IC37 IEC62443 Flashcards

(97 cards)

1
Q

Scope

A

Determine the parameters of what is included in the assessment and how it is performed.

2
Q

Scope includes

A
  • Identify requirements
  • Specify devices
  • Select collection method
  • Document
3
Q

Key Components of Scope

A
  • System description
  • Asset inventory
  • Criticality assessment
  • System architecture design
  • Document data flow
  • Network diagram
4
Q

Cybersecurity Vulnerability Assessment

A

Defines, identifies, and classifies the security vulnerabilities in an industrial control system and its related network infrastructure.

5
Q

Cybersecurity Vulnerability Assessment is

A

- Critical step in evaluating cyber risk
- Evaluates the IACS design, implementation, configuration, operation and management.
- Determines the adequacy of security measures and identifies security deficiencies

6
Q

Benefits of cybersecurity risk assessment

A
  • Determine what plants/processes need to be addressed and in what order.
  • Definition of threats, vulnerabilities, and consequences so they can be mitigated (this is very time consuming).
  • Design and apply countermeasures to reduce risk.
  • Prioritize mitigation activities and resources.
  • Evaluate countermeasure effectiveness versus cost and complexity.
7
Q

Cyber Risk Assessment Process

A
  • Identify the system under consideration (SUC).
  • Conduct a high-level cyber risk assessment.
  • Partition the SUC into zones and conduits.
  • Perform a detailed cybersecurity risk assessment for each zone and conduit.
  • Document security requirements, assumptions and constraints.
8
Q

For each zone and conduit you will need to run

A

IEC 62443-3-3

The detailed risk assessment process (this is section 5 of the detailed risk assessment). Just an FYI, this includes:

  • Identify threats
  • Identify vulnerabilities
  • Determine consequences and impact
  • Determine likelihood
  • Calculate unmitigated cyber risk
  • Determine security level target
  • Consider existing countermeasures
  • Re-evaluate likelihood and impact
  • Calculate residual risk
  • Check that all risk is mitigated or below tolerable risk
  • Document the results
9
Q

You need documentation to prove what you did

A

Documents in general should be
- Revised
- Amended
- Reviewed
- Approved

10
Q


A

Review for the Design Chapter

11
Q

Remember the 4 Ts of managing risk

A
  • Tolerate - risk the organization is willing to take.
  • Transfer - insurance.
  • Terminate - block the risk.
  • Treat - reduce the likelihood.
12
Q

Five D's of treating risk

A
  • Deter
  • Detect
  • Delay
  • Deny
  • Defeat.
13
Q

Remember firewalls

A

Firewalls block unauthorized access. Two kinds: network firewalls and host firewalls.

14
Q

IDS are either

A

NIDS or HIDS, using either:

  • Pre-defined rules (signatures)
  • Anomaly (behavior)
15
Q

Remote access

A

Huge operational benefits.
High risk.

With the ease of remote access come huge operational benefits and high risk.

16
Q


Monitoring and Management

A

Identify components of the asset inventory
Identify system hardening

17
Q

Asset Inventory

A

Maintain a list or database of all IACS and SCADA hardware, physical and virtual.

18
Q

Asset inventory is done through

A
  • Documentation and site survey. This could take a long time if the company has been around for a long time.
  • Tools can also be used.
19
Q

If you use automation tools, ensure that

A
  • they don't impact system availability or integrity
  • they don't introduce security vulnerabilities
20
Q

Hardware includes all

A

Servers, computers, workstations, smartphones, PLCs, DCS, VFDs, RTUs, etc., and routable serial devices.

You will need to have a record of
- Asset ID
- Device type
- Function
- Network interfaces
- Network addresses
- Manufacturer
- Model
- Serial number
- Operating system and version
- Firmware version
- Physical location
- Notes
- Device system name

All VM details need to be documented as well - do not forget this.

  • All software: applications, databases, firmware, operating systems, patch process.

Anything with Ethernet or serial communication, including routable serial: Modbus, serial, Profibus.

21
Q

Asset inventory for software is also important. This should include

A

- Operating systems
- Applications
- Databases
- Firmware

22
Q

Asset inventory tools are either:

Network management tools
Software asset management (SAM) tools
Configuration management tools

A

Network management tools
- SolarWinds, OpenNMS, Siemens SNM, Moxa
Software asset management (SAM) tools
- IT Asset Tool, Microsoft System Center
Configuration management tools
- Rockwell AssetCentre, PAS Integrity, MDT AutoSave

23
Q

System Hardening

A

The process of securing a system by reducing its attack surface. This includes:

  • Remove unnecessary software
  • Remove unnecessary user accounts
  • Enforce strong access control (multifactor authentication is important)
  • Disable or remove services (this is important)
  • Install security patches (patches are also important)
24
Q

Which devices can be hardened?

