GICSP Global Industrial Cyber Security Professional (GICSP) Questions and Answers

Within the GICSP domain covering ICS Protocol Analysis and Incident Response, analyzing packet captures (PCAPs) is a critical skill. Modbus traffic can be observed to detect malicious activity such as unauthorized writes to registers.

The “write single register” command corresponds to Modbus function code 0x06.

By filtering Modbus packets in Wireshark and identifying the function codes, the analyst can pinpoint the exact packet where the first attempt to overwrite occurs.

Packet 72 typically corresponds to this first write operation in the “hickory.pcap” capture used in GICSP labs, as verified in official training capture examples.

This confirms the attacker’s transition from reconnaissance (read commands) to active manipulation attempts, a key red flag in industrial cybersecurity.

Comprehensive and Detailed Explanation From Exact Extract:

In Purdue Level 3, which typically houses operations management systems and network devices, best practices for retrofitting security devices include placing those devices on their own subnet (B). This segmentation:

Limits broadcast domains and reduces unnecessary traffic

Enables easier management of security policies specific to cybersecurity devices

Provides isolation that helps protect security devices from general network traffic and potential attacks

Adding a firewall (A) is useful but does not replace subnet segregation. Moving devices to a DMZ (C) is typically reserved for systems that bridge between enterprise and ICS networks (often at Purdue Level 3 to Level 4 boundaries), not internal device placement within Level 3.

This approach is emphasized in GICSP’s ICS Security Architecture & Network Segmentation domain as a fundamental network design principle.

An Ethernet switch (C) is a network device that learns the MAC addresses of connected devices and forwards packets only to the port associated with the destination node, reducing unnecessary traffic and improving security and efficiency.

An Ethernet hub (A) broadcasts incoming packets to all ports, not selectively.

A wireless access point (B) broadcasts signals to multiple wireless clients within range.

A wireless bridge (D) connects two network segments wirelessly but forwards traffic according to device types, not necessarily selectively to single nodes.

GICSP’s ICS network segmentation and architecture domain underline the use of switches to limit broadcast traffic and reduce attack surfaces.

Comprehensive and Detailed Explanation From Exact Extract:

LDAP (Lightweight Directory Access Protocol) is used to manage authentication and authorization services, controlling user access to systems and resources.

This function aligns with the Protect function (A) of the NIST Cybersecurity Framework (CSF), which focuses on access control, identity management, and protective technology to safeguard systems.

Identify (B) relates to asset management and risk assessment.

Respond (C) deals with incident response.

Detect (D) relates to discovering cybersecurity events.

GICSP maps LDAP implementation as a key protective control to ensure authorized access in ICS environments.

Comprehensive and Detailed Explanation From Exact Extract:

This is a classic description of a buffer overflow attack (B), where an attacker inputs excessive data into a field to overwrite memory and inject commands, potentially gaining unauthorized access.

(A) Man-in-the-Middle intercepts communications but doesn’t involve input fields directly.

(C) Cross-site scripting involves injecting malicious scripts into web pages viewed by other users.

(D) Fuzzing is a testing technique, not an attack that grants access.

GICSP highlights buffer overflows as a critical vulnerability affecting ICS software and web interfaces.

Integrity in cybersecurity ensures that data and systems are not altered or tampered with in an unauthorized manner. To protect integrity, controls must verify that data originates from a trusted source and has not been changed.

Digital signatures (D) provide cryptographic proof of data origin and integrity by enabling recipients to verify that the data has not been altered since it was signed.

Firewall egress filtering (A) limits outbound traffic but primarily protects confidentiality and availability, not directly integrity.

Logging IDS alerts (B) supports detection and auditing but is reactive rather than preventive.

Centralized LDAP authentication (C) manages user authentication and access control, mainly protecting confidentiality and accountability.

GICSP highlights digital signatures as a core control to maintain data integrity, especially for firmware, configuration files, and critical commands within ICS.

The diagram shows multiple subnets/zones (Levels 0-3) connected via routers and switches. To enforce traffic flow policies between these zones/subnets, the router should implement Access Control Lists (ACLs) (B).

ACLs can:

Filter traffic between subnets based on IP addresses, ports, and protocols

Enforce security boundaries as per ICS segmentation principles

(A) MAC-based port security controls device-level access but is less effective for inter-subnet traffic control.

(C) Secure Shell (SSH) is for secure device management, not traffic control.

(D) 802.1x provides port-based network access control but is less relevant for routing traffic between subnets.

GICSP highlights ACLs as fundamental tools for network segmentation enforcement in ICS.

CERT (Computer Emergency Response Team) (C) is a designated group of cybersecurity experts who provide incident response, threat intelligence, and coordination with organizations and law enforcement to manage and reduce cybersecurity risks.

CVE (A) is a list of publicly disclosed vulnerabilities.

COBIT (B) is a framework for IT governance and management.

CVSS (D) is a scoring system for vulnerabilities.

GICSP highlights CERTs as critical entities in incident handling and collaborative cyber defense.

The configuration line denies a specific Modbus function code, which is a command-level filter for industrial protocols.

This type of control is typical of an application firewall (D) designed to understand and filter industrial control system protocols at the application layer.

A network firewall (A) typically filters traffic based on IP addresses, ports, and protocols, but not protocol function codes.

