Cyber Security Fundamentals & Security Risk Assessment (TÜV Rheinland) certification course


Embark on a journey to become a Cyber Security expert through the prestigious TÜV Rheinland Cyber Security Training Program. This program is your gateway to demonstrating your expertise in Industrial Automation Control and Safety System (IACS) Security.

Highlights of the Training:

  • Week-long Comprehensive Training: Covering both the Fundamental Cybersecurity and the Security Risk Assessment.
  • Day 1: A recap of Cybersecurity Fundamentals, building on your existing knowledge.
  • Days 2-4: In-depth Security Risk Assessment training.
  • Day 5: Examinations for both Fundamental Cybersecurity and Security Risk Assessment, featuring a mix of multiple-choice and open SRA questions.


The TÜV Rheinland Cyber Security Training Program is a unique opportunity to provide evidence of competency in Cyber Security from an internationally recognized organisation. The CySec Specialist (TÜV Rheinland) certificate program demonstrates competency with respect to assessing and specifying Industrial Automation Control and Safety System (IACS) Security and provides a skill set enabling staff to fulfill responsibilities and to perform activities to recognised standards of competence, in order to:

  • Reduce the risk of a successful cyber attack
  • Satisfy legal and regulatory requirements
  • Meet the organisation’s system security and business objectives


This course combines two separate 3.5-day courses, ‘Cyber Security Fundamentals (TÜV Rheinland) course’ and ‘Cyber Security Risk Assessment (TÜV Rheinland) certification course’, into a single one-week (4.5-day) course. It relies on self-study and/or existing know-how of the fundamentals requirements. We will provide all participants with reference material to prepare for the minimum Fundamental Cyber Security principles.

Curriculum Highlights:

  • Mastering IEC 62443 Standard Principles.
  • Understanding Global Cybersecurity Standards Application.
  • Defining Tolerable Risk Criteria.
  • Applying Risk Assessment Techniques.
  • Exploring Popular Security Risk Determination Methodologies.
  • Bridging the Gap Between SRA and Cybersecurity Requirements.


Course Objectives:

This course aims to equip participants with a foundational comprehension of IACS Cybersecurity Risk Assessment principles specific to the process industries in accordance with IEC 62443. By the end of the course, participants will be able to:

  1. Understand the Role and Process of Security Risk Assessment (SRA): Gain insight into how SRA plays a pivotal role in comprehending security risks within a facility and the potential consequences associated with them.
  2. Grasp the Concept of Security Level Targets (SL-T) and Cyber Security Requirements Specification (CSRS): Explore the concept of SL-T and its connection to CSRS, delving into how these elements contribute to the design and implementation of effective security countermeasures.
  3. Establish the Relationship Between SL-T and CSRS: Develop an understanding of how SL-T aligns with CSRS to ensure that security countermeasures are capable of meeting the security requirements stipulated for the determined security level.
  4. Achieve the Prestigious CySec Specialist Certification: Successful participants, who possess the necessary experience and pass both the Cybersecurity Fundamentals and Security Risk Assessment exams, will qualify for the prestigious CySec Specialist (TÜV Rheinland) certificate in Security Risk Assessment.
  5. Engage in Practical Learning: The course centers around a practical case study, progressively developed over three days. Participants will be guided through the entire SRA process, mirroring the methodology outlined in IEC 62443-3-2.


By the end of this course, you will have the knowledge and skills required to assess and address cybersecurity risks effectively in the context of industrial automation and control systems, enhancing your professional capabilities and career prospects.


Day 1 Agenda 

Provides a concise overview of Cybersecurity Fundamentals, covering:

  • Network Basics: Introduction to core concepts in computer networks.
  • Network Security Basics: Essential principles for securing computer networks.
  • Cryptography Basics: Exploration of fundamental cryptography principles crucial for cybersecurity.
  • Cybersecurity Countermeasures: Strategies and tactics for defending against cyber threats.
  • Industrial Protocols: Insights into protocols used in industrial settings, vital for industrial cybersecurity.
  • Creating a CSMS (Cyber Security Management System) Program: Focus on developing a comprehensive Cyber Security Management System program, with a specific emphasis on compliance with IEC 62443-2-1:2010 standards.


Day 2 Agenda 

Provides an introduction to the background, concepts and principles to be applied to the Security Risk Assessment, competency, compliance, security management and the relevant international standards. The Security Risk Assessment using a risk matrix will be discussed, as well as the introduction to the case study.

