ISA-IEC-62443 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Questions and Answers

One of the reasons for the increase in attacks on IACS is the availability of information and tools that can be used to exploit vulnerabilities in these systems. The Internet provides a platform for hackers, researchers, and activists to share their knowledge and techniques for compromising IACS. Some examples of such information and tools are:

Stuxnet: A sophisticated malware that targeted the Iranian nuclear program in 2010. It exploited four zero-day vulnerabilities in Windows and Siemens software to infect and manipulate the programmable logic controllers (PLCs) that controlled the centrifuges. Stuxnet was widely analyzed and reported by the media and security experts, and its source code was leaked online1.

Metasploit: A popular penetration testing framework that contains modules for exploiting various IACS components and protocols. For instance, Metasploit includes modules for attacking Modbus, DNP3, OPC, and Siemens S7 devices2.

Shodan: A search engine that allows users to find devices connected to the Internet, such as webcams, routers, printers, and IACS components. Shodan can reveal the location, model, firmware, and configuration of these devices, which can be used by attackers to identify potential targets and vulnerabilities3.

ICS-CERT: A website that provides alerts, advisories, and reports on IACS security issues and incidents. ICS-CERT also publishes vulnerability notes and mitigation recommendations for various IACS products and vendors4. These sources of information and tools can be useful for legitimate purposes, such as security testing, research, and education, but they can also be misused by malicious actors who want to disrupt, damage, or steal from IACS. Therefore, IACS owners and operators should be aware of the threats and risks posed by the Internet and implement appropriate security measures to protect their systems. References:

The increase in attacks on Industrial Automation and Control Systems (IACS) can be attributed to several factors, including: A. Use of proprietary communications protocols: These can pose security risks because they may not have been designed with security in mind and are often not as well-tested against security threats as more standard protocols. C. Knowledge of exploits and tools readily available on the Internet: The availability of information about vulnerabilities and exploits on the internet has made it easier for attackers to target IACS.

The other options, B and D, are incorrect because: B. The move towards commercial off-the-shelf (COTS) systems, protocols, and networks actually increases risk because these systems are more likely to be known and targeted by attackers, compared to proprietary systems which might benefit from security through obscurity. D. There is actually an increase in risk with more personnel with system knowledge because it enlarges the attack surface – each individual with system knowledge can potentially become a vector for an attack, either maliciously or accidentally.

According to the ISA/IEC 62443-3-2 standard, a security zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements. The primary objective of defining a security zone is to apply a consistent level of protection to the assets within the zone, based on their criticality and risk assessment. A security zone may contain assets from different vendors, different levels in the Purdue model, or different physical locations, as long as they have the same security requirements. A security zone may also be subdivided into subzones, if there are different security requirements within the zone. A conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements.

 The ISA/IEC 62443 series of standards is organized into four main categories for documents, based on the topics and perspectives that they cover. These categories are: General, Policies and Procedures, System, and Component12.

General: This category covers topics that are common to the entire series, such as terms, concepts, models, and overview of the standards1. For example, ISA/IEC 62443-1-1 defines the terminology, concepts, and models for industrial automation and control systems (IACS) security3.

Policies and Procedures: This category focuses on methods and processes associated with IACS security, such as risk assessment, system design, security management, and security program development1. For example, ISA/IEC 62443-2-1 specifies the elements of an IACS security management system, which defines the policies, procedures, and practices to manage the security of IACS4.

System: This category is about requirements at the system level, such as security levels, security zones, security lifecycle, and technical security requirements1. For example, ISA/IEC 62443-3-3 specifies the system security requirements and security levels for zones and conduits in an IACS5.

Component: This category provides detailed requirements for IACS products, such as embedded devices, network devices, software applications, and host devices1. For example, ISA/IEC 62443-4-2 specifies the technical security requirements for IACS components, such as identification and authentication, access control, data integrity, and auditability.

The other options are not valid categories for documents in the ISA/IEC 62443 series of standards, as they either do not reflect the structure and scope of the standards, or they mix different aspects of IACS security that are covered by different categories. For example, end-user, integrator, vendor, and regulator are not categories for documents, but rather roles or stakeholders that are involved in IACS security. Assessment, mitigation, documentation, and maintenance are not categories for documents, but rather activities or phases that are part of the IACS security lifecycle. People, processes, technology, and training are not categories for documents, but rather elements or dimensions that are essential for IACS security.

IT systems and IACS have different security priorities, requirements, and challenges. According to the ISA/IEC 62443 standards, the security priority for IT systems is confidentiality, which means protecting the data from unauthorized access or disclosure. The security priority for IACS is integrity, which means ensuring the accuracy and consistency of the data and the functionality of the system. A loss of integrity in an IACS can have severe consequences, such as physical damage, environmental harm, or human injury. Therefore, IACS cybersecurity must address safety issues, which are not typically considered in IT security. Safety is the ability of the system to prevent or mitigate hazardous events that can cause harm to people, property, or the environment. The ISA/IEC 62443 standards provide guidance and best practices for ensuring the safety and security of IACS, as well as the availability and reliability of the system. Availability is the ability of the system to perform its intended function when required, and reliability is the ability of the system to perform its intended function without failure. These properties are also important for IT systems, but they may have different trade-offs and implications for IACS. For example, an IACS may have stricter performance and availability requirements than an IT system, as a delay or disruption in the IACS operation can affect the industrial process and its outcomes. Additionally, an IACS may have longer equipment lifetimes and less frequent maintenance windows than an IT system, which can make patching and updating more difficult and risky. Furthermore, an IACS may use different technologies and architectures than an IT system, such as legacy devices, proprietary protocols, or specialized hardware. These factors can create compatibility and interoperability issues, as well as increase the attack surface and complexity of the IACS. Therefore, IT security solutions and practices may not be sufficient or suitable for IACS, and they may need to be adapted or supplemented by IACS-specific security measures. The ISA/IEC 62443 standards address these differences and provide a comprehensive framework for securing IACS throughout their lifecycle.

