Try 10 focused CompTIA SecOT+ SOT-001 questions on OT Risk Management, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA SecOT+ SOT-001 on Web View full CompTIA SecOT+ SOT-001 practice page
| Field | Detail |
|---|---|
| Exam route | CompTIA SecOT+ SOT-001 |
| Topic area | OT Risk Management |
| Blueprint weight | 17% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate OT Risk Management for CompTIA SecOT+ SOT-001. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 17% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: OT Risk Management
A manufacturing site is adding vendor-managed remote support for a packaging-line PLC network. IT will manage the remote-access platform, engineering owns PLC logic, operations owns production scheduling, and the vendor will perform approved troubleshooting. Which implementation choice best supports stakeholder management for this shared responsibility?
Options:
A. Let operations approve access without engineering review
B. Assign IT as sole owner of all remote-access decisions
C. Define a RACI matrix tied to the remote-access procedure
D. Allow the vendor to connect when troubleshooting is requested
Best answer: C
Explanation: Stakeholder management in OT cybersecurity requires clear ownership and communication when multiple groups share operational and security responsibilities. A RACI matrix tied to the remote-access procedure defines who is responsible for setup and monitoring, who is accountable for approvals, who must be consulted for PLC or process impacts, and who must be informed before and after vendor activity. This supports safety, availability, and auditability without assuming one group can make all decisions alone. In this scenario, IT, engineering, operations, and the vendor each control different parts of the risk, so the process should make those roles explicit.
Topic: OT Risk Management
A food-processing plant is planning a vendor firmware update for a packaging-line PLC. The security engineer must decide how to move the change forward while OT, IT, operations, engineering, and the vendor share responsibilities.
Exhibit: Change note and responsibility matrix
| Item | Current status |
|---|---|
| Planned change | Vendor firmware update to PLC-07 |
| Production state | Line runs 24/7 except approved maintenance windows |
| Operations | Accountable for downtime approval |
| Engineering | Responsible for PLC logic backup and process validation |
| IT | Responsible for firewall and remote-access controls |
| Vendor | Consulted for firmware procedure |
| Gap | No approved window or engineering validation plan attached |
Options:
A. Ask the vendor to approve the downtime because the vendor owns the firmware procedure
B. Reject the change until the PLC is replaced during a capital project
C. Hold a coordination review to obtain operations approval and engineering validation before scheduling access
D. Have IT open temporary remote access so the vendor can complete the update tonight
Best answer: C
Explanation: Stakeholder management in OT change work means using the defined ownership model, such as a RACI, to involve the right parties before taking action. In this case, operations is accountable for downtime approval, engineering is responsible for PLC backup and process validation, IT controls remote access, and the vendor is only consulted for the procedure. The gap is not the firmware itself; it is the missing stakeholder approval and validation planning needed to protect safety and production continuity. The next step should coordinate those parties and attach the required approvals before implementation. Opening access or letting the vendor decide bypasses operational ownership.
Topic: OT Risk Management
A beverage plant risk assessment finds an unsupported engineering workstation that is required to update pasteurizer PLC recipes. Operations cannot take it offline until the quarterly shutdown because an unplanned stop would spoil in-process product. Quality notes that an unauthorized recipe change could trigger a product hold or recall, and the business has delivery penalties with major customers. Which assessment is the BEST professional decision?
Options:
A. Score the risk only by patch cost and expected downtime hours
B. Classify the finding as technical debt and defer assessment until the shutdown
C. Document operational, quality, financial, and reputational impacts with interim risk ownership
D. Transfer the risk to the workstation vendor until replacement is possible
Best answer: C
Explanation: OT risk management should translate a technical finding into business impacts that matter to operational and executive stakeholders. In this scenario, the unsupported workstation affects process continuity, product quality, financial exposure from spoilage and delivery penalties, and reputational exposure from a possible recall. Because the asset cannot be taken offline immediately, the assessment should also identify interim controls, the accountable risk owner, and the planned decision point at the shutdown window. Treating the issue as only a patching task misses the broader consequence analysis needed for risk disposition.
