IC33 Flashcards

Question

What is ISA 95 Level 4?

Answer 1

Level 4 — Business logistics systems — Managing the business-related activities of the manufacturing operation. ERP is the primary system; establishes the basic plant production schedule, material use, shipping and inventory levels. Time frame: months, weeks, days, shifts.

Answer 2

* The function is critical to plant safety * The function is critical to plant reliability * The function is critical to plant efficiency * The function is critical to product quality * The function is critical to maintaining regulatory compliance. – Usually, product or environmental related – This includes such factors as safety, environmental, and cGMP compliance (FDA, EPA, USDA, OSHA, …)

Answer 3

* Detail how the network is physically and logically constructed * Individual routers, switches, firewalls are shown symbolically * Switch port assignments are identified * VLANS are documented * May or may not show hosts (e.g. devices plugged into switches)

Answer 4

*Host Devices * Embedded Devices * Network Devices * Software Applications

Answer 5

*Facilities should maintain a list or database of all IACS and SCADA hardware (physical and virtual) and software * Compiled through documentation and site survey * Automated tools can be used to gather this data * Automated tools should be carefully tested to ensure they do not impact system availability or integrity and do not introduce security vulnerabilities

Answer 6

Hardware inventory should include: – Computers (e.g., servers, workstations) – Network equipment (e.g., switches, routers and firewalls) – Automation devices (e.g., PLCs, DCSs, VFDs, RTUs, etc.) * List should include all devices with Ethernet connection and an IP address * Devices with routable serial protocols (e.g. ControlNet, Profibus, Modbus TCP, etc.) should also be included

Answer 7

The following attributes should be recorded for all hardware devices: – Device or System Name – Asset ID – Device Type – Function – Network interface(s) – Network address(es) – Manufacturer – Model – Serial Number – Operating system and version (if applicable) – Firmware versions (if applicable) – Responsible organization/individual – Physical Location – Notes

Answer 8

*Virtual machines (VMs) should also be documented * The following attributes should be recorded for all virtual hardware: – VM name – VM Type – Function – Network interface(s) – Network address(es) – Host Name/ID – Host type – Operating system and version – Responsible organization/individual – Custodian(s) (Admin) – Notes

Answer 9

Software inventory should include: – Firmware – Operating systems – Databases – Applications (FODA)

Answer 10

At a minimum, the following attributes should be recorded for all software: – Software Name – Software type (e.g. OS, application, database, firmware, etc.) – Function – Host Name – Host type (physical or virtual, server or workstation, network device, controller, etc.) – Vendor – Version – Responsible organization/person – License information – # of Licenses – Location of License – License Expiration Date – Update/Patch Process

Answer 11

* Network management tools * Software Asset Management (SAM) tools * Configuration management tools

Answer 12

* Solarwinds * Spiceworks * Open-AudIT * Lansweeper * OpenNMS * WhatsUpGold * Siemens PRONETA * Hirschmann HiVision * Moxa Mxview * Nozomi * Claroty

Answer 13

* Microsoft Assessment and Planning Toolkit (MAP) * Microsoft System Center * IT Asset Tool * System Information for Windows (SIW) * WinAudit * Spiceworks * Microsoft Software Inventory Analyzer (MSIA)

Answer 14

* Rockwell - AssetCentre * PAS - Integrity * Auvesy-MDT - Octoplant

Answer 15

* Visual inspection of the system * Physical security review * Compare drawings with actual installation * Observe operating environment * Interview operational personnel

Answer 16

Combined Approach Preferred Asset Owner and Integration Service Provider will understand the SuC better by combining different approaches: * Documentation Analysis * Assisted Analysis with tools * Walk through the plant

Answer 17

* The Threat Source is the entity that can manifest a threat. * It may be a person or a group of people or it may be an object such as hardware or software. * It may even be an environmental event such as a fire or flood. * When identifying the threat source, it is helpful to identify some of the characteristics of the source such as its location, capability and motivation.

Answer 18

* There are several factors that may affect the threat environment of a SUC, including the geo-political climate, the physical environment and the sensitivity of the system.

