100+ Free GICSP Practice Questions

Pass your GIAC Global Industrial Cyber Security Professional (GICSP) exam on the first try — instant access, no signup required.

~70-80% Pass Rate
100+ Questions
100% Free
2026 Statistics

Key Facts: GICSP Exam

  • Exam Questions: 82 (GIAC)
  • Passing Score: 71% (GIAC)
  • Exam Duration: 3 hours (GIAC)
  • With SANS ICS410: $2,499 (GIAC/SANS)
  • Validity: 4 years (GIAC)
  • Open-Book Exam (GIAC)

The GICSP has 82 questions in 3 hours with a 71% passing score. It is an open-book exam delivered via ProctorU (remote) or Pearson VUE/OnVUE (onsite). It covers ICS overview, ICS components and architecture, PERA Levels 0-1 and 2-3 technologies, protocols and communications, hardening endpoints, intelligence gathering, threat modeling, wireless technologies, disaster recovery, and ICS program and policy development. The exam fee is typically $979 for a retake or $2,499 with SANS ICS410 training. The certification is valid for 4 years.

Sample GICSP Practice Questions

Try these sample questions to test your GICSP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In the Purdue Enterprise Reference Architecture, which level contains the physical sensors, actuators, and field instruments that directly interact with the industrial process?
A. Level 3 (Site Operations)
B. Level 2 (Area Supervisory)
C. Level 0 (Process)
D. Level 1 (Basic Control)
Explanation: Level 0 of the Purdue Model contains the physical process equipment — sensors (pressure, temperature, flow), actuators (valves, motors), and instrumentation that directly measure or manipulate the physical process. Level 1 hosts basic control devices (PLCs, RTUs, DCS controllers). Level 2 houses HMIs and supervisory systems. Level 3 covers site operations like MES. Understanding level boundaries is foundational for ICS network segmentation.
2. Which CIA/AIC priority order most accurately reflects operational technology (OT) security compared with traditional IT security?
A. OT and IT share identical priority orders
B. OT: Availability > Integrity > Confidentiality
C. OT: Integrity > Confidentiality > Availability
D. OT: Confidentiality > Integrity > Availability
Explanation: OT environments prioritize Availability first — a stopped process can cause physical damage, lost production, or safety incidents. Integrity is next (bad data can cause unsafe control decisions). Confidentiality is last because exposing temperature readings rarely endangers a plant. IT classically prioritizes Confidentiality > Integrity > Availability. This inversion explains why OT patching is cautious and why we avoid disruptive scans.
3. A plant engineer connects to a Siemens S7-1500 PLC on TCP port 102. Which protocol is most likely in use?
A. Modbus TCP
B. EtherNet/IP
C. DNP3
D. S7comm (ISO-TSAP)
Explanation: Siemens S7 PLCs use S7comm (S7 Communication) encapsulated over ISO-on-TCP (RFC 1006), which uses TCP port 102. Modbus TCP uses port 502, DNP3 uses 20000, and EtherNet/IP (Rockwell/Allen-Bradley CIP) uses 44818 (explicit) and 2222 (implicit/UDP). Mapping vendor PLCs to protocol ports is essential for traffic analysis, firewall rules, and passive asset discovery.
4. The Stuxnet malware targeted which specific industrial component at the Natanz nuclear facility?
A. GE Fanuc PLCs controlling grid substations
B. Siemens S7-300/S7-400 PLCs controlling uranium centrifuges
C. Allen-Bradley ControlLogix controlling turbines
D. Schneider Modicon PLCs controlling water pumps
Explanation: Stuxnet specifically targeted Siemens S7-300 and S7-400 PLCs running Step 7 software that controlled IR-1 centrifuges at Natanz. It modified centrifuge rotor speeds to cause mechanical damage while feeding operators normal readings. Stuxnet is the most-studied ICS-specific attack and introduced concepts like rootkit PLC code and HMI spoofing that shaped modern OT defense.
5. What is the default TCP port used by Modbus TCP?
A. 2222
B. 502
C. 44818
D. 102
Explanation: Modbus TCP uses TCP port 502. Modbus is a widely deployed request/response protocol that encapsulates the original Modbus RTU application layer into TCP. It has no authentication or encryption by default. Port 102 is S7comm (ISO-TSAP), 2222 is EtherNet/IP implicit messaging (UDP), and 44818 is EtherNet/IP explicit messaging.
6. Which IEC 62443 concept groups assets with similar security requirements and defines the communication channels between them?
A. Security Levels (SL-1 through SL-4)
B. Foundational Requirements (FR1-FR7)
C. Zones and Conduits
D. Maturity Levels
Explanation: IEC 62443-3-2 defines Zones (logical groupings of assets sharing security requirements) and Conduits (the communication channels between zones). This model is the foundation for OT network segmentation design. Security Levels (SL-T/SL-A/SL-C) describe required, achieved, and capability levels. Foundational Requirements are the seven FR categories. All three concepts work together in a 62443 risk assessment.
7. Which ICS-specific malware is known for targeting safety instrumented systems (SIS), specifically Schneider Triconex controllers?
A. Stuxnet
B. Triton/Trisis/HatMan
C. Industroyer/CrashOverride
D. BlackEnergy
Explanation: Triton (also known as Trisis or HatMan) specifically targeted Schneider Electric Triconex Tricon safety controllers at a petrochemical facility in Saudi Arabia (2017). It attempted to reprogram SIS logic — a uniquely dangerous attack because SIS exist to prevent catastrophic physical events. Industroyer/CrashOverride targeted Ukrainian grid substations (IEC 60870-5-104). BlackEnergy targeted Ukrainian utilities as well but via traditional IT footholds.
8. An asset owner wants to perform passive discovery of ICS devices without sending any active probes. Which tool category is most appropriate?
A. Active vulnerability scanner like Nessus with default settings
B. Nmap with -sS SYN scanning
C. Passive ICS monitoring platform like Claroty, Nozomi, or Dragos
D. Aggressive Metasploit reconnaissance modules
Explanation: Claroty, Nozomi Networks, and Dragos are the leading passive OT monitoring platforms. They listen on SPAN ports and identify assets, firmware versions, and vulnerabilities by decoding industrial protocols — without sending packets to fragile ICS devices. Active scanners can crash legacy PLCs (classic example: Nmap crashing older Allen-Bradley CPUs). Passive discovery is the default safe posture for OT.
9. Which NERC CIP standard addresses electronic security perimeters, including identification and protection of the ESP and its access points?
A. CIP-010 Configuration Change Management and Vulnerability Assessment
B. CIP-003 Security Management Controls
C. CIP-007 System Security Management
D. CIP-005 Electronic Security Perimeter(s)
Explanation: NERC CIP-005 defines requirements for Electronic Security Perimeters (ESPs), including identifying all access points, implementing Interactive Remote Access controls, and applying malicious communication detection. CIP-003 covers overall security policy. CIP-007 covers system hardening (ports, patches). CIP-010 covers configuration management and vulnerability assessments. These are the core technical standards in the CIP family.
10. A refinery installs a Waterfall Unidirectional Gateway between the OT network (Level 3) and the corporate IT network (Level 4/5). What primary security property does this device provide?
A. Automatic patch deployment to PLCs
B. Deep packet inspection of all industrial protocols
C. Hardware-enforced one-way data flow (OT to IT only)
D. Bidirectional encrypted tunnel with strong authentication
Explanation: Unidirectional gateways (Waterfall, Owl) use hardware (a transmitter on one side, receiver on the other, fiber between) to physically enforce one-way data flow, typically OT-to-IT. This allows historian replication or data sharing to corporate without any possibility of return traffic reaching OT. They are stronger than firewalls for NERC CIP external connectivity and are used widely in nuclear, generation, and critical pipelines.

