ISA/IEC 62443 Standard Course IC32M

Questions and Answers

How are these three terms defined in the 62443 standards?: Electronic Security, Control System, Cybersecurity?

Electronic Security is defined as the actions required to protect critical systems, informational assets, unauthorized uses, denial of service, modifications, disclosure, loss of revenue, destruction, pretty much anything. A control system is defined as hardware and software components of an industrial automation and control system, IACS, or sometimes pronounced eye-axe. Then, cybersecurity is defined as measures taken to protect a computer or a computer system against unauthorized access or attacks.

What are some implications of using commercial off-the-shelf components in a control system?

Increased connectivity and use of common protocols (correct)

Isolation or separation of business and operational networks can be difficult or impossible (correct)

Potential adversaries are more familiar with the technology (correct)

Remote access may broaden the network's attack surface (correct)

The "5-4-3-2" rule states the maximum transmission path is composed of 5 segments linked by 4 repeaters. It allows up to 3 coax segments and 2 link segments.

True (A)

What are some aspects of the “7-Layer Networking Model? (ISO/OSI)”

It helps to represent the many layers of information in a network (B), It helps to understand how low-level transport mechanisms relate to your product design (C)

The 7-Layer Networking Model (ISO/OSI) is a hierarchical model.

True (A)

Which type of network is most commonly used in a factory environment?

LAN (A)

What are the common Network Architecture approaches to enhance cybersecurity?

Split flat networks into zones and conduits (A), Consider what is trusted or untrusted network (B), Use cryptography with virtual private networks (C), All of the above (D)

Firewalls can be implemented as an application installed on a general purpose computer, or as a dedicated platform and appliance.

True (A)

What are the three common classes of firewalls, be sure to include an example of each and an explanation of why they are used?

The three common classes of firewalls are Packet Filter Firewall, Stateful Inspection Firewall, and Application Proxy and DPI Firewall. A Packet Filter Firewall examines only the headers of each packet of information (source, destination, function, port). It accepts or rejects packets based on Access Control Lists (ACLs). These firewalls are fast and cheap, but their functionality is limited. Administrators can create ACLs based on the IP address, protocols, and packet attributes. A Stateful Inspection Firewall tracks the relationships between packets in session by inspecting packet structure and sequence. These firewalls are relatively fast, flexible, and offer improved security, but they can be spoofed by an attacker. They can be either hardware-based (e.g. Cisco ASA, Tofino) or server-based (e.g. Checkpoint Firewall-1). Application Proxy and DPI firewalls operate at the application level. They act as an intermediary. These firewalls accept connections and requests from a client and then interpret the incoming data. This data is then re-issued to the target device. This class of firewall provides strong security; however, they are slower and process intensive.

What are the important considerations when making decisions about network security?

All of the above (D)

Firewalls are easy to install but difficult to configure.

True (A)

IACS firewalls are typically designed with an industrial form factor for robustness. Features include heat sinks instead of fans to reduce noise and increase the life span of the device, and they are designed with knowledge of industrial protocols.

True (A)

Unidirectional Gateways (Data Diodes) allow data to travel in one direction only and can successfully remove most negligent user and misconfiguration errors.

True (A)

Intrusion Detection Systems (IDS) can be implemented as:

Both A and B (B)

Intrusion Detection Systems (IDS) add the ability to act on intrusion detection by automatically blocking malicious activity.

False (B)

What are some best practices for implementing IDS?

Deploy an Intrusion Prevention System (IPS) with extreme care (A), Use enhanced IT/IDS signatures with SCADA IDS Signatures (B), Distribute deployment by installing NIDS at zone entry points (C), All of the above (D)

Unified Threat Management (UTM) offers single appliances with multiple security features.

True (A)

Virtual Private Networks (VPNs) use a public telecommunication infrastructure

Both A and B (B)

The two endpoints of a site-to-site VPN are intermediary devices that pass traffic from a trusted network to another trusted network while relying on the VPN technology to secure the traffic on the untrusted transport network

True (A)

Network segmentation can be applied to zones and conduits, where a separation of business and control networks is recommended to improve security.

True (A)

In industrial networking, a firewall is a must between the plant floor and the rest of the company, and using a router is an equally effective option.

False (B)

Using a demilitarized zone (DMZ) between the enterprise and process control networks is not an effective approach to cybersecurity in an industrial environment

False (B)

Distributing security appliances provides defense-in-depth approach to key assets like the DCS controllers.

True (A)

The ISA/IEC 62443 standards provide requirements for service providers that specify procedures and technologies that are considered secure.

True (A)

The standard ISA/IEC 62443 provides a general definition for IACS which includes components, systems, automation solutions, and the people involved in their operation.

True (A)

What is ISA Secure Conformance?

