Exam (elaborations) ISA 62443 IC33
- (True/False) All vulnerabilities lead to a consequence. - False
- (True/False) IACS functionality should be graphically represented on at least one IACS Architecture drawing. - True
- (True/False) ISA-95 functional layers are the same thing as the Purdue Enterprise Reference Architecture (PERA). - False
- (True/False) ISA-95 functional layers speak to functionality - NOT systems or network layers. - True
- (True/False) Not all vulnerabilities represent risk to an IACS network. - True
- (True/False) Vulnerability Analysis is the same thing as Cyber Risk Analysis. - False
- 4.2.3.1 Select a risk assessment methodology - The organization shall select a particular risk assessment and analysis approach and methodology that identifies and prioritizes risks based upon security threats, vulnerabilities and consequences related to their IACS assets.
- 4.2.3.10 Identify the reassessment frequency and triggering criteria - The organization shall identify the risk and vulnerability reassessment frequency as well as any reassessment triggering criteria based on technology, organization, or process changes.
- 4.2.3.11 Integrate physical, HSE and Cybersecurity risk assessment results - The results of physical, HSE and Cybersecurity risk assessments shall be integrated to understand the assets' overall risk.
- 4.2.3.12 Conduct risk assessments throughout the lifecycle of the IACS - Risk assessments shall be conducted through all stages of the technology lifecycle including development, implementation, updates, and retirement.
- 4.2.3.13 Document the risk assessment - The risk assessment methodology and the results of the risk assessment shall be documented.
- 4.2.3.2 Provide risk assessment background information - The organization should provide participants in the risk assessment activity with appropriate information, including methodology training, before beginning to identify the risks.
- 4.2.3.3 Conduct a high-level risk assessment - A high-level system risk assessment shall be performed to understand the financial and HS&E consequences in the event that availability, integrity, or confidentiality of the IACS is compromised.
- 4.2.3.4 Identify the industrial automation and control systems - The organization shall identify the various IACS, gather data about the devices to characterize the nature of the security risk, and group the devices into logically integrated systems.
- 4.2.3.5 Develop simple network diagrams - The organization shall develop simple network diagrams for each of the logically integrated systems showing the major devices, network types, and general locations of the equipment.
- 4.2.3.6 Prioritize systems - The organization shall develop the criteria and assign a priority rating for mitigating the risk of each logical control system.
- 4.2.3.7 Perform a detailed vulnerability assessment - The organization shall perform a detailed vulnerability assessment of its individual logical IACS, which may be scoped based on the high-level risk assessment results and prioritization of IACS subject to these risks.
- 4.2.3.8 Identify a detailed risk assessment methodology - The organization's risk assessment methodology shall include methods for prioritizing detailed vulnerabilities identified in the detailed vulnerability assessment.
- 4.2.3.9 Conduct a detailed risk assessment - The organization shall conduct a detailed risk assessment incorporating the vulnerabilities identified in the detailed vulnerability assessment.
- Achieved SLs (SL-A) - Actual level of security for a particular system, measured after a system design is available or in place. Used to determine if the security system is meeting the goals set in the SL-Ts.
- Architecture & Design Vulnerabilities - Weaknesses or flaws in the foundational structure and conceptual design of industrial automation and control systems (IACS), including inadequate security considerations, flawed architecture choices, and insufficient protection mechanisms.
- At a minimum, Network Diagrams should include... - Physical or logical connections; individual network devices represented symbolically; switch port assignments; VLANs; hosts (optional).
- Balancing Security and Cost - Perfect security is unaffordable. Thus, risk reduction is balanced against the cost of security measures intended to mitigate the risk.
- Benefits of Cyber Risk Assessments - Helps determine priority plants/processes, understand threats and vulnerabilities, intelligently design and apply countermeasures to reduce risk, prioritize activities and resources, and evaluate countermeasures based on their effectiveness versus cost/complexity.
- Capability SLs (SL-C) - This Security Level (SL) represents the inherent cybersecurity capability of components or systems when appropriately configured and integrated. It states the system's native ability to meet target SLs without needing additional compensating countermeasures.
- Communication & Network Vulnerabilities - Weaknesses or susceptibilities in the communication and networking components of industrial automation and control systems (IACS), including insecure protocols, inadequate segmentation, and lack of encryption. Addressing these vulnerabilities is crucial for maintaining secure and reliable communication within IACS.
- Components of a System Under Consideration (SUC) - The SUC, often defined using illustrations, includes the in-scope assets, perimeter, and access points. It can include subsystems like BPCSs, DCSs, SISs, SCADA, MES/MOMS, and Historians.
- Conducting a High-Level Vulnerability Assessment - A process that involves identifying benchmark standards; gathering information via interviews, questionnaires, drawings, and site visits; comparing performance with benchmarks across people, processes, and technology; and documenting and reporting the results.
- Conduit - The means through which electronic information can cross the logical boundary of a zone. It requires listing logical and physical access points, which include areas that allow for physical access to assets within the zone or conduit, like fences, doors, and enclosures.
- Configuration & Maintenance Vulnerabilities - Weaknesses in the setup and ongoing management of industrial automation and control systems (IACS), including insecure configurations, improper maintenance practices, and lack of monitoring and control mechanisms.
Written for
- Institution: ISA 62443 IC33
- Course: ISA 62443 IC33
Document information
- Uploaded on: July 19, 2024
- Number of pages: 21
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers
Subjects
- isa 62443 ic33 all questions with complete solut