Topic: OT Risk Management
A refinery plans to apply a firewall rule change that will restrict engineering workstation access to PLCs controlling a safety-critical unit. The change could affect vendor remote support during a scheduled 2-hour maintenance window. Operations owns the production risk, cybersecurity owns the access-control standard, and the plant requires a tested rollback plan before any production change. What is the BEST professional decision before implementation?
Options:
A. Require joint operations and cybersecurity approval with rollback evidence
B. Implement during the window and document approval afterward
C. Let cybersecurity approve because the change reduces access risk
D. Let operations approve because the PLCs affect production
Best answer: A
Explanation: OT change approval should match the risk ownership and technical control ownership affected by the change. Here, the firewall rule affects cybersecurity access control, PLC reachability, vendor support, and a safety-critical process. The best decision is to require documented agreement from both operations and cybersecurity before implementation, with evidence that testing and rollback requirements are satisfied. This supports safety and process continuity while enforcing the security standard. A maintenance window alone does not replace approval, and one team’s approval is incomplete when the change crosses operational and cybersecurity responsibilities.
Topic: OT Risk Management
A plant OT security engineer reviews the monthly risk register before the change advisory board. The plant manager can accept only Low or Medium residual risks for plant-owned controls. Corporate risk appetite for safety-critical OT assets is no higher than Medium. Which action should the engineer take next?
Exhibit: Risk register entry
| Field | Value |
|---|---|
| Asset | SIS engineering workstation |
| Finding | Persistent vendor VPN path to OT IDMZ |
| Current controls | MFA, jump box logging |
| Residual risk | High |
| Control owners | Corporate IAM, Procurement, vendor manager |
| Requested disposition | Plant manager acceptance |
Options:
A. Escalate for cross-owner risk disposition
B. Close the finding due to MFA and logging
C. Have the plant manager accept the risk
D. Block the VPN immediately without approval
Best answer: A
Explanation: Residual risk is the risk remaining after existing controls are considered. In the exhibit, the residual risk is High, but the stated appetite for safety-critical OT assets is Medium or lower. The requested acceptance is also outside the plant manager’s authority because key controls are owned by Corporate IAM, Procurement, and vendor management. The appropriate next action is escalation to the proper risk governance path and affected owners for disposition, funding, mitigation, transfer, or formal acceptance by an authorized role. Escalation does not mean the engineer must immediately change production access without approval; it means the risk cannot be locally accepted or closed under the stated facts.
Topic: OT Risk Management
A municipal water utility is choosing the assessment method for an OT risk workshop before approving a change to a chemical dosing skid.
Exhibit: Workshop request
Asset: Sodium hypochlorite dosing skid
Question: What happens if a sensor drifts, a pump relay fails,
or an actuator sticks during automatic dosing?
Needed output: Failure effects, process consequence,
criticality ranking, and safeguard recommendations
Scope: Skid components and control logic only
Which assessment method best fits the risk question?
Options:
A. Supply-chain risk assessment
B. Failure mode and criticality assessment
C. Scenario-based cyber risk assessment
D. Third-party risk assessment
Best answer: B
Explanation: A failure mode and criticality assessment fits when the risk question starts with possible component or function failures and asks what each failure would do to the process. The exhibit focuses on sensor drift, relay failure, and actuator sticking within one skid, then asks for effects, consequences, criticality, and safeguards. That is not primarily about vendor reliability, supplier provenance, or an attacker path. A scenario-based cyber assessment could model an event such as unauthorized remote access causing unsafe dosing, but this request is narrower: identify failure modes and rank their operational impact.
Topic: OT Risk Management
A water treatment plant must update its OT risk assessment after adding vendor remote access to a legacy PLC network. The chlorination process is safety-critical, the PLCs cannot tolerate active scanning during production, and management wants the assessment to account for likely adversaries and potential public health impact. Which assessment scope or method is the BEST professional decision?
Options:
A. Limit the assessment to CVSS scores for internet-facing IT assets
B. Run an authenticated vulnerability scan against all PLCs during production
C. Perform a scenario-based OT risk assessment using passive discovery and operations interviews
D. Conduct a physical safety audit focused only on PPE and lockout/tagout
Best answer: C
Explanation: A scenario-based OT risk assessment is the best fit when the goal is to connect asset criticality, exposure, threat actors, and operational consequence. In this case, the chlorination PLCs have high operational and public health consequence, vendor remote access changes exposure, and legacy PLC constraints make active scanning risky. Passive discovery, architecture review, process owner interviews, threat modeling, and consequence analysis can produce a risk view that is accurate enough for decision-making without jeopardizing process continuity. Pure vulnerability scoring or IT-only scoping would miss OT consequence and operational ownership. A safety audit is valuable, but it does not assess cyber exposure or threat actor paths.
