ISA-IEC-62443 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Question and Answers

The asset model is used in ISA/IEC 62443 to represent and describe the relationships and dependencies between different assets in an IACS environment. This model helps organizations identify and document assets, their interconnections, and their significance for operational and cybersecurity purposes. The zone model builds upon the asset model for segmentation, but the asset model itself establishes the foundational relationships.

Modbus, in its traditional form, lacks inherent security features. According to ISA/IEC 62443, one of the most practical ways to secure Modbus traffic is by placing it behind a firewall, which restricts access to only trusted sources and destinations. While VPNs and user access controls can add security, firewalls provide critical segmentation, which is explicitly recommended for legacy and insecure protocols like Modbus.

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization. RBAC assigns permissions and responsibilities to roles, rather than to individual users, and then assigns users to those roles. This way, users can only perform the actions that are relevant and necessary for their role, and not access or modify any other resources that are beyond their scope of authority. RBAC is one of the security countermeasures that can be implemented in a defense-in-depth strategy, which is a layered approach to protect industrial automation and control systems (IACS) from cyber threats. RBAC can help prevent unauthorized access, misuse, or sabotage of IACS resources, as well as reduce the risk of human error or insider attacks.

ISO/IEC 15408, also known as the Common Criteria for Information Technology Security Evaluation, is an international standard that provides a framework for evaluating the security of IT products and systems. The purpose of the standard is to define a common set of requirements for the security functions and assurance measures of IT products and systems, and to establish a common methodology for conducting security evaluations. The standard allows users to specify their security needs and expectations in a Security Target (ST), which may be based on one or more Protection Profiles (PPs) that define security requirements for a class of products or systems. Vendors can then implement or claim compliance with the ST or PPs, and have their products or systems evaluated by independent testing laboratories against the security criteria defined in the standard. The standard also defines a scale of Evaluation Assurance Levels (EALs) that indicate the degree of confidence in the security of the evaluated product or system. The standard is intended to facilitate the development, procurement, and use of secure IT products and systems, and to promote the recognition and acceptance of evaluation results across different countries and regions. References:

ISO/IEC 15408-1:2009 - Common Criteria Evaluation for IT Security - Nemko1

Common Criteria - Wikipedia2

ISO/IEC Standard 15408 — ENISA3

Monitoring and improving a Cybersecurity Management System (CSMS) as per ISA/IEC 62443 standards involves several key activities that ensure the system remains effective and responsive to emerging threats. Two critical elements of this ongoing process are:

A. Increase in staff training and security awareness: Regular training and increasing security awareness among staff are vital to maintaining a secure operating environment. This proactive measure helps in reducing human error and enhancing the ability to respond effectively to cybersecurity incidents.

D. Review of system logs and other key data files: Continuous review and analysis of system logs and other relevant data files are essential for detecting, investigating, and responding to potential security incidents. This monitoring helps in identifying anomalies that may indicate a security breach or operational issues needing attention.

In the context of international standards and frameworks, SDO stands for “Standards Development Organization.” SDOs are organizations like ISA, IEC, ISO, and NIST, which are responsible for developing, maintaining, and publishing standards used globally for industrial cybersecurity and other domains.

 The ISA/IEC 62443 series of standards is organized into four main categories for documents, based on the topics and perspectives that they cover. These categories are: General, Policies and Procedures, System, and Component12.

General: This category covers topics that are common to the entire series, such as terms, concepts, models, and overview of the standards1. For example, ISA/IEC 62443-1-1 defines the terminology, concepts, and models for industrial automation and control systems (IACS) security3.

Policies and Procedures: This category focuses on methods and processes associated with IACS security, such as risk assessment, system design, security management, and security program development1. For example, ISA/IEC 62443-2-1 specifies the elements of an IACS security management system, which defines the policies, procedures, and practices to manage the security of IACS4.

System: This category is about requirements at the system level, such as security levels, security zones, security lifecycle, and technical security requirements1. For example, ISA/IEC 62443-3-3 specifies the system security requirements and security levels for zones and conduits in an IACS5.

