100+ Free CSSA Practice Questions

Pass your Certified SCADA Security Architect (CSSA) exam on the first try — instant access, no signup required.

Key Facts: CSSA Exam (2026 Statistics)

  • Exam Format: 100 MCQ / 120 min (source: IACRB)
  • Primary ICS Security Standard: IEC 62443 (source: IEC/ISA)
  • Purdue Model Levels: Levels 0–4 (source: ISA-95)
  • Electric Utility Compliance Suite: NERC CIP-002–013 (source: NERC)
  • ICS Security Guidance Publication: NIST SP 800-82 (source: NIST)
  • Passing Score: Not published (source: IACRB)

The CSSA is a 100-question, 120-minute MCQ exam from IACRB covering ICS/OT security architecture across ten domains: ICS fundamentals, Purdue Model, IEC 62443, NERC CIP, NIST SP 800-82, SCADA threats, risk assessment, secure network architecture, remote access controls, and physical security.

Sample CSSA Practice Questions

Try these sample questions to test your CSSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which of the following best describes an Industrial Control System (ICS)?
A. A collection of systems used to monitor and control industrial processes such as manufacturing, energy distribution, and water treatment
B. A system that manages financial transactions in enterprise environments
C. A network of servers used to host web applications for critical infrastructure
D. A cloud-based platform for managing enterprise resource planning
Explanation: An ICS is a broad category of systems used to monitor, control, and automate industrial processes. ICS includes SCADA, DCS, and PLC-based systems that operate critical infrastructure such as power grids, water treatment, oil and gas, and manufacturing. These systems have unique safety and availability requirements that differentiate them from enterprise IT.

2. What is the primary difference between Operational Technology (OT) and Information Technology (IT)?
A. OT directly monitors and controls physical processes, whereas IT processes and transmits data
B. OT systems run on Linux while IT systems run on Windows
C. OT uses the TCP/IP protocol stack exclusively, while IT uses proprietary protocols
D. OT is only used in military environments, while IT is used in commercial settings
Explanation: OT encompasses hardware and software that directly monitors and controls physical devices, processes, and events in industrial environments. IT focuses on data processing, storage, and communication. This distinction is fundamental to OT security because OT failures can have physical consequences — including equipment damage, environmental harm, or loss of life — that IT failures typically do not.

3. Which component of an ICS directly reads sensors and actuates field devices in a SCADA system?
A. Historian server
B. Human-Machine Interface (HMI)
C. Remote Terminal Unit (RTU) or Programmable Logic Controller (PLC)
D. Engineering workstation
Explanation: RTUs and PLCs are field devices that interface directly with physical sensors (inputs) and actuators (outputs) such as valves, motors, and relays. They execute control logic and report real-time data to the SCADA master station. PLCs are typically used in discrete manufacturing while RTUs are common in geographically distributed systems like pipelines and power grids.

4. In ICS/OT environments, the priority order for the CIA triad is most commonly shifted to which order?
A. Availability, Integrity, Confidentiality
B. Confidentiality, Integrity, Availability
C. Integrity, Confidentiality, Availability
D. Availability, Confidentiality, Integrity
Explanation: In ICS/OT, Availability is typically the highest priority because process disruption can cause equipment damage, environmental incidents, or safety hazards. Integrity is second because bad process data can cause incorrect control actions. Confidentiality, while still important, is generally the lowest priority compared to the operational continuity needs of industrial systems.

5. What is a Distributed Control System (DCS) most commonly used for?
A. Controlling continuous industrial processes such as chemical refining and power generation within a single plant
B. Monitoring and managing widely geographically dispersed field devices over long distances
C. Providing remote access to SCADA systems from enterprise networks
D. Storing and analyzing historical process data for compliance reporting
Explanation: A DCS is designed to control continuous process operations within a plant or facility, such as chemical processing, oil refining, or power generation. DCS controllers are distributed throughout the plant and communicate over a dedicated control network. Unlike SCADA, which monitors geographically dispersed assets, DCS focuses on tight, real-time control of a localized continuous process.

6. The Purdue Model for Control Hierarchy (also called the ISA-95 reference model) organizes ICS networks into how many levels?
A. 3 levels
B. 4 levels
C. 5 levels (Levels 0–4)
D. 7 levels
Explanation: The Purdue Model defines five levels (0 through 4). Level 0 = physical process devices (sensors, actuators). Level 1 = basic control (PLCs, RTUs). Level 2 = supervisory control (HMIs, SCADA). Level 3 = manufacturing operations (MES, batch control, historians). Level 4 = enterprise/business planning (ERP). A DMZ is often inserted between Levels 3 and 4 in modern implementations.

7. In the Purdue Model, at which level would you find PLCs and RTUs performing basic automatic control of field devices?
A. Level 1
B. Level 0
C. Level 2
D. Level 3
Explanation: Level 1 (Basic Control) contains PLCs, RTUs, and other embedded controllers that execute control logic and communicate directly with field devices at Level 0. Level 0 contains the physical sensors and actuators themselves. Level 2 contains HMIs and supervisory SCADA software. Level 3 is manufacturing operations management.

8. What security concept does the modern ICS-DMZ (Industrial DMZ) implement between the control network and the enterprise network in the Purdue Model?
A. It creates a buffered zone that mediates data flows between the enterprise (Level 4/5) and industrial (Level 3) networks without direct connectivity
B. It provides a shared flat network segment for OT and IT data exchange
C. It replaces the need for firewalls by providing a dedicated data link layer bridge
D. It hosts PLCs and RTUs in a virtualized environment accessible from both networks
Explanation: An ICS-DMZ (often between Levels 3 and 4/5) acts as an intermediary zone that allows data to flow between the enterprise and operational networks without establishing direct routed paths. Servers in the DMZ (data historians, file transfer proxies) mediate the exchange, limiting lateral movement risk. This implements defense-in-depth by ensuring no direct route from enterprise to control networks.

9. Which ICS/OT architecture concept is most closely aligned with the principle of 'defense-in-depth'?
A. Deploying multiple layered security controls including network segmentation, monitoring, physical security, and access controls
B. Using a single firewall at the enterprise network boundary to protect all OT systems
C. Encrypting all SCADA communications using TLS 1.3
D. Requiring two-factor authentication only for remote access to the HMI
Explanation: Defense-in-depth in ICS/OT means layering multiple independent security controls so that the compromise of one control does not lead to a complete system breach. This includes network segmentation (zones and conduits per IEC 62443), physical security, endpoint hardening, monitoring, and access controls. No single control is relied upon exclusively.

10. What does the concept of 'air gap' mean in the context of ICS/OT security, and what is a significant limitation?
A. Air gap means the OT network has no physical network connection to external networks; the limitation is that data exchange still occurs via removable media, USB devices, or compromised supply chain, which can introduce malware
B. Air gap means all OT devices are wirelessly connected; the limitation is radio interference
C. Air gap means OT firewalls block all inbound traffic; the limitation is that outbound traffic remains unfiltered
D. Air gap is an encryption standard for ICS communications; its limitation is computational overhead on PLCs
Explanation: An air gap physically isolates the OT network from external networks including the internet and enterprise IT. However, data must still flow in and out via USB drives, laptops, vendor maintenance laptops, and supply-chain firmware updates — all of which are common attack vectors. Stuxnet is the canonical example of malware crossing an air gap via infected USB media.
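The ICS-DMZ point in question 8 above ("no direct route from enterprise to control networks") can be checked mechanically against a firewall's permitted conduits. The Python below is an added example, not part of the practice page: it models the Purdue zones used in these questions as a directed graph of permitted flows and flags any enterprise-originated path that reaches a control zone without traversing the DMZ. Zone names and both rule sets are constructed for illustration.

```python
from collections import deque

# Zone names are constructed for this example, following the Purdue
# levels used in the questions above; the DMZ sits between L3 and L4.
DMZ = "DMZ"
ENTERPRISE = ("L4",)
CONTROL = ("L3", "L2", "L1", "L0")


def reachable_paths(conduits, start):
    """BFS over directed conduits (src, dst) that a firewall permits
    (direction = which side initiates); returns {zone: path_from_start}."""
    adjacency = {}
    for src, dst in conduits:
        adjacency.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, []):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def dmz_bypass_violations(conduits):
    """Enterprise-to-control paths that never traverse the DMZ.
    The DMZ is removed from the graph; any control zone still reachable from
    an enterprise zone is a bypass.  Only the path up to the first control
    zone is reported, so each entry names the offending conduit."""
    without_dmz = [(s, d) for s, d in conduits if DMZ not in (s, d)]
    violations = []
    for ent in ENTERPRISE:
        for zone, path in reachable_paths(without_dmz, ent).items():
            if zone in CONTROL and path[-2] not in CONTROL:
                violations.append(path)
    return violations


# Constructed rule sets.  COMPLIANT: L4 reaches only the DMZ, and the DMZ
# historian mirror is the only system allowed to talk into L3.
COMPLIANT = [("L4", DMZ), (DMZ, "L3"), ("L3", "L2"), ("L2", "L1"), ("L1", "L0")]
# FLAT adds a "temporary" vendor rule that lets L4 reach the L2 HMI directly.
FLAT = COMPLIANT + [("L4", "L2")]

if __name__ == "__main__":
    print("compliant:", dmz_bypass_violations(COMPLIANT))  # []
    print("flat:     ", dmz_bypass_violations(FLAT))       # [['L4', 'L2']]
```

The same check applies to real rule exports once each permitted flow is reduced to a (source zone, destination zone) pair.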

About the CSSA Exam

The Certified SCADA Security Architect (CSSA) by IACRB validates knowledge of securing Industrial Control Systems (ICS) and SCADA environments, including IEC 62443 zones and security levels, NERC CIP compliance, NIST SP 800-82 guidance, Purdue Model network architecture, ICS-specific threat analysis, and secure OT network design.

  • Questions: 100 scored questions
  • Time Limit: 120 minutes
  • Passing Score: Not published by IACRB
  • Exam Fee: Contact IACRB (Information Assurance Certification Review Board) for current pricing

CSSA Exam Content Outline

  • ICS/OT Environments Introduction (10%): SCADA, DCS, PLC, RTU, HMI fundamentals; OT vs IT security priorities; AIC vs CIA triad
  • ICS/OT Architecture and Purdue Model (12%): Purdue Model levels 0–4, ISA-95, ICS-DMZ, defense-in-depth, air gaps, network segmentation
  • ICS Standards, Protocols, and Frameworks (15%): IEC 62443 security levels and zones, NERC CIP suite, NIST SP 800-82, Modbus, DNP3, OPC-UA, IEC 61511
  • SCADA Threats and Attack Vectors (12%): Stuxnet, TRITON, Industroyer, APT groups, FDI attacks, ICS malware, MITRE ATT&CK for ICS
  • Risk Assessment and Vulnerability Management (12%): HAZOP, cyber-physical consequence analysis, CVSS in ICS context, CCE, asset inventory, supply chain risk
  • Secure Network Architecture and Zones (12%): IEC 62443 zones and conduits, data diodes, historian DMZ placement, SIS isolation, fail-secure design
  • Firewalls, DMZ, and Remote Access (10%): Default-deny policies, ICS-aware firewalls, jump servers, vendor access, DPI, VPN, protocol breaks
  • SCADA IDS and Incident Response (10%): Passive anomaly detection, network baselining, ICS incident response, tabletop exercises, NIST CSF Recover
  • Preventative Controls and Patching (7%): Application whitelisting, ICS patching constraints, compensating controls, removable media, hardening, NERC CIP-007/010
  • Physical Security (5%): Physical access control, PLC enclosure locking, NERC CIP-006, tailgating, control room security

How to Pass the CSSA Exam

What You Need to Know

  • Passing score: Not published by IACRB
  • Exam length: 100 questions
  • Time limit: 120 minutes
  • Exam fee: Contact IACRB for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CSSA Study Tips from Top Performers

1. Master the Purdue Model levels 0-4 and know which components belong at each level and why boundaries are placed where they are
2. Study IEC 62443 zone/conduit concepts and security levels 1-4 — know the attacker capability each level addresses
3. Understand NERC CIP standards by number: CIP-002 (classification), CIP-005 (ESP/remote access), CIP-006 (physical), CIP-007 (ports/patching), CIP-010 (config management), CIP-013 (supply chain)
4. Learn ICS attack case studies: Stuxnet (PLC/USB), TRITON (SIS), Industroyer (grid protocols), Colonial Pipeline (IT-OT interdependency), Oldsmar (remote access/HMI)
5. Know why ICS patching is hard and what compensating controls to apply when patches cannot be deployed
6. Understand the difference between passive monitoring (preferred in OT) and active scanning (risks crashing PLCs)

Frequently Asked Questions

What is the CSSA exam format?

The Certified SCADA Security Architect (CSSA) exam from IACRB consists of 100 multiple-choice questions delivered in 120 minutes via proctored exam. IACRB does not publicly publish the passing score or exam fee — check iacrb.com for current details.

What topics does the CSSA exam cover?

The CSSA covers ten domains: ICS/OT environment fundamentals, Purdue Model architecture, ICS standards and protocols (IEC 62443, NERC CIP, NIST SP 800-82), SCADA threats and attack vectors, risk assessment, secure network architecture, firewall and remote access design, ICS IDS and incident response, preventative controls and patching, and physical security.

What standards should I study for the CSSA?

Core study materials include IEC 62443 (zones, conduits, security levels 1-4), NERC CIP standards (CIP-002 through CIP-013), NIST SP 800-82 Rev. 3 (ICS security guide), IEC 61511 (functional safety/SIS), and MITRE ATT&CK for ICS. Understanding Modbus, DNP3, and OPC-UA protocol security is also essential.

What is the Purdue Model and why is it important for the CSSA?

The Purdue Model (ISA-95 reference architecture) organizes ICS networks into Levels 0-4, from physical process devices at Level 0 through enterprise systems at Level 4. It is the foundational architecture reference for ICS security segmentation, DMZ placement, and zone boundary definition — a core concept tested on the CSSA.

How does the CSSA differ from the GICSP?

Both CSSA (IACRB) and GICSP (GIAC/SANS) cover ICS security. GICSP is more widely recognized, requires SANS training or equivalent, and has a documented exam structure with publicly stated passing scores. CSSA is IACRB-administered and may be more accessible as an entry-level ICS security credential. The content domains overlap significantly.

Is prior ICS experience required for the CSSA?

IACRB does not list formal prerequisites for the CSSA. However, candidates should have working familiarity with industrial control systems, networking, and cybersecurity fundamentals. Candidates with only IT security backgrounds should invest additional study time in ICS/OT-specific topics like PLCs, SCADA protocols, and process safety.