Review Questions for Chapter 5
1. In ANSI/ISA-99.00.01-2007, a “potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm,” is which of the following?
a. Threat
b. Vulnerability
c. Weakness
d. Risk
Answer: a
2. The “expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular consequence” is which of the following?
a. Consequence
b. Threat source
c. Weakness
d. Risk
Answer: d
3. The program and supporting processes to manage information security risk to organizational operations (i.e., mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation are defined as which of the following?
a. Risk assessment
b. Risk management
c. Risk mitigation
d. Risk association
Answer: b
4. Which of the following is considered an asset in risk management?
a. Computer hardware
b. A control system
c. A professional with unique knowledge
d. All of the above
Answer: d
5. The ANSI/ISA-99.02.01-2009 Cybersecurity Management System (CSMS) comprises which of the following three main categories?
a. Risk analysis, addressing the risk, and monitoring and improving the CSMS
b. Risk mitigation, addressing the risk, and monitoring and improving the CSMS
c. Risk analysis, addressing the risk, and monitoring and improving the automation system
d. Risk analysis, eliminating the risk, and monitoring and improving the CSMS
Answer: a
6. In the CSMS, a business rationale is established. Which of the following is NOT one of the elements of the business rationale?
a. Establishing a basis for securing the industrial automation and control system
b. Obtaining management support for securing automation systems
c. Identifying and understanding the consequences of a successful attack on automation systems
d. Confirmation of the value of the automation system
Answer: d
7. The risk identification, classification, and assessment activities of the CSMS do NOT include which of the following?
a. Conduct a high-level risk assessment
b. Develop simple network diagrams
c. Mitigate the risk
d. Perform a detailed vulnerability assessment
Answer: c
8. Which of the following is NOT one of the areas included in “Addressing risk with the CSMS?”
a. Security policy, organization and awareness
b. Correction
c. Selected security countermeasures
d. Implementation
Answer: b
9. Subdividing a network into zones that have similar security requirements and characteristics and are separated by protective devices to screen traffic from one network segment to another is known as which of the following?
a. Network segmentation
b. Network isolation
c. Network masking
d. Network fragmentation
Answer: a
10. In the CSMS, access control is subdivided into which of the following three areas?
a. Account verification, authentication, and authorization
b. Account administration, authentication, and authorization
c. Account administration, audit, and authorization
d. Account administration, authentication, and activation
Answer: b
11. Risk management, system development and maintenance, and incident planning are part of which of the following areas of addressing risk in the CSMS?
a. Security policy, organization, and awareness
b. Selected security countermeasures
c. Implementation
d. Scope
Answer: c
12. In the monitoring and improving category of the CSMS, which element verifies that an automation system is compliant with appropriate policies, procedures, and regulations?
a. Review
b. Conformance
c. Improve
d. Maintain
Answer: b
13. NIST SP 800-39 views which of the following as a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis?
a. Risk management
b. Risk assessment
c. Risk monitoring
d. Risk evaluation
Answer: a
14. NIST SP 800-39 defines three tiers. Which of the following include those three?
a. Policy, Mission/Business Processes, Information Systems
b. Organization, Policy, Information Systems
c. Organization, Mission/Business Processes, Objectives
d. Organization, Mission/Business Processes, Information Systems
Answer: d
15. Categorizing organizational information systems and properly allocating security controls to those systems to support the organization’s mission/business processes is performed in which tier of the multitiered risk management architecture?
a. Tier 1
b. Tier 2
c. Tier 3
d. Tier 4
Answer: c
16. According to NIST SP 800-39, risk framing, risk assessment, risk response, and risk monitoring are components of which of the following?
a. Risk valuation
b. Risk determination
c. Risk management
d. Risk acceptance
Answer: c
17. Making assumptions about threats, vulnerabilities, consequences/impact, and likelihood of occurrence is part of which of the following, according to NIST SP 800-39?
