What is phase 1 of the IACS Cybersecurity Life Cycle?
Assess
What is phase 2 of the IACS Cybersecurity Life Cycle?
Develop & Implement
What is phase 3 of the IACS Cybersecurity Life Cycle?
Maintain
When are countermeasures implemented to meet the Target Security Level (SL-T)?
During the Develop & Implement phase of ICS security implementation
What is the primary goal of the Maintain phase in ICS security implementation?
To ensure the Achieved Security Level (SL-A) is equal to or better than the Target Security Level (SL-T).
What is step 1 of the IACS Cybersecurity Life Cycle (Assess Phase)?
High-Level Cyber Risk Assessment
What is step 2 of the IACS Cybersecurity Life Cycle (Assess Phase)?
Allocation of IACS Assets to Security Zones or Conduits
What is step 3 of the IACS Cybersecurity Life Cycle (Assess Phase)?
Detail Cyber Risk Assessment
What is step 4 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Cybersecurity Requirements Specification
What is step 5 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Design and engineering of Cybersecurity countermeasures
What is step 6 of the IACS Cybersecurity Life Cycle (Develop & Implement Phase)?
Installation, commissioning and validation of Cybersecurity countermeasures
What is step 7 of the IACS Cybersecurity Life Cycle (Maintain)?
Cybersecurity Maintenance, Monitoring and Management of Change
What is step 8 of the IACS Cybersecurity Life Cycle (Maintain)?
Cyber Incident Response & Recovery
What are the continuous process activities of the IACS Cybersecurity Life Cycle?
Cybersecurity Management System: Policies, Procedures, Training & Awareness, Periodic Cybersecurity Audits
A risk assessment should provide information about what?
An entire system as well as each zone
What information should be provided from a risk assessment?
-Risk profile
-Highest severity consequences
-Threats / vulnerabilities leading to the highest risks
-Target Security Levels
-Recommendations
What is the named output of a risk assessment?
Cybersecurity Requirement Specifications (CRS)
Once created, what is the Cybersecurity Requirement Specifications (CRS) used for?
Input for the Develop & Implement phase
What, at a minimum, should Cybersecurity Requirement Specifications (CRS) include?
-SUC description
-Zone and conduit drawings
-Zone and conduit characteristics
-Operating environment assumptions
-Threat environment
-Organizational security policies
-Tolerable risk
-Regulatory requirements
In what phase of the IACS Cybersecurity Lifecycle do you assign a Target Security Level (SL-T)?
Assess
In what phase of the IACS Cybersecurity Lifecycle do you implement countermeasures to meet an Achieved Security Level (SL-A)?
Develop & Implement
In what phase of the IACS Cybersecurity Lifecycle do you ensure the Achieved Security Level (SL-A) meets or exceeds the Target Security Level (SL-T)?
Maintain
What documents are required per zone/conduit?
• Name and/or unique identifier
• Accountable organization(s)
• Definition of logical boundary
• Definition of physical boundary, if applicable
• Safety designation
• List of all logical access points
• List of all physical access points
• List of data flows associated with each access point
• Connected zones or conduits
• List of assets and their classification, criticality and business value
• SL-T
• Applicable security requirements
• Applicable security policies
• Assumptions and external dependencies
How many Security Levels (SLs) are defined in the ISA/IEC 62443 series?
5
What Security Level is defined as having no specific requirements or security protection necessary?
SL 0
What Security Level is defined as protection against casual or coincidental violation?
SL 1
What Security Level is defined as protection against intentional violation using simple means with low resources, generic skills and low motivation?
SL 2
What Security Level is defined as protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation?
SL 3
What Security Level is defined as protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation?
SL 4
What Security Level (SL) is defined as the security level reached by a zone or conduit?
Achieved Security Level (SL-A)
What Security Level (SL) is defined as the highest security level obtainable by the zone, conduit, or component?
Capability Security Level (SL-C)
What Security Level (SL) must be verified by the ISASecure group EDSA/CSA Certifications?