Component: This category provides detailed requirements for IACS products, such as embedded devices, network devices, software applications, and host devices1. For example, ISA/IEC 62443-4-2 specifies the technical security requirements for IACS components, such as identification and authentication, access control, data integrity, and auditability.

The other options are not valid categories for documents in the ISA/IEC 62443 series of standards, as they either do not reflect the structure and scope of the standards, or they mix different aspects of IACS security that are covered by different categories. For example, end-user, integrator, vendor, and regulator are not categories for documents, but rather roles or stakeholders that are involved in IACS security. Assessment, mitigation, documentation, and maintenance are not categories for documents, but rather activities or phases that are part of the IACS security lifecycle. People, processes, technology, and training are not categories for documents, but rather elements or dimensions that are essential for IACS security.

One of the primary goals of providing a framework that addresses secure product development lifecycle requirements is to ensure that security policies and procedures are well-documented. This objective is crucial because it establishes a structured and standardized approach to security that is integrated throughout the development process of software or systems. This framework helps in aligning the development process with security best practices, thereby mitigating risks associated with security vulnerabilities. Documentation of security policies and procedures ensures that security considerations are consistently applied and that compliance with relevant standards, such as ISA/IEC 62443, is maintained. This foundational approach supports the overall security posture by embedding security considerations directly into the lifecycle of product development, rather than addressing security as an afterthought.

The first step in the Cyber Security Management System (CSMS) development process is to “Initiate the CSMS program,” which involves establishing its purpose, obtaining organizational support, allocating resources, and defining the program’s scope. These foundational activities are required to ensure that the program is properly structured and supported before detailed risk assessments or architecture planning are performed.

The primary responsibility of the network layer of the Open Systems Interconnection (OSI) model is to forward packets, including routing through intermediate routers. The network layer is the third layer from the bottom of the OSI model, and it is responsible for maintaining the quality of the data and passing and transmitting it from its source to its destination. The network layer also assigns logical addresses to devices, such as IP addresses, and uses various routing algorithms to determine the best path for the packets to travel. The network layer operates on packets, which are units of data that contain the source and destination addresses, as well as the payload. The network layer forwards packets from one node to another, using routers to switch packets between different networks. The network layer also handles host-to-host delivery, which means that it ensures that the packets reach the correct destination host.

The other choices are not correct because:

B. Gives transparent transfer of data between end users. This is the responsibility of the transport layer, which is the fourth layer from the bottom of the OSI model. The transport layer provides reliable and error-free data transfer between end users, using protocols such as TCP and UDP. The transport layer operates on segments, which are units of data that contain the source and destination port numbers, as well as the payload. The transport layer also handles flow control, congestion control, and multiplexing.

C. Provides the rules for framing, converting electrical signals to data. This is the responsibility of the data link layer, which is the second layer from the bottom of the OSI model. The data link layer provides the means for transferring data between adjacent nodes on a network, using protocols such as Ethernet and WiFi. The data link layer operates on frames, which are units of data that contain the source and destination MAC addresses, as well as the payload. The data link layer also handles error detection, error correction, and media access control.

D. Handles the physics of getting a message from one device to another. This is the responsibility of the physical layer, which is the lowest layer of the OSI model. The physical layer provides the means for transmitting bits over a physical medium, such as copper wire, fiber optic cable, or radio waves. The physical layer operates on bits, which are the smallest units of data that can be either 0 or 1. The physical layer also handles modulation, demodulation, encoding, decoding, and synchronization.

According to the ISA/IEC 62443-3-2 standard, implementing countermeasures is one of the steps in the security risk assessment for system design. The standard defines a comprehensive set of engineering measures to guide organizations through the process of assessing the risk of a particular industrial automation and control system (IACS) and identifying and applying security countermeasures to reduce that risk to tolerable levels. The standard recommends the following steps for implementing countermeasures:

Establish the risk tolerance: This step involves determining the acceptable level of risk for the organization and the system under consideration, based on the business objectives, legal and regulatory requirements, and stakeholder expectations. The risk tolerance can be expressed as a target security level (SL-T) for each zone or conduit in the system.

