ISA/IEC 62443 Cybersecurity Maintenance Specialist (Certificate 4) (IC37), Latest Version 6.0: Questions and Correct Answers
Q1. According to ISA/IEC 62443-2-4, which role is specifically
responsible for the integration of security patches and ongoing
maintenance activities?
A) Asset Owner
B) Product Supplier
C) Maintenance Provider
D) System Integrator
Answer: C
Rationale: ISA/IEC 62443-2-4 explicitly defines the
"Maintenance Provider" (formerly known as "Service Provider")
as the entity responsible for executing the security maintenance
program, including patch integration and configuration updates
on behalf of the Asset Owner.
Q2. Scenario: You are the Maintenance Specialist for a water
treatment facility. The Asset Owner wants to deactivate a legacy
Windows 2008 HMI because "it takes too long to patch." What
is the correct first step per the 62443 lifecycle?
A) Immediately air-gap the device from the network.
B) Perform a risk assessment to evaluate the impact of removing
the HMI on operational availability.
C) Upgrade the HMI to Windows 11 using an unauthorized
license.
D) Ignore the request, as maintenance is only for software
updates.
Answer: B
Rationale: Before any major change, a risk assessment must be
performed to understand the impact on the Safety Integrity Level
(SIL) and operational availability. IACS prioritizes availability;
removing a critical HMI without assessment could shut down the
plant.
Q3. What is the primary purpose of the "Operate" phase in
the IACS cybersecurity lifecycle?
A) To design the initial network architecture.
B) To ensure that security controls remain effective throughout the
system's operational life.
C) To conduct factory acceptance testing (FAT).
D) To decommission end-of-life assets.
Answer: B
Rationale: The Operate (or Maintain) phase focuses on the
continuous operation of security controls, monitoring for
degradation, and responding to incidents, ensuring the system
stays within its defined risk tolerance.
Q4. Which of the following best describes "Defense in Depth"
as applied to IACS maintenance?
A) Installing only one very expensive firewall at the perimeter.
B) Applying multiple layers of security controls (e.g., firewall, IDS,
hardening) so that if one fails, others protect.
C) Ensuring all passwords are changed monthly.
D) Focusing only on physical security since OT networks are air-gapped.
Answer: B
Rationale: Defense in depth uses layered security measures. In
maintenance, this means combining network segmentation
(Zone/Conduit), host hardening, and application whitelisting to
protect against threats that bypass the perimeter.
Q5. What does "SL-A" (Achieved Security Level) represent
during system verification?
A) The security level requested by the sales team.