Chapter 21 Quiz: OT/ICS/SCADA Security¶

B — In OT environments, availability and safety are the primary concerns — a security control that causes downtime or interferes with process control can be more catastrophic than a cyber intrusion

The CIA triad is inverted in OT: Availability → Integrity → Confidentiality. Rebooting a firewall during a chemical process or patching a PLC mid-operation can cause equipment damage, personnel injury, or environmental harm. This is why traditional IT security controls (frequent patching, active scanning, endpoint agents) must be adapted or avoided in OT contexts.

C — Level 2 — Area Supervisory Control (DCS, SCADA HMI)

The Purdue model: Level 0 (physical devices: sensors, actuators), Level 1 (PLCs/RTUs executing control logic), Level 2 (SCADA/DCS supervisory systems with HMIs), Level 3 (site operations: MES, historians), DMZ, Level 4 (enterprise IT). Level 2 is particularly critical as it bridges real-time process control and operational visibility.

B — Modbus has no authentication or authorization — any device on the network can issue function code 06 to write values to any register on any Modbus-speaking device, directly manipulating physical setpoints

Modbus was designed in 1979 for isolated serial networks. It has no built-in authentication, encryption, or authorization. In a networked environment, any system that can reach a Modbus-speaking device can read sensor values or write control setpoints. This was exploited in the Triton/TRISIS attack against Safety Instrumented Systems and is a fundamental protocol-level risk in legacy OT environments.

B — Overwriting centrifuge control logic to vary rotor speeds beyond safe limits while simultaneously feeding false "normal operation" readings to the monitoring HMI

Stuxnet's genius was its dual nature: it corrupted the PLC control programs to physically stress centrifuges (causing mechanical failures over months) while intercepting process monitoring systems and replaying recorded "normal" values to operators. This caused physical destruction that appeared to be normal equipment wear, delaying detection for over a year. It remains the canonical example of a cyber-physical attack.

B — A measure of the robustness of security controls against increasing levels of attack capability — from SL 1 (casual/unintentional violation) to SL 4 (state-sponsored, highly sophisticated attack)

ISA/IEC 62443-3-3 defines Security Levels 1–4 based on attacker capability, motivation, and resources. SL 1 protects against accidental/unintentional incidents; SL 2 against intentional violation with simple means; SL 3 against sophisticated means; SL 4 against state-level actors with extended resources. Organizations assess their "Target SL" based on consequence analysis and implement corresponding controls.

B — The attacker can disable or manipulate the safety shutdown logic, allowing physical processes to operate in dangerous conditions without automatic shutdown — potentially causing catastrophic safety incidents

Triton (2017, targeting a Saudi petrochemical plant) targeted Schneider Electric Triconex Safety Instrumented Systems. By disabling the SIS, attackers could have allowed the plant to operate past safe operating limits without automatic emergency shutdown. The explicit goal was to cause physical destruction and potential casualties — the most severe consequence in OT security.

B — Many legacy PLCs and RTUs have limited TCP/IP stacks that crash or lock up when they receive unexpected or rapid probe packets, potentially disrupting physical processes

Unlike enterprise servers, PLCs often run on microcontrollers with minimal networking stacks designed for deterministic industrial protocols. Sending port scans, SYN floods (even inadvertent from aggressive scanners), or unexpected TCP sessions can cause watchdog timeouts, buffer overflows in the networking stack, or complete controller resets — stopping physical processes. Passive monitoring (network tap + protocol analysis) is the safe alternative.

B — An industrial DMZ (IDMZ) with unidirectional data diodes or dual firewalls from different vendors, allowing data to flow from OT to IT but not the reverse

The IDMZ pattern places jump servers, historian mirrors, and file-transfer intermediaries in a DMZ between OT and IT networks. Data diodes (hardware-enforced unidirectional channels) or dual firewalls from different vendors (defense in depth against vendor-specific vulnerabilities) allow OT data to reach business systems for reporting without creating a bidirectional attack path from enterprise IT into OT.

B — Challenge-response authentication that requires devices to prove identity before accepting control commands, preventing unauthenticated command injection

Original DNP3 (like Modbus) had no authentication, allowing any device to send control commands to RTUs. DNP3 SA v5 added HMAC-based challenge-response authentication: before a master station's command is accepted by an outstation, the outstation challenges the master to prove it knows a shared key. This specifically addresses the "unauthenticated command injection" attack vector used in attacks on electrical grids.

B — Stopping or rebooting a PLC for forensic purposes may halt physical processes, cause equipment damage, or create safety hazards — forcing responders to develop non-disruptive collection methods such as network traffic capture and logic ladder program backups

In OT incident response, the first priority is maintaining safe process operation. Unlike IT systems where taking a server offline for forensics is disruptive-but-recoverable, halting a PLC mid-process can cause uncontrolled equipment states, product loss, or physical hazards. Responders instead use network-passive collection (taps), read-only PLC logic backups, and historian analysis to investigate while the process continues running.