Examice

Exam CAS-004 All QuestionsBrowse all questions from this exam

Question 443

A security engineer is re-architecting a network environment that provides regional electric distribution services. During a pretransition baseline assessment, the engineer identified the following security-relevant characteristics of the environment:

• Enterprise IT servers and supervisory industrial systems share the same subnet.

• Supervisory controllers use the 750MHz band to direct a portion of fielded PLCs.

• Command and telemetry messages from industrial control systems are unencrypted and unauthenticated.

Which of the following re-architecture approaches would be best to reduce the company's risk?

Implement a one-way guard between enterprise IT services and mission-critical systems, obfuscate legitimate RF signals by broadcasting noise, and implement modern protocols to authenticate ICS messages.

Characterize safety-critical versus non-safety-critical systems, isolate safety-critical systems from other systems, and increase the directionality of RF links in the field.

Create a new network segment for enterprise IT servers, configure NGFW to enforce a well-defined segmentation policy, and implement a WIDS to monitor the spectrum.

Segment supervisory controllers from field PLCs, disconnect the entire network from the internet, and use only the 750MHz link for controlling energy distribution services.

Correct Answer: A

The best re-architecture approach involves implementing a one-way guard between the enterprise IT services and mission-critical systems to prevent unidirectional data flow vulnerabilities. Obfuscating legitimate RF signals by broadcasting noise/hops can mitigate the risks posed by unauthorized access or interference with the 750MHz band used by supervisory controllers. Modern protocols for authenticating ICS messages will address the issue of unencrypted and unauthenticated telemetry and command messages. This holistic approach ensures a secure, segmented, and authenticated operational environment suitable for critical regional electric distribution services.

Discussion

23169fdOption: C

Network segmentation ensures that enterprise IT systems and mission-critical industrial systems are isolated from each other, reducing the risk of malware or attacks spreading across these environments. NGFW provides robust security controls and monitoring to enforce the segmentation policy effectively. WIDS enhances security for the RF communication used by supervisory controllers, adding a layer of detection for any suspicious or malicious activity.

armidOption: C

https://csrc.nist.gov/glossary/term/wireless_intrusion_detection_system

isaphiltrickOption: B

B is the best choice as it directly addresses the identified risks by prioritizing the isolation and protection of safety-critical systems, improving RF signal management, and maintaining operational integrity. This approach ensures that critical systems are adequately secured while maintaining necessary connectivity and operational efficiency in the regional electric distribution services environment.