A

Any configurable device can be hardened, such as operating systems, databases, applications, managed switches, routers, firewalls, modems, PLCs, IEDs, VFDs.

25
Q

Operating system hardening - where to go? (OS hardening is very important.)

A

  • NIST SP 800-123
  • Microsoft Security Guides
  • CIS Security Benchmarks
  • DISA STIGs
  • Automation suppliers

Remember: 800-123 is OS hardening.

26
Q

Basic steps to secure an operating system (OS)

A

  • Patch and update the OS
  • Remove or disable services, applications and network protocols
  • Configure access controls
  • Configure OS user authentication
  • Install and configure additional security controls
  • Test the security of the OS

List of unnecessary software to remove:
  • Games
  • Unused device drivers
  • Messaging services
  • Unused internet software
  • Compilers
  • Unused protocols
27
Q

Device hardening guidance (device hardening: 800-82)

A

NIST SP 800-82. Always look for vendor guidance as well.

28
Q

Hardening devices include

A

PLCs, motors and drives, I/O, HMIs, sensors, IEDs, flow computers.

29
Q

Hardening of devices includes

A

  • Disable program changes
  • Install vendor firmware updates
  • Compare file hashes
  • Shut down unused network interfaces
  • Change default passwords
  • Enable logging
  • Disable unused protocols
  • Restrict remote access
  • Protect with ICS
  • Disable services that are not used
30
Q

Network hardening - NSA, Cisco, NIST, SANS security configuration checklists

A

Three functional planes of a network:
  • Management - IOS, SSH, SNMP
  • Control - EIGRP, BGP, OSPF
  • Data - the actual data

31
Q

Network hardening best practices

A

  • Install firmware updates
  • Compare hash files
  • Shut down unused physical interfaces
  • Enable configuration access control
  • Change and encrypt passwords
  • Use SNMPv3
  • Restrict remote management
  • Use secure protocols
  • Shut down unused services
  • Enable logging
32
Q

Access control

A

Policies, procedures and technical controls that govern the use of system resources. Access control ensures a system is only accessible to authorized users, programs, processes and other systems.

Access control enforces the following:
  • Separation of duties
  • Least privilege
  • System notification
  • Previous login notification
  • Concurrent sessions
  • Session locking
  • Unsuccessful login attempts
  • Session termination

33
Q

Access control involves

A

Establishing, activating, modifying, reviewing, disabling and removing accounts.

34
Q

Access control best practices

A

  • Develop an access control policy to establish appropriate logical and physical rules
  • Segregate data with high sensitivity
  • Employ multiple authentication
  • Make use of centralized identity
  • Use organizational units

35
Q

Always use multifactor authentication

A

Something you know, something you have, something you are.
36
Q

Remote access

A

Technology made it so easy.

37
Q

A VPN appliance is a network device enhanced with security features known as Secure Sockets Layer (SSL).

A

A network using public telecommunication infrastructure, such as the internet, to provide remote networks or computers with secure access to another network.

38
Q

VPN security employs

A

  • IPsec (Internet Protocol Security)
  • SSL/TLS (Transport Layer Security)
  • DTLS (Datagram Transport Layer Security)
  • MPPE (Microsoft Point-to-Point Encryption)
  • SSTP (Secure Socket Tunneling Protocol)
  • MPVPN
  • SSH

39
Q

Firewall evolution into all-inclusive security products: NGFW

A

  • Firewall
  • VPN
  • Content filtering
  • Load balancing
  • Antispam
  • Data
40
Q

Types of VPNs

A

Site-to-site VPN, VPN gateway.

41
Q

VPN best practices

A

  • Require the use of corporate-owned laptops
  • Provide remote access users with a secure bootable image
  • No VPN split tunneling should be allowed
  • Change the TCP port to something else
  • Monitor and log all remote access sessions
  • Encrypt all communications
  • Configure modems for maximum security
  • Restrict remote connections to specific machines

42
Q

Secure remote access examples

A

  • Read-only access
  • One-way reporting
  • Limited data exchange
  • Employee and vendor remote maintenance and troubleshooting
  • Full remote operations
43
Q

Antimalware management

A

Malware-related incidents are the number one cause of cyber-related production losses and upsets in process control systems. Viruses can impact control systems. Use a mixed deployment. All major PLC and DCS vendors support firewalls.

44
Q

Always recommend using mixed solutions

A

  • Antivirus scanning at the control system firewall
  • Automatic updating for non-critical systems or systems with approved update schemes
  • Manual scheduled updates for more difficult systems

45
Q

Whitelisting vs blacklisting: benefits and issues

A

Whitelisting
  • Benefits: smaller and more efficient; does not require signature updates; can ensure critical files are approved; zero-day protection.
  • Issues: agnostic to malware; can block software updates.

