ISA ISA-IEC-62443 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Practice Test

 Layer 2 of the OSI model is the data link layer, which is responsible for transferring data frames between nodes on a network segment. The data link layer is divided into two sublayers: logical link control (LLC) and media access control (MAC). The LLC sublayer deals with issues common to both dedicated and broadcast links, such as framing, flow control, and error control. The MAC sublayer deals with issues specific to broadcast links, such as how to access the shared medium and avoid collisions. The LLC and MAC sublayers are not related to the ISA/IEC 62443 cybersecurity standards, which focus on the security of industrial automation and control systems (IACS). References:https://www.baeldung.com/cs/data-link-sub-layers

https://bing.com/search?q=Layer+2+sublayers

 Safety management staff are stakeholders of the CSMS, which stands for Cybersecurity Management System. The CSMS is a framework for managing the cybersecurity of industrial automation and control systems (IACS) based on the ISA/IEC 62443-2-1 standard1. The CSMS defines the objectives, policies, metrics, and governance for the overall ICS security program2. The CSMS also includes the processes for risk assessment, security design, implementation, monitoring, and improvement3. Safety management staff are involved in the CSMS development and implementation, as they are responsible for ensuring the safety of the IACS and the people, environment, and assets that depend on it. Safety management staff need to coordinate with the security management staff to align the safety and security requirements, identify and mitigate the safety risks arising from cyber threats, and monitor and respond to safety incidents caused by cyberattacks. References:

• 1: ISA/IEC 62443-2-1: Establishing an Industrial Automation and Control Systems Security Program, ISA, 2010.
• 2: A Practical Approach to Adopting the IEC 62443 Standards - ISAGCA
• 3: ISA ISA-IEC-62443 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Online Training - Exam4Training
• [4]: Using the ISA/IEC 62443 Standards to Secure Your Control System, ISA, 2018.

A Process Hazard Analysis (PHA) is a systematic method of identifying and evaluating the potential hazards associated with an industrial process. A PHA can help to identify the sources of cyber threats, the consequences of cyber incidents, and the existing safeguards and mitigation measures. A PHA is most frequently used as an input to a security risk assessment because it provides a comprehensive and structured overview of the process and its risks, which can then be used to determine the security level targets and security countermeasures for the industrial automation and control system (IACS). A PHA can also help to align the security objectives with the safety objectives of the process, and to ensure that the security measures do not compromise the safety or operability of the process. References:

• ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 10
• Using the ISA/IEC 62443 Standard to Secure Your Control System, page 17

Asymmetric (public) key algorithms are a type of cryptographic algorithms that require more than one key. Asymmetric key algorithms use a pair of keys, one for encryption and one for decryption, that are mathematically related but not identical1. The encryption key is usually made public, while the decryption key is kept private. This allows anyone to encrypt a message using the public key, but only the intendedrecipient can decrypt it using the private key1. Asymmetric key algorithms are also known as public key algorithms or public key cryptography1. Asymmetric key algorithms are used for various purposes, such as digital signatures, key exchange, and encryption2. Some examples of asymmetric key algorithms are RSA, Diffie-Hellman, ElGamal, and Elliptic Curve Cryptography2.

References: Asymmetric Algorithm or Public Key Cryptography - IBM, Cryptography 101: Key Principles, Major Types, Use Cases & Algorithms | Splunk.

Patches are software updates that fix bugs, vulnerabilities, or improve performance or functionality. Patches are important for maintaining the security and reliability of an IACS environment, but they also pose some challenges and risks. Applying patches in an IACS environment is not as simple as in an IT environment, because patches may affect the availability, integrity, or safety of the IACS. Therefore, patches should not be applied blindly or automatically, but based on the organization’s risk assessment. The risk assessment should consider the following factors: 1

• The severity and likelihood of the vulnerability that the patch addresses
• The impact of the patch on the IACS functionality and performance
• The compatibility of the patch with the IACS components and configuration
• The availability of a backup or recovery plan in case the patch fails or causes problems
• The testing and validation of the patch before applying it to the production system
• The communication and coordination with the stakeholders involved in the patching process
• The documentation and auditing of the patching activities and results References: ISA TR62443-2-3 - Security for industrial automation and control systems, Part 2-3: Patch management in the IACS environment