NIDS (B) detects and alerts on suspicious traffic but does not usually enforce blocking rules.

SIEM (C) collects and analyzes logs, not real-time blocking.

GICSP emphasizes the role of application-layer firewalls in protecting ICS protocols like Modbus.

The host with IP 10.10.4.11 in the network diagram is labeled as the Historian Server. ICS historians are specialized databases designed to collect and store process data from control systems over time for analysis, reporting, and feedback to control processes.

10.10.31.217 is a Microsoft Access Workstation (not a database server).

10.10.4.123 represents NTP servers (time servers), not data storage.

10.10.4.239 is an Engineering Workstation.

10.103.17 is an SQL Server, but per the diagram it is outside the ICS network in a different subnet related to public or enterprise servers.

Thus, 10.10.4.11 (A) is the host intended to store ICS process data.

The Respond function of the NIST Cybersecurity Framework (CSF) focuses on activities to contain, mitigate, and eradicate incidents once detected.

Performing forensic analysis and eradicating malware (B) falls clearly within the Respond function.

(A) Discovering malicious activity is part of the Detect function.

(C) Restoring from backup is part of the Recover function.

(D) Limiting user access is a Preventive control under the Protect function.

GICSP training maps ICS security activities to the NIST CSF to guide structured incident response.

The DHS (Department of Homeland Security) patch decision tree provides a systematic approach for patch management in ICS environments, balancing security and operational availability.

When a vulnerability is identified and a patch is available, but no workaround exists, the recommended next step is to test and apply the patch (C). This ensures that the system is protected as quickly as possible while verifying that the patch does not disrupt critical ICS operations.

(A) Identifying if the vulnerability affects the ICS typically comes earlier in the decision tree.

(B) Evaluating operational needs versus risk is part of risk management but comes after confirming patch availability.

(D) Identifying the vulnerability and patch is a prerequisite step.

This approach aligns with GICSP’s emphasis on structured patch management and testing before deployment in critical environments.

A Guideline (A) provides general recommendations and best practices without mandatory requirements or detailed instructions.

Procedures (B) are step-by-step instructions for specific tasks.

Standards (C) specify mandatory requirements, often with measurable criteria.

Policies (D) establish high-level organizational directives and rules.

Martin’s document provides general, non-mandatory advice applicable broadly, fitting the definition of a guideline.

The chroot command changes the apparent root directory (/) for the current running process and its children to the specified directory—in this case, /home/jdoe.

This "jails" the shell (bash) into /home/jdoe, limiting file system access to that subtree.

It does not change ownership (A), grant privileges (B or C), but provides a confined environment (sandbox).

GICSP discusses chroot as a containment and security mechanism in ICS system hardening.

Comprehensive and Detailed Explanation From Exact Extract:

The URL indicates a command to disconnect a sensor on an HMI interface, likely part of a Cross-Site Request Forgery (CSRF) or similar web-based attack.

For such an attack to succeed, the user must be authenticated to the HMI interface before clicking the link (C), so that the request is executed with valid session privileges.

(A) Obtaining a session cookie would help but is not strictly necessary if the user is already authenticated.

(B) User administrative rights may not be necessary depending on HMI design, but authentication is essential.

(D) URL parameters generally don’t require script tags unless exploiting Cross-Site Scripting (XSS).

GICSP emphasizes authentication and session management as critical controls to mitigate web-based attacks on ICS interfaces.

Comprehensive and Detailed Explanation From Exact Extract:

A Business Impact Analysis (BIA) primarily produces a prioritization of the business’s processes (B) based on their criticality and impact on organizational goals.

While BIAs help understand downtime tolerance (A) and financial impacts (C), prioritization is the core output guiding recovery efforts.

Understanding technology functions (D) is part of broader asset and risk management but not the primary BIA output.

GICSP highlights BIA as essential for aligning ICS recovery priorities with business needs.

A keyed lock is a delaying control (D) because it physically slows down or impedes unauthorized access to a facility, giving security personnel more time to respond.

Avoidant controls (A) prevent risk by eliminating it.

Responsive controls (B) act after an incident occurs.

Corrective controls (C) fix or restore systems after an incident.

GICSP emphasizes physical delaying controls as part of defense-in-depth strategies.

Comprehensive and Detailed Explanation From Exact Extract:

Microsoft Endpoint Configuration Manager (MECM) provides advanced features compared to Windows Server Update Services (WSUS), including:

Integrated hardware and software inventory control (A), enabling administrators to track detailed system configurations and installed applications across endpoints.

WSUS primarily focuses on patch deployment and update management without comprehensive inventory capabilities.

MECM’s enhanced management capabilities justify its greater resource use and complexity, making it more suitable for enterprise-scale patching and asset management in ICS environments.

Comprehensive and Detailed Explanation From Exact Extract:

The grep command (C) is a powerful and widely used Linux utility for searching text or data patterns within files and returning matching lines to the screen. It supports regular expressions, making it flexible for complex searches.

type (A) displays the kind of command (shell builtin, file, alias).

cat (B) outputs entire file contents but does not search.

tail (D) shows the last lines of a file but also does not perform searches.

In ICS security and forensic investigations (covered in GICSP), grep is essential for quickly finding relevant log entries or configuration data.