IC33M

Question 1

Module 1

Answer 1

Identify and document the scope of the IACS under assessment

Specify, gather or generate the cybersecurity information required to perform the assessment

Question 2

What is the security lifecycle?

Answer 2

1. Assess
2. Design & Implement
3. Maintain

The security lifecycle is a continuous process needed to minimize risks.

Question 3

Cyber Risk Response

Design the risk out

Answer 3

One form of mitigation is to change the design of the system so that the risk is removed

Question 4

Cyber Risk Response

Reduce the risk

Answer 4

Risks can be decreased to an acceptable level through the implementation of countermeasures that reduce the likelihood or the consequences of an attack

Question 5

Cyber Risk Response

Transfer or share the risk

Answer 5

It may be possible to establish some sort of insurance or agreement that transfers some or all of the risk to a third entity

Question 6

Cyber Risk Response

Eliminate redundant or ineffective controls

Answer 6

A good risk assessment process will identify these types of controls that need to be addressed

Question 7

Cyber Risk Response

Accept the risk

Answer 7

There is always an option to accept the risk, to see it as the cost of doing business

Question 8

Why conduct Cybersecurity Vulnerability Assessments?

Answer 8

It defines, identifies , and classifies the security vulnerabilities in an industrial control system and its related network infrastructure.

Critical step in evaluating cyber risk

Evaluates the IACS design, implementation, configuration, operation and management

Determines the adequacy of the security measures and identifies security deficiencies

Question 9

What are the types of Cybersecurity Vulnerability assessments? (4)

Answer 9

1. High Level (Gap Assessment) - Least invasive
2. Passive
3. Active
4. Penetration Test - Most invasive

Question 10

Benefits of CSET

Answer 10

A repeatable and systematic approach for assessing an organization’s cyber security posture

Evaluation and comparison of existing industry standards and regulations

Facilities discussion and input from subject matter experts throughout the organization

Identifies potential vulnerabilities in the control system design and security policies

Offers guidelines for IACS cybersecurity solutions and mitigations

Question 11

Cyber Security Management System

Policy, Procedures Training, and Procedures

Answer 11

1. IC33M - High-level cyber risk Assessment
2. IC33M - Allocation of IACS assets to security zones or conduits
3. IC33M - Detailed cyber risk assessment
4. IC34M - Cybersecurity requirements specification
5. IC34M - Design and engineering of cyber security countermeasures
   6.

Question 12

Define the scope of a cyber security assessment

Answer 12

Scope determines the parameters of what is included in the assessment and how it is performed

1. Identify requirements
2. Specify devices
3. Select collection method
4. Document

Question 13

What are the elements of a good project plan?

Answer 13

1. What is the goal of the project, and what does the organization hope to achieve.
2. Clearly define the scope of the project, and what are the parameters, including what is not included in the scope, this helps keep resources focused.
3. What is the project budget, and what resources are required.
4. Identify all stakeholders and their interest in the

Question 14

Module 3 - After completing this module, you will be able to:

Answer 14

1. Identify or discover cybersecurity vulnerabilities inherent in the IACS products or system design
2. Organize and facilitate a cybersecurity risk assessment for an IACS

Question 15

How to conduct an IAC vulnerability assessment:

Answer 15

1. Pre-assessment
2. Kick-off meeting
3. Walkthrough
4. Passive data collection
5. Network Scanning (Active)
6. Vulnerability Scanning (Active)
7. Analysis
8. Reporting