Cybersecurity and physical security regulations are intended to provide guidance and requirements for protecting industrial control systems from various threats and risks. However, these regulations may face mixed resistance from different stakeholders for various reasons. One of the reasons is that there are a limited number of enforced cybersecurity and physical security regulations, especially at the international level. This means that some regions or countries may have more stringent or comprehensiveregulations than others, creating inconsistencies and challenges for cross-border cooperation and compliance. Moreover, some regulations may be outdated or not aligned with the current best practices and standards, such as ISA/IEC 62443, which may limit their effectiveness and applicability. Therefore, some organizations may prefer to follow voluntary standards or frameworks, such as ISA/IEC 62443, rather than mandatory regulations, as they may offer more flexibility and adaptability to the specific needs and contexts of each industrial control system. References:

• ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 3
• Using the ISA/IEC 62443 Standard to Secure Your Control System, page 9

 The ISA/IEC 62443 series of standards is organized into four main categories for documents, based on the topics and perspectives that they cover. These categories are: General, Policies and Procedures, System, and Component12.

• General: This category covers topics that are common to the entire series, such as terms, concepts, models, and overview of the standards1. For example, ISA/IEC 62443-1-1 defines the terminology, concepts, and models for industrial automation and control systems (IACS) security3.
• Policies and Procedures: This category focuses on methods and processes associated with IACS security, such as risk assessment, system design, security management, and security program development1. For example, ISA/IEC 62443-2-1 specifies the elements of an IACS security management system, which defines the policies, procedures, and practices to manage the security of IACS4.
• System: This category is about requirements at the system level, such as security levels, security zones, security lifecycle, and technical security requirements1. For example, ISA/IEC 62443-3-3 specifies the system security requirements and security levels for zones and conduits in an IACS5.
• Component: This category provides detailed requirements for IACS products, such as embedded devices, network devices, software applications, and host devices1. For example, ISA/IEC 62443-4-2 specifies the technical security requirements for IACS components, such as identification and authentication, access control, data integrity, and auditability.

The other options are not valid categories for documents in the ISA/IEC 62443 series of standards, as they either do not reflect the structure and scope of the standards, or they mix different aspects of IACS security that are covered by different categories. For example, end-user, integrator, vendor, and regulator are not categories for documents, but rather roles or stakeholders that are involved in IACS security. Assessment, mitigation, documentation, and maintenance are not categories for documents, but rather activities or phases that are part of the IACS security lifecycle. People, processes, technology, and training are not categories for documents, but rather elements or dimensions that are essential for IACS security.

References:

• ISA/IEC 62443 Series of Standards - ISA1
• IEC 62443 - Wikipedia2
• ISA/IEC 62443-1-1: Concepts and models3
• ISA/IEC 62443-2-1: Security management system4
• ISA/IEC 62443-3-3: System security requirements and security levels5
• ISA/IEC 62443-4-2: Technical security requirements for IACS components

A Wide Area Network (WAN) is a communications system that covers a large geographic area, such as a city, a country, or even several countries or continents1. WANs are often used to connect local area networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations2. WANs use various communication infrastructures, such as public telephone lines, undersea cables, and communication satellites, to transmit data over long distances1. WANs are typically established with leased telecommunication circuits or less costly circuit switching or packet switching methods2. WANs are often built by Internet service providers, who provide connections from an organization’s LAN to the Internet2. The Internet itself may be considered a WAN2. References: Hardware and network technologies - CCEA LAN and WAN - BBC, Wide area network - Wikipedia.

