Question # 1 How many element groups are in the "Addressing Risk" CSMS category? Available Choices (select all choices that are correct)
A. 2
B. 3
C. 4
D. 5
Answer: B. 3
Answer Description: The "Addressing Risk" CSMS category consists of three element groups: Security Policy, Organization and Awareness; Selected Security Countermeasures; and Implementation of Security Program [1]. These element groups cover defining the security objectives, roles and responsibilities, policies and procedures, awareness and training, selection and implementation of security countermeasures, and execution and maintenance of the security program [1]. The "Addressing Risk" CSMS category aims to reduce the security risk to an acceptable level by applying appropriate security measures to the system under consideration (SuC) [1].
References:
[1] ISA/IEC 62443-2-1: Security for industrial automation and control systems: Establishing an industrial automation and control systems security program
Question # 2 Which of the following is a cause for the increase in attacks on IACS? Available Choices (select all choices that are correct)
A. Use of proprietary communications protocols
B. The move away from commercial off the shelf (COTS) systems, protocols, and networks
C. Knowledge of exploits and tools readily available on the Internet
D. Fewer personnel with system knowledge having access to IACS
Answer: A. Use of proprietary communications protocols; C. Knowledge of exploits and tools readily available on the Internet
Answer Description: One of the reasons for the increase in attacks on IACS is the availability of information and tools that can be used to exploit vulnerabilities in these systems. The Internet provides a platform for hackers, researchers, and activists to share their knowledge and techniques for compromising IACS. Some examples of such information and tools are:
- Stuxnet: A sophisticated malware that targeted the Iranian nuclear program in 2010. It exploited four zero-day vulnerabilities in Windows and Siemens software to infect and manipulate the programmable logic controllers (PLCs) that controlled the centrifuges. Stuxnet was widely analyzed and reported by the media and security experts, and its source code was leaked online [1].
- Metasploit: A popular penetration testing framework that contains modules for exploiting various IACS components and protocols. For instance, Metasploit includes modules for attacking Modbus, DNP3, OPC, and Siemens S7 devices [2].
- Shodan: A search engine that allows users to find devices connected to the Internet, such as webcams, routers, printers, and IACS components. Shodan can reveal the location, model, firmware, and configuration of these devices, which can be used by attackers to identify potential targets and vulnerabilities [3].
- ICS-CERT: A website that provides alerts, advisories, and reports on IACS security issues and incidents. ICS-CERT also publishes vulnerability notes and mitigation recommendations for various IACS products and vendors [4].
These sources of information and tools can be useful for legitimate purposes, such as security testing, research, and education, but they can also be misused by malicious actors who want to disrupt, damage, or steal from IACS. Therefore, IACS owners and operators should be aware of the threats and risks posed by the Internet and implement appropriate security measures to protect their systems.
References:
The increase in attacks on Industrial Automation and Control Systems (IACS) can be attributed to several factors, including:
A. Use of proprietary communications protocols: These can pose security risks because they may not have been designed with security in mind and are often not as well tested against security threats as more standard protocols.
C. Knowledge of exploits and tools readily available on the Internet: The availability of information about vulnerabilities and exploits on the Internet has made it easier for attackers to target IACS.
The other options, B and D, are incorrect because: B. The move towards commercial off-the-shelf (COTS) systems, protocols, and networks actually increases risk because these systems are more likely to be known and targeted by attackers, compared to proprietary systems which might benefit from security through obscurity. D. There is actually an increase in risk with more personnel with system knowledge because it enlarges the attack surface – each individual with system knowledge can potentially become a vector for an attack, either maliciously or accidentally.
Question # 3 Which is a physical layer standard for serial communications between two or more devices?
Available Choices (select all choices that are correct)
A. RS232
B. RS235
C. RS432
D. RS435
Answer: A. RS232
Answer Description: RS232 is a physical layer standard for serial communication between two or more devices. It defines the electrical characteristics, timing, and connector pinout for serial data transmission. RS232 is widely used in industrial communication devices, such as PLCs, measuring instruments, and network servers. RS232 allows only one master and one slave to communicate on each line, and operates in full duplex mode. RS232 has a lower transmission speed, a shorter maximum cable length, and a larger voltage swing than later standards such as RS422 and RS485 [1][2][3].
References:
[1] Basics of RS232, RS422, and RS485 Serial Communication
[2] RS-232 - Wikipedia
[3] RS232 Serial Communication Protocol: Basics, Working & Specifications
Question # 4 Which of the following is the BEST example of detection-in-depth best practices? Available Choices (select all choices that are correct)
A. Firewalls and unexpected protocols being used
B. IDS sensors deployed within multiple zones in the production environment
C. Role-based access control and unusual data transfer patterns
D. Role-based access control and VPNs
Answer: B. IDS sensors deployed within multiple zones in the production environment
Answer Description: The best practice for detection-in-depth according to ISA/IEC 62443 involves layering different types of security controls that operate effectively under multiple scenarios and across various zones within an environment. IDS (Intrusion Detection System) sensors deployed across multiple zones within a production environment exemplify this strategy. By positioning sensors in various strategic locations, organizations can monitor for anomalous activities and potential threats throughout their network, thus enhancing their ability to detect and respond to incidents before they escalate. This deployment aligns with the ISA/IEC 62443 focus on comprehensive coverage and redundancy in cybersecurity mechanisms, in contrast to relying solely on perimeter defenses or single-point security solutions.
