What is the purpose of assigning a Target Security Level (SL-T) during the Assess phase of ICS security implementation?
To determine the existing vulnerabilities of the system.
What happens during the Develop & Implement phase of ICS security implementation?
Countermeasures are implemented to meet the Target Security Level (SL-T).
What is the primary goal of the Maintain phase in ICS security implementation?
To ensure the Achieved Security Level (SL-A) is equal to or better than the Target Security Level (SL-T).
What is phase 1 of the IACS Cybersecurity Life Cycle?
Assess
What is phase 2 of the IACS Cybersecurity Life Cycle?
Develop & Implement
What is phase 3 of the IACS Cybersecurity Life Cycle?
Maintain phase
What is step 1 of the IACS Cybersecurity Life Cycle (Assess Phase)?
High-Level Cyber Risk Assessment
What is step 2 of the IACS Cybersecurity Life Cycle (Assess Phase)?
Allocation of IACS Assets to Security Zones or Conduits
What is step 3 of the IACS Cybersecurity Life Cycle (Assess Phase)?
Detail Cyber Risk Assessment
What is step 4 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Cybersecurity Requirements Specification
What is step 5 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Design and engineering of Cybersecurity countermeasures
What is step 6 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Installation, commissioning and validation of Cybersecurity countermeasures
What is step 7 of the IACS Cybersecurity Life Cycle (Maintain)?
Cybersecurity Maintenance, Monitoring and Management of Change
What is step 8 of the IACS Cybersecurity Life Cycle (Maintain)?
Cyber Incident Response & Recovery
What are the continuous process activities of the IACS Cybersecurity Life Cycle?
Cybersecurity Management System: Policies, Procedures, Training & Awareness, Periodic Cybersecurity Audits
A risk assessment should provide information about what?
An entire system as well as each zone
What information should be provided from a risk assessment?
-Risk profile
-Highest severity consequences
-Threats / vulnerabilities leading to the highest risks
-Target Security Levels
-Recommendations
A thorough risk assessment should deliver insights on system-wide, zone-specific, and conduit-specific levels and generate:
-Risk profile
-Highest severity consequences
-Threats / vulnerabilities leading to the highest risks
-Target Security Levels
-Recommendations
What is the output of a Risk Assessment called?
Cybersecurity Requirement Specification (CRS)
The CRS must include at least the following:
SUC description
Zone and conduit drawings
Zone and conduit characteristics
Operating environment assumptions
Threat environment
Organizational security policies
Tolerable risk
Regulatory requirements
What documents are required per zone/conduit?
•Name and/or unique identifier
•Accountable organization(s)
•Definition of logical boundary
•Definition of physical boundary, if applicable
•Safety designation
•List of all logical access points
•List of all physical access points
•List of data flows associated with each access point
•Connected zones or conduits
•List of assets and their classification, criticality and business value
•SL-T
•Applicable security requirements
•Applicable security policies
•Assumptions and external dependencies
How can the 5D's be applied to IACS's?
By developing a physical and cybersecurity protection strategy for each zone & conduit
What should physical and Cybersecurity protection strategy for each zone & conduit be based on?
-Risk assessment results
-Target Security Level
-Cybersecurity Requirements Specification
How many Security Levels (SLs) are defined in the ISA/IEC 62443 series?
5
What Security Level is defined as having no specific requirements or security protection necessary?
SL 0
What Security Level is defined as protection against casual or coincidental violation?
SL 1
What Security Level is defined as protection against intentional violation using simple means with low resources, generic skills and low motivation?
SL 2
What Security Level is defined as protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation?
SL 3
What Security Level is defined as protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation?
SL 4
What Security Level (SL) is defined as the security level reached by a zone or conduit?
Achieved Security Level (SL-A)
What Security Level (SL) is defined as the highest security level obtainable by the zone, conduit, or component?
Capability Security Level (SL-C)
What Security Level (SL) must be verified by the ISASecure group EDSA/CSA Certifications?
Capability Security Level (SL-C)
For owner operators, what ISA standard maps the Capability Security Level (SL-C)?
ISA-62443-3-3
For product suppliers and ISASecure, what ISA standard maps the Capability Security Level (SL-C)?