a. Risk assessment
b. Risk framing
c. Risk response
d. Risk monitoring
Answer: b
18. Which of the following is NOT an element of responding to risk, according to NIST SP 800-39?
a. Evaluating the effectiveness of implemented risk response measures
b. Developing alternative courses of action
c. Selecting the best courses of action
d. Implementing selected responses
Answer: a
19. According to NIST SP 800-37, which of the following “provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle?”
a. Risk Monitoring Framework (RMF)
b. Risk Assessment Framework (RAF)
c. Risk Management Framework (RMF)
d. Risk Evaluation Framework (REF)
Answer: c
20. Which of the following groups of elements is presented in NIST SP 800-37 to manage risk?
a. Categorize, Select, Implement, Authorize
b. Categorize, Evaluate, Implement, Monitor
c. Determine, Select, Implement, Authorize
d. Determine, Evaluate, Implement, Monitor
Answer: a
21. Which of the following is NOT characteristic of an insider threat?
a. Many insider attacks are conducted by disgruntled insiders
b. Most insider attacks do not result in serious losses or harm
c. Many insider attacks are conducted remotely
d. Many inside attackers have privileged access to computer systems
Answer: b
22. Which of the following best describes Stuxnet?
a. A worm that was designed to change control outputs on specific PLCs and conceal its existence from control room observers
b. A worm that was designed to modify email messages and conceal its existence from control room observers
c. A virus that was designed to modify disk storage and send random messages to users’ computers
d. A virus that was designed to crash computers when email attachments were opened
Answer: a
23. Which of the following is NOT true regarding Stuxnet?
a. Attacks both networked and non-networked PCs
b. Installs device drivers using valid, digital certificates
c. Infects Apple Macintosh computers
d. Infection is accomplished through USB flash drives
Answer: c
24. The process that only uses software that is “clean” and not compromised and is verified before running is known as which of the following?
a. Confirming
b. Whitelisting
c. Cleanlisting
d. Prechecking
Answer: b
25. An electromagnetic pulse generated by a high-altitude nuclear detonation in space at heights above 30 km is known as which of the following?
a. Intentional Electromagnetic Interference (IEMI)
b. Space Generated EMP (SGEMP)
c. Intensive Electromagnetic Interference (IEMI)
d. High Altitude EMP (HEMP)
Answer: d
26. Which one of the following is NOT a component of a High Power Electromagnetic (HPEM) burst?
a. Final-time (E4) – Several hundred seconds after the burst
b. Early-time (E1) – Within 10 ns of the burst
c. Intermediate-time (E2) – Between 1 microsecond and 1 second after the burst
d. Late-time (E3) – Between 1 second and several hundred seconds after the burst
Answer: a
27. Solar-generated EMP is the result of which of the following actions?
a. Changes in the sun’s orbit
b. Solar eclipses
c. Geomagnetic storms on the sun
d. Changes in the earth’s orbit
Answer: c
28. Which of the following statements is NOT true regarding EMP?
a. High-frequency pulses can induce currents in floating wires.
b. High-frequency pulses can penetrate through windows and gaps in metal shields.
c. High-frequency grounding with filters and surge arrestors can be used to protect sensors, smart meters, and communications systems.
d. Fiber optic cabling cannot minimize coupling.
Answer: d
Review Questions for Chapter 6
1. NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, partitions security controls into which one of the following groups?
a. Management controls, operational controls, and technical controls
b. Management controls, administrative controls, and technical controls
c. Management controls, operational controls, and physical controls
d. Logical controls, operational controls, and technical controls
Answer: a
2. NIST SP 800-82 defines five major security objectives for an industrial control system (ICS) implementation. Which of the following is NOT one of those objectives?
a. Restricting logical access to the ICS network and network activity
b. Restricting physical access to the ICS network and devices
c. Protecting individual ICS components from exploitation
d. Shutting down the ICS after an incident
Answer: d
3. In NIST SP 800-82, policies and procedures for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications prior to, during, and after system implementation is known as which of the following?
a. Configuration management
b. Risk management
c. System management
d. System maintenance
Answer: a
4. In the NIST SP 800-82 controls, the process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment is known as which of the following?