Answer 19

– ICS-CERT (https://www.us-cert.gov/ics) – Enisa(https://www.enisa.europa.eu/) – Local Government – Industry specific ISAC (Information Sharing and Analysis Center) – IACS Product suppliers – Anti-Malware vendors – Industry advisory groups

Answer 20

* Authorized internal personnel * Authorized 3rd party * Unauthorized internal personnel * Unauthorized external person (hacker) * Malware * Equipment * Environment

Answer 21

The Threat Vector is the means the threat source may utilize to compromise the zone or conduit.

Answer 22

Spoofing Tampering Information Disclosure Denial of Service

Answer 23

Assuming the identity of another user or device

Answer 24

Making unauthorized changes to a program, configuration or data

Answer 25

Unauthorized redirection of data

Answer 26

Delaying or blocking the flow of information

Answer 27

TA: Authorized support TV: Infected laptop

Answer 28

A threat catalog enlists the main categories of threat sources and what type of threat they can manifest. It serves as a check list during the Risk Assessment. (Asset owner) * Criteria for choosing Threat Sources and Actions consistently with ISA/IEC-62443-3-2 methodology should also be created and approved by the Asset Owner * Realistic Threat Scenarios will be used during a Detailed Cyber Risk Analysis to take good decisions that mitigates the intolerable risk, and to determine security levels for each zone and conduit

Answer 29

A vulnerability is any flaw or weakness in a system's design, implementation, or operation that could be exploited to compromise the system

Answer 30

Broad classes of vulnerabilities: – Policy & Procedural – Architecture & Design – Configuration & Maintenance – Physical – Software – Communication & Network

Answer 31

Inadequate security policy for the ICS No formal ICS security training and awareness program Absent or deficient ICS equipment implementation guidelines Lack of administrative mechanisms for security policy enforcement Inadequate review of the effectiveness of the ICS security controls No ICS-specific contingency plan Lack of configuration management policy Lack of adequate access control policy Lack of adequate authentication policy Inadequate incident detection and response plan and procedures Lack of redundancy for critical components

Answer 32

Inadequate incorporation of security into architecture and design. Insecure architecture allowed to evolve No security perimeter defined Control networks used for non-control traffic Control network services not within the control network Inadequate collection of event data history

Answer 33

Hardware, firmware, and software not under configuration management. OS and vendor software patches may not be developed until significantly after security vulnerabilities are found OS and application security patches are not maintained or vendor declines to patch vulnerability Inadequate testing of security changes Poor remote access controls Poor configurations are used Critical configurations are not stored or backed up Data unprotected on portable device Passwords generation, use, and protection not in accord with policy Inadequate access controls applied Improper data linking Malware protection not installed or up to date Malware protection implemented without sufficient testing Denial of service (DoS) Intrusion detection/prevention software not installed Logs not maintained

Answer 34

Unauthorized personnel have physical access to equipment Radio frequency and electro-magnetic pulse (EMP) Lack of backup power Loss of environmental control Unsecured physical ports

Answer 35

Improper Data Validation Installed security capabilities not enabled by default Inadequate authentication, privileges, and access control in software

Answer 36

Flow controls not employed Firewalls nonexistent or improperly configured Inadequate firewall and router logs Standard, well-documented communication protocols are used in plain text Authentication of users, data or devices is substandard or nonexistent Use of unsecure industry-wide ICS protocols Lack of integrity checking for communications Inadequate authentication between wireless clients and access points Inadequate data protection between wireless clients and access points

Answer 37

* Exercise to define, identify, and classify the security vulnerabilities in an industrial control system and its related network infrastructure * Evaluate the IACS design, implementation, configuration as well as its operation and management * Determine the adequacy of security measures and identify security deficiencies * Determine known vulnerabilities for the used components

Answer 38

* High-level vulnerability assessment * Passive vulnerability assessment * Active vulnerability assessment * Penetration test (hunting for vulnerabilities)

Answer 39

* Assessment of an organization's existing operational and technical cybersecurity practices * Comparison to industry regulations, standards and best practices * Feedback on performance relative to industry peers * Typically involves: – Interviews with key personnel – Site walk-throughs – Examination of drawings – Examination of sample configurations – Review of existing polices and procedures – Completing a questionnaire * Sometimes called “Gap Assessment”

Answer 40

* Discover network devices using passive means such as: – Reviewing drawings – documentation analysis – System walk-throughs – Traffic analysis – ARP tables, log reviews, firewall rules, etc. * Discover vulnerabilities using passive means such as: – Capture and study actual network traffic – Collect data from devices (e.g. logs) – Review configurations – Research using vulnerability databases * Understanding the system and the industrial process * Create or update documentation

