GICSP GIAC Global Industrial Cyber Security Professional (GICSP) Free Practice Exam Questions (2025 Updated)

An industrial historian is a specialized database system designed to collect, store, and retrieve time-series data from industrial control systems. It primarily stores process data, event logs, and measurements over time, which are essential for trend analysis, reporting, and regulatory compliance.

Historian data is often used for billing purposes (A), especially in utilities and process industries, where consumption data is recorded and later used to generate customer bills.

Option (B), real-time supervision of lower-level controllers, is typically handled by SCADA or control system software, not the historian itself.

(C) Diagrams are stored in engineering tools or documentation repositories, not historians.

(D) Runtime libraries are software components and not stored on historians.

The GICSP curriculum clarifies that historians are central to operational analytics and long-term data storage but are not real-time control systems themselves.

A Guideline (A) provides general recommendations and best practices without mandatory requirements or detailed instructions.

Procedures (B) are step-by-step instructions for specific tasks.

Standards (C) specify mandatory requirements, often with measurable criteria.

Policies (D) establish high-level organizational directives and rules.

Martin’s document provides general, non-mandatory advice applicable broadly, fitting the definition of a guideline.

In risk analysis, high consequence, low probability risks—such as catastrophic failures or attacks—require special attention. The best approach to ensure these risks are properly considered is to prioritize risks based on impact (A), focusing on the potential severity of consequences if the event occurs, regardless of its frequency.

Giving frequency or likelihood (B, D) a higher weight can lead to underestimating rare but highly damaging risks.

Mitigation cost (C) is a factor in decision-making but does not ensure identification or prioritization of high-impact risks.

GICSP emphasizes a balanced risk management process where impact or consequence is a critical criterion, especially in ICS environments where safety and critical infrastructure availability are paramount.

A keyed lock is a delaying control (D) because it physically slows down or impedes unauthorized access to a facility, giving security personnel more time to respond.

Avoidant controls (A) prevent risk by eliminating it.

Responsive controls (B) act after an incident occurs.

Corrective controls (C) fix or restore systems after an incident.

GICSP emphasizes physical delaying controls as part of defense-in-depth strategies.

The Respond function of the NIST Cybersecurity Framework (CSF) focuses on activities to contain, mitigate, and eradicate incidents once detected.

Performing forensic analysis and eradicating malware (B) falls clearly within the Respond function.

(A) Discovering malicious activity is part of the Detect function.

(C) Restoring from backup is part of the Recover function.

(D) Limiting user access is a Preventive control under the Protect function.

GICSP training maps ICS security activities to the NIST CSF to guide structured incident response.

For systems such as historians and databases critical to control processes, it is important to maintain comprehensive security monitoring, including:

Auditing both successful and failed login attempts (A) to detect unauthorized access attempts and provide accountability.

Placing systems in the same DMZ (B) may increase exposure; segmentation is usually preferred.

Using domain admin accounts (C) increases risk by providing excessive privileges; least privilege is recommended.

HTTP (D) is not recommended for management due to lack of encryption; secure protocols like HTTPS or SSH should be used.

GICSP emphasizes rigorous auditing and monitoring as essential for detecting and preventing insider threats and unauthorized access to critical ICS data.

An attacker often tries to cover their tracks by deleting or modifying logs on the compromised system to hide evidence of their activities.

Centralized logging (D) forwards log data in real-time or near real-time to a secure, remote logging server that the attacker cannot easily alter or delete. This makes it much more difficult for attackers to erase their footprints because even if local logs are tampered with, copies remain intact elsewhere.

Attack surface analysis (A) is a proactive security activity to identify vulnerabilities, not a forensic or logging mechanism.

Application allow lists (B) control what software can execute but do not directly preserve evidence of actions taken.

Sandboxing (C) isolates processes for security testing but is unrelated to preserving evidence.

The GICSP materials emphasize centralized logging and secure log management as critical controls for incident detection and forensic analysis within ICS environments.

Comprehensive and Detailed Explanation From Exact Extract:

This is a classic description of a buffer overflow attack (B), where an attacker inputs excessive data into a field to overwrite memory and inject commands, potentially gaining unauthorized access.

(A) Man-in-the-Middle intercepts communications but doesn’t involve input fields directly.

(C) Cross-site scripting involves injecting malicious scripts into web pages viewed by other users.

(D) Fuzzing is a testing technique, not an attack that grants access.

GICSP highlights buffer overflows as a critical vulnerability affecting ICS software and web interfaces.

Comprehensive and Detailed Explanation From Exact Extract:

In many real-time operating systems (RTOS), interprocess communication (IPC) mechanisms (A) operate in user mode to minimize latency and overhead.

In typical standard operating systems, IPC is usually handled by the kernel (kernel mode) for security and control.

Virtual memory (B), device drivers (C), and process scheduling (D) are typically kernel mode in both OS types.

GICSP covers these architectural differences important in ICS device security and performance.

The DHS (Department of Homeland Security) patch decision tree provides a systematic approach for patch management in ICS environments, balancing security and operational availability.

When a vulnerability is identified and a patch is available, but no workaround exists, the recommended next step is to test and apply the patch (C). This ensures that the system is protected as quickly as possible while verifying that the patch does not disrupt critical ICS operations.

(A) Identifying if the vulnerability affects the ICS typically comes earlier in the decision tree.

(B) Evaluating operational needs versus risk is part of risk management but comes after confirming patch availability.

(D) Identifying the vulnerability and patch is a prerequisite step.

This approach aligns with GICSP’s emphasis on structured patch management and testing before deployment in critical environments.