In cybersecurity, a demilitarized zone (DMZ) refers to a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, typically the internet. The main characteristic of a DMZ is that it acts as a buffer zone between the public internet and the private network. This allows for internet access through the firewall while keeping the internal network secure. Internet-facing servers are placed in the DMZ so that they are separated from the rest of the internal network. By doing so, if a server in the DMZ is compromised, the attacker would not have direct access to the internal network. This architecture is commonly used to host services such as web servers, mail servers, and FTP servers. Choice C is the most closely associated with the deployment of a DMZ as it allows for regulated and monitored internet access through a firewall.

Packet filter, application proxy, and stateful inspection are all recognized types or classes of firewalls in both IT and industrial control environments. A network monitor, on the other hand, is not considered a firewall but rather a tool for observing and analyzing network traffic. It does not provide firewall-like controls for blocking or allowing traffic.

 Modbus over Ethernet, also known as Modbus/TCP, is a protocol that encapsulates the Modbus/RTU data string inside the data section of the TCP frame. It then sets up a client/server exchange between nodes, using TCP/IP addressing to establish connections1. This makes it easy to manage in a firewall, because the firewall can filter the traffic based on the source and destination IP addresses and the TCP port number. The default TCP port for Modbus/TCP is 502, but it can be changed if needed. Modbus/TCP does not use any other ports or protocols, so the firewall rules can be simple and specific. References:

8: Open Modbus/TCP Specification, RTA Automation, 2010.

[9]: Modbus Application Protocol Specification V1.1b3, Modbus Organization, 2012.

ISA/IEC 62443 places primary accountability for cybersecurity risk on the asset owner, particularly during the Operation and Maintenance phase of the IACS lifecycle. This phase is where systems run for years or decades, and cybersecurity effectiveness depends less on design intent and more on how people and processes operate daily.

Step 1: Lifecycle responsibility of the asset owner

ISA/IEC 62443-2-1 requires the asset owner to establish, operate, and maintain an IACS Security Program. During operation, cybersecurity controls must be embedded into routine organizational activities such as operations, maintenance, incident handling, training, and change management.

Step 2: Integration with people and processes

The standard explicitly recognizes that technology alone cannot manage cybersecurity risk. Operators, engineers, maintenance staff, and managers must understand their cybersecurity roles. Embedding IACS security into organizational processes ensures consistent execution across shifts, teams, and sites.

Step 3: Avoiding incorrect interpretations

Immediate decommissioning is not an operational objective. Allowing unrestricted remote updates by suppliers contradicts governance requirements. Granting full control to maintenance providers violates the asset owner’s accountability.

Step 4: Operational resilience

By embedding IACS security into organizational culture and workflows, the asset owner ensures that security measures are sustained, monitored, and improved over time.

Therefore, the correct reason is to embed the IACS within organizational processes and people.

ISA/IEC 62443-4-1 provides a framework for secure product development lifecycle (SDL). One of its primary goals is to ensure that security practices are integrated consistently and systematically throughout the product's development process.

“The objective of this part is to define a secure development lifecycle process that results in a consistent and repeatable approach to building secure products.”

— ISA/IEC 62443-4-1:2018, Clause 1 – Scope

While all listed items may contribute to security, the core intent of Part 4-1 is to ensure an aligned, structured development process.

ISA/IEC TR 62443-1-5 provides formal guidance on the creation and structure of cybersecurity profiles within the ISA/IEC 62443 framework. A security profile is intended to tailor existing requirements to a specific industry sector, application, or use case without altering the integrity of the base standard.

Step 1: Purpose of a security profile

The technical report clarifies that profiles are selections and combinations of existing requirements, not a mechanism to invent new controls. Profiles ensure consistent application of ISA/IEC 62443 while addressing sector-specific risk, regulatory, or operational needs.

Step 2: Authorized source documents

TR 62443-1-5 explicitly states that security profiles may reference requirements from:

ISA/IEC 62443-2-1 (asset owner security program requirements)

ISA/IEC 62443-2-4 (service provider requirements)

ISA/IEC 62443-3-3 (system security requirements)

ISA/IEC 62443-4-1 (secure product development lifecycle)

ISA/IEC 62443-4-2 (technical component requirements)

These documents collectively cover organizational, system, and component security.

Step 3: Why other options are incorrect

Limiting profiles to only Parts 3-3 and 4-1 excludes governance and lifecycle requirements.

Parts 1-1 and 1-2 are foundational and definitional, not requirement sources.

Referencing standards outside the 62443 family violates the intent of maintaining internal consistency.

Step 4: Standard integrity

By restricting profiles to these documents, ISA ensures profiles remain interoperable, auditable, and certifiable.

Thus, Option C is the only correct answer.

The ISA/IEC 62443-3-2 standard specifies that a key output of the risk assessment process is the establishment of Target Security Levels (SL-Ts) for each security zone or conduit. These target levels define the minimum cybersecurity requirements necessary to mitigate identified risks to an acceptable level. Total risk elimination is generally not possible; instead, setting SL-Ts allows for structured, risk-based implementation of security controls.

 According to the IEC 62443 standard, a capability security level (SL-C) is defined as “the security level that a component or system is capable of meeting when it is properly configured and protected by an appropriate set of security countermeasures” 1. A component or system can have different SL-Cs for different security requirements, depending on its design and implementation. The SL-C is determined by testing the component or system against a set of security test cases that correspond to the security requirements. The SL-C is not dependent on the actual operational environment or configuration of the component or system, but rather on its inherent capabilities. References:

IEC 62443 - Wikipedia

SP Element 3 in ISA/IEC 62443-2-1 focuses on Network and Communication Security, with segmentation as a foundational control.

Step 1: Threat origin reality

Many cyberattacks targeting IACS originate from enterprise IT networks, remote access paths, or external connections. Without segmentation, these threats can propagate directly into control systems.

Step 2: Zones and conduits concept

ISA/IEC 62443 requires logical and physical separation between IACS zones and non-IACS zones, with controlled conduits enforcing security policies.

Step 3: Attack surface reduction

Segmentation limits exposure by ensuring that only explicitly authorized communications can cross zone boundaries.

Step 4: Why other options are incorrect

Data classification, identity persistence, and backup verification are handled by other SP Elements and foundational requirements.