Answer 41

* Discover network devices using active network scanning tools and techniques: – Nmap – Ping Sweep or ARP Scan – Advanced IP scanner – Superscan – Shodan * Discover vulnerabilities using active vulnerability scanning tools such as: – OpenVAS – Nessus – Nexpose * Understanding the system and the industrial process * Create or update documentation

Answer 42

* Begins with an active cybersecurity vulnerability assessment * Perspective of a malicious actor * Attempts to exploit known and unknown security vulnerabilities using exploit tools and techniques * Validate effectiveness of security countermeasures * Can be on an individual asset, a zone or an entire SUC (usually known as Red Teaming)

Answer 43

Vulnerability Assessment * Define, identify, and classify security vulnerabilities * Identify weaknesses * Report on discoveries Penetration Testing * Exploit the vulnerabilities * Attempt to gain nonauthorized access * Aggressive tools and techniques to attack and penetrate the system

Answer 44

* Identify benchmark standards * Gather information – Interviews – Questionnaires – Drawings – Site visits * Compare performance with benchmark standards – People – Processes – Technology * Document and report results

Answer 45

* DHS Cybersecurity Evaluation Tool (CSET)

Answer 46

* Repeatable and systematic approach for assessing an organizations cybersecurity posture * Evaluation and comparison to existing industry standards and regulations * Facilitates discussion and input from subject matter experts throughout the organization (e.g. operations, engineering, maintenance, information technology, business, health/safety and Cybersecurity) * Identifies potential vulnerabilities in the control system design and security policies * Offers guidelines for IACSs cybersecurity solutions and mitigations

Answer 47

* CSET is only one component of a comprehensive control system security program. * CSET will not provide a detailed architectural analysis of the network or a detailed network hardware/software configuration review * CSET has a component focus rather than a system focus * CSET is not a risk analysis tool, it will not create a detailed risk assessment * CSET is not intended as a substitute for in-depth analysis of control system vulnerabilities as performed by trained professionals. * Data and reports generated by the CSET should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity

Answer 48

Categories: – Health – Safety – Environment – Business continuity – Reputation – Information or intellectual property leakage – Other …

Answer 49

the undesirable result of an incident, usually described in terms of health and safety effects, environmental impacts, loss of property, and business interruption costs result that occurs from a particular incident

Answer 50

a measure of the ultimate loss or harm associated with a consequence. Impact may be expressed in terms of numbers of injuries and/or fatalities, extent of environmental damage and/or magnitude of losses such as property damage, material loss, loss of intellectual property, lost production, market share loss, and recovery costs

Answer 51

company's risk appetite

Answer 52

This makes it easier to compare budget requests for different risks assessments to each-other

Answer 53

* Assessment of the criticality of an IACS asset, input for risk assessment – Also called Business Impact Assessment * Measure of the negative impact should information be unavailable, unreliable or compromised * Communicated to employees and contractors * Methodology for identifying worse case consequences

Answer 54

Risk = Threat x Vulnerability x Consequence

Answer 55

– Target attractiveness – Attack surface – Capability of threat actors – Vulnerabilities in the organization's assets – Motivation and intent of threat actors – Geopolitical situation

Answer 56

– A 'slogan' for the likelihood value or level – Additional information to determine the level for each risk – Quantification of the likelihood (use this where possible)

Answer 57

This is the level of risk deemed acceptable to an organization, sometimes called the organization's risk appetite

Answer 58

Senior management is responsible for defining the risk tolerance

Answer 59

Accept the risk

Answer 60

* If risk is above tolerable risk: – Design the risk out – Reduce the risk – Transfer or share the risk – Eliminate or redesign redundant or ineffective controls

Answer 61

* Determine what plants/processes need to be addressed first * Understand the threats and vulnerabilities * Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk * Prioritize activities and resources * Evaluate countermeasures based upon their effectiveness of versus their cost/complexity