Question # 5 Why is OPC Classic considered firewall unfriendly? Available Choices (select all choices that are correct)
A. OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535.
B. OPC Classic is allowed to use only port 80.
C. OPC Classic works with control devices from different manufacturers.
D. OPC Classic is an obsolete communication standard.
Answer: A. OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535.
Answer Description: OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535. Comprehensive Explanation: OPC Classic is a software interface technology that uses the Distributed Component Object Model (DCOM) protocol to transfer data between different industrial control systems. DCOM is a Microsoft technology that allows applications to communicate across a network. However, DCOM was not designed with security in mind, and it poses several challenges for firewall configuration. The main challenge is that DCOM does not use fixed TCP port numbers; instead, it negotiates new port numbers within the first open connection. This means that intermediary firewalls can only be used with wide-open rules, leaving a large range of ports open for potential attacks. This makes OPC Classic very "firewall unfriendly" and reduces the security and protection that firewalls provide.
References:
Tofino Security OPC Foundation White Paper
Step 2 (for client or server): Configuring firewall settings - GE
Secure firewall for OPC Classic - Design World
Question # 6 What are the two elements of the risk analysis category of an IACS? Available Choices (select all choices that are correct)
A. Risk evaluation and risk identification
B. Business rationale and risk reduction and avoidance
C. Business rationale and risk identification and classification
D. Business recovery and risk elimination or mitigation
Answer: C. Business rationale and risk identification and classification
Answer Description: The risk analysis category of an IACS consists of two elements: business rationale, and risk identification and classification [1]. Business rationale is the process of defining the scope, objectives, and criteria for the risk analysis, as well as the roles and responsibilities of the stakeholders involved. Risk identification and classification is the process of identifying the assets, threats, vulnerabilities, and consequences of a cyberattack on the IACS, and assigning a risk level to each scenario based on the likelihood and impact of the attack [1]. These elements are essential for establishing a baseline of the current risk posture of the IACS and determining the appropriate risk treatment measures to reduce the risk to an acceptable level.
References:
[1] ISA/IEC 62443-3-2:2020, Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design, International Society of Automation, Research Triangle Park, NC, USA, 2020.
Question # 7 Which layer in the Open Systems Interconnection (OSI) model would include the use of the File Transfer Protocol (FTP)? Available Choices (select all choices that are correct)
A. Application layer
B. Data link layer
C. Session layer
D. Transport layer
Answer: A. Application layer
Answer Description: The File Transfer Protocol (FTP) is an application layer protocol that moves files between local and remote file systems. It runs on top of TCP, like HTTP. To transfer a file, FTP uses two TCP connections in parallel: a control connection and a data connection. The control connection carries commands and responses between the client and the server, while the data connection carries the actual file. FTP is one of the standard communication protocols defined by the TCP/IP model and does not fit neatly into the OSI model. However, since the OSI model is a reference model that describes the general functions of each layer, FTP can be considered an application layer protocol in the OSI model, as it provides user services and interfaces to the network. The application layer is the highest layer in the OSI model and is responsible for providing network services to users, such as email, web browsing, file transfer, and remote login. The application layer interacts with the presentation layer, which is responsible for data formatting, encryption, and compression. The presentation layer interacts with the session layer, which is responsible for establishing, maintaining, and terminating sessions between applications. The session layer interacts with the transport layer, which is responsible for reliable end-to-end data transfer and flow control. The transport layer interacts with the network layer, which is responsible for routing and addressing packets across different networks. The network layer interacts with the data link layer, which is responsible for framing, error detection, and medium access control. The data link layer interacts with the physical layer, which is responsible for transmitting and receiving bits over the physical medium.
References:
[1] File Transfer Protocol (FTP) in Application Layer
[2] FTP Protocol
[3] What OSI layer is FTP?
Question # 8 What is the definition of "defense in depth" when referring to Available Choices (select all choices that are correct)
A. Using countermeasures that have intrinsic technical depth.
B. Aligning all resources to provide a broad technical gauntlet
C. Requiring a minimum distance requirement between security assets
D. Applying multiple countermeasures in a layered or stepwise manner
Answer: D. Applying multiple countermeasures in a layered or stepwise manner
Answer Description: Defense in depth is a cybersecurity concept that involves applying multiple layers of protection to a system or network, so that if one layer fails, another layer can prevent or mitigate an attack. Defense in depth is based on the principle that no single security measure is perfect or sufficient, and that multiple countermeasures can provide redundancy and diversity of defense. Defense in depth also increases the cost and complexity for an attacker, who has to overcome more obstacles and exploit more vulnerabilities to achieve their goals. Defense in depth is one of the key concepts of the ISA/IEC 62443 series of standards, which provide guidance and best practices for securing industrial automation and control systems (IACS). The standards recommend applying defense in depth strategies at different levels of an IACS, such as the network, the system, the component, and the policy and procedure level. The standards also define zones and conduits within an IACS, which are logical or physical groupings of assets that share common security requirements and risk levels. By applying defense in depth strategies to each zone and conduit, the security of the entire IACS can be improved.
References:
[1] ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models
[2] ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels
[3] ISA/IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements
[4] ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components