Thus, segmentation is critical to prevent attacks originating outside the IACS, making Option B correct.

The “Maintain” phase is the fourth phase of the IACS Cybersecurity Lifecycle described in ISA/IEC 62443-2-1. A key activity in this phase is managing changes (also known as “change management”). This activity ensures that any modifications to the IACS environment (hardware, software, processes, etc.) are evaluated for cybersecurity impact, and proper controls are implemented to maintain the intended security posture. While risk assessment is typically done in the Assess phase, and allocating assets and designing countermeasures belong to earlier phases, managing changes is essential for ensuring ongoing compliance and effectiveness of cybersecurity controls over time.

 IPSec is a commonly used protocol for managing secure data transmission over a VPN. IPSec stands for Internet Protocol Security and it is a set of standards that define how to encrypt and authenticate data packets that travel between two or more devices over an IP network. IPSec can operate in two modes: transport mode and tunnel mode. In transport mode, IPSec only encrypts the payload of the IP packet, leaving the header intact. In tunnel mode, IPSec encrypts the entire IP packet and encapsulates it in a new IP header. Tunnel mode is more secure and more suitable for VPNs, as it can protect the original source and destination addresses of the IP packet from eavesdropping or spoofing. IPSec uses two main protocols to provide security services: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data integrity and source authentication, but not confidentiality. ESP provides data integrity, source authentication, and confidentiality. IPSec also uses two protocols to establish and manage security associations (SAs), which are the parameters and keys used for encryption and authentication: Internet Key Exchange (IKE) and Internet Security Association and Key Management Protocol (ISAKMP). IKE is a protocol that negotiates and exchanges cryptographic keys between two devices. ISAKMP is a protocol that defines the format and structure of the messages used for key exchange and SA management.

The four documents classified under the General category of ISA/IEC 62443 are:

Part 1-1: Terminology, concepts, and models

Part 1-2: Master glossary of terms and definitions

Part 1-3: System security conformance metrics

ISA/IEC 62443-3-3 defines system-level security requirements applicable across roles.

Step 1: System focus

Part 3-3 specifies technical security requirements for IACS systems, independent of who implements them.

Step 2: Multi-role applicability

These requirements are used by:

Product suppliers (design alignment)

System integrators (implementation)

Asset owners (operation and verification)

Step 3: Distinction from other parts

2-1 focuses on management systems

2-4 focuses on service providers

4-2 focuses on component-level requirements

Thus, Option C is correct.

API 1164 is an industry sector-specific standard that provides guidance on the cybersecurity of pipeline supervisory control and data acquisition (SCADA) systems. API stands for American Petroleum Institute, which is the largest U.S. trade association for the oil and natural gas industry. API 1164 was first published in 2004 and revised in 2009 and 2021. The latest version of the standard aligns with the ISA/IEC 62443 series of standards and incorporates the concepts of security levels, zones, and conduits. API 1164 covers the security lifecycle of pipeline SCADA systems, from risk assessment and policy development to implementation and maintenance. The standard also defines roles and responsibilities, security requirements, security controls, and security assessment methods for pipeline SCADA systems.

 Layer 1 of the ISO/OSI protocol stack is the physical layer, which provides the means of transmitting and receiving raw data bits over a physical medium. It defines the electrical and physical specifications of the data connection, such as the voltage levels, signal timing, cable types, connectors, and pin assignments. It does not perform any data encryption, routing, end-to-end connectivity, framing, error checking, or user applications. These functions are performed by higher layers of the protocol stack, such as the data link layer, the network layer, the transport layer, and the application layer. References: ISO/IEC 7498-1:1994, Section 6.11; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 3.1.12

“Defense in Depth” is a foundational principle in ISA/IEC 62443, defined as:

“The application of multiple security countermeasures in a layered (stepwise) fashion to protect assets.”

(ISA/IEC 62443-1-1, Clause 3.2.65)

The objective is to reduce the probability that a single point of failure or vulnerability can be exploited to compromise the system. Layers may include physical security, network segmentation, authentication, intrusion detection, and endpoint protection.

From ISA/IEC 62443-3-3:

“Defense in depth should be employed to provide redundancy in security mechanisms. Each layer increases the security of the system and mitigates different types of threats.”

Incorrect Options:

A and B – Misinterpret the concept as technical complexity, rather than layered protection.

C – Refers to physical spacing, not a cybersecurity strategy.

The first step in the Cyber Security Management System (CSMS) development process is to “Initiate the CSMS program,” which involves establishing its purpose, obtaining organizational support, allocating resources, and defining the program’s scope. These foundational activities are required to ensure that the program is properly structured and supported before detailed risk assessments or architecture planning are performed.

ISA/IEC 62443-3-2 introduces the concept of the System under Consideration (SuC) as the scope boundary for risk assessment.

Step 1: Purpose of the SuC

The SuC defines exactly what is being analyzed for cybersecurity risk.

Step 2: Inclusive scope

It includes a defined collection of IACS components, systems, zones, conduits, and supporting assets that contribute to the system’s function.

Step 3: Why definition matters

A clearly defined SuC ensures accurate threat modeling, impact analysis, and Security Level determination.

Step 4: Why other options are incorrect

Limiting the SuC to business assets or physical devices ignores logical, networked, and functional dependencies.

Therefore, the correct answer is a defined collection of IACS and related assets.

In the Assess phase of the IACS Cybersecurity Lifecycle (as defined in ISA/IEC 62443-2-1 and 62443-3-2), the main objective is to identify assets, analyze risks, and assign a Target Security Level (SL-T) for each zone or conduit. This sets the foundation for design and implementation decisions. Achieving or verifying the SL-A (Achieved Security Level) occurs later in the lifecycle, after implementation.

The Security Program (SP) portfolio is the correct foundational document for an evolving IACS cybersecurity approach according to the ISA/IEC 62443 family of standards. ISA/IEC 62443 is explicitly designed around the concept of continuous risk management and lifecycle-based cybersecurity, rather than static or one-time security implementations.