Answer 62

4.2.3.1 Select a risk assessment methodology 4.2.3.2 Provide risk assessment background information 4.2.3.3 Conduct a high-level risk assessment 4.2.3.4 Identify the industrial automation and control systems 4.2.3.5 Develop simple network diagrams 4.2.3.6 Prioritize systems 4.2.3.7 Perform a detailed vulnerability assessment 4.2.3.8 Identify a detailed risk assessment methodology 4.2.3.9 Conduct a detailed risk assessment 4.2.3.10 Identify the reassessment frequency and triggering criteria 4.2.3.11 Integrate physical, HSE and Cybersecurity risk assessment results 4.2.3.12 Conduct risk assessments throughout the lifecycle of the IACS 4.2.3.13 Document the risk assessment

Answer 63

ZCR 1: Identify System Under Consideration (SUC)

Answer 64

* Requirement: – The organization shall clearly identify the SUC, including clear demarcation of the security perimeter and identification of all access points to the SUC. * Rationale and supplemental guidance – Organizations typically own and operate multiple control systems, especially larger organizations with multiple industrial facilities. Any of these control systems may be defined as a SUC. For example, there is generally at least one control system at an industrial facility , but in many cases there are several systems that control various functions within the facility. – This requirement specifies that SUCs are identified for the purpose of performing Cybersecurity analysis. The definition of a SUC is intended to include all IACS assets that are needed to provide a complete automation solution. – System inventory, architecture diagrams, network diagrams and dataflows can be used to determine and illustrate the IACS assets that are included in the SUC description.

Answer 65

ZCR 2: Initial Risk Assessment

Answer 66

* Requirement – The organization shall perform a Cybersecurity risk assessment of the SUC or confirm a previous initial Cybersecurity risk assessment is still applicable in order to identify the worst case unmitigated Cybersecurity risk that could result from the interference with, breach or disruption of, or disablement of mission critical IACS operations. * Rationale – The purpose of the initial Cybersecurity risk assessment is to gain an initial understanding of the worst-case risk the SUC presents to the organization should it be compromised. This is typically evaluated in terms of impacts to health, safety, environmental, business interruption, production loss, product quality, financial, legal, regulatory, reputation, etc. This assessment assists with the prioritization of detailed risk assessments and facilitates the grouping of assets into zones and conduits within the SUC.

Answer 67

ZCR 3.1: Establish zones and conduits

Answer 68

* Requirement – The organization shall group IACS and related assets into zones or conduits as determined by risk. Grouping shall be based upon the results of the initial Cybersecurity risk assessment or other criteria, such as criticality of assets, operational function, physical or logical location, required access (for example, least privilege principles) or responsible organization * Rationale – The intent of grouping assets into zones and conduits is to identify those assets which share common security requirements and to permit the identification of common security measures required to mitigate risk. The assignment of IACS assets to zones and conduits may be adjusted based upon the results of the detailed risk assessment. This is a general requirement, but special attention should be given to the safety related systems including safety instrumented systems, wireless systems, systems directly connected to Internet endpoints, systems that interface to the IACS but are managed by other entities (including external systems) and mobile devices

Answer 69

ZCR 3.2: Separate business and IACS assets

Answer 70

* Requirement – IACS assets shall be grouped into zones that are logically or physically separated from business or enterprise system assets. * Rationale and supplemental guidance – Business and IACS are two different types of systems that need to be divided into separate zones as their functionality, responsible organization, results of initial risk assessment and location are often fundamentally different. It is important to understand the basic difference between business and IACS, and the ability of IACS to impact health, safety and environment (HSE).

Answer 71

ZCR 3.3: Separate Safety Related Assets

Answer 72

* Requirement – Safety related IACS assets shall be grouped into zones that are logically or physically separated from zones with non-safety related IACS assets. However, if they cannot be separated, the entire zone shall be identified as a safety related zone. * Rationale and supplemental guidance – Safety related IACS assets usually have different security requirements than basic control system components or systems, and components interfaced to the control system components. Safety related zones typically require a higher level of security protection due to the higher potential for health, safety and environmental consequences if the zone is compromised.

Answer 73

ZCR 3.4: Separate Temporarily Connected Devices

Answer 74

* Recommendation – Devices that are permitted to make temporary connections to the SUC should be grouped into a separate zone or zones from assets that are intended to be permanently connected to the IACS.

Answer 75

ZCR 3.5: Separate Wireless Devices

Answer 76

* Recommendation – Wireless devices should be in one or more zones that are separated from wired devices.

Answer 77

ZCR 3.6: Separate Devices Connected via External Networks

Answer 78

* Recommendation – Devices that are permitted to make connections to the SUC via networks external to the SUC should be grouped into a separate zone or zones.

