A.  

Cybersecurity requirements specification and detailed cyber risk assessment

B.  

Cybersecurity requirements specification and allocation of IACS assets to zones and conduits

C.  

Detailed cyber risk assessment and cybersecurity maintenance, monitoring, and management of change

D.  

Allocation of IACS assets to zones and conduits, and detailed cyber risk assessment

A.  

Risk management

B.  

Agile development

C.  

Continuous integration

D.  

Defense-in-depth strategy

A.  

Budgeting

B.  

New technical controls

C.  

Organizational restructuring

D.  

Security incident exposing previously unknown risk.

A.  

6-x

B.  

5-x

C.  

4-x

D.  

3-x

A.  

No dedicated malware has been found targeting safety systems specifically.

B.  

Even the most modern and sophisticated safety systems can be defeated by an attacker.

C.  

Safety systems are an independent protection layer and as such have no cybersecurity vulnerabilities.

D.  

By integrating control and safety systems via Modbus TCP, cybersecurity risks are at a tolerable level.

A.  

All phases

B.  

Design and Implement phases

C.  

Verification and Validation phase only

D.  

Operate and Maintain phases exclusively

A.  

Security zones should contain assets that share common security requirements.

B.  

Security zones should align with physical network segments.

C.  

Assets within the same logical communication network should be in the same security zone.

D.  

All components in a large or complex system should be in the same security zone.

A.  

An exploitable flaw in management

B.  

An event that could breach security

C.  

The potential for violation of security

D.  

The result that occurs from a particular incident

A.  

New security requirements can be added freely.

B.  

Only foundational requirements can be changed.

C.  

No new requirements are added and existing ones are not modified.

D.  

Existing security requirements can be modified to fit sector needs.

A.  

By ignoring downtime and costs

B.  

Only after a cyberattack has occurred

C.  

As part of the broader risk management strategy

D.  

As a purely technical task with no business implications

A.  

Failure Mode and Effects Analysis

B.  

Job Safety Analysis

C.  

Process Hazard Analysis (PHA)

D.  

System Safety Analysis (SSA)

A.  

Introduction of a new PDCA cycle framework

B.  

Elimination of duplication of ISMS requirements

C.  

Removal of supply chain security considerations

D.  

Focus only on individual system components rather than overall system

A.  

Aligned development process

B.  

Aligned needs of industrial users

C.  

Well-documented security policies and procedures

D.  

Defense-in-depth approach to designing

A.  

2

B.  

3

C.  

4

D.  

5

A.  

Controllers, sensors, transmitters, and final control elements

B.  

Wiring, routers, switches, and network management devices

C.  

Ferrous, thickwall, and threaded conduit including raceways

D.  

Power lines, cabinet enclosures, and protective grounds

A.  

Part 1-1: Terminology, concepts, and models; Part 1-2: Master glossary of terms and definitions; Part 1-3: Security program ratings; and Part 1-4: IACS security lifecycle and use cases

B.  

Part 1-1: Terminology, concepts, and models; Part 1-2: Master glossary of terms and definitions; Part 1-3: Security technologies for IACS; and Part 1-4: IACS security lifecycle and use cases

C.  

Part 1-1: Terminology, concepts, and models; Part 1-2: Master glossary of terms and definitions; Part 1-3: System security conformance metrics; and Part 1-4: IACS security lifecycle and use cases

D.  

Part 1-1: Terminology, concepts, and models; Part 1-2: Master glossary of terms and definitions; Part 1-3: System security conformance metrics; and Part 1-4: Security program requirements for IACS service providers

A.  

New security requirements can be added freely.

B.  

Only foundational requirements can be changed.

C.  

No new requirements are allowed, and existing ones are not modified.

D.  

Existing security requirements can be modified to fit the sector needs.

A.  

PROFIBUS DP

B.  

PROFIBUS PA

C.  

PROFINET

D.  

PROF1SAFE

A.  

Hub

B.  

Router

C.  

Switch

D.  

Firewall

A.  

Level 1: Supervisory Control

B.  

