ENCS architecture training

Information

The ENCS security architecture training teaches you how to select technical security measures for Operational Technology (OT) systems. You learn how to assess the security risks to OT systems, and how to choose measures to mitigate them.

Furthermore, our security architecture training teaches you a reusable approach to designing security architectures for OT systems. Our approach is based on the ISO 27005 and IEC 62443 standards, and was developed in the member projects on distribution automation, electric vehicles charging, and substation automation. ENCS has used this approach with individual members to design new systems, or redesign existing systems.

Who should attend the security architecture training?

The training is useful to anyone who is responsible for choosing technical security measures for OT systems. This includes:

  • IT, network, and solution architects doing work on OT systems
  • System and network administrators designing OT systems
  • Security officers with a technical focus on OT

What will I learn in the training?

The training will teach you to select technical security measures for OT systems based on security risks. To do this, you will learn:

  • how to divide an OT system into security zones
  • how to assess the security risks of a design or existing system
  • how to select the security measures that
    • sufficiently reduce the security risks
    • are feasible to implement on OT systems
  • how to evaluate the effectiveness of the implementation of the measures

 

What is the training program?

In the training, you will work through practical cases. The cases cover the systems typically seen at grid operators and in each case, participants go through four steps:

  1. Zoning
  2. Risk assessment
  3. Selecting security measures
  4. Evaluating the implementation

The course consists of four cases:

1) Distribution automation RTUs, in which you learn:

  • How to define users and interfaces for a zone
  • How to assess the security risks for a zone
  • How to find measures that mitigate a threat
  • How to create a security test assignment for acceptance testing

2) The Wide-Area Network, in which you learn:

  • How to define conduits
  • How to create BowTie diagrams
  • How to assess the effectiveness of security measures using security levels
  • How to select security measures for the following IEC 62443 foundational requirements:
    • FR 3: System integrity
    • FR 4: Data confidentiality
  • How to evaluate the effectiveness of the implementation of cryptographic security measures

3) High-Voltage Substations, in which you learn:

  • How to identify which components in a zone implement security functionality
  • How to estimate the likelihood of threats given the security measures
  • How to assess the security risks for substation automation and protection systems
  • How to select security measures for the following IEC 62443 foundational requirements:
    • FR 1: Identification and authentication control
    • FR 2: Use control
  • How to choose between different authentication options (password or keys, centralised or not)
  • How to select security measures that are feasible for legacy and modern hosts
  • How to assess the feasibility of authentication for GOOSE

4) Central Systems, in which you learn:

  • How to divide a larger OT system into security zones
  • How to apply design patterns typical for the IT/OT interface, such as:
    • Demilitarised zones (DMZ) for data exchange
    • Jump servers for remote maintenance
  • How to select security measures for the following IEC 62443 foundational requirements:
    • FR 5: Restricted data flow
    • FR 7: Resource availability
  • How to evaluate the effectiveness of the implementation on operational server systems

Training location & dates

TBA

Training duration

The training takes two days.

Day 1: 10:00 – 17:00

Day 2: 09:00 – 15:00

On the evening of day 1, you can network during our ENCS dinner.

Knowledge before training

Before starting this training, you are expected to have a basic knowledge of OT systems, such as SCADA systems, and the security risks to such systems.

Costs of training

For ENCS members, the costs are 1,500 euros per participant. For non-members, the costs are 2,000 euros per participant.  The dinner on day 1 is included in the training price.