IC33M

Question 1

What are the benefits of CSET?

Answer 1

Repeatable and systematic approach to assess an orgs cybersecurity posture.
Evaluate and Compare to standards/regulations
Facilitates input and discussion from SMEs
Identifies potential vulnerabilities.
Offers guidelines for IACS cyber solutions and mitigations
REFIG

Question 2

What is the process for a GAP Assessment?

Answer 2

1. Identify benchmark standards
2. Gather info by site visits, interviews and documentation
3. Compare performance with benchmark standards
4. Document and report results

Question 3

What are the types of Likelihood?

Answer 3

Frequency:
Target Attractiveness, Attack Surface
Probability:
Capability of threat actor,
Motivation/intent,
Known Vulnerabilities,

Question 4

What is the process for the Scope?

Answer 4

1. Identify Requirements
2. Specify Devices
3. Select Collection Method
4. Document
   ISSD

Question 5

What does the Scope identify?

Answer 5

1. Assumptions
2. Boundaries
3. Constraints
4. Deliverables
   ABCD

Question 6

What are some Active Assessment tools?

Answer 6

Nmap (network) or Nessus , Nexpose and Retina (vulnerability)

Question 7

What is the CRRF?

Answer 7

The measure of the degree of risk reduction required to reach tolerable risk

Question 8

What are the different Vulnerability Classes?

Answer 8

PPASCC
Physical
Policy and Procedure
Architecture and Design
Software
Config and Management
Comms and Network

Question 9

What are the steps to a Vulnerability Assessment?

Answer 9

Pre-assessment > Kick-off Meeting > Walkthrough
Passive Data collection
Active network and vulnerability scanning
Analysis
Reporting

Question 10

What are the elements of a good Project Plan?

Answer 10

Goal
Clearly defined scope
Budget and Resources
Stakeholders

Question 11

How do you conduct a Detailed Risk Assessment?

Answer 11

1. Identify Threats
2. Identify Vulnerabilities
3. Determine Consequence and Impact
4. Determine the Likelihood
5. Calculate Unmitaged Cyber Risk
6. Determine SL-T
7. Does the Unmitigated Cyber Risk exceed the Tolerable Risk?
8. Consider Existing Countermeasures
9. Re-evaluate the Likelihood and Impact
10. Calculate Residual Risk
11. All Risk Mitigated or below Tolerable Risk?
12. Appy Additional Countermeasures
13. Document Results section

Question 12

What is the purpose of a CVA?

Answer 12

Defines, Identifies and Classifies vulnerabilities in an ICS
Evaluates the IACS Design, Config, Mgmt. Implementation and Operation
Evaluates Security Countermeasures
Identifies Security Deficiencies
Critical Step in Evaluating Cyber Risk
DESSC

Question 13

What are the steps in the Assess phase (3-2)?

Answer 13

1. High-level Cyber Risk Assessment
2. Allocate IACS Assets to Security zones and Conduits
3. Detailed Cyber Risk Assessment

Question 14

What are the steps in the Develop and Implement phase (3-2/3)?

Answer 14

4. Cyber Requirement Specification
5. Design and Engineering of Cybersecurity Countermeasures
6. Install, Commissioning and Validation of Cyber Countermeasures

Question 15

What are the steps in the Maintain phase (2-1)?

Answer 15

7. Cybersecurity Maintenance, Monitoring and Change Management
8. Cyber Incident Response and Recovery

Question 16

What does the CRS Include?

Answer 16

SuC Description
Zone and Conduit Drawings /Characteristics
SL-Ts
Operating Environment Assumptions
Threat Environments
Tolerable Risk
Security Policies and Regulations
Requirements: Acces control, Physical Security, Detection and Monitoring, Response Time, OS Hardening, Device Hardening

Question 17

Why is the CRS created?

Answer 17

To document mandatory Security Countermeasures of the SuC based on the Detailed Risk Assessment as well as Security Requirements based on Policies, Standards and Regulations

Question 18

What is Residual Risk?

Answer 18

Risk that remains after existing countermeasures are implemented

Question 19

How do you Calculate the CRRF

Answer 19

Unmitigated Risk / Tolerable Risk

Question 20

What is a Cyber Criticality Assessment?

Answer 20

Measure of negative Impact should the AIC of information be affected

Question 21

What is the Security Lifecycle?

Answer 21

Assess, Develop and Implement, Maintain

A continuous process to minimize risks

Question 22

What are the Limitations of CSET?

Answer 22

Component focus rather than System focus
Will not provide a detailed analysis or review
Not a risk analysis tool
Reports need to be treated securely

Question 23

How is Unmitigated Cyber Risk Calculated?

Answer 23

Risk Matrix that establishes a relationship between Likelihood and Impact

Question 24

What documents should be Maintained?

Answer 24

Gap Assessment Report
Vulnerability Assessment Report
Risk Assessment Report
Zone and Conduit Diagrams
CRS

Question 25

What is in a Vulnerability Assessment Report?

Answer 25

Scope
“As found” System Architecture
Assessment Details
Prioritised summary of findings
Detailed findings

Question 26

What is in a Cyber Risk Assessment Report?

Answer 26

Risk Profile
Scope
Assessment details
Detailed findings
Prioritised Recommendations