An independent certification of IACS products that are robust against attack vectors and free from known vulnerabilities (B)

Part 4-1 of the ISA/IEC 62443 standards defines requirements for a product developers security development lifecycle, whereas Part 4-2 defines technical requirements for the components, systems, and automation solution of any given IACS.

True (A)

The ISA/IEC 62443 standards are used to define cybersecurity profiles.

False (B)

Flashcards

ISA/IEC 62443

A set of standards aimed at securing industrial automation and control systems.

Cybersecurity Importance

Vital for protecting control systems from unauthorized access and attacks.

Control System

Hardware and software components that monitor and control physical processes.

Cybersecurity Measures

Actions taken to protect computer systems from cyber threats.

Threat Landscape

Overview of potential cyber threats facing an organization.

Defense-in-Depth

A security strategy that uses multiple layers of defense.

Ransomware

Malware that encrypts a victim's data and demands payment for access.

ISO 27000

A series of standards for information security management.

IACS

Industrial Automation and Control Systems, including personnel, hardware, and software.

Vulnerability

A weakness in a system that can be exploited by threats.

Availability

The property of a system that ensures it's operational and accessible.

CIA Triad

A model for information security that includes Confidentiality, Integrity, and Availability.

Incident Response

Activities to manage and mitigate the impact of a cybersecurity incident.

Patch Management

The process of keeping software up to date to fix known vulnerabilities.

Security Awareness

Understanding of security policies and threats among personnel.

Risk Management

The process of identifying, assessing, and controlling threats to an organization.

Malware

Malicious software designed to harm or exploit any programmable device.

Quizzes

Short tests at the end of each module to verify understanding.

Cyber Risk Equation

A formula that assesses threat, vulnerability, and consequence.

System Security Requirements

Specifications for security features and capabilities for IACS.

IEC

The International Electrotechnical Commission, which develops international standards.

NIST

National Institute of Standards and Technology, agency for standards and guidelines.

Collaboration

Working together with other organizations to improve security.

Audit

A systematic examination of an organization's information security controls.

Common Myths

Misconceptions about cybersecurity in control systems.

Detection in Depth

Techniques used to identify and respond to security threats at various levels.

Segmentation

Dividing a network into segments to enhance security.

COTS

Commercial off-the-shelf products that can create security issues.

Nature of Cybersecurity

The evolving and complex landscape of threats in the digital world.

Study Notes

Course Information

• ISA/IEC 62443 Standard to Secure Your Control Systems
• Course IC32M (Online)
• Participant Noteset
• Volume I

Copyright Information

• Copyright © ISA
• All rights reserved.
• Unauthorized reproduction or distribution is illegal.

Training Equipment Donors

• Companies donated equipment for use in hands-on training labs.
• This increased their industry recognition.

Course Presentation

• Course materials are available from ISA's LMS.

Course Contributors

• A global team of cybersecurity SMEs worked on the course.
• Specific individuals are listed for the most recent version.

Course Goals

• Describe the need and importance of control system security.
• Describe the need and importance of awareness as a countermeasure.
• Describe the structure and content of ISA/IEC 62443.
• Define the principles behind the creation of an effective long-term security program.
• Discuss the basics of risk analysis, industrial networking, and network security.
• Discuss fundamental concepts that form the basis of ISA/IEC 62443 standards.
• Describe how to apply key risk mitigation techniques.
• Describe how secure software development strategies can make systems inherently more secure.
• Describe how to validate or verify the security of systems.
• Describe security profiles for ISA/IEC 62443.

Topics in Module 1

• What is Control System Cybersecurity?
• Trends in Control System Cybersecurity
• Potential Consequences
• Malware Events and Trends
• Common Myths Regarding IACS Security
• Concepts
• Awareness

Module Objectives

• Describe the need and importance of control system security.
• Discuss current trends in control system cybersecurity and how they could affect control systems.
• Analyze the differences between IT and IACS.
• Recognize there are still myths that exist regarding cybersecurity in IACS environments.
• Explain how awareness can be an effective countermeasure to reduce risks in an IACS environment.

What is Control System Cybersecurity?

• Electronic security - actions required to protect critical systems or informational assets from unauthorized use, denial of service, modifications, disclosure, loss of revenue, and destruction.
• Industrial Automation and Control Systems (IACS) - hardware and software components.
• Cybersecurity - measures taken to protect a computer or computer system against unauthorized access or attacks.

