ISA Certifications: ISA-IEC-62443 Questions & Answers
Question 21:
Which statement is TRUE regarding application of patches in an IACS environment?
Available Choices (select all choices that are correct)
A. Patches should be applied as soon as they are available.
B. Patches should be applied within one month of availability.
C. Patches never should be applied in an IACS environment.
D. Patches should be applied based on the organization's risk assessment.
Correct Answer: D
Patches are software updates that fix bugs, vulnerabilities, or improve performance or functionality. Patches are important for maintaining the security and reliability of an IACS environment, but they also pose some challenges and risks. Applying patches in an IACS environment is not as simple as in an IT environment, because patches may affect the availability, integrity, or safety of the IACS. Therefore, patches should not be applied blindly or automatically, but based on the organization's risk assessment. The risk assessment should consider the following factors:
- The severity and likelihood of the vulnerability that the patch addresses
- The impact of the patch on the IACS functionality and performance
- The compatibility of the patch with the IACS components and configuration
- The availability of a backup or recovery plan in case the patch fails or causes problems
- The testing and validation of the patch before applying it to the production system
- The communication and coordination with the stakeholders involved in the patching process
- The documentation and auditing of the patching activities and results
References: ISA TR62443-2-3 - Security for industrial automation and control systems, Part 2-3: Patch management in the IACS environment
Question 22:
What are the connections between security zones called?
Available Choices (select all choices that are correct)
A. Firewalls
B. Tunnels
C. Pathways
D. Conduits
Correct Answer: D
According to the ISA/IEC 62443 standard, the connections between security zones are called conduits. A conduit is defined as a logical or physical grouping of communication channels connecting two or more zones that share common security requirements. A conduit can be used to control and monitor the data flow between zones, and to apply security measures such as encryption, authentication, filtering, or logging. A conduit can also be used to isolate zones from each other in case of a security breach or incident. A conduit can be implemented using various technologies, such as firewalls, routers, switches, cables, or wireless links. However, these technologies are not synonymous with conduits, as they are only components of a conduit. A firewall, for example, can be used to create multiple conduits between different zones, or to protect a single zone from external threats. Therefore, the other options (firewalls, tunnels, and pathways) are not correct names for the connections between security zones. References: ISA/IEC 62443-3-2:2016 - Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design; ISA/IEC 62443-3-3:2013 - Security for industrial automation and control systems - Part 3-3: System security requirements and security levels; Zones and Conduits | Tofino Industrial Security Solution; Key Concepts of ISA/IEC 62443: Zones and Security Levels | Dragos
Question 23:
What does Layer 1 of the ISO/OSI protocol stack provide?
Available Choices (select all choices that are correct)
A. Data encryption, routing, and end-to-end connectivity
B. Framing, converting electrical signals to data, and error checking
C. The electrical and physical specifications of the data connection
D. User applications specific to network applications such as reading data registers in a PLC
Correct Answer: C
Layer 1 of the ISO/OSI protocol stack is the physical layer, which provides the means of transmitting and receiving raw data bits over a physical medium. It defines the electrical and physical specifications of the data connection, such as the voltage levels, signal timing, cable types, connectors, and pin assignments. It does not perform any data encryption, routing, end-to-end connectivity, framing, error checking, or user applications. These functions are performed by higher layers of the protocol stack, such as the data link layer, the network layer, the transport layer, and the application layer. References: ISO/IEC 7498-1:1994, Section 6.11; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 3.1.12
Question 24:
The Risk Analysis category contains background information that is used where?
Available Choices (select all choices that are correct)
A. Many other elements in the CSMS
B. Elements external to the CSMS
C. Only the Assessment element
D. Only the Risk ID element
Correct Answer: A
The Risk Analysis category contains background information that is used to identify and assess the risks associated with the cyber-physical system (CPS) under consideration. This information includes the system description, the threat model, the vulnerability analysis, the risk assessment method, and the risk acceptance criteria. The Risk Analysis category is used as an input for many other elements in the CSMS, such as the Risk ID, Risk Reduction, Risk Acceptance, and Risk Monitoring elements. The Risk Analysis category provides the basis for the risk management process and helps to ensure a consistent and systematic approach to cybersecurity in the CPS. References: Using the ISA/IEC 62443 Standards to Secure Your Control System, page 13; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, page 34
Question 25:
What do packet filter firewalls examine?
Available Choices (select all choices that are correct)
A. The packet structure and sequence
B. The relationships between packets in a session
C. Every incoming packet up to the application layer
D. Only the source, destination, and ports in the header of each packet
Correct Answer: B
Detection-in-depth is a security principle that aims to provide multiple layers of detection mechanisms to identify and respond to potential cyberattacks. Detection-in-depth is based on the assumption that no single security measure can prevent all attacks, and that attackers will eventually find a way to bypass or compromise some defenses. Therefore, it is important to have multiple detection points throughout the system, especially in the most critical and vulnerable areas, to increase the chances of detecting an attack before it causes significant damage or disruption. Detection-in-depth is complementary to defense-in-depth, which focuses on preventing or mitigating attacks by applying multiple layers of protection mechanisms. According to the ISA/IEC 62443 standards, one of the recommended techniques for implementing detection-in-depth is to use intrusion detection systems (IDS) to monitor network traffic and system activities for signs of malicious or anomalous behavior. IDS can be classified into two types: network-based IDS (NIDS) and host-based IDS (HIDS). NIDS are deployed at strategic points in the network, such as the boundaries between zones or conduits, to analyze the packets and protocols that flow through the network. HIDS are installed on individual hosts, such as servers or workstations, to monitor the processes, files, and logs that occur on the system. Both types of IDS can generate alerts or notifications when they detect suspicious or unauthorized events, such as unauthorized access, malware infection, denial-of-service attack, or data exfiltration. The ISA/IEC 62443 standards also recommend the use of zones and conduits to segment the industrial automation and control system (IACS) into logical groups of assets that share similar security requirements and risk levels.
Zones are defined as groups of assets that have the same security level (SL), which is a measure of the required security performance of the zone based on the impact of a successful attack. Conduits are defined as communication paths between zones that have different SLs, which require security controls to ensure the integrity, confidentiality, and availability of the data that flows through them. By using zones and conduits, asset owners can apply the principle of least privilege, which means that only the minimum necessary access and communication are allowed between zones and conduits, and that any unnecessary or unwanted access and communication are blocked or restricted. Therefore, the best example of detection-in-depth best practices is to deploy IDS sensors within multiple zones in the production environment, as this would provide multiple detection points for different segments of the IACS, and increase the visibility and awareness of the network and system activities. This would also help to identify any potential attacks that may have bypassed the perimeter defenses, such as firewalls or VPNs, or that may have originated from within the IACS, such as insider threats or compromised devices. By deploying IDS sensors within multiple zones, asset owners can also monitor the compliance of the communication protocols and data patterns with the expected or authorized behavior, and detect any deviations or anomalies that may indicate an attack. The other options are not as good examples of detection-in-depth best practices, as they either focus on prevention or mitigation rather than detection, or they do not provide multiple layers of detection mechanisms. For example, firewalls and VPNs are security controls that aim to prevent or mitigate unauthorized or malicious access or communication, but they do not provide detection capabilities.
Role-based access control (RBAC) is a security control that aims to prevent or mitigate unauthorized or inappropriate actions by users or devices, but it does not provide detection capabilities. Unexpected protocols and unusual data transfer patterns are possible indicators of an attack, but they require detection mechanisms, such as IDS, to identify and alert on them. Therefore, these options are not as good examples of detection-in-depth best practices as option B. References: ISA/IEC 62443-1-1: Concepts and models; ISA/IEC 62443-3-2: Security risk assessment and system design; ISA/IEC 62443-4-2: Technical security requirements for IACS components; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide; ISA/IEC 62443 Cybersecurity Library; Using the ISA/IEC 62443 Standard to Secure Your Control System
Question 26:
Which type of cryptographic algorithms requires more than one key?
Available Choices (select all choices that are correct)
A. Block ciphers
B. Stream ciphers
C. Symmetric (private) key
D. Asymmetric (public) key
Correct Answer: D
Asymmetric (public) key algorithms are a type of cryptographic algorithms that require more than one key. Asymmetric key algorithms use a pair of keys, one for encryption and one for decryption, that are mathematically related but not identical. The encryption key is usually made public, while the decryption key is kept private. This allows anyone to encrypt a message using the public key, but only the intended recipient can decrypt it using the private key. Asymmetric key algorithms are also known as public key algorithms or public key cryptography. Asymmetric key algorithms are used for various purposes, such as digital signatures, key exchange, and encryption. Some examples of asymmetric key algorithms are RSA, Diffie-Hellman, ElGamal, and Elliptic Curve Cryptography.
References: Asymmetric Algorithm or Public Key Cryptography - IBM; Cryptography 101: Key Principles, Major Types, Use Cases and Algorithms | Splunk.
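The two-key property described above, shown in working code. This is an added example, not part of the question bank or of any ISA publication: a textbook RSA key pair built from constructed, deliberately tiny primes (61 and 53) so that the arithmetic is visible. It shows that the public key encrypts and verifies signatures, while only the related but different private key decrypts and signs, and that applying the public key to a ciphertext does not recover the message.

```python
# Added example (not from the page): a textbook-RSA key pair with tiny,
# constructed primes, to show why an asymmetric algorithm needs two
# distinct keys: one published for encryption (or signature verification),
# the other kept private for decryption (or signing). The parameters are
# far too small for real use; they only illustrate the mechanism.

from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Modular inverse of a modulo m (exists only when gcd(a, m) == 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p, q, e=17):
    """Build an RSA key pair from primes p, q and public exponent e.

    Returns ((e, n), (d, n)): the public key and the private key. d is the
    inverse of e modulo phi(n), so (m**e)**d == m (mod n) for messages m < n.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(public_key, m):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Signing uses the private exponent; anyone holding the public key can verify."""
    d, n = private_key
    return pow(m, d, n)


def verify(public_key, m, sig):
    e, n = public_key
    return pow(sig, e, n) == m


def demo():
    # Constructed tiny primes; a real key uses primes of 1024 bits or more.
    public_key, private_key = keygen(p=61, q=53)      # n = 3233, phi = 3120
    m = 65                                            # plaintext as a small integer
    c = encrypt(public_key, m)
    recovered = decrypt(private_key, c)
    wrong = pow(c, public_key[0], public_key[1])      # "decrypting" with the public key
    sig = sign(private_key, m)
    return {
        "public": public_key,
        "private": private_key,
        "ciphertext": c,
        "recovered": recovered,
        "public_key_cannot_decrypt": wrong != m,
        "signature_ok": verify(public_key, m, sig),
        "tampered_rejected": not verify(public_key, m + 1, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With these parameters the private exponent works out to 2753 and the ciphertext of 65 is 2790; the point of the demo is that the same exponent cannot both encrypt and decrypt, which is exactly why the algorithm class needs more than one key.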
Question 27:
Which policies and procedures publication is titled Patch Management in the IACS Environment?
Available Choices (select all choices that are correct)
A. ISA-TR62443-2-3
B. ISA-TR62443-1-4
C. ISA-62443-3-3
D. ISA-62443-4-2
Correct Answer: A
ISA-TR62443-2-3 is the technical report that describes the requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. Patch management is the process of applying software updates to fix vulnerabilities, bugs, or performance issues in the IACS components. Patch management is an essential part of maintaining the security and reliability of the IACS environment. The technical report provides guidance on how to establish a patch management policy, how to assess the impact and risk of patches, how to test and deploy patches, and how to monitor and audit the patch management process.
Question 28:
How many security levels are in the ISASecure certification program?
Available Choices (select all choices that are correct)
A. 2
B. 3
C. 4
D. 5
Correct Answer: C
The ISASecure certification program is based on the ISA/IEC 62443 standards, which define four security levels (SL) for industrial automation and control systems (IACS). The security levels range from SL 1 to SL 4, with SL 1 being the lowest and SL 4 being the highest. Each security level represents a set of security requirements and countermeasures that can protect an IACS from a certain level of threat. The ISASecure certification program offers three types of product certifications: Component Security Assurance (CSA), IIoT Component Security Assurance (ICSA), and System Security Assurance (SSA). Each product certification has four security assurance levels (SAL) that correspond to the security levels defined in the ISA/IEC 62443 standards. The ISASecure certification program also offers two types of process certifications: Security Development Lifecycle Assurance (SDLA) and IACS Security Assurance (IACSSA). Each process certification has four certification levels that correspond to the security levels defined in the ISA/IEC 62443 standards. Therefore, the ISASecure certification program has four security levels for both product and process certifications. References: ISASecure - IEC 62443 Conformance Certification - Official Site; Certifications - ISASecure; ISA Security Compliance Institute
Question 29:
What are the two sublayers of Layer 2?
Available Choices (select all choices that are correct)
A. HIDS and NIDS
B. LLC and MAC
C. OPC and DCOM
D. VLAN and VPN
Correct Answer: B
Layer 2 of the OSI model is the data link layer, which is responsible for transferring data frames between nodes on a network segment. The data link layer is divided into two sublayers: logical link control (LLC) and media access control (MAC). The LLC sublayer deals with issues common to both dedicated and broadcast links, such as framing, flow control, and error control. The MAC sublayer deals with issues specific to broadcast links, such as how to access the shared medium and avoid collisions. The LLC and MAC sublayers are not related to the ISA/IEC 62443 cybersecurity standards, which focus on the security of industrial automation and control systems (IACS). References: https://www.baeldung.com/cs/data-link-sub-layers
Question 30:
At Layer 4 of the Open Systems Interconnection (OSI) model, what identifies the application that will handle a packet inside a host?
Available Choices (select all choices that are correct)
A. A TCP/UDP application ID
B. A TCP/UDP host ID
C. A TCP/UDP port number
D. A TCP/UDP registry number
Correct Answer: C
At layer 4 of the OSI model, also known as the transport layer, the application that will handle a packet inside a host is identified by a TCP/UDP port number. A port number is a 16-bit integer that is assigned to a specific application or service that runs on a host. Port numbers are used to multiplex and demultiplex the data streams that are exchanged between hosts and end systems. Multiplexing is the process of combining multiple data streams into one, while demultiplexing is the process of separating one data stream into multiple ones. Port numbers are part of the header of the transport layer protocol data unit (PDU), which is called a segment for TCP and a datagram for UDP. The header contains the source port number and the destination port number, which indicate the applications that are involved in the communication. For example, if a host sends a packet to another host using the HTTP protocol, which runs on port 80 by default, the source port number would be a random number chosen by the sender, and the destination port number would be 80. The receiver would then use the destination port number to demultiplex the packet and deliver it to the HTTP application. Port numbers are divided into three ranges: well-known ports (0-1023), registered ports (1024-49151), and dynamic or private ports (49152-65535). Well-known ports are reserved for common and standardized applications and services, such as HTTP (80), FTP (21), and SSH (22). Registered ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific applications and services that request them, such as Skype (49175) and Minecraft (25565). Dynamic or private ports are not assigned by any authority and can be used by any application or service that needs them, such as ephemeral ports that are used for temporary connections. The other options are not valid identifiers for the application that will handle a packet inside a host at layer 4 of the OSI model.
A TCP/UDP application ID is not a term that is used in the OSI model or the TCP/IP model. A TCP/UDP host ID is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 3, which is the network layer, where the host is identified by an IP address. A TCP/UDP registry number is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 5, which is the session layer, where the registry number is used to identify a session between two hosts. References: Transport Layer | Layer 4 | The OSI-Model; OSI model - Wikipedia; What is Layer 4 of the OSI Model? | Glossary | A10 Networks; What Are the 7 Layers of the OSI Model? | Webopedia
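The demultiplexing step described in this answer, as an added example that is not part of the question bank: it parses the source and destination port fields from a constructed TCP or UDP header, classifies each port into the well-known, registered, or dynamic range given above, and looks the destination port up in a constructed handler table standing in for a host's socket table. The port-to-service mapping and the `build_*_header` helpers are assumptions made for the demo, not anything the page specifies.

```python
# Added example, not from the page: Layer-4 demultiplexing by port number.
# Parses the fixed part of a TCP (protocol 6) or UDP (protocol 17) header
# from constructed bytes, classifies the ports into the IANA ranges the
# text lists, and dispatches on the destination port the way a host
# delivers a segment to the application listening on it.

import struct

WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151

# Constructed handler table; a real host consults its socket table instead.
HANDLERS = {
    22: "ssh",
    80: "http",
    502: "modbus",   # hypothetical IACS listener, included to show dispatch
}


def port_range(port):
    """Classify a 16-bit port into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def parse_l4_ports(protocol, payload):
    """Return (src_port, dst_port) from a TCP or UDP header.

    Both headers carry source and destination port as the first two
    big-endian 16-bit fields; only the minimum header length differs.
    """
    min_len = {6: 20, 17: 8}.get(protocol)
    if min_len is None:
        raise ValueError(f"not a TCP/UDP protocol number: {protocol}")
    if len(payload) < min_len:
        raise ValueError("truncated transport header")
    src, dst = struct.unpack("!HH", payload[:4])
    return src, dst


def demultiplex(protocol, payload):
    """Decide which registered application (if any) receives this PDU."""
    src, dst = parse_l4_ports(protocol, payload)
    return {
        "src_port": src,
        "src_range": port_range(src),
        "dst_port": dst,
        "dst_range": port_range(dst),
        "handler": HANDLERS.get(dst),   # None: nothing is listening on dst
    }


def build_tcp_header(src, dst, seq=0, ack=0, flags=0x02):
    """Construct a minimal 20-byte TCP header (no options, checksum left 0)."""
    data_offset = 5 << 4                 # 5 x 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def build_udp_header(src, dst, length=8):
    """Construct an 8-byte UDP header (checksum left 0)."""
    return struct.pack("!HHHH", src, dst, length, 0)


def demo():
    # Constructed samples: a client on an ephemeral port opening HTTP (SYN),
    # and a UDP datagram to a registered-range port with no listener.
    tcp = build_tcp_header(src=51234, dst=80)
    udp = build_udp_header(src=1024, dst=9999)
    return demultiplex(6, tcp), demultiplex(17, udp)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The TCP sample lands on the `http` handler because its destination port is 80, while its ephemeral source port falls in the dynamic range; the UDP sample shows the case a host handles with an ICMP port-unreachable or a TCP reset in practice, namely a destination port with no listener.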