a. Authentication
b. Audit and accountability
c. Access control
d. Identification
Answer: c
5. The controls of ANSI/ISA-TR99.00.01-2007 are organized into six categories. Which of the following is NOT one of those categories?
a. Encryption Technologies and Data Validation
b. Risk Mitigation Technologies
c. Authentication and Authorization Technologies
d. Filtering/Blocking/Access Control Technologies
Answer: b
6. ANSI/ISA-TR99.00.01-2007 describes which of the following as “the initial step in protecting an industrial automation and control system (IACS) and its critical assets from unwanted breaches. It is the process of determining who and what should be allowed into or out of a system”?
a. Authorization
b. Authentication
c. Identification
d. Confirmation
Answer: a
7. Which of the following are the major components of authentication and authorization technologies spelled out in ANSI/ISA-TR99.00.01-2007?
a. Role-based, password, and challenge response
b. Rule-based, user ID, and challenge response
c. Role-based, password, and call-back
d. Rule-based, password, and call-back
Answer: a
8. Which of the following does ANSI/ISA-TR99.00.01-2007 identify as the three main types of software that have to be considered in industrial automation and control system software?
a. Mobile operating systems, real-time and embedded operating systems, and Web servers and Internet technologies
b. Server and workstation operating systems, real-time and embedded operating systems, and wireless technologies
c. Server and workstation operating systems, real-time and embedded operating systems, and Web servers and Internet technologies
d. Server and workstation operating systems, real-time and embedded operating systems, and mobile technologies
Answer: c
9. In ANSI/ISA-TR99.00.01-2007, what are the three main categories of physical security elements?
a. Active, identification and monitoring devices, and passive
b. Active, real-time, and passive
c. Active, identification and monitoring devices, and real-time
d. Reactive, identification and monitoring devices, and passive
Answer: a
10. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards are divided into Standards CIP-002-4 through CIP-009-4 and address “the identification and protection of critical cyber assets to support reliable operation of the Bulk Electric System (BES).” Which of the following is NOT one of the eight standards?
a. Risk assessment
b. Critical cyber asset identification
c. Security management controls
d. Electronic security perimeters
Answer: a
11. Which NERC CIP standard “ensures the identification, classification, response, and reporting of cybersecurity incidents related to critical cyber assets?”
a. Physical security of critical cyber assets
b. Systems security management
c. Recovery plans for critical cyber assets
d. Incident reporting and response planning
Answer: d
12. In NIST SP 800-53, the security controls are divided into 17 families, each with a unique, two-character identifier. The control families are themselves partitioned into three classes. Which of the three classes does the control family titled CP (contingency planning) fall under?
a. Technical
b. Management
c. Operational
d. Administrative
Answer: c
13. The NIST SP 800-53 controls are considered baseline controls, which can be tailored to more closely meet the needs of a particular organization and automation system. Which of the following is NOT one of the elements of the NIST SP 800-53 tailoring process?
a. Selecting (or specifying) compensating security controls, if needed, to adjust the preliminary set of controls to obtain an equivalent set deemed to be more feasible to implement
b. Applying scoping guidance to the initial baseline security controls to obtain a preliminary set of applicable controls for the tailored baseline
c. Specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored baseline
d. Developing custom parameters to meet the needs of the control system
Answer: d
14. The NIST SP 800-53 tailoring process refers to guidance “designed to ensure that only the controls appropriate to the particular mission and requirements of the organization are used.” This guidance is referred to as which of the following?
a. Correlating
b. Assessing
c. Evaluating
d. Scoping
Answer: d
15. NIST SP 800-53 provides for the use of security controls, which the publication defines as “a management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control … that provides an equivalent or comparable level of protection for an information system and the information processed, stored, or transmitted by that system.” This type of additional control is known as which of the following?
