ICS Cybersecurity Services

ISA/IEC-62443/ISA-99 Based Control System Cybersecurity Vulnerability Assessment

The move by most, if not all, DCS vendors towards “open systems” and the resulting incorporation of off-the- shelf technologies represented a significant shift in control system design. System integration became easier, product development by manufacturers was accelerated, and training was simplified as it leveraged common tools and concepts. While the benefits have been tremendous, at the same time, open technology has now allowed control systems to be exposed by frequent and significant security vulnerabilities, putting production, assets, and human safety at risk. Gone are the days of proprietary operating systems and communication busses, isolated systems, and inherently secure processing environments.

Identifying and mitigating these threats requires organizations to develop a better understanding of their overall process control system security, their vulnerabilities and risks, and how they are positioned to address them. 

An ISA/IEC-62443/ISA-99 Based Control System Cybersecurity Vulnerability Assessment (CVA) 

  • Evaluates the current control system by examining such areas as; Documentation and architecture, 3rd party and remote connections, ICS policies and procedures, evaluates Process Control Network (PCN) traffic, system and device configurations, device susceptibility to threats, physical security, administrative security, and more
  • Compares results to industry standards and best practices such as ANSI/ISA 99.02.01-2009, DHS CFATS RBPS-8, NERC CIP, IEC/ISA-62443, etc.
  • Provides the organization with a detailed confidential report of what they have done right, where they can improve, and recommendations on how to achieve standards based "best practice" solutions .
  • Provides documentation required by regulators, insurance companies and any other stakeholders 

The Process

The process can be broken down into three phases: 

Control System Cybersecurity Vulnerability Assessment

In Phase 1, or the pre-assessment phase, existing information is collected from those responsible for the system. Items such as network diagrams, lists of cyber assets, existing policies and procedures etc. are reviewed in order to provide the assessment team with a basic understanding of the system before they arrive on site. 

Phase 2 is performed onsite and is primarily focused on data-gathering. Among other data gathering steps, the assessment team will assess physical and administrative security, verify the network architecture and traffic flows. They will examine networked devices to collect basic information such as make, model, and analyze the configuration and susceptibility to threats (access control measures, open ports, applications and services, status of patches, anti-virus tools, etc.) of each device. They will evaluate and assess remote and 3rd party connections to the Process Control Network. The assessment team will also interview key staff to better understand actual procedures that are being followed and their cybersecurity awareness. Before leaving your site the assessment team will meet with management to provide a briefing on key and initial recommendations. 

Phase 3 is for the assessment team to fully analyze the data and formally document the results in an assessment report. Vulnerabilities identified in devices or applications will be documented, architecture deficiencies, physical security lapses, identified gaps between current practices and standards/best practices are documented and recommendations are identified and prioritized.


  • Provides management with solid understanding of current situation both successes and gaps
  • Helps identify and prioritize security resources and investments
  • Provides a foundation and direction towards developing a broader security program
  • Short Duration – most systems can be assessed in less than a week - and minimally invasive to personnel, and non invasive to the PCN itself 

Request a Proposal