CompTIA SecOT+ SOT-001: OT Incident Management

Try 10 focused CompTIA SecOT+ SOT-001 questions on OT Incident Management, with explanations, then continue with IT Mastery.

Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Exam route: CompTIA SecOT+ SOT-001
Topic area: OT Incident Management
Blueprint weight: 15%
Page purpose: Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate OT Incident Management for CompTIA SecOT+ SOT-001. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass          | What to do                                                  | What to record
First attempt | Answer without checking the explanation first.              | The fact, rule, calculation, or judgment point that controlled your answer.
Review        | Read the explanation even when you were correct.            | Why the best answer is stronger than the closest distractor.
Repair        | Repeat only missed or uncertain items after a short break.  | The pattern behind misses, not the answer letter.
Transfer      | Return to mixed practice once the topic feels stable.       | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 15% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: OT Incident Management

A regulated chemical facility detects compromised credentials used through a vendor remote-access path. Operators briefly lost HMI view of a batch reactor for 18 minutes, but the SIS remained normal, no release or injury occurred, and production is now in manual monitoring. The incident response plan states: regulator notification is required for cyber events causing loss of view/control of a regulated process; cyber-insurance notice is required before engaging external IR; emergency notification is required for actual or suspected offsite safety impact; a customer contract requires notice only for shipment delays over 12 hours. What is the BEST professional decision?

Options:

  • A. Notify only the insurer until root cause is confirmed

  • B. Delay all external notifications until eradication is complete

  • C. Notify emergency services, the regulator, insurer, and customer immediately

  • D. Notify the regulator and insurer now; reassess emergency and customer notice triggers

Best answer: D

Explanation: Mandatory reporting in OT incident management should follow predefined triggers, not guesswork or a desire to minimize visibility. Here, the loss of HMI view affected a regulated process, so the regulator notification requirement is met. The plan also requires cyber-insurance notice before external IR is engaged, so that notice should happen early enough to preserve coverage obligations. Emergency notification is not yet triggered because the stem says there is no actual or suspected offsite safety impact. The customer contract is also not triggered because there is no shipment delay over 12 hours. The key practice is to notify required parties promptly, document why other notices are not yet required, and keep reassessing as safety or business impacts change.

  • Root-cause delay fails because the reporting trigger is loss of view/control, not completed attribution or eradication.
  • Over-notification ignores the stated emergency and customer thresholds, which have not been met.
  • Waiting for eradication can violate time-sensitive regulator and insurance obligations during active incident handling.

Question 2

Topic: OT Incident Management

A chemical plant is updating its OT incident response documentation before a tabletop exercise. The highest-value assets include a safety instrumented system (SIS), a batch DCS, and an engineering workstation used only during approved change windows. Operations owns process decisions, safety cannot be bypassed, and any incident evidence must support later root cause analysis and possible regulator review. Which documentation improvement is the BEST professional decision?

Options:

  • A. Add OT roles, safety decision points, and evidence handling procedures

  • B. Replace OT procedures with the corporate IT incident checklist

  • C. Document only network indicators for SIEM correlation

  • D. Authorize security staff to isolate SIS assets immediately

Best answer: A

Explanation: OT incident documentation must support coordinated response without creating unsafe process conditions. For this plant, the documentation should identify who has authority over process actions, when safety or emergency shutdown procedures are invoked, how engineering and operations participate, and how evidence is collected and preserved for root cause analysis and reporting. Good preparation also maps high-value assets and change-window constraints so responders do not treat a DCS, SIS, or engineering workstation like ordinary IT endpoints. The key is not just having an incident checklist, but having one that reflects OT ownership, safety impact, and evidence requirements.

  • IT-only checklist fails because generic IT steps may omit process authority, SIS constraints, and plant safety coordination.
  • Network indicators alone fail because SIEM evidence is useful but does not cover operator logs, sequence-of-events data, and root cause needs.
  • Immediate SIS isolation fails because unilateral containment could affect safety functions and bypass required operations-led decisions.

