ISA IC33

Question 1

Security Life Cycle include?

Answer 1

Access,
Develop & implement,
and Maintain Phase

Question 2

Security Life Cycle is.

Answer 2

Continuous steps to minimize risk.

Question 3

IC33 focus on the Access Phase. Access Phase include?

Answer 3

1- High Level Cybersecurity assessment
2- Allocation of IACS assets to Security Zones and Conduits
3- Detailed Cyber Risk Assessment

Question 4

IC33 Access phase focuses are found in?

Answer 4

ISA/IEC62443-3-2

Question 5

IC34 is related to the Develop & Implement phase which include?

Answer 5

4- Cyber Security Requirement Specification (CRS) ISA 62443-3-2
5- Design and Engineering of Cybersecurity Countermeasures ISA 62443-3-3
6- Installation, Commissioning, and Validation of Cyber security Countermeasures
- It also includes Design and Develop other means of Risk Reduction

Question 6

IC34 Develop and Develop phase works with

Answer 6

ISA 62443-3-2 and ISA 62443-3-3

Question 7

IC37 is the Maintain Phase which includes…

Answer 7

7- Cybersecurity maintenance, monitoring, and management of change ISA 62443-2-1
8- Cyber security response and Recovery ISA 62443-2-1

Question 8

IC37 works with?

Answer 8

ISA/IEC62443-2-1

Question 9

ISA 62443-2-1 also used for the the what?

Answer 9

• Cybersecurity management system for policies, procedures, training & Awareness.
• Periodic Cybersecurity Audits.

Question 10

Before running any assessment you must define what?

Answer 10

The Scope of the project must be defined first.

Question 11

Scope

Answer 11

Determine the parameters on what is included in the assessment and how it is performed.

Question 12

Scope include?

Answer 12

1- Identify Requirement
2- Specify Devices.
3- Select Collection Method
4- Document

Question 13

The Documents in the scope is to help identify

Answer 13

1- constrains
2- deliverables
3- assumptions
4- boundaries

Question 14

Key Component of project scope include

Answer 14

1- system architecture diagram
2- Network Diagram
3- asset Inventory
4- Criticality assessment

Question 15

ISA 62443 Reference Model include

Answer 15

• Level 0 Process
• Level 1 Safety/Protection and Basic Control
• Level 2 Supervisory Control
• Level 3 Operations Management
• Level 4 Enterprise Systems

Question 16

Network Diagram should illustrate

Answer 16

• How the network logically and physically constructed.
• ## Port assignment, VLANS, device types.

Question 17

Asset Inventory should be done for all component such as software, hardware, and network this can be done by means of

Answer 17

• Documentations
• Tools such as automated tools.
• Using Site Surveys.

Question 18

Automated tools should always be tested

Answer 18

this is important to ensure no security vulnerability are introduced in the network.

Question 19

Cyber Criticality Assessment

Answer 19

Is the measure of the negative impact, should information are not available, not reliable, or compromised . it will always refer to the AIC and how each one of them is effected.

Question 20

CHAPTER 2

Answer 20

Cybersecurity vulnerability assessment

Question 21

RISK IS?

Answer 21

Threat * Vulnerability * Consequences.

Question 22

Understanding Vulnerability will help with

Answer 22

Better understanding the Risk.

Question 23

Management is responsible to determine

Answer 23

The Acceptable Risk Level that they can tolerate - risk Tolerance.

Question 24

Risk Types are divided into the following

Answer 24

• Design Risk Out by changing the design
• Reduce Risk by implementing countermeasure.
• Transfer risk using insurance.
• Eliminate and remove redundant controls.
• Accept Risk

Question 25

Why conducting Cybersecurity Vulnerability Assessment

Answer 25

The CVA defines, identify, and classify the vulnerability in the Industrial Control System and it is network component,.

Question 26

First Step in evaluating Cyber Risk is?

