Correct Answer: B

Phishing is a type of cyberattack that relies on a human weakness to succeed. Phishing is the practice of sending fraudulent emails or other messages that appear to come from a legitimate source, such as a bank, a government agency, or a trusted person, in order to trick the recipient into revealing sensitive information, such as passwords, credit card numbers, or personal details, or into clicking on malicious links or attachments that may install malware or ransomware on their devices. Phishing is a common and effective way of compromising the security of industrial automation and control systems (IACS), as it can bypass technical security measures by exploiting the human factor. Phishing can also be used to gain access to the IACS network, to conduct reconnaissance, to launch further attacks, or to cause damage or disruption to the IACS operations. The ISA/IEC 62443 series of standards recognize phishing as a potential threat vector for IACS and provide guidance and best practices on how to prevent, detect, and respond to phishing attacks. Some of the recommended countermeasures include: Educating and training the IACS staff on how to recognize and avoid phishing emails and messages, and how to report any suspicious or malicious activity. Implementing and enforcing policies and procedures for email and message security, such as using strong passwords, verifying the sender's identity, and not opening or clicking on unknown or unsolicited links or attachments. Applying technical security controls, such as antivirus software, firewalls, spam filters, encryption, and authentication, to protect the IACS devices and network from phishing attacks. Monitoring and auditing the IACS network and devices for any signs of phishing attacks, such as anomalous or unauthorized traffic, connections, or activities, and taking appropriate actions to contain and mitigate the impact of any incidents. References: ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models1 ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2 ISA/IEC 62443-2-4:2015, Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers3 ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels4 ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components5

Correct Answer: A

One of the primary goals of providing a framework addressing secure product development life-cycle requirements is to ensure that the development process of industrial automation and control systems (IACS) products is aligned with the security objectives and requirements of the ISA/IEC 62443 series of standards. The framework defines a secure development life-cycle (SDL) that covers all the phases of product development, from security requirements definition, to secure design, implementation, verification, validation, defect management, patch management, and product end-of-life. The framework also provides guidance on how to document and demonstrate compliance with the SDL requirements, as well as how to assess the security performance of the products using security levels. By following the framework, product suppliers can improve the security of their products and reduce the risk of vulnerabilities and exploits that may compromise the safety, integrity, reliability, and security of IACS. References: ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements1 ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components2

Correct Answer: C

API 1164 is an industry sector-specific standard that provides guidance on the cybersecurity of pipeline supervisory control and data acquisition (SCADA) systems. API stands for American Petroleum Institute, which is the largest U.S. trade association for the oil and natural gas industry. API 1164 was first published in 2004 and revised in 2009 and 2021. The latest version of the standard aligns with the ISA/IEC 62443 series of standards and incorporates the concepts of security levels, zones, and conduits. API 1164 covers the security lifecycle of pipeline SCADA systems, from risk assessment and policy development to implementation and maintenance. The standard also defines roles and responsibilities, security requirements, security controls, and security assessment methods for pipeline SCADA systems. References: API 1164: Pipeline SCADA Security, Fourth Edition, September 2021 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 2.2.2, Industry Sector-Specific Standards ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Specification, Section 2.2.2, Industry Sector-Specific Standards

Correct Answer: D

Asymmetric (public) key algorithms are a type of cryptographic algorithms that require more than one key. Asymmetric key algorithms use a pair of keys, one for encryption and one for decryption, that are mathematically related but not

identical1. The encryption key is usually made public, while the decryption key is kept private. This allows anyone to encrypt a message using the public key, but only the intended recipient can decrypt it using the private key1. Asymmetric key

algorithms are also known as public key algorithms or public key cryptography1. Asymmetric key algorithms are used for various purposes, such as digital signatures, key exchange, and encryption2. Some examples of asymmetric key

algorithms are RSA, Diffie-Hellman, ElGamal, and Elliptic Curve Cryptography2.

References: Asymmetric Algorithm or Public Key Cryptography - IBM, Cryptography 101:

Key Principles, Major Types, Use Cases and Algorithms | Splunk.

