Pass the ISA Cybersecurity ISA-IEC-62443 Questions and answers with CertsForce

Maintenance service activities typically begin after the system is deployed and handed over to the asset owner. This is aligned with the Operation and Maintenance phase of the IACS lifecycle.

“Maintenance service providers typically become responsible for cybersecurity-related activities after the asset owner takes ownership of the system, following handover.”

— ISA/IEC 62443-2-4:2015, Clause 4.2.3 – Transition and Handover

Prior to handover, integrators and product suppliers manage the system. Maintenance providers take over only post-commissioning.

Ethernet/IP is an industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. CIP is an object-oriented protocol that provides a unified communication architecture for various industrial automation applications, such as control, safety, security, energy, synchronization and motion, information and network management. CIP defines a set of messages and services for interacting with devices and data on the network, as well as a set of device profiles for consistent implementation of automation functions across different products. Ethernet/IP uses the transport and control protocols of standard Ethernet, such as TCP/IP and IEEE 802.3, to define the features and functions for its lower layers. Ethernet/IP also uses UDP to transport I/O messages and supports various network topologies, such as star, linear, ring and wireless. Ethernet/IP is one of the leading industrial protocols in the United States and is widely used in a range of industries, such as factory, hybrid and process. Ethernet/IP is managed by ODVA, Inc., a global trade and standards development organization. References:

EtherNet/IP - Wikipedia

EtherNet/IP | ODVA Technologies | Industrial Automation

According to the ISA/IEC 62443 standards, the level of risk an organization is willing to tolerate is determined by the management, as they are responsible for defining the business and risk objectives, as well as the security policies and procedures for the organization. The management also has the authority to allocate the necessary resources and assign the roles and responsibilities for implementing and maintaining the security program. The legal, operations, and safety departments may provide input and feedback to the management, but they do not have the final say in determining the risk tolerance level. References: ISA/IEC 62443-2-1:2010 - Establishing an industrial automation and control systems security program, section 4.2.1.

ISA/IEC 62443 references OPC technologies as common industrial communication mechanisms that must be secured appropriately. OPC Unified Architecture (OPC UA) was designed specifically to overcome the limitations of OPC Classic while improving interoperability and security.

Step 1: Need for structured data modeling

Modern IACS environments require standardized, vendor-neutral data exchange across heterogeneous devices. OPC UA introduces a browsable namespace that organizes data into objects, folders, variables, methods, and relationships.

Step 2: Alignment with security and architecture goals

The browsable namespace enables consistent access control, integrity protection, and secure session management, aligning with ISA/IEC 62443 principles of controlled data flow and least privilege.

Step 3: Why other options are incorrect

OPC tunneling addresses connectivity, not data modeling.

DCOM-based firewalls relate to legacy OPC Classic.

OLE/COM technologies lack platform independence and modern security features.

Thus, OPC UA’s browsable namespace is the correct feature.

Foundational Requirement 1 (FR 1) in the ISA/IEC 62443 series is titled “Identification and Authentication Control (IAC)”. Its purpose is to control access to selected devices by ensuring that only authenticated and authorized users or systems can interact with critical IACS components.

“FR 1 – Identification and Authentication Control (IAC): This foundational requirement ensures that all users and components interacting with the system are uniquely identified and authenticated before access is granted.”

— ISA/IEC 62443-3-3:2013, Clause 4.2.1 – FR 1

This foundational layer supports higher-level security goals like use control, confidentiality, and system integrity.

API 1164 is an industry sector-specific standard that provides guidance on the cybersecurity of pipeline supervisory control and data acquisition (SCADA) systems. API stands for American Petroleum Institute, which is the largest U.S. trade association for the oil and natural gas industry. API 1164 was first published in 2004 and revised in 2009 and 2021. The latest version of the standard aligns with the ISA/IEC 62443 series of standards and incorporates the concepts of security levels, zones, and conduits. API 1164 covers the security lifecycle of pipeline SCADA systems, from risk assessment and policy development to implementation and maintenance. The standard also defines roles and responsibilities, security requirements, security controls, and security assessment methods for pipeline SCADA systems.

Asymmetric (public) key algorithms are a type of cryptographic algorithms that require more than one key. Asymmetric key algorithms use a pair of keys, one for encryption and one for decryption, that are mathematically related but not identical1. The encryption key is usually made public, while the decryption key is kept private. This allows anyone to encrypt a message using the public key, but only the intended recipient can decrypt it using the private key1. Asymmetric key algorithms are also known as public key algorithms or public key cryptography1. Asymmetric key algorithms are used for various purposes, such as digital signatures, key exchange, and encryption2. Some examples of asymmetric key algorithms are RSA, Diffie-Hellman, ElGamal, and Elliptic Curve Cryptography2.

The four documents classified under the General category of ISA/IEC 62443 are:

Part 1-1: Terminology, concepts, and models

Part 1-2: Master glossary of terms and definitions

Part 1-3: System security conformance metrics