GRID - GIAC Response and Industrial Defense ICS Network Security Monitoring Questions and Answers

Question 1

A security analyst is reviewing network traffic logs from a SCADA network and notices a series of Modbus Function Code 16 (Write Multiple Registers) commands sent from an HMI to a PLC that controls a critical pumping station. The commands occur outside of the normal operational schedule and target registers that are not typically modified by this HMI. Which type of network anomaly does this activity represent?

Accepted Answer

A behavioral anomaly, where the communication pattern deviates from the established baseline.

Answer

This scenario describes a behavioral anomaly. The communication itself is syntactically correct (valid Modbus commands), but the context and pattern (timing, source, and target registers) are abnormal compared to the established baseline of normal operations. Anomaly detection in SCADA systems often relies on modeling normal, cyclical behavior to detect deviations that could indicate an attack.

Question 2

When implementing a passive network security monitoring solution in an ICS environment, what is the primary reason for using a network TAP (Test Access Point) over a SPAN (Switched Port Analyzer) port?

Accepted Answer

TAPs are less likely to drop packets under high load, ensuring full fidelity of the monitored traffic.

Answer

Network TAPs are dedicated hardware devices that create an exact copy of the traffic without altering it. They are purpose-built for monitoring and are highly reliable, ensuring that every packet is seen by the monitoring tool, even on heavily utilized networks. SPAN ports, on the other hand, are a software feature on a switch. During periods of high traffic, the switch may prioritize its primary function of forwarding production traffic over mirroring traffic to the SPAN port, which can lead to dropped packets and an incomplete view for the security monitoring tool.

Question 3

An analyst is using a network security monitoring tool that has baselined normal DNP3 communication patterns between a master station and several outstations. Which of the following alerts would be the strongest indicator of a potential reconnaissance or lateral movement activity?

Accepted Answer

A new, unauthorized device attempts to communicate using the DNP3 protocol.

Answer

The appearance of a new, unauthorized device attempting to use an ICS protocol like DNP3 is a significant indicator of compromise. It suggests that an attacker has gained a foothold on the network and is now performing reconnaissance or attempting to move laterally to interact with other control system devices. The other options could be due to normal network issues, minor configuration errors, or expected operational fluctuations.

Question 4

A security team is deploying an anomaly detection system for their OT network. The system must be able to identify sophisticated attacks that use legitimate ICS commands in an unusual sequence. For example, an attacker might issue a command to stop a motor before issuing a command to open a valve, which is an unsafe and abnormal sequence. This capability is best described as:

Accepted Answer

Stateful protocol analysis

Answer

Stateful protocol analysis involves understanding the context and sequence of commands within a given protocol. It models the expected state transitions of the industrial process and can detect anomalies when commands are issued in an illogical or unsafe order, even if each individual command is syntactically correct. DPI is necessary to see the commands, but stateful analysis provides the contextual understanding of the sequence.

Question 5

Which of the following is a significant advantage of using passive monitoring for asset discovery in an OT network compared to active scanning?

Accepted Answer

It poses a much lower risk of disrupting sensitive or legacy OT devices.

Answer

Passive monitoring observes existing network traffic without sending any new packets, making it non-intrusive. This is a critical advantage in OT environments where legacy systems, embedded devices, and sensitive controllers can react unpredictably to active scanning probes, potentially causing operational disruption or device failure. Active scanning, while often faster and more detailed, carries a higher risk of impacting operations.

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense ICS Network Security Monitoring Questions and Answers