Try 10 focused CompTIA SecOT+ SOT-001 questions on OT security architecture, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA SecOT+ SOT-001 |
| Topic area | OT Cybersecurity Architecture, Design, and Engineering |
| Blueprint weight | 18% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate OT Cybersecurity Architecture, Design, and Engineering for CompTIA SecOT+ SOT-001. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 18% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A water utility needs to allow an OEM vendor to troubleshoot an engineering workstation in the control network. The utility requires MFA, individual vendor accounts, session recording, centralized logs, and no direct VPN routing from the vendor laptop into the control network. Which implementation best meets these requirements?
Options:
A. Create a shared local vendor account on the workstation
B. Allow vendor VPN access directly to the engineering workstation
C. Install a data diode between the vendor and control networks
D. Place a hardened jump box in the IDMZ to broker approved sessions
Best answer: D
Explanation: Secure OT remote access should avoid direct paths from external devices to control-network assets. A jump box or bastion host in an IDMZ provides a controlled landing point where access can be authenticated, authorized, monitored, and logged before reaching approved OT systems. It also supports operational controls such as time-bound access, session recording, file-transfer restrictions, and separation between the vendor endpoint and the control zone. The key design idea is brokered access: the vendor connects to the bastion, and the bastion connects only to explicitly permitted OT targets. Direct VPN access may authenticate the user, but it often creates broader network reachability than the stated requirement allows.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A chemical blending site is reviewing a proposed remote-support conduit. The OEM only needs to observe HMI screens during approved maintenance windows; PLC logic changes are handled separately by on-site engineering staff.
Exhibit: Proposed access
| Source | Destination | Proposed access |
|---|---|---|
| OEM VPN | Engineering workstation | RDP, SMB, PLC programming ports, local admin |
| Historian | PLC cell | Read-only OT polling |
| HMI | PLC cell | Operator control protocol |
| IT users | IDMZ historian replica | HTTPS dashboard |
Which architecture control best applies least privilege and necessary functionality?
Options:
A. Use an IDMZ jump box for supervised view-only HMI access
B. Approve the OEM VPN because access is time-limited
C. Disable historian polling during all OEM sessions
D. Keep direct access but enable full session logging
Best answer: A
Explanation: Least privilege grants only the access required for the task, and necessary functionality removes services or capabilities that are not needed. The exhibit shows the OEM being given an engineering workstation path with RDP, SMB, PLC programming ports, and local admin access, even though the stated need is only to observe HMI screens. A jump box in the IDMZ with MFA, approval workflow, session monitoring, and view-only HMI access better limits both who can connect and what they can do. Time limits and logging are useful supporting controls, but they do not remove excessive capability. Disabling historian polling would affect operations without addressing the over-permissive vendor path.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A water treatment facility is hardening an engineering workstation in a locked PLC cabinet. Several unused USB and RJ45 ports are reachable during maintenance, but some interfaces must remain available for vendor-supported monthly service. A walkdown found evidence of unauthorized test laptops being connected. Which action is the BEST professional decision?
Options:
A. Rely on NAC to reject unauthorized connections
B. Disable all USB and Ethernet ports in firmware
C. Install keyed port blockers on unused interfaces
D. Seal the cabinet door with tamper tape only
Best answer: C
Explanation: Port lockers and port blockers are hardware security controls used to physically restrict access to exposed interfaces such as USB and RJ45 ports. In this scenario, the facility needs to prevent casual or unauthorized device connections without making the workstation unsupported or blocking legitimate maintenance. Keyed blockers are reversible, auditable through key control, and targeted to unused ports, so they meet the hardening goal while respecting OT service constraints. Network controls such as NAC can help, but they do not protect every physical interface and do not address USB access.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A water utility wants enterprise analysts to receive near-real-time historian data from the control network. Operations states that no enterprise or internet-connected system may initiate sessions or send commands into the control zone. Which network security design best meets this requirement?
Options:
A. Provide VPN access to the historian through a jump box
B. Allow enterprise analysts to query the OT historian through a firewall rule
C. Place the OT historian in the enterprise network segment
D. Use a one-way gateway from the control zone to an IDMZ historian replica
Best answer: D
Explanation: The core design concept is enforcing zones and conduits with unidirectional flow. For OT data sharing, a one-way gateway or data diode between the control zone and an IDMZ can publish historian data outward while preventing inbound sessions or control commands from enterprise networks. The IDMZ provides a buffer zone for services that need to exchange data across trust boundaries without exposing controllers, HMIs, or primary historians directly.
A firewall can restrict traffic, but it still permits a routed path if rules allow queries. Remote access designs such as VPNs and jump boxes are useful for monitored maintenance, not for a no-inbound-flow requirement. The key takeaway is to match the conduit design to the required direction of trust and data movement.
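As an added example that is not part of the IT Mastery material, the two checks these explanations rely on (direction of trust into the control zone, and proposed versus required services) encoded as a small Python review over a conduit table; the conduit rows are constructed from the chemical-blending exhibit above, and the zone ordering and service names are assumptions rather than any standard's numbering.

```python
from dataclasses import dataclass

# Constructed trust ordering for the zones named in the exhibits above
# (lower value = more trusted); not any standard's level numbering.
ZONE_LEVEL = {"control": 0, "idmz": 1, "enterprise": 2, "external": 3}

@dataclass(frozen=True)
class Conduit:
    source: str
    src_zone: str
    destination: str
    dst_zone: str
    proposed: frozenset  # services the request asks for
    required: frozenset  # services the stated task actually needs

def review(c: Conduit) -> list[str]:
    """Return direction-of-trust and least-privilege findings for one conduit."""
    findings = []
    # A less trusted zone initiating a session into the control zone is the
    # pattern both questions reject: broker it through the IDMZ, or publish
    # the data outward through a one-way gateway instead.
    if ZONE_LEVEL[c.src_zone] > ZONE_LEVEL[c.dst_zone] and c.dst_zone == "control":
        findings.append(f"{c.source} initiates into control zone; broker or reverse the flow")
    excess = c.proposed - c.required
    if excess:
        findings.append("excess services: " + ", ".join(sorted(excess)))
    missing = c.required - c.proposed
    if missing:
        findings.append("stated need not provided: " + ", ".join(sorted(missing)))
    return findings

# Constructed from the "Proposed access" exhibit in the chemical-blending question.
EXHIBIT = [
    Conduit("OEM VPN", "external", "Engineering workstation", "control",
            frozenset({"RDP", "SMB", "PLC programming", "local admin"}),
            frozenset({"view-only HMI"})),
    Conduit("Historian", "control", "PLC cell", "control",
            frozenset({"read-only polling"}), frozenset({"read-only polling"})),
    Conduit("HMI", "control", "PLC cell", "control",
            frozenset({"operator control"}), frozenset({"operator control"})),
    Conduit("IT users", "enterprise", "IDMZ historian replica", "idmz",
            frozenset({"HTTPS dashboard"}), frozenset({"HTTPS dashboard"})),
]

def review_table(conduits=EXHIBIT) -> dict[str, list[str]]:
    """Map 'source -> destination' to findings; clean conduits are omitted."""
    return {f"{c.source} -> {c.destination}": review(c) for c in conduits if review(c)}
```

Only the OEM VPN row is flagged: it both initiates inbound into the control zone and carries every service except the one the task needs, which is why a view-only IDMZ jump box is the better answer.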
Topic: OT Cybersecurity Architecture, Design, and Engineering
A water treatment facility is redesigning security for a critical chemical-dosing cell. The PLCs use a legacy Ethernet protocol with tight scan-time requirements, and an unplanned stop could create a public health impact. Operations requires better evidence for audits and earlier detection of abnormal commands, but the next approved outage is six weeks away. Which design is the BEST professional decision?
Options:
A. Add passive OT-aware monitoring and cell-boundary logging
B. Place an inline IPS between PLCs and remote I/O
C. Run active vulnerability scans during production
D. Install EDR agents directly on the PLCs
Best answer: A
Explanation: Safety-aware OT architecture balances security goals with deterministic control behavior. In this scenario, the dosing cell is critical, legacy, and sensitive to scan-time changes, so controls that add inline delay or change controller behavior are risky before an approved outage. Passive OT-aware IDS using a TAP or SPAN feed, combined with firewall or conduit logging and engineering-workstation change records, improves observability and audit evidence while preserving process continuity. It also supports baselining of normal protocol behavior and detection of abnormal commands without interfering with control traffic. The key trade-off is to increase visibility first, then evaluate intrusive controls during a tested change window.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A water treatment plant has several legacy PLCs controlling chemical dosing. The process runs continuously, but operations has approved a 2-hour monthly maintenance window. The engineering team needs recoverable backups of PLC hardware configuration, logic, and settings without risking an unplanned process change. Which backup approach is the BEST professional decision?
Options:
A. Use vendor-supported offline backups during the approved window and verify restore on a spare PLC
B. Schedule daily online uploads from each PLC during production
C. Upgrade PLC firmware before taking backups to standardize versions
D. Rely on the engineering workstation disk image as the PLC backup
Best answer: A
Explanation: OT backup strategy must protect recoverability without creating unsafe or uncontrolled process effects. For legacy PLCs that control chemical dosing, backups should use vendor-supported tools, be performed in an approved maintenance window, and capture the logic, hardware configuration, firmware/version context, parameters, and settings needed for restoration. A backup is not fully useful until it is verified, preferably by restoring to a spare or test controller rather than the live process. This approach also supports rollback, configuration integrity, and operational ownership. The key distinction is that OT backups must be both complete and safely validated, not merely copied from nearby systems or collected at maximum frequency.
Topic: OT Cybersecurity Architecture, Design, and Engineering
During an OT facility walkdown, an engineer finds a Level 2 network switch inside a PLC cabinet in a contractor-accessible corridor. The cabinet uses the same generic key as non-OT maintenance cabinets, and several unused RJ45 patch ports are exposed on the cabinet side panel. The plant cannot relocate the cabinet this quarter. Which implementation choice best addresses the physical security gap?
Options:
A. Restrict cabinet access and block exposed unused ports
B. Document the finding in the CMDB only
C. Add the switch to passive asset discovery
D. Increase IDS alert severity for new hosts
Best answer: A
Explanation: The gap is physical exposure of OT network infrastructure: a shared-key cabinet in a contractor-accessible area and exposed unused ports. The most appropriate implementation is to harden physical access where the equipment already resides, such as using restricted cabinet locks or badge-controlled access, port blockers, and tamper-evident controls for exposed connection points. This reduces the chance that an unauthorized person can open the cabinet, connect a device, or manipulate cabling. Monitoring and inventory controls are useful, but they do not prevent physical access. Documentation alone preserves knowledge of the issue but leaves the risk untreated.
Topic: OT Cybersecurity Architecture, Design, and Engineering
An OT cybersecurity engineer is preparing host security configuration for six Windows-based HMI/operator workstations at a water treatment plant. Operations needs the same security settings on each workstation and evidence for quarterly audits. Which action best applies OS benchmarks?
Exhibit: Change note
| Item | Detail |
|---|---|
| Current state | Local settings differ by workstation |
| Audit gap | No approved baseline or exception record |
| OT constraint | Vendor-required HMI services must remain functional |
| Change rule | Test before the maintenance window |
Options:
A. Apply all benchmark settings directly to production HMIs.
B. Keep vendor defaults and provide antivirus scan reports.
C. Deploy a tested benchmark baseline with documented exceptions.
D. Use the most hardened HMI image as the standard.
Best answer: C
Explanation: OS benchmarks should be used as a controlled baseline, not as an untested checklist applied blindly. In OT, the benchmark must be tailored to the asset role, vendor requirements, and operational constraints, then tested before deployment. Documented exceptions show why a benchmark control was changed or deferred, and a managed baseline supports repeatable builds and audit evidence across multiple HMI/operator workstations. Applying every setting verbatim could break required HMI services, while informal images or antivirus reports do not prove consistent benchmark-based hardening.
Topic: OT Cybersecurity Architecture, Design, and Engineering
A plant is preparing a firmware backup for a PLC controlling a mixer skid. Production must continue, and the control network uses EtherNet/IP between the PLC and HMI.
Exhibit: Maintenance readiness note
| Item | Detail |
|---|---|
| Asset | PLC-MIX-17 |
| PLC mode | RUN |
| USB-A port | Enabled; accepts mass storage |
| Serial maintenance port | Enabled; not used by operations |
| Ethernet services | EtherNet/IP required; HTTP and FTP enabled |
| Requested media | Shared contractor USB drive |
| Available controls | Scan kiosk, dedicated plant USB media, port locks |
Which action is the best next step before the maintenance activity?
Options:
A. Move the PLC to program mode and enable vendor services.
B. Use scanned dedicated media, lock unused ports, and disable unused HTTP/FTP.
C. Disable EtherNet/IP until the firmware backup is complete.
D. Use the shared USB after kiosk scanning and keep all ports enabled.
Best answer: B
Explanation: Secure OT hardware management should reduce exposure without disrupting required control functions. The exhibit shows a required EtherNet/IP path, but also shows unnecessary USB mass-storage access, an unused serial maintenance port, and HTTP/FTP services that are not needed for the stated backup. The safer choice is to use authorized dedicated media that has been scanned, restrict or lock unused physical ports, and disable unneeded services. This supports least functionality and limits removable-media risk while keeping the PLC in RUN and preserving the HMI-to-PLC communication needed for production.
Topic: OT Cybersecurity Architecture, Design, and Engineering
An engineering workstation in a water treatment plant must be hardened before deployment. The OT team needs a repeatable configuration that can be reviewed during audits, but the workstation must still support the vendor’s approved PLC programming software and maintenance workflow. Which implementation choice best meets this requirement?
Options:
A. Use the vendor default OS configuration until the next outage
B. Reimage the workstation after each maintenance window
C. Apply a documented OS benchmark baseline with OT-approved exceptions
D. Disable all nonessential services based only on technician preference
Best answer: C
Explanation: OS benchmarks provide a repeatable, auditable baseline for host hardening, such as password policy, logging, service configuration, local permissions, and security options. In OT, the benchmark should not be applied blindly because engineering software, drivers, licensing tools, and maintenance workflows may require specific settings. The practical approach is to apply an approved benchmark, test it against the workstation role, and document any justified exceptions. That creates evidence for audits and supports consistent rebuilds without breaking required control-system functions.
The key takeaway is to combine standardized hardening with OT compatibility validation and exception tracking.
Use the CompTIA SecOT+ SOT-001 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.