Level 2: Quality Control

C.  

Level 3: Operations Management

D.  

Level 4: Process

A.  

Datagram Transport Layer Security (DTLS)

B.  

Microsoft Point-to-Point Encryption

C.  

Secure Telnet

D.  

Secure Sockets Layer

A.  

Risk evaluation and risk identification

B.  

Business rationale and risk reduction and avoidance

C.  

Business rationale and risk identification and classification

D.  

Business recovery and risk elimination or mitigation

A.  

If a low priority, there is no need to apply the patch.

B.  

If a medium priority, schedule the installation within three months after receipt.

C.  

If a high priority, apply the patch at the first unscheduled outage.

D.  

If no problems are experienced with the current IACS, it is not necessary to apply the patch.

A.  

Initiate the CSMS program.

B.  

Conduct an initial/high-level risk assessment.

C.  

Create reference architecture.

D.  

Establish policy, organization, and awareness.

A.  

The asset owner

B.  

The product vendor

C.  

The external auditor

D.  

The system integrator

A.  

Denial-of-service

B.  

Phishing

C.  

Escalation-of-privileges

D.  

Spoofing

A.  

During the design phase

B.  

At the beginning of the project

C.  

After the handover of the solution

D.  

Before the handover of the solution

A.  

Internal sabotage

B.  

Nation state

C.  

Insider threat

D.  

Random hacking

A.  

American Society for Industrial Security

B.  

Automation Federation

C.  

National Institute of Standards and Technology

D.  

Security Compliance Institute

A.  

Vector approaches eliminate the need for risk models.

B.  

Vector approaches are always more accurate than qualitative methods.

C.  

Vector values should be ignored if they do not match industry standards.

D.  

Vector values must align with the asset owner’s risk matrix and risk appetite.

A.  

TLS

B.  

L2TP

C.  

PPTP

D.  

IPsec

A.  

Root cause analysis

B.  

User interface improvements

C.  

The cost of patch development

D.  

Marketing strategy for the product

A.  

Increased product sales

B.  

Endangerment of public safety

C.  

Loss of proprietary information

D.  

Economic and operational losses

A.  

A qualitative risk assessment method

B.  

A single protection factor for all FRs

C.  

The FR values for a specific zone's security level

D.  

The SL values for a specific zone's foundational requirements

A.  

Notification

B.  

File authenticity

C.  

Removal procedure

D.  

Qualification and verification

A.  

Phishing

B.  

Ransomware

C.  

DDoS attack

D.  

Malware variant

A.  

Vendors and suppliers

B.  

Employees

C.  

All personnel

D.  

Temporary staff

A.  

IACS tolerates occasional failures while IT does not.

B.  

Rebooting is never acceptable in IT but tolerated in IACS.

C.  

Both IACS and IT have the same availability requirements.

D.  

Continuous operation is expected in IT while scheduled operation is sufficient for IACS.

A.  

Individual preferences

B.  

Common needs for large groups

C.  

Specific roles

D.  

System complexity

A.  

Zone model

B.  

Asset model

C.  

Reference model

D.  

Reference architecture

A.  

Control System Management System

B.  

Control System Monitoring System

C.  

Cyber Security Management System

D.  

Cyber Security Monitoring System

A.  

Financial investment records in cybersecurity tools only

B.  

Anecdotal reports from employees about security practices

C.  

Documentation verifying use and configuration of technologies

D.  

Marketing materials describing the company's commitment to security

A.  

An open standard protocol for real-time field bus communication between automation technology devices

B.  

An open standard protocol for the communication of real-time data between devices from different manufacturers

C.  

An open standard serial communications protocol widely used in industrial manufacturing environments

D.  

A vendor-specific proprietary protocol for the communication of real-time plant data between control devices

A.  

IEC PAS

B.  

ISO/IEC 27001

C.  

ISO/IEC 27019

D.  

NIST SP 800-53

A.  

ISA/IEC 62443-2-1

B.  

ISA/IEC 62443-3-1

C.  

ISA/IEC 62443-3-2

D.  