Blacklisting
  • Benefits: can define malicious software behavior.
  • Issues: the number of known bad signatures is large and growing; requires frequent updates; false positives can block critical files; no protection against zero-day attacks.

46
Q

Whitelisting means

A

Allow known good.

47
Q

Blacklisting

A

Blocking known bad.
48
Q

Anti-virus management

49
Q

Application control

A

Identify entitlement, privilege, or access-based approval. Protect memory so applications in memory cannot be changed.

50
Q

Change control

A

Extends application control to include file integrity monitoring for non-executables.

51
Q

Always keep systems up to date because it is critical to protection.

52
Q

Patching

A

Patches should be analyzed for each device, then installed and verified on a test system. A backup should be done before a patch is installed. Document all changes.
53
Q

Patch management lifecycle (it is a continuous process)

A

  • Information gathering
  • Monitoring and evaluation
  • Patch testing
  • Patch deployment
  • Verification and reporting

54
Q

Patch management best practices

A

  • Establish and maintain an inventory of all updatable electronic devices
  • Determine a regular schedule and what is available
  • Test deployment of patches in a manner that reflects the production environment
  • Schedule qualified patches for installation at the next available opportunity
  • Update records at planned intervals
  • Periodically identify security vulnerabilities
  • Implement patches or equivalent countermeasures

55
Q

PLC backup and configuration management (backup and recovery)

A

  • Restoration time - how much time is required; is redundancy required?
  • Backup interval - how often the backup should run
  • Backup management - how many duplicates are required in case of damage
  • Media storage - keep media and license keys in a safe area
  • Responsible party - which department is responsible
  • Review and update plan - review and update the BCP when the system changes
56
Q

System backup best practices

A

  • Check for redundancy: real time? near real time? data center? hot, warm, cold?
  • Point-in-time snapshots: automated or manual?
  • Maintain version control
  • Automate the backup
  • Protect backups

57
Q

System backup types?

A

  • Redundant systems
    - Physical or virtual
    - PCs
    - Hardware/software
    - Network
  • Point-in-time snapshots
    - PC code, apps, image, partitions, files and config
    - PLC code, apps and config
    - Database
    - Network device config

58
Q

Backup and recovery best practices

A

  • Establish backup and restore policies
  • Document procedures and ensure they are repeatable
  • All devices with configuration should be backed up
  • Backups are performed automatically on a staggered schedule
  • Onsite and offsite storage of backups
  • Periodic testing of backups
  • Periodic testing of restores
59
Q

Change management

A

The objective of change management is to minimize RISK to safety and downtime by ensuring that requests for change are recorded, evaluated, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled and consistent manner. Remember that vulnerability and patch management must also follow the same change management process. ISA 62443-2-1 sections 4.3 and 4.3.2.

60
Q

Typical IACS changes that require management of change

A

  • Changes to equipment and systems on the ICS architecture diagram
  • Changes to IT equipment and other services
  • Any changes

61
Q

Change requests contain the information required to assess the goals, cost and risk associated with the change

A

  • Description of the change
  • Benefit of applying the change
  • Cost and risk of not applying the change
  • Cost associated with the change
  • Risk assessment of the change
  • Priority of the change

62
Q

Change in industrial facilities and processes is

A

Critical to safety. Remember that change has to be done by a MULTI-DISCIPLINARY TEAM.

63
Q

Change management priority examples

A

  • IMMEDIATE - life is at risk or there is significant loss of revenue; immediate action is required.
  • HIGH - severely affecting safety systems or impacting the ability to produce.
  • MEDIUM - no severe impact, but things will need to be fixed prior to the next schedule.
  • LOW - changes can be taken care of in the next schedule.
64
Q

Information and document management best practices

A

  • A lifecycle document management process should be developed.
  • Information classification is required.
  • Control system information such as design information

65
Q

Physical security

A

Protection of personnel, hardware, programs, networks and data from physical circumstances and events.

66
Q

Asset inventory tools are

A

Network management tools, software asset management tools (known as SAM), configuration management tools.

67
Q

Three functional planes of data are

A

Management, control, data.

68
Q

System hardening

A

System hardening is the process of securing a system by reducing its attack surface.

69
Q

Access control

A

Is the policies, procedures and technical controls that govern the use of system resources, to ensure the system can be accessed by authorized users, programs and other systems.
70
Q

Detection tools
71
Q

What does security monitoring and detection entail?

A

Detecting abnormal activity:
  • Network intrusion detection
  • Host intrusion detection
  • Monitoring logs
  • Periodic testing and auditing

72
Q

Detection techniques?