Question 3

Topic: OT Incident Management

A water treatment plant detects suspicious remote-access activity on an engineering workstation during an active chemical dosing operation. Operators report that the HMI value for a dosing valve no longer matches the local field indicator, and an alarm indicates potential overfeed if the valve remains open. The OT incident lead has not yet confirmed malware, but physical safety consequences are possible. What is the best professional decision?

Options:

  • A. Have IT reimage the engineering workstation before changing operations

  • B. Block all plant network traffic immediately from the firewall

  • C. Wait for forensic confirmation before involving non-cyber response teams

  • D. Engage operations to consider emergency shutdown and notify emergency services if exposure is possible

Best answer: D

Explanation: In OT incident management, possible physical consequences change the response priority. The team should coordinate with operations, engineering, and the incident command structure because operators own process-control decisions such as emergency shutdown. If personnel, public safety, or environmental exposure may be affected, emergency services or site emergency response should be involved even before malware is fully confirmed. Cyber containment can still proceed, but it must not override safe process handling or create a more hazardous state.

The key takeaway is that uncertain cyber evidence does not justify delaying safety actions when process indicators suggest a credible physical hazard.

  • Forensic delay fails because safety coordination should not wait for malware attribution when a hazardous process condition may exist.
  • Network-wide blocking may disrupt visibility or control and could worsen the process state without operations approval.
  • Immediate reimage destroys evidence and does not address the active dosing hazard or operational decision authority.

Question 4

Topic: OT Incident Management

A water treatment facility detects confirmed command attempts from a compromised IT help desk account to an engineering workstation in the OT zone. Operators report the treatment process is stable, and the PLCs must continue running to avoid unsafe pressure changes. The site has an OT jump box and firewall rules that can be changed immediately with operations approval. What is the BEST containment action?

Options:

  • A. Disconnect all PLCs from the control network

  • B. Power off the engineering workstation immediately

  • C. Suspend the account and block IT-to-OT access paths

  • D. Wait for the next maintenance window

Best answer: C

Explanation: Containment in OT should stop the incident path while maintaining safe, stable operations whenever possible. Here, the evidence points to a compromised IT account attempting to reach an OT engineering workstation, while PLCs are still running a stable process. Suspending the account and blocking the IT-to-OT path through approved firewall changes targets the active route without disrupting controller operation. This is more precise than shutting down OT assets and more urgent than waiting for a maintenance window.

The key takeaway is to contain the threat at the safest effective point: identity and conduit controls first when they address the confirmed path.

  • Powering off the workstation may disrupt engineering visibility or support activities and is less targeted than blocking the confirmed account and path.
  • Disconnecting PLCs risks loss of control or unsafe pressure changes, which violates the stated process-safety constraint.
  • Waiting for maintenance leaves a confirmed intrusion path active during an incident stage that requires containment.

Question 5

Topic: OT Incident Management

A water utility detects a possible unauthorized control change. The process is stable, and operations has not declared an emergency shutdown condition. The incident lead needs to determine incident extent before choosing containment or recovery actions.

Exhibit: Initial triage notes

09:12  VPN: vendor-maint account login from new source IP
09:17  Firewall: vendor jump box -> EWS-2 allowed
09:22  IDS: EWS-2 -> PLC-7 Modbus function 16 write
09:24  Historian: PLC-7 chlorine set point changed
09:31  IDS: EWS-2 -> PLC-8 read-only polling observed
09:40  Operator: no abnormal process condition reported

Which next action best supports triaging and scoping?

Options:

  • A. Restore PLC-7 logic from the last known-good backup

  • B. Disconnect the entire OT cell from the network immediately

  • C. Correlate logs and flows for the account, EWS-2, and touched PLCs

  • D. Reimage EWS-2 and reset the vendor account password

Best answer: C

Explanation: Triaging and scoping establish what is affected, how far activity spread, and which evidence supports the incident extent. The exhibit shows a likely path from a vendor VPN login to a jump box, then to EWS-2, then a write to PLC-7 and read-only traffic to PLC-8. Because the process is stable and no emergency shutdown condition exists, the priority is to correlate VPN, firewall, IDS, historian, and access logs to identify affected assets and accounts before containment or recovery. This prevents under-scoping the incident or disrupting operations unnecessarily. Recovery and eradication actions should be based on the confirmed scope, not just the first observed symptom.

