Which of the following architectural decisions would BEST reduce the likelihood of a successful attack without harming operational capability?

An architect was recently hired by a power utility to increase the security posture of the company’s power generation and distribution sites. Upon review, the architect identifies legacy hardware with highly vulnerable and unsupported software driving critical operations. These systems must exchange data with each other, be highly synchronized, and pull from the Internet time sources. Which of the following architectural decisions would BEST reduce the likelihood of a successful attack without harming operational capability? (Choose two.)
A. Isolate the systems on their own network
B. Install a firewall and IDS between systems and the LAN
C. Employ own stratum-0 and stratum-1 NTP servers
D. Upgrade the software on critical systems
E. Configure the systems to use government-hosted NTP servers
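To make the stratum terminology in options C and E concrete, here is an added example that is not part of the original question or of any comment below. A stratum-0 device is the reference clock itself (GPS receiver, atomic clock); a stratum-1 server is the machine directly disciplined by it, and an NTPv4 reply (RFC 5905) announces both its stratum and its reference identifier, so a client on a segregated OT network can check which kind of server it is actually trusting. The packets, the addresses (10.20.0.5 as a local GPS-disciplined server, 192.0.2.10 as a public stratum-2 server, 203.0.113.7 as an unapproved host) and the allow-list are all constructed for illustration and assume nothing about any real utility network.

```python
import ipaddress
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800
# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit stamps.
NTP_FORMAT = "!BBbbII4sQQQQ"


def build_reply(stratum, refid, tx_unix, leap=0, version=4, mode=4):
    """Construct a 48-byte NTPv4 server reply (sample data only; a real
    client would receive this over UDP/123 from the time server)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    tx_ts = (tx_unix + NTP_UNIX_OFFSET) << 32  # whole seconds, zero fraction
    return struct.pack(NTP_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0,
                       refid.ljust(4, b"\x00"), tx_ts, 0, tx_ts, tx_ts)


def parse_reply(pkt):
    """Decode the header fields a client needs to judge a reply."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, root_disp,
     refid, _ref_ts, _orig_ts, _recv_ts, tx_ts) = struct.unpack(NTP_FORMAT, pkt[:48])
    if stratum == 1:
        # Primary server: refid is a 4-character code naming the stratum-0
        # reference clock it is disciplined by (GPS, PPS, ATOM, ...).
        reference = refid.rstrip(b"\x00").decode("ascii", "replace")
    elif 2 <= stratum <= 15:
        # Secondary server: refid is the IPv4 address of its upstream server.
        reference = str(ipaddress.IPv4Address(refid))
    else:
        reference = None  # 0 = kiss-o'-death / unspecified, 16 = unsynchronized
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "reference": reference,
        "root_dispersion_s": root_disp / 65536,  # 16.16 fixed point
        "tx_unix": (tx_ts >> 32) - NTP_UNIX_OFFSET,
    }


def evaluate_reply(source_ip, pkt, allowed_sources, max_stratum=2):
    """Return (accepted, reason). allowed_sources mirrors the firewall's
    UDP/123 allow-list for the segregated network; max_stratum caps how
    far from the reference clock a trusted reply may be."""
    if source_ip not in allowed_sources:
        return False, f"{source_ip} is not a permitted time source"
    r = parse_reply(pkt)
    if r["mode"] != 4:
        return False, f"mode {r['mode']} is not a server reply"
    if r["leap"] == 3:
        return False, "server reports its clock is not synchronized (LI=3)"
    if r["stratum"] in (0, 16):
        return False, f"stratum {r['stratum']} carries no usable time"
    if r["stratum"] > max_stratum:
        return False, f"stratum {r['stratum']} exceeds the maximum of {max_stratum}"
    return True, f"stratum {r['stratum']} server, reference {r['reference']}"


# Constructed sample environment (assumption, not a real network): the OT
# segment's own GPS-disciplined stratum-1 server and one public stratum-2
# server are on the allow-list; 203.0.113.7 is not.
ALLOWED = {"10.20.0.5", "192.0.2.10"}
NOW = 1700000000
SAMPLES = {
    "local stratum-1": ("10.20.0.5", build_reply(1, b"GPS", NOW)),
    "public stratum-2": ("192.0.2.10",
                         build_reply(2, ipaddress.IPv4Address("192.0.2.1").packed, NOW)),
    "unsynchronized": ("10.20.0.5", build_reply(16, b"INIT", NOW, leap=3)),
    "rogue source": ("203.0.113.7", build_reply(1, b"GPS", NOW)),
}


def run_samples():
    """Evaluate every constructed reply against the allow-list and policy."""
    return {name: evaluate_reply(ip, pkt, ALLOWED) for name, (ip, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:17} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Tightening `max_stratum` to 1 rejects the public server and leaves only the locally owned stratum-1 server, which is the configuration option C describes; the source allow-list is the client-side counterpart of the UDP/123 rule a firewall in option B would enforce.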


10 thoughts on “Which of the following architectural decisions would BEST reduce the likelihood of a successful attack without harming operational capability?”

  1. I think the answer is BE. But it could be AC. Let’s play with the answer of AC first:
    AC: Isolate systems and provide your own time source. Could work in one power station, but what about the next power station? Q says… distribution sites, and they need to be highly synchronized based on NTP (Network Time Protocol). AC fails at distribution sites. All distribution sites will need a firewall and IDS to secure traffic.

    D is wrong as these are legacy things that are not supported any more.

    So this leaves us with BE.

    A. Isolate (No, cannot isolate because it needs to distribute power to the next site. Must have network connectivity to see how much load to distribute.)
    B. Install a firewall and IDS (Yes, every site/station will need this)
    C. Employ own stratum-0 and stratum-1 NTP servers (Maybe, but you can pull from trusted NTP such as the government.)
    D. Upgrade the software on critical systems (No, software not supported any more.)
    E. Configure the systems to use government-hosted NTP servers (Yes, trusted and economical.)

    1. The question specifically states the systems must: “pull from the *Internet* time sources.”
      I would think that means they cannot be on an entirely isolated lan.

  2. How is D not one of the correct answers? It says “highly vulnerable and unsupported software driving critical operations”.

    1. I’d argue because it specifically mentions “without harming operational capability” – any time you perform software upgrades or firmware upgrades you run the risk of things not being compatible with one another any more, and a ton of other possibilities. If you mitigate the risk with additional security equipment instead, you don’t have to risk the functionality of the pre-existing equipment.

    2. These are SCADA systems, so the question is asking “What is the best practice for SCADA systems?”

      A) Is a best practice. (Air gapping – Pearson Vue CAS003 Cert Guide P280)
      B) Is good practice, but only if air gapping is not possible. A is better than B, because it is the BEST answer to reduce an attack. (Someone who hacks the firewall can access the SCADA network.)
      C) Stratum 0 clocks are things like atomic clocks. Personally I don’t have any of those handy. So not this answer.
      D) Wrong – You’re a security engineer. Leave the SCADA systems to the SCADA engineer; installing patches on SCADA systems may not be possible anyway, or may reduce the availability of the systems, or void the warranty (see Pearson Cert Guide P280).
      E) This addresses the need to pull from internet time sources, and is the best option if you must use public time sources.

      The answers are A and E.

      1. Hey Sandman,

        Page 280 doesn’t speak on air gaps as far as I can see, it talks about network segregation.

        How is air-gapping possible when you’re going to be connecting to government-hosted NTP servers?

        A firewall + IDS is the only option if you want to have a segregated network + public NTP server.

        B/E