A

  • Signature - against a blacklist
  • Behavior - against known behavior
  • Anomaly - against known good (whitelist)

73
Q

Differences

A

Best solution for zero-day exploits is BEHAVIOR. Best solution for known exploits is SIGNATURE. Best solution for insider threats? ANOMALY.

74
Q

Anomaly detection includes

A

  • Data hoarding
  • Geographic location
  • Time versus data
  • Service traffic
  • Host data loss

75
Q

User observation for abnormal system behavior

A

Anything that can trigger changes, such as: CPU usage, blocked protocols, patch changes, system shutdown, locked-out accounts, logs and cleared logs.

76
Q

Capabilities of host intrusion systems are?

A

Log analysis, policy enforcement, event correlation, alerting, rootkit detection, integrity checking.

77
Q

LIDS are

A

Log-based intrusion detection systems (LIDS). LIDS is normally part of the SIEM.

78
Q

All intrusion detection systems need the following

A

Testing / auditing / adjustment as part of the CSMS. Testing should be established by policy, audits done by a third-party tester, and adjustments made based on new threats. IMPORTANT.
79

This chapter will be talking about:
  • The incident response lifecycle
  • Aspects of incident response planning
  • Incident management
  • Incident prevention
  • The four phases of forensics
  • The three C's of incident analysis

80
Q

Incident response lifecycle includes?

A

1 - PLANNING
2 - INCIDENT PREVENTION
3 - DETECTION
4 - CONTAINMENT
5 - REMEDIATION
6 - RECOVERY AND RESTORATION
7 - POST-INCIDENT ANALYSIS AND FORENSICS
81
Q

1 - Phase one is PLANNING

A

In this phase we assemble the CYBER SECURITY INCIDENT RESPONSE TEAM (CSIRT). The team consists of engineers and managers. In this phase we need to have clear written operating procedures and a response checklist.

82
Q

2 - INCIDENT PREVENTION techniques

A

IACS asset management, system hardening, access control, remote access, malware prevention, system backups, change management, information and documentation, physical security, and you will need vendor interaction.

83
Q

Incident analysis 3 C's

A

  • Calm - don't panic
  • Cool - intense discussion
  • Collected - list and think critically

84
Q

INCIDENT MANAGEMENT includes

A

Detection, response tools, categorization, containment, remediation, recovery and restoration. Important.

85
Q

3 - INCIDENT DETECTION

A

How to detect the incident: automated detection tools, reporting, detection by observing traffic and CPU usage.

86
Q

4 - INCIDENT CONTAINMENT

A

How to contain an incident: isolate the system? Remove the affected device? Remove? Protect? This should be documented.

87
Q

5 - REMEDIATION

A

Fix the source of the problem, close unauthorized paths, remove malware, etc. In this phase you may want to work with the asset owner and data owner.

88
Q

6 - RECOVERY AND RESTORATION

A

Establish contingency plans. Patch and maintain all backup systems. Verify failover systems. Establish a plan to run segments in isolation. Test backups. Establish and run acceptance tests. This also includes defining the procedures for the tests and declaring the IACS fully operational.
89
Q

7 - Once you are done there is another phase called POST-INCIDENT ANALYSIS AND FORENSICS

A

The idea of this phase is to gain an understanding of how it happened and why.

90
Q

The forensic process is as follows: CEAR

A

Collection, Examination, Analysis, Reporting

91
Q

1 - Collection phase

A

Time is important. Secure sensitive data, preserve the scene, protect the evidence.

92
Q

2 - Examination

A

Establish a checklist. Identify the key people and personnel. Identify normal and abnormal operation. Identify requirements. Identify remote access. Identify any protections. Conduct interviews; operations personnel can give you a lot of insight.

93
Q

3 - Analysis

A

Use packet analyzers, network analyzers and packet sniffers. Check cabling and wiring as well! Know how to identify any alarms: HMI alarm view alarms. Windows event logs can also be configured.

94
Q

4 - Reporting

A

Preserve forensic data. Keep detailed notes and reports and don't rely on memory. Detected computers.

95
Q

INCIDENT RESPONSE PLANNING includes

A

Overview, goals and objectives, incident description, incident detection, incident notification, incident analysis, response actions, communication, forensics.

96
Q

Incident response plan includes

A

Incident analysis, incident description, forensics.

97
Q

Network hardening best practices

A

  • Install firmware updates
  • Compare hash files
  • Shut down unused physical interfaces
  • Enable configuration access control
  • Change and encrypt passwords
  • Use SNMPv3
  • Restrict remote management
  • Use secure protocols
  • Shut down unused services
  • Enable logging