About the GICSP Exam

The GIAC Global Industrial Cyber Security Professional (GICSP) validates knowledge of industrial control systems (ICS) and operational technology (OT) security. It covers PLCs, SCADA, DCS, RTUs, HMIs, the Purdue Enterprise Reference Architecture (PERA Levels 0-5), industrial protocols (Modbus, DNP3, EtherNet/IP, PROFINET, OPC UA, IEC 61850), safety instrumented systems, IEC 62443/ISA 99, NIST SP 800-82, NERC CIP, and ICS-specific threats like Stuxnet, Triton, Industroyer, and Pipedream.

  • Questions: 82 scored questions
  • Time Limit: 180 minutes (3 hours)
  • Passing Score: 71%
  • Exam Fee: $2,499 (with SANS ICS410) / $979 retake (GIAC / ProctorU / OnVUE)

GICSP Exam Content Outline

  • ICS Overview & Concepts (~10%): ICS vs IT security differences, availability priority, Purdue Enterprise Reference Architecture (Levels 0-5), ICS components overview, and CIA vs AIC priorities in OT
  • ICS Components & Architecture (~10%): PLCs (Allen-Bradley, Siemens S7, Schneider), DCS, RTUs, HMIs, historians (OSIsoft PI, GE Proficy), engineering workstations, and ICS network topology
  • PERA Level 0 & 1 Technology Overview and Compromise (~12%): Field devices, sensors, actuators, controllers, safety systems, fieldbus protocols (HART, Profibus, Foundation Fieldbus), and Level 0/1 attack vectors
  • PERA Level 2 & 3 Technology Overview and Compromise (~12%): Supervisory/control systems, HMIs, SCADA servers, historians, engineering workstations, MES, and Level 2/3 attack surfaces
  • Protocols, Communications, & Compromises (~12%): Modbus TCP/RTU, DNP3, EtherNet/IP, PROFINET, IEC 61850 (GOOSE/MMS/SV), IEC 60870-5-104, OPC UA/DA, BACnet, HART, and protocol-level attacks
  • Hardening & Protecting Endpoints (~10%): OT endpoint hardening, application allowlisting, patch management in OT (slower, risk-based), compensating controls, USB/removable media controls, and host-based defenses
  • Wireless Technologies & Compromises (~8%): Industrial wireless (WirelessHART, ISA100.11a, Zigbee), Wi-Fi in OT, 4G/5G LTE for SCADA, cellular modems, and wireless threats
  • Intelligence Gathering & Threat Modeling (~10%): ICS Kill Chain, MITRE ATT&CK for ICS, passive discovery (Claroty, Nozomi, Dragos), OSINT for OT, Shodan, and ICS threat actors (Dragos Xenotime, Electrum, Chernovite)
  • Risk-Based Disaster Recovery & Incident Response (~8%): OT-specific IR, CRR, C2M2, backup strategies for PLCs/HMIs, ICS-CERT advisories, and safe shutdown procedures
  • ICS Program & Policy Development (~8%): IEC 62443/ISA 99 zones and conduits, NIST SP 800-82, NERC CIP v5/v6/v7, TSA Security Directives, governance, and OT-IT convergence policy