IT systems and IACS have different security priorities, requirements, and challenges. According to the ISA/IEC 62443 standards, the security priority for IT systems is confidentiality, which means protecting the data from unauthorized access or disclosure. The security priority for IACS is integrity, which means ensuring the accuracy and consistency of the data and the functionality of the system. A loss of integrity in an IACS can have severe consequences, such as physical damage, environmental harm, or human injury. Therefore, IACS cybersecurity must address safety issues, which are not typically considered in IT security. Safety is the ability of the system to prevent or mitigate hazardous events that can cause harm to people, property, or the environment. The ISA/IEC 62443 standards provide guidance and best practices for ensuring the safety and security of IACS, as well as the availability and reliability of the system. Availability is the ability of the system to perform its intended function when required, and reliability is the ability of the system to perform its intended function without failure. These properties are also important for IT systems, but they may have different trade-offs and implications for IACS. For example, an IACS may have stricter performance and availability requirements than an IT system, as a delay or disruption in the IACS operation can affect the industrial process and its outcomes. Additionally, an IACS may have longer equipment lifetimes and less frequent maintenance windows than an IT system, which can make patching and updating more difficult and risky. Furthermore, an IACS may use different technologies and architectures than an IT system, such as legacy devices, proprietary protocols, or specialized hardware. These factors can create compatibility and interoperability issues, as well as increase the attack surface and complexity of the IACS. Therefore, IT security solutions and practices may not be sufficient or suitable for IACS, and they may need to be adapted or supplemented by IACS-specific security measures. The ISA/IEC 62443 standards address these differences and provide a comprehensive framework for securing IACS throughout their lifecycle.

References: 1: Security of Industrial Automation and Control Systems - ISAGCA 2: ISA/IEC 62443 Series of Standards - ISA 3: ISA/IEC 62443 Series of Standards | ISAGCA 4: Securing IACS based on ISA/IEC 62443 – Part 1: The Big Picture

• The key differences between IT (Information Technology) systems and IACS (Industrial Automation and Control Systems) are centered on their primary security objectives and operational requirements:
• Option A: The IACS security priority is integrity. This is crucial because any unauthorized modification of data or commands can lead to severe operational disruptions and safety hazards.
• Option C: IACS cybersecurity must address safety issues. Safety is a primary concern in IACS environments where process disruptions or malfunctions can result in harm to human operators or damage to equipment. The primary security priority in traditional IT systems is often confidentiality, not availability as stated in Option B, and routers are commonly used in IACS networks, contrary to Option D.

A Process Hazard Analysis (PHA) is a systematic and structured method of identifying and evaluating the potential hazards and risks associated with an industrial process. A PHA can help to identify the possible causes and consequences of undesired events, such as equipment failures, human errors, cyberattacks, natural disasters, etc. A PHA can also provide recommendations for reducing the likelihood and severity of such events, as well as improving the safety and security of the process. A PHA is one of the most frequently used analysis methods as an input to a security risk assessment, as it can help to identify the assets, threats, vulnerabilities, and impacts related to the process, and provide a basis for determining the security risk level and the appropriate security countermeasures. A PHA is also a requirement of the ISA/IEC 62443 standard, as part of the security program development and implementation phase12. References: 1: ISA/IEC 62443-2-1: Security for industrial automation and control systems: Establishing an industrial automation and control systems security program 2: ISA/IEC 62443-3-2: Security for industrial automation and control systems: Security risk assessment for system design

According to the ISA/IEC 62443 standards, the level of risk an organization is willing to tolerate is determined by the management, as they are responsible for defining the business and risk objectives, as well as the security policies and procedures for the organization. The management also has the authority to allocate the necessary resources and assign the roles and responsibilities for implementing and maintaining the security program. The legal, operations, and safety departments may provide input and feedback to the management, but they do not have the final say in determining the risk tolerance level. References: ISA/IEC 62443-2-1:2010 - Establishing an industrial automation and control systems security program, section 4.2.1.