Answer 26

Cybersecurity Vulnerability Assessment

Question 27

Cybersecurity Vulnerability Assessment

Answer 27

Evaluate the configuration, Implementation, Management, and Operation.

Question 28

Cybersecurity Vulnerability Assessment

Answer 28

Identify security deficiencies

Question 29

Cybersecurity Vulnerability Assessment Types

Answer 29

• High Level - GAP Assessment - least invasive
• Passive Assessment
• Active Assessment
• Penetration Test - Most Invasive

Question 30

When conducting risk you should always look at

Answer 30

• Cost of the Assessment
• Benefit gained from the Assessment.

Question 31

GAP ASSESSMENT

Answer 31

meant for reviewing the system and compare it to the industrial standards and regulations.

Question 32

GAP Assessment include

Answer 32

• Interviews with key personnel
• Questionnaires
• Walk though
• Examine of Sample Configurations and Drawings.

Question 33

Passive CVA include

Answer 33

• Reviewing configuration
• Collecting logs, data,
• Capture traffic from network
• Analysis of actual traffic.
• Reviewing ARP tables.

Question 34

Active CVA include

Answer 34

running tools which are more invasive to the system. tools such as Nessus, Advance IP scanner, NMAP, Shodan, and others.

Question 35

PEN Test

Answer 35

is the most intrusive to the system.
PEN TEST start with active scanners then it exploit known vulnerabilities in the system,.

• The JOB of the PEN TEST is to Validate the effectiveness of the countermeasures.

Question 36

Difference Between VA and PEN Test

Answer 36

VA only assess and collect data, identify weakness, and report. PEN test exploit Vuln and try to gain access using complex tools.

Question 37

How to conduct GAP assessment

Answer 37

• Identify benchmark standards.
• Gather information from system by performing interviews, site visit and documentation
• Compare the Benchmark standard with the performance - compart 1 and 2.
• Document and report the results.

Question 38

Gap Assessment tools include

Answer 38

• CSET tool
• Custom Databases
• Custom Spreadsheets

Question 39

Benefit of CSET tool

Answer 39

• Repeatable and Systematic approach to assess the network
• Evaluate against the security standards and regulation.
• Identify potential Vuln in the system
• Provide and offer guidelines

Question 40

CSET LIMITATIONS

Answer 40

• Its component focus and not system focus
• it cannot provide detailed risk assessment to deigns.
• it is not meant to substitute the in depth analysis.
• it is not risk analysis tool for system.
• date should be treated securely.

Question 41

Standard listed in CSET are

Answer 41

• NERC-CIP
• NIST Special publications.
• NIST SP800-82
• DoD Instruction 8500
• NIST Cyber Security Framework
• CNNSI 1253
• FIPS 199
• CFATS RBPS
• NRC-RG

Question 42

CSET Process includes

Answer 42

• Form a Team
• Add Assessment Information
• • Select Mode and Standard
• Determine Security Level
• Build a Network Diagram
• Answer Questions
• Analyze the Results.

Question 43

Which assessment give feedback

Answer 43

GAP Assessment

Question 44

Conducting Risk Assessment include

Answer 44

• Pre Assessment
• Kick off meeting
• Walk through
• Passive Data collection
• Network Scanning - Active
• Vulnerability Scanning - Active
• Analysis
• Reporting

Question 45

Pre Assessment phase include -1

Answer 45

• scope of the project
• Find assessment team
  -`Select standard
• set time and logistics
• Review Documents
• PPE requirement

Question 46

it is important to identifying gaps by

Answer 46

asking and collecting all documents required to help with assessment

Question 47

Kickoff meeting -2

Answer 47

• identify personnel
• timelines
• contract needs
• pre assessment requirement

Question 48

Walk through 3

Answer 48

• Visual inspection of the system
• Physical Security Review
• Review design document against actual installation.
• Observe Operating Environment
• Interview operational Personnel.

