Industrial Control System
Cyber Security Institute

ICS Cyber Security Training Curriculum



Threat Vulnerability & Risk Assessments for
Industrial Control Systems

Duration 2-3 days (In-Person) or 90 days (Self-Paced Remote)
Available Format(s) Live In-Person or Online
Who should attend Staff and personnel responsible for understanding, implementing, and evaluating the impact to operational systems and their directed consequences on service availability, safety, environmental responsibility, and business profitability. This is performed through the identification, collection, evaluation and prioritization of threats and vulnerabilities and the calculation of unmitigated and residual risk of the cyber-physical ecosystem.

Typical student profiles include: automation engineers (OT), process / manufacturing engineers (OT), facility operations and maintenance, finance, procurement, corporate compliance, system administrators (IT), network managers (IT), security officers, and facility management.
Prerequisites Fundamentals of Information and Operational Technology Systems
Fundamentals of Risk Management
Linux Fundamentals
Hands-On Exercises / Labs Multiple
Expected Outcome (MANAGERIAL and OPERATIONAL) Ability to supervise, participate in, and/or evaluate results of an operational assessment correlating logical and physical threats, vulnerabilities and weaknesses of integrated, heterogeneous cyber-physical systems and the impacts they have on operational integrity.
CEUs 24
Certification Ready N/A
Course Fee Individual: US $2,000  |  International US $2,250
Group / On-Site: Pricing Available on Request

This mission critical course focuses on one the most apparent weaknesses in securing operational technologies and their connected physical systems from threats aiming to cause harm – Risk. Training emphasizes the three cohesive activities that “assess” risk, “manage” risk, and deploy security controls that target and “mitigate” risk.

The curriculum introduces processes and methodologies based on decades of field activities and operational data to look at systems from a risk point-of-view that emphasize consequences or impact to critical services and functions rather than component or system level vulnerabilities that often do not map to any operational targets. This course is taught using a range of real-world architectures, components, devices, and protocols that leverage both traditional software vulnerabilities and other more subtle, hard to find yet equally if not, more powerful human vulnerabilities that arise from typical system configuration and usage to focus on mapping threats to impact. This course is based on a balanced combination of brief educational lectures that are reinforced with a combination of individual and group exercises. The typical course splits content with 40% lectures/discussions/demonstrations and 60% individual and group exercises.

Course Agenda

  • Part 1: Risk Management, Architecture and Networking
    • Present: Risk Assessment Process
    • Present: Understanding the Components of Risk
    • Present: Describe the Threat, Vulnerability, & Risk Assessment (TVRA) Process
    • Present: Identifying and Quantifying Risk - Instrument Air System (IAS)
    • Exercise: Assessment Preparation & Planning - Acme Manufacturing Company
    • Present: ICS Architectures & Networking
    • Exercise: Installing Network Analysis Tools (optional)
    • Exercise: Using Network Analysis Tools
    • Present: ICS Communication Protocols
    • Exercise: Analyzing ICS Network Traffic with Network Analysis Tools
  • Part 2: Deep Dive TVRA Process
    • Present: ICS Asset Identification & Characterization - Process, Tools & Tricks
    • Exercise: Multi-Zone Asset Discovery (Hardware & Software Inventories)
    • Exercise: Multi-Zone Asset Discovery (Data Flow & Firewall Analysis)
    • Present: ICS Vulnerability, Threat Discovery & Remediation
    • Exercise: Vulnerability Identification on a Multi-Zone OT Architecture
    • Exercise: Performing Credentialed Vulnerability Scans at Home using Nessus (optional)
    • Exercise: Characterization & Compliance Auditing
    • Demonstration: Collecting Assessment data using Tenable Nessus
    • Present: Risk, Resiliency & Project Lifecycle
    • Present: Alternatives to Traditional Risk Management Methods
    • Exercise: ICS Risk Analysis & Control Selection
    • Exercise: Addressing Resilience to Improve Security of OT Architectures
    • Present: The Changing Threat Landscape


Student Requirements

Students will use their own laptop to complete activities and exercises included with this course. This student-supplied laptop will be used to access the ICSCSI Moodle Learning Management System (LMS) during and after the course. The laptop must have installed a modern Internet web browser such as Chrome, Edge, Firefox, Safari, etc. The platform operating system is not important and may include Linux (multiple distributions), macOS, or Windows. No additional software is required for this course.

Access to the LMS requires a public Internet connection that resolves the icscsi.org domain name and allows connectivity using TCP transport ports 443 and 8443.

The LMS will host content used throughout the course that can be viewed and downloaded by the students. This includes the course textbook, documents, spreadsheets, instructional videos and more. The LMS will also be available to students after the course that includes access to the ICSCSI course “Fundamentals of Industrial Control System Cyber Security (EXPRESS)” covering the operational skills and tools, techniques and procedures (TTP) needed to perform the activities that comprise a TVRA that are too extensive to include in this short format course.

Student Material

Students utilize both hard-copy and electronic versions of material used in the course. A typical list of student materials include:

  • Course Textbook - "Industrial Network Security, 3rd ed."
  • Threat, Vulnerability & Risk Assessment Sample Report
  • Course Manual (presentation slides)
  • Course Lab Manual (includes forms and detailed instructions
  • Industrial Control System Cyber Security Assessment Field Manual
  • Pre-Assessment Scope Definition Questionnaire
  • Assessment Asset Collection Form

Students will also receive six (6) months of access to the full on-line course "Fundamemtals of Industrial Control System Cyber Security EXPRESS". This course provides more context around the material covered in this course, and provides a solid basis of establishing a baseline of knowledge that supports external qualification and certification examinations.

Training Logistics

The in-person training class size is limited to no more than 50 students. The instructor will use the class size to evaluate how the group activities will be conducted to maximize participation and individual student learning. This may include working in small groups (typically no more than 2-4 people per group).

Providing a suitable training room for in-person training is the responsibility of the client and should focus on a safe and comfortable learning environment for the group.


Recommended Optional Reading

Title Publisher
Applied Cyber Security and the Smart Grid Syngress
Hacking Exposed - Industrial Control Systems McGraw Hill
Open Source Security Testing Methodology Manual (OSTMM)  
Security Assessing using the US National Security Agency Information Assurance Methodology Syngress
Security Controls Evaluation, Testing and Assessment Handbook Syngress

Pricing (scan applicable QR Code)

Domestic (US only): US$ 2,000
Domestic (US only)

International: US$ 2,250
International

Training material will be shipped within 14 days from receipt of order using FedEx Express Saver (Domestic US Only) with delivery times typically 3-5 days. International shipping delivery times vary and will be provided prior to shipment.


Additional information on other courses offered as part of the curriculum can be viewed by selecting from the following list or the Quick Links located in the top righthand section of this page: