200+ ICS_OT Cyber Security Review Questions

This document contains over 200 review questions related to the course 'Getting Started in Industrial (ICS/OT) Cyber Security', covering various topics such as cyber security threats, control systems, protocols, and secure network architecture. Each section includes questions with multiple choice answers, and an answer key is provided at the end. The questions address historical incidents, critical infrastructure, and best practices for securing industrial control systems.


200+ Review Questions

for
Getting Started in Industrial
(ICS/OT) Cyber Security

© 2025 Mike Holcomb


Review Questions: Getting Started in Industrial (ICS/OT) Cyber Security

This document contains review questions for each part in the Getting Started in
Industrial (ICS/OT) Cyber Security course. An answer key is provided at the end of the
document.

Part 1: Course Overview

There are no questions for this part.

Part 2: ICS/OT Cyber Security Overview

Question #1
Which of the following is of the least concern in industrial control environments?
A. Physical safety
B. Environmental safety
C. Data confidentiality
D. Site availability

Question #2
Discovered in 2010, which of the following ICS/OT-specific malware attacks targeted
the Natanz nuclear facility in Iran and has been described as “crossing the Rubicon?”
A. Stuxnet
B. Havex
C. TriSIS
D. Pipedream

Question #3
Which of the following was developed as an attack framework for targeting common
ICS/OT assets from common vendors (e.g., Schneider Electric, Omron) and industrial
protocols (e.g., Modbus, OPC UA, CODESYS)?
A. CosmicEnergy
B. Pipedream
C. Industroyer
D. Havex

Question #4
Which party is ultimately responsible for the cyber security of a facility?
A. Asset owner
B. Asset operator
C. Asset supplier
D. The facility’s cyber security team

Question #5
In 2015, which nation state adversary group was believed to be responsible for the
Ukrainian blackout?
A. Fancy Bear
B. Sandworm
C. Tailored Access Operations (TAO)
D. Bene Gesserit

Question #6
Which of the following is not considered a critical infrastructure sector according to the
Cybersecurity & Infrastructure Security Agency (CISA)?
A. Communications
B. Dams
C. Data Centers
D. Nuclear Reactors, Materials, and Waste

Question #7
Which critical infrastructure sector refers to those organizations which act as
contractors and subcontractors in helping the United States government accomplish its
goals and mission?
A. Emergency Services
B. Defense Industrial Base
C. Government Facilities
D. Critical Manufacturing

Question #8
Which of the following is the most overlooked aspect of cyber security in both ICS/OT
and IT networks?
A. Physical security
B. Data confidentiality
C. Phishing attacks
D. PLC vulnerabilities

Question #9
What is the least important aspect of cyber security in traditional IT networks?
A. Confidentiality
B. Integrity
C. Availability
D. Compliance

Question #10
In 2021, Colonial Pipeline had to take the United States’ largest oil pipeline offline for
approximately a week due to an attack launched by a ___________?
A. Nation-state adversary
B. Ransomware group
C. Hacktivist
D. Script Kiddie

Question #11
In 2003, part of the Davis-Besse nuclear power plant was taken down with commodity
malware, the SQL Slammer worm. How did this Internet-based malware get into an “air
gapped” nuclear power plant?

A. A contractor brought it in on an infected USB drive
B. A contractor had run a T1 data line into the plant from their office
C. A contractor had their laptop infected with SQL Slammer
D. A contractor maliciously inserted the malware onto the plant network

Question #12
How did the Sandworm attack group get its name?

A. Malware included the name ‘Sandworm’ inside
B. Their malware was signed with a certificate from Sandworm, LLC
C. Used campaign tags associated with the book Dune
D. The attackers named their original executable sandworm.exe

Question #13
An attacker has gained access to a data historian running Windows Server and SQL
Server. The attacker then proceeds to update some of the values. Which aspect of
cyber security does this activity violate? Choose the best answer.

A. Safety
B. Availability
C. Integrity
D. Confidentiality

Question #14
Most ICS/OT networks send communication to the associated IT network. Which of the
following is true about network communication FROM the IT network from the cyber
security perspective?

A. The IT network should be allowed to send any traffic to the OT network
B. The IT network should be allowed to only send RDP traffic to the OT network
C. The IT network should be allowed to send limited traffic to the OT network
D. The IT network should never be allowed to send any traffic to the OT network

Question #15
Which of the following is the least common way for attackers to gain access to an
ICS/OT network?

A. Malicious insider
B. Malware brought in on a “transitory cyber asset”
C. From the IT back office network
D. Control systems exposed directly to the Internet

Question #16
As highlighted during the course, a thermostat could be seen as an example of what
type of ICS/OT asset?

A. DCS
B. PLC
C. Engineering workstation
D. Data historian

Question #17
Which of the following would be most likely described by the term ‘SCADA’ rather than
the term ‘ICS’?

A. A remote substation having its flow of electricity monitored over a WAN link
B. An HMI that interfaces with a PLC within a power plant
C. An operator monitors performance of a system across the local network
D. A technician reviews an HMI that displays the process of the local facility

Question #18
Which of the following is not considered critical infrastructure by the United States
government as of January 2025?

A. Dams
B. Energy
C. Space
D. Defense Industrial Base

Question #19
What is the name of the ICS/OT attack toolkit that can be used to “automatically” target
a significant portion of ICS/OT assets?

A. FROSTYGOOP
B. STUXNET
C. SLOWFALL
D. PIPEDREAM

Question #20
Before the Colonial Pipeline breach, the majority of asset owners and operators were
concerned primarily with what type of cyber attacker?

A. State adversaries
B. Ransomware operators
C. Hacktivists
D. Script kiddies

Part 3: Main Types of Control Systems & Protocols

Question #1
Which of the following would be considered a field device?
A. Programmable Logic Controller
B. Data historian
C. Sensor
D. Modbus

Question #2
Which of the following industrial control assets is used to program a PLC?
A. Engineering Workstation (EWS)
B. Human Management Interface (HMI)
C. Safety Instrumented System (SIS)
D. Data Historian

Question #3
To secure a PLC using its key switch, which of the following is true?
A. Place the PLC in Program mode when the PLC is operational
B. Place the PLC in Secure mode when the PLC is operational
C. Place the PLC in Store mode when the PLC is operational
D. Place the PLC in Run mode when the PLC is operational

Question #4
Which of the following control systems typically runs commodity operating systems
(e.g., Windows, Linux) and commodity software (e.g., MS SQL Server, Oracle) making it
a prime target for attackers?
A. HMI
B. Data Historian
C. PLC
D. RTU

Question #5
Which of the following is the most common language used to program PLCs?
A. Ladder logic
B. S7 Comm
C. .Net Framework
D. Cobol

Question #6
Which of the following control systems is used to coordinate the operations of multiple
systems at a single location?
A. PLC Server
B. DCS
C. PCI
D. SCADA

Question #7
Which of the following control systems is a graphical interface used to monitor and
make changes to a PLC’s operation?
A. DCS
B. SCADA
C. IACS
D. HMI

Question #8
Which of the following control systems acts as a fail-safe backup which can be used to
safely shutdown the facility in the event of a plant fault or emergency situation?
A. DCS
B. PLC
C. RTU
D. SIS

Question #9
Due to its use of commodity operating systems and software that are popular in IT
environments, which of the following is a primary target for attackers?
A. PLC Server
B. Supervisory Control and Data Acquisition
C. Data Historian
D. DCS

Question #10
Which of the following is not considered an industrial control protocol?
A. NetBIOS
B. S7comm
C. Modbus
D. BACnet

Question #11
Which of the following is the last stage in the lifecycle of a plant?
A. Front End Engineering Design (FEED)
B. Procurement and Construction
C. Operations and Maintenance
D. Decommissioning

Question #12
A power plant has been in operation for over twenty years. This is an example of what
type of project?
A. Brownfield
B. Bluefield
C. Greenfield
D. No Field

Question #13
Which of the following is a mechanical device that controls the flow of liquids and gases
through a system?
A. Pump
B. Compressor
C. Valve
D. Sensor

Question #14
Which of the following would not be considered a type of actuator?
A. Pump
B. Compressor
C. Valve
D. Sensor

Question #15
What is the most used type of ICS/OT asset?
A. HMI
B. Data Historian
C. PLC
D. RTU

Question #16
An offshore oil rig can experience extreme temperatures, high humidity, corrosion,
vibration and shock. What type of ICS/OT asset should be implemented in this type of
environment?
A. Saturated
B. Ruggedized
C. Flared
D. Programmed

Question #17
Which of the following would not be considered a type of sensor?
A. Pump
B. Temperature
C. Humidity
D. Motion

Question #18
Which of the following types of ICS/OT assets was successfully targeted in the
Triton/Trisis incident in 2017?
A. HMI
B. Data Historian
C. SIS
D. RTU

Question #19
During the Stuxnet incident, operators in the control room were led to believe that all
centrifuges were operating correctly. In reality, the centrifuges were being manipulated
in order to break the systems down over time. This is most commonly referred to as an
example of what?
A. Loss of visibility
B. Loss of control
C. Loss of functionality
D. Loss of safety

Question #20
Which of the following only stores binary data, 1s and 0s, in Modbus?
A. Registers
B. Formulas
C. Coils
D. Joins

Unit 4: Secure Network Architecture
Question #1
Which level of the Purdue Model does a PLC typically reside on?
A. Level 0
B. Level 1
C. Level 2
D. Level 3

Question #2
The IT-OT DMZ resides between which two levels of the Purdue Model?
A. Levels 1 and 2
B. Levels 2 and 3
C. Levels 3 and 4
D. Levels 4 and 5

Question #3
Which of the following network-based appliances should be used to create the IT-OT
DMZ?
A. Firewall
B. Switch
C. Router
D. Network gateway

Question #4
Which of the following levels of the Purdue Model would an HMI typically be hosted on?
A. Level 1
B. Level 2
C. Level 3
D. Level 4

Question #5
Which of the following levels of the Purdue Model should be the only level that is
connected directly to the Internet?
A. Level 6
B. Level 5
C. Level 4
D. Level 3

Question #6
Which of the following ICS-specific malware attacks compromised the Safety
Instrumented System (SIS) of a petrochemical facility in the Middle East to target
human life?
A. Havex
B. Stuxnet
C. Trisis
D. Shamoon

Question #7
According to ISA 62443, the ICS/OT network should further be broken down into which
logical grouping of systems?
A. Zones
B. VLANs
C. Subnets
D. SANs

Question #8
The term IIoT refers to which of the following?
A. Use of a shared Active Directory structure between IT and OT
B. Deployment of IoT-based sensors within the ICS/OT network for defense
C. The IT connection directly to the Internet
D. Allowing ICS/OT assets to send data directly to the Internet for analysis

Question #9
Which of the following is typically not a consideration for cyber security teams?
A. Network security monitoring
B. Physical security
C. Secure remote access
D. Secure network architecture

Question #10
Which of the following social engineering attacks can be used to obtain sensitive
information that has been printed out?
A. Eavesdropping
B. Phishing
C. Shoulder surfing
D. Dumpster diving

Question #11
According to ISA/IEC 62443, which of the following is the term for the communication
paths between zones?
A. Circuits
B. Conduits
C. Pipes
D. Pathways

Question #12
Which of the following TWO options would have helped prevent the SIS from being
compromised during the 2017 TriSIS incident?
A. Preventing the SIS from communicating with the rest of the ICS/OT network
B. Configure the SIS to allow all communication from the ICS/OT network
C. Setting the SIS key switch to Run mode
D. Setting the SIS key switch to Program mode

Question #13
Michael Assante and Rob Lee created the ICS Cyber Kill-Chain. At which stage of the
ICS Cyber Kill-Chain would an attacker be considered to have access to the ICS/OT
environment?
A. Stage 1
B. Stage 2
C. Stage 3
D. Stage 4

Question #14
Which of the following pieces of hardware uses physics to enforce one-way
communication from one network segment to another?
A. Switch
B. Firewall
C. Directional gateway
D. Data diode

Question #15
Which of the following pieces of hardware can act as a router and be used to implement
VLANs within a plant network?
A. Switch
B. Firewall
C. Directional gateway
D. Data diode

Question #16
Which port does Modbus typically run on?
A. TCP 102
B. TCP 502
C. TCP 3389
D. TCP 44818

Question #17
Which port does EthernetIP typically run on?
A. TCP 102
B. TCP 502
C. TCP 3389
D. TCP 44818

Question #18
Review the following firewall ACL. Which line would allow Remote Desktop Protocol
(RDP) connections from one network to another?

(1) permit tcp any host 10.10.50.152 eq 80
(2) permit tcp any host 10.10.50.152 eq 502
(3) permit tcp any host 10.10.50.168 eq 3389
(4) permit tcp any host 10.10.50.170 eq 123

A. Line 1
B. Line 2
C. Line 3
D. Line 4

Question #19
Review the following firewall ACL. Which line would be considered the MOST
restrictive?

(1) permit tcp any host 10.10.10.10 eq 502
(2) permit tcp host 192.168.15.12 host 10.10.10.50 eq 80
(3) permit tcp host 192.168.15.12 eq 44818 host 10.10.10.50 eq 44818
(4) permit ip any any

A. Line 1
B. Line 2
C. Line 3
D. Line 4

Question #20
Which type of firewall could be used between the IT and OT networks to inspect traffic
passing through the firewall for signs of malicious activity?
A. Packet filtering
B. Unidirectional
C. Deep packet inspection
D. Stateful inspection

Unit 5: Asset Registers and Control Systems Inventory
Question #1
An asset register should include all of the following except:
A. Hardware
B. Software
C. Firmware
D. Personnel records

Question #2
Which of the following is not considered a method for building a complete ICS/OT asset
register?
A. Physically walking the environment
B. Reviewing network packet captures
C. Actively scanning Levels 4 & 5 of the Purdue Model
D. Review existing data in project files

Question #3
Which of the following could potentially create availability issues within the ICS/OT
network?
A. Passive scanning of networks with Nmap
B. Active scanning of networks with Nmap
C. Passive scanning of networks with Wireshark
D. Active scanning of networks with Wireshark

Question #4
Which is considered the most physically dangerous method of building an asset
register?
A. Physically walking the environment
B. Reviewing network packet captures
C. Actively scanning Levels 4 & 5 of the Purdue Model
D. Reviewing existing data in project files

Question #5
Which of the following properties would normally not be included in an asset register?
A. Asset name
B. Serial number
C. Invoice approver
D. Last maintenance date

Question #6
When should an asset register be considered 100% complete and accurate?
A. Once the Change Management process is completed
B. Once the initial register is completed and before the annual update process
C. Only after the asset register has received an annual update
D. Never

Question #7
Which of the following is the most common way to store asset registers?
A. Microsoft Excel
B. COTS
C. Notepad / Wordpad
D. Cloud-based inventory application

Question #8
Which of the following should be completed while building an asset register while
walking the site?
A. Check the key switch position for each PLC
B. Ensure anti-virus software is installed and updated on each Windows host
C. Review the structural integrity of both sides of a WAN connection
D. Conduct a review of the firewall ACLs between the IT and OT networks

Question #9
Which of the following commands can be used to display the arp cache on a Windows
system?
A. arp
B. arp -c
C. arp -a
D. cat /proc/net/arp

Question #10
Which of the following tools could be used for active discovery of ICS/OT network
hosts?
A. Wireshark
B. Nmap
C. Network Miner
D. Shodan

Question #11
How often should an asset register be updated?
A. Weekly
B. Monthly
C. Quarterly
D. Depends on the requirements of the company

Question #12
Which of the following would not be considered a method for securing an asset
register?
A. System hardening
B. Encryption
C. Leaving printed copy in unrestricted area
D. Access controls

Question #13
Which tool can be seen as an alternative to Wireshark to read packet captures and
easily extract captured artifacts like files, images and credentials?
A. Nmap
B. Network Miner
C. Suricata
D. Turboshark

Question #14
By default, how many TCP ports does an Nmap scan test?
A. 100
B. 1,000
C. 10,000
D. 1,000,000

Question #15
Which is the last packet in the TCP three-way handshake?
A. ACK
B. SYN
C. FIN
D. URG

Question #16
Which of the following Nmap commands would scan for Modbus on a network?
A. nmap 10.10.10.0/24 -p 502
B. nmap 10.10.10.0/24 -sU -p 502
C. nmap 10.10.10.0/24 -p 102
D. nmap 10.10.10.0/24 -sU -p 102

Question #17
Which of the following Nmap commands would scan for SNMP on a network?
A. nmap 10.10.10.0/24 -p 102
B. nmap 10.10.10.0/24 -sU -p 102
C. nmap 10.10.10.0/24 -p 161
D. nmap 10.10.10.0/24 -sU -p 161

Question #18
Which nmap switch is used to conduct a ping sweep?
A. -p-
B. -sP
C. -sU
D. -sV

Question #19
An Nmap service scan is used to discover the open ports on a target IP address as well
as additional information about the service associated with each open port. Additional
information included the vendor and version of the associated service/application
running on the port.

Which parameter was used to conduct the service scan?

A. -v
B. -V
C. -sV
D. -sP

Question #20
An Nmap service scan is used to discover the open ports on a target IP address as well
as additional information about the service associated with each open port. Additional
information included the vendor and version of the associated service/application
running on the port.

With the gathered information from the Nmap service scan, one could use this
information to potentially determine the existence of what on the target?

A. Vulnerabilities
B. Coding issues
C. Timing issues
D. Operational availability issues

Unit 6: Threat & Vulnerability Management
Question #1
Which of the following is the most important to successful vulnerability management in
ICS/OT environments?
A. Asset registers
B. Active scanning
C. Passive scanning
D. Vulnerability remediation

Question #2
To calculate risk, the Threat is multiplied with three other factors. Which of the
following is not one of these three factors?
A. Vulnerability
B. Exploitation
C. Probability
D. Impact

Question #3
In the Vulnerability Management lifecycle for IT, what happens after the Remediate
phase?
A. Verification
B. Scanning
C. Prioritization
D. Asset Management

Question #4
A recently announced vulnerability has a CVSS score of 8.8. What risk classification
would this vulnerability be assigned?
A. Critical
B. High
C. Medium
D. Low

Question #5
Traditional vulnerability scanners by default search for vulnerabilities associated with all
of the following except which?
A. Operating system
B. Installed applications
C. Exposed services
D. Web applications

Question #6
Which of the following vulnerabilities would more than likely be the last to be
remediated?
A. A Windows-system directly exposed to the Internet
B. A pressure sensor at Level 0 of the Purdue Model
C. A data historian located in the IT/OT DMZ running Linux
D. An engineering workstation running Windows at Level 3

Question #7
Which of the following levels of the Purdue Model is typically considered not suitable
for active scanning?
A. Level 1
B. Level 2
C. Level 3
D. Level 3.5

Question #8
Which of the following levels of the Purdue Model is typically not going to receive
immediate updates on software and firmware?
A. Level 1
B. Level 2
C. Level 3
D. Level 3.5

Question #9
Which of the following would not be considered an Indicator of Compromise (IOC)?
A. IP address
B. File hash
C. Serial number
D. Domain name

Question #10
Which of the following is an organization that shares intel about cyber threats
associated with a particular sector?
A. ISSA
B. ISACA
C. ISAC
D. ISA

Question #11
In more mature organizations, analysts can use cyber threat intel with tools such as a
SIEM to find specific indicators in the environment that might indicate that malicious
activity is occurring. This process is most specifically known as…?
A. Threat analysis
B. Threat hunting
C. OSINT
D. Using the Diamond Model

Question #12
Becoming a member of an ISAC and having access to information provided by other
ISAC members, as well as sharing your own, is considered a type of?
A. Formal sharing
B. Informal sharing
C. Regulated sharing
D. Irregulated sharing

Question #13
If you were on the ICS/OT cyber security team for a large pipeline provider, you would
want to monitor news feeds for alerts related to which types of environments most
specifically?
A. Manufacturing facilities
B. Nuclear power plants
C. Pipeline providers
D. LNG terminals

Question #14
Which of the following would not be considered a valid source of ICS/OT cyber intel?
A. dragos.com
B. mandiant.com
C. bleepingcomputer.com
D. cisa.org

Question #15
Which is considered the last step of building an ICS/OT threat intel program?
A. Sharing
B. Analyzing data
C. Collecting data
D. Developing threat indicators

Question #16
Which of the following is not considered a part of the Diamond Model?
A. Infrastructure
B. Adversary
C. Capability
D. Tools

Question #17
Which of the following TWO scheduled windows would be the best for testing ICS/OT
assets actively for vulnerabilities?
A. DAT
B. FAT
C. SAT
D. TAT

Question #18
Which of the following is the most common vulnerability scanner used for active
vulnerability scanning in IT, and potentially at higher levels of the Purdue Model where
the organization understands there are no safety issues involved?
A. Nessus
B. Qualys
C. Metasploit
D. Chiefscanner

Question #19
During the IT Vulnerability Management process, which phase follows the Scan phase?
A. Asset management
B. Prioritize
C. Remediate
D. Verify

Question #20
While not considered cyber, a hurricane is still considered a ___________ which can
cause significant destruction of a plant and impact operational availability.
A. Threat
B. Vulnerability
C. Risk
D. Impact

Unit 7: OSINT for Industrial Controls
Question #1
Which of the following refers to intelligence gathered from confidential informants
and spies?
A. HUMINT
B. SIGINT
C. COMINT
D. ELINT

Question #2
Which records can help provide further information associated with a specific domain
name and its registration?
A. nslookup
B. arp
C. whois
D. dns

Question #3
Which of the following sites can be used to obtain a list of hosts associated with a
domain name?
A. whois.com
B. dnsdumpster.com
C. linkedin.com
D. iana.org

Question #4
Which of the following sites could be used to gain sensitive information posted about a
target organization such as what ICS vendors they use?
A. whois.com
B. dnsdumpster.com
C. linkedin.com
D. iana.org

Question #5
Which of the following is not considered an ICS/OT-specific protocol that is discovered
by Shodan?
A. HTTPS
B. Modbus
C. S7comm
D. BACnet

Question #6
Which of the following Shodan searches could be used to find potential devices
exposed to the Internet via Modbus?
A. port:502
B. port:102
C. port:80
D. port:443

Question #7
Which of the following Shodan searches could be used to search for findings across an
entire subnet range?
A. subnet:14.14.14.0/24
B. range:14.14.14.0/24
C. region:14.14.14.0/24
D. net:14.14.14.0/24

Question #8
Which of the following ICS-specific protocols is associated with building automation
systems?
A. HTTPS
B. Modbus
C. S7comm
D. BACnet

Question #9
Which of the following devices is designed to purposefully be hacked?
A. NIDS
B. NIPS
C. Honeypot
D. Deep packet inspection firewall

Question #10
Which of the following Shodan features could be used to find HMIs that are exposed to
the Internet?
A. Images search
B. SCADA tag search
C. Siemens tag search
D. RDP search

Question #11
Which of the following is not considered a type of intelligence?
A. OSINT
B. HUMINT
C. ICSINT
D. SIGINT

Question #12
OSINT indirectly maps to which phases of the penetration testing methodology?
A. Reconnaissance
B. Scanning & enumeration
C. Exploitation
D. Post-exploitation

Question #13
Which is true about the following custom Google search?

site:.edu intext:"robotics" inurl:/research

A. It searches all websites except those ending in .edu
B. It searches for a URL with the word research in it
C. It searches for the word “research” in the title of the website
D. It searches for the word “robotics” in the address of the website

Question #14
When starting a new engagement, what will be your most likely starting point?
A. The LinkedIn profile of the target company’s CEO
B. The LinkedIn profile of the target company’s CIO
C. The target company’s main website
D. A Google search on the target company’s financials

Question #15
Which of the following tools was created by Steve Micallef in 2012 and is considered
the “shotgun approach” of OSINT?
A. Dehashed
B. SpiderFoot
C. GoSubmarine
D. Hunter

Question #16
Which of the following is not a common way for attackers to gain access to an
ICS/OT network?
A. From the IT back office/enterprise network
B. Physically brought in by “transitory cyber assets”
C. Via legitimate remote access capabilities
D. Through control systems that are not exposed to the Internet

Question #17
Which of the sites can be used to determine if a known email address is associated
with a public breach?
A. haveibeenhacked.com
B. ohwowthatsucks.com
C. haveibeenpwned.com
D. dontclickme.com

Question #18
Which of the following Shodan searches would look for all potential PLCs running
Modbus TCP/IP in the country of China?
A. port:502 country:"cn"
B. port:161 country:"cn"
C. port:502 co:"cn"
D. port:161 co:"cn"

Question #19
Which of the following ICS/OT protocols runs over TCP 44818?
A. Modbus
B. S7
C. EthernetIP
D. CODESYS

Question #20
Which of the following searches would find the string “Programmable Logic Controller”
in returned banner information on hosts scanned by Shodan?
A. Programmable Logic Controller
B. “Programmable Logic Controller”
C. ics:Programmable Logic Controller
D. ics:”Programmable Logic Controller”

Question #21
Which of the following tools can be used from the command line to lookup Shodan
information in an Nmap format?
A. Shodan CLI
B. Nmap
C. Smap
D. SmapNG

Question #22
Which of the following websites can be used for tracking security vulnerabilities
related to ICS/OT?
A. ICS Advisory Project
B. OT Tenable Vulnerability Dashboard
C. Dragos Community Defense Program
D. ICS/OT VulnExchange

Question #23
Using the Open Infrastructure Map (openinframap.org), what is the southernmost
rated power station on the island of Manhattan (New York City)?
A. Greensville County
B. San Onofre
C. Con Ed East River
D. Woodrow

Question #24
What type of power station is the above?
A. Nuclear
B. Solar
C. Oil/Gas
D. Coal

Question #25
Which of the following is discovered with Google using the following custom search:

"/rokform/advancedDiags?pageReq=tcpconn"

A. The memory diagnostics page on a Siemens PLC
B. The TCP connections page on an AB/Rockwell PLC
C. The CPU utilization on a Unitronics HMI/PLC
D. The run mode status page on a CLICK PLC

Unit 8: Incident Detection
Question #1
According to the Pyramid of Pain, which of the following IOCs is the easiest to use to
find malicious activity?
A. Hash values
B. IP addresses
C. Domain Names
D. TTPs

Question #2
Which of the following is a framework provided to help defenders understand what
attackers do once they have gained a foothold in the environment?
A. The Cyber Kill Chain
B. The Diamond Model
C. MITRE ATT&CK
D. OSINT

Question #3
Which of the following would not be considered network forms of incident detection?
A. NIPS
B. NIDS
C. EDR
D. Network firewall

Question #4
Which of the following types of intrusion detection platforms can be used to alert on
known malicious traffic at the network level, but takes no further action?
A. NIDS
B. NIPS
C. HIDS
D. HIPS

Question #5
Which of the following types of host-based intrusion detection platforms can be used to
alert on known malicious traffic and take steps to block the activity?
A. NIDS
B. NIPS
C. HIDS
D. HIPS

Question #6
Which of the following network devices broadcasts a received packet out all available
physical ports?
A. Hub
B. Switch
C. Router
D. Firewall

Question #7
Which of the following can be used to centrally store security events while performing
event correlation to identify suspicious and malicious activity requiring human
investigation?
A. Stateful inspection firewall
B. Deep packet inspection firewall
C. HIPS
D. SIEM

Question #8
Which of the following is not true related to logging and collection of security event
data?
A. Security event data should be forwarded to a central location for archiving.
B. Human analysts are capable of manually analyzing large amounts of security
event data.
C. Archived logging data should be protected by security controls to ensure
integrity.
D. Threat and Vulnerability Management data can be incorporated with security
event data to provide additional context.

Question #9
Which of the following is an open-source Honeypot platform that can simulate an
ICS/OT asset?
A. Honeypot
B. T-Pot
C. Sanders
D. SIEM

Question #10
Proactively searching for signs of malicious activity on the network is referred to as
which of the following?
A. Intrusion detection
B. Honeypot activity
C. Threat hunting
D. Intrusion prevention

Question #11
Which of the following types of intrusion detection platforms would you not implement
in an ICS/OT environment based on its potential for actively blocking legitimate traffic?
A. NIDS
B. NIPS
C. HIDS
D. HIPS

Question #12
What percentage of ICS/OT networks globally are performing network security
monitoring?
A. Under 5%
B. 5% to 25%
C. 26% to 50%
D. Over 50%

Question #13
Which of the following is not one of the fields that make up the network 5-tuple?
A. Source IP address
B. Destination port
C. Gateway
D. Protocol
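
As an added illustration (not part of the original course material) of the 5-tuple in Question #13 and of alert-only detection as in Question #4, the Python below extracts the 5-tuple from constructed flow records (invented here, in a Zeek conn.log-like shape) and runs two simple rules over them: Modbus (TCP/502) from a client that is not on the allow-list, and one source touching several ports on one host. It only emits alerts, the way a NIDS does; nothing is blocked. The addresses, ports and allow-list are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port protocol")

MODBUS_PORT = 502
SCAN_THRESHOLD = 3  # distinct destination ports on one host before we call it a scan

# Constructed flow records (invented for this example, Zeek conn.log-like fields).
SAMPLE_FLOWS = [
    {"ts": 1000, "src": "10.1.3.20", "sport": 50123, "dst": "10.1.1.10", "dport": 502, "proto": "tcp"},
    {"ts": 1001, "src": "10.1.4.55", "sport": 44021, "dst": "10.1.1.10", "dport": 502, "proto": "tcp"},
    {"ts": 1002, "src": "10.1.4.55", "sport": 44022, "dst": "10.1.1.10", "dport": 102, "proto": "tcp"},
    {"ts": 1003, "src": "10.1.4.55", "sport": 44023, "dst": "10.1.1.10", "dport": 44818, "proto": "tcp"},
    {"ts": 1004, "src": "10.1.4.55", "sport": 44024, "dst": "10.1.1.10", "dport": 20000, "proto": "tcp"},
    {"ts": 1005, "src": "10.1.3.21", "sport": 50500, "dst": "10.1.1.10", "dport": 502, "proto": "tcp"},
]

# Hosts expected to poll the PLC over Modbus (assumed here: an HMI and an EWS).
ALLOWED_MODBUS_CLIENTS = {"10.1.3.20", "10.1.3.21"}


def five_tuple(flow):
    """The 5-tuple identifies a conversation: source IP/port, destination IP/port
    and transport protocol. The gateway the packets traverse is not part of it."""
    return FiveTuple(flow["src"], flow["sport"], flow["dst"], flow["dport"], flow["proto"])


def detect(flows, allowed_modbus_clients=ALLOWED_MODBUS_CLIENTS, scan_threshold=SCAN_THRESHOLD):
    """Passive detection over flow records. Returns a list of alerts and never
    drops traffic (NIDS behaviour, the safe choice in an ICS/OT network)."""
    alerts = []
    ports_per_pair = defaultdict(set)   # (src_ip, dst_ip) -> destination ports seen
    scan_reported = set()
    for flow in flows:
        t = five_tuple(flow)
        # Rule 1: Modbus from anything not on the allow-list. Modbus has no
        # authentication, so an unexpected client can read and write the process.
        if t.protocol == "tcp" and t.dst_port == MODBUS_PORT and t.src_ip not in allowed_modbus_clients:
            alerts.append({"rule": "modbus-unexpected-client", "ts": flow["ts"], "tuple": t})
        # Rule 2: one source probing several ports on one host (horizontal scan).
        pair = (t.src_ip, t.dst_ip)
        ports_per_pair[pair].add(t.dst_port)
        if len(ports_per_pair[pair]) >= scan_threshold and pair not in scan_reported:
            scan_reported.add(pair)
            alerts.append({"rule": "port-scan", "ts": flow["ts"], "tuple": t,
                           "ports": sorted(ports_per_pair[pair])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert["rule"], alert["tuple"], alert.get("ports", ""))
```

In a real deployment the sensor would read these flows from a SPAN port or tap (see Question #16) and forward the alerts to the SIEM, where they are correlated with asset-inventory and vulnerability context before an analyst looks at them.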

Question #14
Which of the following indicator types sits at the top of the Pyramid of Pain?
A. TTPs
B. Tools
C. Network/host artifacts
D. IP addresses

Question #15
What type of network traffic is sent from one computer to all of the other systems on
the same subnet?
A. Unicast
B. Multicast
C. Parallelcast
D. Broadcast

Question #16
Which of the following “old school” network devices could be used in an emergency as
a network tap?
A. Hub
B. Layer 2 Switch
C. Layer 3 Switch
D. Router

Question #17
Which application could be used to read broadcast traffic off the wire?
A. Nmap
B. Ncat
C. Wireshark
D. Wirecat

Question #18
Events from which of the following systems would be collected in a SIEM for event
correlation and alerting?
A. Firewalls
B. Intrusion detection
C. Active Directory
D. Endpoint Detection & Response (EDR)

Question #19
Which type of network hardware prevents broadcasts from passing from one network
to another?
A. Hub
B. Layer 2 switch
C. Layer 3 switch
D. Router

Question #20
The first Tactic listed on MITRE ATT&CK for ICS is what?
A. Execution
B. Initial Access
C. Persistence
D. Privilege Escalation

Unit 9: Incident Response
Question #1
Without additional context, which of the following is neither good nor bad?
A. Event
B. Alert
C. Incident
D. Breach

Question #2
A security incident which includes unauthorized access to sensitive data is classified as
a what?
A. Event
B. Alert
C. Incident
D. Breach

Question #3
A single maintenance laptop is found to be infected with malware, which then spreads
to a Windows-based data historian and an engineering workstation. Which risk
classification should be assigned to this incident?
A. Low
B. Medium
C. High
D. Critical

Question #4
If a cyber security incident presents risk to either physical or environmental safety,
which risk classification should be assigned to this incident?
A. Low
B. Medium
C. High
D. Critical

Question #5
Which of the following phases of the Incident Response process includes providing
training to the Incident Response Team members?
A. Preparation
B. Identification
C. Recovery
D. Lessons Learned

Question #6
Which of the following phases of the Incident Response process includes resetting any
passwords and tokens for employees?
A. Preparation
B. Containment
C. Eradication
D. Recovery

Question #7
Which of the following phases includes members of the Incident Response Team
working to understand the organization’s strengths during an incident as well as
opportunities for improvement?
A. Preparation
B. Identification
C. Recovery
D. Lessons Learned

Question #8
During an incident, which of the following is necessary for communications?
A. Informing all employees of the incident
B. Informing all clients and partners of the incident
C. Use out-of-band communication for responders
D. Work with local news media to publish an appropriate news story

Question #9
Which of the following can be used as a tool for reinforcing the actions to be taken by
Incident Response Team members during an incident?
A. Tabletop Exercise
B. Email phishing campaign
C. Incident playbook
D. Incident runbook

Question #10
Which of the following tools can be used to help people learn and understand incident
response better?
A. Chutes & Ladders
B. Backdoors & Breaches
C. Dungeons & Dragons
D. Offices & Cubicles

Question #11
Which is the first step of the Incident Response Process?
A. Preparation
B. Identification
C. Containment
D. Lessons Learned

Question #12
Which is the last step of the Incident Response Process?
A. Preparation
B. Identification
C. Containment
D. Lessons Learned

Question #13
Which of the following would not be considered part of the Preparation phase?
A. Writing policies and procedures
B. Determining needs for out-of-band communication
C. Performing regularly scheduled tabletop exercises
D. Restoring systems from backup

Question #14
Which of the following would not be considered part of the Recovery phase?
A. Conducting an emergency tabletop exercise
B. Getting the plant back up and running
C. Performing additional monitoring in an elevated state of alert
D. Collecting documentation for a Lessons Learned review

Question #15
Which of the following is considered a proactive security control?
A. Reviewing alerts in a SIEM
B. Performing threat hunting
C. Reviewing CCTV footage after an incident has occurred
D. Reporting an incident to legal authorities when required

Question #16
Which of the following would most likely act as the Incident Response Team Lead for
an ICS/OT cyber security incident?
A. ICS/OT cyber security manager
B. Control systems engineer
C. Process engineer
D. HR

Question #17
Which of the following would never be considered for membership on the Incident
Response Team during an incident?
A. Legal
B. Plant manager
C. Process engineer
D. HR

Question #18
What is the primary goal of the Containment phase during incident response?
A. Prevent the attack from spreading further
B. Restore normal operations as quickly (and safely) as possible
C. Restore all systems from known good backups
D. Identify opportunities for improvement with a Lessons Learned exercise

Question #19
Which of the following is not a main goal of conducting a tabletop exercise (TTX)?
A. Identify security gaps for improvement
B. Help team members become more comfortable with the incident response
process
C. Ensure team members understand where to find, and how to use, procedures and
other documentation related to incident response
D. Exclude team members in non-technical roles

Question #20
Which of the following includes step-by-step instructions on each task to be performed
during incident response?
A. Runbook
B. Turnbook
C. Playbook
D. Playbill

Unit 10: Risk Assessments, Governance & Compliance
Question #1
At which phase of the ISA 62443 life cycle is a target level assigned to a zone’s Security
Level?
A. Assess
B. Design & Implement
C. Improve
D. Maintain

Question #2
Which of the following is a logical grouping of systems with a shared mission?
A. Conduit
B. Network
C. Subnet
D. Zone

Question #3
Which of the following Security Levels would be assigned when protection against
nation state adversaries is required?
A. SL-0
B. SL-1
C. SL-4
D. SL-5

Question #4
Which of the following zones should be assigned the highest possible Security Level?
A. Safety Instrumented System (SIS)
B. Engineering
C. Operations Center
D. Plant Maintenance WiFi

Question #5
At which phase of the ISA 62443 life cycle is an achieved Security Level assigned to a
zone?
A. Assess
B. Design & Implement
C. Improve
D. Maintain

Question #6
Which of the following is not one of the four T’s of addressing risk?
A. Tolerate
B. Triage
C. Transfer
D. Terminate

Question #7
Which of the following is not one of the five D’s of cyber security defense?
A. Deter
B. Direct
C. Deflect
D. Delay

Question #8
Which of the following establishes the need for cyber security within an organization
and authorizes a cyber security program?
A. Policy
B. Standard
C. Guideline
D. Best Practice

Question #9
Which of the following governs cyber security regulations for entities responsible for
electricity generation and transmission in the United States?
A. FERC
B. NERC
C. JERC
D. WERC

Question #10
Which of the following ISA 62443 Foundational Requirements (FRs) addresses secure
network architecture?
A. Use Control (UC)
B. System Integrity (SI)
C. Timely Response to Events (TRE)
D. Restricted Data Flow (RDF)

Question #11
Which of the following is a requirement for meeting NIS2 compliance in the EU?
A. Implement risk-based security controls
B. Replace all OT assets with cloud-based equivalents
C. Encrypt all ICS/OT network traffic
D. Report cybersecurity incidents to NERC within a timely manner

Question #12
According to NIS2, how long does an entity have to submit its initial early warning of
a significant cybersecurity incident once it becomes aware of it?
A. 24 hours
B. 48 hours
C. 14 days
D. 30 days/1 month

Question #13
ISA stands for which of the following?
A. Industrial Systems Association
B. Instrumentation Standards Alliance
C. International Society of Automation
D. Industrial Safety Association

Question #14
Which of the following standards is based in IT but could still be leveraged in ICS/OT to
establish a cybersecurity management program that focuses on continual
improvement?
A. ISA/IEC 62443
B. NIST 800-82
C. ISO 27001/27002
D. Cyber Resilience Act (CRA)

Question #15
Which of the following sectors is not covered by the TSA Security Directives?
A. Pipeline operators
B. Power generation
C. Light rail transit
D. High-speed rail

Question #16
Which phase of the NIST Cybersecurity Framework was added in v2?
A. Respond
B. Detect
C. Prepare
D. Govern

Question #17
Which of the following ISA/IEC 62443 standards provides requirements for and
information on how to conduct risk assessments?
A. 62443-1-1
B. 62443-2-2
C. 62443-3-2
D. 62443-3-1

Question #18
Which of the following is not part of the ISA 62443 life cycle?
A. Assess
B. Design & Implement
C. Improve
D. Maintain

Question #19
Which of the following 62443 security levels provides no security protection?
A. SL-0
B. SL-1
C. SL-2
D. SL-3

Question #20
Chlorine, ammonia and phosgene are classified as Release Toxic Chemicals and are
covered under which of the following?
A. ISA 62443
B. ISA 62444
C. CFATS
D. CSATS

Unit 11: Penetration Testing for ICS/OT
Question #1
Which of the following is absolutely required before any penetration testing may be
performed against a system?
A. Rules of engagement
B. Authorization
C. Obtaining tools
D. Review of client’s policies, standards and procedures

Question #2
Which of the following tools can be used to craft a payload and launch an exploit
against a potentially vulnerable asset?
A. Nmap
B. Wireshark
C. Metasploit
D. CrackMapExec

Question #3
Which stage of the ICS Kill Chain is associated with an attacker being on the IT
network?
A. Stage 0
B. Stage 1
C. Stage 2
D. Stage 3

Question #4
Which type of penetration test involves the penetration tester receiving no information
about a target environment?
A. Black box
B. Grey box
C. White box
D. Red box

Question #5
Which of the following Nmap commands would effectively enumerate an ICS asset
running Modbus?
A. nmap 10.10.10.15 -p 102 --script modbus-discover
B. nmap 10.10.10.15 -p 502 --script discover-modbus
C. nmap 10.10.10.15 -p 102 --script discover-modbus
D. nmap 10.10.10.15 -p 502 --script modbus-discover

Question #6
Which Modbus function code corresponds to the ‘Read Coils’ command?
A. 1
B. 2
C. 17
D. 20

Question #7
Which of the following tactics is used when an attacker sends large amounts of junk
data to an application or service to see how the target responds?
A. Spraying
B. Fuzzing
C. Scanning
D. Obfuscating

Question #8
Which of the following tactics is used when attempting to determine a login password
for a target asset over the network using a pre-compiled file of hundreds of possible
passwords?
A. Brute force
B. Dictionary attack
C. Wordlist attack
D. Password spray

Question #9
Which of the following web application vulnerabilities allows an attacker to access
information outside of the web app’s root directory? Choose the most appropriate
answer.
A. Directory traversal
B. Local file inclusion
C. Remote file inclusion
D. SQL injection
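
Question #9 turns on whether a requested path stays under the web application's root or escapes it. The following is an added example, not from the course, showing the vulnerable resolution beside a hardened one in Python; the web root, the sample requests and the helper names are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/hmi"   # assumed web root of an HMI's embedded web server


def vulnerable_resolve(user_path):
    """Deliberately vulnerable: joins user input to the root and normalizes.
    '../' segments, or an absolute path, walk the result out of WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path):
    """Hardened: decode percent-encoding first (so %2e%2e%2f is seen as ../),
    strip a leading slash so an absolute path cannot replace the root,
    normalize, then prove the result is still inside WEB_ROOT."""
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError("path escapes web root: %r" % user_path)
    return candidate


def is_inside_root(user_path):
    """True if safe_resolve() accepts the path, False if it is rejected."""
    try:
        safe_resolve(user_path)
        return True
    except PermissionError:
        return False


# Constructed inputs: the normal case, classic traversal, an absolute path,
# a percent-encoded traversal that a naive '../' string check would miss,
# and a harmless '..' that stays inside the root.
SAMPLE_REQUESTS = ["index.html", "../../../etc/passwd", "/etc/passwd",
                   "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "static/../index.html"]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print("%-34s vulnerable -> %-26s safe accepts -> %s"
              % (p, vulnerable_resolve(p), is_inside_root(p)))
```

On a real server the check should run against the path after the framework has URL-decoded it and after symlinks are resolved (os.path.realpath), otherwise a symlink inside the root or a double-encoded request (%252e) can still reach files outside it.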

Question #10
Which of the following ICS assets is most likely to be running a web service which could
be used to gain access to the host?
A. PLC
B. Engineering workstation
C. RTU
D. HMI

Question #11
Which level of the Purdue Model sits between the IT and OT network and is often the
target of an assumed breach scenario?
A. 1.5
B. 2.5
C. 3.5
D. 4.5

Question #12
What is the #1 attack vector into ICS/OT environments?
A. Transitory cyber assets
B. Secure remote access
C. Internet-exposed devices
D. The IT network

Question #13
Which of the following is true?
A. 40% of ICS/OT attacks are coming from IT
B. 40% of ICS/OT attacks are ransomware
C. 40% of OT passwords are the same as IT
D. 40% of ICS/OT networks have Internet-exposed PLCs

Question #14
Based on the MITRE ATT&CK for ICS framework, the first step in the ICS/OT penetration
testing process is what?
A. Reconnaissance
B. Discovery
C. Collection
D. Evasion

Question #15
Referencing the MITRE ATT&CK for ICS framework, which of the following steps is used
to find live assets on the network?
A. Reconnaissance
B. Discovery
C. Collection
D. Lateral movement

Question #16
Referencing the MITRE ATT&CK for ICS framework, which of the following steps is used
to enumerate more information about assets on the network?
A. Reconnaissance
B. Discovery
C. Collection
D. Lateral movement

Question #17
Which ICS-specific malware resulted in the loss of heating to 600 apartment buildings
in Ukraine during sub-zero temperatures for two days?
A. Havex
B. Stuxnet
C. Pipedream
D. FrostyGoop

Question #18
Which of the following tools could be used, along with vendor research information, to
create ICS-specific malware like the one listed in the previous question?
A. GenAI like ChatGPT
B. Outlook
C. OneNote
D. Python

Question #19
In Modbus, which of the following stores 16-bit values rather than a single bit?
A. Coils
B. Registers
C. Holders
D. Containers
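
The Modbus questions above (Nmap's modbus-discover script on TCP/502 in Question #5, function code 1 for Read Coils in Question #6, and coils versus registers in Question #19) are easier to reason about with the wire format in front of you. The following is an added example, not course material: it builds a Modbus/TCP request the way a scanner or HMI would, and parses constructed server responses. The unit id, the response bytes and the exchange helper are invented for the illustration; the function codes and frame layout are from the Modbus application protocol specification.

```python
import struct

# Modbus function codes from the Modbus Application Protocol specification.
FC_READ_COILS = 1              # coils: single-bit values, read/write
FC_READ_DISCRETE_INPUTS = 2    # single-bit values, read-only
FC_READ_HOLDING_REGISTERS = 3  # 16-bit registers, read/write
FC_WRITE_SINGLE_COIL = 5
FC_WRITE_SINGLE_REGISTER = 6
MODBUS_TCP_PORT = 502          # the port nmap's modbus-discover script targets


def build_request(transaction_id, unit_id, function_code, start_address, quantity):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    MBAP = transaction id, protocol id (always 0), remaining length, unit id."""
    pdu = struct.pack(">BHH", function_code, start_address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(data):
    """Split a Modbus/TCP ADU into header fields and the PDU bytes."""
    if len(data) < 8:
        raise ValueError("too short for an MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", data[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    pdu = data[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("ADU truncated: header claims more bytes than present")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": pdu[0], "pdu": pdu}


def decode_read_response(pdu, quantity):
    """Decode a read-response PDU. Coil/discrete-input bits are packed eight per
    byte, least-significant bit first; registers are big-endian 16-bit words."""
    fc = pdu[0]
    if fc & 0x80:  # exception response: requested FC with the high bit set
        return {"function_code": fc & 0x7F, "exception_code": pdu[1]}
    byte_count = pdu[1]
    payload = pdu[2:2 + byte_count]
    if len(payload) != byte_count:
        raise ValueError("byte count does not match payload")
    if fc in (FC_READ_COILS, FC_READ_DISCRETE_INPUTS):
        bits = [bool((b >> i) & 1) for b in payload for i in range(8)]
        return {"function_code": fc, "values": bits[:quantity]}
    if fc == FC_READ_HOLDING_REGISTERS:
        regs = struct.unpack(">%dH" % (byte_count // 2), payload)
        return {"function_code": fc, "values": list(regs)}
    raise ValueError("unsupported function code %d" % fc)


# Constructed responses (not captured traffic): what a PLC at unit id 1 could
# return to the matching requests built in example_exchange().
COILS_RESPONSE = bytes.fromhex("0001 0000 0005 01 01 02 cd 01")
REGISTERS_RESPONSE = bytes.fromhex("0002 0000 0007 01 03 04 0102 0304")
EXCEPTION_RESPONSE = bytes.fromhex("0003 0000 0003 01 81 02")  # 02 = illegal data address


def example_exchange():
    """Request/response pairs for Read Coils (FC 1) and Read Holding Registers (FC 3)."""
    req_coils = build_request(1, 1, FC_READ_COILS, 0, 10)
    req_regs = build_request(2, 1, FC_READ_HOLDING_REGISTERS, 0, 2)
    coils = decode_read_response(parse_adu(COILS_RESPONSE)["pdu"], 10)
    regs = decode_read_response(parse_adu(REGISTERS_RESPONSE)["pdu"], 2)
    err = decode_read_response(parse_adu(EXCEPTION_RESPONSE)["pdu"], 0)
    return {"read_coils_request": req_coils.hex(), "coils": coils["values"],
            "read_registers_request": req_regs.hex(), "registers": regs["values"],
            "exception": err}


if __name__ == "__main__":
    for key, value in example_exchange().items():
        print(key, value)
```

Nothing in the frame identifies or authenticates the client: whoever can reach TCP/502 can issue the same reads, and FC 5/6 writes, which is why the allow-listing and monitoring questions in Unit 8 matter. Sending even read-only requests to production controllers falls under the authorization requirement in Question #1, and is best rehearsed against a test bench first, since some PLCs react badly to unexpected traffic.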

Question #20
Which of the following is a virtualized environment that can be used to practice ICS/OT
cyber-attacks that include simulated CCTV feed to watch the chaos and destruction you
cause?
A. LabshockD
B. GRFICSv2
C. Pipedream
D. Hack the Box

Answer Key
Part 1: Course Overview

There are no questions for this part.

Part 2: ICS/OT Cyber Security Overview


1. C
2. A
3. B
4. A
5. B
6. C
7. B
8. A
9. C
10. B
11. B
12. C
13. C
14. D
15. A
16. B
17. A
18. C
19. D
20. A

Unit 3: Main Types of Control Systems & Protocols


1. C
2. A
3. D
4. B
5. A
6. B
7. D
8. D
9. C
10. A
11. D
12. A
13. C
14. D
15. C

16. B
17. A
18. C
19. A
20. C

Unit 4: Secure Network Architecture


1. B
2. C
3. A
4. B
5. B
6. C
7. A
8. D
9. B
10. D
11. B
12. A,C
13. B
14. D
15. A
16. B
17. D
18. C
19. C
20. C

Unit 5: Asset Registers and Control Systems Inventory
1. D
2. C
3. B
4. A
5. C
6. D
7. A
8. A
9. C
10. B
11. D
12. C
13. D
14. B
15. A
16. A
17. D
18. B
19. C
20. A

Unit 6: Threat & Vulnerability Management


1. A
2. B
3. A
4. B
5. D
6. B
7. A
8. A
9. C
10. C
11. B
12. A
13. C
14. Trick question - they all are! :)
15. A
16. D
17. B,C
18. A
19. B
20. A

Unit 7: OSINT for Industrial Controls
1. A
2. C
3. B
4. C
5. A
6. A
7. D
8. D
9. C
10. A
11. C
12. A
13. B
14. C
15. B
16. D
17. C
18. A
19. C
20. B
21. C
22. A
23. C
24. C
25. B

Unit 8: Incident Detection
1. A
2. C
3. C
4. A
5. D
6. A
7. D
8. B
9. B
10. C
11. B,D
12. A
13. C
14. A
15. D
16. A
17. C
18. They all would be!
19. D
20. B

Unit 9: Incident Response


1. A
2. D
3. B
4. D
5. A
6. C
7. D
8. C
9. A
10. B
11. A
12. D
13. D
14. A
15. B
16. A
17. Trick question. They all could be!
18. A
19. D
20. A

Unit 10: Risk Assessments, Governance & Compliance
1. A
2. D
3. C
4. A
5. B
6. B
7. B
8. A
9. B
10. D
11. A
12. A
13. C
14. C
15. B
16. D
17. C
18. C
19. A
20. C

Unit 11: Penetration Testing for ICS/OT
1. B
2. C
3. B
4. A
5. D
6. A
7. B
8. C
9. A
10. D
11. C
12. D
13. C
14. A
15. B
16. C
17. D
18. A
19. B
20. B
