
Why Buy ISA-IEC-62443 Exam Dumps From Passin1Day?

With thousands of ISA-IEC-62443 customers and a 99% passing rate, Passin1Day has a big success story. We provide a full ISA exam passing assurance to our customers. You can purchase the ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam dumps with full confidence and pass the exam.

ISA-IEC-62443 Practice Questions

Question # 1
What does the abbreviation CSMS found in ISA 62443-2-1 represent? Available Choices (select all choices that are correct)
A. Control System Management System
B. Control System Monitoring System
C. Cyber Security Management System
D. Cyber Security Monitoring System


C. Cyber Security Management System

The abbreviation CSMS stands for Cyber Security Management System in ISA 62443-2-1. This standard defines the elements necessary to establish a CSMS for industrial automation and control systems (IACS) and provides guidance on how to develop those elements [1][2][3]. A CSMS is a collection of policies, procedures, practices, and personnel that are responsible for ensuring the security of IACS throughout their lifecycle [2][4].

References:

  • [1] ISA/IEC 62443 Series of Standards - ISA
  • [2] ISA 62443-2-1 - Security for industrial automation and control systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program | GlobalSpec
  • [3] IEC 62443-2-1:2010 | IEC Webstore | cyber security, smart city
  • [4] Structuring the ISA/IEC 62443 Standards - ISAGCA


Question # 2
Which of the following is a cause for the increase in attacks on IACS? Available Choices (select all choices that are correct)
A. Use of proprietary communications protocols
B. The move away from commercial off the shelf (COTS) systems, protocols, and networks
C. Knowledge of exploits and tools readily available on the Internet
D. Fewer personnel with system knowledge having access to IACS


A. Use of proprietary communications protocols
C. Knowledge of exploits and tools readily available on the Internet

One of the reasons for the increase in attacks on IACS is the availability of information and tools that can be used to exploit vulnerabilities in these systems. The Internet provides a platform for hackers, researchers, and activists to share their knowledge and techniques for compromising IACS. Some examples of such information and tools are:

  • Stuxnet: A sophisticated malware that targeted the Iranian nuclear program in 2010. It exploited four zero-day vulnerabilities in Windows and Siemens software to infect and manipulate the programmable logic controllers (PLCs) that controlled the centrifuges. Stuxnet was widely analyzed and reported by the media and security experts, and its source code was leaked online [1].
  • Metasploit: A popular penetration testing framework that contains modules for exploiting various IACS components and protocols. For instance, Metasploit includes modules for attacking Modbus, DNP3, OPC, and Siemens S7 devices [2].
  • Shodan: A search engine that allows users to find devices connected to the Internet, such as webcams, routers, printers, and IACS components. Shodan can reveal the location, model, firmware, and configuration of these devices, which can be used by attackers to identify potential targets and vulnerabilities [3].
  • ICS-CERT: A website that provides alerts, advisories, and reports on IACS security issues and incidents. ICS-CERT also publishes vulnerability notes and mitigation recommendations for various IACS products and vendors [4].

These sources of information and tools can be useful for legitimate purposes, such as security testing, research, and education, but they can also be misused by malicious actors who want to disrupt, damage, or steal from IACS. Therefore, IACS owners and operators should be aware of the threats and risks posed by the Internet and implement appropriate security measures to protect their systems.

Explanation:

  • The increase in attacks on Industrial Automation and Control Systems (IACS) can be attributed to several factors, including: A. Use of proprietary communications protocols: These can pose security risks because they may not have been designed with security in mind and are often not as well-tested against security threats as more standard protocols. C. Knowledge of exploits and tools readily available on the Internet: The availability of information about vulnerabilities and exploits on the Internet has made it easier for attackers to target IACS.
  • The other options, B and D, are incorrect because: B. The move towards commercial off-the-shelf (COTS) systems, protocols, and networks actually increases risk because these systems are more likely to be known and targeted by attackers, compared to proprietary systems which might benefit from security through obscurity. D. There is actually an increase in risk with more personnel with system knowledge because it enlarges the attack surface – each individual with system knowledge can potentially become a vector for an attack, either maliciously or accidentally.


Question # 3
What is the definition of "defense in depth" when referring to Available Choices (select all choices that are correct)
A. Using countermeasures that have intrinsic technical depth.
B. Aligning all resources to provide a broad technical gauntlet
C. Requiring a minimum distance requirement between security assets
D. Applying multiple countermeasures in a layered or stepwise manner


D. Applying multiple countermeasures in a layered or stepwise manner

Explanation:

Defense in depth is a concept of cybersecurity that involves applying multiple layers of protection to a system or network, so that if one layer fails, another layer can prevent or mitigate an attack. Defense in depth is based on the principle that no single security measure is perfect or sufficient, and that multiple countermeasures can provide redundancy and diversity of defense. Defense in depth can also increase the cost and complexity for an attacker, as they have to overcome more obstacles and exploit more vulnerabilities to achieve their goals.

Defense in depth is one of the key concepts of the ISA/IEC 62443 series of standards, which provide guidance and best practices for securing industrial automation and control systems (IACS). The standards recommend applying defense in depth strategies at different levels of an IACS, such as the network, the system, the component, and the policy and procedure level. The standards also define different zones and conduits within an IACS, which are logical or physical groupings of assets that share common security requirements and risk levels. By applying defense in depth strategies to each zone and conduit, the security of the entire IACS can be improved.

References:

  • [1] ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models
  • [2] ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels
  • [3] ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements
  • [4] ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components


Question # 4
Which is the implementation of PROFIBUS over Ethernet for non-safety-related communications? Available Choices (select all choices that are correct)
A. PROFIBUS DP
B. PROFIBUS PA
C. PROFINET
D. PROFISAFE


C. PROFINET

PROFINET is the implementation of PROFIBUS over Ethernet for non-safety-related communications. It is a standard for industrial Ethernet that enables real-time data exchange between automation devices, controllers, and higher-level systems. PROFINET uses standard Ethernet hardware and software, but adds a thin software layer that allows deterministic and fast communication. PROFINET supports different communication profiles for different applications, such as motion control, process automation, and functional safety. PROFINET is compatible with PROFIBUS, and allows seamless integration of existing PROFIBUS devices and networks [1][2][3].

References:

  • [1] What is PROFINET? - PI North America
  • [2] PROFINET - Wikipedia
  • [3] PROFINET Technology and Application - System Description



Question # 5
What are the two elements of the risk analysis category of an IACS? Available Choices (select all choices that are correct)
A. Risk evaluation and risk identification
B. Business rationale and risk reduction and avoidance
C. Business rationale and risk identification and classification
D. Business recovery and risk elimination or mitigation


C. Business rationale and risk identification and classification

The risk analysis category of an IACS consists of two elements: business rationale and risk identification and classification [1]. Business rationale is the process of defining the scope, objectives, and criteria for the risk analysis, as well as the roles and responsibilities of the stakeholders involved. Risk identification and classification is the process of identifying the assets, threats, vulnerabilities, and consequences of a cyberattack on the IACS, and assigning a risk level to each scenario based on the likelihood and impact of the attack [1]. These elements are essential for establishing a baseline of the current risk posture of the IACS and determining the appropriate risk treatment measures to reduce the risk to an acceptable level.

References:

  • [1] ISA/IEC 62443-3-2:2020, Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design, International Society of Automation, Research Triangle Park, NC, USA, 2020.


Question # 6
Which layer in the Open Systems Interconnection (OSI) model would include the use of the File Transfer Protocol (FTP)? Available Choices (select all choices that are correct)
A. Application layer
B. Data link layer
C. Session layer
D. Transport layer


A. Application layer

The File Transfer Protocol (FTP) is an application layer protocol that moves files between local and remote file systems. It runs on top of TCP, like HTTP. To transfer a file, FTP uses two TCP connections in parallel: a control connection and a data connection. The control connection is used to send commands and responses between the client and the server, while the data connection is used to transfer the actual file.

FTP is one of the standard communication protocols defined by the TCP/IP model and does not fit neatly into the OSI model. However, since the OSI model is a reference model that describes the general functions of each layer, FTP can be considered an application layer protocol in the OSI model, as it provides user services and interfaces to the network. The application layer is the highest layer in the OSI model and is responsible for providing network services to users, such as email, web browsing, file transfer, and remote login.

The application layer interacts with the presentation layer, which is responsible for data formatting, encryption, and compression. The presentation layer interacts with the session layer, which is responsible for establishing, maintaining, and terminating sessions between applications. The session layer interacts with the transport layer, which is responsible for reliable end-to-end data transfer and flow control. The transport layer interacts with the network layer, which is responsible for routing and addressing packets across different networks. The network layer interacts with the data link layer, which is responsible for framing, error detection, and medium access control. The data link layer interacts with the physical layer, which is responsible for transmitting and receiving bits over the physical medium.

References:

  • [1] File Transfer Protocol (FTP) in Application Layer
  • [2] FTP Protocol
  • [3] What OSI layer is FTP?


Question # 7
In an IACS system, a typical security conduit consists of which of the following assets? Available Choices (select all choices that are correct)

A. Controllers, sensors, transmitters, and final control elements
B. Wiring, routers, switches, and network management devices
C. Ferrous, thickwall, and threaded conduit including raceways
D. Power lines, cabinet enclosures, and protective grounds


B. Wiring, routers, switches, and network management devices

A security conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements [1]. A zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements [1]. Therefore, a security conduit consists of assets that enable or facilitate communication between zones, such as wiring, routers, switches, and network management devices. Controllers, sensors, transmitters, and final control elements are examples of assets that belong to a zone, not a conduit. Ferrous, thickwall, and threaded conduit including raceways are physical structures that may enclose or protect wiring, but they are not part of the communication channels themselves. Power lines, cabinet enclosures, and protective grounds are also not part of the communication channels, but rather provide power or protection to the assets in a zone or a conduit.

References:

  • [1] Key Concepts of ISA/IEC 62443: Zones & Security Levels | Dragos
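To make the zone/conduit distinction above concrete, here is an added Python example (not code from this page or from the ISA/IEC 62443 standards) that models a hypothetical plant as zones with target security levels, defines the conduits between them, and audits observed flows for traffic that crosses zones without a defined conduit or with a protocol the conduit does not permit. All zone names, assets, protocols and flows are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int          # target security level (SL-T), 1..4


@dataclass(frozen=True)
class Conduit:
    zone_a: str
    zone_b: str
    allowed_protocols: frozenset

    def connects(self, z1: str, z2: str) -> bool:
        return {z1, z2} == {self.zone_a, self.zone_b}


# Constructed sample model of a hypothetical plant (not a real site).
ZONES = {
    "control": Zone("control", sl_target=3),
    "supervisory": Zone("supervisory", sl_target=2),
    "enterprise": Zone("enterprise", sl_target=1),
}
# Assets belong to zones; routers/switches that carry cross-zone traffic
# are modelled as the conduits themselves, matching the distinction above.
ASSET_ZONE = {
    "plc-01": "control", "hmi-01": "supervisory",
    "historian": "supervisory", "erp-db": "enterprise",
}
CONDUITS = [
    Conduit("control", "supervisory", frozenset({"modbus", "opc-ua"})),
    Conduit("supervisory", "enterprise", frozenset({"https"})),
]


def find_conduit(z1: str, z2: str):
    return next((c for c in CONDUITS if c.connects(z1, z2)), None)


def check_flow(src: str, dst: str, protocol: str):
    """Return (ok, reason) for one observed src -> dst flow."""
    zs, zd = ASSET_ZONE[src], ASSET_ZONE[dst]
    if zs == zd:
        return True, "intra-zone"
    c = find_conduit(zs, zd)
    if c is None:
        return False, f"no conduit defined between {zs} and {zd}"
    if protocol not in c.allowed_protocols:
        return False, f"{protocol} not permitted on conduit {zs}<->{zd}"
    return True, f"via conduit {zs}<->{zd}"


def audit(flows):
    """Audit a list of (src, dst, protocol) flows; returns rows with verdicts."""
    return [(s, d, p, *check_flow(s, d, p)) for s, d, p in flows]


# Constructed flows, as a firewall log summary might present them.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "modbus"),   # allowed: conduit permits modbus
    ("erp-db", "plc-01", "modbus"),   # no enterprise<->control conduit
    ("historian", "erp-db", "ftp"),   # conduit exists, but ftp not allowed
]
```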


Question # 8
Which of the following is an activity that should trigger a review of the CSMS? Available Choices (select all choices that are correct)
A. Budgeting
B. New technical controls
C. Organizational restructuring
D. Security incident exposing previously unknown risk.


B. New technical controls
C. Organizational restructuring
D. Security incident exposing previously unknown risk.

According to the ISA/IEC 62443-2-1 standard, a review of the CSMS should be triggered by any change that affects the cybersecurity risk of the industrial automation and control system (IACS), such as new technical controls, organizational restructuring, or security incidents [1]. Budgeting is not a trigger for a CSMS review, unless it impacts the cybersecurity risk level or the CSMS itself [2].

References:

  • [1] ISA/IEC 62443-2-1:2010, Section 4.3.3.3
  • [2] A Practical Approach to Adopting the IEC 62443 Standards, ISAGCA Blog


ISA-IEC-62443 Dumps
  • Up-to-Date ISA-IEC-62443 Exam Dumps
  • Valid Questions Answers
  • ISA/IEC 62443 Cybersecurity Fundamentals Specialist PDF & Online Test Engine Format
  • 3 Months Free Updates
  • Dedicated Customer Support
  • Cybersecurity Pass in 1 Day For Sure
  • SSL Secure Protected Site
  • Exam Passing Assurance
  • 98% ISA-IEC-62443 Exam Success Rate
  • Valid for All Countries

ISA ISA-IEC-62443 Exam Dumps

Exam Name: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
Certification Name: Cybersecurity

ISA ISA-IEC-62443 exam dumps are created by top industry professionals and then verified by an expert team. We provide you with updated ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam questions and answers. We keep updating our Cybersecurity practice test according to the real exam, so prepare from our latest questions and answers and pass your exam.

  • Total Questions: 88
  • Last Update Date: 16-Jan-2025

Up-to-Date

We always provide up-to-date ISA-IEC-62443 exam dumps to our clients. Keep checking the website for updates and downloads.

Excellence

The quality and excellence of our ISA/IEC 62443 Cybersecurity Fundamentals Specialist practice questions exceed customers' expectations. Contact live chat to know more.

Success

Your SUCCESS is assured with the ISA-IEC-62443 exam questions of passin1day.com. Just Buy, Prepare and PASS!

Quality

All our braindumps are verified with their correct answers. Download Cybersecurity practice tests in a printable PDF format.

Basic

$80

Any 3 Exams of Your Choice

3 Exams PDF + Online Test Engine

Premium

$100

Any 4 Exams of Your Choice

4 Exams PDF + Online Test Engine

Gold

$125

Any 5 Exams of Your Choice

5 Exams PDF + Online Test Engine


Passin1Day has a big success story over the last 12 years, with a long list of satisfied customers.

We are a UK-based company selling ISA-IEC-62443 practice test questions and answers. We have a team of 34 people in the Research, Writing, QA, Sales, Support and Marketing departments, helping people achieve success in their lives.

We do not have a single unsatisfied ISA customer in this time. Our customers are our asset and are more precious to us than their money.

ISA-IEC-62443 Dumps

We have recently updated the ISA ISA-IEC-62443 dumps study guide. You can use our Cybersecurity braindumps and pass your exam in just 24 hours. Our ISA/IEC 62443 Cybersecurity Fundamentals Specialist real exam file contains the latest questions. We provide ISA ISA-IEC-62443 dumps with updates for 3 months. You can purchase in advance and start studying. Whenever ISA updates the ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam, we also update our file with new questions. Passin1day is here to provide real ISA-IEC-62443 exam questions to people who find it difficult to pass the exam.

Cybersecurity certification can advance your marketability and prove to be a key to differentiating you from those who have no certification, and Passin1day is there to help you pass the exam with ISA-IEC-62443 dumps. ISA certifications demonstrate your competence and make discerning employers recognize that ISA/IEC 62443 Cybersecurity Fundamentals Specialist certified employees are more valuable to their organizations and customers.


We have helped thousands of customers so far in achieving their goals. Our excellent, comprehensive ISA exam dumps will enable you to pass your Cybersecurity certification exam in just a single try. Passin1day is offering ISA-IEC-62443 braindumps which are accurate, of high quality, and verified by IT professionals.

Candidates can instantly download Cybersecurity dumps and access them on any device after purchase. Online ISA/IEC 62443 Cybersecurity Fundamentals Specialist practice tests are planned and designed to prepare you completely for the real ISA exam conditions. Free ISA-IEC-62443 dumps demos are available on customer's demand to check before placing an order.