a. Supporting
b. Supplemental
c. Compensating
d. Custom
Answer: c
16. Recognizing some of the special requirements of industrial automation and control systems, NIST SP 800-53 defines supplements to the baseline control systems to address automation and control issues. Which one of the following is NOT one of these supplements?
a. Risk evaluation
b. Predictable failure prevention
c. Emergency power
d. Access enforcement
Answer: a
17. The Department of Homeland Security’s Catalog of Control Systems Security is based on which of the following security controls documents?
a. NIST SP 800-82
b. NIST SP 800-53
c. NIST SP 800-39
d. The NERC CIP Cybersecurity Standards
Answer: b
18. The Advanced Metering Infrastructure (AMI) Security Requirements are characterized by letters. Which of the following is NOT one of the AMI security requirements categories?
a. “R” are risk requirements
b. “F” are functional requirements
c. “S” are supporting services to functional requirements
d. “A” are assurance requirements
Answer: a
19. The Advanced Metering Infrastructure (AMI) security requirement FIN refers to which of the following security principles?
a. Inventory
b. Final evaluation
c. Integrity
d. Internal
Answer: c
20. The recording of activity by actors/elements throughout the system and providing the means to perform a successful audit of events that occur on the system refers to which of the following Advanced Metering Infrastructure (AMI) security controls?
a. Accounting
b. Anomaly detection
c. Authentication
d. Authorization
Answer: a
21. Which of the following is NOT one of the Department of Defense Instruction 8500.2 security control subject areas?
a. Security design and configuration
b. Risk management
c. Physical and environmental
d. Continuity
Answer: b
22. Department of Defense Instruction 8500.2, control CODP, Disaster and Recovery Planning, provides which of the following information security principles?
a. Availability
b. Integrity
c. Accountability
d. Authentication
Answer: a
23. In NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, risk assessment, planning, systems and services acquisition, certification, accreditation, and security assessments fall under what category of controls?
a. Technical
b. Logical
c. Management
d. Operational
Answer: c
24. In NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, controls such as personnel security and contingency planning fall under which of the following control categories?
a. Management
b. Operational
c. Technical
d. Physical
Answer: b
25. In NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, controls, such as identification and authentication, access control, and audit and accountability fall under which of the following control categories?
a. Administrative
b. Operational
c. Management
d. Technical
Answer: d
26. ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems, defines which of the following principles as “the process of positively identifying potential network users, hosts, applications, services, and resources, using a combination of identification factors or credentials. The result of this process then becomes the basis for permitting or denying further actions”?
a. Authentication
b. Authorization
c. Accountability
d. Accessibility
Answer: a
27. ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems, divides authentication into which of the following two areas?
a. User authentication and group authentication
b. Group authentication and network service authentication
c. User authentication and network service authentication
d. Platform authentication and user authentication
Answer: c
28. ANSI/ISA-TR99.00.01-2007 defines which of the following as “can be used to distinguish communication by devices that are not part of the desired network. This feature is generally attractive for SCADA and other process control systems that wish to allow little or no access to the control network, but is difficult to deploy in systems requiring unrestricted Internet access”?
a. Asymmetric key encryption
b. Digital signature
c. Biometrics
d. Symmetric key encryption
Answer: d
29. ANSI/ISA-TR99.00.01-2007 states that encryption can also be employed in a virtual private network (VPN), which provides for authentication, integrity, and protection from unauthorized disclosure. Which of the following is NOT one of the most common VPN implementations?
a. Hyper Text Transfer Protocol (HTTP)
b. Internet Protocol Security (IPSec)
c. Secure Shell (SSH)
d. Secure Sockets Layer (SSL)
Answer: a
30. What standards address “the identification and protection of critical cyber assets to support reliable operation of the Bulk Electric System (BES)?”
a. ANSI/ISA-TR99.00.01-2007
b. NIST SP 800-53
c. NIST SP 800-82
d. NERC CIP Cybersecurity Standards
Answer: d
31. Which of the following is NOT one of the NERC CIP Cybersecurity Standards?
a. Risk Management
b. Critical Cyber Asset Identification
c. Security Management Controls
d. Personnel and Training
Answer: a
32. The following are characterized as what type of guidance in NIST SP 800-53: determining the primary security objectives, which system components the controls are applicable to, and what technologies are employed in the system?
