
SY0-501 Question #385: Real Exam Question with Answer & Explanation

The correct answer is A: Configure a firewall with deep packet inspection that restricts traffic to the systems.

Submitted by takeshi77 · Mar 4, 2026

Question

An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30-day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software?

Options

  • A. Configure a firewall with deep packet inspection that restricts traffic to the systems.
  • B. Configure a separate zone for the systems and restrict access to known ports.
  • C. Configure the systems to ensure only necessary applications are able to run.
  • D. Configure the host firewall to ensure only the necessary applications have listening ports.

Explanation

SCADA systems that cannot be patched require compensating controls; deep packet inspection (DPI) on a firewall provides the most robust protection by analyzing traffic content for malicious payloads at the network layer.

Common mistakes.

  • B. Placing systems in a separate zone and restricting access to known ports is a basic network segmentation control that limits the attack surface but does not inspect traffic content for malware, leaving the systems vulnerable to attacks delivered over those permitted ports.
  • C. Application whitelisting (allowing only necessary applications to run) is a host-based control that prevents unauthorized software execution but does not directly protect against malicious software being delivered and potentially exploiting the allowed applications on an unpatched system.
  • D. Configuring the host firewall to restrict listening ports reduces exposure but only controls inbound connection points; it does not inspect the content of permitted traffic for malicious payloads and provides weaker protection than a network-level DPI firewall.

Concept tested. Compensating controls for unpatched SCADA systems using DPI

Reference. https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