Answer 79

* Establishment of zones and conduits (3.1) – Group IACS and related assets – Criticality of assets – Operational function – Physical location – Logical location * Requirements from ISA/IEC 62443 – Separation of business and control system zones (3.2) – Separation of safety-critical zones (3.3) – Separation of temporarily connected devices (3.4) – Separation of wireless communications (3.5) – Separation of devices connected via untrusted networks (3.6)

Answer 80

ZCR 4: Compare Initial Risk to Tolerable Risk

Answer 81

* Requirement – The initial risk determined in subsection 4.3, ZCR 2: Initial Cybersecurity risk assessment, shall be compared to the organization’s tolerable risk. If the initial risk exceeds the tolerable risk, the organization shall perform a detailed Cybersecurity risk assessment

Answer 82

ZCR 5: Perform a Detailed Cybersecurity Risk Assessment

Answer 83

* Schedule a facilitator * Establish the team * Prepare workshop materials

Answer 84

A person who has a degree of independence from the design and operation of the control system, control system networks and related IT systems and has received specialty training for leading Cyber Risk Assessments.

Answer 85

The team should include: – Facilitator trained in Cyber Risk Assessment – Scribe trained in the software application to be used – Automation/Controls Engineer(s) – Network Engineer(s) – Cybersecurity SME – Process Safety SME – Operator(s) with experience operating the process under consideration

Answer 86

* System architecture diagrams – Physical – Functional * Network diagrams – Segments – Networking components * Asset inventory * Criticality assessment * Process flow * Data flow * Business processes

Answer 87

ZCR 5.1: Identify Threats

Answer 88

* Requirement – A list of the threats that could affect the assets contained within the zone or conduit shall be developed.

Answer 89

– a description of the threat source; – a description of the capability or skill-level of the threat source; – a description of possible threat vectors; – an identification of the potentially affected asset(s).

Answer 90

ZCR 5.2: Identify vulnerabilities

Answer 91

* Requirement – The zone or conduit shall be analyzed in order to identify and document the known vulnerabilities associated with the assets contained within the zone or conduit including the access points.

Answer 92

ZCR 5.3: Determine consequence and impact

Answer 93

* Requirement – Each threat scenario shall be evaluated to determine the consequence and the impact should the threat be realized. Consequences should be documented in terms of the worst case impact on risk areas such as personnel safety, financial loss, business interruption and environment

Answer 94

performing the cost/benefit analysis of security controls

Answer 95

ZCR 5.4: Determine Unmitigated Likelihood

Answer 96

* Requirement – Each threat shall be evaluated to determine the unmitigated likelihood. This is the likelihood that the threat will materialize

Answer 97

Likelihood is evaluated twice during the detailed risk assessment process. It is initially determined without consideration for any existing countermeasures in order to establish the unmitigated risk

Answer 98

ZCR 5.5: Determine Unmitigated Cybersecurity Risk

Answer 99

* Requirement – The unmitigated Cybersecurity risk for each threat shall be determined by combining the impact measure determined in subclause 4.6.4, ZCR 5.3: Determine consequence and impact, and the unmitigated likelihood measure determined in subclause 4.6.5, ZCR 5.4: Determine unmitigated likelihood.

Answer 100

ZCR 5.6: Determine SL-T

Answer 101

* Requirement – A SL-T shall be established for each security zone or conduit.

Answer 102

ISA 62443-3-3 defines SLs in terms of five different levels (0, 1, 2, 3 and 4), each with an increasing level of security * SL 0: No specific requirements or security protection necessary * SL 1: Protection against casual or coincidental violation * SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation * SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation * SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Answer 103

Based on a company's risk matrix: – Specific risk levels justify a certain SL-T Typically determined based on unmitigated risk – Countermeasures can be disregarded.

Answer 104

ZCR 5.7: Compare Unmitigated Risk with Tolerable Risk

Answer 105

* Requirement – The unmitigated risk determined for each threat identified in subclause 4.6.6, ZCR 5.5: Determine unmitigated Cybersecurity risk, shall be compared to the organization’s tolerable risk. If the unmitigated risk exceeds the tolerable risk, the organization shall determine whether to accept, transfer or mitigate the risk.