a. Custom
b. Complementary
c. Scoping
d. Supplemental
Answer: c
33. In NIST SP 800-53, one of the industrial control system supplemental controls states that “it protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation.” This industrial control system supplemental control is which of the following?
a. Predictable Failure Prevention
b. Fail in a Known State
c. Access Enforcement
d. Emergency Power
Answer: a
34. The Organizational Security controls in the Department of Homeland Security Catalog of Control Systems Security relate to which of the following control categories in NIST SP 800-53?
a. Personnel Security (PS)
b. System and Services Acquisition (SA)
c. Access Control (AC) and Program Management (PM)
d. Contingency Planning (CP) and Media Protection (MP)
Answer: c
35. The Monitoring and Reviewing Control System Security Policy controls in the Catalog of Control Systems Security relate to which of the following control categories in NIST SP 800-53?
a. Audit and Accountability (AU)
b. Program Management (PM)
c. Security Assessment and Authorization (CA)
d. System and Information Integrity (SI)
Answer: c
36. The AMI System Security Requirement that addresses “the proof of identity of an actor” is which of the following?
a. Authentication
b. Identification
c. Authorization
d. Nonrepudiation
Answer: a
37. The AMI System Security Requirement that is “based on security auditing and recognizing, recording, storing, and analyzing information related to security relevant activities” is which of the following?
a. Authorization
b. Authentication
c. Accountability
d. Integrity
Answer: c
Review Questions for Chapter 7
1. What organizations host the National SCADA Test Bed (NSTB) program?
a. NIST and the NSA
b. The Idaho National Laboratory and the Sandia National Laboratories
c. ISA and SANS
d. US-CERT and NIST
Answer: b
2. Which of the following is NOT a function of the National SCADA Test Bed (NSTB)?
a. Assess selected control systems and control system components to identify cyber vulnerabilities
b. Develop new standards and guidelines for governmental agencies
c. Provide control system security training through workshops that describe common cyber vulnerabilities found in control systems
d. Share with appropriate standards organizations information that can be used to support the development of improved industry standards applicable to control system security
Answer: b
3. What organization developed and teaches the application of 99.02.01-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program?
a. SANS
b. NIST
c. ISA
d. NSA
Answer: c
4. In a training program hands-on exercise, what is the function of the Red Team?
a. Mitigating
b. Scanning
c. Defending
d. Attacking
Answer: d
5. In a training program hands-on exercise, what is the function of the Blue Team?
a. Defending
b. Attacking
c. Scanning
d. Mitigating
Answer: a
6. What is fuzzing?
a. Modifying memory locations
b. An attack using random or malformed bad data
c. Scanning to determine vulnerabilities
d. Responding to an attack by counterattacking
Answer: b
7. The National Initiative for Cybersecurity Education (NICE) is a partnership of government, industrial, educational, and professional organizations. Which of the following is NOT one of the goals of NICE?
a. Raise awareness among the American public about the risks of online activities
b. Broaden the pool of skilled workers capable of supporting a cyber-secure nation
c. Develop and maintain an unrivaled, globally competitive cybersecurity workforce
d. Develop secure digital control systems
Answer: d
8. Which of the following organizations is NOT a participant in the NICE initiative?
a. NIST
b. NASA
c. Department of Homeland Security (DHS)
d. NSA
Answer: b
9. The NICE Cybersecurity Workforce Framework develops a vocabulary that can be used by any type of organization in categorizing cybersecurity work. Which of the following is NOT a category in this framework?
a. Penetration testing
b. Design
c. Operation
d. Maintenance
Answer: a
10. The U.S. National Centers of Academic Excellence initiative is sponsored by which of the following organizations?
a. NIST and the Department of Energy
b. SANS and the Department of Education
c. NSA and the Department of Homeland Security
d. The Department of Defense and the US-CERT
Answer: c
11. The designation of an institution as a National Center of Academic Excellence has a duration of how many years before the institution has to reapply?