ISA-62443-4-2
What Security Level (SL) is assigned as part of the CRS documentation and is the desired target of the zone or conduit?
Target Security Level (SL-T)
What is the purpose of establishing a Target Security Level (SL-T)?
Communicate the desired level of security for a specific zone or conduit.
How can the Target Security Level (SL-T) be expressed?
As a single value or a vector.
Where can you find more information on the SL vector approach?
Annex A of the ISA-62443-3-3 standard
What are the two pillars of the IACS Cybersecurity Lifecycle contained within the ISA 62443-2-1?
Cybersecurity Management System: Policies, Procedures, Training & Awareness and Periodic Cybersecurity Audits
What is the first step of developing a Security Strategy?
Identify Zone
How many zones should be evaluated at once when developing your Security Strategy?
One at a time
What type of assessment results should be reviewed to inform the development of your Security Strategy?
Risk Assessment Results / Cybersecurity Requirement Specifications (CRS)
During the development of a Security Strategy, what should be done with Security Target Levels (SL-T)?
This type of Security Level (SL) should be established
Other than zones, what should be identified during the development of a Security Strategy?
physical and cyber access points
What is the objective of developing a 5D physical and cybersecurity strategy while creating a Security Strategy?
To ensure security measures are in place to address each access point.
What are the four "T's" of Managing Risks?
Tolerate, Transfer, Terminate, Treat
Which "T" of Managing Risk is defined as risk known and accepted by the organization?
Tolerate
Which "T" of Managing Risk is defined as risk delegated to a third party?
Transfer
(True/False) Transferring risk to a third party eliminates the risk.
False
(True/False) The correlation of Security Levels is an iterative cycle.
True
Which "T" of Managing Risk is defined as stopping the process or activity, or stopping the use of the premises or IT system at risk, so that the risk is no longer relevant?
Terminate
Which "T" of Managing Risk is defined as the endeavor to decrease the probability of the threat occurring or mitigate its impact through the implementation of appropriate controls and continuity strategies?
Treat
What are the five "Ds" of treating risk?
Deter
Detect
Delay
Deny
Defeat
What industries and sectors are the five "Ds" of treating risk used in?
-Nuclear weapons security
-Physical / perimeter security
-Military defense
What is the objective of the first "D" in treating risk, Deter?
Thwart the attacker from even attempting a breach of the system.
How does the deter perimeter relate to the location of the assets?
This perimeter is the farthest one from the location of the assets.
What are some examples of physical infrastructure that can contribute to deterrence in risk treatment?
Examples of physical infrastructure that can contribute to deterrence in risk treatment include fences, lighting, visible surveillance technology, and signs saying "no trespassing" or "area under surveillance."
What is the objective of the second "D" in treating risk, Detect?
The objective is to monitor large areas of space and accurately detect possible unauthorized intrusion in time to respond appropriately.
How does surveillance camera technology contribute to accurate detection?
Surveillance camera technology, especially megapixel cameras, is highly effective as an accurate detection tool.
What are important objectives when it comes to intrusion detection?
Timely notification to security personnel and the ability to analyze in detail, and with context, where an intrusion was detected.
What is the objective of the third "D" in treating risk, Delay?
To slow down an active intrusion enough to force the intruder to give up or allow the security team to respond.
What is the objective of the fourth "D" in treating risk, Deny?
To keep unauthorized persons out, while allowing authorized persons to enter
What is the objective of the fifth "D" in treating risk, Deny?
A response that attempts to apprehend the intruder or destroy the attack kill chain.
What is the objective of the sixth "D" in treating risk, Defeat?
A security personnel response that attempts to apprehend the intruder.
What is required to establish complementary physical and cybersecurity policies?
Security policies and procedures shall be established for both physical and cybersecurity to protect assets.
What is required to establish physical security perimeter(s)?
Physical security perimeters shall be established to prevent unauthorized access to protected assets.
What is required to provide entry controls?
At each barrier or boundary, appropriate entry controls shall be provided.
What is the objective of deterring cyber attacks?
The goal is to discourage potential attackers from breaching the system, by demonstrating a firm commitment to system defense and pursuing prosecution of intruders.
