CompTIA SecOT+ SOT-001: OT Threat Intelligence

Topic snapshot

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: OT Threat Intelligence

A water utility receives a high-confidence ISAC alert about current exploitation of a remote-access path used to reach a specific PLC engineering tool. The plant has the affected PLC family on chlorine dosing skids, but remote access is only through an IDMZ jump box and a vendor VPN. The process is running continuously, and operations prohibits active scanning or PLC restarts until a 72-hour maintenance window. Which action is the BEST professional decision?

Options:

• A. Submit a regulatory incident report before confirming any compromise or impact

• B. Perform targeted log review and access-control checks, then plan validated changes with operations

• C. Dismiss the alert because the PLCs are not directly Internet-accessible

• D. Restart the affected PLCs immediately and apply firmware updates before the window

Best answer: B

Explanation: Timely, relevant, and actionable OT intelligence should be applied in a way that supports safe decisions. The alert is timely because exploitation is current, relevant because the site uses the affected PLC family and remote-access workflow, and actionable because the team can check jump box, VPN, firewall, IDS, and engineering-workstation evidence without touching live controllers. OT constraints matter: continuous chlorine dosing and an operations restriction make disruptive scanning, restarts, or untested updates inappropriate before the approved window. The best response validates exposure and compromise indicators, tightens access if needed, and coordinates any change through operations.

• Immediate restart ignores process-continuity and safety constraints by disrupting live chlorine dosing before the maintenance window.
• Dismissing exposure overlooks the vendor VPN and IDMZ jump box as possible indirect paths to the affected engineering workflow.
• Premature reporting may be required later, but the stem provides an alert, not confirmed compromise or reportable impact.

Question 2

Topic: OT Threat Intelligence

A water utility receives a threat-intelligence summary after abnormal VPN activity against its billing network and historian reporting server. Operations remain stable, but leadership needs to classify the likely actor for briefing and response planning.

Exhibit: Threat-intel note

Observed behavior: encrypted several business file shares
Claim: copied customer and maintenance records
Demand: payment within 5 days to prevent publication
Message theme: financial demand, no political cause stated
OT activity: historian access attempted; no process changes observed

Which threat actor type is best supported by the exhibit?

Options:

• A. Unintentional insider

• B. Nation-state espionage actor

• C. Cybercriminal extortion actor

• D. Hacktivist

Best answer: C

Explanation: The exhibit most strongly supports a cybercriminal extortion actor. The decisive indicators are file encryption, a payment deadline, and a threat to publish copied records. The attempted historian access is relevant to OT scoping, but the observed motivation is financial pressure rather than ideology or covert intelligence collection. In OT environments, these actors may affect operations directly or indirectly, even when the initial activity is in business systems or data repositories.

A key takeaway is to classify the actor by the visible motivation and behavior, not only by the type of affected asset.

• Unintentional insider does not fit because the activity includes a demand message and threatened publication.
• Hacktivist is less supported because the note states no political or social cause.
• Nation-state espionage is less supported because the behavior is overt extortion, not stealthy collection for strategic intelligence.

Question 3

Topic: OT Threat Intelligence

A manufacturer receives correlated alerts during normal production. The process is stable, PLC changes require an approved outage, and OT operations owns containment decisions for control-zone assets.

Exhibit: Alert summary

Which response is the best professional decision?

Options:

• A. Classify it as routine engineering activity and suppress the jump-host alerts.

• B. Classify it as IT-to-OT pivoting and coordinate containment through OT operations.

• C. Treat it as an isolated IT phishing event and reimage only the laptop.

• D. Force the PLCs into program mode and reload known-good logic.

Best answer: B

Explanation: The alert sequence indicates lateral movement and an IT-to-OT pivot path: compromise begins on an enterprise laptop, the same identity is used through VPN, and activity then reaches the IDMZ jump host before attempting access to HMI and engineering assets. Because production is stable and PLC changes require an outage, the safest professional response is to classify the activity correctly and coordinate containment with OT operations, such as suspending the account, restricting the conduit, and validating process impact before touching control assets. The key is recognizing the cross-zone movement rather than treating each alert as separate.

• Routine engineering activity fails because the unusual VPN login and malware alert make the jump-host access suspicious.
• PLC reload is unsafe and unnecessary without evidence of logic manipulation or an approved outage.
• Laptop-only response misses the use of credentials and the movement into the IDMZ toward OT assets.

Question 4

Topic: OT Threat Intelligence

An OT SOC is tuning detections after a suspected intrusion at a water facility. Which implementation choice best applies the ICS Cyber Kill Chain to the current evidence and reduces progression risk?