How to Pass the GICSP Exam

What You Need to Know

  • Passing score: 71%
  • Exam length: 82 questions
  • Time limit: 180 minutes (3 hours)
  • Exam fee: $2,499 (with SANS ICS410) / $979 retake

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GICSP Study Tips from Top Performers

1. Master the Purdue Enterprise Reference Architecture (PERA) Levels 0-5 — know what lives at each level
2. Know industrial protocols cold: Modbus TCP/RTU, DNP3, EtherNet/IP, PROFINET, OPC UA, IEC 61850 GOOSE/MMS
3. Understand OT vs IT security priorities — availability (A-I-C) over confidentiality (C-I-A)
4. Study real ICS attacks: Stuxnet, Triton/Trisis, Industroyer/CrashOverride, Havex, BlackEnergy, Pipedream/Incontroller
5. Know IEC 62443/ISA 99 zones and conduits, security levels SL-T and SL-A
6. Memorize NIST SP 800-82 core guidance and NERC CIP v5/v6/v7 requirements
7. Understand safety instrumented systems (SIS), SIL levels, and IEC 61511
8. Learn ICS asset discovery vendors: Claroty, Nozomi Networks, Dragos, Armis
9. Build a tabbed index for the open-book exam — know where to find protocol ports, Purdue levels, and standards
10. Complete all 100 practice questions and review explanations — focus on weak domains

Frequently Asked Questions

What is the GIAC GICSP exam format?

The GICSP consists of 82 questions with a 3-hour (180-minute) time limit. The exam is open-book — candidates may use printed reference materials. The passing score is 71%. The exam is proctored remotely via ProctorU or onsite via Pearson VUE/OnVUE. Candidates have 120 days from activation to complete their attempt.

What are the main GICSP exam domains?

GICSP covers 10 domains: ICS Overview & Concepts, ICS Components & Architecture, PERA Level 0 & 1 Technology, PERA Level 2 & 3 Technology, Protocols & Communications, Hardening Endpoints, Wireless Technologies, Intelligence Gathering & Threat Modeling, Risk-Based Disaster Recovery & Incident Response, and ICS Program & Policy Development.

How does GICSP compare to ISA/IEC 62443 certifications?

GICSP is a broad ICS cyber security professional certification covering technical and programmatic aspects. ISA 62443 certifications (Fundamentals, Specialist, Expert) are narrower and aligned to the IEC 62443 series (zones, conduits, security levels). GICSP is typically paired with SANS ICS410, while ISA certs align with ISA training. Many practitioners hold both.

What are the GICSP renewal requirements?

GIAC certifications are valid for 4 years. Renewal requires 36 Continuing Professional Education (CPE) credits plus a renewal fee (currently $499), or retaking the current exam. CPEs can be earned through SANS training, industry conferences, ICS-CERT webinars, publishing articles, or other approved activities.

What jobs can I get with GICSP certification?

GICSP qualifies you for ICS/OT security roles: OT Security Engineer ($110,000-155,000), ICS Security Analyst ($100,000-145,000), SCADA Security Specialist ($115,000-160,000), NERC CIP Compliance Analyst ($105,000-145,000), and OT SOC Analyst ($95,000-135,000). Critical infrastructure sectors — energy, water, oil & gas, manufacturing, pharma, and transportation — actively recruit GICSP holders.

How long should I study for GICSP?

Plan for 80-120 hours over 6-10 weeks. The SANS ICS410 course (ICS/SCADA Security Essentials) is the official training and highly recommended. Build familiarity with PLCs, SCADA, industrial protocols (Modbus, DNP3, EtherNet/IP), and the Purdue Model. Complete all 100 practice questions multiple times and build a well-tabbed reference index for the open-book exam.

Is GICSP open book?

Yes. GICSP, like all GIAC exams, is open-book. Candidates may bring printed reference materials (SANS ICS410 books, IEC 62443, NIST SP 800-82, personal notes). Electronic materials are not permitted. A well-indexed, tabbed reference set is critical — the 3-hour time limit does not allow unlimited lookups.