What is a requirement for product security development lifecycles?
Correct Answer: A
The ISA/IEC 62443-4-1 standard defines the requirements for a secure product development lifecycle for IACS products. One of the core requirements is "risk management": the systematic process of identifying, evaluating, and mitigating security risks throughout the product lifecycle. This ensures that security is built in from the early design phases through to maintenance and decommissioning. While agile and continuous integration can be useful development methods, they are not specific requirements of the standard. Defense-in-depth is a security principle, not a lifecycle process requirement. Reference: ISA/IEC 62443-4-1:2018, Section 4.2.3 ("Security risk management").
ISA-IEC-62443 Exam Question 37
Who must be included in a training and security awareness program? Available Choices (select all choices that are correct)
Correct Answer: C
Modbus over Ethernet, also known as Modbus/TCP, is a protocol that encapsulates the Modbus/RTU data string inside the data section of the TCP frame. It then sets up a client/server exchange between nodes, using TCP/IP addressing to establish connections [1]. This makes it easy to manage in a firewall, because the firewall can filter the traffic based on the source and destination IP addresses and the TCP port number. The default TCP port for Modbus/TCP is 502, but it can be changed if needed. Modbus/TCP does not use any other ports or protocols, so the firewall rules can be simple and specific. References: [8] Open Modbus/TCP Specification, RTA Automation, 2010; [9] Modbus Application Protocol Specification V1.1b3, Modbus Organization, 2012.
ISA-IEC-62443 Exam Question 38
After receiving an approved patch from the IACS vendor, what is BEST practice for the asset owner to follow?
Correct Answer: C
According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist resources, patches are software updates that fix bugs or vulnerabilities, or improve the performance of a system. Patches are classified into three categories based on their urgency and impact: low, medium, and high. Low priority patches are those that have minimal or no impact on the system functionality or security, and can be applied at the next scheduled maintenance. Medium priority patches are those that have moderate impact on the system functionality or security, and should be applied within a reasonable time frame, such as three months. High priority patches are those that have significant or critical impact on the system functionality or security, and should be applied as soon as possible, preferably at the first unscheduled outage. Applying patches in a timely manner is a best practice for maintaining the security and reliability of an industrial automation and control system (IACS). References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 4.3.2, Patch Management; ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program, Clause 5.3.2.2, Patch management; ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels, Clause 4.3.3.6.2, Patch management.
ISA-IEC-62443 Exam Question 39
What do packet filter firewalls examine? Available Choices (select all choices that are correct)
Correct Answer: D
Packet filter firewalls, as defined by ISA/IEC 62443 standards on cybersecurity, primarily examine the source, destination, and ports in the header of each packet. This type of firewall does not inspect the packet content deeply (such as its structure or sequence) or maintain awareness of the relationships between packets in a session. Instead, it operates at a more superficial level, filtering packets based solely on IP addresses and TCP/UDP ports. This approach allows packet filter firewalls to quickly process and either accept or block packets based on these predefined criteria without delving into the complexities of session management or the content of the packets up to the application layer.
ISA-IEC-62443 Exam Question 40
How many element groups are in the "Addressing Risk" CSMS category? Available Choices (select all choices that are correct)
Correct Answer: B
The "Addressing Risk" CSMS category consists of three element groups: Security Policy, Organization and Awareness; Selected Security Countermeasures; and Implementation of Security Program [1]. These element groups cover the aspects of defining the security objectives, roles and responsibilities, policies and procedures, awareness and training, security countermeasures selection and implementation, and security program execution and maintenance [1]. The "Addressing Risk" CSMS category aims to reduce the security risk to an acceptable level by applying appropriate security measures to the system under consideration (SuC) [1]. References: [1] ISA/IEC 62443-2-1: Security for industrial automation and control systems: Establishing an industrial automation and control systems security program.