PROFINET is the implementation of PROFIBUS over Ethernet for non-safety-related communications. It is a standard for industrial Ethernet that enables real-time data exchange between automation devices, controllers, and higher-level systems. PROFINET uses standard Ethernet hardware and software, but adds a thin software layer that allows deterministic and fast communication. PROFINET supports different communication profiles for different applications, such as motion control, process automation, and functional safety. PROFINET is compatible with PROFIBUS, and allows seamless integration of existing PROFIBUS devices and networks123

References: 1: What is PROFINET? - PI North America 2: PROFINET - Wikipedia 3: PROFINET Technology and Application - System Description

 Layer 1 of the ISO/OSI protocol stack is the physical layer, which provides the means of transmitting and receiving raw data bits over a physical medium. It defines the electrical and physical specifications of the data connection, such as the voltage levels, signal timing, cable types, connectors, and pin assignments. It does not perform any data encryption, routing, end-to-end connectivity, framing, error checking, or user applications. These functions are performed by higher layers of the protocol stack, such as the data link layer, the network layer, the transport layer, and the application layer. References: ISO/IEC 7498-1:1994, Section 6.11; ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 3.1.12

The “Addressing Risk” CSMS category consists of three element groups: Security Policy, Organization and Awareness; Selected Security Countermeasures; and Implementation of Security Program1. These element groups cover the aspects of defining the security objectives, roles and responsibilities, policies and procedures, awareness and training, security countermeasures selection and implementation, and security program execution and maintenance1. The “Addressing Risk” CSMS category aims to reduce the security risk to an acceptable level by applying appropriate security measures to the system under consideration (SuC)1. References: 1: ISA/IEC 62443-2-1: Security for industrial automation and control systems: Establishing an industrial automation and control systems security program

 According to the ISA/IEC 62443-2-4 standard, a training and security awareness program should include all personnel who have access to the industrial automation and control system (IACS) or who are involved in its operation, maintenance, or management. This includes vendors and suppliers, employees, temporary staff, contractors, and visitors. The purpose of the program is to ensure that all personnel are aware of the security risks and policies related to the IACS, and that they have the necessary skills and knowledge to perform their roles in a secure manner. The program should also cover the roles and responsibilities of different personnel, the reportingprocedures for security incidents, and the best practices for security hygiene. References:

• ISA/IEC 62443-2-4:2015 - Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers1
• ISA/IEC 62443 Cybersecurity Fundamentals Specialist Training Course2

According to the OSI model, the physical address is assigned in the layer 2, also known as the data link layer. The physical address is a unique identifier for each device on a network, such as a MAC address or a serial number. The data link layer is responsible for transferring data between adjacent nodes on a network, using the physical address to identify the source and destination of each frame. The data link layer also provides error detection and correction, flow control, and media access control. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Prep, section 2.2; ISA/IEC 62443 Standards to Secure Your Industrial Control System, section 3.1.2.

An asymmetric key is a feature of asymmetric cryptography, also known as public-key cryptography, which is a method of encrypting and decrypting data using two different keys: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret by the owner. The public key and the private key aremathematically related, but it is computationally infeasible to derive one from the other. Asymmetric cryptography can be used for various purposes, such as digital signatures, key exchange, and encryption. For example, if Alice wants to send a message to Bob, she can use Bob’s public key to encrypt the message, and only Bob can decrypt it using his private key. Alternatively, if Bob wants to prove that he is the author of a message, he can use his private key to sign the message, and anyone can verify it using his public key. Asymmetric cryptography has some advantages over symmetric cryptography, which uses the same key for both encryption and decryption. For instance, asymmetric cryptography does not require a secure channel to distribute the keys, and it can provide non-repudiation and authentication. However, asymmetric cryptography also has some drawbacks, such as higher computational complexity, larger key sizes, and higher network overhead.

References:

• ISA/IEC 62443-3-3:2018, Section 4.2.3.6.1, Cryptography1
• ISA/IEC 62443-4-2:2019, Section 4.2.3.6.1, Cryptography
• ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 5.3.1, Cryptography
• ISA/IEC 62443 Cybersecurity Fundamentals Specialist Exam Specification, Section 5.3.1, Cryptography

In ANSI/ISA-99.00.01:2007, which is part of the ISA/IEC 62443 standards, electronic security encompasses both the technical and human aspects of cybersecurity within industrial automated and control systems (IACS). Option B correctly highlights components such as computers, networks, operating systems, applications, and other programmable configurable components which are intrinsic to the system's electronic security framework. Option C is also correct as it includes the personnel, policies, andprocedures which play a crucial role in securing these systems. This emphasizes that security is not only about the technological solutions but also about managing human elements and organizational processes effectively.ISA/IEC 62443 Cybersecurity Fundamentals References:

• ISA/IEC 62443 standards focus on the holistic nature of security which is clearly supported by including both the technological (Option B) and human elements (Option C) in the definition of electronic security.

