
Why Buy ISA-IEC-62443 Exam Dumps From Passin1Day?

With thousands of ISA-IEC-62443 customers and a 99% passing rate, passin1day has a big success story. We provide full ISA exam passing assurance to our customers. You can purchase ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam dumps with full confidence and pass the exam.

ISA-IEC-62443 Practice Questions

Question # 1
Which is a PRIMARY reason why network security is important in IACS environments? Available Choices (select all choices that are correct)
A. PLCs are inherently unreliable.
B. PLCs are programmed using ladder logic.
C. PLCs use serial or Ethernet communications methods.
D. PLCs under cyber attack can have costly and dangerous impacts.


D. PLCs under cyber attack can have costly and dangerous impacts.

Network security is important in IACS environments because PLCs, or programmable logic controllers, are devices that control physical processes and equipment in industrial settings. PLCs under cyber attack can have costly and dangerous impacts, such as disrupting production, damaging equipment, compromising safety, and harming the environment. Therefore, network security is essential to protect PLCs and other IACS components from unauthorized access, modification, or disruption. The other choices are not primary reasons why network security is important in IACS environments. PLCs are not inherently unreliable, but they can be affected by environmental factors, such as temperature, humidity, and electromagnetic interference. PLCs are programmed using ladder logic, which is a graphical programming language that resembles electrical schematics. PLCs use serial or Ethernet communications methods, depending on the type and age of the device, to communicate with other IACS components, such as human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCSs). References:

  • ISA/IEC 62443 Standards to Secure Your Industrial Control System training course
  • ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide
  • Using the ISA/IEC 62443 Standard to Secure Your Control Systems


Question # 2
Which of the following is the BEST example of detection-in-depth best practices? Available Choices (select all choices that are correct)
A. Firewalls and unexpected protocols being used
B. IDS sensors deployed within multiple zones in the production environment
C. Role-based access control and unusual data transfer patterns
D. Role-based access control and VPNs


B. IDS sensors deployed within multiple zones in the production environment

The best practice for detection-in-depth according to ISA/IEC 62443 involves layering different types of security controls that operate effectively under multiple scenarios and across various zones within an environment. IDS (Intrusion Detection Systems) sensors deployed across multiple zones within a production environment exemplify this strategy. By positioning sensors in various strategic locations, organizations can monitor for anomalous activities and potential threats throughout their network, thus enhancing their ability to detect and respond to incidents before they escalate. This deployment aligns with the ISA/IEC 62443 focus on comprehensive coverage and redundancy in cybersecurity mechanisms, contrasting with relying solely on perimeter defenses or single-point security solutions.


Question # 3
Why is OPC Classic considered firewall unfriendly? Available Choices (select all choices that are correct)
A. OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535.
B. OPC Classic is allowed to use only port 80.
C. OPC Classic works with control devices from different manufacturers.
D. OPC Classic is an obsolete communication standard.


A. OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535.

OPC Classic is a software interface technology that uses the Distributed Component Object Model (DCOM) protocol to transfer data between different industrial control systems. DCOM is a Microsoft technology that allows applications to communicate across a network. However, DCOM was not designed with security in mind, and it poses several challenges for firewall configuration. The main challenge is that DCOM does not use fixed TCP port numbers; instead, it negotiates new port numbers within the first open connection. This means that intermediary firewalls can only be used with wide-open rules, leaving a large range of ports open to potential attacks. This makes OPC Classic very “firewall unfriendly” and reduces the security and protection that firewalls provide. References:

  • Tofino Security OPC Foundation White Paper
  • Step 2 (for client or server): Configuring firewall settings - GE
  • Secure firewall for OPC Classic - Design World


Question # 4
Which layer in the Open Systems Interconnection (OSI) model would include the use of the File Transfer Protocol (FTP)? Available Choices (select all choices that are correct)
A. Application layer
B. Data link layer
C. Session layer
D. Transport layer


A. Application layer

The File Transfer Protocol (FTP) is an application layer protocol that moves files between local and remote file systems. It runs on top of TCP, like HTTP. To transfer a file, FTP uses two TCP connections in parallel: a control connection and a data connection. The control connection is used to send commands and responses between the client and the server, while the data connection is used to transfer the actual file. FTP is one of the standard communication protocols defined by the TCP/IP model and it does not fit neatly into the OSI model. However, since the OSI model is a reference model that describes the general functions of each layer, FTP can be considered an application layer protocol in the OSI model, as it provides user services and interfaces to the network. The application layer is the highest layer in the OSI model and is responsible for providing network services to users, such as email, web browsing, file transfer, remote login, etc. The application layer interacts with the presentation layer, which is responsible for data formatting, encryption, compression, etc. The presentation layer interacts with the session layer, which is responsible for establishing, maintaining, and terminating sessions between applications. The session layer interacts with the transport layer, which is responsible for reliable end-to-end data transfer and flow control. The transport layer interacts with the network layer, which is responsible for routing and addressing packets across different networks. The network layer interacts with the data link layer, which is responsible for framing, error detection, and medium access control. The data link layer interacts with the physical layer, which is responsible for transmitting and receiving bits over the physical medium. References:

  • File Transfer Protocol (FTP) in Application Layer
  • FTP Protocol
  • What OSI layer is FTP?