Correct Answer: C

At layer 4 of the OSI model, also known as the transport layer, the application that will handle a packet inside a host is identified by a TCP/UDP port number. A port number is a 16-bit integer that is assigned to a specific application or service that runs on a host. Port numbers are used to multiplex and demultiplex the data streams that are exchanged between hosts and end systems. Multiplexing is the process of combining multiple data streams into one, while demultiplexing is the process of separating one data stream into multiple ones. Port numbers are part of the header of the transport layer protocol data unit (PDU), which is called a segment for TCP and a datagram for UDP. The header contains the source port number and the destination port number, which indicate the applications that are involved in the communication. For example, if a host sends a packet to another host using the HTTP protocol, which runs on port 80 by default, the source port number would be a random number chosen by thesender, and the destination port number would be 80. The receiver would then use the destination port number to demultiplex the packet and deliver it to the HTTP application. Port numbers are divided into three ranges: well-known ports (0-1023), registered ports (1024-49151), and dynamic or private ports (49152-65535). Well-known ports are reserved for common and standardized applications and services, such as HTTP (80), FTP (21), and SSH (22). Registered ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific applications and services that request them, such as Skype (49175) and Minecraft (25565). Dynamic or private ports are not assigned by any authority and can be used by any application or service that needs them, such as ephemeral ports that are used for temporary connections. The other options are not valid identifiers for the application that will handle a packet inside a host at layer 4 of the OSI model. A TCP/UDP application ID is not a term that is used in the OSI model or the TCP/IP model. A TCP/UDP host ID is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 3, which is the network layer, where the host is identified by an IP address. A TCP/UDP registry number is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 5, which is the session layer, where the registry number is used to identify a session between two hosts. References: Transport Layer | Layer 4 | The OSI-Model1 OSI model - Wikipedia2 What is Layer 4 of the OSI Model? | Glossary | A10 Networks3 What Are the 7 Layers of the OSI Model? | Webopedia4

Correct Answer: A

According to the IEC 62443 standard, a capability security level (SL-C) is defined as "the security level that a component or system is capable of meeting when it is properly configured and protected by an appropriate set of security countermeasures" 1. A component or system can have different SL-Cs for different security requirements, depending on its design and implementation. The SL-C is determined by testing the component or system against a set of security test cases that correspond to the security requirements. The SL-C is not dependent on the actual operational environment or configuration of the component or system, but rather on its inherent capabilities. References: IEC 62443 - Wikipedia

Correct Answer: A

The ISA/IEC 62443 series of standards is organized into four main categories for documents, based on the topics and perspectives that they cover. These categories are: General, Policies and Procedures, System, and Component12. General: This category covers topics that are common to the entire series, such as terms, concepts, models, and overview of the standards1. For example, ISA/IEC 62443-1-1 defines the terminology, concepts, and models for industrial automation and control systems (IACS) security3. Policies and Procedures: This category focuses on methods and processes associated with IACS security, such as risk assessment, system design, security management, and security program development1. For example, ISA/IEC 62443- 21 specifies the elements of an IACS security management system, which defines the policies, procedures, and practices to manage the security of IACS4. System: This category is about requirements at the system level, such as security levels, security zones, security lifecycle, and technical security requirements1. For example, ISA/IEC 62443-3-3 specifies the system security requirements and security levels for zones and conduits in an IACS5. Component: This category provides detailed requirements for IACS products, such as embedded devices, network devices, software applications, and host devices1. For example, ISA/IEC 62443-4-2 specifies the technical security requirements for IACS components, such as identification and authentication, access control, data integrity, and auditability. The other options are not valid categories for documents in the ISA/IEC 62443 series of standards, as they either do not reflect the structure and scope of the standards, or they mix different aspects of IACS security that are covered by different categories. For example, end-user, integrator, vendor, and regulator are not categories for documents, but rather roles or stakeholders that are involved in IACS security. Assessment, mitigation, documentation, and maintenance are not categories for documents, but rather activities or phases that are part of the IACS security lifecycle. People, processes, technology, and training are not categories for documents, but rather elements or dimensions that are essential for IACS security. References: ISA/IEC 62443 Series of Standards - ISA1 IEC 62443 - Wikipedia2 ISA/IEC 62443-1-1: Concepts and models3 ISA/IEC 62443-2-1: Security management system4 ISA/IEC 62443-3-3: System security requirements and security levels5 ISA/IEC 62443-4-2: Technical security requirements for IACS components

