2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘 CompTIA CySA+ (CS0-003)
Critical Infrastructure (OT, ICS, SCADA)
This section of the CySA+ exam focuses on how vulnerability scanning applies to critical infrastructure environments, whose systems differ in important ways from ordinary IT networks.
You must understand:
- What critical infrastructure means
- What OT, ICS, and SCADA are
- How they are different from traditional IT systems
- How vulnerability scanning works in these environments
- The risks and special considerations involved
1. What Is Critical Infrastructure?
Critical infrastructure refers to systems and assets that are essential for a country or organization to function properly. Failure of these systems can cause major operational or financial damage.
Examples of sectors that use critical infrastructure:
- Power generation
- Water treatment
- Manufacturing
- Healthcare systems
- Transportation systems
- Telecommunications
These environments often use Operational Technology (OT) instead of traditional IT systems.
2. Operational Technology (OT)
What Is OT?
Operational Technology (OT) refers to hardware and software that monitors and controls physical devices, processes, and events.
Unlike traditional IT systems (which manage data), OT systems control machines and industrial operations.
IT vs. OT (Exam Important)
| IT Environment | OT Environment |
|---|---|
| Focuses on data | Focuses on physical processes |
| Confidentiality is priority | Availability and safety are priority |
| Systems can be rebooted easily | Downtime may cause physical damage |
| Regular patching cycles | Patching may be limited |
In OT, availability is the most important security principle, even more than confidentiality.
3. Industrial Control Systems (ICS)
What Is ICS?
Industrial Control Systems (ICS) are the hardware and software used to monitor and control industrial processes.
ICS includes different types of control systems such as:
- PLCs (Programmable Logic Controllers)
- RTUs (Remote Terminal Units)
- DCS (Distributed Control Systems)
These systems:
- Monitor industrial equipment
- Send commands to machines
- Collect operational data
- Automate processes
They are commonly found in:
- Power plants
- Manufacturing plants
- Utility providers
- Large industrial environments
ICS Characteristics (Exam Focus)
- Often run on legacy systems
- May use outdated operating systems
- Use specialized protocols
- Designed for long life cycles (10–20+ years)
- Cannot be easily rebooted or patched
This makes vulnerability scanning more complicated.
4. SCADA Systems
What Is SCADA?
Supervisory Control and Data Acquisition (SCADA) is a type of ICS used for large-scale monitoring and control.
SCADA systems:
- Monitor equipment remotely
- Collect data from sensors
- Control industrial processes from a central location
- Display information on dashboards
SCADA is typically used when operations are geographically distributed.
How SCADA Works (Simple Explanation)
- Sensors collect data from equipment.
- Data is sent to controllers (RTUs or PLCs).
- The data is transmitted to a central SCADA server.
- Operators monitor and control systems from a central console.
5. Why Vulnerability Scanning Is Different in OT/ICS/SCADA
In normal IT networks, you can:
- Run aggressive scans
- Patch frequently
- Reboot systems
- Replace hardware easily
In OT environments:
- Scanning can disrupt physical operations
- Some systems crash under heavy scanning
- Downtime may stop production
- Patching may require shutdown windows
- Some devices do not support modern scanning tools
This is extremely important for the exam.
6. Vulnerability Scanning in Critical Infrastructure
1. Passive Scanning (Preferred Method)
In OT environments, passive scanning is usually safer.
Passive scanning:
- Monitors network traffic
- Does not actively send packets
- Does not interfere with operations
- Identifies devices and vulnerabilities quietly, from the traffic it observes
This reduces risk of system disruption.
2. Active Scanning (High Risk)
Active scanning:
- Sends packets to devices
- Probes systems for vulnerabilities
- Can overload fragile devices
In ICS/SCADA environments, active scans can:
- Cause system crashes
- Interrupt industrial processes
- Trigger alarms
- Disrupt communications
Therefore, active scanning must be:
- Carefully scheduled
- Tested in lab environments first
- Approved by operations teams
7. Key Risks When Scanning Critical Infrastructure
1. System Instability
Some ICS devices cannot handle scanning traffic.
2. Safety Risks
Disruption may affect physical safety systems.
3. Legacy Protocols
Many OT systems use insecure protocols that lack authentication or encryption.
4. No Vendor Support
Some legacy devices are no longer supported by vendors.
8. Common ICS/SCADA Protocols (Exam Awareness)
You should recognize that OT environments use special protocols, such as:
- Modbus
- DNP3
- OPC
These protocols:
- Often lack encryption
- Were not designed with security in mind
- May be vulnerable to interception or manipulation
For the exam, understand that these protocols are less secure than modern IT protocols.
9. Segmentation in Critical Infrastructure
Network segmentation is extremely important in OT environments.
Common architecture:
- IT network (corporate systems)
- OT network (industrial systems)
- DMZ between IT and OT
Segmentation helps:
- Prevent lateral movement
- Limit impact of compromise
- Protect critical control systems
For the exam, remember:
OT networks should be isolated from IT networks whenever possible.
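The IT / DMZ / OT architecture above can be checked mechanically against a firewall ruleset. The following is an added example, not code from these notes or from any CompTIA material: the zone address ranges, the permitted cross-zone directions, and both rulesets are constructed for illustration. It flags any allow rule that lets IT reach OT directly (bypassing the DMZ), any allow rule into OT that is not scoped to a zone, and a ruleset that does not end in an explicit deny-all.

```python
import ipaddress

# Constructed zone addressing for the example; real plants use their own ranges.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.15.0.0/24")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
}
# The only cross-zone directions the design permits: IT reaches the DMZ, the DMZ brokers access
# into OT (jump host), and OT pushes data out to the DMZ (historian). IT never reaches OT directly.
ALLOWED_ZONE_FLOWS = {("IT", "DMZ"), ("DMZ", "OT"), ("OT", "DMZ")}


def zone_of(cidr):
    """Map a rule's address scope to a zone name; 'any' and addresses outside all zones are flagged."""
    if cidr == "any":
        return "ANY"
    net = ipaddress.ip_network(cidr)
    for name, nets in ZONES.items():
        if any(net.subnet_of(z) for z in nets):
            return name
    return "UNKNOWN"


def audit_rules(rules):
    """Return a list of (rule_index, finding) for a first-match firewall ruleset between the zones."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src_zone, dst_zone = zone_of(rule["src"]), zone_of(rule["dst"])
        if "ANY" in (src_zone, dst_zone) or "UNKNOWN" in (src_zone, dst_zone):
            findings.append((i, f"allow rule is not scoped to zones ({src_zone} -> {dst_zone})"))
        elif src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_ZONE_FLOWS:
            findings.append((i, f"{src_zone} -> {dst_zone} bypasses the DMZ"))
    last = rules[-1] if rules else None
    if not last or not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append((len(rules), "ruleset does not end with an explicit deny-all"))
    return findings


def _rule(src, dst, dport, action):
    return {"src": src, "dst": dst, "dport": dport, "action": action}

# Constructed rulesets. The first follows the IT / DMZ / OT design; the second has two common mistakes.
GOOD_RULES = [
    _rule("10.10.0.0/16", "10.15.0.0/24", 443, "allow"),    # IT users reach the DMZ web front end
    _rule("10.15.0.10/32", "10.20.0.0/24", 3389, "allow"),  # DMZ jump host reaches OT workstations
    _rule("10.20.1.0/24", "10.15.0.20/32", 8443, "allow"),  # OT data collector pushes to the DMZ historian
    _rule("any", "any", "any", "deny"),
]
BAD_RULES = [
    _rule("10.10.0.0/16", "10.15.0.0/24", 443, "allow"),
    _rule("10.10.7.0/24", "10.20.1.0/24", 502, "allow"),    # corporate subnet straight to the PLCs
    _rule("any", "10.20.0.0/16", 22, "allow"),              # SSH into OT from anywhere
    _rule("any", "any", "any", "deny"),
]


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_rules(rules) or "no findings")
```

Running it reports nothing for `GOOD_RULES` and two findings for `BAD_RULES`: the corporate-to-PLC rule bypasses the DMZ, and the `any`-sourced SSH rule is unscoped. The same check can be run against an exported rulebase before a change is approved.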
10. Patch Management in OT
Patch management in ICS/SCADA is challenging because:
- Downtime is costly
- Some patches require system shutdown
- Systems must be tested before deployment
- Vendors may restrict updates
Because of this, organizations often use:
- Compensating controls
- Network segmentation
- Intrusion detection systems
- Strict access control
11. Change Management and Approval
Before scanning OT environments:
- Obtain approval from operations teams
- Schedule maintenance windows
- Test scanning tools in lab environments
- Monitor systems during scanning
This is critical for exam scenarios.
12. Asset Inventory in Critical Infrastructure
You cannot protect what you do not know exists.
In ICS/OT environments, asset discovery must be:
- Accurate
- Carefully performed
- Often passive
Devices may include:
- PLCs
- Sensors
- Controllers
- Human-Machine Interfaces (HMIs)
- Engineering workstations
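Passive scanning (section 6) and passive asset discovery (this section) are the same activity seen from two angles: watch the traffic that already exists and derive the inventory from it. The following added example is not code from these notes or from CompTIA; it assumes packets are handed in as simple records of the kind a SPAN-port capture would yield, and the hosts, addresses, vendor and product strings are constructed. The Modbus/TCP frame layout (MBAP header, function code, Read Device Identification response) follows the published protocol; nothing is ever sent, so a fragile PLC is never touched.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502        # Modbus/TCP servers (PLCs, RTUs) listen here
DNP3_PORT = 20000        # DNP3 outstations listen here by default
# Modbus function codes that change coils or registers (writes), as opposed to reads
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def modbus_frame(unit, fc, data, tid=1):
    """Build a Modbus/TCP frame (MBAP header + PDU). Used only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(payload):
    """Split a Modbus/TCP frame into (unit_id, function_code, pdu_data); None if not a well-formed frame."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def parse_device_id(pdu_data):
    """Decode a Read Device Identification response (FC 43, MEI type 14) into {object_id: text}.
    Object ids 0, 1 and 2 are VendorName, ProductCode and MajorMinorRevision."""
    if len(pdu_data) < 6 or pdu_data[0] != 0x0E:
        return {}
    count, pos, objects = pdu_data[5], 6, {}
    for _ in range(count):
        if pos + 2 > len(pdu_data):
            break
        oid, ln = pdu_data[pos], pdu_data[pos + 1]
        objects[oid] = pdu_data[pos + 2:pos + 2 + ln].decode("ascii", "replace")
        pos += 2 + ln
    return objects


def passive_inventory(packets):
    """Build an asset inventory purely from observed packets (no packet is ever sent)."""
    def new_asset():
        return {"roles": set(), "protocols": set(), "functions": set(), "identity": {}, "talks_to": set()}
    inventory = defaultdict(new_asset)
    for pkt in packets:
        src, dst, sport, dport, payload = pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["payload"]
        if MODBUS_PORT in (sport, dport):
            from_server = sport == MODBUS_PORT
            server, client = (src, dst) if from_server else (dst, src)
            inventory[server]["roles"].add("modbus-server")
            inventory[client]["roles"].add("modbus-client")
            for host in (server, client):
                inventory[host]["protocols"].add("modbus/tcp")
            frame = parse_mbap(payload)
            if frame is None:
                continue
            _unit, fc, data = frame
            if from_server:
                if fc == 0x2B:  # device identification response reveals vendor/product/firmware
                    inventory[server]["identity"].update(parse_device_id(data))
            else:
                inventory[client]["functions"].add(fc)
                inventory[client]["talks_to"].add(server)
                if fc in WRITE_FUNCTIONS:
                    inventory[client]["roles"].add("writes-to-plc")
        elif DNP3_PORT in (sport, dport):
            outstation = src if sport == DNP3_PORT else dst
            inventory[outstation]["roles"].add("dnp3-outstation")
            inventory[outstation]["protocols"].add("dnp3")
    return dict(inventory)


def _obj(oid, text):
    return bytes([oid, len(text)]) + text

# Constructed sample traffic: an HMI polling a PLC, an engineering workstation reading the PLC's
# identity and then writing registers, and a DNP3 outstation answering the HMI. Addresses are made up.
PLC, HMI, EWS, RTU = "10.20.1.5", "10.20.0.10", "10.20.0.20", "10.20.2.7"
DEVICE_ID_RESPONSE = (bytes([0x0E, 0x01, 0x01, 0x00, 0x00, 3])
                      + _obj(0, b"ExampleVendor") + _obj(1, b"PLC-1000") + _obj(2, b"v2.1"))
SAMPLE_PACKETS = [
    {"src": HMI, "dst": PLC, "sport": 49152, "dport": 502, "payload": modbus_frame(1, 3, b"\x00\x00\x00\x0a")},
    {"src": PLC, "dst": HMI, "sport": 502, "dport": 49152, "payload": modbus_frame(1, 3, b"\x14" + b"\x00" * 20)},
    {"src": EWS, "dst": PLC, "sport": 50001, "dport": 502, "payload": modbus_frame(1, 0x2B, b"\x0e\x01\x00")},
    {"src": PLC, "dst": EWS, "sport": 502, "dport": 50001, "payload": modbus_frame(1, 0x2B, DEVICE_ID_RESPONSE)},
    {"src": EWS, "dst": PLC, "sport": 50001, "dport": 502, "payload": modbus_frame(1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")},
    {"src": RTU, "dst": HMI, "sport": 20000, "dport": 49200, "payload": b"\x05\x64\x05\xc0\x01\x00\x02\x00"},
]


def print_inventory(inventory):
    for host, info in sorted(inventory.items()):
        ident = info["identity"]
        label = " ".join(ident.get(i, "") for i in (0, 1, 2)).strip() or "(no identity seen)"
        print(f"{host:12} roles={sorted(info['roles'])} protocols={sorted(info['protocols'])} "
              f"functions={sorted(info['functions'])} identity={label}")


if __name__ == "__main__":
    print_inventory(passive_inventory(SAMPLE_PACKETS))
```

The result distinguishes the PLC (a Modbus server with vendor, product and firmware revision learned from the device identification reply it sent anyway) from the HMI (read-only polling) and the engineering workstation (the only host that writes). The firmware string is what a vulnerability database lookup would key on, and the "writes-to-plc" role is the baseline that later anomaly detection compares against, all without a single probe.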
13. Security Priorities in Critical Infrastructure
In IT environments:
- Confidentiality → Integrity → Availability
In OT environments:
- Availability → Integrity → Confidentiality
For the exam, remember:
Availability is the highest priority in OT/ICS environments.
14. Monitoring and Detection in ICS
Because patching may not be frequent, organizations rely on:
- Network monitoring
- Intrusion detection systems (IDS)
- Log analysis
- Baseline behavior monitoring
Anomalies in OT traffic patterns can indicate compromise.
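Baseline behaviour monitoring works because OT traffic is highly regular: the same HMI polls the same PLC with the same function codes at the same rate. The following added example (not from these notes or CompTIA) learns that baseline from a known-good window of flow records and then flags three kinds of deviation in a later window: a conversation between hosts that never talked before, a function code a known pair never used, and a volume spike on a known conversation. The records, hosts and addresses are constructed; the input shape (`src`, `dst`, Modbus function code `fc`, timestamp) is what an OT network monitor or IDS would export.

```python
from collections import Counter

# Modbus function codes that change coils or registers; a new writer is the most serious anomaly
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def learn_baseline(records):
    """Count each (src, dst, function_code) conversation seen during a known-good learning window."""
    baseline = Counter()
    for rec in records:
        baseline[(rec["src"], rec["dst"], rec["fc"])] += 1
    return baseline


def detect_anomalies(baseline, baseline_seconds, records, window_seconds, spike_factor=3.0):
    """Compare a detection window against the baseline and return a list of alerts.
    Flags conversations between hosts that never talked before, function codes a known pair
    never used, and known conversations whose volume jumps by more than spike_factor."""
    known_pairs = {(s, d) for (s, d, _fc) in baseline}
    alerts, seen = [], Counter()
    for rec in records:
        key = (rec["src"], rec["dst"], rec["fc"])
        seen[key] += 1
        if key in baseline:
            continue
        reason = ("new conversation" if (rec["src"], rec["dst"]) not in known_pairs
                  else "new function code for known conversation")
        alerts.append(_alert(rec["ts"], key, reason))
    # Volume check: a polling loop that suddenly runs several times faster, or a burst of
    # writes, is what an unapproved scan or a misbehaving host looks like on the wire.
    for key, count in seen.items():
        if key in baseline:
            expected = baseline[key] / baseline_seconds * window_seconds
            if count > spike_factor * max(expected, 1.0):
                alerts.append(_alert(None, key, f"traffic spike ({count} vs ~{expected:.0f} expected)"))
    return alerts


def _alert(ts, key, reason):
    src, dst, fc = key
    return {"ts": ts, "src": src, "dst": dst, "fc": fc, "reason": reason,
            "severity": "high" if fc in WRITE_FUNCTIONS else "medium"}


def _flow(ts, src, dst, fc):
    return {"ts": ts, "src": src, "dst": dst, "fc": fc}

# Constructed sample data (addresses are made up). Learning window: 60 seconds in which the HMI
# polls the PLC once a second (FC 3) and the engineering workstation writes twice (FC 16).
PLC, HMI, EWS, UNKNOWN = "10.20.1.5", "10.20.0.10", "10.20.0.20", "10.10.5.99"
LEARNING_WINDOW = ([_flow(t, HMI, PLC, 3) for t in range(60)]
                   + [_flow(10, EWS, PLC, 16), _flow(40, EWS, PLC, 16)])
# Detection window: the same polling, plus a host from the IT range reading and then writing to
# the PLC, the HMI issuing a write it never issued before, and a burst of writes from the EWS.
DETECTION_WINDOW = ([_flow(t, HMI, PLC, 3) for t in range(60, 120)]
                    + [_flow(75, UNKNOWN, PLC, 3), _flow(76, UNKNOWN, PLC, 6), _flow(90, HMI, PLC, 5)]
                    + [_flow(100 + i, EWS, PLC, 16) for i in range(10)])


def run_sample():
    baseline = learn_baseline(LEARNING_WINDOW)
    return detect_anomalies(baseline, 60, DETECTION_WINDOW, 60)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']:6}] {a['src']} -> {a['dst']} FC {a['fc']}: {a['reason']}")
```

On the sample it raises four alerts: the IT-range host's read (medium) and write (high) to the PLC, the HMI's first-ever write (high), and the engineering workstation's burst of writes (high, five times its baseline rate). The learning window itself produces no alerts, which is the sanity check to run before trusting a baseline in production.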
15. Exam Scenario Tips (Very Important)
You may see a question like:
- A scan caused industrial systems to stop responding.
- A PLC crashed during an aggressive vulnerability scan.
- An organization wants to scan SCADA devices safely.
Correct answers usually involve:
- Passive scanning
- Maintenance windows
- Segmentation
- Testing in a staging environment
- Vendor consultation
- Minimizing operational impact
Avoid answers that suggest:
- Aggressive scans without approval
- Immediate patching without testing
- Rebooting production control systems without planning
16. Key Differences Summary (Exam Quick Review)
| Feature | IT Environment | OT/ICS Environment |
|---|---|---|
| Primary Goal | Protect data | Keep systems running |
| Downtime Impact | Business disruption | Operational failure |
| Patch Frequency | Regular | Limited and controlled |
| Scan Type | Active allowed | Passive preferred |
| System Age | Modern | Often legacy |
Final Exam Takeaways
To pass this section, you must remember:
- Critical infrastructure includes OT, ICS, and SCADA systems.
- OT controls physical processes.
- ICS manages industrial operations.
- SCADA monitors and controls distributed systems.
- Availability is the top priority in OT.
- Passive scanning is preferred.
- Active scanning can disrupt fragile systems.
- Segmentation between IT and OT is critical.
- Patching is difficult and must be controlled.
- Always consider operational impact before scanning.