ISA/IEC 62443-3-3

A.  

CSMS development

B.  

Cybersecurity awareness programs

C.  

Control systems adjustment programs

D.  

ISCS cybersecurity certification programs

A.  

Common Component Security Criteria

B.  

Common Component Security Constraints

C.  

Centralized Component Security Compliance

D.  

Comprehensive Component Security Controls

A.  

SL1

B.  

SL2

C.  

SL3

D.  

SL4

A.  

ISA/IEC 62443-2-1

B.  

ISA/IEC 62443-2-4

C.  

ISA/IEC 62443-3-3

D.  

ISA/IEC 62443-4-2

A.  

COBIT 5

B.  

PCI DSS

C.  

ISO 9001

D.  

ISA/IEC 62443

A.  

Router

B.  

Switch

C.  

Firewall

D.  

Host-based IDS

A.  

If a low priority, there is no need to apply the patch.

B.  

If a medium priority, schedule the installation within three months after receipt.

C.  

If a high priority, apply the patch at the first unscheduled outage.

D.  

If no problems are experienced with the current IACS, it is not necessary to apply the patch.

A.  

The IACS security priority is integrity.

B.  

The IT security priority is availability.

C.  

IACS cybersecurity must address safety issues.

D.  

Routers are not used in IACS networks.

A.  

Software development security assurance, functional security assessment, and communications robustness testing

B.  

Software robustness security testing, functional software assessment assurance, and essential security functionality assessment

C.  

Communications robustness testing, functional security assurance, and software robustness communications

D.  

Communication speed, disaster recovery, and essential security functionality assessment

A.  

2

B.  

3

C.  

4

D.  

5

A.  

Regulations are voluntary documents.

B.  

Regulations contain only informative elements.

C.  

Cybersecurity risks can best be managed individually and in isolation.

D.  

There are a limited number of enforced cybersecurity and physical security regulations.

A.  

To classify data according to sensitivity levels

B.  

To prevent attacks originating outside the IACS

C.  

To manage user identity persistence effectively

D.  

To ensure backup verification processes run smoothly

A.  

Department of Energy

B.  

Nuclear Regulatory Commission

C.  

Department of Homeland Security

D.  

Transportation Security Administration

A.  

All assets in the zone must be from the same vendor.

B.  

All assets in the zone must share the same security requirements.

C.  

All assets in the zone must be at the same level in the Purdue model.

D.  

All assets in the zone must be physically located in the same area.

A.  

To inform about hardware upgrades

B.  

To advertise cybersecurity services

C.  

To notify the owners of critical infrastructure

D.  

To alert of targeted global energy sector threats

A.  

Patches should be applied as soon as they are available.

B.  

Patches should be applied within one month of availability.

C.  

Patches never should be applied in an IACS environment.

D.  

Patches should be applied based on the organization's risk assessment.

A.  

Patch management guidance

B.  

Security technologies for ICS and IACS

C.  

Security evaluation methodology for Part 2-4

D.  

System security requirements, phases, and levels

A.  

Notification

B.  

File authenticity

C.  

Removal procedure

D.  

Qualification and verification

A.  

To create new cybersecurity technologies

B.  

To replace existing cybersecurity standards

C.  

To enhance the resilience of critical infrastructure

D.  

To provide a certification for organizations

A.  

By having zones within zones, or subzones, that provide layered security

B.  

By having a zone edge that is using the security policies of the asset owner

C.  

By having zones that are connected via using the latest version of SSL

D.  

By having zones that separate sensors from actuators, that provide layered security

A.  

Allow all traffic by default.

B.  

Allow IACS devices to access the Internet.

C.  

Allow traffic directly from the IACS network to the enterprise network.

D.  

Block all traffic by default.

A.  

Tabletop exercises

B.  

Password hygiene campaign

C.  

Architecture awareness workshops

D.  

Anomaly detection drills for operators

A.  

LAN, portable media, and wireless

B.  

LAN, portable media, and hard drives

C.  

LAN, power source, and wireless OD.

D.  

LAN, WAN, and hard drive