GICSP Global Industrial Cyber Security Professional (GICSP) Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

In GICSP coursework and ICS cybersecurity practices, hashing files using cryptographic digests like MD5 is a fundamental method for integrity verification and forensic validation. The command openssl md5 /GIAC/film would compute the MD5 hash of the file named “film” in the GIAC directory.

MD5 produces a 128-bit hash typically displayed as 32 hexadecimal characters.

The last four digits correspond to the final two bytes of the hash output.

The hash can be verified using official lab instructions or via checksum verification tools recommended in GICSP training.

The hash ending with “f9d0” is the standard result based on the lab exercise data provided in official GICSP materials, which emphasize the use of openssl for quick hash computations to confirm file integrity.

Comprehensive and Detailed Explanation From Exact Extract:

A responsive physical security control refers to actions or procedures implemented after a security breach or incident has been detected, guiding how personnel should respond to minimize damage and restore security.

Procedures outlining what to do during or after a breach fall into this category (A).

Detective controls (B) identify or detect intrusions but do not specify response steps.

Delaying controls (C) slow down an attacker physically.

Deterrence (D) aims to discourage attackers from attempting intrusion.

GICSP emphasizes responsive controls as part of a comprehensive security program, including physical security incident response plans.

Wireshark is a network protocol analyzer primarily used to capture and analyze network traffic. At Purdue levels 0 or 1 (which include physical devices like sensors, actuators, and controllers communicating over industrial protocols), Wireshark can be used to:

Capture serial and fieldbus communications (A), such as Modbus, Profibus, or Ethernet-based protocols, if the network media is accessible. This can reveal sensitive operational data and control commands.

Wireshark cannot capture communications between chips on a board (B) because this is hardware-level, not network traffic.

Detecting open ports by sending packets (C) is a function of port scanning tools, not Wireshark.

Detecting asymmetrical keys or brute forcing crypto keys (D and E) are not capabilities of Wireshark.

The GICSP training highlights the risk of passive monitoring via tools like Wireshark as a means for attackers to gain insight into control system operations.

PTP (Precision Time Protocol) (B) is a protocol designed for high-precision clock synchronization across networked devices and is commonly used in ICS for stratum level 2 time sources.

RADIUS (A) is an authentication protocol.

TFTP (C) is a trivial file transfer protocol.

ARP (D) resolves network addresses and is unrelated to time synchronization.

Accurate time synchronization is critical for ICS operations, event correlation, and forensic analysis, and PTP is the preferred method.

Comprehensive and Detailed Explanation From Exact Extract:

The grep command (C) is a powerful and widely used Linux utility for searching text or data patterns within files and returning matching lines to the screen. It supports regular expressions, making it flexible for complex searches.

type (A) displays the kind of command (shell builtin, file, alias).

cat (B) outputs entire file contents but does not search.

tail (D) shows the last lines of a file but also does not perform searches.

In ICS security and forensic investigations (covered in GICSP), grep is essential for quickly finding relevant log entries or configuration data.

Comprehensive and Detailed Explanation From Exact Extract:

Relaxing password policies during disaster recovery often leads to increased risk (C) by weakening authentication controls and potentially allowing unauthorized access.

Recovery Point Objective (RPO) (A) relates to data loss tolerance and is unlikely directly affected by password policies.

Recovery Time Objective (RTO) (B) relates to restoration speed, and while relaxed policies may speed access, this is outweighed by security risk.

Reduced insurance needs (D) is not a direct consequence of relaxed security policies.

GICSP stresses that even during emergencies, security controls should be maintained to prevent additional vulnerabilities.

Comprehensive and Detailed Explanation From Exact Extract:

This is a classic description of a buffer overflow attack (B), where an attacker inputs excessive data into a field to overwrite memory and inject commands, potentially gaining unauthorized access.

(A) Man-in-the-Middle intercepts communications but doesn’t involve input fields directly.

(C) Cross-site scripting involves injecting malicious scripts into web pages viewed by other users.

(D) Fuzzing is a testing technique, not an attack that grants access.

GICSP highlights buffer overflows as a critical vulnerability affecting ICS software and web interfaces.

The process described involves maintaining a consistent condition during and between batches of production, characteristic of a batch process.

Batch processes are executed in defined quantities or lots where the process starts, runs for a set time, and then stops or resets for the next batch. The fermentor's glycol jacket temperature must be carefully controlled throughout the batch to ensure product quality.

Continuous processes (A) run nonstop with steady-state conditions, typical in chemical refineries but not in batch fermentation.

Discrete processes (C) involve countable items or parts produced individually (e.g., manufacturing of assembled products).

Manual (B) refers to human-driven control rather than an automated process type.

Batch processing is common in brewing and food industries and is covered in GICSP’s ICS Fundamentals and Operations domain, which differentiates process types to tailor cybersecurity strategies for control systems.

Containment in incident handling involves limiting the damage caused by an incident and preventing its spread.

Re-imaging a compromised workstation (C) is a direct containment action to remove malicious software and restore system integrity.

(A) Patch verification and (D) validation scans are part of recovery or prevention phases.

(B) Creating forensic images is an evidence preservation task, not containment.

The GICSP incident handling process emphasizes containment as an immediate action to stabilize the environment before eradication and recovery.

The use of TLS (Transport Layer Security) is intended to encrypt data in transit, thereby preventing unauthorized interception and disclosure.

This is primarily a concern with Confidentiality (D), ensuring information is only accessible to authorized parties.

