CISSP Question #1150: Real Exam Question with Answer & Explanation

Question

In supervisory control and data acquisition (SCADA) systems, which of the following controls can be used to reduce device exposure to malware?

Options

• ADisable all command line interfaces.
• BDisallow untested code in the execution space of the SCADA device.
• CProhibit the use of unsecure scripting languages.
• DDisable Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 138 and

Explanation

In SCADA environments, controlling what code is permitted to execute on devices is a foundational security control to prevent malware from running in critical industrial control systems.

Common mistakes.

• A. Disabling all command line interfaces may limit some attack vectors but does not prevent malware from executing through other means such as network-delivered payloads or compromised application logic.
• C. Prohibiting unsecure scripting languages is a partial measure that addresses only one category of potential malware delivery and does not cover all forms of malicious code that could run on a SCADA device.
• D. Disabling TCP/UDP port 138 (NetBIOS Datagram Service) reduces network attack surface for Windows-based systems but does not directly control or prevent malware from executing within the SCADA device's execution environment.

Concept tested. SCADA device hardening and execution control against malware

Reference. https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

No community discussion yet for this question.