  • Restore first fails because recovery before scoping may overwrite evidence and miss other affected assets.
  • Broad disconnection may be justified for immediate safety, but the stem says operations are stable and asks for extent determination.
  • Reimage and reset are eradication actions that assume the root cause and scope before confirming them.

Question 6

Topic: OT Incident Management

A chemical plant must validate whether its OT incident response team can make correct shutdown, isolation, escalation, and notification decisions during a suspected controller compromise. The production line runs 24/7, the affected unit includes a safety instrumented system, and there is no approved change window for testing on live assets. Which exercise type is the BEST professional decision?

Options:

  • A. Full-scale failover test of the production DCS

  • B. Unannounced live containment drill on the production network

  • C. Facilitated tabletop exercise using the OT IR playbook

  • D. Adversarial emulation against live PLCs

Best answer: C

Explanation: The core concept is selecting an exercise type that tests decision quality while preserving OT safety and process continuity. A facilitated tabletop exercise is designed for this situation: stakeholders walk through a realistic scenario, use the incident response plan, apply decision matrices, and validate roles, communications, shutdown criteria, and notification steps. It does not require blocking traffic, changing controller logic, forcing failover, or interacting with safety-critical production assets. In OT environments, higher-fidelity exercises can be valuable, but they require approval, engineering safeguards, and a safe test environment or change window. With 24/7 operations, a SIS, and no approved production testing window, tabletop validation is the safest fit.

  • Live containment is too disruptive because blocking production traffic without an approved window can affect control and visibility.
  • Production failover may validate resilience, but it changes operational state and needs formal engineering approval and a change window.
  • Live PLC emulation introduces unnecessary operational and safety risk when the objective is decision-making validation.

Question 7

Topic: OT Incident Management

During an OT incident, operators report that an HMI trend for a reactor temperature stayed flat at 72°C while a local gauge and an independent safety alarm indicated a rapid increase. The incident commander needs evidence that best confirms whether this was manipulation of view rather than a normal process condition. Which evidence source should be prioritized?

Options:

  • A. Controller tag history and sequence-of-events records

  • B. HMI workstation antivirus scan results

  • C. Firewall allow-rule documentation

  • D. Maintenance training attendance records

Best answer: A

Explanation: Manipulation of view means the operator’s displayed information may not match the real process state. The strongest confirmation comes from evidence closest to the control process, such as PLC/controller tag history, RTU data, historian values sourced from controllers, and sequence-of-events records. These sources can be compared with the HMI trend to determine whether the HMI was frozen, delayed, or altered while the field process actually changed. Host security data and firewall rules may help with scoping or root cause later, but they do not directly prove the mismatch between displayed values and process reality. Prioritize process-aware evidence that preserves timing and actual control-system state.

  • Antivirus results may identify malware on the HMI, but they do not directly prove the displayed temperature differed from the controller value.
  • Firewall documentation can explain allowed paths, but it does not validate the process state or operator display accuracy.
  • Training records may support readiness review, but they are not technical evidence of view manipulation.

Question 8

Topic: OT Incident Management

A chemical blending facility has completed containment after malware was found on an engineering workstation used to maintain PLC logic. The workstation is isolated, the affected batch line is running safely under local PLC control, and a redundant operator station provides view-only monitoring. Forensics found the shared maintenance account was used on the workstation, but PLC logic checks match the approved baseline. A 2-hour maintenance window has been approved by operations. What is the BEST eradication action?

