IEC 62443 Exam Questions and Answers
100% Correct
IACS - ANSWER-Industrial Automation and Control Systems. Example: A nuclear
power plant control room
Threat - ANSWER-The adversary's goals or what they might try to do a system.
Example: steal money or steal passwords.
Threat Agent - ANSWER-The attacker or adversary. Example: some bad guy in North
Korea.
Asset - ANSWER-An abstract or concrete resource that must be protected from misuse
by an adversary. Example: Credit card number, web server
Attack pattern - ANSWER-General strategies an adversary might use to break into a
system. Not a specific vulnerability. Example: SQL injection, or buffer overflow
Exploit - ANSWER-Instance of an attack pattern. Taking advantage of a specific flaw to
do something bad. Example: buffer overflow in a JSON parsing library
Attack - ANSWER-Act of carrying out an exploit
ICS - ANSWER-Industrial control systems
CRT testing - ANSWER-Communication Robustness testing
Cyber Priorities of an IT department - ANSWER-(1) Confidentiality (2) integrity (3)
availability
Cyber Priorities for ICS - ANSWER-(1) availability (2) integrity (3) confidentiality
ISO 27001 - ANSWER-General IT security certification
Software security assurance - ANSWER-Security level of software depends on the
consequences of the software being compromised. Example: Wikipedia needs less
security than a nuclear power plant
4 main themes of IEC 62443 - ANSWER-(1) General
(2) Policies and Procedures
(3) System
(4) Component
, 8 fundamental practices in IEC 62443 - ANSWER-(1) Security management
(2) Specification of security requirements
(3) Secure by design
(4) Secure implementation
(5) Security verification and validation testing
(6) Management of security related issues
(7) Security update management
(8) Security guidelines
Maturity levels - ANSWER-Define security for components, processes, and product
development
4 types of 62443 Certifications - ANSWER-(1) Process certification
(2) Device certification
(3) System certification
(4) Personnel certification
Why should negative requirements be avoided? - ANSWER-They are hard to test
Integrity check - ANSWER-Verify the signature of data in transit or at rest. Required by
IEC 62443.
Non-repudiation - ANSWER-Somebody cannot deny they did something because you
have an audit trail
Security levels - ANSWER-Use to asses the security of an asset or zone in IEC 62443
How long does an IEC 62443 cert often take? - ANSWER-6 months to 1 year
How long are exida IEC 62443 certs valid for? - ANSWER-3 years, with a easy 3 year
extension
IEC 62443 certs that do not expire - ANSWER-Are often only valid for a specific binary
image of a piece of software. No updates can be made.
ICS CERT - ANSWER-Vulnerability database for industrial control systems
Two attacck methodologies - ANSWER-Lockheed Martin Kill Chain
Common Attack Methodology
Rootkit - ANSWER-Program that allows an attacker to access and manipulate some
low-level functionality in a machine
CAPEC - ANSWER-Common Attack Pattern Enumeration and Classification - a official
list of methods used to attack
100% Correct
IACS - ANSWER-Industrial Automation and Control Systems. Example: A nuclear
power plant control room
Threat - ANSWER-The adversary's goals or what they might try to do a system.
Example: steal money or steal passwords.
Threat Agent - ANSWER-The attacker or adversary. Example: some bad guy in North
Korea.
Asset - ANSWER-An abstract or concrete resource that must be protected from misuse
by an adversary. Example: Credit card number, web server
Attack pattern - ANSWER-General strategies an adversary might use to break into a
system. Not a specific vulnerability. Example: SQL injection, or buffer overflow
Exploit - ANSWER-Instance of an attack pattern. Taking advantage of a specific flaw to
do something bad. Example: buffer overflow in a JSON parsing library
Attack - ANSWER-Act of carrying out an exploit
ICS - ANSWER-Industrial control systems
CRT testing - ANSWER-Communication Robustness testing
Cyber Priorities of an IT department - ANSWER-(1) Confidentiality (2) integrity (3)
availability
Cyber Priorities for ICS - ANSWER-(1) availability (2) integrity (3) confidentiality
ISO 27001 - ANSWER-General IT security certification
Software security assurance - ANSWER-Security level of software depends on the
consequences of the software being compromised. Example: Wikipedia needs less
security than a nuclear power plant
4 main themes of IEC 62443 - ANSWER-(1) General
(2) Policies and Procedures
(3) System
(4) Component
, 8 fundamental practices in IEC 62443 - ANSWER-(1) Security management
(2) Specification of security requirements
(3) Secure by design
(4) Secure implementation
(5) Security verification and validation testing
(6) Management of security related issues
(7) Security update management
(8) Security guidelines
Maturity levels - ANSWER-Define security for components, processes, and product
development
4 types of 62443 Certifications - ANSWER-(1) Process certification
(2) Device certification
(3) System certification
(4) Personnel certification
Why should negative requirements be avoided? - ANSWER-They are hard to test
Integrity check - ANSWER-Verify the signature of data in transit or at rest. Required by
IEC 62443.
Non-repudiation - ANSWER-Somebody cannot deny they did something because you
have an audit trail
Security levels - ANSWER-Use to asses the security of an asset or zone in IEC 62443
How long does an IEC 62443 cert often take? - ANSWER-6 months to 1 year
How long are exida IEC 62443 certs valid for? - ANSWER-3 years, with a easy 3 year
extension
IEC 62443 certs that do not expire - ANSWER-Are often only valid for a specific binary
image of a piece of software. No updates can be made.
ICS CERT - ANSWER-Vulnerability database for industrial control systems
Two attacck methodologies - ANSWER-Lockheed Martin Kill Chain
Common Attack Methodology
Rootkit - ANSWER-Program that allows an attacker to access and manipulate some
low-level functionality in a machine
CAPEC - ANSWER-Common Attack Pattern Enumeration and Classification - a official
list of methods used to attack
