Eccouncil ICS-SCADA Exam Questions

Questions for the ICS-SCADA exam were updated on: Dec 01, 2025

Page 1 out of 5. Viewing questions 1-15 out of 75

Question 1

In physical-to-logical asset protection, which threat can be directed against the network?

  • A. Elevation of privileges
  • B. Flood the switch
  • C. All of these
  • D. Crack the password
Answer:

C

Explanation:
Moving from physical to logical asset protection means protecting not only the cabinets, cabling and
switches but also the network functions that run on them. All three of the listed threats can be aimed
at the network:
Elevation of privileges: an attacker with limited access to a switch, router or management host gains
administrative rights and can change VLANs, ACLs or port mirroring.
Flooding the switch: a denial-of-service technique in which the switch is overwhelmed with traffic. One
classic form floods it with frames from random source MAC addresses until its forwarding table
overflows and it falls back to broadcasting every frame, which also lets the attacker sniff traffic.
Cracking the password: recovering the console, SSH, SNMP or web-management credentials of network
equipment by guessing online or by cracking captured hashes offline.
Any of these compromises the network and, in an ICS environment, the physical process that depends
on it, so the answer is all of these.
Reference:
CompTIA Security+ Guide to Network Security Fundamentals.

Question 2

What is the maximum size in bytes of an Ethernet packet?

  • A. 1200
  • B. 1400
  • C. 1500
  • D. 1300
Answer:

C

Explanation:
The maximum transmission unit (MTU) of standard Ethernet is 1500 bytes, which is the figure the exam
expects. Strictly, 1500 bytes is the maximum size of the frame's payload (the data field that carries the
IP packet). The Ethernet header (destination and source MAC addresses plus EtherType, 14 bytes) and
the trailing frame check sequence (4 bytes) are counted separately, so the largest standard frame on the
wire is 1518 bytes, or 1522 bytes when an 802.1Q VLAN tag is present. The preamble and start frame
delimiter are not counted in either figure. Jumbo frames (commonly up to 9000 bytes of payload) are a
vendor extension rather than part of the IEEE 802.3 baseline, and an IP packet larger than the path MTU
must be fragmented or dropped, which is why a mismatched MTU shows up as connections that open but
stall once bulk data flows.
Reference:
IEEE 802.3-2012, "Standard for Ethernet".

Question 3

Which component of the IT Security Model is usually the least priority in ICS/SCADA Security?

  • A. Integrity
  • B. Confidentiality
  • C. Availability
  • D. Authentication
Answer:

B

Explanation:
The IT security model referred to here is the CIA triad (Confidentiality, Integrity, Availability);
Authentication is a control that supports the triad, not one of its components. In ICS/SCADA
environments the usual IT ordering is inverted. Availability comes first, because an outage of a control
loop can halt production or create a safety hazard. Integrity comes second, because a PLC acting on a
falsified setpoint or sensor value can damage equipment or injure people. Confidentiality comes last,
since most process data (temperatures, flow rates, valve states) has little value to an attacker in itself.
Confidentiality still matters for engineering files, credentials and network designs, but when controls
conflict, the operational priority wins.
Reference:
NIST SP 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security".

Question 4

How many IPsec rules are there in Microsoft Firewall configuration?

  • A. 2
  • B. 5
  • C. 3
  • D. 4
Answer:

D

Explanation:
Windows Firewall with Advanced Security (Windows Defender Firewall with Advanced Security in
current releases) configures IPsec through Connection Security Rules, which are kept separately from
the inbound and outbound filtering rules and define which hosts must authenticate or encrypt their
traffic with each other. The exam key counts four IPsec rule types. Be aware that the New Connection
Security Rule wizard in current Windows versions lists five (Isolation, Authentication exemption,
Server-to-server, Tunnel and Custom), and that the same rules can be created with the
New-NetIPsecRule PowerShell cmdlet, so the count depends on the product version and the course
material; answer according to the course. The filtering-rule actions (Allow the connection, Block the
connection, Allow the connection if it is secure) are a different setting: "allow if secure" is where an
ordinary firewall rule is tied to IPsec protection.
Reference:
Microsoft documentation, "Windows Firewall with Advanced Security".

Question 5

Which of the following security stances takes a default-deny approach?

  • A. Permissive
  • B. Paranoid
  • C. Promiscuous
  • D. Prudent
Answer:

B

Explanation:
In network security policy design the stances are usually ranked from most to least restrictive as
Paranoid, Prudent, Permissive and Promiscuous. Paranoid is the pure default-deny posture: everything
is blocked unless a rule explicitly allows it, and in its strictest form outside connectivity is not
provided at all. Prudent also starts from deny-all but then permits the services the organisation needs;
Permissive is default-allow with known-bad traffic blocked; Promiscuous allows everything. Because
Prudent is also built on default deny, the question can read as ambiguous; the exam key treats Paranoid
as the canonical default-deny stance.
Default deny is the recommended posture for ICS network boundaries: the attack surface is limited to
the protocols and endpoints that were deliberately listed, and any new or unexpected traffic shows up
as a blocked event instead of silently passing.
Reference:
Jonathan Gossels, "Network Security: Policies and Guidelines for Effective Network Management".
Kaspersky Lab, "Best Practices for Implementing a Security Awareness Program".

Question 6

Which of the following ports are used for communications in Modbus TCP?

  • A. 205
  • B. 405
  • C. 505
  • D. 502
Answer:

D

Explanation:
Modbus TCP (Modbus/TCP) wraps the classic Modbus PDU in an MBAP header and carries it over
TCP/IP; the serial variants (Modbus RTU and Modbus ASCII) run over RS-232 or RS-485 links instead.
Port 502/TCP is the IANA-assigned port for Modbus TCP and is what servers (PLCs, RTUs, gateways)
listen on by default.
The protocol has no authentication, integrity protection or encryption: any host that can reach port 502
can read and write the device's coils and registers. The port should therefore be reachable only from
the HMI, historian and engineering hosts that need it, and firewall rules, IDS signatures and asset
inventories in a Modbus environment are all written around it. The later Modbus/TCP Security
specification adds TLS on port 802/TCP, but most deployed devices still speak plain Modbus on 502.
Reference:
Modbus Organization, "MODBUS Application Protocol Specification V1.1b3".
Schneider Electric, "Modbus TCP/IP: A Comprehensive Network Protocol".

Question 7

Which of the CVSS metrics refer to the exploit quotient of the vulnerability?

  • A. Temporal
  • B. Environmental
  • C. Base
  • D. All of these
Answer:

A

Explanation:
CVSS v3.1 has three metric groups. The Base group describes intrinsic properties of the vulnerability
(including an Exploitability sub-score built from Attack Vector, Attack Complexity, Privileges Required
and User Interaction), the Temporal group describes properties that change over time, and the
Environmental group lets an organisation adjust the score for its own deployment. The "exploit
quotient" in the question refers to the Temporal group, whose three metrics are:
Exploit Code Maturity (E): whether no exploit is known (Unproven), a Proof-of-Concept exists, a
Functional exploit is available, or exploitation is widespread or automated (High).
Remediation Level (RL): whether an Official fix, Temporary fix, Workaround or nothing (Unavailable) is
available.
Report Confidence (RC): how certain the existence and details of the vulnerability are (Unknown,
Reasonable, Confirmed).
Each temporal metric is a multiplier no greater than 1.0, so the temporal score can only lower the base
score, and it is recalculated as exploits appear and patches ship. (CVSS v2 called the first metric simply
Exploitability; CVSS v4 replaces the Temporal group with Threat metrics.)
Reference:
FIRST, "Common Vulnerability Scoring System v3.1: Specification Document" and "User Guide".
FIRST (Forum of Incident Response and Security Teams), "Understanding CVSS".
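As an added worked example (not part of the original question bank), the following Python computes the CVSS v3.1 temporal score from a base score and the three temporal metrics, using the multipliers and the Roundup function defined in the FIRST v3.1 specification. The base score and vector string used at the bottom are constructed sample values.

```python
"""CVSS v3.1 temporal score: how the three temporal metrics scale a base score.
Added example; the weights and the Roundup definition are taken from the FIRST CVSS v3.1 specification."""
import math

# Numeric weights from CVSS v3.1 (X = Not Defined, which has no effect on the score).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: the smallest one-decimal number >= value.

    Uses the integer arithmetic given in the specification's appendix so that a
    floating-point artefact such as 4.000000000000001 rounds to 4.0, not 4.1."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base_score: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """TemporalScore = Roundup(BaseScore * E * RL * RC).

    Every multiplier is <= 1.0, so the temporal score never exceeds the base score.
    An unknown metric letter raises KeyError rather than silently scoring as 1.0."""
    factor = EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc]
    return roundup(base_score * factor)


def parse_temporal_metrics(vector: str) -> dict:
    """Extract E, RL and RC from a CVSS v3.1 vector string; absent metrics mean Not Defined."""
    metrics = {"E": "X", "RL": "X", "RC": "X"}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key in metrics:
            metrics[key] = value
    return metrics


def score_from_vector(base_score: float, vector: str) -> float:
    """Temporal score for a base score and a full vector string (base metrics are ignored here)."""
    m = parse_temporal_metrics(vector)
    return temporal_score(base_score, m["E"], m["RL"], m["RC"])


if __name__ == "__main__":
    # Constructed sample: a critical base score (9.8) once a proof-of-concept exploit exists (E:P),
    # an official fix is available (RL:O) and the report is confirmed (RC:C).
    vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
    print(score_from_vector(9.8, vector))       # 8.8
    print(temporal_score(9.8, "H", "U", "C"))    # 9.8: mature exploit and no fix leave the score unchanged
```

The same base vulnerability scores 8.8 while only a proof of concept exists and a patch is out, but climbs back to 9.8 once a weaponised exploit circulates and the fix is withdrawn, which is exactly the time-dependent behaviour the Temporal group is meant to capture.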

Question 8

Which of the following are NOT components of an ICS/SCADA network device?

  • A. Low processing threshold
  • B. Legacy systems
  • C. High bandwidth networks
  • D. Weak network stack
Answer:

C

Explanation:
The question asks for the option that does not describe a typical ICS/SCADA network device. Field
devices, PLCs and RTUs are characterised by:
Low processing threshold: embedded CPUs with little spare capacity, so a burst of scanning traffic or a
malformed packet can stall the device.
Legacy systems: controllers that run for 15 to 20 years without replacement, often on operating systems
and protocols that predate modern security features and that cannot be patched without a
maintenance window.
Weak network stack: minimal TCP/IP implementations that may crash or misbehave on unexpected
input (fragmented packets, port scans, unsupported options), which is why active scanning of
production ICS networks needs care.
High bandwidth networks are not characteristic. ICS traffic is small, periodic and latency-sensitive
rather than high-volume, and much of it still runs over serial links or low-speed fieldbuses; plant
backbone networks may be fast, but the devices themselves are the limiting factor.
Reference:
"Navigating the Challenges of Industrial Control Systems," ISA-99 Industrial Automation and Control
Systems Security (now ISA/IEC 62443).
Department of Homeland Security, "Cybersecurity for Industrial Control Systems".

Question 9

Which protocol is represented by IP protocol number 6?

  • A. UDP
  • B. IGRP
  • C. ICMP
  • D. TCP
Answer:

D

Explanation:
The Protocol field of the IPv4 header (the Next Header field in IPv6) is an 8-bit IANA-assigned number
that tells the receiving host which transport or encapsulated protocol follows the IP header. Protocol
number 6 is TCP (Transmission Control Protocol), which provides reliable, ordered, error-checked
delivery of a byte stream between applications on hosts communicating over an IP network. Other
values worth knowing: 1 is ICMP, 9 is IGRP, 17 is UDP, 47 is GRE, and 50 and 51 are ESP and AH, the two
IPsec protocols. Firewall and packet-filter rules match on this field, so "protocol 6" and "tcp" mean the
same thing in an ACL.
Reference:
RFC 793, "Transmission Control Protocol" (since updated and consolidated by RFC 9293); IANA
Protocol Numbers registry.

Question 10

What does the SPI within IPsec identify?

  • A. Security Association
  • B. Key Exchange
  • C. Decryption algorithm
  • D. All of these
Answer:

A

Explanation:
The Security Parameter Index (SPI) is a 32-bit value carried in the AH and ESP headers. Together with
the destination IP address and the protocol (AH or ESP) it identifies the Security Association (SA) under
which an incoming packet must be processed: the receiver looks the SPI up in its Security Association
Database to find the algorithms, keys, mode and sequence-number state for that SA. The SPI itself
carries no key and names no algorithm; those are negotiated out of band (normally by IKE, each peer
choosing the SPI for the SA it will receive on) and bound to the SPI in the SAD. Because SAs are
unidirectional, a two-way IPsec connection uses two SAs and two SPIs. For analysts, the SPI is what lets
you correlate ESP packets in a capture with a specific tunnel even though the payload is encrypted.
Reference:
RFC 4301, "Security Architecture for the Internet Protocol"; RFC 4303, "IP Encapsulating Security
Payload (ESP)".
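Added example (not from the original page) serving questions 9 and 10 together: a small Python parser that reads the Protocol field from a raw IPv4 header and, when the protocol is ESP (50) or AH (51), extracts the SPI and sequence number that the receiver would use to look up the Security Association. The packets are constructed inside the block; build_ipv4 and the IP_PROTOCOLS table are the example's own helpers, not a library API.

```python
"""Decode the IPv4 Protocol field and, for IPsec ESP/AH, the SPI that names the Security Association.
Added example with constructed packets; layouts follow RFC 791 (IPv4), RFC 4303 (ESP) and RFC 4302 (AH)."""
import struct

# Subset of the IANA protocol-number registry (example table, extend as needed).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 9: "IGRP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def parse_ipv4(packet: bytes) -> dict:
    """Return protocol number/name, header length, addresses and payload of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "protocol_number": proto,
        "protocol": IP_PROTOCOLS.get(proto, f"unknown({proto})"),
        "header_len": ihl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload": packet[ihl:total_len],
    }


def ipsec_spi(packet: bytes):
    """For ESP (50) or AH (51) return (SPI, sequence number); otherwise None.

    ESP: SPI (4 bytes) and Sequence Number (4 bytes) come first, then the encrypted payload.
    AH:  Next Header (1), Payload Len (1), Reserved (2), then SPI (4) and Sequence Number (4).
    The receiver uses (SPI, destination address, protocol) to find the SA and with it the
    algorithms and keys; nothing in the packet itself names them."""
    hdr = parse_ipv4(packet)
    body = hdr["payload"]
    if hdr["protocol_number"] == 50 and len(body) >= 8:
        return struct.unpack("!II", body[:8])
    if hdr["protocol_number"] == 51 and len(body) >= 12:
        return struct.unpack("!II", body[4:12])
    return None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (IHL 5, checksum left at zero)."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload


# Constructed sample packets: a TCP segment to Modbus port 502 and an ESP packet with SPI 0xC0FFEE01.
TCP_PKT = build_ipv4(6, "10.0.0.5", "10.0.0.10", struct.pack("!HH", 40000, 502) + b"\x00" * 16)
ESP_PKT = build_ipv4(50, "192.168.1.1", "192.168.1.2", struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16)

if __name__ == "__main__":
    print(parse_ipv4(TCP_PKT)["protocol"])      # TCP
    spi, seq = ipsec_spi(ESP_PKT)
    print(f"ESP SA spi=0x{spi:08x} seq={seq}")   # ESP SA spi=0xc0ffee01 seq=7
```

Note that the ESP payload after the eight-byte header is opaque: the parser can tell you which SA (and therefore which tunnel and peer) a packet belongs to, and whether sequence numbers are being replayed, but nothing about the inner traffic.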

Question 11

What is the extension of nmap scripts?

  • A. .nsn
  • B. .nse
  • C. .nsv
  • D. .ns
Answer:

B

Explanation:
Nmap Scripting Engine (NSE) scripts are Lua files with the extension .nse, installed in Nmap's scripts/
directory and selected with the --script option (for example, --script modbus-discover enumerates
Modbus devices, and -sC runs the default set). They extend Nmap beyond port scanning into service
enumeration, vulnerability checks and brute forcing. In an ICS network, run only the scripts you need
and test them against a lab device first, since some field devices react badly even to benign probes.
Reference:
Gordon "Fyodor" Lyon, Nmap Network Scanning, chapter on the Nmap Scripting Engine.

Question 12

With respect to data analysis, which of the following is not a step?

  • A. Enumeration
  • B. All of these
  • C. vulnerabilities
  • D. Scanning for targets
Answer:

A

Explanation:
Enumeration is not treated as a data-analysis step. It is the active cataloguing of hosts, users, shares
and services on a live network and belongs to the reconnaissance and scanning phases of an
assessment, where data is collected rather than analysed. Data analysis takes the output of those
phases and works through gathering, cleaning or preprocessing, analysing and interpreting the results.
(The question is loosely worded, since scanning for targets and finding vulnerabilities are collection
activities too; the exam key nevertheless singles out enumeration.)
Reference:
Joel Grus, Data Science from Scratch, which outlines the common steps of data analysis.

Question 13

Which of the following protocol analyzers produces raw output?

  • A. tcpdump
  • B. Wireshark
  • C. Capsa
  • D. Commview
Answer:

A

Explanation:
tcpdump is the command-line packet analyzer shipped with most UNIX-like systems. It captures
through libpcap and, unlike the graphical tools Wireshark, Capsa and CommView, prints the decoded
packet headers as plain text to the terminal (or, with -X, a hex and ASCII dump of the raw bytes), which
is why it is described as producing raw output.
Useful switches: -i to pick the interface, -n to suppress name resolution, -s 0 to capture full packets,
-w file.pcap to save the raw packets for later analysis in Wireshark, and -r to read such a file back. BPF
filter expressions select traffic, for example tcpdump -ni eth0 tcp port 502 to watch Modbus TCP.
Because it needs no GUI, it is the tool of choice on jump hosts, gateways and embedded Linux boxes
inside a plant network.
Reference:
The Tcpdump Group, tcpdump(1) manual page.
Chris Sanders, Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, No
Starch Press.

Question 14

Which type of Intrusion Prevention System can monitor and validate encrypted data?

  • A. Memory
  • B. Network
  • C. Host
  • D. Anomaly
Answer:

B

Explanation:
A network intrusion prevention system (NIPS) sits inline on the network path and can inspect
encrypted sessions only if it can decrypt them: either it terminates the TLS session itself as a forward or
reverse proxy and re-encrypts toward the destination (which requires clients to trust its CA certificate,
or the server's private key to be installed on it), or it is fed session keys by another component. Once it
sees the plaintext it can apply its signatures and policies to content hidden inside HTTPS, such as
malware downloads, command-and-control traffic and data exfiltration.
Two caveats matter in practice. TLS 1.3 and forward-secret cipher suites make passive decryption with
a copied server key impossible, so inline interception is required. And a host-based IPS sees application
data before it is encrypted or after it is decrypted on the endpoint without any interception at all,
which is the alternative where TLS interception is undesirable or, as with many vendor-managed ICS
components, not permitted.
Reference:
Yusuf Bhaiji, Network Security Technologies and Solutions, Cisco Press.
Palo Alto Networks, "Decrypting SSL/TLS Traffic with IPS".

Question 15

What is used in the Modbus protocol to tell the slave to read or write?

  • A. None of these
  • B. Function code
  • C. Unit ID
  • D. Slave command
Answer:

B

Explanation:
In Modbus the function code tells the slave (server) what to do and on which data table. It is the first
byte of the PDU, which follows the MBAP header in Modbus TCP (transaction identifier, protocol
identifier 0, length, unit identifier) or the address byte in Modbus RTU. Read codes include 01 Read
Coils, 02 Read Discrete Inputs, 03 Read Holding Registers and 04 Read Input Registers; write codes
include 05 Write Single Coil, 06 Write Single Register, 15 (0x0F) Write Multiple Coils and 16 (0x10)
Write Multiple Registers. The remainder of the PDU carries the parameters for that code, typically a
starting address and a quantity or value.
If the slave cannot service the request it replies with the function code plus 0x80 (for example 0x83 in
response to 03) followed by a one-byte exception code. The unit identifier only selects a device behind
a gateway; it says nothing about the operation. Because the function code is unauthenticated, a
network monitor that parses it can tell read-only polling (01 to 04) from writes that change the process
(05, 06, 15, 16) and alert on writes from unexpected sources.
Reference:
Modbus Organization, "MODBUS Application Protocol Specification V1.1b3".
Schneider Electric, "The Modbus Protocol Explained".
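Added example (not from the original page or from the Modbus Organization) covering questions 6 and 15 together: Python that builds Modbus TCP frames as they would be sent to port 502 (MBAP header plus PDU) and parses frames back, classifying each by function code as a read, a write or an exception response. All frames are constructed inside the block; no socket to a real device is opened, and the helper names (build_adu, parse_adu and so on) are the example's own.

```python
"""Modbus TCP frames: MBAP header + PDU, where the PDU's first byte is the function code.
Added example with constructed frames; the field layout follows the MODBUS Application Protocol
Specification V1.1b3 and the Modbus Messaging on TCP/IP Implementation Guide."""
import struct

MODBUS_TCP_PORT = 502  # IANA-assigned port on which Modbus TCP servers listen

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}  # function codes that change process state
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


def build_adu(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1); then PDU.
    The length field counts the unit id plus the PDU, i.e. everything after the first six bytes."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu


def read_holding_registers(tid: int, unit: int, start: int, quantity: int) -> bytes:
    """Function code 03 request: starting address and number of registers to read."""
    return build_adu(tid, unit, 3, struct.pack("!HH", start, quantity))


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Function code 06 request: register address and the value to write."""
    return build_adu(tid, unit, 6, struct.pack("!HH", address, value))


def parse_adu(adu: bytes) -> dict:
    """Split a Modbus TCP frame and classify it by function code.

    Rejects frames whose protocol id is not 0 or whose MBAP length disagrees with the frame size,
    both of which are common in fuzzed or malformed traffic."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(adu) - 6}")
    raw_fc, data = adu[7], adu[8:]
    fc = raw_fc & 0x7F  # bit 7 set marks an exception response
    info = {
        "transaction_id": tid, "unit_id": unit, "function_code": fc,
        "function": FUNCTION_NAMES.get(fc, f"unknown({fc})"),
        "is_exception": bool(raw_fc & 0x80), "is_write": fc in WRITE_CODES, "data": data,
    }
    if info["is_exception"]:
        info["exception"] = EXCEPTION_CODES.get(data[0], f"code {data[0]}") if data else "missing"
    elif fc in (1, 2, 3, 4) and len(data) == 4:  # read request: start address + quantity
        info["start"], info["quantity"] = struct.unpack("!HH", data)
    elif fc in (5, 6) and len(data) == 4:        # single write request: address + value
        info["address"], info["value"] = struct.unpack("!HH", data)
    return info


if __name__ == "__main__":
    # Constructed traffic: poll ten holding registers from unit 17, then write a setpoint to unit 1.
    poll = read_holding_registers(1, 17, 0, 10)
    print(poll.hex())  # 00010000000611030000000a
    setpoint = write_single_register(2, 1, 0x0010, 1500)
    for frame in (poll, setpoint, build_adu(3, 1, 0x83, b"\x02")):
        p = parse_adu(frame)
        print(p["function"], "WRITE" if p["is_write"] else "read", p.get("exception", ""))
```

The is_write flag is the hook a monitoring rule would use: a frame with function code 05, 06, 15 or 16 arriving at port 502 from any host other than the HMI or engineering workstation is worth an alert, since Modbus itself offers no way to refuse it.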