Question 49

Passive Data Collections - 4

Answer 49

• Windows System information
• Log files
• Firewall, switches, routers configuration.
• Network packet capture

Question 50

SPAN

Answer 50

capture traffic in all ports or same VLAN of the switch

Question 51

RSPAN

Answer 51

Remote Switch Port Analyzer - it is used with bigger network to allow for traffic to be sent. if a lot of messages running then some packets or frames will be lost.

Question 52

why do we use packet capture tools?

Answer 52

• identify what devices talk to
• identify protocols in the network
• detect unexpected or unusual traffic.
• recognize messages with clear text
• troubleshooting

Question 53

Active Scanning include

Answer 53

• Port Scanning
• Vulnerability Scanning
• Pentation Testing

Question 54

when running active scanning.

Answer 54

always make sure you have the proper approval for it.

Question 55

if port scanning return no response it basically means the network was effected

Answer 55

this behavior means the network is vulnerable.

Question 56

Vulnerability Scanner

Answer 56

is a computer program designed to assess computers, computer systems, and applications.

Question 57

Scanners for Vulnerability are

Answer 57

• Nessus
• Open Vas
• Nexpose
• Quslysy

Question 58

Pen Test

Answer 58

is the most invasive method to evaluate the network. it will exploits known vulnerabilities and unknown ones as well.

Question 59

Pen Test tools are

Answer 59

• Kali Linux
• Metasploit
• Canvas

Question 60

what type of tool is used to capture and display ethernet communication?

Answer 60

Packet Capture

Question 61

a feature that send copy of that data from one port to another

Answer 61

Port Mirroring

Question 62

what term is used to describe the passive collection of data packet capture

Answer 62

Sniffing the Ethernet

Question 63

Computer program that assess the network against weakness from known vulnerabilities is called?

Answer 63

Network Vulnerability Scanning tool

Question 64

Risk Management

Answer 64

Understanding risk is important to determine how to assess risk

Question 65

Understanding Risk in order to Manage it. how can we do that?

Answer 65

• Identify critical assets.
• Determine realistic Threat
• Identify existing Vulnerabilities
• Understand the consequences of compromise
• asses the effectiveness of the current countermeasures.

Question 66

How to develop plan for unacceptable risk?

Answer 66

• Evaluate existing countermeasures.
• Recommend additional countermeasures.
• Recommend changes to policies and procedures.
• priortize recommendation
• evaluate effectiveness and evaluate risk

Question 67

Benefit of Cyber Risk Assessment

Answer 67

• help to determine what needs to be addressed first
• help with understanding the threats and vlunrabilities
• provide information to reduce risk by introducing segmentation, hardening
• help with proritize the resources and activities.
• help to evaluate the countermeasure based on their cost/complexity.

Question 68

fine balance in security is defined as

Answer 68

cost vs the security level as per the organiziation.

Question 69

what standard addresses risk assessment requirement?

Answer 69

IEC62443-2-1

Question 70

Cybersecurity risk assessment process is listed under?

Answer 70

IEC62443-3-2

Question 71

the cybersecurity risk assessment process include

Answer 71

• Identify system under consideration SuC section 4.1
• Conduct high-level risk assessment section 4.2.
• partition the SuC into zones and conduits 4.3

Question 72

first step of the cybersecurity risk assessment process is identify the system under consideration which include?

Answer 72

• high-level diagrams
• inventory list review

Question 73

the outcome if the system under consideration is normally

Answer 73

• updated high level diagram and update inventory list.

Question 74

second step of the cybersecurity risk assessment process is to conduct high level risk assessment. the outcome of this include?

Answer 74

it is meant to perform high level assessment for the SuC. the result include the worst case unmitigated risk that the SuC is brining to the organization.

Question 75

High Level design normally address and understand the following

Answer 75

• performing exersie to understand the worst case scenario in term of financial and HSE.
• the scope should include the entire system under assessment.
• the team with the knowledge should develop the worst case scenario.
• any process hazard and process should be reviewed to identify potential consequences.
• the results of the high level design should then be rated using the CONSEQUENCE SCALE..

