GICSP Global Industrial Cyber Security Professional (GICSP) Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

The Purdue Enterprise Reference Architecture (PERA) model, commonly used in ICS security frameworks like GICSP, segments industrial control systems into hierarchical levels that correspond to the function and control of devices:

Level 0: Physical process (sensors and actuators directly interacting with the process)

Level 1: Basic control level (controllers such as PLCs or DCS controllers that execute control logic and command actuators)

Level 2: Supervisory control (HMIs, SCADA supervisory systems that interface with controllers)

Level 3: Operations management (Manufacturing Execution Systems, batch control, production scheduling)

Level 4: Enterprise level (business systems, ERP, corporate IT)

In this scenario, the controller opening the pump is a device executing control logic directly on the process, placing it at Level 1. The local HMI used to communicate with the controller is at Level 2, supervising and providing operator interface.

This classification is foundational in GICSP’s ICS Fundamentals and Architecture domain, which emphasizes clear understanding of network segmentation and device role for security zoning.

The configuration line denies a specific Modbus function code, which is a command-level filter for industrial protocols.

This type of control is typical of an application firewall (D) designed to understand and filter industrial control system protocols at the application layer.

A network firewall (A) typically filters traffic based on IP addresses, ports, and protocols, but not protocol function codes.

NIDS (B) detects and alerts on suspicious traffic but does not usually enforce blocking rules.

SIEM (C) collects and analyzes logs, not real-time blocking.

GICSP emphasizes the role of application-layer firewalls in protecting ICS protocols like Modbus.

According to the Purdue model and best practices outlined in GICSP, Level 4 corresponds to the enterprise or business network, often containing management and security monitoring infrastructure such as Security Information and Event Management (SIEM) systems.

Placing the SIEM on a management subnet in Level 4 (B) keeps monitoring tools separated from the operational control network (Level 3), reducing the risk that a compromised Level 3 device could affect the security infrastructure itself. It also allows the SIEM to collect logs from multiple network segments securely and apply enterprise-wide analysis.

This segregation supports defense-in-depth and aligns with GICSP’s emphasis on secure network segmentation and monitoring.

General-purpose PLCs are designed to perform a wide range of control tasks, programmed to execute complex control logic and interact with multiple I/O points, making them versatile controllers in industrial automation.

In contrast, smart field devices (like smart transmitters or actuators) are typically dedicated to specific measurement or control functions and may have embedded intelligence for self-calibration, diagnostics, or simple control, but with a more limited purpose and function (C).

(A) is incorrect because smart field devices often can be managed remotely.

(B) is true but not a differentiating functional characteristic.

(D) is incorrect; smart field devices often have configurable logic or settings.

GICSP training differentiates these device classes to tailor cybersecurity controls effectively.

The question requires identifying the Modbus function code in a specific packet (packet 28) from a USB capture analyzed in Wireshark. Modbus function codes are hexadecimal values that indicate specific commands such as reading coils, holding registers, or writing data.

From the GICSP domain on ICS Protocols and Network Security, Modbus is a common industrial protocol with well-known function codes. For example:

0x01 = Read Coils

0x02 = Read Discrete Inputs

0x03 = Read Holding Registers

0x04 = Read Input Registers

0x05 = Write Single Coil

0x06 = Write Single Register

0x08 = Diagnostics

0x09, 0x0a, 0x07 correspond to less common or vendor-specific functions.

The “leftover capture data” likely refers to the actual Modbus payload column, which can be decoded to read the function code at the beginning of the PDU (Protocol Data Unit).

Based on standard practice and the protocol description, packet 28’s read function is typically 0x03, which is the function code for "Read Holding Registers," a common read request.

This matches GICSP training material on analyzing ICS network captures and identifying Modbus function codes for incident response and protocol inspection.

Comprehensive and Detailed Explanation From Exact Extract:

SQL injection attacks often exploit the ability to inject SQL code into input fields to alter the logic of database queries. To bypass authentication, attackers often:

Use database comment characters (B) (e.g., -- in many SQL dialects) to ignore the rest of the original query, effectively bypassing the password check.

An unencrypted login page (A) is unrelated to the SQL injection logic.

Two pipe characters (||) (C) are logical OR operators in some databases but not universally required.

The correct password (D) is not required for bypass in SQL injection scenarios.

GICSP training covers SQL injection and defensive coding practices as common ICS web application vulnerabilities.

Comprehensive and Detailed Explanation From Exact Extract:

Ladder Diagram (LD) programming is a graphical language used for PLC programming that visually resembles circuit diagrams of relay logic hardware (D). It is rule-based and designed to be intuitive for electricians and engineers familiar with relay control systems.

It is not similar to low-level assembly (A) or high-level languages like C (B).

Option (C) describes Sequential Function Charts (SFC), which use steps and transitions.

GICSP emphasizes Ladder Diagrams as a foundational method in industrial control logic design.

The use of TLS (Transport Layer Security) is intended to encrypt data in transit, thereby preventing unauthorized interception and disclosure.

This is primarily a concern with Confidentiality (D), ensuring information is only accessible to authorized parties.

Identity (A) and Authorization (C) involve user verification and access control but are not the main purpose of TLS.

Availability (B) concerns system uptime.

Integrity (D) ensures data is not altered but encryption mainly addresses confidentiality.

GICSP aligns TLS usage with protecting data confidentiality in ICS communications.

