Conducting Cyber Risk Assessments Flashcards

1
Q

Identify Threats

A

Requirement
A list of the threats that could affect the assets contained within the zone or conduit shall be developed

Include
* A description of the threat source
* A description of the capability or skill-level of the threat source
* A description of possible threat vectors
* Identification of the potentially affected asset(s)

2
Q

Threat Source

A

The threat source is the entity that can manifest a threat.

* Unauthorized internal personnel
* Authorized internal personnel
* Unauthorized external person (hacker)
* Authorized 3rd party
* Malware
* Equipment
* Environment
3
Q

Threat Vector

A

The threat vector is the means the threat source may utilize to compromise the zone or conduit.

4
Q

Identify Vulnerabilities

A

Requirement
The zone or conduit shall be analyzed in order to identify and document the known vulnerabilities in the assets contained within the zone or conduit, including the access points.

5
Q

Vulnerability

A

A vulnerability is any flaw or weakness in a system’s design, implementation or operation that could be exploited to compromise the system.

6
Q

Determine Consequence & Impact

A

Each threat identified in 5.1 and 5.2 shall be evaluated to determine the consequence and the impact of the consequence should the threat be realized. Document impact in terms of the worst-case impact on risk areas such as personnel safety, financial loss, business interruption, and environment.

8
Q

Determine Likelihood

A

Factors:
* Frequency
- Target attractiveness
- Attack surface
* Probability
- Capability of the threat actor
- Known vulnerabilities
- Motivation/intent of the threat actor

10
Q

Likelihood Scale

A
11
Q

Unmitigated Threat Likelihood (UTL)

A

The UTL is the likelihood of the threat occurring and leading to the final consequence without any cybersecurity countermeasures in place.

12
Q

Calculate Risk

A

Requirement
The initial risk for each threat shall be calculated by combining the unmitigated likelihood measure and the impact measure.

13
Q

Determine Security Level Target

A

Requirement
An SL-T shall be established for each security zone or conduit. The SL-T is related to the Cyber Risk Reduction Factor (CRRF), which is a measure of the degree of risk reduction required to achieve tolerable risk.

CRRF = Unmitigated Risk / Tolerable Risk

14
Q

Types of Security Levels (SLs)

A

Target
SL-T: the desired level of security for a particular system. This is usually determined by performing a risk assessment on a system and determining that it needs a particular level of security to ensure correct operation.

Achieved
SL-A: the actual level of security for a particular system. These are measured after a system design is available or when a system is in place. They are used to establish that a security system is meeting the goals that were originally set out in the target SLs.

Capability
SL-C: the security levels that components or systems can provide when properly configured. These levels state that a particular component or system is capable of meeting the target SLs natively, without additional compensating countermeasures, when properly configured and integrated.

15
Q

Security Levels Defined

A
16
Q

SL-T Example

A
17
Q

Consider Existing Countermeasures

A

Requirement
Identify and evaluate the effectiveness of existing countermeasures to reduce the likelihood of threats or to mitigate vulnerabilities.

18
Q

Mitigated Threat Likelihood (MTL)

A

The MTL is the likelihood of the threat scenario occurring and leading to the final consequence. It takes into account all protection measures and cybersecurity countermeasures in place.

19
Q

Calculate the Residual Risk

A

Requirement
The residual risk for each threat shall be determined by combining the mitigated likelihood and impact measures.

Calculating residual risk provides a measure of the effectiveness of existing countermeasures. It is an essential step in determining whether the level of unmitigated risk is at or below the tolerable risk.

20
Q

Compare Residual Risk with Tolerable Risk

A

The residual risk calculated for each threat shall be compared to the organization’s tolerable risk. The organization must determine if the residual risk will be mitigated, transferred or accepted based upon the organization’s policy.

21
Q

Apply additional Security Countermeasures

A

Requirement
Appropriate security countermeasures shall be applied to mitigate the risk where the residual risk exceeds the organization’s tolerable risk, unless the organization has accepted or transferred the risk.

22
Q

Document and Communicate Results

A

Requirement
The results of the cyber risk assessment shall be documented and shall include the date each session was conducted as well as the names and titles of the participants. Documentation that was instrumental in performing the cyber risk assessment (e.g. system architecture diagrams, PHAs, vulnerability assessments, gap assessments, sources of threat information, etc.) shall be recorded and archived along with the cyber risk assessment.

23
Q

Which Security Level is defined as “Protection against intentional violation using simple means with low resources, generic skills and low motivation”?

A

SL-2

24
Q

Which of the following is the term for the undesirable result of an incident?

A

Consequence

25
Q

What is known as any flaw or weakness in a system’s design, implementation or operation that could be exploited to compromise the system?

A

Vulnerability

26
Q

Which type of Security Level is the desired level of security for a particular system?

A

Target (SL-T)

27
Q

What is the measure of the degree of risk reduction required to achieve tolerable risk?

A

CRRF