Trends in Control System Cybersecurity

• Increase in malicious code attacks
• Tools to automate attacks
• Increased remote monitoring and access
• More commercial off-the-shelf (COTS) offerings
• More unauthorized attempts

Implications of the Trends

• Commercial off the shelf (COTS) components and increased connectivity
• Potential adversaries familiar with the technology
• Many common risks with business systems
• Remote access broadens the attack surface
• Isolation or separation of business and operational is difficult, especially with legacy equipment
• More vulnerabilities in IACS components are being published and used by attackers

Potential Consequences

• Unauthorized access, theft, or misuse of data
• Loss of integrity or reliability of the control system
• Loss of control system availability
• Equipment damage
• Personnel injury
• Violations of legal and regulatory requirements

Potential Consequences for Society

• Large number of people poisoned because of water manipulation
• Disruption of normal life due to large-scale electricity grid outages
• Large number of injured people
• Fatalities due to plant explosions
• People receiving wrong medicine due to recipe alterations

Ransomware

• A type of malicious attack that encrypts an organization's data and demands payment for access restoration.
• High profile incidents ranking among the top threats.

Threat Landscape

• Many government agencies are issuing alerts and reports due to increasing attacks on industrial control systems and critical infrastructure.
• A variety of resources are provided for further exploration.

Malware Events and Trends

• Stuxnet - claimed to be the first global digital weapon, mainly targeting Iran’s centrifuges
• Shamoon - destructive malware, wiped 30,000 computers at Saudi Aramco and targeted a Saudi company and Italian oil and gas company
• Windows OS is a major target for malware.

Cyberattack Example - Ukrainian Power Grid

• Real-life example of a nation state attack via phishing.

Five Common Myths Regarding IACS Security

• We don't connect to the internet.
• Control systems are behind a firewall.
• Hackers don't understand control systems.
• Our facility is not a target; our safety systems protect us.

Myth #1 - We don't connect to the internet

• Internet connected devices can be discovered on Shodan.

Myth #2 - Control Systems are behind a firewall

• Firewalls are often misconfigured.

Myth #3 - Hackers don't understand control systems

• Hackers now use more sophisticated means, including using hacking as a service.

Myth #4 - Our facility is not a target

• Our facility is a potential target.

Myth # 5 - Our safety systems will protect us

• Even sophisticated systems can be defeated by attackers..

Differences Between IT and IACS

• IACS Security must accommodate HSE.
• IACS and IT need to cooperate.

Different Security Priorities

• IT prioritize confidentiality, integrity, and availability.
• IACS prioritize availability and integrity over confidentiality.

Different Performance Requirements

• IT - reliable response; high throughput; tolerant to high delay and jitter
• IACS- time critical response; modest throughput; high delay is not tolerated.

Different Availability Requirements

• IT - some failures/reboots are tolerated.
• IACS- continuous operation; no tolerated outages.

Different Operating Environments

• IT - typically uses standard OS, upgrades relatively easy.
• IACS - typically uses special embedded OS, upgrades are challenging, and have constrained resources.

Different Risk Management Goals

• IT - Data confidentiality and integrity are paramount
• IACS - HSE and production are paramount (integrity and availability).

Security Levels

• SL 0 - no specific requirements necessary
• SL 1 - protect against casual violation
• SL 2 - protection against intentional violation using simple means
• SL 3 - protection using sophisticated means and moderate resources
• SL 4 - protection using sophisticated means, requiring extensive resources.

Risk Equation

• Risk = Likelihood × Vulnerability × Consequence

Risk Response and Tolerance

• Design the risk out
• Reduce the risk
• Accept the risk
• Transfer or share the risk
• Eliminate or redesign controls

Use Case - Financial Impact

• A sample use case of risk assessment for financial reasons.

Risk Level Matrix

• A tool used in determining risk response.

Knowledge Check (Module 1)

• Correctly identify answers to questions regarding cybersecurity, IACS, and related topics.

Module 2 Overview

• Key topics: Regulations and standards, ISA/IEC 62443 Series and the ISA99 Committee.

Module 3 Overview

• Key topics: ISA/IEC 62443 Models, Security Levels and Lifecycle.

Module 4 Overview

• Key topics: Establishing an industrial automation and control systems security program.

Module 5 Overview

• Key topics: Evolving security standards and practices.

Module 6 Overview

• Key topics: Industrial networking basics (Layers 1-7).

Module 7 Overview

• Key topics: Network security basics, addressing security, network attack methods.

Module 8 Overview

• Key topics: Industrial Protocols, specifically Modbus and OPC

Module 10 Overview

• Key topics: Introduction to patch management in the IACS Environment

Module 11 Overview

• Key topics: Security Risk Assessment and System Design

Module 12 Overview

• Key topics: Security Program Requirements for IACS Service Providers.

Glossary of Terms

Description

This quiz covers the ISA/IEC 62443 standard for securing control systems, focused on the first volume of the course IC32M. You'll explore the principles of control system security, the importance of awareness, and the structure of ISA/IEC 62443. Enhance your understanding of industrial cybersecurity and develop your skills in risk analysis.