Question # 5
Which is the BEST practice when establishing security zones? Available Choices (select all choices that are correct)
A. Security zones should contain assets that share common security requirements.
B. Security zones should align with physical network segments.
C. Assets within the same logical communication network should be in the same security zone.
D. All components in a large or complex system should be in the same security zone.


A. Security zones should contain assets that share common security requirements.

Security zones are logical groupings of assets that share common security requirements based on factors such as criticality, consequence, vulnerability, and threat. Security zones are used to apply the principle of defense in depth, which means creating multiple layers of protection to prevent or mitigate cyberattacks. By creating security zones, asset owners can isolate the most critical or sensitive assets from the less critical or sensitive ones, and apply different levels of security controls to each zone according to the risk assessment. Security zones are not necessarily aligned with physical network segments, as assets within the same network may have different security requirements. For example, a network segment may contain both a safety instrumented system (SIS) and a human-machine interface (HMI), but the SIS has a higher security requirement than the HMI. Therefore, the SIS and the HMI should be in different security zones, even if they are in the same network segment. Similarly, assets within the same logical communication network may not have the same security requirements, and therefore should not be in the same security zone. For example, a logical communication network may span multiple physical locations, such as a plant and a corporate office, but the assets in the plant may have higher security requirements than the assets in the office. Therefore, the assets in the plant and the office should be in different security zones, even if they are in the same logical communication network. Finally, placing all components of a large or complex system in the same security zone is not good practice, as this would create a single point of failure and expose the entire system to potential cyberattacks. Instead, the components should be divided into smaller and simpler security zones, based on their security requirements, and the communication between the zones should be controlled by conduits.
Conduits are logical or physical connections between security zones that allow data flow and access control. Conduits should be designed to minimize the attack surface and the potential impact of cyberattacks, by applying security controls such as firewalls, encryption, authentication, and authorization. References:

  • How to Define Zones and Conduits
  • Securing industrial networks: What is ISA/IEC 62443?
  • ISA/IEC 62443 Series of Standards


Question # 6
Which analysis method is MOST frequently used as an input to a security risk assessment? Available Choices (select all choices that are correct)
A. Failure Mode and Effects Analysis
B. Job Safety Analysis (JSA)
C. Process Hazard Analysis (PHA)
D. System Safety Analysis (SSA)


C. Process Hazard Analysis (PHA)

A Process Hazard Analysis (PHA) is a systematic and structured method of identifying and evaluating the potential hazards and risks associated with an industrial process. A PHA can help to identify the possible causes and consequences of undesired events, such as equipment failures, human errors, cyberattacks, natural disasters, etc. A PHA can also provide recommendations for reducing the likelihood and severity of such events, as well as improving the safety and security of the process. A PHA is one of the most frequently used analysis methods as an input to a security risk assessment, as it can help to identify the assets, threats, vulnerabilities, and impacts related to the process, and provide a basis for determining the security risk level and the appropriate security countermeasures. A PHA is also a requirement of the ISA/IEC 62443 standard, as part of the security program development and implementation phase [1][2].

References:

  • 1: ISA/IEC 62443-2-1, Security for industrial automation and control systems: Establishing an industrial automation and control systems security program
  • 2: ISA/IEC 62443-3-2, Security for industrial automation and control systems: Security risk assessment for system design


Question # 7
What is the FIRST step required in implementing ISO 27001? Available Choices (select all choices that are correct)
A. Create a security management organization.
B. Define an information security policy.
C. Implement strict security controls.
D. Perform a security risk assessment.


D. Perform a security risk assessment.

The first step in implementing ISO 27001, an international standard for information security management systems (ISMS), is to perform a security risk assessment. This initial step is critical as it helps identify the organization's information assets that could be at risk, assess the vulnerabilities and threats to these assets, and evaluate their potential impacts. This risk assessment forms the foundation for defining appropriate security controls and measures tailored to the organization’s specific needs. Starting with a risk assessment ensures that the security controls implemented are aligned with the actual risks the organization faces, making the ISMS more effective and targeted.

ISA/IEC 62443 Cybersecurity Fundamentals References:

Although ISO 27001 is not part of ISA/IEC 62443, it shares common principles in cybersecurity management by starting with a comprehensive understanding and assessment of security risks, which is a fundamental aspect in both standards for setting up effective security practices.