Step 1: Role of the Security Program (SP)

ISA/IEC 62443-2-1 defines the requirements for establishing, implementing, maintaining, and continuously improving an IACS Cybersecurity Management System. The Security Program provides organizational governance through policies, roles, responsibilities, procedures, training, incident handling, change management, and continuous improvement activities. These elements ensure cybersecurity adapts as threats, vulnerabilities, and system configurations evolve.

Step 2: Need for an evolving security approach

The standard recognizes that IACS environments are long-lived and subject to changing operational conditions, emerging threat actors, and new vulnerabilities. Therefore, cybersecurity must be managed as an ongoing process. The SP portfolio enables periodic reassessment of risks, updates to controls, and improvements to security processes throughout the system lifecycle.

Step 3: Relationship between SP and SPS

IEC 62443-2-2 introduces the Security Protection Scheme (SPS), which is a documented set of technical, procedural, and physical security measures selected to mitigate identified risks. However, the SPS is not the foundation; it is a product of the Security Program. The SP governs how the SPS is developed, implemented, operated, and modified over time.

Step 4: Elimination of incorrect options

“IEC 62443-2-2 only” is insufficient because it addresses SPS development without broader governance.

Corporate KPIs unrelated to IACS do not manage cybersecurity risk.

An SPS alone cannot evolve without programmatic oversight.

In alignment with the intent and structure of ISA/IEC 62443, the Security Program (SP) portfolio is the correct foundation for a cybersecurity plan that must continuously evolve.

The ISA/IEC 62443-4-1 standard defines the requirements for a secure product development lifecycle for IACS products. One of the core requirements is “risk management” — the systematic process of identifying, evaluating, and mitigating security risks throughout the product lifecycle. This ensures that security is built in from the early design phases through to maintenance and decommissioning. While agile and continuous integration can be useful development methods, they are not specific requirements of the standard. Defense-in-depth is a security principle, not a lifecycle process requirement.

Cybersecurity and physical security regulations are intended to provide guidance and requirements for protecting industrial control systems from various threats and risks. However, these regulations may face mixed resistance from different stakeholders for various reasons. One of the reasons is that there are a limited number of enforced cybersecurity and physical security regulations, especially at the international level. This means that some regions or countries may have more stringent or comprehensive regulations than others, creating inconsistencies and challenges for cross-border cooperation and compliance. Moreover, some regulations may be outdated or not aligned with the current best practices and standards, such as ISA/IEC 62443, which may limit their effectiveness and applicability. Therefore, some organizations may prefer to follow voluntary standards or frameworks, such as ISA/IEC 62443, rather than mandatory regulations, as they may offer more flexibility and adaptability to the specific needs and contexts of each industrial control system. References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 3

Using the ISA/IEC 62443 Standard to Secure Your Control System, page 9

ISA/IEC 62443-2-1 clearly recommends that the IACS Security Program (SP) be fully embedded into existing organizational processes, including alignment with the Information Security Management System (ISMS), if present.

“The IACS security program shall be integrated with the organization's overall management systems and processes, including those defined in the ISMS (e.g., ISO/IEC 27001).”

— ISA/IEC 62443-2-1:2010, Clause 4.2.1 – Integration of Security Program

This ensures that security is a sustained operational priority and not a separate or siloed initiative.

According to ISA/IEC 62443-3-2, the risk analysis phase in the IACS security lifecycle includes both the business rationale and the risk identification and classification. This ensures that risk decisions are based not only on technical vulnerability but also on business impact and operational context.

“The risk analysis process includes identification and classification of risks based on a defined business rationale. This ensures that the protection requirements are aligned with the organization’s risk tolerance and operational priorities.”

— ISA/IEC 62443-3-2:2020, Section 6.4 – Risk Assessment and SL Targeting

The term business rationale refers to understanding the value and criticality of the asset or system in order to make informed security decisions.

The Presentation layer (Layer 6) of the OSI model is responsible for data format conversion (such as character set translation) and encryption/decryption of messages. This layer ensures that data sent from the application layer of one system can be read by the application layer of another, regardless of differences in data representation.

According to the ISA/IEC 62443-2-1 standard, a review of the CSMS should be triggered by any changes that affect the cybersecurity risk of the industrial automation and control system (IACS), such as new technical controls, organizational restructuring, or security incidents1. Budgeting is not a trigger for CSMS review, unless it impacts the cybersecurity risk level or the CSMS itself2. References: 1: ISA/IEC 62443-2-1:2010, Section 4.3.3.3 2: A Practical Approach to Adopting the IEC 62443 Standards, ISAGCA Blog3

 A recommended default rule for IACS firewalls is to block all traffic by default, and then allow only the necessary and authorized traffic based on the security policy and the zone and conduit model. This is also known as the principle of least privilege, which means granting the minimum access required for a legitimate purpose. Blocking all traffic by default provides a higher level of security and reduces the attack surface of the IACS network. The other choices are not recommended default rules for IACS firewalls, as they may expose the IACS network to unnecessary risks. Allowing all traffic by default would defeat the purpose of a firewall, as it would not filter any malicious or unwanted traffic. Allowing IACS devices to access the Internet would expose them to potential cyber threats, such as malware, phishing, or denial-of-service attacks. Allowing traffic directly from the IACS network to the enterprise network would bypass the demilitarized zone (DMZ), which is a buffer zone that isolates the IACS network from the enterprise network and hosts services that need to communicate between them. References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System training course1

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide2

Using the ISA/IEC 62443 Standard to Secure Your Control Systems3

 Access control is the process of granting or denying specific requests to obtain and use information and related information processing services. It is one of the foundational requirements (FRs) of the ISA/IEC 62443 standards for securing industrial automation and control systems (IACSs). According to the ISA/IEC 62443-3-3 standard, access control includes the following system requirements (SRs):

SR 1.1: Identification and authentication control

SR 1.2: Use control

SR 1.3: System integrity

SR 1.4: Data confidentiality

SR 1.5: Restricted data flow

SR 1.6: Timely response to events

SR 1.7: Resource availability

Among these SRs, the ones that are most related to the critical variables of account management and password strength are SR 1.1 and SR 1.2. SR 1.1 requires that the IACS shall provide the capability to uniquely identify and authenticate all users, processes, and devices that attempt to establish a logical connection to the system. This means that the IACS should have a robust account management system that can create, modify, delete, and monitor user accounts and their privileges. It also means that the IACS should enforce strong password policies that can prevent unauthorized access or compromise of user credentials. Password strength refers to the level of difficulty for an attacker to guess or crack a password. It depends on factors such as length, complexity, randomness, and uniqueness of the password.