Topic: OT Risk Management
A chemical plant is updating its OT risk register before a 6-hour maintenance window. The control engineer provides narrative evidence: an unsupported PLC controls a feed pump, a failed change could cause an off-spec batch, and operations can run manually for only 20 minutes. There is no validated incident frequency, downtime cost, or probability model. Management asks for the BEST assessment approach that supports a defensible decision without overstating confidence. What should the OT security engineer do?
Options:
A. Calculate annualized loss expectancy from estimated costs
B. Delay all risk scoring until precise failure data exists
C. Rank the risk only by the PLC vulnerability score
D. Use a qualitative assessment with documented assumptions
Best answer: D
Explanation: Qualitative assessment is appropriate when the available evidence is descriptive, judgment-based, or incomplete. In this scenario, the engineer has credible OT context from operations, including safety and process-continuity consequences, but lacks validated numeric inputs such as frequency, probability, and loss values. A qualitative method can rank likelihood and impact using defined categories, SME input, criticality, and documented assumptions. Quantitative methods are stronger when reliable numeric evidence exists and the model is defensible. The key is not to invent precision: use the best available evidence now, document uncertainty, and update the risk entry when better numeric data becomes available.
Topic: OT Risk Management
An OT risk team is comparing findings for the next mitigation window. Use the site rule: risk priority = likelihood × impact; if scores tie, prioritize the entry with the more severe consequence.
| Risk ID | Likelihood | Impact | Consequence |
|---|---|---|---|
| R-101 | 4 | 2 | Loss of historian reports only |
| R-102 | 3 | 5 | Loss of control could overpressure a transfer line |
| R-103 | 5 | 3 | Four-hour packaging outage |
| R-104 | 2 | 4 | Calibration retest required |
Which risk should be prioritized first?
Options:
A. R-102
B. R-104
C. R-103
D. R-101
Best answer: A
Explanation: Risk comparison in OT should consider likelihood, impact, and consequence together. Using the stated rule, R-102 and R-103 both score 15: R-102 is \(3 \times 5\), and R-103 is \(5 \times 3\). The tie is broken by consequence. R-102 involves potential loss of control that could overpressure a transfer line, which is more severe than a production-only outage. In OT, safety and environmental consequences commonly outweigh business disruption when risk scores are otherwise equal.
The key takeaway is to avoid ranking by likelihood alone; consequence can determine priority when scores are close or tied.
Topic: OT Risk Management
A municipal water treatment plant is updating its OT risk plan before storm season. The legacy SCADA server supports chlorine dosing visibility, the process must maintain safe minimum service during power or network disruptions, operations owns process changes, and the next approved OT outage window is in 30 days. Which decision BEST distinguishes the business continuity and disaster recovery drivers?
Options:
A. Transfer the storm risk to insurance, and omit recovery testing until an incident occurs.
B. Prioritize immediate SCADA patching, and treat continuity planning as complete after backups are verified.
C. Classify SCADA backup restoration as continuity, and defer operating procedures to disaster recovery.
D. Define continuity for safe minimum treatment, and schedule restore testing for SCADA recovery.
Best answer: D
Explanation: Business continuity and disaster recovery have different drivers in OT risk management. Business continuity is driven by the need to sustain safe, acceptable operations during a disruption, such as minimum treatment capability, manual procedures, staffing, power contingencies, and operator decision authority. Disaster recovery is driven by restoring systems, configurations, data, and supporting services after disruption, such as validated SCADA backups and tested restore procedures. In this scenario, the best professional decision respects process continuity, operational ownership, and the approved change window while separating “keep the plant safely running” from “recover the damaged or unavailable technology.”
Use the CompTIA SecOT+ SOT-001 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA SecOT+ SOT-001 on Web View CompTIA SecOT+ SOT-001 Practice Test
Use the full IT Mastery practice page above for the latest review links and practice page.