a. Two years
b. Ten years
c. Five years
d. Seven years
Answer: c
12. Which of the following is NOT one of the critical steps in the life cycle of a security awareness and training program as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program?
a. Awareness and training program design
b. Program implementation
c. Post-implementation
d. Pre-implementation needs review
Answer: d
13. Which of the following is NOT one of the three common models used in managing a security training function as described in NIST Special Publication 800-50?
a. Centralized
b. Partially Decentralized
c. Partitioned
d. Fully Decentralized
Answer: c
14. According to NIST SP 800-50, learning is a continuum comprising which of the following elements?
a. Awareness, skill, knowledge
b. Awareness, training, education
c. Training, education, skill
d. Education, awareness, skill
Answer: b
15. NIST SP 800-16, Information Security Training Requirements: A Role- and Performance-Based Model (Draft), defines the following as what type of training?
“Focuses on providing the knowledge, skills, and abilities specific to an individual’s roles and responsibilities relative to information systems. At this level, training recognizes the differences between beginning, intermediate, and advanced skill requirements.”
a. Role-based training
b. Task-oriented training
c. Responsibility training
d. Knowledge and skills training
Answer: a
16. Which one of the following is NOT one of the five phases of the industrial design model described in NIST SP 800-16?
a. Analysis
b. Training
c. Design
d. Evaluation
Answer: b
17. What are the two types of evaluations in the evaluation phase of the industrial design model described in NIST SP 800-16?
a. Formative and summative
b. Formative and intuitive
c. Summative and descriptive
d. Descriptive and formative
Answer: a
Review Questions for Chapter 8
1. The technology that eliminates the binding of software to specific hardware platforms is known as which of the following?
a. Artificial intelligence
b. Virtualization
c. Cloud computing
d. Software as a service
Answer: b
2. A hypervisor is which of the following?
a. A virtual machine monitor
b. An advanced HMI
c. A manager
d. An alarm mechanism
Answer: a
3. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, defines the process for developing an ISCM strategy and implementing an ISCM program. Which one of the following best describes the ISCM strategy?
a. Providing security mechanisms to reduce risks to automation systems
b. Developing security policies to specify management intent for information systems and automation systems
c. Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
d. Maintaining ongoing awareness of risk mitigation alternatives
Answer: c
4. Which of the following is NOT one of the ISCM program steps?
a. Define
b. Establish
c. Respond
d. Mitigate
Answer: d
5. In the ISCM process, the status of automation security in a facility can be determined by establishing appropriate metrics. Which of the following activities is NOT used to define the metrics?
a. Evaluating applicable mitigation approaches
b. Assessing all security controls
c. Providing actionable communication of security status across all tiers of the organization
d. Collecting, correlating, and analyzing security-related information
Answer: a
6. NIST SP 800-137 defines the process for managing information security and information system–related risk as which of the following?
a. Risk Management Framework (RMF)
b. Risk-Impact Criteria (RIC)
c. Vulnerability Analysis (VA)
d. Risk-Vulnerability Matrix (RVM)
Answer: a
7. Security control volatility, system categorizations/impact levels, organizational risk tolerance, and security controls with identified weaknesses are associated with what characteristic discussed in NIST 800-137?
a. The necessity of adding compensating controls
b. The risk impact levels
c. The level of risk
d. The frequency of monitoring security controls for effectiveness
Answer: d
8. Appendix D of NIST SP 800-137 defines a term as “an information security area that includes a grouping of tools, technologies, and data.” What is this term?