Options:

  • A. Reload all PLC logic before the next batch

  • B. Keep the workstation isolated until the next quarterly outage

  • C. Clean the malware while reconnecting the workstation

  • D. Rebuild the workstation and reset exposed credentials

Best answer: D

Explanation: Eradication removes the attacker’s foothold after containment and before recovery. In this case, the compromised component is the engineering workstation, not the PLC logic, and operations has approved a maintenance window. Rebuilding from a known-good image is safer and more reliable than attempting an in-place cleanup on an OT engineering asset. Resetting the shared maintenance credential is also necessary because evidence shows it was used on the compromised workstation. The PLCs should not be changed without evidence of logic compromise, because unnecessary controller changes can introduce process risk. The key takeaway is to eradicate the confirmed compromise while respecting operational ownership and process safety.

  • In-place cleanup is weaker because reconnecting before a trusted rebuild and credential reset can reintroduce the compromised state.
  • PLC reload is excessive because the logic matches the approved baseline and unnecessary controller changes can affect the process.
  • Quarterly delay leaves a known compromised asset and exposed credential unresolved despite an approved safe window.

Question 9

Topic: OT Incident Management

A municipal water treatment facility detects unauthorized remote access to an HMI used for chemical dosing. Operators have placed the affected process in manual control and dosing remains within safe limits. The incident response plan states that any unauthorized access affecting treatment control must be escalated to the plant incident commander and reported by the compliance officer to the state regulator within 1 hour of validation. What is the best professional decision?

Options:

  • A. Wait until eradication confirms the root cause

  • B. Let the remote-access vendor coordinate all notifications

  • C. Have the IT SOC notify only the federal cyber agency

  • D. Escalate internally and notify the state regulator through compliance

Best answer: D

Explanation: OT incident notification should follow the site’s incident response plan, operational ownership, and any stated regulatory trigger. Here, the event is validated unauthorized access to a treatment-control HMI, so the required path is internal escalation to the plant incident commander plus external notification to the state regulator by the compliance officer. Manual control and safe dosing reduce immediate safety risk, but they do not remove the reporting requirement. The best action also preserves role discipline: operations owns safe process control, incident command coordinates response, and compliance handles regulator communication.

  • Waiting for eradication misses the 1-hour reporting trigger and can violate the stated notification requirement.
  • Federal-only notification ignores the named state regulator and bypasses the required internal command path.
  • Vendor-led notification gives an external party responsibility that belongs to the facility’s incident and compliance roles.

Question 10

Topic: OT Incident Management

A municipal water treatment facility has declared an OT cybersecurity incident after operators lost remote view of two PLCs that support chemical-feed monitoring. Manual operations are stable. The incident commander asks which notification path should be initiated now based on the exhibit.

Incident status: Declared OT cyber incident
Impact: Treatment visibility affected; no public advisory issued
Notification matrix:
- Visibility/control impact: notify Operations Director and Legal/Compliance immediately
- Regulator: Legal/Compliance notifies state drinking-water regulator within 1 hour
- Federal cyber agency: CISO coordinates CISA notification after regulator notification starts
- Vendor/insurer: notify after evidence preservation approval

Options:

  • A. Escalate to Operations Director and Legal/Compliance for regulator notification

  • B. Have the SOC directly contact the insurer before internal escalation

  • C. Notify the vendor first to begin remote troubleshooting

  • D. Wait for root cause before contacting any external agency

Best answer: A

Explanation: OT incident notification should follow the approved notification matrix, especially when safety, treatment, or control visibility is affected. In this case, the incident is already declared and the exhibit states that treatment visibility is affected. That triggers immediate internal escalation to the Operations Director and Legal/Compliance, followed by Legal/Compliance notification to the state drinking-water regulator within the stated time window. The CISO coordinates CISA notification after the regulator notification starts. Vendor and insurer contact may be appropriate later, but the exhibit makes them dependent on evidence preservation approval. The key takeaway is to follow the defined authority path rather than delaying required regulator notification for technical certainty.

  • Root-cause delay fails because the matrix triggers notification from impact and declaration, not from completed forensic analysis.
  • Vendor first fails because vendor contact is later and depends on evidence preservation approval.
  • Insurer first fails because the SOC is not the named authority and internal escalation has not occurred.

Continue with full practice

Use the CompTIA SecOT+ SOT-001 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Use the full IT Mastery practice page above for the latest review links and practice page.

Revised on Thursday, May 28, 2026