SR 1.2 requires that the IACS shall provide the capability to enforce the use of logical connections in accordance with the security policy of the organization. This means that the IACS should have a mechanism to control the access rights and permissions of users, processes, and devices based on their roles, responsibilities, and needs. It also means that the IACS should have a mechanism to audit and log the activities and events related to access control, such as successful or failed login attempts, password changes, privilege escalations, or unauthorized actions.

Therefore, account management and password strength are the critical variables related to access control, as they directly affect the identification, authentication, and authorization of users, processes, and devices in the IACS.

Transport Layer Security (TLS) is the primary cryptographic protocol used to secure web-based communications such as HTTPS in web browsers.

From ISA/IEC 62443-3-3 (System Security Requirements and Security Levels), Annex B:

“TLS provides confidentiality, integrity, and authentication for communications over untrusted networks. It is commonly used to secure HTTPS, SMTP, and other application protocols.”

TLS superseded SSL and is the backbone of secure data transmission over the Internet.

Incorrect Options:

B. L2TP – Used for VPNs; not typically browser-related.

C. PPTP – An older VPN protocol, not used for browser encryption.

D. IPsec – Used to secure IP traffic at the network layer; not directly used in browser-based communication.

 Network security is important in IACS environments because PLCs, or programmable logic controllers, are devices that control physical processes and equipment in industrial settings. PLCs under cyber attack can have costly and dangerous impacts, such as disrupting production, damaging equipment, compromising safety, and harming the environment. Therefore, network security is essential to protect PLCs and other IACS components from unauthorized access, modification, or disruption. The other choices are not primary reasons why network security is important in IACS environments. PLCs are not inherently unreliable, but they can be affected by environmental factors, such as temperature, humidity, and electromagnetic interference. PLCs are programmed using ladder logic, which is a graphical programming language that resembles electrical schematics. PLCs use serial or Ethernet communications methods, depending on the type and age of the device, to communicate with other IACS components, such as human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCSs). References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System training course1

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide2

Using the ISA/IEC 62443 Standard to Secure Your Control Systems3

A demilitarized zone (DMZ) in network architecture provides indirect (controlled and monitored) access to the Internet or untrusted networks, usually by isolating publicly accessible services (like web servers) from internal control networks. This prevents direct exposure of sensitive IACS assets to external threats. While DMZs can support secure data transfer, their primary function is segmentation and indirect access.

 A router and a VPN can be employed as barrier devices in a segmented network. A barrier device is a device that controls the flow of traffic between different network segments, based on predefined rules and policies1. A router is a device that forwards packets between different networks, based on their IP addresses2. A router can act as a barrier device by applying access control lists (ACLs) or firewall rules to filter or block unwanted or malicious traffic2. A VPN is a technology that creates a secure and encrypted tunnel between different networks, such as a remote site and a corporate network3. A VPN can act as a barrier device by encrypting the traffic and authenticating the users or devices that access the network3. A VPN can also prevent unauthorized access or eavesdropping by outsiders3.

ISA/IEC TR 62443-1-5 describes how to create cybersecurity profiles tailored to specific sectors or applications. While the core structure of security requirements remains, modifications are allowed to align with sector-specific needs or regulatory requirements.

“Profiles can tailor existing security requirements to better fit sector-specific needs. Modification of requirement wording, priority, or applicability may be made in line with risk tolerance and context.”

— ISA/IEC TR 62443-1-5:2018, Clause 5.3 – Profile Customization

This enables flexibility while retaining consistency across profiles.

Datagram Transport Layer Security (DTLS) and Secure Sockets Layer (SSL) are both commonly used protocols for managing secure data transmission on the Internet. DTLS is a variant of SSL that is designed to work over datagram protocols such as UDP, which are used for real-time applications such as voice and video. SSL is a protocol that provides encryption, authentication, and integrity for data transmitted over TCP, which is used for reliable and ordered delivery of data. Both DTLS and SSL use certificates and asymmetric cryptography to establish a secure session between the communicating parties, and then use symmetric cryptography to encrypt the data exchanged. DTLS and SSL are widely used in web browsers, email clients, VPNs, and other applications that require secure communication over the Internet. References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System, Module 3: Introduction to Cryptography, pages 3-5 to 3-7

Using the ISA/IEC 62443 Standards to Secure Your Control System, Chapter 6: Securing Communications, pages 125-126

The ISA/IEC 62443 series is structured into logical groups to address different aspects of industrial cybersecurity. Historically, the series was organized into Parts 1 through 4, covering general concepts, management system requirements, system requirements, and component requirements. As the standard evolved, the need arose to address sector-specific and application-specific cybersecurity needs without modifying the core requirements.

To address this, ISA introduced the concept of cybersecurity profiles. These profiles allow industries (such as oil and gas, power, water, or manufacturing) to select and tailor existing ISA/IEC 62443 requirements for their specific operational context while preserving consistency with the base standard.

The Profiles Group is formally designated as ISA/IEC 62443-5-x. This numbering clearly distinguishes profiles from foundational requirements and ensures that:

No new security requirements are created

Existing requirements are selected, scoped, and referenced appropriately

Alignment with Parts 2, 3, and 4 is preserved

By allocating profiles to the 5-x series, ISA ensures modularity and prevents fragmentation of the standard. Profiles serve as an application layer over existing requirements, enabling consistent adoption across sectors without redefining core security controls.

Parts 3-x and 4-x remain dedicated to system and component requirements, while 6-x does not exist in the published structure for profiles. Therefore, 5-x is the correct and formally defined answer.

ISA/IEC 62443-2-5 provides requirements and guidance specifically for service providers (such as those delivering IACS-related managed services, maintenance, or cybersecurity services). While system integrators and asset owners use this guidance, its main audience is service providers, ensuring that their procedures align with cybersecurity best practices for IACS.