Evidence:
- Contractor account used VPN after a phishing report
- Engineering workstation made periodic outbound connections
- No controller logic change is recorded
- No abnormal ICS function codes are observed
- Historian and operator displays match expected process values

Options:

• A. Treat it as process manipulation and recalibrate sensors before network containment

• B. Treat it as Stage 1 enablement and harden VPN, IDMZ, and jump-host monitoring

• C. Treat it as normal remote access and wait for abnormal historian values

• D. Treat it as Stage 2 execution and restore controllers from known-good logic backups

Best answer: B

Explanation: The ICS Cyber Kill Chain separates initial intrusion activity from ICS attack development and execution. In this case, the attacker appears to have obtained remote access and established possible command-and-control from an engineering workstation, but there is no evidence of controller logic modification, abnormal function codes, or process manipulation. The best implementation choice is to contain and monitor the access path before the activity progresses into Stage 2 ICS-specific delivery or execution. VPN logs, IDMZ controls, jump-host activity, account use, and outbound connections are the most relevant defensive points here.

Controller restoration or process recovery actions are not supported until there is evidence of control logic compromise or operational impact.

• Premature recovery fails because controller logic changes have not been observed.
• Process-first response fails because sensor or process manipulation is not shown in the evidence.
• Wait-and-see monitoring fails because Stage 1 activity can enable later ICS attack execution if not contained.

Question 5

Topic: OT Threat Intelligence

A chemical plant OT security team must decide whether to add temporary monitoring rules and remote-access restrictions before a weekend maintenance window. The plant has PLCs from Vendor X, an engineering workstation reachable only through a jump box, and strict uptime requirements. Which intelligence input should the team use first to support the decision?

Options:

• A. A same-sector ISAC alert from today that maps Vendor X activity to observed TTPs, affected versions, IOCs, and OT-safe mitigations

• B. A generic CVE feed entry for Vendor X with no asset match, exploit context, or compensating controls

• C. A six-month-old annual threat report describing increased nation-state interest in critical infrastructure

• D. A vendor marketing brief recommending a new monitoring platform for industrial networks

Best answer: A

Explanation: Useful OT threat intelligence should be timely, relevant, and actionable. In this scenario, the team needs to make a near-term security decision without disrupting operations, so the best input is recent intelligence tied to the same sector, the actual vendor or versions in use, observed adversary behavior, and specific mitigations or detection logic that can be reviewed for OT safety. Strategic background may inform risk discussions, but it is not enough for an immediate maintenance-window decision. A raw vulnerability mention also needs context, such as exposure, applicability, exploitability, and safe compensating controls.

• Strategic reporting may be relevant to long-term planning, but a six-month-old broad report is not timely or specific enough for immediate control changes.
• Raw CVE data can start triage, but without asset applicability or mitigation context it is not yet actionable.
• Product marketing may describe capabilities, but it is not validated threat intelligence for a specific OT decision.

Question 6

Topic: OT Threat Intelligence

An OT security engineer at a municipal heating plant reviews a threat-intelligence briefing about a historical OT cyber event that caused physical service disruption by abusing an industrial control protocol. The plant uses a similar protocol on legacy controllers, but there are no matching IOCs, no abnormal process values, and no confirmed unauthorized access. Operations owns the controllers and has a maintenance window in 10 days. What is the BEST professional decision?

Options:

• A. Emergency-patch the legacy controllers before operations approves

• B. Use the event to update risk posture and plan controls review

• C. Attribute the activity to the same threat actor

• D. Disconnect the controller network until the briefing is resolved

Best answer: B

Explanation: Historical OT cyber events can inform risk posture when they reveal credible TTPs, affected technologies, operational consequences, or control gaps that resemble the organization’s environment. In this case, the plant has a similar protocol and legacy controllers, so the event should influence risk assessment, monitoring priorities, compensating controls, and change planning. However, attribution requires incident evidence such as matching IOCs, observed TTPs, unauthorized access, or process anomalies. Safety and operational ownership also matter: changes to legacy controllers should be coordinated with operations and maintenance windows unless there is an active safety issue. The key distinction is relevance to risk, not proof of compromise.

• Actor attribution fails because a similar protocol and historical event do not prove the same actor is active.
• Emergency patching bypasses OT change control and may create availability or safety risk without active compromise evidence.
• Network disconnection is too disruptive for a briefing alone and is not justified without incident indicators or safety impact.

Question 7

Topic: OT Threat Intelligence

A chemical plant receives an IDS alert indicating abnormal traffic to several safety-rated PLCs. The asset owner needs a source of threat intelligence that can confirm whether the exact PLC firmware version has a known vulnerability and provide supported mitigation guidance before the next maintenance window. Which source is the best fit?

Options:

• A. Social media threat posts

• B. Volunteer malware tracker

• C. Cross-sector ISAC bulletin

• D. OEM vendor security advisory

Best answer: D

Explanation: OT threat intelligence source selection should match the operational decision. For device-specific questions, such as whether an exact PLC model and firmware version is affected and what mitigation is supported, the OEM vendor is usually the most authoritative source. Vendor advisories can identify affected versions, compensating controls, update paths, and safety or operational constraints tied to the product. Broader sources can still add context, but they should not replace vendor-supported guidance when planning remediation for production OT assets.