Question # 8
Which is the implementation of PROFIBUS over Ethernet for non-safety-related communications? Available Choices (select all choices that are correct)
A. PROFIBUS DP
B. PROFIBUS PA
C. PROFINET
D. PROFIsafe


C. PROFINET

PROFINET is the implementation of PROFIBUS over Ethernet for non-safety-related communications. It is a standard for industrial Ethernet that enables real-time data exchange between automation devices, controllers, and higher-level systems. PROFINET uses standard Ethernet hardware and software, but adds a thin software layer that allows deterministic and fast communication. PROFINET supports different communication profiles for different applications, such as motion control, process automation, and functional safety. PROFINET is compatible with PROFIBUS, and allows seamless integration of existing PROFIBUS devices and networks [1][2][3].

References:

  • 1: What is PROFINET? - PI North America
  • 2: PROFINET - Wikipedia
  • 3: PROFINET Technology and Application - System Description



ISA-IEC-62443 Dumps
  • Up-to-Date ISA-IEC-62443 Exam Dumps
  • Valid Questions Answers
  • ISA/IEC 62443 Cybersecurity Fundamentals Specialist PDF & Online Test Engine Format
  • 3 Months Free Updates
  • Dedicated Customer Support
  • Cybersecurity Pass in 1 Day For Sure
  • SSL Secure Protected Site
  • Exam Passing Assurance
  • 98% ISA-IEC-62443 Exam Success Rate
  • Valid for All Countries

ISA ISA-IEC-62443 Exam Dumps

Exam Name: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
Certification Name: Cybersecurity

ISA ISA-IEC-62443 exam dumps are created by top industry professionals and then verified by an expert team. We provide you with updated ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam questions and answers. We keep updating our Cybersecurity practice test according to the real exam. So prepare from our latest questions and answers and pass your exam.

  • Total Questions: 88
  • Last Update Date: 22-Nov-2024

Up-to-Date

We always provide up-to-date ISA-IEC-62443 exam dumps to our clients. Keep checking the website for updates and downloads.

Excellence

The quality and excellence of our ISA/IEC 62443 Cybersecurity Fundamentals Specialist practice questions exceed customers' expectations. Contact live chat to learn more.

Success

Your SUCCESS is assured with the ISA-IEC-62443 exam questions of passin1day.com. Just Buy, Prepare and PASS!

Quality

All our braindumps are verified with their correct answers. Download Cybersecurity Practice tests in a printable PDF format.

Pricing plans:

  • Basic: $80, any 3 exams of your choice (3 exams PDF + Online Test Engine)
  • Premium: $100, any 4 exams of your choice (4 exams PDF + Online Test Engine)
  • Gold: $125, any 5 exams of your choice (5 exams PDF + Online Test Engine)

Passin1Day has a big success story over the last 12 years, with a long list of satisfied customers.

We are a UK-based company selling ISA-IEC-62443 practice test questions and answers. We have a team of 34 people in the Research, Writing, QA, Sales, Support and Marketing departments, helping people succeed in their lives.

We don't have a single unsatisfied ISA customer in this time. Our customers are our asset and are more precious to us than their money.

ISA-IEC-62443 Dumps

We have recently updated the ISA ISA-IEC-62443 dumps study guide. You can use our Cybersecurity braindumps and pass your exam in just 24 hours. Our ISA/IEC 62443 Cybersecurity Fundamentals Specialist real exam file contains the latest questions. We provide ISA ISA-IEC-62443 dumps with updates for 3 months. You can purchase in advance and start studying. Whenever ISA updates the ISA/IEC 62443 Cybersecurity Fundamentals Specialist exam, we also update our file with new questions. Passin1day is here to provide real ISA-IEC-62443 exam questions to people who find it difficult to pass the exam.

The Cybersecurity certification can advance your marketability and prove to be a key to differentiating you from those who have no certification, and Passin1day is there to help you pass the exam with ISA-IEC-62443 dumps. ISA certifications demonstrate your competence and make discerning employers recognize that ISA/IEC 62443 Cybersecurity Fundamentals Specialist certified employees are more valuable to their organizations and customers.


We have helped thousands of customers so far in achieving their goals. Our excellent, comprehensive ISA exam dumps will enable you to pass your Cybersecurity certification exam in a single try. Passin1day offers ISA-IEC-62443 braindumps that are accurate and of high quality, verified by IT professionals.

Candidates can instantly download Cybersecurity dumps after purchase and access them on any device. Online ISA/IEC 62443 Cybersecurity Fundamentals Specialist practice tests are planned and designed to prepare you completely for real ISA exam conditions. Free ISA-IEC-62443 dumps demos are available on request so you can check them before placing an order.

