Security Risk Assessment (SRA)

Provides the introduction to the background, concepts and principles to be applied to the Security Risk Assessment, competency, compliance, security management and the relevant international standards. The Security Risk Assessment using a risk matrix will be discussed as well as the introduction to the case study.

The topics covered are:

• Introduction to TUV Rheinland Cyber Security (CySec) Program
• Requirements for Cyber Security in the IACS environment, including: IEC 61511 and the Network and Information Systems (NIS) directive.
• Security Management and Common Management Systems
• Introduction to Security in the IACS environment
• Introduction to the relevant Security and Safety Standards
• Introduction to the IEC 62443 Security Lifecycle
• Introduction to Risk Assessment specific standards
• Asset Inventory and it’s relation to Security Risk Assessment
• Introduction to the Case Study
• Asset Inventory exercise – Session 1
• Types of Risk Assessment – Quantitative, Semi Quantitative & Qualitative
• High-Level Security Risk Assessment
  • How to use previous Process Hazard Analysis (PHA) as an input to High-Level SRA.
  • Determination of the High-Level Threat Scenarios
  • Determination of the High-Level Vulnerabilities
  • Determination of the High-Level Risk
  • Determination of the preliminary Security Level – Target
  • High-Level SRA exercise – Session 2

Further develops on the concepts, principles and techniques carried out in day one and the case study work by taking the output from the High-Level SRA and evaluates the risks based on their likelihood and consequence and prioritizes them for examination in the Detailed-Level SRA. The second day also includes an explanation of what outputs would be expected from the High-Level SRA. The principles and activities of the Zoning and Conduit sections of the IEC 62443 will also be explained

The topics covered are:

• The required outputs from the High-Level SRA
• Requirements of IEC 62443 with relation to the Zone and Conduit exercise.
• Trust Boundaries, Entry Points and further benefits of the Zone and Conduit exercise.
• Allocation of IACS to Zone
• Network Segmentation
• System Architecture
• Allocation of Zones Exercise – Session 3

Develops on the case study work carried out in day one and two taking the outputs from the High-Level SRA and the Zone and Conduit exercise and then examining the prioritised risk zones in detail in the Detailed-Level SRA. Also covered is the relation between the Detailed-Level SRA and Attack Trees and how they may be used in both the risk assessment and the effective implementation of the countermeasures/security controls.

The topics covered are:

• IEC 62443 Detailed-Level SRA requirements
• Description of Attack Surfaces in the ICS Environment
• Detailed-Level SRA Process
  • Determination of Threats including Threat Assessment
  • Determination of Vulnerabilities including Vulnerability Assessment
  • Determination of the Detailed Risk and Security Level - Targets through the use of a Security Risk Matrix.
• The Importance of Security Level - Targets and their relation to Foundational Requirements.
• How pruning of Attack Trees can be used to demonstrate a Risk-Based approach to risk reduction
• Detailed-Level SRA exercise – Session 4
• Risk Management (Acceptance)
• IEC 62443 Required Documentation for SRA, including the Cybersecurity Requirement Specification (CRS).
• Risk Management (Monitoring and Review)
• Concluding remarks
• Format of exam and preparation and close.

A four (4) hour two-part competency examination compromising:

Part 1 = 30 multiple-choice questions (1 mark each question);

Part 2 = Open-Ended exam with 7 questions (10 marks each question).

The pass score criterion is 75%