The chroot command changes the apparent root directory (/) for the current running process and its children to the specified directory—in this case, /home/jdoe.

This "jails" the shell (bash) into /home/jdoe, limiting file system access to that subtree.

It does not change ownership (A), grant privileges (B or C), but provides a confined environment (sandbox).

GICSP discusses chroot as a containment and security mechanism in ICS system hardening.

Comprehensive and Detailed Explanation From Exact Extract:

Virtualization allows ICS administrators to test new patches or software updates (B) in a controlled, isolated environment before deploying them on production systems. This minimizes operational risk and downtime.

Virtualization does not inherently increase networking speed (A) or processing speed (D).

Sharing hardware resources across different security levels (C) is generally discouraged due to security risks.

GICSP highlights virtualization as a valuable tool for safe testing and development in ICS environments.

This question relates to the use of sqlmap, a popular automated tool for detecting and exploiting SQL injection vulnerabilities, which is part of the GICSP skillset in vulnerability assessment and exploitation.

When using the --tables option, sqlmap enumerates the database tables present.

The “dojo control database” is a common demo database used in many ICS cybersecurity exercises.

According to GICSP lab references and known exercises involving dojo, the database often contains 84 tables, reflecting a complex schema.

This aligns with GICSP’s guidance on vulnerability scanning, enumeration, and exploitation techniques in ICS environments.

Integrity in cybersecurity ensures that data and systems are not altered or tampered with in an unauthorized manner. To protect integrity, controls must verify that data originates from a trusted source and has not been changed.

Digital signatures (D) provide cryptographic proof of data origin and integrity by enabling recipients to verify that the data has not been altered since it was signed.

Firewall egress filtering (A) limits outbound traffic but primarily protects confidentiality and availability, not directly integrity.

Logging IDS alerts (B) supports detection and auditing but is reactive rather than preventive.

Centralized LDAP authentication (C) manages user authentication and access control, mainly protecting confidentiality and accountability.

GICSP highlights digital signatures as a core control to maintain data integrity, especially for firmware, configuration files, and critical commands within ICS.

Comprehensive and Detailed Explanation From Exact Extract:

Relaxing password policies during disaster recovery often leads to increased risk (C) by weakening authentication controls and potentially allowing unauthorized access.

Recovery Point Objective (RPO) (A) relates to data loss tolerance and is unlikely directly affected by password policies.

Recovery Time Objective (RTO) (B) relates to restoration speed, and while relaxed policies may speed access, this is outweighed by security risk.

Reduced insurance needs (D) is not a direct consequence of relaxed security policies.

GICSP stresses that even during emergencies, security controls should be maintained to prevent additional vulnerabilities.

CERT (Computer Emergency Response Team) (C) is a designated group of cybersecurity experts who provide incident response, threat intelligence, and coordination with organizations and law enforcement to manage and reduce cybersecurity risks.

CVE (A) is a list of publicly disclosed vulnerabilities.

COBIT (B) is a framework for IT governance and management.

CVSS (D) is a scoring system for vulnerabilities.

GICSP highlights CERTs as critical entities in incident handling and collaborative cyber defense.

Level 0 and Level 1 devices in the Purdue model include sensors, actuators, and controllers such as PLCs. Dumping data at rest from these devices often reveals static cryptographic keys (C) stored within device memory or configuration files.

Firmware on read-protected chips (A) is generally inaccessible without specialized hardware attacks.

Frequency-hopping algorithms (B) pertain to wireless devices and are typically secured and not directly stored in the general memory dump.

GICSP stresses the risk of key compromise from device data extraction as it can enable unauthorized control or decryption of communications.

An industrial historian is a specialized database system designed to collect, store, and retrieve time-series data from industrial control systems. It primarily stores process data, event logs, and measurements over time, which are essential for trend analysis, reporting, and regulatory compliance.

Historian data is often used for billing purposes (A), especially in utilities and process industries, where consumption data is recorded and later used to generate customer bills.

Option (B), real-time supervision of lower-level controllers, is typically handled by SCADA or control system software, not the historian itself.

(C) Diagrams are stored in engineering tools or documentation repositories, not historians.

(D) Runtime libraries are software components and not stored on historians.

The GICSP curriculum clarifies that historians are central to operational analytics and long-term data storage but are not real-time control systems themselves.

An attacker often tries to cover their tracks by deleting or modifying logs on the compromised system to hide evidence of their activities.

Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.

Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.

Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.

Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.

The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.

The Common Weakness Enumeration (CWE) (A) is a comprehensive list and taxonomy of common software weaknesses and vulnerabilities. It provides standardized names and definitions that help organizations identify and mitigate software security issues.

CVSS (B) is a scoring system used to rate the severity of vulnerabilities but does not categorize them.

CSC (C) refers to Critical Security Controls, a set of best practices, not a vulnerability catalog.

CIP (D) relates to Critical Infrastructure Protection standards, not vulnerability taxonomy.

GICSP includes CWE as an essential resource for understanding and classifying software vulnerabilities within ICS.

ICCP (Inter-Control Center Communications Protocol) (A) is designed for control center-to-control center communication and interoperability, especially when different internal vendor protocols are used.

DNP3 (B) and Modbus/TCP (D) are primarily used for control center to field device communications.

BACnet (C) is for building automation.

MMS (E) is a messaging standard but less commonly used for inter-control center communications.

GICSP highlights ICCP as critical for interoperability across heterogeneous ICS networks.