ISA-IEC-62443 Questions & Answers (ISA Certifications)
Question 41:
What is a commonly used protocol for managing secure data transmission over a Virtual Private Network (VPN)?
Available Choices (select all choices that are correct)
A. HTTPS
B. IPSec
C. MPLS
D. SSH
Correct Answer: B
IPsec (Internet Protocol Security) is the protocol suite most commonly used to secure data transmission over a VPN. It is a set of IETF standards for authenticating and encrypting IP packets exchanged between two or more devices over an IP network. Because it works at the network layer, every application protocol above it is protected without any change to the applications. IPsec operates in two modes. In transport mode only the payload of the IP packet is protected and the original IP header stays in the clear; it is normally used between two hosts. In tunnel mode the entire original IP packet is encrypted and encapsulated in a new IP header that carries the addresses of the IPsec gateways; this is the mode used for site-to-site and remote-access VPNs, because it hides the original source and destination addresses, and so the internal topology, from anyone on the path. IPsec delivers its security services through two protocols: Authentication Header (AH), which provides integrity and source authentication but no confidentiality, and Encapsulating Security Payload (ESP), which provides confidentiality and, when configured with an integrity algorithm (as it always should be), integrity and source authentication as well. In practice nearly all VPNs use ESP. The keys and parameters for a connection are held in security associations (SAs). Internet Key Exchange (IKE) negotiates the SAs and the cryptographic keys between the peers; IKEv1 was built on the Internet Security Association and Key Management Protocol (ISAKMP), which defines the format of the negotiation messages, while IKEv2 (RFC 7296) replaces both and is what current deployments should use. The other options are not VPN protocols in this sense: HTTPS and SSH protect individual application sessions (TLS-based VPNs exist, but HTTPS itself is not one), and MPLS separates traffic inside a carrier network without encrypting it. References: ISA/IEC 62443-3-3:2018, Section 4.2.3.7.1, VPN; ISA/IEC 62443-4-2:2019, Section 4.2.3.7.1, VPN; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 5.3.2, VPN; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Specification, Section 5.3.2, VPN
Question 42:
Which activity is part of establishing policy, organization, and awareness?
Available Choices (select all choices that are correct)
A. Communicate policies.
B. Establish the risk tolerance.
C. Identify detailed vulnerabilities.
D. Implement countermeasures.
Correct Answer: A
In the ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, establishing policy, organization, and awareness is one of the steps of the IACS cybersecurity lifecycle (it is also an element group of the "Addressing risk with the CSMS" category in ISA/IEC 62443-2-1). The step covers defining the cybersecurity policies, the organization (roles and responsibilities) and the awareness and training program, and communicating the policies to the affected personnel, so communicating policies is the correct answer. Establishing the risk tolerance is an input to this step rather than part of it: it belongs to the risk analysis activities (business rationale and risk assessment) that precede policy development. Identifying detailed vulnerabilities is part of the detailed risk assessment, and implementing countermeasures belongs to the implementation step of the cybersecurity program. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, Module 2: IACS Cybersecurity Lifecycle
Question 43:
What are the four main categories for documents in the ISA-62443 (IEC 62443) series?
Available Choices (select all choices that are correct)
A. General, Policies and Procedures, System, and Component
B. End-User, Integrator, Vendor, and Regulator
C. Assessment, Mitigation, Documentation, and Maintenance
D. People, Processes, Technology, and Training
Correct Answer: A
The ISA/IEC 62443 series of standards is organized into four main categories of documents, based on the topics and perspectives they cover: General, Policies and Procedures, System, and Component. General: topics common to the entire series, such as terms, concepts, models, and an overview of the standards. For example, ISA/IEC 62443-1-1 defines the terminology, concepts, and models for industrial automation and control systems (IACS) security. Policies and Procedures: methods and processes associated with IACS security, such as risk assessment, system design, security management, and security program development. For example, ISA/IEC 62443-2-1 specifies the elements of an IACS security management system, which defines the policies, procedures, and practices used to manage the security of an IACS. System: requirements at the system level, such as security levels, security zones and conduits, the security lifecycle, and technical security requirements. For example, ISA/IEC 62443-3-3 specifies the system security requirements and security levels for zones and conduits in an IACS. Component: detailed requirements for IACS products, such as embedded devices, network devices, software applications, and host devices. For example, ISA/IEC 62443-4-2 specifies the technical security requirements for IACS components, covering identification and authentication, use control, data integrity, and auditability among others. The other options are not categories of documents in the ISA/IEC 62443 series, because they either do not reflect the structure and scope of the standards or mix aspects of IACS security that are covered by different categories. End-user, integrator, vendor, and regulator are roles or stakeholders involved in IACS security, not document categories.
Assessment, mitigation, documentation, and maintenance are activities or phases of the IACS security lifecycle, not document categories. People, processes, technology, and training are elements or dimensions of IACS security, not document categories. References: ISA/IEC 62443 Series of Standards (ISA); IEC 62443 (Wikipedia); ISA/IEC 62443-1-1: Concepts and models; ISA/IEC 62443-2-1: Security management system; ISA/IEC 62443-3-3: System security requirements and security levels; ISA/IEC 62443-4-2: Technical security requirements for IACS components
Question 44:
Which communications system covers a large geographic area?
Available Choices (select all choices that are correct)
A. Campus Area Network (CAN)
B. Local Area Network (LAN)
C. Storage Area Network
D. Wide Area Network (WAN)
Correct Answer: D
A Wide Area Network (WAN) is a communications system that covers a large geographic area, such as a city, a country, or even several countries or continents. WANs are used to connect local area networks (LANs) and other networks together, so that users and computers in one location can communicate with users and computers elsewhere. They run over communication infrastructures such as leased telecommunication circuits, public telephone lines, undersea cables, and communication satellites, using circuit-switching or, more commonly today, packet-switching methods. WANs are often built by Internet service providers, who connect an organization's LAN to the Internet; the Internet itself can be regarded as a WAN. The other options cover smaller areas: a LAN serves a single site or building, a Campus Area Network (CAN) links the LANs of a campus, and a Storage Area Network connects servers to storage devices within a data center. References: BBC Bitesize, Hardware and network technologies (CCEA): LAN and WAN; Wikipedia, Wide area network.
Question 45:
Why is OPC Classic considered firewall unfriendly?
Available Choices (select all choices that are correct)
A. OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535.
B. OPC Classic is allowed to use only port 80.
C. OPC Classic works with control devices from different manufacturers.
D. OPC Classic is an obsolete communication standard.
Correct Answer: A
OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535. OPC Classic is a software interface technology for exchanging data between industrial control systems and applications from different manufacturers, and it is built on Microsoft's Distributed Component Object Model (DCOM), which lets applications communicate across a network. DCOM was not designed with network security in mind and is hard to firewall: a client first contacts the RPC endpoint mapper on TCP port 135, and the server then assigns a new, dynamically chosen port in the range 1024 to 65535 for the actual OPC session (with a further callback connection from server to client for asynchronous data). Because the session ports are not fixed, an intermediate firewall can only pass OPC Classic traffic with a wide-open rule that permits port 135 plus that entire range between client and server, which leaves a large attack surface and largely defeats the purpose of the firewall. This is why OPC Classic is described as "firewall unfriendly". The usual mitigations are to restrict the RPC dynamic port range on the Windows hosts so that only a small, known range has to be opened, to use an OPC-aware firewall or OPC tunnelling product that tracks the negotiated ports, or to migrate to OPC UA, which uses a single configurable TCP port. The other options are wrong: OPC Classic is not limited to port 80, interoperability between manufacturers is a feature rather than a firewall problem, and being an older standard is not in itself what makes it hard to firewall. References: Tofino Security and OPC Foundation white paper on OPC and firewalls; GE, "Step 2 (for client or server): Configuring firewall settings"; Design World, "Secure firewall for OPC Classic"
Question 46:
Which is a role of the application layer?
Available Choices (select all choices that are correct)
A. Includes protocols specific to network applications such as email, file transfer, and reading data registers in a PLC
B. Includes user applications specific to network applications such as email, file transfer, and reading data registers in a PLC
C. Provides the mechanism for opening, closing, and managing a session between end-user application processes
D. Delivers and formats information, possibly with encryption and security
Correct Answer: A
The application layer is the topmost layer of the OSI model and provides the interface between user applications and the network. It includes the protocols that network applications use, such as SMTP for email, FTP for file transfer, and Modbus/TCP or similar industrial protocols for reading data registers in a PLC. The user applications themselves (the mail client, the HMI) are not part of the layer; they sit above it and use its protocols, so option B is wrong. Opening, closing, and managing a session between end-user application processes is the role of the session layer (option C), and delivering and formatting information, possibly with encryption, is the role of the presentation layer (option D). References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, page 181; Using the ISA/IEC 62443 Standards to Secure Your Control System, page 82
Question 47:
How many element groups are in the "Addressing Risk" CSMS category?
Available Choices (select all choices that are correct)
A. 2
B. 3
C. 4
D. 5
Correct Answer: B
The "Addressing Risk" CSMS category in ISA/IEC 62443-2-1 consists of three element groups: Security Policy, Organization and Awareness; Selected Security Countermeasures; and Implementation. Together they cover defining the security objectives, roles and responsibilities, policies and procedures, awareness and training, the selection and implementation of security countermeasures, and the execution and maintenance of the security program. The aim of the category is to reduce the security risk to an acceptable level by applying appropriate security measures to the system under consideration (SuC). The other two CSMS categories are Risk Analysis and Monitoring and Improving the CSMS. References: ISA/IEC 62443-2-1: Security for industrial automation and control systems: Establishing an industrial automation and control systems security program
Question 48:
Which of the following are the critical variables related to access control?
Available Choices (select all choices that are correct)
A. Reporting and monitoring
B. Account management and monitoring
C. Account management and password strength
D. Password strength and change frequency
Correct Answer: C
Access control is the process of granting or denying specific requests to obtain and use information and related information processing services. In ISA/IEC 62443 it is covered by the first two of the seven foundational requirements (FRs): FR 1, Identification and authentication control (IAC), and FR 2, Use control (UC). The full list of FRs is FR 1 IAC, FR 2 UC, FR 3 System integrity, FR 4 Data confidentiality, FR 5 Restricted data flow, FR 6 Timely response to events, and FR 7 Resource availability; ISA/IEC 62443-3-3 derives its system requirements (SRs) from these, numbered SR n.x under FR n. The SRs under FR 1 are the ones that concern account management and password strength. SR 1.1 and SR 1.2 require the system to identify and authenticate all human users, and all software processes and devices, before they are granted access. SR 1.3 (Account management) requires the capability to manage all accounts by authorized users, including adding, activating, modifying, disabling, and removing them. SR 1.7 (Strength of password-based authentication) requires the enforcement of configurable password strength (minimum length and variety of character types) and, at higher security levels, password lifetime restrictions. Password strength is the difficulty an attacker faces in guessing or cracking a password, and it depends on the length, complexity, randomness, and uniqueness of the password.
FR 2 then governs what an authenticated identity may do: SR 2.1 (Authorization enforcement) requires privileges to be assigned according to the security policy, with least privilege and separation of duties, and SR 2.8 (Auditable events) requires access control events such as successful and failed login attempts, password changes, and privilege changes to be logged. Reporting, monitoring, and change frequency (options A, B, and D) are supporting controls, but account management and password strength are the variables that directly determine who can authenticate to the IACS and what they can then do, so option C is correct. References: ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Certificate Program; ISA/IEC 62443 Cybersecurity Library; Using the ISA/IEC 62443 Standards to Secure Your Control Systems
Question 49:
Which is the PRIMARY responsibility of the network layer of the Open Systems Interconnection (OSI) model?
Available Choices (select all choices that are correct)
A. Forwards packets, including routing through intermediate routers
B. Gives transparent transfer of data between end users
C. Provides the rules for framing, converting electrical signals to data
D. Handles the physics of getting a message from one device to another
Correct Answer: A
The primary responsibility of the network layer of the Open Systems Interconnection (OSI) model is to forward packets, including routing them through intermediate routers. The network layer is the third layer from the bottom of the OSI model. It assigns logical addresses to devices (IP addresses in the TCP/IP world), encapsulates the data handed down by the transport layer into packets that carry the source and destination addresses plus the payload, and uses routing algorithms to choose the path those packets take across interconnected networks. Because it delivers packets host to host across network boundaries, it is the layer at which routers, and routing-level firewall rules, operate. The other choices are not correct because:
B. Gives transparent transfer of data between end users. This is the responsibility of the transport layer, the fourth layer from the bottom of the OSI model. It provides end-to-end data transfer between processes on the end hosts (reliable and ordered with TCP, best-effort with UDP) and operates on segments, which carry the source and destination port numbers plus the payload; it also handles flow control, congestion control, and multiplexing of multiple connections.
C. Provides the rules for framing, converting electrical signals to data. This is the responsibility of the data link layer, the second layer from the bottom of the OSI model. It transfers data between adjacent nodes on a network, using protocols such as Ethernet and Wi-Fi, and operates on frames, which carry the source and destination MAC addresses plus the payload; it also handles error detection, error correction, and media access control.
D. Handles the physics of getting a message from one device to another. This is the responsibility of the physical layer, the lowest layer of the OSI model. It transmits bits over a physical medium such as copper wire, fiber optic cable, or radio waves, and handles modulation, demodulation, encoding, decoding, and synchronization. References: The OSI Model: The 7 Layers of Networking Explained in Plain English; Network Layer in OSI Model; OSI model
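The following is an added example, not taken from the exam material or from any ISA document, that decodes constructed Ethernet/IPv4 frames one layer at a time. It illustrates two explanations on this page at once: the frame, packet, and segment layering of Question 49, and the difference between IPsec transport mode and tunnel mode from Question 41, by showing what an on-path observer (or a firewall) sees in each case and what the IPsec peer sees after ESP decapsulation. The MAC and IP addresses, the key, the SPI values, and the Modbus/TCP request are all constructed sample data; the IP and TCP checksums are left at zero; and the ESP "encryption" is a placeholder SHA-256 keystream with no padding or ICV, so that the sample can be decoded offline. Real ESP uses a cipher and integrity algorithm negotiated by IKE.

```python
"""Layer-by-layer decode of constructed frames: plain TCP, ESP transport, ESP tunnel."""
import hashlib
import struct

ETH_IPV4 = 0x0800
PROTO_IPIP = 4      # IP-in-IP: the "next header" value ESP carries in tunnel mode
PROTO_TCP = 6
PROTO_ESP = 50


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left at zero (sample data, never sent on the wire).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, data):
    # 20-byte TCP header: seq/ack zero, data offset 5 words, PSH|ACK, checksum zero.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def build_eth(src_mac, dst_mac, payload):
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + payload


def toy_keystream(key, spi, seq, n):
    # Placeholder keystream (SHA-256 in counter mode) so the sample can be decoded;
    # real ESP uses AES-GCM or AES-CBC plus an HMAC ICV, with keys negotiated by IKE.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(key, spi, seq, inner, next_header):
    # ESP layout: SPI(4) | sequence(4) | encrypted( payload | pad length | next header ).
    # Padding bytes and the trailing ICV are omitted in this toy.
    body = inner + bytes([0, next_header])
    ks = toy_keystream(key, spi, seq, len(body))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(body, ks))


def esp_decapsulate(key, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    ks = toy_keystream(key, spi, seq, len(esp) - 8)
    body = bytes(a ^ b for a, b in zip(esp[8:], ks))
    next_header, pad_len = body[-1], body[-2]
    return next_header, body[: len(body) - 2 - pad_len]


def decode(frame, key=None):
    """Walk link -> network -> transport and return what each layer exposes.
    Without `key` this is the view of an on-path observer or firewall; with it,
    the view of the IPsec peer after ESP decapsulation."""
    view = {"link": (fmt_mac(frame[6:12]), fmt_mac(frame[:6]))}   # (src, dst) MACs
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return view
    pkt = frame[14:]
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    view["network"] = (fmt_ip(pkt[12:16]), fmt_ip(pkt[16:20]))      # outer IP header
    payload = pkt[ihl:]
    if proto == PROTO_TCP:
        view["transport"] = struct.unpack("!HH", payload[:4])       # (sport, dport)
    elif proto == PROTO_ESP:
        view["esp_spi"] = struct.unpack("!I", payload[:4])[0]       # all a firewall sees
        if key is not None:
            nh, inner = esp_decapsulate(key, payload)
            if nh == PROTO_IPIP:        # tunnel mode: a whole IP packet was wrapped
                view["inner_network"] = (fmt_ip(inner[12:16]), fmt_ip(inner[16:20]))
                inner = inner[(inner[0] & 0x0F) * 4:]
            view["transport"] = struct.unpack("!HH", inner[:4])
    return view


# Constructed sample traffic: a Modbus/TCP "read holding registers" request from a
# workstation (HOST_A) to a PLC (HOST_B), sent in the clear, in ESP transport mode,
# and in ESP tunnel mode between two site gateways (GW_A, GW_B). All values made up.
KEY = b"constructed-demo-key"
HOST_A, HOST_B = "10.0.1.10", "10.0.2.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
MAC_A, MAC_GW = bytes.fromhex("02000000000a"), bytes.fromhex("020000000001")
MODBUS = build_tcp(50234, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")
PLAIN = build_eth(MAC_A, MAC_GW, build_ipv4(HOST_A, HOST_B, PROTO_TCP, MODBUS))
TRANSPORT = build_eth(MAC_A, MAC_GW, build_ipv4(
    HOST_A, HOST_B, PROTO_ESP, esp_encapsulate(KEY, 0x1001, 1, MODBUS, PROTO_TCP)))
TUNNEL = build_eth(MAC_A, MAC_GW, build_ipv4(
    GW_A, GW_B, PROTO_ESP,
    esp_encapsulate(KEY, 0x1002, 1, build_ipv4(HOST_A, HOST_B, PROTO_TCP, MODBUS), PROTO_IPIP)))

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("esp transport", TRANSPORT), ("esp tunnel", TUNNEL)):
        print(name, "observer:", decode(frame))
        print(name, "peer:", decode(frame, KEY))
```

Running the script prints the three views. In the plain frame every layer is visible, including the Modbus port 502, which is why a conduit firewall can filter it. In transport mode the observer still sees the real workstation and PLC addresses but only an SPI instead of ports, so the firewall can no longer tell Modbus from anything else. In tunnel mode the observer sees only the two gateway addresses; the inner addresses and ports appear only after decapsulation with the key, which is exactly the property the Question 41 explanation attributes to tunnel mode.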
Question 50:
Whose responsibility is it to determine the level of risk an organization is willing to tolerate?
Available Choices (select all choices that are correct)
A. Management
B. Legal Department
C. Operations Department
D. Safety Department
Correct Answer: A
According to the ISA/IEC 62443 standards, the level of risk an organization is willing to tolerate is determined by the management, as they are responsible for defining the business and risk objectives, as well as the security policies and procedures for the organization. The management also has the authority to allocate the necessary resources and assign the roles and responsibilities for implementing and maintaining the security program. The legal, operations, and safety departments may provide input and feedback to the management, but they do not have the final say in determining the risk tolerance level. References: ISA/IEC 62443-2-1:2010 - Establishing an industrial automation and control systems security program, section 4.2.1.