Select common countermeasures: This step involves selecting the appropriate security countermeasures for each zone or conduit, based on the SL-T and the existing security level (SL-A) of the system. The standard provides a list of common countermeasures for each security level, covering the domains of physical security, network security, system security, and application security. The selected countermeasures should be documented and justified in the security risk assessment report. References: ISA/IEC 62443 Cybersecurity Series Designated as IEC Horizontal Standards, Cybersecurity Risk Assessment According to ISA/IEC 62443-3-2

ISA/IEC 62443-3-3 provides the list of Foundational Requirements (FRs) for IACS cybersecurity, mapping security controls to each FR to address risks identified during the risk assessment process. The seven FRs include: Identification & Authentication Control (IAC), Use Control (UC), System Integrity (SI), Data Confidentiality (DC), Restricted Data Flow (RDF), Timely Response to Events (TRE), and Resource Availability (RA).

Application whitelisting (AWL) is a technique that allows only authorized applications to run on a system, and blocks any unauthorized or malicious code from executing. AWL is one of the most effective methods for preventing malware infections and reducing the attack surface of a system. AWL can be implemented at different levels, such as the operating system, the network, or the application itself. AWL is especially useful for industrial automation and control systems (IACS), which often run on legacy or proprietary platforms that are not compatible with traditional antivirus software or other security solutions. AWL can also help protect IACS from zero-day attacks, which exploit unknown vulnerabilities that have not been patched or detected by security vendors. AWL is recommended by the ISA/IEC 62443 standards as a key component of malicious code protection for IACS. According to the standards, AWL should be applied to all IACS components that support it, and should be configured and maintained according to the security policies and procedures of the organization. AWL should also be complemented by other security measures, such as network segmentation, zones and conduits, and patch management, to provide a defense-in-depth approach to IACS security. References:

ISA/IEC 62443-3-3:2013, System security requirements and security levels, Section 5.2.3.41

ISA/IEC 62443-2-1:2010, Establishing an industrial automation and control systems security program, Section 4.3.3.6.42

ISA/IEC 62443-4-2:2019, Technical security requirements for IACS components, Section 4.2.3.43

ISA/IEC 62443-3-2:2020, Security risk assessment for system design, Section 7.3.3.44

ISA/IEC 62443-4-1:2018, Product development requirements, Section 5.2.3.45

A control system, in the context of ISA/IEC 62443, refers to the hardware and software components of an Industrial Automation and Control System (IACS). This includes PLCs, SCADA, DCS, HMIs, sensors, actuators, and supporting networks and applications used to monitor and control physical processes.

According to the ISA/IEC 62443-3-2 standard, a security zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements. The primary objective of defining a security zone is to apply a consistent level of protection to the assets within the zone, based on their criticality and risk assessment. A security zone may contain assets from different vendors, different levels in the Purdue model, or different physical locations, as long as they have the same security requirements. A security zone may also be subdivided into subzones, if there are different security requirements within the zone. A conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements.

Separation of duties is a security principle that aims to prevent fraud, errors, conflicts of interest, or misuse of resources by dividing critical tasks or functions among different people or teams. It is one of the foundational requirements (FRs) of the ISA/IEC 62443 standards for securing industrial automation and control systems (IACSs). According to the ISA/IEC 62443-2-1 standard, separation of duties includes the following system requirements (SRs):

SR 2.1: Security management policy

SR 2.2: Personnel security

SR 2.3: System development and maintenance

SR 2.4: Incident response and recovery

SR 2.5: Compliance and review

Among these SRs, the one that is most related to the example of system development and maintenance is SR 2.3. SR 2.3 requires that the IACS shall provide the capability to ensure that the development and maintenance of the system and its components are performed in a secure manner. This means that the IACS should have a mechanism to control the access and authorization of developers, testers, integrators, and maintainers who work on the system and its components. It also means that the IACS should have a mechanism to verify and validate the quality and security of the system and its components before, during, and after the development and maintenance processes.