A security policy refers to internal rules that govern how an organization protects critical system resources, such as industrial control systems (ICS). A security policy defines the objectives, scope, roles, responsibilities, and requirements for securing the ICS environment, as well as the procedures and guidelines for implementing, monitoring, and enforcing the security measures. A security policy also establishes the baseline for assessing and managing the security risks to the ICS, and for ensuring compliance with relevant standards, regulations, and best practices. A security policy is a key component of the ICS security program, and it should be documented, communicated, and reviewed regularly.

The other choices are not correct because:

• A. Formal guidance. Formal guidance refers to external sources of information and recommendations that can help an organization improve its ICS security posture, such as standards, frameworks, guidelines, and best practices. Formal guidance is not an internal rule, but rather a reference that can be used to develop, implement, and evaluate the security policy and controls. For example, the ISA/IEC 62443 series of standards provide formal guidance on how to secure ICS from cyber threats1.
• B. Legislation. Legislation refers to external laws and regulations that impose legal obligations and penalties on an organization for its ICS security performance, such as the NERC CIP standards for the electric sector2, or the EU NIS Directive for critical infrastructure operators3. Legislation is not an internal rule, but rather a compliance requirement that must be met by the organization. Legislation may also influence the security policy and controls, as the organization needs to align its security objectives and practices with the legal expectations and consequences.
• D. Code of conduct. A code of conduct refers to a set of ethical principles and values that guide the behavior and decision-making of an organization and its employees, such as honesty, integrity, respect, and accountability. A code of conduct is not an internal rule for protecting critical system resources, but rather a general norm for conducting business and maintaining a positive reputation. A code of conduct may also support the security policy and culture, as it can foster a sense of responsibility and trust among the ICS stakeholders.

References:

• 1: ISA/IEC 62443 Standards to Secure Your Industrial Control System
• 2: NERC Critical Infrastructure Protection Standards
• 3: EU Network and Information Systems Directive

Datagram Transport Layer Security (DTLS) and Secure Sockets Layer (SSL) are both commonly used protocols for managing secure data transmission on the Internet. DTLS is a variant of SSL that is designed to work over datagram protocols such as UDP, which are used for real-time applications such as voice and video. SSL is a protocol that provides encryption, authentication, and integrity for data transmitted over TCP, which is used for reliable and ordered delivery of data. Both DTLS and SSL use certificates and asymmetric cryptography to establish a secure session between the communicating parties, and then use symmetric cryptography to encrypt the data exchanged. DTLS and SSL are widely used in web browsers, email clients, VPNs, and other applications that require secure communication over the Internet. References:

• ISA/IEC 62443 Standards to Secure Your Industrial Control System, Module 3: Introduction to Cryptography, pages 3-5 to 3-7
• Using the ISA/IEC 62443 Standards to Secure Your Control System, Chapter 6: Securing Communications, pages 125-126

At layer 4 of the OSI model, also known as the transport layer, the application that will handle a packet inside a host is identified by a TCP/UDP port number. A port number is a 16-bit integer that is assigned to a specific application or service that runs on a host. Port numbers are used to multiplex and demultiplex the data streams that are exchanged between hosts and end systems. Multiplexing is the process of combining multiple data streams into one, while demultiplexing is the process of separating one data stream into multiple ones. Port numbers are part of the header of the transport layer protocol data unit (PDU), which is called a segment for TCP and a datagram for UDP. The header contains the source port number and the destination port number, which indicate the applications that are involved in the communication. For example, if a host sends a packet to another host using the HTTP protocol, which runs on port 80 by default, the source port number would be a random number chosen by the sender, and the destination port number would be 80. The receiver would then use the destination port number to demultiplex the packet and deliver it to the HTTP application.

