Module 1-10 Flashcards

(47 cards)

1
Q

Assess Phase?

A
  1. High-Level Cyber Risk Assessment
  2. Allocation of IACS assets to Zones/Conduits
  3. Detailed Risk Assessment
    62443-3-2
2
Q

Development & Implementation Phase?

A
  1. CRS
    62443-3-2
  2. Design and Engineering of Cybersecurity Countermeasures (CC)
    62443-3-3
  3. Installation, Commissioning, and Validation of CC
3
Q

Maintain Phase?

A
  1. Cybersecurity Maintenance, Monitoring, and MoC
  2. Cyber Incident Response and Recovery
    62443-2-1
4
Q

Continuous Process

A

Cybersecurity Management System (CMS): Policies, Procedures, Training, and Awareness
Periodic Cybersecurity Audits
62443-2-1

5
Q

Interpreting CRS

A

The output of the risk assessment (CRS) is the input for the Development & Implementation

6
Q

Security Level (SL) Definitions

A

0 = No reqs. or security protection needed.
1 = Protection against casual/coincidental violation
2 = Protection against intentional violation with low resources/skill/motivation
3 = Protection against intentional violation with moderate resource/IACS skill/motivation
4 = Protection against intentional violation with extended resource/IACS skill/motivation

7
Q

SL Types

A

SL-T = desired security level for system
SL-A = actual security level of system
SL-C = potential security level of system

8
Q

Four Ts for Managing Risk

A

Terminate
Tolerate
Transfer
Treat

9
Q

5 Ds of Treating Risk

A

Defeat
Delay
Deny
Detect
Deter

10
Q

Steps to Developing a Security Strategy

A

I R E I D
Identify Zones
Review Risk Assessment results
Establish SL-T
Identify Physical and Cyber Access points
Develop 5D physical & cyber strategy for each point

11
Q

Seven Foundational Requirements (62443-3-3)

A

I U S D R T R
1. Identity and Authentication Control
2. Use Control
3. System Integrity
4. Data Confidentiality
5. Restricted Data Flow
6. Timely Response to Events
7. Resource Availability

12
Q

FR Technologies

A

System Integrity: Malware/Anti-virus
Data Confidentiality: Encryption
Both: Physical security, secure protocols
Restricted Data Flow: Firewall, VLAN
Timely Response to Events: IDS/IPS
Resource Availability: Backup/recovery tools

13
Q

62443-4-2 Overview

A

Used by suppliers to identify security capabilities of their components (Software App, Embedded Device, Host Device, Network Device)
Series of Component Requirement (CR) and Requirement Enhancements (RE)
Expands System Requirements (SR) and RE

14
Q

Network types for IACS

A

Mesh, Star/Hub, Spoke, Ring, Bus, Hybrid

15
Q

ISO/OSI Reference model layers and description

A
  1. Physical - physics of getting messages between devices (Ethernet - IEEE 802.3)
  2. Data Link - rules for framing, converting electrical signals to data, physical/MAC addressing (802.3)
  3. Network - routing messages through complex network (IP, ICMP, ARP)
  4. Transport - transparent transfer of data between systems/hosts, end2end recovery, flow control (TCP/UDP)
  5. Session - persistent logical linking of 2 software apps, mechanism for opening, closing, managing sessions (RPC)
  6. Presentation - delivers/formats data for L7, format conversion, encryption/security, SSL
  7. Application - interfaces with software apps that have a communicating component, Email (SMTP), File (FTP), HTTP
16
Q

Problems with OSI model?

A

Layer specification is FUNCTIONAL only
Too complex for many applications such as industrial protocols where L5,6,7 are combined

17
Q

How do Network Discovery and Security Auditing Tools affect IACS

A

May adversely affect hazardous materials/operations/equipment
Safety systems could be triggered
Disrupt the flow of the control system

18
Q

Three classes of firewalls

A

Packet Filter - filters based on packet headers
Stateful Inspection - tracks state of connections and blocks packets that deviate from state
  3 states: Connection Establishment, Usage, Termination
Deep Packet Inspection - basic intrusion detection technology that analyses protocols for malware

19
Q

Steps in Firewall Planning

A

P I T D M
Plan - select technologies
Install & Configure - Install device, soft/firmware, patch/update. Configure users, policies, rules, ACLs
Test - Connectivity, rulesets, security, performance
Deploy - notify users, integration with routers/switches, test, back up
Manage - Maintain policies, patching, MoC, Config mgmt., Logs, Audits

20
Q

IACS Firewall configuration best practices

A

Deny all, allow by exception
No direct connections from internet to ICS network
Restrict access between CORP/PROD

21
Q

Host Intrusion Detection System (HIDS)

A

Monitors and analyzes internal and network interfaces on a single host

Agents monitor SI, applications activity, file changes, logs, Policy enforcement

22
Q

NIDS vs HIDS

A

Broad vs Narrow
Near real-time vs after suspicious activity
Bandwidth-dependent vs independent
High false positive rates vs low
Hardware vs no hardware