Therefore, an example of separation of duties as a part of system development and maintenance is that changes are approved by one party and implemented by another. This ensures that the changes are authorized, documented, and reviewed by someone who is not involved in the implementation. This reduces the risk of introducing errors, vulnerabilities, or malicious code into the system and its components.

Datagram Transport Layer Security (DTLS) and Secure Sockets Layer (SSL) are both commonly used protocols for managing secure data transmission on the Internet. DTLS is a variant of SSL that is designed to work over datagram protocols such as UDP, which are used for real-time applications such as voice and video. SSL is a protocol that provides encryption, authentication, and integrity for data transmitted over TCP, which is used for reliable and ordered delivery of data. Both DTLS and SSL use certificates and asymmetric cryptography to establish a secure session between the communicating parties, and then use symmetric cryptography to encrypt the data exchanged. DTLS and SSL are widely used in web browsers, email clients, VPNs, and other applications that require secure communication over the Internet. References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System, Module 3: Introduction to Cryptography, pages 3-5 to 3-7

Using the ISA/IEC 62443 Standards to Secure Your Control System, Chapter 6: Securing Communications, pages 125-126

According to the OSI model, the physical address is assigned in the layer 2, also known as the data link layer. The physical address is a unique identifier for each device on a network, such as a MAC address or a serial number. The data link layer is responsible for transferring data between adjacent nodes on a network, using the physical address to identify the source and destination of each frame. The data link layer also provides error detection and correction, flow control, and media access control. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Prep, section 2.2; ISA/IEC 62443 Standards to Secure Your Industrial Control System, section 3.1.2.

The Modbus Application Protocol is a messaging protocol that provides client/server communication between devices connected on different types of buses or networks. It is positioned at level 7 of the OSI model, which is the application layer. The application layer is the highest level of the OSI model and defines the rules and formats for data exchange between applications. The Modbus Application Protocol is independent of the underlying communication layers and can be implemented using different transport protocols, such as TCP/IP, serial, or Modbus Plus. The Modbus Application Protocol defines the function codes, data formats, and error codes for Modbus transactions123 References:

MODBUS APPLICATION PROTOCOL SPECIFICATION V1

Modbus - Wikipedia

Overview of Modbus — EPICS support for Modbus - GitHub Pages

The ISA/IEC 62443 standards are divided into four main groups: General, Policies and Procedures, System, and Component. The first group, “General,” includes foundational standards and technical reports that provide essential concepts, models, terminology, and overall guidance for the rest of the series. This includes parts such as 62443-1-1 (concepts and models), 1-2 (glossary), 1-3 (metrics), and 1-4 (security lifecycle and use cases).

 A router and a VPN can be employed as barrier devices in a segmented network. A barrier device is a device that controls the flow of traffic between different network segments, based on predefined rules and policies1. A router is a device that forwards packets between different networks, based on their IP addresses2. A router can act as a barrier device by applying access control lists (ACLs) or firewall rules to filter or block unwanted or malicious traffic2. A VPN is a technology that creates a secure and encrypted tunnel between different networks, such as a remote site and a corporate network3. A VPN can act as a barrier device by encrypting the traffic and authenticating the users or devices that access the network3. A VPN can also prevent unauthorized access or eavesdropping by outsiders3.

 ISA-TR62443-2-3 is the technical report that describes the requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. Patch management is the process of applying software updates to fix vulnerabilities, bugs, or performance issues in the IACS components. Patch management is an essential part of maintaining the security and reliability of the IACS environment. The technical report provides guidance on how to establish a patch management policy, how to assess the impact and risk of patches, how to test and deploy patches, and how to monitor and audit the patch management process. References: 1, 2, 3

Phishing is a type of cyberattack that relies on a human weakness to succeed. Phishing is the practice of sending fraudulent emails or other messages that appear to come from a legitimate source, such as a bank, a government agency, or a trusted person, in order to trick the recipient into revealing sensitive information, such as passwords, credit card numbers, or personal details, or into clicking on malicious links or attachments that may install malware or ransomware on their devices. Phishing is a common and effective way of compromising the security of industrial automation and control systems (IACS), as it can bypass technical security measures by exploiting the human factor. Phishing can also be used to gain access to the IACS network, to conduct reconnaissance, to launch further attacks, or to cause damage or disruption to the IACS operations. The ISA/IEC 62443 series of standards recognize phishing as a potential threat vector for IACS and provide guidance and best practices on how to prevent, detect, and respond to phishing attacks. Some of the recommended countermeasures include:

Educating and training the IACS staff on how to recognize and avoid phishing emails and messages, and how to report any suspicious or malicious activity.

