A.  

Vendors and suppliers

B.  

Employees

C.  

All personnel

D.  

Temporary staff

A.  

Network

B.  

Transport

C.  

Application

D.  

Data link

A.  

Marketing

B.  

Operations

C.  

IT security

D.  

Physical security

A.  

During the design phase

B.  

At the beginning of the project

C.  

After the handover of the solution

D.  

Before the handover of the solution

A.  

Forwards packets, including routing through intermediate routers

B.  

Gives transparent transfer of data between end users

C.  

Provides the rules for framing, converting electrical signals to data

D.  

Handles the physics of getting a message from one device to another

A.  

Risk evaluation and risk identification

B.  

Business rationale and risk reduction and avoidance

C.  

Business rationale and risk identification and classification

D.  

Business recovery and risk elimination or mitigation

A.  

ISA/IEC 62443-3-1

B.  

ISA/IEC 62443-3-2

C.  

ISA/IEC 62443-3-3

D.  

ISA/IEC 62443-3-4

A.  

Privilege escalation

B.  

Buffer overflow

C.  

Unauthorized access

D.  

Race conditions

A.  

Policies and procedures

B.  

System technology aspects

C.  

General standards and reports

D.  

Component security requirements

A.  

Packet filter

B.  

Network monitor

C.  

Application proxy

D.  

Stateful inspection

A.  

Failure Mode and Effects Analysis

B.  

Job Safety Analysis

C.  

Process Hazard Analysis (PHA)

D.  

System Safety Analysis (SSA)

A.  

No dedicated malware has been found targeting safety systems specifically.

B.  

Even the most modern and sophisticated safety systems can be defeated by an attacker.

C.  

Safety systems are an independent protection layer and as such have no cybersecurity vulnerabilities.

D.  

By integrating control and safety systems via Modbus TCP, cybersecurity risks are at a tolerable level.

A.  

General. Policies and Procedures. System, and Component

B.  

End-User, Integrator, Vendor, and Regulator

C.  

Assessment. Mitigation. Documentation, and Maintenance

D.  

People. Processes. Technology, and Training

A.  

Overtime pay is required for technicians.

B.  

Many more approvals are required.

C.  

Patching a live automation system can create safety risks.

D.  

Business systems automatically update.

A.  

Create a security management organization.

B.  

Define an information security policy.

C.  

Implement strict security controls.

D.  

Perform a security risk assessment.

A.  

They primarily target personal devices.

B.  

They focus solely on financial institutions.

C.  

They affect suppliers of essential services.

D.  

They lead to improved cybersecurity measures.

A.  

Initiate the CSMS program.

B.  

Conduct an initial/high-level risk assessment.

C.  

Create reference architecture.

D.  

Establish policy, organization, and awareness.

A.  

Datagram Transport Layer Security (DTLS)

B.  

Microsoft Point-to-Point Encryption

C.  

Secure Telnet

D.  

Secure Sockets Layer

A.  

Level 4 systems must use the DMZ to communicate with Level 3 and below.

B.  

Level 0 can only interact with Level 1 through the firewall.

C.  

Internet access through the firewall is allowed.

D.  

Email is prevented, thereby mitigating the risk of phishing attempts.

A.  

Security technologies for IACS

B.  

Cybersecurity risk assessment and system design

C.  

Secure product development lifecycle requirements

D.  

Technical security requirements for IACS components

A.  

2

B.  

3

C.  

4

D.  

5

A.  

Firewalls

B.  

Tunnels

C.  

Pathways

D.  

Conduits

A.  

An exploitable flaw in management

B.  

An event that could breach security

C.  

The potential for violation of security

D.  

The result that occurs from a particular incident

A.  

A programming language

B.  

A network security standard

C.  

A type of industrial machinery

D.  

A serial communications protocol

A.  

Asset owners

B.  

Service providers

C.  

Product suppliers

D.  

System integrators

A.  

Application layer

B.  

Data link layer

C.  

Session layer

D.  

Transport layer

A.  

Industrial Automation and Control Systems

B.  

Industrial Associations and Control Systems

C.  

Integrated Automation and Control Systems

D.  

International Automated and Control Systems

A.  

All assets in the zone must be from the same vendor.

B.  

All assets in the zone must share the same security requirements.

C.  

All assets in the zone must be at the same level in the Purdue model.

D.  

All assets in the zone must be physically located in the same area.

A.  

Organizational lack of communication

B.  

Failure to relate to the mission of the organization

C.  

Insufficient documentation due to lack of good follow-up

D.  

Immediate jump into detailed risk assessment

A.  

Many other elements in the CSMS

B.  

(Elements external to the CSMS

C.  

Only the Assessment element

D.  

Only the Risk ID element

A.  

Risk management

B.  

Agile development

C.  

Continuous integration

D.  

Defense-in-depth strategy

A.  

To replace relays

B.  

To service I/O exclusively

C.  

To enhance network security

D.  

To improve Ethernet functionality

A.  

2

B.  

3

C.  

4

D.  

5

A.  

Foundational requirements

B.  

Output from a risk assessment

C.  

Security levels

D.  

System design

A.  

Firewalls and unexpected protocols being used

B.  

IDS sensors deployed within multiple zones in the production environment

C.  

Role-based access control and unusual data transfer patterns

D.  

Role-based access control and VPNs

A.  

Building Automation and Control Network (BACnet)

B.  

Common Industrial Protocol

C.  

Highway Addressable Remote Transducer (HART)

D.  

Object Linking and Embedding (OLE) for Process Control

A.  

Hub

B.  

Router

C.  

Switch

D.  

Firewall

A.  

Router

B.  

Switch

C.  

Firewall

D.  

Host-based IDS

A.  

Failure Mode and Effects Analysis

B.  

Job Safety Analysis (JSA)

C.  

Process Hazard Analysis (PHA)

D.  

System Safety Analysis (SSA)

A.  

Common Component Security Criteria

B.  

Common Component Security Constraints

C.  

Centralized Component Security Compliance

D.  

Comprehensive Component Security Controls

A.  

Department of Energy

B.  

Nuclear Regulatory Commission

C.  

Department of Homeland Security

D.  

Transportation Security Administration

A.  

Human error

B.  

Hardware failure

C.  

Malware incidents

D.  

Network congestion

A.  

62443-1-1

B.  

62443-3-2

C.  

62443-3-3

D.  

62443-4-1

A.  

Internet

B.  

Enterprise WANs

C.  

Local area networks

D.  

Carrier-managed WANs

A.  

Risk assessment

B.  

Managing changes

C.  

Allocating assets to security zones

D.  

Designing cybersecurity countermeasures