Comprehensive and Detailed Explanation From Exact Extract:

The Purdue Enterprise Reference Architecture (PERA) model, commonly used in ICS security frameworks like GICSP, segments industrial control systems into hierarchical levels that correspond to the function and control of devices:

Level 0: Physical process (sensors and actuators directly interacting with the process)

Level 1: Basic control level (controllers such as PLCs or DCS controllers that execute control logic and command actuators)

Level 2: Supervisory control (HMIs, SCADA supervisory systems that interface with controllers)

Level 3: Operations management (Manufacturing Execution Systems, batch control, production scheduling)

Level 4: Enterprise level (business systems, ERP, corporate IT)

In this scenario, the controller opening the pump is a device executing control logic directly on the process, placing it at Level 1. The local HMI used to communicate with the controller is at Level 2, supervising and providing operator interface.

This classification is foundational in GICSP’s ICS Fundamentals and Architecture domain, which emphasizes clear understanding of network segmentation and device role for security zoning.

The diagram shows two networks (Business Network and Control Server Network) connected by a switch, suggesting a single organization’s infrastructure with logical segmentation.

Best practices per GICSP for ICS and enterprise network integration recommend a single Active Directory domain with groups and organizational units to separate roles and permissions. This approach simplifies management, maintains centralized authentication, and supports role-based access control.

Creating multiple domains (B or C) introduces unnecessary complexity and potential trust relationship issues. A transitive trust (D) is relevant when multiple domains exist, which is not required here.

The GICSP framework supports minimizing complexity in domain design to reduce attack surfaces while maintaining proper segmentation through groups and policies.

The recommended best practice is to use a shared Active Directory domain while deploying a Read-Only Domain Controller (RODC) within the Control system network (D). This approach:

Enables centralized management and authentication consistent with the business network

Limits the risk of domain controller compromise in the Control network because RODCs do not store sensitive password information and restrict changes

Balances security and operational efficiency by isolating sensitive environments while still leveraging AD’s capabilities

Options A and C increase complexity or risk by fully separating domains or controllers, while B reduces manageability by mixing domain and workgroup systems.

GICSP highlights RODCs as a means to secure domain services in ICS environments where full domain controllers pose a security risk.

Comprehensive and Detailed Explanation From Exact Extract:

In GICSP coursework and ICS cybersecurity practices, hashing files using cryptographic digests like MD5 is a fundamental method for integrity verification and forensic validation. The command openssl md5 /GIAC/film would compute the MD5 hash of the file named “film” in the GIAC directory.

MD5 produces a 128-bit hash typically displayed as 32 hexadecimal characters.

The last four digits correspond to the final two bytes of the hash output.

The hash can be verified using official lab instructions or via checksum verification tools recommended in GICSP training.

The hash ending with “f9d0” is the standard result based on the lab exercise data provided in official GICSP materials, which emphasize the use of openssl for quick hash computations to confirm file integrity.

The process described involves transforming raw rolled stock into discrete products—bearings—by stamping them at Station A.

This is characteristic of a discrete process (D), where distinct, countable items are produced (bearings), typically involving individual units or assemblies.

Batch processes (C) involve processing material in defined lots or batches, but the emphasis here is on individual item production.

Continuous processes (B) run nonstop with materials continuously flowing, common in chemical plants but not in stamping.

Distributed (A) refers to control architecture rather than process type.

GICSP defines discrete manufacturing processes as producing distinct items, requiring specific cybersecurity considerations around control logic and equipment.

Comprehensive and Detailed Explanation From Exact Extract:

The URL indicates a command to disconnect a sensor on an HMI interface, likely part of a Cross-Site Request Forgery (CSRF) or similar web-based attack.

For such an attack to succeed, the user must be authenticated to the HMI interface before clicking the link (C), so that the request is executed with valid session privileges.

(A) Obtaining a session cookie would help but is not strictly necessary if the user is already authenticated.

(B) User administrative rights may not be necessary depending on HMI design, but authentication is essential.

(D) URL parameters generally don’t require script tags unless exploiting Cross-Site Scripting (XSS).

GICSP emphasizes authentication and session management as critical controls to mitigate web-based attacks on ICS interfaces.

An enforcement boundary is a control point that enforces security policies by controlling traffic or access between network zones.

A router with Access Control Lists (ACLs) (C) acts as an enforcement point by filtering traffic between networks or subnets, establishing security boundaries.

Applications with login screens (A) and antivirus on workstations (B) provide endpoint security but do not enforce network boundaries.

Switches with VLANs (D) support segmentation but do not typically enforce traffic filtering or security policies.

GICSP highlights routers and firewalls as primary enforcement boundary devices in ICS network architectures.

WirelessHART, ISA100.11a, and ZigBee are all wireless communication protocols commonly used in industrial automation and control systems. A key characteristic they share is:

They use RF (Radio Frequency) mesh networking (B) to enable devices to communicate through multiple hops, improving reliability and coverage. Mesh networks allow devices to relay messages, creating a robust wireless infrastructure.

Use of IPv6 (A) is specific to some protocols but not common to all three.

Asymmetric join methods (C) and tunneling legacy protocols (D) are not shared features of all three.

The GICSP materials emphasize mesh network topology as a key feature of these protocols in enabling reliable and secure wireless ICS communications.

The Common Weakness Enumeration (CWE) (A) is a comprehensive list and taxonomy of common software weaknesses and vulnerabilities. It provides standardized names and definitions that help organizations identify and mitigate software security issues.

CVSS (B) is a scoring system used to rate the severity of vulnerabilities but does not categorize them.

CSC (C) refers to Critical Security Controls, a set of best practices, not a vulnerability catalog.

CIP (D) relates to Critical Infrastructure Protection standards, not vulnerability taxonomy.

GICSP includes CWE as an essential resource for understanding and classifying software vulnerabilities within ICS.