Implementing and enforcing policies and procedures for email and message security, such as using strong passwords, verifying the sender’s identity, and not opening or clicking on unknown or unsolicited links or attachments.

Applying technical security controls, such as antivirus software, firewalls, spam filters, encryption, and authentication, to protect the IACS devices and network from phishing attacks.

Monitoring and auditing the IACS network and devices for any signs of phishing attacks, such as anomalous or unauthorized traffic, connections, or activities, and taking appropriate actions to contain and mitigate the impact of any incidents. References:

ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models1

ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2

ISA/IEC 62443-2-4:2015, Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers3

ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels4

ISA/IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components5

Authorization is the process of granting or denying access to a network resource or function. Authorization (user accounts) must be granted based on specific roles, which are defined as sets of permissions and responsibilities assigned to a user or a group of users. Roles should be based on the principle of least privilege, which means that users should only have the minimum level of access required to perform their tasks. Roles should also be based on the principle of separation of duties, which means that users should not have conflicting or overlapping responsibilities that could compromise the security or integrity of the system. Authorization based on individual preferences or common needs for large groups is not recommended, as it could lead to excessive or unnecessary access rights, or to inconsistent or conflicting policies. Authorization based on system complexity is also not a good criterion, as it could result in overcomplicated or unclear roles that are difficult to manage or audit. References:

ISA/IEC 62443-3-3:2013 - Security for industrial automation and control systems - Part 3-3: System security requirements and security levels1

ISA/IEC 62443-2-1:2010 - Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2

ISA/IEC 62443-4-1:2018 - Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements3

ISASecure is a conformity assessment scheme developed under the ISA Security Compliance Institute (ISCI), an affiliate of ISA. Its primary focus is the certification of IACS (Industrial Automation and Control System) products, systems, and supplier processes for cybersecurity. The program’s aim is to facilitate and ensure the cybersecurity of automation and control systems by certifying that products and systems meet the requirements set forth in the ISA/IEC 62443 standards. ISASecure offers certifications such as ISASecure EDSA (Embedded Device Security Assurance), SSA (System Security Assurance), and CSA (Component Security Assurance), all of which are tightly mapped to the 62443 series requirements.

ISA/IEC 62443-3-2 specifically describes the methodology for conducting risk assessments within industrial automation and control systems (IACS). This part of the standard provides guidance on identifying risks, assigning Security Levels, and making design decisions during the Assess phase of the IACS Cybersecurity Lifecycle.

In ANSI/ISA-99.00.01:2007, which is part of the ISA/IEC 62443 standards, electronic security encompasses both the technical and human aspects of cybersecurity within industrial automated and control systems (IACS). Option B correctly highlights components such as computers, networks, operating systems, applications, and other programmable configurable components which are intrinsic to the system's electronic security framework. Option C is also correct as it includes the personnel, policies, and procedures which play a crucial role in securing these systems. This emphasizes that security is not only about the technological solutions but also about managing human elements and organizational processes effectively.

ISA/IEC 62443 Cybersecurity Fundamentals References:

ISA/IEC 62443 standards focus on the holistic nature of security which is clearly supported by including both the technological (Option B) and human elements (Option C) in the definition of electronic security.

