GRID - GIAC Response and Industrial Defense ICS Incident Response Questions and Answers

Question 1

An incident responder is analyzing network traffic from a compromised Human-Machine Interface (HMI) in a power generation facility. The primary goal is to understand the attacker's commands without causing further disruption to the operational process. Which of the following is the MOST appropriate initial step?

Accepted Answer

Utilize passive network monitoring and deep packet inspection of ICS protocols.

Answer

In an ICS environment, maintaining operational integrity and safety is paramount. Passive network monitoring allows the responder to observe traffic without interacting with or altering the state of the compromised device. Deep packet inspection of specific ICS protocols (like DNP3 or Modbus) is crucial for understanding the commands sent by the attacker and their potential impact on the physical process. Isolating the HMI (A) could have unintended operational consequences. While forensic imaging (B) and memory analysis (D) are valuable, they are more intrusive and carry a higher risk of disrupting the live process, making passive analysis the best initial step.

Question 2

During which phase of the ICS incident response lifecycle is the primary focus on limiting the impact of an incident and preventing it from spreading to other systems?

Accepted Answer

Containment

Answer

The Containment phase is focused on limiting the scope and magnitude of an incident. In an ICS context, this involves actions like network segmentation or isolating affected systems to stop the threat from spreading and causing further operational disruption or damage. Preparation involves getting ready for an incident, Eradication is about removing the threat, and Recovery is focused on restoring systems to normal operation.

Question 3

A manufacturing plant has experienced a cybersecurity incident where malware was found on an engineering workstation. The incident response plan prioritizes safety and operational continuity above all else. Which of the following containment strategies would be MOST appropriate in this scenario?

Accepted Answer

Disconnect the single affected workstation and monitor the process network for anomalies.

Answer

The most appropriate strategy balances security with operational needs. Disconnecting the single affected workstation removes the immediate threat source while having a minimal and predictable impact on the overall process. This is followed by heightened monitoring to ensure the threat has not already spread. Shutting down the entire network (A) is overly disruptive. Attempting to patch live malware (C) is risky and unpredictable. Rerouting traffic (D) is a complex action that could introduce new risks during an active incident.

Question 4

Which of the following is a unique challenge when performing digital forensics and incident response (DFIR) in an ICS environment compared to a traditional IT environment?

Accepted Answer

The use of proprietary protocols and legacy systems with limited logging.

Answer

ICS environments are often characterized by proprietary vendor protocols, specialized hardware (PLCs, RTUs), and legacy operating systems that may lack the robust logging and security features common in modern IT systems. This makes evidence collection and analysis significantly more challenging. While chain of custody (A), reporting (C), and memory analysis (D) are all relevant in both IT and ICS forensics, the prevalence of unique, often poorly documented systems is a distinguishing challenge for ICS.

Question 5

According to NERC CIP-008, what is the required timeframe for a Responsible Entity to provide initial notification after determining that a Cyber Security Incident has occurred?

Accepted Answer

Within 1 hour

Answer

NERC CIP-008-6 specifies strict reporting timelines. Responsible Entities are required to provide an initial notification to the E-ISAC and/or CISA within one hour after determining that a Cyber Security Incident has occurred. This rapid reporting is intended to facilitate information sharing and situational awareness across the electricity sector.

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense ICS Incident Response Questions and Answers