GRID GRID ICS Vulnerability Management and Risk Assessment

Question 1

Which framework is most commonly used to assess and prioritize vulnerabilities in industrial control system environments?

Accepted Answer

CVSS

Answer

OWASP Top 10

Answer

MITRE ATT&CK

Answer

NIST SP 800-53

Question 2

What is the primary challenge of applying traditional IT patch management practices to OT/ICS environments?

Accepted Answer

OT systems often cannot tolerate downtime required for patching

Answer

Patches are too expensive

Answer

ICS vendors do not release patches

Answer

OT systems use proprietary patch formats

Question 3

Which ICS-specific vulnerability database provides advisories specifically for industrial control systems?

Accepted Answer

ICS-CERT CISA advisories

Answer

NVD

Answer

CVE Details

Answer

Exploit-DB

Question 4

In ICS risk assessment, what does the term 'consequence severity' most directly refer to?

Accepted Answer

The potential physical, safety, or operational impact if a vulnerability is exploited

Answer

The cost of replacing hardware

Answer

The number of systems affected by a patch

Answer

The skill level required to exploit a vulnerability

Question 5

What compensating control is commonly used when an ICS component cannot be patched due to operational constraints?

Accepted Answer

Network segmentation and enhanced monitoring

Answer

Disabling the component

Answer

Replacing with IT-grade equipment

Answer

Increasing firewall rules on the internet edge

Question 6

Which document type produced during ICS vulnerability management formally records accepted risks that cannot be immediately remediated?

Accepted Answer

Risk acceptance memo or Plan of Action and Milestones (POA&M)

Answer

Incident report

Answer

Change request form

Answer

Vulnerability scan export