ICS CVA can be performed offsite, onsite or a combination of both. An onsite assessment is more thorough and is preferred for existing (i.e. brownfield) systems as there are almost always documentation gaps in operational systems. aeSolutions understands the critical and sensitive nature of ICS applications and uses only non-intrusive, passive forms of data collection when performing an ICS CVA on an operational systems.
For new systems or major retrofits, the ICS CVA is performed at various stages of the project (e.g. design, implementation and commissioning). For these projects, more aggressive techniques can be used to test the system before it is fully commissioned and operational. See ICS Cybersecurity Acceptance Testing for more information.