SCADA Network Architecture Compliance

Questions and Answers

What is the first stage in the ICS Vulnerability Assessment work plan?

• Client Review
• Onsite Data Collection (correct)
• Developing the Report Deliverable
• Offsite Data Analysis

Offsite work includes analyzing physical security risks.

False (B)

Name one of the tasks involved in the Offsite Work stage.

Collect all documentation, drawings, and configuration files

During the Onsite Work, it is important to look for __________ risks.

physical security

Which of the following is NOT included in the phases of the ICS Vulnerability Assessment?

Client Training (B)

Match the following tasks with their respective phases in the ICS Vulnerability Assessment:

Facility Tour = Onsite Work Document Drawing Collection = Offsite Work Draft Report = Review with Client System Architecture Validation = Offsite Work

The purpose of the review with the client is to finalize the report without any suggestions.

False (B)

What is a primary goal of conducting interviews during the onsite work?

System discovery

What does the ISA 99 standard primarily focus on?

Industrial control system security (C)

It is safe to actively scan live ICS networks.

False (B)

What should be captured to assess the current state of a network?

Operating system, patches, installed applications, users/groups/permissions, local security policy, network configuration, network connections, services/active ports

To understand all ports and services on the devices, which tool should be used for scanning controllers?

NMAP

Match the following types of tests with their descriptions:

Passive capture = Analyze live ICS traffic for vulnerabilities NMAP scan = Identify open ports and services on a device Nessus scan = Evaluate device behavior under active scanning DoS simulation = Test system resilience against denial of service attacks

What type of information is critical to document during an onsite facility tour?

Physical security risks (D)

Denial of Service (DoS) attacks can be simulated on a live environment.

False (B)

What is the goal of analyzing router, switch, and firewall configurations during offsite work?

To validate current architecture and make recommended changes to system architecture.

Gathering and analyzing ___________ is critical for identifying vulnerabilities within the network.

documentation, drawings, and configuration files

Which method helps in analyzing the system's automatic recovery post-attack?

Simulation of adverse network conditions (B)

Passive capturing of ICS traffic can effectively detect clear text transfers.

True (A)

What does the acronym NERC CIP stand for?

North American Electric Reliability Corporation Critical Infrastructure Protection

Scanning controllers with ___________ helps determine if the device is running any vulnerable services.

Nessus

Match the following tools or techniques with their respective purposes:

ping -f = Simulate DoS attacks isic = Generate random payloads for testing hping = Craft custom packets for testing NMAP = Scan for open ports and services

Which of the following protocols is considered vulnerable and should be researched further?

TELNET (A)

Offsite data analysis does not include reviewing traffic dumps from network devices.

False (B)

What should be documented for each vulnerability found during the security assessment?

A recommended remediation strategy

Vulnerabilities found on multiple devices should be grouped under one vulnerability, but should specify the '______ Impacted'.

Systems

Match the following activities with their corresponding focus areas:

Review traffic dumps = Network security assessment Conduct vulnerability scans = Identify security weaknesses Develop network diagrams = System architecture validation Create remediation strategies = Security risk management

Which of the following is NOT a noteworthy item to check in operating system DUMP logs?

Active firewall configuration (D)

The Project Manager compiles all findings into a Rough Draft report after analyzing physical security findings.

True (A)

What is the purpose of creating communication matrices by IP address?

To identify device communications during the assessment

Excessive use of ______ accounts should be monitored in host DUMP logs.

Administrator

Match the term with its definition:

DoS Attack = An attempt to make a service unavailable Vulnerability Scan = A process to identify security weaknesses Malformed Packet Attack = A maliciously altered data packet Network Diagram = A visual representation of network architecture

How should vulnerabilities found across different systems be handled?

They should be ranked and grouped under one finding. (B)

All devices connected to the network should be assumed secure until proven otherwise.

False (B)

What role does the ICS engineer play during the offsite analysis?

Conduct bin dumps and analyze vulnerabilities

The ______ engineer should create the network diagrams as part of the analysis process.

Network

Flashcards are hidden until you start studying

Study Notes

Current and Recommended Architecture Changes

• Diagrams illustrate current and proposed network designs in compliance with ISA 99 standards.
• Current network architecture must be assessed, followed by suggested improvements.

Data Capture for Assessment

• Obtain permission to capture details on operating systems, patches, applications, user permissions, security policies, and network configurations.
• Automation through system-specific scripts advised to streamline data collection.

Testing Methodologies

• Live ICS traffic should be passively captured for analysis; active scans are prohibited on live networks.
• Utilize NMAP for exhaustive port and service exposure scans on controllers, ensuring NERC CIP compliance.
• Execute vulnerability assessments with NESSUS to check for potentially exploitable services.

Simulating Network Conditions

• Conduct tests to understand impacts of adverse network conditions on controllers.
• Focus on controller response during DoS and malformed packet attacks; aim for recovery analysis post-attack.

Denial of Service (DoS) Attacks

• Various ping commands can be used for testing resilience against DoS attacks, with increasing packet sizes.

Malicious Payload Attacks

• Use tools like hping to simulate attacks via arbitrary and malformed packets on specific target IPs.

Offsite Data Analysis Overview

• Offsite evaluation includes data collected from onsite visits and a comprehensive review with clients.
• Facility tours aim to identify physical security risks, supported by documentation and network configurations.

Vulnerability Assessment Work Plan

• Structure the vulnerability assessment into three phases: onsite data collection, offsite analysis, and report development.
• Efficient organization of tasks increases clarity and accountability.

Report Deliverable Insights

• Provide client with drafts that include current and proposed network diagrams, underpinning design changes with rationale.
• Document how changes improve security posture against vulnerabilities.

ICS Engineer Focus Areas

• Analysis of system logs should include scrutiny of security patches, unnecessary applications, user permissions, and network configurations.
• Essential to verify that critical services remain secure and operational during vulnerability scans.

Project Management Responsibilities

• Physical security findings must be prioritized and documented.
• Compile and coordinate findings from team members into a Rough Draft report, including an executive summary for internal teams.

Conclusion and Review with Client

• Final client review involves presenting findings and recommendations, ensuring transparency and openness to feedback on security measures.