Free GICSP Practice Questions
10 free, exam-style Global Industrial Cyber Security Professional (GICSP) practice questions with answers and explanations. No signup required. Work through them below, then take the full free GICSP practice test to study every exam domain.
Question 1
A newly hired IT security manager proposes monthly patch Tuesday deployments across all OT systems. The control engineer objects. What is the MOST valid reason for the objection?
- A. Patching OT systems requires extensive testing and scheduled maintenance windows to avoid disrupting critical processes
- B. OT systems automatically update themselves through vendor-managed channels
- C. OT systems lack internet connectivity required for standard patch deployment methods
- D. The IT security manager lacks authority to implement changes in operational technology environments
Correct answer: A - Patching OT systems requires extensive testing and scheduled maintenance windows to avoid disrupting critical processes
Question 2
A plant network assessment reveals that a vendor has installed a cellular modem directly on a Level 1 PLC for remote support. According to Purdue Model principles, this is problematic because:
- A. Cellular modems are not approved for industrial environments
- B. PLCs require hardwired connections for reliability
- C. It bypasses network segmentation by connecting Level 1 directly to Level 5
- D. Cellular communications create electromagnetic interference with control systems
Correct answer: C - It bypasses network segmentation by connecting Level 1 directly to Level 5
Question 3
Stuxnet caused physical damage by:
- A. Manipulating PLC logic to alter centrifuge speeds
- B. Deleting critical operational data from historians
- C. Overheating industrial control system processors
- D. Disrupting electrical power to critical systems
Correct answer: A - Manipulating PLC logic to alter centrifuge speeds
Question 4
An operator notices the HMI shows reactor temperature at a steady 350°F, but a local thermocouple gauge on the reactor reads 420°F and climbing. What should the operator suspect?
- A. The local gauge must be malfunctioning
- B. Nothing - minor discrepancies are normal
- C. The HMI is always more accurate than local instruments
- D. A potential HMI compromise or data integrity issue
Correct answer: D - A potential HMI compromise or data integrity issue
Question 5
An ICS analyst examining a Wireshark capture sees a Modbus TCP packet with function code 0x06 sent from IP 192.168.1.50 to IP 10.1.1.100. What is happening?
- A. 192.168.1.50 is reading input registers from 10.1.1.100
- B. 192.168.1.50 is writing a single holding register to 10.1.1.100
- C. 192.168.1.50 is writing multiple coils to 10.1.1.100
- D. 192.168.1.50 is reading holding registers from 10.1.1.100
Correct answer: B - 192.168.1.50 is writing a single holding register to 10.1.1.100
Question 6
Which of the three eternal wireless risks is MOST difficult to prevent with cryptographic controls alone?
- A. Sniffing - encryption prevents content interception
- B. Masquerading - certificate-based authentication prevents impersonation
- C. Denial of service (jamming) - operates at the physical/RF layer
- D. All three are equally easy to prevent with encryption
Correct answer: C - Denial of service (jamming) - operates at the physical/RF layer
Question 7
An analyst runs `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Select-Object -First 50` on an HMI and sees 47 failed logon attempts for 'Administrator' from IP 10.1.3.99 in the last hour. This indicates:
- A. Normal operator login activity during shift change
- B. A brute-force password attack targeting the Administrator account
- C. The Administrator account has an expired password
- D. A scheduled task with incorrect authentication credentials
Correct answer: B - A brute-force password attack targeting the Administrator account
Question 8
The MITRE ATT&CK for ICS tactic 'Inhibit Response Function' is UNIQUE to ICS (not in Enterprise ATT&CK) and refers to:
- A. Preventing attackers from responding to defensive countermeasures
- B. Preventing incident response teams from accessing control systems
- C. Inhibiting network response time in SCADA communications
- D. Preventing operators and safety systems from responding to dangerous conditions
Correct answer: D - Preventing operators and safety systems from responding to dangerous conditions
Question 9
The PRIMARY difference between NERC CIP and the NIST CSF is:
- A. NERC CIP is mandatory for electric utilities, while NIST CSF is voluntary
- B. NERC CIP focuses on operational technology, while NIST CSF addresses information technology
- C. NERC CIP is updated annually, while NIST CSF remains static over time
- D. NERC CIP requires third-party audits, while NIST CSF uses self-assessment only
Correct answer: A - NERC CIP is mandatory for electric utilities, while NIST CSF is voluntary
Question 10
An ICS incident response scenario: malware is detected on an HMI controlling a chemical reactor. The process is in a critical phase. The responder should:
- A. Immediately disconnect the HMI from the network regardless of consequences
- B. First ensure the operator can safely control the reactor, then contain the compromised HMI
- C. Wait until the chemical process completes before responding to the malware
- D. Shut down the entire plant immediately to prevent malware spread
Correct answer: B - First ensure the operator can safely control the reactor, then contain the compromised HMI