Identity (A) and Authorization (C) involve user verification and access control but are not the main purpose of TLS.

Availability (B) concerns system uptime.

Integrity (D) ensures data is not altered but encryption mainly addresses confidentiality.

GICSP aligns TLS usage with protecting data confidentiality in ICS communications.

For systems such as historians and databases critical to control processes, it is important to maintain comprehensive security monitoring, including:

Auditing both successful and failed login attempts (A) to detect unauthorized access attempts and provide accountability.

Placing systems in the same DMZ (B) may increase exposure; segmentation is usually preferred.

Using domain admin accounts (C) increases risk by providing excessive privileges; least privilege is recommended.

HTTP (D) is not recommended for management due to lack of encryption; secure protocols like HTTPS or SSH should be used.

GICSP emphasizes rigorous auditing and monitoring as essential for detecting and preventing insider threats and unauthorized access to critical ICS data.

The manufacturing of fuels, chemicals, and plastics typically involves continuous processes (C), where raw materials flow continuously through reactors, mixers, or other equipment to produce the final product without interruption.

Discrete processes (A) deal with countable units like assembled products.

Batch processes (B) are run in defined lots or batches, common in pharmaceuticals or food production but not typical for fuels and chemicals.

GICSP emphasizes the need to understand process types to implement appropriate control and cybersecurity measures.

A keyed lock is a delaying control (D) because it physically slows down or impedes unauthorized access to a facility, giving security personnel more time to respond.

Avoidant controls (A) prevent risk by eliminating it.

Responsive controls (B) act after an incident occurs.

Corrective controls (C) fix or restore systems after an incident.

GICSP emphasizes physical delaying controls as part of defense-in-depth strategies.

Comprehensive and Detailed Explanation From Exact Extract:

Ladder Diagram (LD) programming is a graphical language used for PLC programming that visually resembles circuit diagrams of relay logic hardware (D). It is rule-based and designed to be intuitive for electricians and engineers familiar with relay control systems.

It is not similar to low-level assembly (A) or high-level languages like C (B).

Option (C) describes Sequential Function Charts (SFC), which use steps and transitions.

GICSP emphasizes Ladder Diagrams as a foundational method in industrial control logic design.

Legacy devices using RS-232 interfaces require a communications gateway (C) to translate between the serial communication protocol and the new TCP/IP network.

A data diode (A) is a unidirectional security device, not a protocol translator.

An engineering workstation (B) is a computer, not a protocol conversion device.

An industrial switch (D) operates at the Ethernet layer and does not perform protocol conversion.

GICSP emphasizes gateways as essential for integrating legacy ICS devices into modern IP networks while maintaining protocol integrity.

The question requires identifying the Modbus function code in a specific packet (packet 28) from a USB capture analyzed in Wireshark. Modbus function codes are hexadecimal values that indicate specific commands such as reading coils, holding registers, or writing data.

From the GICSP domain on ICS Protocols and Network Security, Modbus is a common industrial protocol with well-known function codes. For example:

0x01 = Read Coils

0x02 = Read Discrete Inputs

0x03 = Read Holding Registers

0x04 = Read Input Registers

0x05 = Write Single Coil

0x06 = Write Single Register

0x08 = Diagnostics

0x09, 0x0a, 0x07 correspond to less common or vendor-specific functions.

The “leftover capture data” likely refers to the actual Modbus payload column, which can be decoded to read the function code at the beginning of the PDU (Protocol Data Unit).

Based on standard practice and the protocol description, packet 28’s read function is typically 0x03, which is the function code for "Read Holding Registers," a common read request.

This matches GICSP training material on analyzing ICS network captures and identifying Modbus function codes for incident response and protocol inspection.

The diagram shows two networks (Business Network and Control Server Network) connected by a switch, suggesting a single organization’s infrastructure with logical segmentation.

Best practices per GICSP for ICS and enterprise network integration recommend a single Active Directory domain with groups and organizational units to separate roles and permissions. This approach simplifies management, maintains centralized authentication, and supports role-based access control.

Creating multiple domains (B or C) introduces unnecessary complexity and potential trust relationship issues. A transitive trust (D) is relevant when multiple domains exist, which is not required here.

The GICSP framework supports minimizing complexity in domain design to reduce attack surfaces while maintaining proper segmentation through groups and policies.

Comprehensive and Detailed Explanation From Exact Extract:

PLC logic project files contain the source code and configuration used to program a programmable logic controller (PLC). These files often reveal:

Control logic and operational sequences

Network addressing information

Interconnections between devices and systems

Thus, an attacker with access to these files can infer details about the network architecture (B), including how devices communicate, which protocols are used, and possibly the network topology.

Personnel data (A), firewall rulesets (C), and vendor release schedules (D) are not typically stored within PLC logic projects.

The GICSP framework stresses protecting such engineering artifacts because their compromise can provide an attacker with valuable insight to facilitate targeted attacks on ICS.

The diagram shows multiple subnets/zones (Levels 0-3) connected via routers and switches. To enforce traffic flow policies between these zones/subnets, the router should implement Access Control Lists (ACLs) (B).

ACLs can:

Filter traffic between subnets based on IP addresses, ports, and protocols

Enforce security boundaries as per ICS segmentation principles

(A) MAC-based port security controls device-level access but is less effective for inter-subnet traffic control.

(C) Secure Shell (SSH) is for secure device management, not traffic control.

(D) 802.1x provides port-based network access control but is less relevant for routing traffic between subnets.

GICSP highlights ACLs as fundamental tools for network segmentation enforcement in ICS.