Question 76

Consequence scale include things like

Answer 76

High, Medium, and Low

Question 77

consequence scale also include areas defined such as

Answer 77

• Business Continuity Plan
• Information Security
• Process Safety
• Environment safety.

Question 78

Third step in the cybersecurity risk assessment process is?

Answer 78

define zones and conduits. this can be done based on the highlevel risk assessment. zones should be based on same function. same level, same security requirment.

Question 79

dont mix business and IACS system together

Answer 79

those are two different systems with different requirements. they should always be divided.

Question 80

Always remember that

Answer 80

Safety instrument systems are different from basic control systems. those two should not be interfered and put in the same zone.

Question 81

Temporary access should be set in a different zone than permement devices. this include

Answer 81

• usbs, maintenance machines, portable processing equipment’s. .

Question 82

Wireless devices ?

Answer 82

should always be in one zone or more but not in the control system zones. this is because those devices are part of bigger network behind them.

Question 83

devices from untrusted network should always be ?

Answer 83

connect in one zone which is different from the rest of the network.

Question 84

drawing for the SuC is important and it should include

Answer 84

• illustration of the different zones in the network
• clearly shows how each zone is separated in the network
• assets contained with those zones and conduits should be marked too.

Question 85

Cybersecurity Requirement Specifications (CRS)

Answer 85

• SuC description
• operation environment assumption
• threat landscape
• mandatory security function.
• tolerable risk
• regulatory requirement .

Question 86

there are Three main key task when preparing for Detailed risk assessment. those are?

Answer 86

• schedule a facilitator - someone can lead and have confidence in running cyber security assessment.
• Team and establishing team - the team should include, the facilitator, control engineer, network engineers. process, process safety, SMEs.
• prepare workshop material - this include network diagrams, previous assessment, data flow diagrams, inventory list, process flow,

Question 87

Detailed risk assessment as per the IEC62443-3-2 described as follow:

Answer 87

as per the standard it is defined under section 5-
the standard explain the input which is the requirement for each zone and conduit. the middle is the requirement and the output is the results.

the list is
5.1 identify threat
5.2 identify vulnerabilities
5.3 determine consequences and impact.
5.4 determine likelihood.
5.5 calculate unmitigated cyber security risk
5.6 determine security level target.
5.7 consider exaiting countermeasures,
5.8 reevaluate likelihood and impact
5.9 calculate residual risk
5.10 all risk mitigated or below tolerable risk.
5.11 apply additional cybersecurity measure.
5.12 document results

Question 88

Section 5.1 talk about identifying threat.

Answer 88

here we should list all the threats that could effect the assets. we should include
- threat description.,
- description of the threat skills.
- description of possible threat vector.
- identifying possible effected systems.

Question 89

Threat source

Answer 89

threat source could be - person or group. they normally created a software or hardware threat. it could also be environmental such as flood.

the list should be comprehensive. and the threat should be classified and listed.

Question 90

common threat sources.

Answer 90

• unauthorized internal personnel
• authorized internal personnel
• unauthorized external personnel - hacker.
• authorized 3rd party.
• malware, equipment, equipment.

Question 91

Threat vector

Answer 91

Is the means the threat source may utilize to compromise zone or conduit.

this only describe what the attack is in general for documentation purposes. for example we talk about spoofing in general, tampering and what they mean in general.

Question 92

Section 5.2 talk about identify Vulnerabilities.

Answer 92

Vulnerability is the weakness or the flow in a system design .

Question 93

Classes of vulnerability include

Answer 93

• policy and procedural
• architecture and design
• configuration and maintenance.
• physical
• software
• communication and network

Question 94

section 5.3 is determine consequences and impact.

Answer 94

basically each threat and VULN found in section 5.1 and 5.2 should be evaluated to determine the consequences and impact. everything should be documented, for example when a person is injured then we need to know what is the conesquence who got effected and how much the fine.