 According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist resources, patches are software updates that fix bugs, vulnerabilities, or improve performance of a system. Patches are classified into three categories based on their urgency and impact: low, medium, and high. Low priority patches are those that have minimal or no impact on the system functionality or security, and can be applied at the next scheduled maintenance. Medium priority patches are those that have moderate impact on the system functionality or security, and should be applied within a reasonable time frame, such as three months. High priority patches are those that have significant or critical impact on the system functionality or security, and should be applied as soon as possible, preferably at the first unscheduled outage. Applying patches in a timely manner is a best practice for maintaining the security and reliability of an industrial automation and control system (IACS). References:

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 4.3.2, Patch Management

ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program, Clause 5.3.2.2, Patch management

ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels, Clause 4.3.3.6.2, Patch management

The Risk Analysis category contains background information that is used to identify and assess the risks associated with the cyber-physical system (CPS) under consideration. This information includes the system description, the threat model, the vulnerability analysis, the risk assessment method, and the risk acceptance criteria. The Risk Analysis category is used as an input for many other elements in the CSMS, such as the Risk ID, Risk Reduction, Risk Acceptance, and Risk Monitoring elements. The Risk Analysis category provides the basis for the risk management process and helps to ensure a consistent and systematic approach to cybersecurity in the CPS. References:

Using the ISA/IEC 62443 Standards to Secure Your Control System, page 13

[ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide], page 34

 A vulnerability scanner is a tool that scans a network or a system for known vulnerabilities, such as misconfigurations, outdated software, or weak passwords. A vulnerability scanner can provide valuable information for improving the security posture of a system, but it can also cause serious disruption of a control network if used on a live system. This is because a vulnerability scanner may generate a large amount of network traffic, consume system resources, trigger alarms, or even crash devices by exploiting vulnerabilities. Therefore, a vulnerability scanner should not be used on a live system without proper authorization and precautions. A vulnerability scanner should only be used on a test or isolated network, or during a scheduled maintenance window with minimal impact on the system operation. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, Module 5: Assessing the Current Security Level, Slide 25.

CCSC stands for “Common Component Security Criteria.” In the ISA/IEC 62443 series, specifically in Part 4-2, CCSC refers to a harmonized set of security criteria applicable to individual components within an IACS, such as embedded devices, network devices, host devices, and software applications. These criteria are used to ensure that each component meets a consistent baseline for cybersecurity, supporting overall system security.

Modbus TCP is a widely used protocol in industrial control systems, enabling communication between devices such as PLCs and SCADA systems over Ethernet networks. It is an adaptation of the classic Modbus protocol to TCP/IP networks and is explicitly referenced in ISA/IEC 62443 documentation as a common protocol for IACS communications. FTP, HTTP, and SMTP are general IT protocols and not primarily associated with industrial control communications.

A Wide Area Network (WAN) is a communications system that covers a large geographic area, such as a city, a country, or even several countries or continents1. WANs are often used to connect local area networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations2. WANs use various communication infrastructures, such as public telephone lines, undersea cables, and communication satellites, to transmit data over long distances1. WANs are typically established with leased telecommunication circuits or less costly circuit switching or packet switching methods2. WANs are often built by Internet service providers, who provide connections from an organization’s LAN to the Internet2. The Internet itself may be considered a WAN2. References: Hardware and network technologies - CCEA LAN and WAN - BBC, Wide area network - Wikipedia.

The reference model described in ISA/IEC 62443-1-1 (see Figure 2) starts at a high level and encompasses all levels of the ISA-95 model (Levels 0 to 4), which range from field devices up to business logistics systems. This model provides a holistic, layered view of all the equipment, systems, and information flows in industrial automation.

The application layer is the topmost layer of the OSI model, which provides the interface between the user and the network. It includes protocols specific to network applications such as email, file transfer, and reading data registers in a PLC. These protocols deliver and format information, possibly with encryption and security, to ensure reliable and meaningful communication between different applications. The application layer does not include user applications, which are separate from the network protocols. The application layer also does not provide the mechanism for opening, closing, and managing a session between end-user application processes, which is the function of the session layer. References:

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, page 181

Using the ISA/IEC 62443 Standards to Secure Your Control System, page 82

The application layer in network protocols, such as in the OSI model or the TCP/IP protocol suite, is primarily responsible for providing services directly to user applications. This layer is involved in:

Option A: Including protocols specific to network applications such as email, file transfer, and industrial protocols like reading data registers in a Programmable Logic Controller (PLC). This is a core function of the application layer as it facilitates specific high-level networking capabilities.