Correct Answer: A

The application layer is the topmost layer of the OSI model, which provides the interface between the user and the network. It includes protocols specific to network applications such as email, file transfer, and reading data registers in a PLC. These protocols deliver and format information, possibly with encryption and security, to ensure reliable and meaningful communication between differentapplications. The application layer does not include user applications, which are separate from the network protocols. The application layer also does not provide the mechanism for opening, closing, and managing a session between end-user application processes, which is the function of the session layer. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, page 181 Using the ISA/IEC 62443 Standards to Secure Your Control System, page 82

Correct Answer: A

The primary responsibility of the network layer of the Open Systems Interconnection (OSI) model is to forward packets, including routing through intermediate routers. The network layer is the third layer from the bottom of the OSI model, and it is responsible for maintaining the quality of the data and passing and transmitting it from its source to its destination. The network layer also assigns logical addresses to devices, such as IP addresses, and uses various routing algorithms to determine the best path for the packets to travel. The network layer operates on packets, which are units of data that contain the source and destination addresses, as well as the payload. The network layer forwards packets from one node to another, using routers to switch packets between different networks. The network layer also handles host-to-host delivery, which means that it ensures that the packets reach the correct destination host. The other choices are not correct because:

B. Gives transparent transfer of data between end users. This is the responsibility of the transport layer, which is the fourth layer from the bottom of the OSI model. The transport layer provides reliable and error-free data transfer between end users, using protocols such as TCP and UDP. The transport layer operates on segments, which are units of data that contain the source and destination port numbers, as well as the payload. The transport layer also handles flow control, congestion control, and multiplexing.

C. Provides the rules for framing, converting electrical signals to data. This is the responsibility of the data link layer, which is the second layer from the bottom of the OSI model. The data link layer provides the means for transferring data between adjacent nodes on a network, using protocols such as Ethernet and WiFi. The data link layer operates on frames, which are units of data that contain the source and destination MAC addresses, as well as the payload. The data link layer also handles error detection, error correction, and media access control. D. Handles the physics of getting a message from one device to another. This is the responsibility of the physical layer, which is the lowest layer of the OSI model. The physical layer provides the means for transmitting bits over a physical medium, such as copper wire, fiber optic cable, or radio waves. The physical layer operates on bits, whichare the smallest units of data that can be either 0 or 1. The physical layer also handles modulation, demodulation, encoding, decoding, and synchronization. References: The OSI Model ?The 7 Layers of Networking Explained in Plain English1 Network Layer in OSI Model2 OSI model3

Correct Answer: C

Authorization is the process of granting or denying access to a network resource or function. Authorization (user accounts) must be granted based on specific roles, which are defined as sets of permissions and responsibilities assigned to a user or a group of users. Roles should be based on the principle of least privilege, which means that users should only have the minimum level of access required to perform their tasks. Roles should also be based on the principle of separation of duties, which means that users should not have conflicting or overlapping responsibilities that could compromise the security or integrity of the system. Authorization based on individual preferences or common needs for large groups is not recommended, as it could lead to excessive or unnecessary access rights, or to inconsistent or conflicting policies. Authorization based on system complexity is also not a good criterion, as it could result in overcomplicated or unclear roles that are difficult to manage or audit. References: ISA/IEC 62443-3-3:2013 - Security for industrial automation and control systems - Part 3-3: System security requirements and security levels1 ISA/IEC 62443-2-1:2010 - Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2 ISA/IEC 62443-4-1:2018 - Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements3