Try 10 focused CompTIA SecOT+ SOT-001 questions on OT Security Operations, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA SecOT+ SOT-001 |
| Topic area | OT Security Operations |
| Blueprint weight | 22% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate OT Security Operations for CompTIA SecOT+ SOT-001. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 22% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: OT Security Operations
A plant cybersecurity engineer must seed a CMDB for a chemical blending line while it is running. Operations needs visibility into OT assets and observed software/firmware details without increasing process risk.
Exhibit: Collection constraints
| Fact | Value |
|---|---|
| Controller subnet | Legacy PLCs; vendor warns against active polling during production |
| HMI/EWS hosts | In a 10-day change freeze |
| Network switch | Unused SPAN port available |
| Production constraint | No unscheduled downtime or controller load changes |
| CMDB need | Initial asset/software inventory for later validation |
Which collection method best fits these constraints?
Options:
A. Active credentialed scanning of the controller subnet
B. Passive discovery from the SPAN port
C. Endpoint inventory agents on all OT assets
D. Manual inventory only at the next outage
Best answer: B
Explanation: The key constraint is safe visibility during production. Passive network discovery using a SPAN port observes existing OT traffic and can identify assets, communications, protocols, and sometimes software or firmware indicators without transmitting probes to PLCs or changing host configurations. That makes it appropriate for an initial CMDB seed when controllers are legacy, active polling is discouraged, and HMI/engineering workstation changes are frozen. The results should still be validated later against engineering records, vendor data, host inventories, and maintenance windows because passive discovery may miss quiet assets or details not visible in traffic. Active scans and agent deployments can provide richer detail, but they conflict with the stated safety and change constraints.
Topic: OT Security Operations
A plant deployed new OT firewall inspection rules between the SCADA zone and one packaging cell. Operators now report intermittent HMI timeouts during shift startup, but no process alarms have occurred. The change window is still open. What is the best next action supported by the exhibit?
Exhibit: NPM comparison
Conduit: SCADA zone -> Packaging PLC zone
Traffic: EtherNet/IP cyclic I/O and HMI reads
| Metric | Baseline | After change |
|---|---|---|
| 95th percentile RTT | 18 ms | 145 ms |
| Packet loss | <0.1% | 2.8% |
| TCP retransmissions | Low | High |
| PLC CPU/network load | Normal | Normal |
| Firewall denies | None | None |
Options:
A. Prioritize EDR investigation on the PLCs
B. Expand the firewall rules because no denies are logged
C. Pause rollout and tune or roll back using NPM validation
D. Increase HMI timeouts to hide the delay
Best answer: C
Explanation: Network performance monitoring is the right evidence source when a security change may affect OT availability or latency. The exhibit shows a clear before-and-after degradation on the SCADA-to-PLC conduit: roughly eightfold higher 95th percentile round-trip time, packet loss well above the baseline, and more retransmissions after the inspection rules were added. Normal PLC load and zero firewall denies make endpoint overload or blocked traffic unlikely; the pattern points at the inspection path itself adding latency and drops to the cyclic EtherNet/IP traffic and HMI reads. Because the change window is still open and the issue affects operator view, the safer operational response is to pause the rollout, tune or roll back the inspection behavior with OT stakeholders, and use NPM metrics to confirm the conduit returns near baseline before deploying more broadly. Raising HMI timeouts would mask the symptom without removing the cause, and nothing in the exhibit supports an endpoint compromise on the PLCs.
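The before/after comparison in the exhibit is the kind of gate a team should run automatically before and after every conduit change. The following is an added example, not part of the original question set: it computes the 95th percentile RTT and loss rate from two probe windows and returns a verdict. The probe series, the 2x RTT ratio and 1% loss thresholds are constructed for illustration; real thresholds come from the process engineers and the protocol's timing requirements.

```python
def percentile(values, pct):
    """Nearest-rank percentile over successful samples; None marks a lost probe.

    pct is an integer percentage; the rank is computed in integer arithmetic so
    that, for example, the 95th percentile of 20 samples is exactly the 19th.
    """
    good = sorted(v for v in values if v is not None)
    if not good:
        return None
    rank = max(1, -(-(pct * len(good)) // 100))  # ceiling division
    return good[rank - 1]


def loss_pct(values):
    """Share of probes with no reply, as a percentage of all probes sent."""
    return 100.0 * sum(1 for v in values if v is None) / len(values)


def compare_against_baseline(baseline, after, max_rtt_ratio=2.0, max_loss_pct=1.0):
    """Regression gate for an OT conduit change.

    baseline/after are RTT samples in milliseconds (None = lost probe).
    Returns the computed metrics and whether the conduit is degraded.
    """
    b95, a95 = percentile(baseline, 95), percentile(after, 95)
    b_loss, a_loss = loss_pct(baseline), loss_pct(after)
    reasons = []
    if b95 and a95 and a95 / b95 > max_rtt_ratio:
        reasons.append(f"p95 RTT {a95} ms vs baseline {b95} ms")
    if a_loss > max_loss_pct and a_loss > b_loss:
        reasons.append(f"loss {a_loss:.1f}% vs baseline {b_loss:.1f}%")
    return {
        "p95_before_ms": b95,
        "p95_after_ms": a95,
        "loss_before_pct": b_loss,
        "loss_after_pct": a_loss,
        "degraded": bool(reasons),
        "reasons": reasons,
        "action": ("pause rollout; tune or roll back, then re-run this gate"
                   if reasons else "within tolerance"),
    }


# Constructed probe series (hypothetical): 20 RTT samples per window, None = no reply.
BASELINE_MS = [12, 14, 13, 15, 16, 18, 12, 13, 14, 15, 17, 16, 14, 13, 12, 15, 16, 18, 14, 13]
AFTER_MS = [120, 140, 135, 150, 145, 130, 160, 125, 140, None,
            138, 142, 155, 147, 133, 139, 144, 151, 136, 141]

if __name__ == "__main__":
    verdict = compare_against_baseline(BASELINE_MS, AFTER_MS)
    print(verdict["action"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

Run the gate against the same baseline both before enabling the rule set and after each tuning step; the change is only complete when the "after" window passes.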
Topic: OT Security Operations
A plant is building an initial OT asset inventory for a legacy packaging line. Several PLCs and drives have not been rebooted in years, the control engineer says unplanned polling can disrupt production, and no maintenance window is available this month. The team needs device identities, observed protocols, and communication relationships with minimal risk to operations. Which discovery approach should be implemented first?
Options:
A. Manual discovery using panel walkdowns only
B. Active polling of each controller from the engineering workstation
C. Passive discovery from a network TAP or SPAN port
D. Active discovery using authenticated network scans
Best answer: C
Explanation: Passive discovery is the best fit when OT assets are fragile, production cannot be interrupted, and the goal is to learn what is communicating on the network. A TAP or SPAN feed lets the inventory tool observe source and destination addresses, protocols, device fingerprints, and traffic relationships without sending discovery packets to PLCs or drives. Active discovery can be useful when approved and tested, especially for filling in software or configuration details, but it introduces traffic and device interaction. Manual discovery is valuable for validating labels, physical locations, owners, and panel contents, but by itself it may miss live communication paths. Start with passive discovery, then use manual validation and carefully approved active checks to close gaps.
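Both passive-discovery questions above turn on the same mechanism: learn identities, protocols and communication relationships from traffic a SPAN or TAP already carries, without sending a single probe. The block below is an added example (not from the question bank or any vendor tool) that folds sensor-exported frame summaries into an asset inventory and produces unvalidated CMDB seed rows. The port-to-protocol table uses the well-known OT ports; the MAC/IP addresses, frame records and the decoded ListIdentity fields are constructed for illustration, and the role heuristic is an assumption, not a standard.

```python
from dataclasses import dataclass, field

# Well-known OT protocol ports used to fingerprint what a device serves or consumes.
OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 102): "S7comm (ISO-on-TCP)",
    ("tcp", 20000): "DNP3",
    ("tcp", 4840): "OPC UA",
}


@dataclass
class Asset:
    mac: str
    ip: str
    protocols_served: set = field(default_factory=set)  # answered on an OT port
    protocols_used: set = field(default_factory=set)    # initiated to an OT port
    peers: set = field(default_factory=set)             # IPs it exchanged frames with
    identity: dict = field(default_factory=dict)        # decoded identity fields from replies

    @property
    def role(self) -> str:
        # Heuristic (assumption): anything that serves an OT protocol is treated as a
        # controller or field device; pure initiators are HMI/EWS/SCADA clients.
        if self.protocols_served:
            return "controller/field device"
        if self.protocols_used:
            return "client (HMI/EWS/SCADA)"
        return "unknown (no OT protocol observed)"


def build_inventory(frames):
    """Fold one-direction frame summaries into per-MAC asset records.

    Nothing is transmitted: the function only reads what the SPAN/TAP sensor saw.
    """
    assets = {}
    for fr in frames:
        src = assets.setdefault(fr["src_mac"], Asset(fr["src_mac"], fr["src_ip"]))
        dst = assets.setdefault(fr["dst_mac"], Asset(fr["dst_mac"], fr["dst_ip"]))
        proto = OT_PORTS.get((fr["transport"], fr["dst_port"]))
        if proto:
            src.protocols_used.add(proto)
            dst.protocols_served.add(proto)
        src.peers.add(dst.ip)
        dst.peers.add(src.ip)
        # Product name / firmware revision appear in the device's *reply*,
        # so they belong to the frame's sender.
        src.identity.update(fr.get("identity", {}))
    return assets


def cmdb_seed(assets):
    """Rows for an initial CMDB load; every row is marked as unvalidated passive evidence."""
    rows = []
    for a in sorted(assets.values(), key=lambda x: x.ip):
        rows.append({
            "ip": a.ip,
            "mac": a.mac,
            "role": a.role,
            "protocols": sorted(a.protocols_served | a.protocols_used),
            "peers": sorted(a.peers),
            "product": a.identity.get("product"),
            "firmware": a.identity.get("revision"),
            "source": "passive-span",
            "validated": False,
        })
    return rows


# Constructed frame summaries (hypothetical addresses) as a sensor might export them.
SAMPLE_FRAMES = [
    {"src_mac": "02:00:00:00:01:10", "src_ip": "10.20.1.10", "dst_mac": "02:00:00:00:01:50",
     "dst_ip": "10.20.1.50", "transport": "tcp", "dst_port": 44818},           # HMI -> PLC
    {"src_mac": "02:00:00:00:01:50", "src_ip": "10.20.1.50", "dst_mac": "02:00:00:00:01:10",
     "dst_ip": "10.20.1.10", "transport": "tcp", "dst_port": 51022,
     "identity": {"product": "PLC-X", "revision": "4.0"}},                      # PLC reply w/ identity
    {"src_mac": "02:00:00:00:01:50", "src_ip": "10.20.1.50", "dst_mac": "02:00:00:00:01:51",
     "dst_ip": "10.20.1.51", "transport": "udp", "dst_port": 2222},             # PLC -> drive cyclic I/O
    {"src_mac": "02:00:00:00:01:11", "src_ip": "10.20.1.11", "dst_mac": "02:00:00:00:01:60",
     "dst_ip": "10.20.1.60", "transport": "tcp", "dst_port": 502},              # EWS -> Modbus gateway
]

if __name__ == "__main__":
    for row in cmdb_seed(build_inventory(SAMPLE_FRAMES)):
        print(row)
```

Note what the output cannot contain: a standby controller that never transmitted during the capture window is simply absent, which is why every seed row carries `validated: False` and the inventory is checked against engineering records and panel walkdowns afterwards.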
Topic: OT Security Operations
A refinery OT security team is preparing vulnerability triage for engineering workstations that support a safety-critical blending unit. Active scanning is prohibited while the unit is running, the next approved change window is in 10 days, and Operations owns the CMDB.
Exhibit: Inventory evidence
| Source | Record for EWS-07 |
|---|---|
| CMDB | Windows 10 21H2, EngSuite 8.2, updated 5 days ago |
| Software inventory agent | Windows 10 1909, EngSuite 7.4, last check-in 62 days ago |
| Passive network discovery | Same MAC and switch port, hostname EWS-07, OS fingerprint inconclusive |
| Change log | Vendor upgrade completed 14 days ago, closeout pending |
Which decision is BEST for security operations?
Options:
A. Run an authenticated scan to confirm versions immediately
B. Use the CMDB record as authoritative for triage
C. Reconcile the records with Operations before vulnerability triage
D. Use the stale software agent record for triage
Best answer: C
Explanation: Security operations need inventory records that are current and consistent enough to support decisions such as vulnerability relevance, exposure, and remediation planning. Here, the CMDB and software inventory conflict, the agent data is stale, passive discovery does not confirm software versions, and the change log suggests a recent upgrade that has not been administratively closed. Because active scanning is prohibited during production and Operations owns the CMDB, the safest professional decision is to reconcile the CMDB, software inventory, and change evidence with Operations and the vendor before using the data for triage. The key takeaway is that “authoritative” does not mean “synchronized” when other evidence shows unresolved discrepancies.
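The EWS-07 decision can be made mechanical: compare every source's record for the asset, treat "could not determine" as missing rather than conflicting, flag anything older than your freshness budget, and hold triage while a change is unclosed. The block below is an added example, not from the question bank; the dates, the 30-day staleness budget and the field names are constructed to mirror the exhibit.

```python
from datetime import date


def reconcile(records, today, max_age_days=30, decision_fields=("os", "app")):
    """Cross-check inventory sources for one asset before using them in triage.

    records: {source: {"as_of": date, "os": str|None, "app": str|None, ...}}.
    A None value means the source could not determine the field (e.g. an
    inconclusive passive OS fingerprint) and is not counted as a conflict.
    """
    stale = sorted(s for s, r in records.items()
                   if (today - r["as_of"]).days > max_age_days)
    conflicts = {}
    for f in decision_fields:
        seen = {s: r[f] for s, r in records.items() if r.get(f) is not None}
        if len(set(seen.values())) > 1:
            conflicts[f] = seen
    open_changes = sorted(s for s, r in records.items() if r.get("closeout_pending"))

    blockers = []
    if conflicts:
        blockers.append("sources disagree on " + ", ".join(conflicts))
    if stale:
        blockers.append("stale source(s): " + ", ".join(stale))
    if open_changes:
        blockers.append("unclosed change recorded in " + ", ".join(open_changes))
    return {
        "stale": stale,
        "conflicts": conflicts,
        "open_changes": open_changes,
        "blockers": blockers,
        "decision": ("reconcile with Operations before triage"
                     if blockers else "ready for triage"),
    }


# Constructed records mirroring the EWS-07 exhibit (dates are hypothetical).
TODAY = date(2024, 6, 30)
EWS07 = {
    "cmdb":      {"as_of": date(2024, 6, 25), "os": "Windows 10 21H2", "app": "EngSuite 8.2"},
    "agent":     {"as_of": date(2024, 4, 29), "os": "Windows 10 1909", "app": "EngSuite 7.4"},
    "passive":   {"as_of": date(2024, 6, 30), "os": None, "app": None, "hostname": "EWS-07"},
    "changelog": {"as_of": date(2024, 6, 16), "closeout_pending": True},
}

if __name__ == "__main__":
    result = reconcile(EWS07, TODAY)
    print(result["decision"])
    for b in result["blockers"]:
        print(" -", b)
```

The agent record is 62 days old and disagrees with the CMDB on both decision fields, and the change log shows an upgrade that was never closed out; any one of those holds the asset out of triage until Operations confirms which record is true.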
Topic: OT Security Operations
An OT security analyst reviews a newly created vulnerability record for a packaging line where active scanning is restricted during production. What does the exhibit indicate about how the vulnerability was identified?
Exhibit: Vulnerability record VR-2147
| Field | Value |
|---|---|
| Source | OEM PSIRT advisory, matched to NVD CVE entry |
| Affected product | PLC-X firmware before 4.2 |
| Local match | Asset inventory shows Line 2 PLC-X at firmware 4.0 |
| Network activity | No active scan or controller query performed |
| Next step | Validate applicability with engineering in test cell |
Options:
A. Internal active discovery from controller interrogation
B. External identification correlated with internal inventory
C. Internal passive discovery from OT network traffic
D. Process anomaly identification from production logs
Best answer: B
Explanation: External vulnerability identification uses sources outside the organization, such as OEM advisories, PSIRT notices, NVD entries, ISAC alerts, or third-party intelligence. In the exhibit, the vulnerability was identified from an OEM PSIRT advisory and NVD CVE entry, then correlated to the plant’s internal asset inventory. No active scan, controller query, packet analysis, or process-log evidence created the finding. In OT, this distinction matters because externally identified vulnerabilities often require applicability validation, engineering review, maintenance-window planning, and possible compensating controls before remediation.
Topic: OT Security Operations
A water treatment plant receives a vendor advisory for a vulnerability in PLC firmware. The affected PLC controls a chemical dosing skid that cannot be stopped during production. The advisory lists several firmware versions, notes that some versions require an engineering workstation software update first, and warns that controller logic must be backed up before upgrading. What is the best next remediation action?
Options:
A. Patch only the engineering workstation to avoid touching the PLC
B. Verify applicability, dependencies, backup, test results, and maintenance window
C. Accept the risk because the PLC cannot stop during production
D. Install the firmware immediately because a vendor patch exists
Best answer: B
Explanation: OT vulnerability remediation should not jump directly from "patch available" to "install now." The team must first confirm that the update applies to the exact model and installed firmware, that it can be performed within the process constraint, and whether it depends on other changes such as the engineering workstation software update the advisory calls out. For a PLC controlling a live chemical dosing skid, remediation planning should also include a current logic backup, testing on a representative system or spare when available, stakeholder approval, a maintenance window, and a rollback plan. If the patch cannot be applied safely, temporary compensating controls may be needed, but that decision should follow the assessment rather than replace it. Patching only the workstation does not close the PLC vulnerability, and accepting the risk before assessing it skips the analysis that would justify that choice.
Topic: OT Security Operations
A food-packaging plant identifies a critical vulnerability in a PLC family used on a production line. A vendor patch is available, but the only maintenance window this month is 2 hours. The site has no spare controller, the current backup predates several logic changes, and post-patch process validation requires a 6-hour QA run. Temporary firewall rules can restrict engineering-workstation access to the PLCs. Which remediation path is best?
Options:
A. Patch during the 2-hour window and validate after startup
B. Apply access restrictions, update backups, and schedule tested remediation
C. Replace the PLCs with a newer model immediately
D. Accept the risk until a spare controller is procured
Best answer: B
Explanation: OT vulnerability remediation must balance exposure reduction with process safety and recoverability. Although a patch exists, the site lacks the minimum conditions for a safe implementation: a current rollback backup, a spare or tested recovery path, and enough downtime for required validation. The best path is to apply compensating controls now, such as restricting engineering access, while coordinating a later maintenance window that includes backup verification, patch testing where possible, stakeholder approval, rollback planning, and process validation. Patch availability alone does not make immediate deployment appropriate in OT. The key takeaway is to reduce risk without creating an uncontrolled production or safety risk.
Topic: OT Security Operations
A plant is updating its OT CMDB so engineers can decide whether a PLC firmware advisory requires action and whether a safe rollback is possible. Active discovery is restricted on the control network. Which inventory attribute set best supports the patch and backup decision?
Options:
A. Vendor logo, warranty contact, purchase price, invoice number
B. Hostname, subnet, rack color, procurement date, badge reader ID
C. Operator name, shift schedule, HMI theme, alarm volume setting
D. Model, firmware version, role, owner, location, backup status
Best answer: D
Explanation: Patch and backup decisions in OT depend on attributes that connect a vulnerability or firmware advisory to a real asset and its recovery path. The CMDB should capture identifiers such as model and firmware/software version, plus operational context such as role, owner, and physical location. Backup status is also essential because OT remediation often requires a tested way to restore the device or configuration if the update affects the process. Since active discovery is restricted, these fields may need to be validated through engineering records, vendor documentation, manual walkdowns, or controlled collection methods. Commercial or cosmetic data may help procurement, but it does not determine patch applicability or rollback readiness.
Topic: OT Security Operations
A plant has one approved 4-hour maintenance window this month. Controller changes require engineering validation, and production cannot be stopped outside the window. Which vulnerability should be ranked highest for remediation planning?
| Finding | Triage facts |
|---|---|
| PLC-12 firmware | CVSS 9.8 advisory, but the PLC runs a non-affected firmware branch and has no routable Ethernet path |
| HMI-03 service | CVSS 8.1, affected version installed, reachable from the IDMZ jump host and vendor VPN group, public exploit available, could affect operator view/control |
| Historian web UI | CVSS 9.0, affected library on read-only enterprise replica, no write path to OT historian |
| Eng workstation LPE | CVSS 6.5, affected version installed, requires local interactive access, locked cabinet, used only during quarterly changes |
Options:
A. Prioritize PLC-12 because it has the highest CVSS score
B. Prioritize the historian web UI because it is enterprise-facing
C. Prioritize the engineering workstation because it is used for changes
D. Prioritize HMI-03 and apply interim access restrictions
Best answer: D
Explanation: OT vulnerability triage should combine severity with applicability, exposure, exploitability, and process impact. HMI-03 is affected, reachable through defined conduits (the IDMZ jump host and the vendor VPN group), has a public exploit, and could affect operator visibility or control. That creates a credible OT operational impact and makes it the best candidate for the single approved window, with compensating access restrictions on those conduits until then. A higher CVSS base score does not outrank a finding that is not applicable to the installed firmware (PLC-12) or has no credible path to the OT process (the read-only enterprise historian replica); the base score measures the vulnerability, not your exposure to it. The key takeaway is to prioritize the vulnerability that is both technically exploitable in your environment and meaningful to the process.
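The ranking above, and the "firmware before 4.2" applicability check from the VR-2147 record earlier on this page, both reduce to the same two steps: decide whether the installed version falls inside the advisory's range, then weigh exposure, exploit availability and process impact alongside the CVSS score. The block below is an added example, not from the question bank or any scoring standard: the weights, the exposure and impact categories, and the installed/affected versions attached to each finding are assumptions chosen to mirror the table, not real advisory data.

```python
def version_key(v):
    """Compare dotted numeric versions component-wise so that '4.10' > '4.9'."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, lo_inclusive, hi_exclusive):
    """Advisory ranges read 'from lo up to but not including hi'.

    'before 4.2' is expressed as lo='0', hi='4.2'.
    """
    return version_key(lo_inclusive) <= version_key(installed) < version_key(hi_exclusive)


# Illustrative weights (assumption): exposure and impact dominate the base score on purpose.
EXPOSURE = {"reachable from IDMZ/remote": 3, "reachable within zone": 2,
            "local interactive only": 1, "no path to OT process": 0}
IMPACT = {"operator view/control": 3, "engineering change path": 2, "data only": 1, "none": 0}


def score(f):
    """0.0 for non-applicable findings; otherwise severity + exposure + exploit + impact."""
    if not is_affected(f["installed"], *f["affected_range"]):
        return 0.0
    return (f["cvss"] / 10) + EXPOSURE[f["exposure"]] \
        + (2 if f["public_exploit"] else 0) + IMPACT[f["impact"]]


def triage(findings):
    """Rank findings and flag which ones warrant interim access restrictions."""
    out = []
    for f in sorted(findings, key=score, reverse=True):
        s = score(f)
        out.append({
            "id": f["id"],
            "score": round(s, 2),
            "applicable": s > 0,
            # Remote/zone reachability plus a public exploit: restrict the conduit now.
            "interim_access_restriction": s > 0 and EXPOSURE[f["exposure"]] >= 2 and f["public_exploit"],
        })
    return out


# Constructed findings mirroring the triage table; versions are hypothetical.
FINDINGS = [
    {"id": "PLC-12", "cvss": 9.8, "installed": "5.1", "affected_range": ("4.0", "4.3"),
     "exposure": "no path to OT process", "public_exploit": False, "impact": "operator view/control"},
    {"id": "HMI-03", "cvss": 8.1, "installed": "7.2", "affected_range": ("7.0", "7.4"),
     "exposure": "reachable from IDMZ/remote", "public_exploit": True, "impact": "operator view/control"},
    {"id": "Historian", "cvss": 9.0, "installed": "2.3", "affected_range": ("2.0", "2.5"),
     "exposure": "no path to OT process", "public_exploit": False, "impact": "none"},
    {"id": "EWS-LPE", "cvss": 6.5, "installed": "11.0", "affected_range": ("10.0", "11.2"),
     "exposure": "local interactive only", "public_exploit": False, "impact": "engineering change path"},
]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
```

PLC-12 drops to the bottom not because its score is low but because the applicability gate fails first; no amount of CVSS severity survives a version that is outside the affected range.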
Topic: OT Security Operations
A manufacturing site allows vendor technicians to bring files into an OT cell for PLC maintenance. The OT manager wants the control that best reduces unauthorized media use, malware transfer, and loss of recipe files.
Exhibit: Portable-device control checklist
| Check | Current state |
|---|---|
| Vendor laptops | Not allowed on OT switch ports |
| USB media | Personal USB drives used at EWS |
| Malware scan | Performed on office PCs only |
| File transfer log | Not maintained |
| Recipe export control | Not enforced |
Options:
A. Deploy a removable-media kiosk with scanning, authorization, logging, and approved encrypted media
B. Require vendors to sign an annual acceptable-use acknowledgment
C. Enable passive asset discovery on the OT switch mirror port
D. Add a firewall rule blocking vendor laptops from the PLC subnet
Best answer: A
Explanation: The exhibit points to removable media as the active gap: personal USB drives are used directly on the engineering workstation, scanning happens outside the OT workflow, transfers are not logged, and recipe exports are not controlled. A dedicated removable-media kiosk or transfer station can enforce the workflow before media reaches OT assets. It can scan files with approved tools, allow only authorized media, record custody and transfer details, and require encrypted or controlled media for sensitive exports.
Network controls still matter, but the exhibit already says vendor laptops are not allowed on OT switch ports. The highest-value next control must govern the actual transfer path being used: USB media at the engineering workstation.