Exercises: Securing Operational Technology
These exercises move from vocabulary to design judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.
A standing rule for this chapter: everything here is paper or your own sandbox. Never apply any of these techniques to a real OT network you do not own and are not explicitly authorized to assess — active probing of control systems can be a safety incident, not just a policy violation.
Part A — OT vocabulary and priorities ⭐
1.† In one sentence each, define operational technology (OT), industrial control system (ICS), SCADA, and PLC, then write a single sentence that uses all four correctly to describe a water utility.
2. State the OT priority ordering (safety / availability / integrity / confidentiality) and, for each of the four, give a one-line example of a failure of that property in a chemical plant.
3. Match each component to its role: PLC, RTU, HMI, SCADA, SIS, historian. (a) records every sensor reading over time; (b) the operator's screen; (c) the independent controller that forces a safe shutdown; (d) the controller at an unstaffed remote site; (e) the ruggedized real-time controller inside a plant; (f) the system that centralizes monitoring of many distributed controllers.
4.† Explain why confidentiality sits last in the OT priority ordering, and give one example of OT data whose disclosure genuinely would matter (so that "last" does not mean "irrelevant").
5. A new colleague says, "OT is just IT with older hardware — we'll patch it and run EDR like everything else." Identify three specific assumptions in that statement that are wrong, and correct each.
6. Define critical infrastructure in your own words and name four of the sixteen U.S. sectors. For one of them, describe a single OT failure that would have public-safety consequences.
Part B — Map to Purdue ⭐⭐
7.† Place each asset at its Purdue level (0, 1, 2, 3, 3.5, 4, or 5) and state its security domain (OT, IDMZ, or IT): (a) a pressure sensor; (b) a corporate email server; (c) a data historian; (d) an HMI in the control room; (e) a remote-access jump host that a vendor uses to reach the OT network; (f) a PLC; (g) the plant scheduling/ERP system; (h) a replica of the historian that business analysts query.
8. Two assets both "need to exchange data with the historian." One is the plant SCADA server; the other is a corporate business-intelligence dashboard. Using the Purdue model, explain why these two legitimate needs are satisfied completely differently, and draw (in words or ASCII) the data path for each.
9.† The Purdue model says levels 4–5 and 0–3 must never communicate directly. A facilities engineer objects: "But the vendor has to log into the SCADA server to service it — that's a Level-5 person reaching Level 3." Resolve the objection without violating the rule. What sits in between, and what does it do?
10. Your passive sensor reports a flow from a Level-2 HMI to a Level-1 PLC. Is this a boundary violation? Now it reports a flow from a Level-4 file server to a Level-2 HMI. Is that a boundary violation? Explain the difference using the IT/OT domain line.
11. ⭐⭐⭐ Sketch a Purdue-model diagram (levels 0–5 plus the IDMZ) for a small drinking-water utility with: turbidity and chlorine sensors, dosing-pump actuators, two PLCs, three RTUs at remote pumping stations, a control-room HMI, a SCADA server with a historian, and corporate billing in the cloud. Label where you would place a passive monitoring sensor and why.
Part C — Why you can't just patch (analyze the constraint) ⭐⭐
12.† A critical PLC has a published, unpatched vulnerability and the vendor will not ship a fix for a year. List four compensating controls, ordered by leverage, and justify the ordering. For each, state what risk it reduces and what residual risk remains.
13. For each IT reflex, name the OT constraint that breaks it and the OT-appropriate alternative: (a) "patch within 30 days of release"; (b) "run an authenticated vulnerability scan weekly"; (c) "deploy the EDR agent to every host"; (d) "enforce MFA and rotate every credential quarterly."
14. An HMI is running an end-of-life operating system with several known critical vulnerabilities. The engineers refuse to let you patch or replace it because it was validated with the process and any change risks an outage. Write a three-bullet risk-acceptance note for management that (a) states the residual risk honestly, (b) lists the compensating controls you will apply, and (c) names the condition under which the decision should be revisited.
15.† Explain what a safety instrumented system (SIS) is and why it is simultaneously (a) the reason a control-system compromise need not become a physical catastrophe and (b) the single highest-value target in the environment. What is the one segmentation rule you would never relax for it?
Part D — Monitoring OT passively / analyze this ⭐⭐
16.† You are handed this (illustrative) excerpt from a passive OT sensor's alert log. Times are UTC; addresses are documentation ranges. The IDMZ boundary is between the OT domain (10.50.0.0/16, Levels 0–3) and the IT domain (10.20.0.0/16, Levels 4–5).
03:11:00 flow src=10.50.3.10 (L3 scada) dst=10.50.1.5 (L1 plc) proto=modbus verdict=baseline
03:11:30 flow src=10.50.2.7 (L2 hmi) dst=10.50.1.5 (L1 plc) proto=modbus verdict=baseline
03:12:08 flow src=10.20.9.40 (L4 biz) dst=10.50.3.10 (L3 scada) proto=smb verdict=NEW
03:12:09 write src=10.20.9.40 (L4 biz) dst=10.50.1.5 (L1 plc) proto=modbus verdict=NEW
(a) Which two lines are alarming and why? (b) What is the most likely real-world scenario behind them? (c) Which single field — not the protocol — is the strongest indicator? (d) Name the control that should have prevented the 03:12:08 flow from being possible at all.
17. Why can a true network tap never crash a PLC? Explain the physical/electrical reason, and why that property makes passive observation the default OT discovery method while active scanning is forbidden.
18.† OT networks are described as "gloriously predictable," which is a liability for patching but a gift for detection. Explain both halves of that statement, and describe how the predictability changes the way you handle a first-occurrence alert compared with an IT SOC.
19. A colleague proposes tuning the OT monitoring to suppress the recurring alert "engineering workstation downloaded a program to PLC-7," because "it happens during every maintenance window and it's noise." Argue against reflexively suppressing it. What would you do instead to keep the signal while reducing the toil?
20. Write a one-sentence detection rule (in plain English) for each of these OT threats, framed around a Purdue boundary or baseline deviation: (a) ransomware spreading from IT into OT; (b) an attacker reprogramming a controller; (c) a new, unknown device appearing on the control network; (d) any interaction with the safety instrumented system.
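The four rules in exercise 20 and the boundary check in exercises 10 and 16 can be written down as code, which is a useful way to test whether your plain-English rule actually says what you think it says. The Python below is an added example, not part of the chapter: it parses alert lines in the same shape as the illustrative log in exercise 16, labels each address as OT or IT by the address ranges that exercise gives (10.50.0.0/16 and 10.20.0.0/16), and applies one check per rule. The asset inventory, the SIS address, the engineering-host address and the last two log lines are constructed for this example and are not from the chapter.

```python
import ipaddress
import re

# Constructed sample lines in the same shape as the exercise's illustrative log.
# The first four are the exercise's lines; the last two are added here so that
# the "new device" and "SIS interaction" rules from exercise 20 have something to fire on.
SAMPLE_LOG = """\
03:11:00 flow src=10.50.3.10 (L3 scada) dst=10.50.1.5 (L1 plc) proto=modbus verdict=baseline
03:11:30 flow src=10.50.2.7 (L2 hmi) dst=10.50.1.5 (L1 plc) proto=modbus verdict=baseline
03:12:08 flow src=10.20.9.40 (L4 biz) dst=10.50.3.10 (L3 scada) proto=smb verdict=NEW
03:12:09 write src=10.20.9.40 (L4 biz) dst=10.50.1.5 (L1 plc) proto=modbus verdict=NEW
03:13:40 flow src=10.50.2.99 (L2 unknown) dst=10.50.1.5 (L1 plc) proto=modbus verdict=NEW
03:14:02 flow src=10.50.2.7 (L2 hmi) dst=10.50.0.9 (L1 sis) proto=modbus verdict=NEW
"""

OT_NET = ipaddress.ip_network("10.50.0.0/16")  # OT domain, Levels 0-3 (from exercise 16)
IT_NET = ipaddress.ip_network("10.20.0.0/16")  # IT domain, Levels 4-5 (from exercise 16)

# Hypothetical OT asset inventory, constructed for this example.
KNOWN_OT_ASSETS = {"10.50.3.10", "10.50.2.7", "10.50.1.5", "10.50.2.20", "10.50.0.9"}
SIS_HOSTS = {"10.50.0.9"}           # safety controllers: any traffic to them is an alert
ENGINEERING_HOSTS = {"10.50.2.20"}  # the only hosts allowed to write to or program controllers
CONTROLLER_ROLES = {"plc", "rtu", "sis"}
WRITE_EVENTS = {"write", "download"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) "
    r"src=(?P<src>\S+) \((?P<slvl>L[\d.]+) (?P<srole>\w+)\) "
    r"dst=(?P<dst>\S+) \((?P<dlvl>L[\d.]+) (?P<drole>\w+)\) "
    r"proto=(?P<proto>\w+) verdict=(?P<verdict>\w+)$"
)


def parse_line(line):
    """Parse one alert line into a dict of fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain(ip_text):
    """Map an address to its security domain using the Purdue-domain address ranges."""
    ip = ipaddress.ip_address(ip_text)
    if ip in OT_NET:
        return "OT"
    if ip in IT_NET:
        return "IT"
    return "unknown"


def evaluate(rec):
    """Apply the exercise-20 rules to one parsed record; return the names of the rules it trips."""
    hits = []
    src_dom, dst_dom = domain(rec["src"]), domain(rec["dst"])
    # (a) Any flow from the IT domain into the OT domain bypasses the IDMZ broker.
    if src_dom == "IT" and dst_dom == "OT":
        hits.append("it_to_ot_crossing")
    # (b) A write or program download to a controller from anything but an engineering host.
    if (rec["event"] in WRITE_EVENTS and rec["drole"] in CONTROLLER_ROLES
            and rec["src"] not in ENGINEERING_HOSTS):
        hits.append("controller_write_from_unexpected_host")
    # (c) An OT-domain address that is not in the asset inventory.
    for ip in (rec["src"], rec["dst"]):
        if domain(ip) == "OT" and ip not in KNOWN_OT_ASSETS:
            hits.append("unknown_device_on_control_network")
            break
    # (d) Any interaction with the safety instrumented system, by address or by labelled role.
    if rec["dst"] in SIS_HOSTS or rec["drole"] == "sis":
        hits.append("sis_interaction")
    return hits


def analyze(log_text):
    """Return {timestamp: [rule names]} for every line that trips at least one rule."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = evaluate(rec)
        if hits:
            findings[rec["ts"]] = hits
    return findings


if __name__ == "__main__":
    for ts, hits in analyze(SAMPLE_LOG).items():
        print(ts, ", ".join(hits))
```

Note that the two baseline lines from the exercise trip nothing, both 03:12 lines trip the boundary rule, and the 03:12:09 write additionally trips the controller-write rule because the source is not an engineering host; this is the "predictable network" property from exercise 18 doing the work, since every rule is phrased as a deviation from an explicit allow-list rather than a signature.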
Part E — Find the IT/OT bridge ⭐⭐–⭐⭐⭐
21.† Find the bridges. During an OT assessment you collect the following list of remote-access and connectivity paths into a manufacturing plant. Identify every path that is (or could be) an unmanaged IT/OT bridge, explain the risk of each, and propose how to bring each into the IDMZ-brokered model.
- (a) A vendor support account that connects from the internet directly to the SCADA server.
- (b) A historian that pushes data up to an IDMZ replica, which the corporate BI tool reads.
- (c) An engineering laptop that is used both on the corporate WiFi and physically plugged into the control network.
- (d) A cellular modem on an RTU at a remote station, with a default password, reachable from the internet.
- (e) A jump host in the IDMZ requiring MFA, through which all approved remote sessions pass.
- (f) A "temporary" firewall rule, added two years ago, permitting the corporate patch server to reach every host in the OT network on any port.
22. Re-examine the Colonial Pipeline incident from the OT defender's seat. The malware reached only IT, yet the pipeline stopped. Explain, in terms of the IT/OT boundary, (a) why the operators could not simply keep running the pipeline, and (b) what boundary property an organization needs in order to have the option to keep a process running safely when its IT is compromised.
23. ⭐⭐⭐ Design it. You inherit a water utility whose SCADA network shares a flat subnet with the corporate network — no IDMZ, no segmentation, vendor laptops plugging in anywhere, "we thought we were air-gapped." Write a prioritized 90-day remediation plan (5–7 steps) that improves the situation without risking the process. Justify the order. What do you do first, and why is it almost certainly "deploy passive monitoring," not "patch everything"?
Part F — Analyze an OT incident ⭐⭐–⭐⭐⭐
24.† For each real incident, state in one or two sentences (at public-fact level) the path the attacker took and the single defensive lesson the OT community drew from it: (a) Stuxnet; (b) the Ukraine power-grid attacks (2015/2016); (c) Triton/Trisis; (d) Colonial Pipeline.
25. Stuxnet compromised an air-gapped facility. Define air gap, explain why the air gap did not prevent the attack, and write a two-sentence policy statement that captures the correct defensive posture toward air gaps (neither "useless" nor "magic").
26. Triton targeted the safety instrumented system. Explain why an attack on the SIS is categorically more dangerous than an attack on the normal control system, and what it implies for how you segment and monitor safety controllers.
27. ⭐⭐⭐ Pick any one of the four incidents and write a one-page "what we would have done differently" memo as the target organization's OT defender, using only this chapter's controls (Purdue segmentation, IDMZ, passive monitoring, compensating controls, SIS isolation, IT hygiene at the boundary). Be specific about which control breaks which step of the attack.
Part G — CTF-style challenge ⭐⭐⭐
28.† The confident air gap. A plant manager hands you a one-paragraph security statement to sign off on: "Our control network is fully air-gapped from the internet and the corporate network, so it requires no patching, no monitoring, and no additional controls. Vendors service equipment on site with their own laptops, and engineers move files in with USB drives as needed. We have never had an incident." Identify every flawed assumption in this paragraph, rewrite it into a defensible posture, and name the real incident that most directly refutes its central claim.
Part H — Interleaved & forward-looking ⭐⭐
29. (Interleaved with Chapter 6.) The IDMZ is "the network DMZ, with the stakes raised." Compare the two: what does each keep away from what, and why is a direction-based detection (an IT→OT crossing) higher-fidelity in OT than the equivalent would typically be in a busy IT DMZ?
30. (Interleaved with Chapter 11.) Patch management is a non-negotiable hygiene control in IT and frequently impossible in OT. Reconcile these two facts: what is the shared underlying goal of patching and of OT compensating controls, and why do the two worlds pursue it so differently?
31. (Interleaved with Chapter 14.) You met default credentials and device segmentation as IoT problems. Explain how each reappears, aged and amplified, in OT — and why the OT version is often harder to fix than the IoT version.
32. ⭐⭐⭐ Open reflection. This chapter argues that "the boundary between IT and OT is where critical-infrastructure incidents are won or lost," and Chapter 1 argued that "attackers need to be right once; defenders need to be right every time." Write half a page connecting the two claims: how does the offense/defense asymmetry look different — better or worse for the defender — at the IT/OT boundary specifically?
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, an instructor, or an OT engineer who will tell you where the textbook meets reality.