ISA ISA Certifications ISA-IEC-62443 Questions & Answers

• Question 71:

  What is the definition of "defense in depth" when referring to

  Available Choices (select all choices that are correct)

  A. Using countermeasures that have intrinsic technical depth.

  B. Aligning all resources to provide a broad technical gauntlet

  C. Requiring a minimum distance requirement between security assets

  D. Applying multiple countermeasures in a layered or stepwise manner

  Correct Answer: D

  Defense in depth is a concept of cybersecurity that involves applying multiple layers of protection to a system or network, so that if one layer fails, another layer can prevent or mitigate an attack. Defense in depth is based on the principle that no single security measure is perfect or sufficient, and that multiple countermeasures can provide redundancy and diversity of defense. Defense in depth can also increase the cost and complexity for an attacker, as they have to overcome more obstacles and exploit more vulnerabilities to achieve their goals. Defense in depth is one of the key concepts of the ISA/IEC 62443 series of standards, which provide guidance and best practices for securing industrial automation and control systems (IACS). The standards recommend applying defense in depth strategies at different levels of an IACS, such as the network, the system, the component, and the policy and procedure level. The standards also define different zones and conduits within an IACS, which are logical or physical groupings of assets that share common security requirements and risk levels. By applying defense in depth strategies to each zone and conduit, the security of the entire IACS can be improved. References: ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models1 ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels2 ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements3 ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components4

• Question 72:

  Which of the following is a trend that has caused a significant percentage of security vulnerabilities?

  Available Choices (select all choices that are correct)

  A. IACS developing into a network of air-gapped systems

  B. IACS evolving into a number of closed proprietary systems

  C. IACS using equipment designed for measurement and control

  D. IACS becoming integrated with business and enterprise systems

  Correct Answer: D

  One of the trends that has increased the security risks for industrial automation and control systems (IACS) is the integration of these systems with business and enterprise systems, such as enterprise resource planning (ERP), manufacturing execution systems (MES), and supervisory control and data acquisition (SCADA). This integration exposes the IACS to the same threats and vulnerabilities that affect the business and enterprise systems, such as malware, denial-of-service attacks, unauthorized access, and data theft. Moreover, the integration also creates new attack vectors and pathways for adversaries to compromise the IACS, such as through remote access, wireless networks, or third-party devices. Therefore, the integration of IACS with business and enterprise systems is a trend that has caused a significant percentage of security vulnerabilities. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 1-2.

• Question 73:

  In an IACS system, a typical security conduit consists of which of the following assets?

  Available Choices (select all choices that are correct)

  A. Controllers, sensors, transmitters, and final control elements

  B. Wiring, routers, switches, and network management devices

  C. Ferrous, thickwall, and threaded conduit including raceways

  D. Power lines, cabinet enclosures, and protective grounds

  Correct Answer: B

  A security conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements1. A zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements1. Therefore, a security conduit consists of assets that enable or facilitate communication between zones, such as wiring, routers, switches, and network managementdevices. Controllers, sensors, transmitters, and final control elements are examples of assets that belong to a zone, not a conduit. Ferrous, thickwall, and threaded conduit including raceways are physical structures that may enclose or protect wiring, but they are not part of the communication channels themselves. Power lines, cabinet enclosures, and protective grounds are also not part of the communication channels, but rather provide power or protection to the assets in a zone or a conduit. References: 1: Key Concepts of ISA/IEC 62443: Zones and Security Levels | Dragos

• Question 74:

  In a defense-in-depth strategy, what is the purpose of role-based access control?

  Available Choices (select all choices that are correct)

  A. Ensures that users can access systems from remote locations

  B. Ensures that users can access only certain devices on the network

  C. Ensures that users can access only the functions they need for their job

  D. Ensures that users correctly manage their username and password

  Correct Answer: C

  Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization. RBAC assigns permissions and responsibilities to roles, rather than to individual users, and then assigns users to those roles. This way, users can only perform the actions that are relevant and necessary for their role, and not access or modify any other resources that are beyond their scope of authority. RBAC is one of the security countermeasures that can be implemented in a defense-in-depth strategy, which is a layered approach to protect industrial automation and control systems (IACS) from cyber threats. RBAC can help prevent unauthorized access, misuse, or sabotage of IACS resources, as well as reduce the risk of human error or insider attacks. References: ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels, Clause 5.3.2.11 ISA/IEC 62443-2-1:2010, Security for industrial automation and control systems Part 2-1: Establishing an industrial automation and control systems security program, Clause 6.2.2.32 ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements, Clause 5.2.3.23 ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems

  - Part 4-2: Technical security requirements for IACS components, Clause 4.2.3.24

• Question 75:

  Which of the following refers to internal rules that govern how an organization protects critical system resources?