Capability Security Level (SL-C)
For owner operators, what ISA standard maps the Capability Security Level (SL-C)?
ISA-62443-3-3
For product suppliers and ISASecure, what ISA standard maps the Capability Security Level (SL-C)?
ISA-62443-4-2
What Security Level (SL) is defined as assigned as part of the CRS documentation and the desired target of the zone or conduit?
Target Security Level (SL-T)
What is the purpose of establishing a Target Security Level (SL-T)?
Communicate the desired level of security for a specific zone or conduit.
How can the Target Security Level (SL-T) be expressed?
As a single value or a vector.
Where can you find more information on the SL vector approach?
Annex A of the ISA-62443-3-3 standard
What are the two pillars of the IACS Cybersecurity Lifecycle contained within the ISA 62443-2-1?
Cybersecurity Management System: Policies, Procedures, Training & Awareness and Periodic Cybersecurity Audits
What is the first step of developing a Security Strategy?
Identify Zone
How many zones should be evaluated at once when developing your Security Strategy?
One at a time
What type of assessment results should be reviewed to inform the development of your Security Strategy?
Risk Assessment Results / Cybersecurity Requirement Specifications (CRS)
During the development of a Security Strategy, what should be done with Target Security Levels (SL-T)?
This type of Security Level (SL) should be established
Other than zones, what should be identified during the development of a Security Strategy?
Physical and cyber access points
What is the objective of developing a 5D physical and cybersecurity strategy while creating a Security Strategy?
To ensure security measures are in place to address each access point.
What are the four "T's" of Managing Risks?
Tolerate, Transfer, Terminate, Treat
Which "T" of Managing Risk is defined as risk known and accepted by the organization?
Tolerate
Which "T" of Managing Risk is defined as risk delegated to a third party?
Transfer
(True/False) Transferring risk to a third party eliminates the risk.
False
(True/False) The correlation of Security Levels is an Iterative Cycle
True
Which "T" of Managing Risk is defined as stopping the process or activity, or stopping the use of the premises or IT system at risk, so that the risk is no longer relevant?
Terminate
Which "T" of Managing Risk is defined as the endeavor to decrease the probability of the threat occurring or mitigate its impact through the implementation of appropriate controls and continuity strategies?
Treat
What are the five "Ds" of treating risk?
-Deter
-Detect
-Delay
-Deny
-Defeat
What industries and sectors are the five "Ds" of treating risk used in?
-Nuclear weapons security
-Physical / perimeter security
-Military defense
What is the objective of the first "D" in treating risk, Deter?
Thwart the attacker from even attempting a breach of the system.
How does the deter perimeter relate to the location of the assets?
This perimeter is the farthest one from the location of the assets.
What are some examples of physical infrastructure that can contribute to deterrence in risk treatment?
Examples of physical infrastructure that can contribute to deterrence in risk treatment include fences, lighting, visible surveillance technology, and signs saying "no trespassing" or "area under surveillance."
What is the objective of the second "D" in treating risk, Detect?
The objective is to monitor large areas of space and accurately detect possible unauthorized intrusion in time to respond appropriately.
How does surveillance camera technology contribute to accurate detection?
Surveillance camera technology, especially megapixel cameras, is highly effective as an accurate detection tool.
What are important objectives when it comes to intrusion detection?
Timely notification to security personnel and the ability to analyze, in detail and with context, where an intrusion was detected
What is the objective of the third "D" in treating risk, Delay?
To slow down an active intrusion enough to force the intruder to give up or allow the security team to respond.
What is the objective of the fourth "D" in treating risk, Deny?
To keep unauthorized persons out, while allowing authorized persons to enter
What is the objective of the fifth "D" in treating risk, Defeat?
A response that attempts to apprehend the intruder or destroy the attack kill chain.
How can the 5 Ds be applied to IACS?
By developing a physical and cybersecurity protection strategy for each zone & conduit
What should the physical and cybersecurity protection strategy for each zone & conduit be based on?
-Risk assessment results
-Target Security Level
-Cybersecurity Requirements Specification