Answer 106

ZCR 5.8: Identify and Evaluate Existing Countermeasures

Answer 107

* Requirement – Existing countermeasures in the SUC shall be identified and evaluated to determine the effectiveness of the countermeasures to reduce the likelihood or impact

Answer 108

Security Level Capability (SL-C)

Answer 109

ISA standard 62443-3-3

Answer 110

reduce the likelihood aspect of risks

Answer 111

– Design the risk out – Reduce the risk – Transfer or share the risk – Eliminate or redesign redundant or ineffective controls

Answer 112

Logical Access Physical Access Controls Data Flow Controls Data Integrity Controls Detection Policy/Procedure Hardening

Answer 113

Manage user authentication and privileges Examples: System/device login, network access controls, domain controllers

Answer 114

Control physical access to critical cyber assets Examples: Guards, fences, doors, enclosures,

Answer 115

Control the flow of data in, out and within the system Examples: Firewalls, routers, switches

Answer 116

Prevent the corruption or unauthorized disclosure of data Examples: Encryption, VPN, CRC, whitelisting

Answer 117

Detect and alert anomalous or malicious events Examples: Intrusion detection, SIEM, anti-virus

Answer 118

Define and enforce appropriate and inappropriate behavior Examples: Policy documents, procedures, Group Policy settings

Answer 119

Minimize vulnerability by disabling or blocking unnecessary functions Examples: Uninstalling unnecessary applications, blocking unused ports

Answer 120

– Threats – Countermeasures (optionally also their effectiveness) – Activity that could cause damage if control is lost (risk source) – Consequences

Answer 121

ZCR 5.9: Reevaluate Likelihood and Impact

Answer 122

* Requirement – The likelihood and impact shall be re-evaluated considering the countermeasures and their effectiveness.

Answer 123

Mitigated Threat Likelihood

Answer 124

The MTL is likelihood of the threat scenario occurring and leading to the final consequence taking into account all protection measures and cybersecurity countermeasures in place.

Answer 125

ZCR 5.10: Determine Residual Risk

Answer 126

* Requirement – The residual risk for each threat shall be determined by combining the mitigated likelihood measure and mitigated impact values.

Answer 127

ZCR 5.11: Compare Residual Risk with Tolerable Risk

Answer 128

* Requirement – The residual risk determined for each threat shall be compared to the organization’s tolerable risk. If the residual risk exceeds the tolerable risk, the organization shall determine if the residual risk will be accepted, transferred or mitigated based upon the organization’s policy.

Answer 129

ZCR 5.12: Identify Additional Cybersecurity Countermeasures

Answer 130

* Requirement – Additional Cybersecurity countermeasures such as technical, administrative or procedural controls shall be identified to mitigate the risks where the residual risk exceeds the organization’s tolerable risk unless the organization has elected to tolerate or transfer the risk.

Answer 131

reallocate an IACS asset from a lower security to a higher security zone or conduit in order to take advantage of the security countermeasures of the higher security zone or conduit.

Answer 132

Adjusted Mitigated Threat Likelihood

Answer 133

ZCR 5.13: Document and Communicate Results

Answer 134

* Requirement – The results of the detailed cyber risk assessment shall be documented, reported and made available to the appropriate stakeholders in the organization. Appropriate information security classification shall be assigned to protect the confidentiality of the documentation. Documentation shall include the date each session was conducted as well as the names and titles of the participants. Documentation that was instrumental in performing the cyber risk assessment (such as, system architecture diagrams, PHAs, vulnerability assessments, gap assessments and sources of threat information) shall be recorded and archived along with the cyber risk assessment.

Answer 135

* Scope of the assessment * “As found” system architecture * Assessment details – Dates/Locations – Participants – Vulnerability Assessment Process * Prioritized summary of findings * Detailed findings – Discovered cyber assets – Policy & Procedural vulnerabilities – Architecture & Design vulnerabilities – Configuration & Maintenance vulnerabilities – Physical vulnerabilities – Software vulnerabilities – Communication & Network vulnerabilities

Answer 136

* Scope of the risk assessment * Assessment details – Dates/Locations – Participants – Risk Assessment Process * Risk profile * Summary of recommendations * Detailed findings – High risk threats – High risk vulnerabilities – Prioritized recommendations – Detailed risk assessment worksheets