Question 95

example of consequence include

Answer 95

create statement of the worst case consequence if threat would have happened. then assign impact rating as per consequence. normally worst case scenario is when no countermeasure in place.

Question 96

section 5.4 talk about the determining the likelihood.

Answer 96

likelihood is based on section 5.2 which is evaluating the vulnerability. the likelihood is either defined using frequency or probability.

Question 97

likelihood based on frequency include

Answer 97

• target attractiveness
• attack surface.

Question 98

likelihood based on probablitiy include

Answer 98

• capability of threat vector
• known vulnrability
• motive/intent of threat.

Question 99

likelihood scale

Answer 99

most of the time is qualitative ( no numbers) it uses low, medium, or high. another

Question 100

unmitigated likelihood threat.

Answer 100

we will always need the UTL - unmitigated threat Likelihood for each threat. this is important.

the UTL means that likelihood of threat leading to final consequence.

Question 101

Section 5.5 is calculating unmittigated cybersecurity risk

Answer 101

this calculation is normally done using RISK MATRIX that establish the relationship between the likelihood and impact.
By providing the likelihood and impact measures we can easily determine and calculate the unmitigated cybersecurity risk

Question 102

Section 5.6 focuses on determining the security level target.

Answer 102

this needs to be done for each zone and conduit. the SLT in general is related to the CRRF and it is the unmitigated risk/tolerable risk.

Question 103

5.7 consider existing countermeasure.

Answer 103

in this level we evaluate the level of existing countermeasure to reduce the likelihood or attack.

Question 104

5.8 revaluate the likelihood and impact.

Question 105

5.9 Calculate Residual Risk

Answer 105

• it is the combination of mitigate likelihood and impact measure.

Question 106

5.10 Residual Risk

Answer 106

it should be less than the tolerable risk. the company can decided to either transfer it, accept it, or reduce it.

Question 107

5.11 apply additional cybersecurity countermeasure

Answer 107

this step is used to take care of any residual risk that it exceeds the tolerable risk. you can use IEC62443-3-3 which have option to how risk is and countermeasure are treated.

Question 108

documentation is important. this include

Answer 108

• documenting the results and participants for the assessment.
• ## date should be identified on when the assessment was conducted.

Question 109

Why documentations are so important?

Answer 109

• documents are meant to verify, audit, and prove the finding of the assessment.
  documents should be under control scheme, they also needs to tracked, verified, updated and amended as per the requirement.

Question 110

what documents are important to keep?

Answer 110

• Gap assessment reports.
• Vulnerability assessment reports.
• Risk Assessment Reports.
• Zone and Conduit diagrams.
  Cybersecurity Requirement Specifications CRS.

Question 111

GAP assessment is

Answer 111

High level document with all the findings. THIS DOCUMENT INCLUDES THE SL-T

Question 112

vulnerability assessment report should include information concerning the “as found” in the system. results include:

PEER COMPARISION

Answer 112

• Discovered cyber assets.
• policy and procedure VULN
• Arch and Design Vuln
• physical VULN
• Software VULN.
• Communication and network vuln

Question 113

cybersecurity risk assessment report - RISK PROFILE

Answer 113

it general it provide risk profile. risk profile include
- document finding such as high risk threats, high risk vulnerability and detailed assessment worksheet.

Question 114

Zone and Conduits

Answer 114

one of the requirement is to divide the network into zones and conduits.

Question 115

Cybersecurity Requirement Specification CRS - THIS IS LIVING DOCUMENT!

Answer 115

this document include general security requirement based upon company policy, standard and regulations.

• NOTE- CRS INCLUDE DEFINATIONS OF ZONES AND CONDUITS, ACCESS CONTROL REQUIREMENT,

Question 116

when developing the CRS the following should be included.

Answer 116

• system arch
• definition of zone and conduits.
• network segment requirement
• access control requirement
• physical requirement
• detection requirement