  Available Choices (select all choices that are correct)

  A. Formal guidance

  B. Legislation

  C. Security policy D- Code of conduct

  Correct Answer: C

  A security policy refers to internal rules that govern how an organization protects critical system resources, such as industrial control systems (ICS). A security policy defines the objectives, scope, roles, responsibilities, and requirements for

  securing the ICS environment, as well as the procedures and guidelines for implementing, monitoring, and enforcing the security measures. A security policy also establishes the baseline for assessing and managing the security risks to the

  ICS, and for ensuring compliance with relevant standards, regulations, and best practices. A security policy is a key component of the ICS security program, and it should be documented, communicated, and reviewed regularly.

  The other choices are not correct because:

  A. Formal guidance. Formal guidance refers to external sources of information and recommendations that can help an organization improve its ICS security posture, such as standards, frameworks, guidelines, and best practices. Formal guidance is not an internal rule, but rather a reference that can be used to develop, implement, and evaluate the security policy and controls. For example, the ISA/IEC 62443 series of standards provide formal guidance on how to secure ICS from cyber threats1.

  B. Legislation. Legislation refers to external laws and regulations that impose legal obligations and penalties on an organization for its ICS security performance, such as the NERC CIP standards for the electric sector2, or the EU NIS Directive for critical infrastructure operators3. Legislation is not an internal rule, but rather a compliancerequirement that must be met by the organization. Legislation may also influence the security policy and controls, as the organization needs to align its security objectives and practices with the legal expectations and consequences. D. Code of conduct. A code of conduct refers to a set of ethical principles and values that guide the behavior and decision-making of an organization and its employees, such as honesty, integrity, respect, and accountability. A code of conduct is not an internal rule for protecting critical system resources, but rather a general norm for conducting business and maintaining a positive reputation. A code of conduct may also support the security policy and culture, as it can foster a sense of responsibility and trust among the ICS stakeholders. References:

  1: ISA/IEC 62443 Standards to Secure Your Industrial Control System

  2: NERC Critical Infrastructure Protection Standards

  3: EU Network and Information Systems Directive

• Question 76:

  After receiving an approved patch from the JACS vendor, what is BEST practice for the asset owner to follow?

  A. If a low priority, there is no need to apply the patch.

  B. If a medium priority, schedule the installation within three months after receipt.

  C. If a high priority, apply the patch at the first unscheduled outage.

  D. If no problems are experienced with the current IACS, it is not necessary to apply the patch.

  Correct Answer: C

  According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist resources, patches are software updates that fix bugs, vulnerabilities, or improve performance of a system. Patches are classified into three categories based on their urgency and impact: low, medium, and high. Low priority patches are those that have minimal or no impact on the system functionality or security, and can be applied at the next scheduled maintenance. Medium priority patches are those that have moderate impact on the system functionality or security, and should be applied within a reasonable time frame, such as three months. High priority patches are those that have significant or criticalimpact on the system functionality or security, and should be applied as soon as possible, preferably at the first unscheduled outage. Applying patches in a timely manner is a best practice for maintaining the security and reliability of an industrial automation and control system (IACS). References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 4.3.2, Patch Management ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program, Clause 5.3.2.2, Patch management ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels, Clause 4.3.3.6.2, Patch management

• Question 77:

  Which layer in the Open Systems Interconnection (OSI) model would include the use of the File Transfer Protocol (FTP)?

  Available Choices (select all choices that are correct)

  A. Application layer

  B. Data link layer

  C. Session layer

  D. Transport layer

  Correct Answer: A

  The File Transfer Protocol (FTP) is an application layer protocol that moves files between local and remote file systems. It runs on top of TCP, like HTTP. To transfer a file, 2 TCP connections are used by FTP in parallel: control connection and data connection. The control connection is used to send commands and responses between the client and the server, while the data connection is used to transfer the actual file. FTP is one of the standard communication protocols defined by the TCP/IP model and it does not fit neatly into the OSI model. However, since the OSI model is a reference model that describes the general functions of each layer, FTP can be considered as an application layer protocol in the OSI model, as it provides user services and interfaces to the network. The application layer is the highest layer in the OSI model and it is responsible for providing various network services to the users, such as email, web browsing, file transfer, remote login, etc. The application layer interacts with the presentation layer, which is responsible for data formatting, encryption, compression, etc. The presentation layer interacts with the session layer, which is responsible for establishing, maintaining, and terminating sessions between applications. The session layer interacts with the transport layer, which is responsible for reliable end-to-end data transfer and flow control. The transport layer interacts with the network layer, which is responsible for routing and addressing packets across different networks. The network layer interacts with the data link layer, which is responsible for framing, error detection, and medium access control. The data link layer interacts with the physical layer, which is responsible for transmitting and receiving bits over the physical medium. References: File Transfer Protocol (FTP) in Application Layer1 FTP Protocol2 What OSI layer is FTP?3

• Question 78:

  Which is an important difference between IT systems and IACS?