Port numbers are divided into three ranges: well-known ports (0-1023), registered ports (1024-49151), and dynamic or private ports (49152-65535). Well-known ports are reserved for common and standardized applications and services, such as HTTP (80), FTP (21), and SSH (22). Registered ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific applications and services that request them, such as Skype (49175) and Minecraft (25565). Dynamic or private ports are not assigned by any authority and can be used by any application or service that needs them, such as ephemeral ports that are used for temporary connections.

The other options are not valid identifiers for the application that will handle a packet inside a host at layer 4 of the OSI model. A TCP/UDP application ID is not a term that is used in the OSI model or the TCP/IP model. A TCP/UDP host ID is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 3, which is the network layer, where the host is identified by an IP address. A TCP/UDP registry number is not a term that is used in the OSI model or the TCP/IP model, and it would be more appropriate for layer 5, which is the session layer, where the registry number is used to identify a session between two hosts.

References:

• Transport Layer | Layer 4 | The OSI-Model1
• OSI model - Wikipedia2
• What is Layer 4 of the OSI Model? | Glossary | A10 Networks3
• What Are the 7 Layers of the OSI Model? | Webopedia4

One of the trends that has increased the security risks for industrial automation and control systems (IACS) is the integration of these systems with business and enterprise systems, such asenterprise resource planning (ERP), manufacturing execution systems (MES), and supervisory control and data acquisition (SCADA). This integration exposes the IACS to the same threats and vulnerabilities that affect the business and enterprise systems, such as malware, denial-of-service attacks, unauthorized access, and data theft. Moreover, the integration also creates new attack vectors and pathways for adversaries to compromise the IACS, such as through remote access, wireless networks, or third-party devices. Therefore, the integration of IACS with business and enterprise systems is a trend that has caused a significant percentage of security vulnerabilities. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 1-2.

The ISASecure certification program, aligned with the ISA/IEC 62443 standards, defines three distinct security levels that categorize the robustness of industrial control systems against known cybersecurity threats. These levels are designed to provide a scalable approach to securing industrial automation and control systems, with each level offering a higher degree of security. The levels are typically identified as SL1 (Security Level 1), SL2 (Security Level 2), and SL3 (Security Level 3), each addressing increasingly stringent security capabilities and resilience against cyber attacks.

According to the ISA/IEC 62443-2-1 standard, a review of the CSMS should be triggered by any changes that affect the cybersecurity risk of the industrial automation and control system (IACS), such as new technical controls, organizational restructuring, or security incidents1. Budgeting is not a trigger for CSMS review, unless it impacts the cybersecurity risk level or the CSMS itself2. References: 1: ISA/IEC 62443-2-1:2010, Section 4.3.3.3 2: A Practical Approach to Adopting the IEC 62443 Standards, ISAGCA Blog3

 OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535. Comprehensive Explanation: OPC Classic is a software interface technology that uses the Distributed Component Object Model (DCOM) protocol to facilitate the transfer of data between different industrial control systems. DCOM is a Microsoft technology that allows applications to communicate across a network. However, DCOM is not designed with security in mind, and it poses several challenges for firewall configuration. One of the main challenges is that DCOM does not use fixed TCP port numbers, but rather negotiates new port numbers within the first open connection. This means that intermediary firewalls can only be used with wide-open rules, leaving a large range of ports open for potential attacks. This makes OPC Classic very “firewall unfriendly” and reduces the security and protection they provide. References:

• Tofino Security OPC Foundation White Paper
• Step 2 (for client or server): Configuring firewall settings - GE
• Secure firewall for OPC Classic - Design World

According to the ISA/IEC 62443-3-2 standard, a security zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements. The primary objective of defining a security zone is to apply a consistent level of protection to the assets within the zone, based on their criticality and risk assessment. A security zone may contain assets from different vendors, different levels in the Purdue model, or different physical locations, as long as they have the same security requirements. A security zone may also be subdivided into subzones, if there are different security requirements within the zone. A conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements.

References:

• ISA/IEC 62443-3-2:2020, Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design, Clause 4.3.21
• ISA/IEC 62443-1-1:2009, Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models, Clause 3.2.42