CISSP Question #1397: Real Exam Question with Answer & Explanation

The correct answer is C: Volatility of data. In ICS/SCADA incident response, the most challenging forensic aspect is data volatility, as critical evidence in RAM, network connections, and running processes can be lost during or after an incident if not captured immediately.

Submitted by amina.ke · Mar 5, 2026 · Security Operations

Question

The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert regarding ICS-focused malware specifically propagating through Windows-based business networks. Technicians at a local water utility note that their dams, canals, and locks controlled by an internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital forensics professional is consulted in the Incident Response (IR) and recovery. Which of the following is the MOST challenging aspect of this investigation?

Options

  • A. SCADA network latency
  • B. Group policy implementation
  • C. Volatility of data
  • D. Physical access to the system

Explanation

In ICS/SCADA incident response, the most challenging forensic aspect is data volatility, as critical evidence in RAM, network connections, and running processes can be lost during or after an incident if not captured immediately.

Common mistakes.

  • A. SCADA network latency is an operational concern affecting real-time control performance, but it is not a primary forensic investigation challenge during IR and recovery.
  • B. Group policy implementation is an administrative IT concern related to configuration management and is not a forensic challenge specific to ICS/SCADA incident response.
  • D. While physical access can be a logistical challenge in some environments, ICS/SCADA systems at a water utility are typically on-premises and accessible to authorized personnel, making it less of an obstacle than the loss of volatile forensic evidence.

Concept tested. Volatile data collection in ICS/SCADA incident response

Reference. https://www.cisa.gov/sites/default/files/publications/ICS-CERT_Recommended_Practice_Developing_ICS_Incident_Response.pdf

Topics

#ICS security · #Digital forensics · #Data volatility · #Incident response
