Landingpage available in the following languages:
or select your TÜV Rheinland region / country website:

Security Risk Assessment

EFSTAS - Security Risk Assessment

EFSTAS Ltd. - United Kingdom, is an accepted course provider of the TÜV Rheinland Cyber Security Training Program.

Course Objectives

The objective of the course is to provide participants with a fundamental understanding of the principles of IACS Cybersecurity Risk Assessment in the process industries according to IEC 62443 and to understand:

  • The role and the process of Security Risk Assessment (SRA) in gaining an understanding of the security risks on the facility and their potential consequences.
  • The concept of Security Level – Targets (SL-T) and the Cyber Security Requirements Specification (CSRS).
  • The relationship between SL-T and CSRS to the design and implementation of security countermeasures that are capable and able to achieve the security requirements needed of the determined security level.

Successful participants, who have sufficient experience and pass both the fundamentals and Security Risk Assessment exam, will be eligible for the prestigious CySec Specialist (TÜV Rheinland) certificate in Security Risk Assessment.

The course is based around a practical case study that will be developed across the three days of the course taking the delegate through the SRA process. The course is a modular structure of classroom tuition followed by a case study practical, which will take the participant through the SRA process as identified in IEC 62443-3.2.

Day four consists of a four-hour two-part examination based on a multiple choice and an Open SRA examination.


Display all Hide all

Day 1

Provides the introduction to the background, concepts and principles to be applied to the Security Risk Assessment, competency, compliance, security management and the relevant international standards. The Security Risk Assessment using a risk matrix will be discussed as well as the introduction to the case study.

The topics covered are:

  • Introduction to TUV Rheinland Cyber Security (CySec) Program
  • Requirements for Cyber Security in the IACS environment, including: IEC 61511 and the Network and Information Systems (NIS) directive.
  • Security Management and Common Management Systems
  • Introduction to Security in the IACS environment
  • Introduction to the relevant Security and Safety Standards
  • Introduction to the IEC 62443 Security Lifecycle
  • Introduction to Risk Assessment specific standards
  • Asset Inventory and it’s relation to Security Risk Assessment
  • Introduction to the Case Study
  • Asset Inventory exercise – Session 1
  • Types of Risk Assessment – Quantitative, Semi Quantitative & Qualitative
  • High-Level Security Risk Assessment
    • How to use previous Process Hazard Analysis (PHA) as an input to High-Level SRA.
    • Determination of the High-Level Threat Scenarios
    • Determination of the High-Level Vulnerabilities
    • Determination of the High-Level Risk
    • Determination of the preliminary Security Level – Target
    • High-Level SRA exercise – Session 2

Day 2

Further develops on the concepts, principles and techniques carried out in day one and the case study work by taking the output from the High-Level SRA and evaluates the risks based on their likelihood and consequence and prioritizes them for examination in the Detailed-Level SRA. The second day also includes an explanation of what outputs would be expected from the High-Level SRA. The principles and activities of the Zoning and Conduit sections of the IEC 62443 will also be explained

The topics covered are:

  • The required outputs from the High-Level SRA
  • Requirements of IEC 62443 with relation to the Zone and Conduit exercise.
  • Trust Boundaries, Entry Points and further benefits of the Zone and Conduit exercise.
  • Allocation of IACS to Zone
  • Network Segmentation
  • System Architecture
  • Allocation of Zones Exercise – Session 3

Day 3

Develops on the case study work carried out in day one and two taking the outputs from the High-Level SRA and the Zone and Conduit exercise and then examining the prioritised risk zones in detail in the Detailed-Level SRA. Also covered is the relation between the Detailed-Level SRA and Attack Trees and how they may be used in both the risk assessment and the effective implementation of the countermeasures/security controls.

The topics covered are:

  • IEC 62443 Detailed-Level SRA requirements
  • Description of Attack Surfaces in the ICS Environment
  • Detailed-Level SRA Process
    • Determination of Threats including Threat Assessment
    • Determination of Vulnerabilities including Vulnerability Assessment
    • Determination of the Detailed Risk and Security Level - Targets through the use of a Security Risk Matrix.
  • The Importance of Security Level - Targets and their relation to Foundational Requirements.
  • How pruning of Attack Trees can be used to demonstrate a Risk-Based approach to risk reduction
  • Detailed-Level SRA exercise – Session 4
  • Risk Management (Acceptance)
  • IEC 62443 Required Documentation for SRA, including the Cybersecurity Requirement Specification (CRS).
  • Risk Management (Monitoring and Review)
  • Concluding remarks
  • Format of exam and preparation and close.

Day 4

A four (4) hour two-part competency examination compromising:

Part 1 = 30 multiple-choice questions (1 mark each question);

Part 2 = Open-Ended exam with 7 questions (10 marks each question).

The pass score criterion is 75%

Who Should Attend?

Functional, Process and Technical Safety Engineers, Control and Instrument Engineers and Managers, Process Engineers, Operations personnel and Managers, Maintenance staff, consultants, advisors and persons involved in Management, Engineering, Operations and safety of process operations. In addition, persons with PH&RA experience and who are currently involved in Process Hazard and Risk Analysis, and will be required to take part in the Security Risk Assessments and Cybersecurity Requirements Specification.

Participant Eligibility Requirements

In accordance with the TÜV Rheinland Functional Safety and Cyber Security Program:

  • A minimum of 3 to 5 years experience in a related field (e.g. Control & Instrumentation, process engineering, IT/OT, functional safety or cyber security).
  • University degree or equivalent engineering experience and responsibilities as certified by employer or engineering institution.


From £1950 GBP (Euro €2100) per participant