A control system, particularly in the context of IACS, is defined as a collection of hardware and software components used to monitor and control industrial processes. This includes PLCs, RTUs, SCADA software, HMIs, and communication networks.

“Control system: A set of hardware and software components that work together to monitor and control industrial or process operations.”

— ISA/IEC 62443-1-1:2007, Clause 3.3.5 – Terminology

While the other options describe security functions or consequences, only Option C accurately describes what a control system is.

A Local Area Network (LAN) is not a strategy for deploying a Wide Area Network (WAN). WAN deployment strategies include using the public Internet, private enterprise WANs, or carrier-managed WANs. LANs, by definition, serve local, not wide-area, connectivity. ISA/IEC 62443 standards refer to different strategies for extending network communications over broader geographic regions, but do not classify LAN as a WAN deployment option.

IACS stands for “Industrial Automation and Control Systems.” The ISA/IEC 62443 series defines IACS as systems used for industrial automation, process control, and related functions. These include systems such as Distributed Control Systems (DCS), SCADA systems, and PLCs. The term encompasses all electronic systems, networks, and equipment used to automate industrial processes.

Ethernet/IP is an industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. CIP is an object-oriented protocol that provides a unified communication architecture for various industrial automation applications, such as control, safety, security, energy, synchronization and motion, information and network management. CIP defines a set of messages and services for interacting with devices and data on the network, as well as a set of device profiles for consistent implementation of automation functions across different products. Ethernet/IP uses the transport and control protocols of standard Ethernet, such as TCP/IP and IEEE 802.3, to define the features and functions for its lower layers. Ethernet/IP also uses UDP to transport I/O messages and supports various network topologies, such as star, linear, ring and wireless. Ethernet/IP is one of the leading industrial protocols in the United States and is widely used in a range of industries, such as factory, hybrid and process. Ethernet/IP is managed by ODVA, Inc., a global trade and standards development organization. References:

EtherNet/IP - Wikipedia

EtherNet/IP | ODVA Technologies | Industrial Automation

The selection of countermeasures is driven by the output from a risk assessment, which identifies the risks and their associated likelihood and consequences for each zone and conduit in the industrial automation and control system (IACS). The risk assessment also determines the target security level (SL-T) for each zone and conduit, which represents the desired level of protection against the identified threats. The countermeasures are then selected based on the SL-T and the existing security level (SL-A) of the zone and conduit, as well as the cost and feasibility of implementation. The countermeasures should aim to reduce the risk to an acceptable level by increasing the SL-A to meet or exceed the SL-T. References: ISA/IEC 62443-3-2:2018 - Security risk assessment for system design, ISA/IEC 62443-3-3:2013 - System security requirements and security levels, ISA/IEC 62443 Cybersecurity Fundamentals Specialist Training Course

ISA/IEC 62443 defines zones and conduits as a core architectural concept for managing cybersecurity risk in IACS environments. During risk assessment, zones must be clearly separated based on risk, function, and criticality, not convenience.

Step 1: Definition of zones in ISA/IEC 62443

A zone is a grouping of assets that share similar security requirements and risk profiles. Business systems, safety-critical control systems, and wireless systems inherently have different threat exposures and consequences of compromise.

Step 2: Risk-based separation principle

ISA/IEC 62443-3-2 requires that risk assessments identify differences in impact and threat likelihood. Safety-critical zones typically require higher Security Levels due to potential impacts on human safety and the environment. Business zones, by contrast, tolerate different risk levels.

Step 3: Purpose of separation

Clear separation ensures that security requirements can be applied appropriately to each zone. It also limits the propagation of attacks from lower-criticality zones (such as business or wireless networks) into higher-criticality zones.

Step 4: Why other options are incorrect

Combining all zones ignores risk differentiation and violates the core zone concept.

Ignoring physical location is incorrect; while zones are logical, physical access and connectivity still matter in risk assessment.

Treating temporary connections as permanent safety assets distorts the risk model and security requirements.

Step 5: Outcome of proper zone management

By establishing clear separation based on criticality, asset owners can correctly assign Security Levels, define conduits, and apply appropriate technical and procedural controls.

Therefore, ISA/IEC 62443 requires clear separation between zones based on criticality during risk assessment.

The NIST Cybersecurity Framework (CSF) was developed to enhance the security and resilience of critical infrastructure in the United States by providing a flexible, repeatable, and cost-effective risk-based approach to managing cybersecurity risk. It is designed to complement, not replace, existing standards and guidelines, and is intended for voluntary adoption by critical infrastructure organizations.

In the NIST Cybersecurity Framework (CSF), “tiers” represent the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework (such as risk awareness, repeatability, and adaptability). Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe the organization's overall cybersecurity maturity or profile.

When using the security level (SL) vector approach in ISA/IEC 62443, each Foundational Requirement (FR) can have its own SL-T value. However, these values must reflect the organization’s specific risk assessment outcomes, not generic or industry default values.

“SL vectors should be derived based on the asset owner’s own risk matrix and risk tolerance, ensuring that the security levels support operational needs and business requirements.”

— ISA/IEC 62443-3-2:2020, Clause 6.5.2 – SL-T Vector Selection

Misalignment could lead to over- or under-protection of critical zones or conduits.