Answer 137

* Scope and purpose of the system * Physical and environmental security requirements * General cybersecurity requirements * Zone and Conduit specific requirements

Answer 138

ZCR 6: Cybersecurity Requirements Specification

Answer 139

* Requirement – A Cybersecurity requirements specification (CRS) shall be created to document mandatory security countermeasures of the SUC based on the outcome of the detailed risk assessment as well as general security requirements based upon company or site-specific policies, standards and relevant regulations

Answer 140

– SUC description – Zone and conduit drawings – Zone and conduit characteristics – Operating environment assumptions – Threat environment – Organizational security policies – Tolerable risk – Regulatory requirements

Answer 141

True * The CRS defines what needs to be done in the Develop & Implement phase

Answer 142

– Name – High-level description – Intended usage – Architecture diagrams – Network diagrams – Security perimeter and Access points – System inventory – Dataflows – Process Flows

Answer 143

* Accountable organization(s) * Definition of logical boundary * Definition of physical boundary, if applicable * Safety designation * Connected zones or conduits * SL-T * Applicable security requirements * Applicable security policies * Assumptions and external dependencies. – Clean power – Physical security – Network security

Answer 144

* List of logical access points – Place where electronic information can cross the logical boundary of a zone or conduit. – Vulnerabilities that can be exploited by threats. * List of physical access points – fences, doors and enclosures etc. – Any place where people can gain physical access to zone or conduit assets. – Physical access points need to be identified and documented to determine appropriate means of monitoring and preventing unauthorized access. * List of data flows – In order to detect anomalies, it is important to identify and document the expected flow of data throughout the system and the flow of data in and out of a zone or conduit. – Source, Destination, Protocol, Business reason behind it – ISA-95 models can help in identifying and structuring * List of assets – IACS assets contained within each zone or conduit and their classification – Criticality and business value – Consider the consequences to other zones/conduits as well as the zone/conduit in question

Answer 145

– Threat source(s) – Threat vectors – Geo-political climate – Physical environment

Answer 146

– ICS-CERT (https://www.us-cert.gov/ics) – Enisa (https://www.enisa.europa.eu/) – Local Government – IACS Product suppliers – Anti-Malware vendors – Industry advisory groups

Answer 147

Initial system architecture diagrams and inventory Company Polices Regulations Tolerable risk guidelines

Answer 148

Updated system architecture diagrams and inventory with IACS external services and support identified

Answer 149

Existing PHAs and other relevant risk assessment and corporate risk matrix

Answer 150

Initial evaluation of risk

Answer 151

Standards and best practices Policies Supplier guidelines Criticality assessments Data flows Functional specifications

Answer 152

Initial or revised zone and conduit diagram

Answer 153

None: Yes/No decision

Answer 154

Residual cyber security risk and SL-Ts for each zone and conduit

Answer 155

Company policies Regulations Tolerable risk guidelines

Answer 156

Cyber security requirement specification (CRS)

Answer 157

Asset owner approval

Answer 158

Inputs: Historical data and other threat information sources Output: List of threats

Answer 159

Inputs: Vulnerability assessment, prior audits, vulnerability databases Output: List of vulnerabilities

Answer 160

Inputs: Threats, vulnerabilities, existing PHAs, other risk assessments Output: Assessment of impact

Answer 161

Inputs: List of threats and vulnerabilities Output: Assessment of likelihood

Answer 162

Inputs: Likelihood, impact, corporate risk matrix Output: Assessment of unmitigated cyber security risk

Answer 163

Inputs: Corporate risk matrix with tolerable risk Output: SL-T

Answer 164

None "Unmitigated risk exceeds tolerable risk?" If yes, go to 5.8 If No, go to 5.13

Answer 165

Inputs: ZCR 5.7 Output: List of countermeasures

Answer 166

Inputs: [Updated] List of countermeasures Output: [Updated] Likelihood and impact assessment

Answer 167

Inputs: [Updated] Likelihood, impact, corporate risk matrix Output: Residual cybersecurity risk

Answer 168

Inputs: ZCR 5.10 Output: "Are all residual risks at or below tolerable risk?" If yes, go to 5.13 If no, go to 5.12

Answer 169

Inputs: 5.11 Output: [Updated] List of Countermeasures

Answer 170

Inputs: 5.7 OR 5.11 Output: Detailed risk assessment report

IC33 Flashcards

(205 cards)