a. Security automation domain
b. Compensating domain
c. Risk management domain
d. Risk mitigation domain
Answer: a
9. The SEI-maintained Smart Grid Maturity Model (SGMM) is described best by which of the following statements?
a. Provides a framework for understanding the current state of Smart Grid deployment and capability within an electric utility and provides a context for establishing future strategies and work plans as they pertain to Smart Grid implementations
b. Provides a management perspective of Smart Grid deployment and capability within an electric utility and develops guidelines for Smart Grid implementations
c. Provides a targeted hierarchical methodology applicable to Smart Grid evaluation and maintenance within an electric utility and provides a basis for implementing effective Smart Grid controls
d. Provides a Smart Grid assurance model and algorithms for future deployment and implementation of Smart Grid systems
Answer: a
10. Which of the following is NOT one of the eight domains of the SGMM?
a. Strategy, Management, and Regulatory (SMR)
b. Organization and Structure (OS)
c. Metering and Monitoring (MAM)
d. Work and Asset Management (WAM)
Answer: c
11. Which of the following is NOT one of the six maturity levels defined in the SGMM?
a. Default
b. Evaluating
c. Initiating
d. Integrating
Answer: b
12. The SGMM maturity rating for each domain in an organization is determined by which of the following means?
a. The SGMM Domain survey
b. The SGMM Risk survey
c. The SGMM Level survey
d. The SGMM Compass survey
Answer: d
13. NIST 7628, Introduction to NISTIR 7628 Guidelines for Smart Grid Cybersecurity, is a three-volume document that provides a methodical approach to implementing customized cybersecurity and privacy protection strategies for Smart Grid implementations. Which of the following areas is NOT addressed in the volumes comprising NISTIR 7628?
a. Risk assessment processes
b. Privacy issues
c. Cost evaluation matrices
d. Research and development topics
Answer: c
14. Which of the following describes the optimizing level (Level 4) of the SGMM?
a. Focuses on implementing features that will enable an organization to achieve and sustain grid modernization
b. Smart Grid implementations within a given domain are being fine-tuned and used to further increase organizational performance
c. Smart Grid deployments are being integrated across the organization
d. Organizations are achieving new results with a given domain and advancing the state of the practice
Answer: b
15. What entity in the SGMM is defined as “the stages of an organization’s progress toward achieving its Smart Grid vision in terms of automation, efficiency, reliability, energy and cost savings, integration of alternative energy sources, improved customer interaction, and access to new business opportunities and markets?”
a. Maturity
b. Capability
c. Characteristics
d. Value
Answer: a
16. In the ISCM process, the status of automation security in a facility can be determined by establishing appropriate metrics. Which of the following is NOT one of the activities through which those metrics are defined?
a. Maintaining an understanding of threats and threat activities
b. Conducting security awareness training
c. Collecting, correlating, and analyzing security-related information
d. Active management of risk by organizational officials
Answer: b
17. What technology reduces the effort required to maintain hardware and software systems by eliminating the binding of software to specific hardware platforms through the logical partitioning of physical computing resources into multiple execution environments, including servers, applications, and operating systems?
a. Virtualization
b. Cloud computing
c. Distributed computing
d. Multi-core chips
Answer: a
18. Which of the following statements is FALSE regarding penetration testing of industrial automation and control systems?
a. If not properly conducted, penetration testing can cause damage to automation systems and disrupt operations.
b. Penetration testing tools do not create additional traffic on automation networks and do not affect systems with limited memory capacity.
c. If executed properly, penetration testing can provide important information regarding the security of automation systems.
d. It is useful to use nonintrusive methods when conducting penetration testing.
Answer: b
19. Penetration testing conducted with no prior knowledge of the automation system is known as which of the following?
a. Black box
b. White box
c. Grey box
d. Auto box
Answer: a
20. Which of the following is NOT a component of the reconnaissance phase of penetration testing?
a. Footprinting
b. Scanning
c. Controlling
d. Enumerating
Answer: c
21. Which of the following is NOT one of the maturity levels of the Automation Maturity Model?
a. Local digital control
b. Remote auto control
c. Optimized operations
d. Enabled control
Answer: d
22. What level of the Automation Maturity Model is characterized by full automation and automated closed-loop control around a set point?
a. Local digital control
b. Enhanced operations
c. Remote auto control
d. Optimized operations
Answer: c