23
Q

IDS Best practices

A

Distributed Deployment
Use SCADA IDS Signatures
Careful not to block necessary traffic with IPS

24
Q

Security Requirements (SRs)

A

CAD SIR
Confidentiality
Access control
Data flow
Security event monitoring
Industry/regulatory standards
Risk assessment

25
Q

Network Intrusion Detection System (NIDS)

A

Monitors network traffic for suspicious activity
IDS sensors/collectors are placed throughout a network connected to a mgmt. console

26
Q

System Hardening - Reducing Attack Vectors

A

* Remove unnecessary software, user accounts, unnecessary services
* Install Security Patches
* Strengthen access controls

27
Q

OS Hardening Guidance

A

Guidance:
Center for Internet Security (CIS) security benchmarks
Microsoft security guides
NIST SP 800-123 Guide to general server security

28
Q

OS Hardening Steps

A

Patch/update OS
Remove/Disable unnecessary services/apps/protocols
Configure Access controls
Configure OS user authentication
Install and configure additional security controls
Test the security

29
Q

CIS Benchmarks

A

Recommendations for technical control rules/values for hardening OS, software and network devices
Accepted by governments, industry and academia

30
Q

IACS Guidance

A

Guidance:
NIST SP 800-82 Guide to ICS
Vendor Specific
Independent test reports: ISA Secure

31
Q

IACS Device Hardening

A

Disable remote program changes, unused interfaces, unnecessary services, protocols
Compare file hashes
Install vendor firmware updates
Restrict remote access
Protect with IACS firewall
Change default passwords
Enable Logging

32
Q

Functional Planes of a Network

A

Mgmt. - SSH/SNMP
Control - BGP, OSPF
Data

33
Q

Network Hardening Best Practices

A

Shutdown unused interfaces and services
Restrict remote mgmt.
Install firmware updates
Compare hashes
Change/encrypt passwords
Enable logging
Use secure protocols for remote mgmt.
Use SNMPv3 with Encryption

34
Q

Access Control

A

Policies, Procedures, and technical controls that govern the use of system resources.

35
Q

Access Control Best Practices

A

D E E M S
Develop an access control policy that enables logical and physical rules and rights
Employ multiple authentication methods for critical IACSs.
Establish separate IACS domains for each production area. Use Organizational Units (OUs) to partition resources into logical/functional units.
Make use of centralized identity and access mgmt. tools
Segregate data with high sensitivity and/or business consequences from other internal info.

36
Q

Remote Access Best Practices

A

Require:
- use of CORP laptops for remote access
- 3rd parties with RA to contractually comply with the org's security policies
- 2FA
Provide separate authentication mechanisms for int/external users
Change TCP port numbers for well-known remote access protocols from their defaults
Monitor and log all remote access sessions
Encrypt all communication over untrusted networks

37
Q

VPNs

A

VPN appliance is a network device with security features known as Secure Socket Layer (SSL)
Site-to-Site VPN (LAN to LAN, 2 gateways)
Remote Access VPN (Host to Host, 1 gateway)

38
Q

IACS remote access

A

Fill me

39
Q

Types of remote users

A

System Operators/Integrators/Support Specialists & Engineers, field technicians
Reporting and regulatory entities
Supply chain representatives, managed service providers
Vendors, customers, business partners

40
Q

Cybersecurity Factory Acceptance Testing (CFAT) Objective?

A

1. Verification of Cybersecurity specifications
2. Cybersecurity robustness testing – testing the design of the system to discover and identify weaknesses or vulnerabilities.

41
Q

Need for Cybersecurity Site Acceptance Testing (CSAT)?

A

Verifies that security settings are properly configured

42
Q

Cyber Acceptance testing best practices

A

Select different vendors for testing vs design
Define System-under-Test
Develop a verification and testing plan
Verify cybersecurity configuration settings
Perform robustness testing
Document results
62443-2-4

43
Q

Security Auditing Tools

A

Auditing Tools:
Center for Internet Security (CIS) has the Configuration Assessment Tool (CAT) and the Router Assessment Tool (RAT)
Tenable has Nessus - audits OS, Apps, DB
Digital Bond has Bandolier - audits against optimal security configs for ICS servers and workstations (works with Nessus)
MBSA (Microsoft Baseline Security Analyser)

44
Q

Roles to support asset owner

A

1. Product Supplier - Components (in 62443-4-1)
2. Integration Provider - Design and Setup (Analyzing environment, developing architecture, defining connections, installing, configuring, patching, testing and backups)
3. Maintenance Provider - Support After Handoff (patching and anti-virus updates, equipment upgrades and maintenance, change management)

45
Q

Maturity Levels

A

Level 1: Initial - undocumented
Level 2: Managed - written policies
Level 3: Defined - repeatable across the organization
Level 4: Improving - service providers control the effectiveness and performance of the service and demonstrate improvement
I M D I
Based on CMMI SVC Model

46
Q

Security Program Requirements for IACS Service Providers

A

62443-2-4
Can be used by asset owner to request or assess specific security capabilities from service provider

47