GRID - GIAC Response and Industrial Defense ICS Network Security Monitoring Questions and Answers

Question 1

A security analyst is reviewing network traffic logs from a SCADA network and notices a series of Modbus Function Code 16 (Write Multiple Registers) commands sent from an HMI to a PLC that controls a critical pumping station.
The commands occur outside of the normal operational schedule and target registers that are not typically modified by this HMI.
Which type of network anomaly does this activity represent?

Accepted Answer

A behavioral anomaly, where the communication pattern deviates from the established baseline.

Answer

A volumetric anomaly, indicating a denial-of-service attack.

Answer

A protocol anomaly, where the Modbus packet structure is malformed.

Answer

A signature-based anomaly, matching a known malware communication pattern.

Question 2

When implementing a passive network security monitoring solution in an ICS environment, what is the primary reason for using a network TAP (Test Access Point) over a SPAN (Switched Port Analyzer) port?

Accepted Answer

TAPs are less likely to drop packets under high load, ensuring full fidelity of the monitored traffic.

Answer

TAPs are less expensive to implement on industrial switches.

Answer

TAPs actively block malicious traffic, whereas SPAN ports do not.

Answer

TAPs can decrypt all encrypted ICS protocols, while SPAN ports cannot.

Question 3

An analyst is using a network security monitoring tool that has baselined normal DNP3 communication patterns between a master station and several outstations. Which of the following alerts would be the strongest indicator of a potential reconnaissance or lateral movement activity?

Accepted Answer

A new, unauthorized device attempts to communicate using the DNP3 protocol.

Answer

An outstation stops responding to polling requests from the master.

Answer

The master station sends a single, malformed DNP3 packet to an outstation.

Answer

The volume of DNP3 traffic increases by 10% during peak operational hours.

Question 4

A security team is deploying an anomaly detection system for their OT network. The system must be able to identify sophisticated attacks that use legitimate ICS commands in an unusual sequence. For example, an attacker might issue a command to stop a motor before issuing a command to open a valve, which is an unsafe and abnormal sequence. This capability is best described as:

Accepted Answer

Stateful protocol analysis

Answer

Deep packet inspection (DPI)

Answer

Signature-based detection

Answer

Statistical volume analysis

Question 5

Which of the following is a significant advantage of using passive monitoring for asset discovery in an OT network compared to active scanning?

Accepted Answer

It poses a much lower risk of disrupting sensitive or legacy OT devices.

Answer

It provides more detailed information, such as firmware versions and patch levels.

Answer

It is significantly faster at creating a comprehensive asset inventory.

Answer

It discovers non-communicating or dormant devices on the network.

Question 6

An attacker has compromised an HMI in a manufacturing plant's process control network (Purdue Level 1). To reach PLCs in a different, segregated process zone, the attacker exploits a vulnerability in a fieldbus coupler that connects the two zones. This technique is an example of what kind of activity?

Accepted Answer

Deep lateral movement

Answer

Privilege escalation

Answer

A denial-of-service attack

Answer

A man-in-the-middle attack