Option D: Delivering and formatting information, which can include encryption and ensuring the security of data as it is transmitted across the network. This includes protocols like HTTP for web browsing which can encrypt data via HTTPS, SMTP for secure email transmission, and FTP for secure file transfer.

The Chemical Facility Anti-Terrorism Standards (CFATS) program is overseen and enforced by the U.S. Department of Homeland Security (DHS). This program is designed to identify and regulate high-risk chemical facilities to ensure they have security measures in place to reduce the risk associated with hazardous chemicals, including risks posed by cyber threats.

Security Levels (SLs) are a way of expressing the security performance of an industrial automation and control system (IACS) or its components. SLs are broken down into three types: target, capability, and achieved1.

Target SL is the level of security performance that is required for a system or component to protect against a specific threat scenario. The target SL is determined by conducting a risk assessment that considers the likelihood and impact of potential security incidents1.

Capability SL is the level of security performance that a system or component can provide based on its design and implementation. The capability SL is determined by evaluating the security functions and features of the system or component against a set of security requirements1.

Achieved SL is the level of security performance that a system or component actually provides in its operational environment. The achieved SL is determined by verifying that the system or component is properly installed, configured, maintained, and monitored1.

 Modbus over Ethernet, also known as Modbus/TCP, is a protocol that encapsulates the Modbus/RTU data string inside the data section of the TCP frame. It then sets up a client/server exchange between nodes, using TCP/IP addressing to establish connections1. This makes it easy to manage in a firewall, because the firewall can filter the traffic based on the source and destination IP addresses and the TCP port number. The default TCP port for Modbus/TCP is 502, but it can be changed if needed. Modbus/TCP does not use any other ports or protocols, so the firewall rules can be simple and specific. References:

8: Open Modbus/TCP Specification, RTA Automation, 2010.

[9]: Modbus Application Protocol Specification V1.1b3, Modbus Organization, 2012.

The formula for risk in ISA/IEC 62443 is typically expressed as:

Risk = Threat × Vulnerability × Consequence

This means that risk is a product of the likelihood that a threat will exploit a vulnerability and the impact (consequence) if that event occurs. This formula is consistently used in both the general information security domain and explicitly referenced in the ISA/IEC 62443-3-2 standard in the context of IACS risk assessments.

ISA/IEC 62443 is listed as an “Informative Reference” in the NIST Cybersecurity Framework (CSF). The NIST CSF provides cross-references to a number of standards and guidelines, including ISO/IEC 27001, NIST SP 800-53, and ISA/IEC 62443, to help organizations implement cybersecurity controls using globally recognized frameworks tailored for industrial and critical infrastructure environments.

An asymmetric key is a feature of asymmetric cryptography, also known as public-key cryptography, which is a method of encrypting and decrypting data using two different keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner. The public key and the private key are mathematically related, but it is computationally infeasible to derive one from the other. Asymmetric cryptography can be used for various purposes, such as digital signatures, key exchange, and encryption. For example, if Alice wants to send a message to Bob, she can use Bob’s public key to encrypt the message, and only Bob can decrypt it using his private key. Alternatively, if Bob wants to prove that he is the author of a message, he can use his private key to sign the message, and anyone can verify it using his public key. Asymmetric cryptography has some advantages over symmetric cryptography, which uses the same key for both encryption and decryption. For instance, asymmetric cryptography does not require a secure channel to distribute the keys, and it can provide non-repudiation and authentication. However, asymmetric cryptography also has some drawbacks, such as higher computational complexity, larger key sizes, and higher network overhead.

The ISA/IEC 62443 standards series was originally developed by the International Society of Automation (ISA) and then adopted and published by the International Electrotechnical Commission (IEC) as the IEC 62443 series. The IEC is the primary international body responsible for the ongoing development, maintenance, and publication of these standards, which are recognized globally for IACS cybersecurity. ANSI is a US standards body, NIST is responsible for US federal cybersecurity frameworks, and ETSI develops telecommunications standards for Europe, but IEC is the correct answer here.