Quiz: Securing Operational Technology

A 26-question self-check covering OT priorities, ICS/SCADA components, the Purdue model, OT-appropriate controls, passive monitoring, and the lessons of real incidents. Questions tagged [Sec+] map to CompTIA Security+ objectives and [CISSP] to (ISC)² CISSP domains. Answers and one-line explanations are at the end — attempt the whole quiz first.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] In operational technology, the property that sits above the entire CIA triad is:
   A. confidentiality
   B. safety
   C. non-repudiation
   D. accountability

2. Which OT component is a ruggedized controller that reads sensors, runs real-time logic, and drives actuators on a deterministic cycle?
   A. HMI
   B. SCADA server
   C. PLC
   D. historian

3. [Sec+] The graphical screen and computer an operator uses to watch and command a process is the:
   A. RTU
   B. HMI
   C. PLC
   D. SIS

4. In the Purdue model, the industrial demilitarized zone (IDMZ) sits at level:
   A. 0
   B. 2
   C. 3.5
   D. 5

5. [CISSP] The defensive heart of the Purdue model is the rule that:
   A. PLCs must run antivirus
   B. the IT domain (4–5) and OT domain (0–3) never communicate directly
   C. all OT traffic must be encrypted
   D. operators must use MFA on every HMI

6. The primary reason "reachability equals control" on an OT network is that most industrial protocols:
   A. are encrypted
   B. do not authenticate commands
   C. use TCP
   D. run only over serial links

7. [Sec+] Active vulnerability scanning is generally prohibited on OT networks because it can:
   A. reveal too much
   B. violate GDPR
   C. crash fragile controllers and disrupt the physical process
   D. exhaust the SIEM license

8. A network tap is the default OT monitoring method because it:
   A. encrypts traffic
   B. only copies traffic and cannot transmit, so it cannot disturb a controller
   C. blocks malicious packets
   D. authenticates devices

9. [CISSP] An independent control system whose sole job is to force a process to a safe state when conditions become dangerous is a:
   A. PLC
   B. SCADA master
   C. safety instrumented system (SIS)
   D. historian

10. Stuxnet's single most important defensive lesson is that:
   A. firewalls are useless
   B. an air gap is a boundary to monitor and enforce, not a guarantee
   C. PLCs cannot be attacked
   D. antivirus stops nation-states

11. [Sec+] In the Colonial Pipeline incident, the malware directly compromised:
   A. the pipeline's PLCs
   B. the safety instrumented system
   C. the IT/business network only
   D. the field sensors

12. The highest-fidelity alert to build in an OT environment is:
   A. a CPU-usage threshold
   B. any direct IT→OT boundary crossing
   C. a failed-login counter
   D. a disk-space warning

13. [CISSP] Compared with patching in IT, patching in OT is frequently impossible because:
   A. OT staff are lazy
   B. there may be no vendor fix, no outage window, and no validation for the patch
   C. OT has no vulnerabilities
   D. patches are illegal in OT

14. The Triton/Trisis malware was notable because it targeted:
   A. a corporate email server
   B. the safety instrumented system itself
   C. a cloud database
   D. an ATM network


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "Because OT data is rarely sensitive, an OT environment needs no security."

16. [Sec+] "An air-gapped control network cannot be compromised."

17. "Rebooting an HMI to apply a patch is as low-risk as rebooting an office laptop."

18. "In OT, availability can be more important than confidentiality."

19. [CISSP] "A safety instrumented system should be one of the least isolated systems so engineers can reach it quickly."


Section 3 — Fill in the blank (1 pt each)

20. The reference architecture that organizes an industrial enterprise into levels 0–5 is the __ model.

21. Because most OT protocols do not authenticate commands, __ is the primary control — if a packet can reach a controller, it can likely command it.

22. [Sec+] Detecting threats by observing a copy of network traffic without ever transmitting is called __ OT monitoring.

23. Measures that reduce the risk of a vulnerability you cannot directly remove (e.g., when a PLC cannot be patched) are called __ controls.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why the OT priority ordering (safety → availability → integrity → confidentiality) inverts the usual IT ordering, and give one concrete control decision that changes because of the inversion.

25. The Ukraine grid attacks and Colonial Pipeline are, at root, the same story. State that shared story in one sentence, and name the control category that addresses it.


Section 5 — Applied scenario (5 pts)

26. Meridian's data-center building management system (BMS) is found to have a vendor remote-access account that connects from the internet directly to the Level-3 BMS supervisory server, bypassing the IDMZ. (a) Place the relevant assets in their Purdue levels. (b) Explain precisely why this path is dangerous, referencing the IT/OT boundary rule. (c) Describe the brokered design that should replace it. (d) Name the passive detection that would catch this path being abused, and the single field that would trigger it.


Answer Key

1. **B** — safety sits above the CIA triad in OT.
2. **C** — the PLC runs deterministic real-time control logic.
3. **B** — the HMI is the operator's screen.
4. **C** — the IDMZ is level 3.5.
5. **B** — IT (4–5) and OT (0–3) must never communicate directly; everything is brokered through the IDMZ.
6. **B** — most industrial protocols do not authenticate commands, so reachability equals control.
7. **C** — active scans can crash controllers and disrupt the process.
8. **B** — a true tap only copies traffic and cannot transmit.
9. **C** — the safety instrumented system.
10. **B** — the air gap was crossed (via removable media); it is a boundary to monitor, not a guarantee.
11. **C** — only the IT/business network was directly compromised; the OT was not touched.
12. **B** — an IT→OT boundary crossing is the highest-fidelity OT indicator.
13. **B** — no vendor fix, no outage window, no validation.
14. **B** — the safety instrumented system itself.
15. **F** — OT controls physical processes; a loss of availability or integrity can injure people or damage the environment regardless of data sensitivity.
16. **F** — Stuxnet compromised an air-gapped facility via removable media; air gaps are porous and must be monitored and enforced.
17. **F** — an HMI is load-bearing for operators running a physical process; an unexpected reboot can blind them at a dangerous moment.
18. **T** — in OT, stopping the process can be hazardous or hugely costly, so availability often outranks confidentiality.
19. **F** — the SIS is the last line of physical defense and the highest-value target (cf. Triton), so it must be the *most* isolated system in the environment.
20. Purdue.
21. segmentation.
22. passive.
23. compensating.
24. The inversion happens because OT controls physical processes where a failure can injure people or the environment (safety) and where stopping the process is itself hazardous or extremely costly (availability), whereas a disclosed data point usually causes no direct physical harm (confidentiality last). A concrete consequence: you do *not* actively scan or patch-and-reboot a controller on demand the way you would a server, because the availability/safety cost can exceed the security benefit — you use compensating controls instead.
25. Both began as ordinary IT compromises (phishing/credential theft) that were allowed to cross into OT and affect a physical process; the control category is rigorous IT/OT segmentation with a brokered, monitored boundary (the Purdue model and the IDMZ, backed by passive boundary monitoring).
26. (a) BMS controllers = Level 1; facilities HMI = Level 2; BMS supervisory server = Level 3; the proper jump host = Level 3.5 (IDMZ); corporate internet/email = Level 5.
   (b) It is a direct IT/internet→OT path, which the Purdue model forbids: because OT protocols do not authenticate and the supervisory server can reach the controllers, anyone who compromises that path (or the vendor's credentials) can reach the systems that command the physical environment — and a BMS failure (e.g., disabling cooling) takes the data center offline.
   (c) Replace it with an IDMZ-brokered design: the vendor connects to a Level-3.5 jump host requiring MFA, with session recording, and from there reaches the BMS; no direct internet-to-OT route exists, and historian data flows OT→IDMZ replica only.
   (d) A passive sensor at the IDMZ boundary with an IT→OT boundary-violation rule; the triggering field is the *direction* of the flow (a Level-4/5 source initiating a connection into the OT domain), independent of protocol.

**Topics to review by question:** missed 1, 15, 18, 24 → §33.1; 2–3 → §33.2; 4–5, 26 → §33.3; 6, 21 → §33.2–33.3; 7, 13, 23, 30(ex.) → §33.4; 8, 12, 17, 19, 22 → §33.4–33.5; 9, 14 → §33.4 + §33.6; 10–11, 25 → §33.6.
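The boundary-violation rule from answers 12 and 26(d), written out as an added example that is not part of the quiz or its source chapter: the subnet-to-Purdue-level map, the addresses and the flow records are constructed assumptions, and the rule keys only on which level initiated a connection and which level it entered, never on port or protocol.

```python
"""Passive IT->OT boundary-violation detector for the question-26 BMS scenario."""
import ipaddress
from dataclasses import dataclass

# Constructed Purdue-level map for the scenario; every range here is an assumption.
PURDUE_LEVELS = {
    ipaddress.ip_network("10.1.0.0/16"): 1,       # BMS controllers
    ipaddress.ip_network("10.2.0.0/16"): 2,       # facilities HMI
    ipaddress.ip_network("10.3.0.0/16"): 3,       # BMS supervisory server
    ipaddress.ip_network("172.16.35.0/24"): 3.5,  # IDMZ: jump host, historian replica
    ipaddress.ip_network("10.4.0.0/16"): 4,       # corporate IT
}
INTERNET_LEVEL = 5  # anything outside the map is treated as internet / enterprise edge


@dataclass
class Flow:
    """One connection record as a passive sensor would log it; src is the initiator."""
    src: str
    dst: str
    dport: int
    proto: str


def purdue_level(ip: str) -> float:
    addr = ipaddress.ip_address(ip)
    for net, level in PURDUE_LEVELS.items():
        if addr in net:
            return level
    return INTERNET_LEVEL


def is_boundary_violation(flow: Flow) -> bool:
    """True when an IT-domain endpoint (level 4-5) initiates a connection into the
    OT domain (level 0-3). Only the direction of initiation matters: a flow that
    terminates in the IDMZ (3.5) or starts there is the brokered path and is not flagged."""
    return purdue_level(flow.src) >= 4 and purdue_level(flow.dst) <= 3


def detect(flows):
    return [f for f in flows if is_boundary_violation(f)]


# Constructed flow records modelled on the scenario (not captured traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.3.0.20", 3389, "tcp"),    # vendor from internet straight to L3: violation
    Flow("10.4.7.15", "10.2.0.5", 443, "tcp"),          # corporate workstation to HMI: violation
    Flow("203.0.113.10", "172.16.35.10", 443, "tcp"),   # vendor to IDMZ jump host: brokered, allowed
    Flow("172.16.35.10", "10.3.0.20", 3389, "tcp"),     # jump host into L3: brokered, allowed
    Flow("10.3.0.20", "172.16.35.20", 1433, "tcp"),     # historian data OT->IDMZ replica: allowed
    Flow("10.3.0.20", "10.1.0.7", 502, "tcp"),          # supervisory server to controller: intra-OT
]
```

Because the check ignores `dport` and `proto`, the same vendor session is flagged whether it arrives as RDP, HTTPS or a raw industrial protocol; only moving it onto the IDMZ jump host clears the alert.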