to speak one-on-one with the instructor. You will have an opportunity to ask any questions you may have about the course material and interact with your fellow classmates.
You will be invited to subscribe to a course listserve that includes course participants. You can use this listserve to post questions and share experience relevant to the course with other class members.
Course Assignments and Exams
- Take the course pre-test before you begin studying the course material to get a better understanding of areas that you will want to focus on more during the course.
- Homework assignments for all modules will be indicated on the syllabus. The homework assignments are designed to help expand your understanding of the course material.
- Complete the final exam for the course in order to receive Continuing Education Units (CEU) credit. The final exam will be taken and scored online. You must receive at least 80% on the course exam to receive CEU credit. (Note this exam is not the ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam)
Not sure this particular course is for you?
A pre-instructional survey is available for you to evaluate your level of understanding of the course material and to show you the types of questions you’ll be able to answer after completing the course.