The Risk Analysis category contains background information that is used to identify and assess the risks associated with the cyber-physical system (CPS) under consideration. This information includes the system description, the threat model, the vulnerability analysis, the risk assessment method, and the risk acceptance criteria. The Risk Analysis category is used as an input for many other elements in the CSMS, such as the Risk ID, Risk Reduction, Risk Acceptance, and Risk Monitoring elements. The Risk Analysis category provides the basis for the risk management process and helps to ensure a consistent and systematic approach to cybersecurity in the CPS. References:

Using the ISA/IEC 62443 Standards to Secure Your Control System, page 13

[ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide], page 34

Application whitelisting (AWL) is a technique that allows only authorized applications to run on a system, and blocks any unauthorized or malicious code from executing. AWL is one of the most effective methods for preventing malware infections and reducing the attack surface of a system. AWL can be implemented at different levels, such as the operating system, the network, or the application itself. AWL is especially useful for industrial automation and control systems (IACS), which often run on legacy or proprietary platforms that are not compatible with traditional antivirus software or other security solutions. AWL can also help protect IACS from zero-day attacks, which exploit unknown vulnerabilities that have not been patched or detected by security vendors. AWL is recommended by the ISA/IEC 62443 standards as a key component of malicious code protection for IACS. According to the standards, AWL should be applied to all IACS components that support it, and should be configured and maintained according to the security policies and procedures of the organization. AWL should also be complemented by other security measures, such as network segmentation, zones and conduits, and patch management, to provide a defense-in-depth approach to IACS security. References:

ISA/IEC 62443-3-3:2013, System security requirements and security levels, Section 5.2.3.41

ISA/IEC 62443-2-1:2010, Establishing an industrial automation and control systems security program, Section 4.3.3.6.42

ISA/IEC 62443-4-2:2019, Technical security requirements for IACS components, Section 4.2.3.43

ISA/IEC 62443-3-2:2020, Security risk assessment for system design, Section 7.3.3.44

ISA/IEC 62443-4-1:2018, Product development requirements, Section 5.2.3.45

 The ISA/IEC 62443 standards are focused on industrial automation and control systems security. The assess phase within the ISA/IEC 62443 framework is designed to identify and analyze potential vulnerabilities in the industrial control system (ICS) environment. One of the key steps in this phase is the specification of cybersecurity requirements. Additionally, it involves the allocation of industrial automation and control system (IACS) assets to defined zones and conduits to manage and segregate the network and improve security. These measures help to ensure that security requirements are met and that the assets are protected according to their security needs. Therefore, the correct answer is B, which mentions both the cybersecurity requirements specification and the allocation of IACS assets to zones and conduits as part of the assess phase.

The ISA/IEC 62443 series of standards is divided into four main parts, each covering a different aspect of industrial automation and control systems (IACS) cybersecurity1:

Part 1: Terminology, Concepts, and Models

Part 2: Policies and Procedures

Part 3: System Requirements

Part 4: Component Requirements The part 4 of the series focuses on the requirements for the secure development and maintenance of products that are used in IACS, such as controllers, sensors, actuators, network devices, software applications, and cloud services. The part 4 consists of two standards1:

Separation of duties is a security principle that aims to prevent fraud, errors, conflicts of interest, or misuse of resources by dividing critical tasks or functions among different people or teams. It is one of the foundational requirements (FRs) of the ISA/IEC 62443 standards for securing industrial automation and control systems (IACSs). According to the ISA/IEC 62443-2-1 standard, separation of duties includes the following system requirements (SRs):

SR 2.1: Security management policy

SR 2.2: Personnel security

SR 2.3: System development and maintenance

SR 2.4: Incident response and recovery

SR 2.5: Compliance and review

Among these SRs, the one that is most related to the example of system development and maintenance is SR 2.3. SR 2.3 requires that the IACS shall provide the capability to ensure that the development and maintenance of the system and its components are performed in a secure manner. This means that the IACS should have a mechanism to control the access and authorization of developers, testers, integrators, and maintainers who work on the system and its components. It also means that the IACS should have a mechanism to verify and validate the quality and security of the system and its components before, during, and after the development and maintenance processes.

Therefore, an example of separation of duties as a part of system development and maintenance is that changes are approved by one party and implemented by another. This ensures that the changes are authorized, documented, and reviewed by someone who is not involved in the implementation. This reduces the risk of introducing errors, vulnerabilities, or malicious code into the system and its components.

The primary responsibility of the network layer of the Open Systems Interconnection (OSI) model is to forward packets, including routing through intermediate routers. The network layer is the third layer from the bottom of the OSI model, and it is responsible for maintaining the quality of the data and passing and transmitting it from its source to its destination. The network layer also assigns logical addresses to devices, such as IP addresses, and uses various routing algorithms to determine the best path for the packets to travel. The network layer operates on packets, which are units of data that contain the source and destination addresses, as well as the payload. The network layer forwards packets from one node to another, using routers to switch packets between different networks. The network layer also handles host-to-host delivery, which means that it ensures that the packets reach the correct destination host.

The other choices are not correct because:

B. Gives transparent transfer of data between end users. This is the responsibility of the transport layer, which is the fourth layer from the bottom of the OSI model. The transport layer provides reliable and error-free data transfer between end users, using protocols such as TCP and UDP. The transport layer operates on segments, which are units of data that contain the source and destination port numbers, as well as the payload. The transport layer also handles flow control, congestion control, and multiplexing.

C. Provides the rules for framing, converting electrical signals to data. This is the responsibility of the data link layer, which is the second layer from the bottom of the OSI model. The data link layer provides the means for transferring data between adjacent nodes on a network, using protocols such as Ethernet and WiFi. The data link layer operates on frames, which are units of data that contain the source and destination MAC addresses, as well as the payload. The data link layer also handles error detection, error correction, and media access control.

D. Handles the physics of getting a message from one device to another. This is the responsibility of the physical layer, which is the lowest layer of the OSI model. The physical layer provides the means for transmitting bits over a physical medium, such as copper wire, fiber optic cable, or radio waves. The physical layer operates on bits, which are the smallest units of data that can be either 0 or 1. The physical layer also handles modulation, demodulation, encoding, decoding, and synchronization.

 According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, establishing policy, organization, and awareness is one of the four steps of the IACS cybersecurity lifecycle. This step involves defining the cybersecurity policies, roles, and responsibilities, as well as communicating them to the relevant stakeholders. It also involves establishing the risk tolerance level, which is the acceptable level of risk for the organization. Communicating policies and establishing the risk tolerance are both activities that are part of this step. Identifying detailed vulnerabilities and implementing countermeasures are activities that belong to the next steps of the lifecycle, which are assessing the current situation and implementing the cybersecurity program, respectively. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, Module 2: IACS Cybersecurity Lifecycle1

ISA/IEC 62443 is explicitly lifecycle-based, requiring cybersecurity considerations to be integrated across all phases of an automation solution’s lifecycle. This includes concept, design, implementation, verification, operation, maintenance, and decommissioning.

