GRID Cheat Sheet 2026
The 30 highest-yield GRID facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
82 questions
180 min time limit
71% to pass
- Why is a post-incident review crucial in ICS environments? → To strengthen future response and defense
- Why is passive monitoring preferred in ICS threat detection? → It minimizes interference with critical systems
- In the IEC 62443 security level framework, what does Security Level 2 (SL 2) describe? → Protection against intentional violation using simple means and low motivation
- What is the primary challenge of applying traditional IT patch management practices to OT/ICS environments? → OT systems often cannot tolerate downtime required for patching
- Which metric from CVSS is most relevant when assessing an ICS vulnerability where no internet connectivity exists? → Attack Vector (AV) — specifically local or physical
- What is the role of a security information and event management (SIEM) system in ICS? → To centralize log data and detect threats
- NIST SP 800-82 recommends which network architecture strategy when IT and OT systems must exchange data? → Implementation of a DMZ with firewalls between IT and OT
- In GRID exam context, what does a 'severity × likelihood' matrix primarily help an ICS security team accomplish? → Prioritize which vulnerabilities to address first based on risk
- What is the role of a 'risk register' in an ongoing ICS vulnerability management program? → It tracks identified risks, their ratings, owners, and remediation status over time
- What technique is commonly used by ICS attackers for lateral movement? → Credential reuse
- What is the primary advantage of one-way communication in ICS defense? → It blocks inbound cyber attacks
- Which tool is widely used by ICS security professionals to passively identify OT protocols such as Modbus, DNP3, and BACnet on a captured packet trace? → Wireshark with OT protocol dissectors
- Why is network segmentation critical in ICS defense? → To isolate threats and improve control
- Which zone in ICS architecture typically houses SCADA servers? → Operations zone
- Which ICS protocol uses Function Code 90 (0x5A) and is associated with Siemens S7 PLCs, making it a common target for attackers? → S7comm
- NERC CIP-004 requires personnel risk assessments for individuals who have which type of access? → Unescorted physical or electronic logical access to BES Cyber Systems
- What is a typical objective of attackers in ICS environments? → Cause operational disruption
- What is the primary purpose of a network intrusion detection system (NIDS) in an ICS environment? → Detect malicious activity in network traffic
- When performing a vulnerability assessment on a SCADA system, why should engineers always test in a lab or replica environment first? → Scanning or testing production ICS can cause device crashes or process disruptions
- What is the primary security weakness of the Modbus TCP protocol in ICS environments? → It has no built-in authentication, authorization, or data integrity verification
- Under NERC CIP, a 'BES Cyber Asset' (BCA) is classified based on its potential impact to the BES. Which classification carries the highest compliance burden? → High Impact
- Which NERC CIP standard specifically governs Electronic Security Perimeters (ESPs) and remote access management? → CIP-005-7
- How should communication be handled during an ICS incident? → Communicate out-of-band
- Which ICS-specific vulnerability database provides advisories specifically for industrial control systems? → ICS-CERT CISA advisories
- What compensating control is commonly used when an ICS component cannot be patched due to operational constraints? → Network segmentation and enhanced monitoring
- Which NERC CIP standard addresses 'Systems Security Management,' including management of ports and services, security patches, and malicious code prevention? → CIP-007-6
- Which protocol is commonly used in oil and gas pipeline SCADA systems and operates over serial lines using a master-slave architecture? → Modbus RTU
- NIST Special Publication 800-82 was written to provide guidance for which type of system? → Industrial Control Systems (ICS) including SCADA and DCS
- Which of the following is a significant advantage of using passive monitoring for asset discovery in an OT network compared to active scanning? → It poses a much lower risk of disrupting sensitive or legacy OT devices.
- IEC 62443-3-3 defines 'Foundational Requirements' (FRs) for IACS. Which of the following is one of the seven FRs? → Use Control (UC) — restricting system functionality to authorized users and devices
Turn these facts into recall: