COURSE OVERVIEW:

The Auditing Operational Technology (OT), SCADA, and ICS Environments course is a specialized program designed to address the unique challenges of assessing the security and functional integrity of industrial control systems. Unlike traditional IT auditing, OT auditing requires a deep understanding of real-time availability, legacy hardware constraints, and the catastrophic physical consequences of system failure. This course provides a structured framework for evaluating the resilience of Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), and Supervisory Control and Data Acquisition (SCADA) networks against both internal errors and external cyber threats.

The scope of this training encompasses the technical and administrative controls necessary to secure critical infrastructure in sectors such as energy, water, and manufacturing. Participants will explore the nuances of the Purdue Model for industrial network segmentation and learn how to audit cross-domain communication between IT and OT layers. The curriculum provides a detailed roadmap for conducting non-intrusive technical assessments, reviewing firewall configurations, and evaluating the effectiveness of endpoint protection in environments where traditional scanning tools may cause system instability or process trips.

This comprehensive coverage ensures that auditors can identify vulnerabilities without compromising the continuity of industrial operations. The course delves into compliance with international standards such as IEC 62443 and NIST SP 800-82, teaching participants how to document findings, assess risk levels, and recommend practical remediation strategies. By focusing on asset inventory accuracy, patch management protocols, and incident response readiness, the program equips professionals with the expertise to lead complex audits that enhance the overall safety and reliability of the industrial enterprise.

COURSE OBJECTIVES:

After completion of this course, the participants will be able to:

• Define the fundamental differences between IT and OT auditing methodologies and priorities.
• Evaluate the effectiveness of network segmentation according to the Purdue Reference Model.
• Conduct a comprehensive risk assessment of SCADA and Industrial Control Systems (ICS).
• Audit the security of industrial communication protocols such as Modbus, DNP3, and PROFINET.
• Verify the accuracy of OT asset inventories and hardware configuration baselines.
• Assess the physical security and environmental controls protecting critical control rooms and racks.
• Review and validate logical access controls and password management for industrial workstations.
• Audit the lifecycle of patch management and firmware updates in sensitive OT environments.
• Evaluate the resilience of backup and disaster recovery plans for real-time control systems.
• Inspect the integration points and security gateways between corporate and industrial networks.
• Analyze incident response plans specifically tailored for industrial process disruptions.
• Document audit findings in accordance with IEC 62443 and other global regulatory standards.

TARGET AUDIENCE:

This course is intended for Internal and External Auditors, IT Security Professionals, OT Security Specialists, Compliance Officers, and Control System Engineers who are responsible for the oversight and security of industrial infrastructure.

TRAINING COURSE METHODOLOGY:

A highly interactive combination of lectures, discussion sessions, and case studies will be employed to maximize the transfer of information, knowledge, and experience. The course will be intensive, practical, and highly interactive. The sessions will start by raising the most relevant questions and motivating everybody to find the right answers. The attendants will also be encouraged to raise more of their questions and to share in developing the right answers using their analysis and experience. There will also be some indoor experiential activities to enhance the learning experience. Course material will be provided in PowerPoint, with necessary animations, learning videos, and general discussions.

The course participants shall be evaluated before, during, and at the end of the course.

COURSE CERTIFICATE:

National Consultant Centre for Training LLC (NCC) will issue an Attendance Certificate to all participants completing a minimum of 80% of the total attendance time requirement.