  Available Choices (select all choices that are correct)

  A. The IACS security priority is integrity.

  B. The IT security priority is availability.

  C. IACS cybersecurity must address safety issues.

  D. Routers are not used in IACS networks.

  Correct Answer: A

  IT systems and IACS have different security priorities, requirements, and challenges. According to the ISA/IEC 62443 standards, the security priority for IT systems is confidentiality, which means protecting the data from unauthorized access or disclosure. The security priority for IACS is integrity, which means ensuring the accuracy and consistency of the data and the functionality of the system. A loss of integrity in an IACS can have severe consequences, such as physical damage, environmental harm, or human injury. Therefore, IACS cybersecurity must address safety issues, which are not typically considered in IT security. Safety is the ability of the system to prevent or mitigate hazardous events that can cause harm to people, property, or the environment. The ISA/IEC 62443 standards provide guidance and best practices for ensuring the safety and security of IACS, as well as the availability and reliability of the system. Availability is the ability of the system to perform its intended function when required, and reliability is the ability of the system to perform its intended function without failure. These properties are also important for IT systems, but they may have different trade-offs and implications for IACS. For example, an IACS may have stricter performance and availability requirements than an IT system, as a delay or disruption in the IACS operation can affect the industrial process and its outcomes. Additionally, an IACS may have longer equipment lifetimes and less frequent maintenance windows than an IT system, which can make patching and updating more difficult and risky. Furthermore, an IACS may use different technologies and architectures than an IT system, such as legacy devices, proprietary protocols, or specialized hardware. These factors can create compatibility and interoperability issues, as well as increase the attack surface andcomplexity of the IACS. Therefore, IT security solutions and practices may not be sufficient or suitable for IACS, and they may need to be adapted or supplemented by IACS-specific security measures. The ISA/IEC 62443 standards address these differences and provide a comprehensive framework for securing IACS throughout their lifecycle. References: 1: Security of Industrial Automation and Control Systems - ISAGCA 2: ISA/IEC 62443 Series of Standards - ISA 3: ISA/IEC 62443 Series of Standards | ISAGCA 4: Securing IACS based on ISA/IEC 62443 ?Part 1: The Big Picture

• Question 79:

  What is OPC?

  Available Choices (select all choices that are correct)

  A. An open standard protocol for real-time field bus communication between automation technology devices

  B. An open standard protocol for the communication of real-time data between devices from different manufacturers

  C. An open standard serial communications protocol widely used in industrial manufacturing environments

  D. A vendor-specific proprietary protocol for the communication of real-time plant data between control devices

  Correct Answer: B

  OPC stands for Open Platform Communications, and it is a series of standards and specifications for industrial telecommunication based on Object Linking and Embedding (OLE) for process control. It allows the communication of real-time data between devices from different manufacturers using various data transportation technologies, such as Microsoft's OLE, COM, DCOM, .NET, XML, and TCP123. OPC is not a protocol itself, but rather a standardized approach for data connectivity supported by the OPC Foundation3. OPC is widely used in industrial automation and control systems, as well as other industries, to achieve interoperability and integration between different applications and devices3. A is incorrect, because OPC is not a field bus protocol, but rather a standard for data exchange between devices that may use different field bus protocols, such as Modbus, Profibus, or Ethernet/IP2. C is incorrect, because OPC is not a serial communications protocol, but rather a standard that can use various data transportation technologies, including serial, Ethernet, or wireless2. D is incorrect, because OPC is not a vendor- specific proprietary protocol, but rather an open standard that can be implemented by any vendor or device that supports the OPC specifications3. References: 1: Open Platform Communications - Wikipedia 2: What is OPC Protocol - The Automization 3: What is OPC?

  -OPC Foundation

• Question 80:

  Which of the following tools has the potential for serious disruption of a control network and should not be used on a live system?

  Available Choices (select all choices that are correct) A. Remote desktop

  B. Vulnerability scanner

  C. FTP

  D. Web browser

  Correct Answer: B

  A vulnerability scanner is a tool that scans a network or a system for known vulnerabilities, such as misconfigurations, outdated software, or weak passwords. A vulnerability scanner can provide valuable information for improving the security posture of a system, but it can also cause serious disruption of a control network if used on a live system. This is because a vulnerability scanner may generate a large amount of network traffic, consume system resources, trigger alarms, or even crash devices by exploiting vulnerabilities. Therefore, a vulnerability scanner should not be used on a live system without proper authorization and precautions. A vulnerability scanner should only be used on a test or isolated network, or during a scheduled maintenance window with minimal impact on the system operation. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, Module 5: Assessing the Current Security Level, Slide 25.