Step 1: Lifecycle philosophy of ISA/IEC 62443

The standard recognizes that cybersecurity risks emerge and evolve throughout the system lifecycle. Addressing security in only one phase leaves gaps that attackers can exploit.

Step 2: Design and implementation are not sufficient

While secure architecture and configuration are critical, they must be supported by secure development practices, verification, operational procedures, incident response, patching, and change management.

Step 3: Operational importance

Many cybersecurity failures occur during operation due to poor maintenance, weak access control, or unmanaged changes. ISA/IEC 62443-2-1 and 3-3 explicitly address these phases.

Step 4: End-of-life considerations

Decommissioning must also be planned to ensure data, credentials, and access paths are securely removed.

Because the standard spans management (2-x), system (3-x), and component (4-x) requirements across the lifecycle, all phases must be integrated.

In the ISA/IEC 62443 framework, Security Levels (SLs) are categorized into three distinct types:

Target SL (SL-T) – The security level required based on risk assessment

Capability SL (SL-C) – The level a component or system can support

Achieved SL (SL-A) – The level actually implemented in the system

“Three types of security levels are defined:

Target (SL-T): derived from risk analysis

Capability (SL-C): supported by the product or system

Achieved (SL-A): implemented and operational in the environment”

— ISA/IEC 62443-1-1:2007, Clause 3.2.4 and Table 3

This classification supports gap analysis and helps asset owners ensure their system meets both required and feasible security levels.

ISO/IEC 15408, also known as the Common Criteria for Information Technology Security Evaluation, is an international standard that provides a framework for evaluating the security of IT products and systems. The purpose of the standard is to define a common set of requirements for the security functions and assurance measures of IT products and systems, and to establish a common methodology for conducting security evaluations. The standard allows users to specify their security needs and expectations in a Security Target (ST), which may be based on one or more Protection Profiles (PPs) that define security requirements for a class of products or systems. Vendors can then implement or claim compliance with the ST or PPs, and have their products or systems evaluated by independent testing laboratories against the security criteria defined in the standard. The standard also defines a scale of Evaluation Assurance Levels (EALs) that indicate the degree of confidence in the security of the evaluated product or system. The standard is intended to facilitate the development, procurement, and use of secure IT products and systems, and to promote the recognition and acceptance of evaluation results across different countries and regions. References:

ISO/IEC 15408-1:2009 - Common Criteria Evaluation for IT Security - Nemko1

Common Criteria - Wikipedia2

ISO/IEC Standard 15408 — ENISA3

One of the trends that has increased the security risks for industrial automation and control systems (IACS) is the integration of these systems with business and enterprise systems, such as enterprise resource planning (ERP), manufacturing execution systems (MES), and supervisory control and data acquisition (SCADA). This integration exposes the IACS to the same threats and vulnerabilities that affect the business and enterprise systems, such as malware, denial-of-service attacks, unauthorized access, and data theft. Moreover, the integration also creates new attack vectors and pathways for adversaries to compromise the IACS, such as through remote access, wireless networks, or third-party devices. Therefore, the integration of IACS with business and enterprise systems is a trend that has caused a significant percentage of security vulnerabilities. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 1-2.

A Process Hazard Analysis (PHA) is a systematic method of identifying and evaluating the potential hazards associated with an industrial process. A PHA can help to identify the sources of cyber threats, the consequences of cyber incidents, and the existing safeguards and mitigation measures. A PHA is most frequently used as an input to a security risk assessment because it provides a comprehensive and structured overview of the process and its risks, which can then be used to determine the security level targets and security countermeasures for the industrial automation and control system (IACS). A PHA can also help to align the security objectives with the safety objectives of the process, and to ensure that the security measures do not compromise the safety or operability of the process. References:

ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 10

Using the ISA/IEC 62443 Standard to Secure Your Control System, page 17

An asymmetric key is a feature of asymmetric cryptography, also known as public-key cryptography, which is a method of encrypting and decrypting data using two different keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner. The public key and the private key are mathematically related, but it is computationally infeasible to derive one from the other. Asymmetric cryptography can be used for various purposes, such as digital signatures, key exchange, and encryption. For example, if Alice wants to send a message to Bob, she can use Bob’s public key to encrypt the message, and only Bob can decrypt it using his private key. Alternatively, if Bob wants to prove that he is the author of a message, he can use his private key to sign the message, and anyone can verify it using his public key. Asymmetric cryptography has some advantages over symmetric cryptography, which uses the same key for both encryption and decryption. For instance, asymmetric cryptography does not require a secure channel to distribute the keys, and it can provide non-repudiation and authentication. However, asymmetric cryptography also has some drawbacks, such as higher computational complexity, larger key sizes, and higher network overhead.

OPC Unified Architecture (OPC UA) introduces a browsable namespace that supports hierarchical organization of data including folders, classes, methods, and object types. This is critical for structured access to real-time and historical data across heterogeneous control systems.

“OPC UA provides a flexible, secure, and platform-independent mechanism for exchanging information. Its browsable namespace allows structured navigation of nodes, types, and attributes in a hierarchical format.”

— OPC UA Specification, Part 3 – Address Space Model

This is a key improvement over OPC Classic, which was tightly coupled to DCOM and lacked standardized structures across systems.

The reference model provides the overall conceptual basis in the design of an appropriate security program. It defines the common terminology, concepts, and models that can be used by all stakeholders responsible for IACS security. The reference model describes the general characteristics of IACS, the typical threats and vulnerabilities, the security lifecycle phases, and the security levels. The reference model also introduces the concepts of zones and conduits, which are used to group and isolate assets with similar security requirements and to control the communication between them. References https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/IoT_Security_Lab/IEC62443_WP.pdf

https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/IoT_Security_Lab/IEC62443_WP.pdf

Foundational Requirement 6 (FR 6), Timely Response to Events (TRE), as described in ISA/IEC 62443-3-3, requires that the system detect and respond to security-relevant events, including notifying the proper authority or personnel about security violations in a timely manner. This enables rapid incident response, containment, and recovery actions, all of which are critical to minimizing damage.