Deter strategies and tools:
Policies and procedures
Warning banners
Obscurity
What is the objective of detecting cyber attacks?
The aim is to vigilantly monitor systems, enabling timely detection and appropriate response to potential unauthorized intrusions.
Detection strategies and tools:
Intrusion detection systems (IDS)
Security incident and event monitoring (SIEM)
Anti-virus
Firewalls
Email / URL filtering
Train personnel to detect phishing and social engineering
What is the goal of delaying cyber attacks?
The aim is to decelerate an ongoing intrusion, prompting the intruder to abandon the attack or enabling the security team to react.
Delay strategies and tools:
Security Hardening
Patching
Encryption
Network segmentation
Access controls
Honey Pot Systems
What is the goal of denying cyber attacks?
The goal is to prevent unauthorized users or software access, while granting access to authorized users or software.
Denial strategies and tools:
Firewalls
Whitelisting
Intrusion Prevention Systems (IPS)
Access controls
What is the goal of defeat/responding to cyber attacks?
The aim is to eliminate intruders or malicious software, restore the system to normal, and retain forensic evidence to identify and prosecute the intruder.
Defeat/respond strategies and tools:
Malware removal tools
Policies & procedures
Intrusion Prevention
Conceptual Cybersecurity Design Specifications:
Document the new or upgraded security countermeasures that are planned to achieve the Target Security Level (SL-T)
Scope of work
Conceptual system architecture
Budgetary cost and schedule estimates
e.g. new systems (Greenfield) vs. existing systems (Brownfield)
What Foundational Requirements (FR) is Identification and authentication control (IAC)?
FR 1
What are three common constraints of Control System Security?
Support of essential functions
Compensating countermeasures
Least privilege
What Foundational Requirements (FR) is Use control (UC)?
FR 2
What Foundational Requirements (FR) is System integrity (SI)?
FR 3
What Foundational Requirements (FR) is Data confidentiality (DC)?
FR 4
What Foundational Requirements (FR) is Restricted data flow (RDF)?
FR 5
What Foundational Requirements (FR) is Timely response to events (TRE)?
FR 6
What Foundational Requirements (FR) is Resource availability (RA)?
FR 7
How can a vector be more effective in describing the security requirements for a zone, conduit, component, or system compared to a single number?
By providing a more detailed and comprehensive representation of security requirements, considering multiple aspects or parameters beyond a single number.
In what scenario can the security level be defined per PR instead of having the same security level for each Foundational Requirement (FR)?
If a system does not require the same security level for every Foundational Requirement (FR), it is possible to define the security level on a per PR (Protection Requirement) basis, tailoring the security measures accordingly.
What is definition of FR 1?
Identify and authenticate all users before allowing them to access the control system.
(True/False) For FR 1, "Users" includes humans, software processes, and devices.
True
What is a definition of FR 2?
Ensure that authenticated users only have access to authorized actions within the control system.
What two Foundational Requirements (FRs) compose Access Control?
FR 1 and FR 2
What is a definition of FR 3?
Ensure the integrity of the IACS by safeguarding communication channels, maintaining secure configurations and software, implementing change and version management, protecting against malware, securing stored data/records, utilizing encryption, and enabling read-only access.
What is a definition of FR 4?
The key components of a secure industrial control system include physical security, secure communication protocols, data integrity, malware protection, EICAR test string verification, source code management systems, detection of unauthorized changes, secure programming techniques, input validation on HMI and controller, and error handling for output to a predetermined state during attacks.
What is a definition of FR 5?
Ensure the confidentiality of sensitive information by protecting communication channels and data repositories against unauthorized disclosure and eavesdropping.
What technologies ensure Data Confidentiality?
Physical security measures, encryption/cryptography, and the use of secure protocols.
What Technologies ensure System Integrity?
Network segmentation through zones and conduits to control data flow and the use of unidirectional gateways, stateful firewalls, and DMZs to isolate control system networks from business or public networks.
What is a definition of FR 5?
Segmenting the control system using zones and conduits to limit unnecessary data flow and disconnecting control system networks from business or public networks. This is achieved through the use of unidirectional gateways, stateful firewalls, and DMZs to effectively manage the flow of information.