The topics covered are:

  • Introduction to TÜV Rheinland Cyber Security (CySec) Program
  • Requirements for Cyber Security in the IACS environment, including IEC 61511 and the Network and Information Systems (NIS) directive. 
  • Security Management and Common Management Systems
  • Introduction to Security in the IACS environment
  • Introduction to the relevant Security and Safety Standards
  • Introduction to the IEC 62443 Security Lifecycle
  • Introduction to Risk Assessment specific standards


Day 2 Agenda (continued…)

  • Asset Inventory and its relation to Security Risk Assessment
  • Introduction to the Case Study
  • Asset Inventory exercise – Session 1
  • Types of Risk Assessment – Quantitative, Semi Quantitative & Qualitative
  • High-Level Security Risk Assessment
  • How to use previous Process Hazard Analysis (PHA) as an input to High-Level SRA.
  • Determination of the High-Level Threat Scenarios
  • Determination of the High-Level Vulnerabilities
  • Determination of the High-Level Risk
  • Determination of the preliminary Security Level – Target
  • High-Level SRA exercise – Session 2


Day 3 Agenda

Further develops the concepts, principles and techniques carried out in day one and the case study work by taking the output from the High-Level SRA, evaluating the risks based on their likelihood and consequence, and prioritising them for examination in the Detailed-Level SRA. The second day also includes an explanation of what outputs would be expected from the High-Level SRA. The principles and activities of the Zoning and Conduit sections of IEC 62443 will also be explained.

The topics covered are:

  • The required outputs from the High-Level SRA
  • Requirements of IEC 62443 with relation to the Zone and Conduit exercise.
  • Trust Boundaries, Entry Points and further benefits of the Zone and Conduit exercise.
  • Allocation of IACS to Zone
  • Network Segmentation
  • System Architecture
  • Allocation of Zones Exercise – Session 3


Day 4 Agenda

Builds on the case study work carried out on days two and three, taking the outputs from the High-Level SRA and the Zone and Conduit exercise and then examining the prioritised risk zones in detail in the Detailed-Level SRA. Also covered is the relation between the Detailed-Level SRA and Attack Trees and how they may be used in both the risk assessment and the effective implementation of the countermeasures/security controls.

The topics covered are:

  • IEC 62443 Detailed-Level SRA requirements
  • Description of Attack Surfaces in the ICS Environment
  • Detailed-Level SRA Process
  • Determination of Threats including Threat Assessment
  • Determination of Vulnerabilities including Vulnerability Assessment
  • Determination of the Detailed Risk and Security Level – Targets through the use of a Security Risk Matrix.
  • The Importance of Security Level – Targets and their relation to Foundational Requirements.
  • How pruning of Attack Trees can be used to demonstrate a Risk-Based approach to risk reduction
  • Detailed-Level SRA exercise – Session 4
  • Risk Management (Acceptance)
  • IEC 62443 Required Documentation for SRA, including the Cybersecurity Requirement Specification (CRS).
  • Risk Management (Monitoring and Review)
  • Concluding remarks
  • Format of exam and preparation and close


Day 5 Agenda

There are 2 examinations as follows:

  • Fundamentals Cybersecurity

A 90-minute competency examination comprising 75 multiple-choice questions (1 mark each question, no negative marks). The pass score criterion is 75%.

  • Security Risk Assessments:

A three (3) hour competency examination comprising 30 multiple-choice questions (1 mark per question) and 10 open questions (4 marks per question). The pass score criterion is 75% on each paper.

Who Should Attend?

This training is essential for Functional, Process, and Technical Safety Engineers, Control and Instrument Engineers, Process Engineers, Operations Managers, Maintenance Staff, Consultants, and Advisors involved in process operations, safety, and risk analysis.

Participant Eligibility:

Participants should meet the following criteria according to TÜV Rheinland Functional Safety and Cyber Security Training Program:

  • Minimum 3-5 years of related experience (e.g., Control & Instrumentation, process engineering, IT/OT, functional safety, or cybersecurity).
  • University degree or equivalent engineering experience, certified by employer or engineering institution.

Course Provider: 

TVC Functional Safety Services FZ-LLC


For more information contact us via info@tinovc.com

Additional information


F07 – 13 May 2024, F09 – 3 June 2024, F12 – 23 September 2024