• Social media posts may surface early rumors or indicators, but they are not authoritative enough for firmware-specific remediation decisions.
• Volunteer trackers can help with malware or IOC awareness, but they typically do not provide supported PLC mitigation guidance.
• ISAC bulletins are useful for sector-wide awareness, but they may not confirm exact affected firmware and vendor-approved actions.

Question 8

Topic: OT Threat Intelligence

An OT threat analyst is creating a threat-intelligence case record using the Diamond Model after suspicious activity at a water utility.

Observed facts:

• An ISAC notice links similar activity to an extortion crew targeting water utilities.
• A remote session came from VPS 198.51.100.44 through the contractor VPN path.
• The session used stolen contractor credentials and a Modbus-capable enumeration tool.
• The activity focused on Plant 2 chlorine dosing PLCs.

Which case-record mapping best applies the Diamond Model?

Options:

• A. Adversary: Plant 2 PLCs; Capability: VPS; Infrastructure: ISAC notice; Victim: contractor account

• B. Adversary: contractor VPN; Capability: water utility; Infrastructure: Modbus registers; Victim: extortion crew

• C. Adversary: stolen contractor credentials; Capability: extortion crew; Infrastructure: chlorine dosing PLCs; Victim: VPS and VPN path

• D. Adversary: extortion crew; Capability: stolen credentials and Modbus enumeration; Infrastructure: VPS and contractor VPN path; Victim: Plant 2 chlorine dosing PLCs

Best answer: D

Explanation: The Diamond Model organizes intrusion facts into four connected vertices: adversary, capability, infrastructure, and victim. In this OT case, the adversary is the actor associated with the activity, the extortion crew. Capability is what enables or performs the action, including credential abuse and the Modbus-capable enumeration tool. Infrastructure is the logical path or resources used to conduct the activity, such as the VPS and contractor VPN access path. The victim is the affected organization or asset, here the Plant 2 chlorine dosing PLCs. Keeping these vertices separate helps analysts compare campaigns, identify reusable infrastructure, and assess OT-specific victim impact.

• Treating credentials as the adversary confuses an enabling capability with the actor behind the activity.
• Treating the ISAC notice as infrastructure fails because it is a reporting source, not an operational path used by the actor.
• Treating the VPN as the adversary confuses access infrastructure with the responsible threat actor.

Question 9

Topic: OT Threat Intelligence

An OT security lead is preparing a board briefing for a fuel terminal operator. The team needs a historical example of indirect OT impact where an IT-side cyber incident disrupted operations and supply continuity, but the briefing must avoid implying confirmed PLC or SIS manipulation. Which event is the best example to cite?

Options:

• A. TRISIS

• B. Stuxnet

• C. Colonial Pipeline

• D. Industroyer

Best answer: C

Explanation: Indirect OT impact occurs when a cyber event affects operational continuity, safety posture, logistics, or business decisions without directly manipulating industrial controllers or safety systems. Colonial Pipeline fits the stem because ransomware in the IT environment prompted operational shutdown and disrupted fuel supply, making it a clear example of IT-to-operations consequence. The briefing should describe the operational impact accurately without overstating evidence of direct ICS compromise.

Events such as TRISIS, Stuxnet, and Industroyer are more closely associated with direct industrial control or safety-system targeting, so they do not match the requested indirect-impact framing.

• Direct safety targeting fails because TRISIS is associated with safety instrumented system compromise, not an IT-driven indirect impact example.
• Controller manipulation fails because Stuxnet involved direct manipulation of industrial control behavior.
• Grid control impact fails because Industroyer is associated with direct electric grid control-system operations rather than a precautionary IT-driven shutdown.

Question 10

Topic: OT Threat Intelligence

A water treatment plant receives an OEM firmware update for a PLC that controls chemical dosing. The advisory says the flaw is remotely exploitable through a vendor component, but the PLC supports a safety-critical process and can only be changed during a weekly 30-minute maintenance window. The OT network has no direct internet access, and the vendor’s integrator offers to apply the update remotely. What is the BEST professional decision?

Options:

• A. Install it immediately because the advisory says the flaw is remotely exploitable

• B. Allow the integrator to install it remotely using the shared maintenance account

• C. Defer all firmware updates until the next annual shutdown

• D. Verify the OEM source and signature, test offline, then deploy in the approved window

Best answer: D

Explanation: Supply-chain firmware risk means the update itself becomes part of the trust decision. In OT, a vendor-provided update should not be applied only because it appears urgent or comes from a familiar partner. The team should validate provenance through an approved OEM channel, verify digital signatures or hashes, confirm applicability to the exact asset, and test on an offline spare or representative environment when possible. Deployment should follow OT change control, including operational approval, a maintenance window, backup or rollback preparation, and process validation after the change. This balances threat intelligence about the vendor component with safety and continuity constraints.

• Remote convenience fails because shared-account remote installation weakens accountability and bypasses controlled firmware provenance and change handling.
• Urgency only fails because exploitable firmware risk still requires validation and safe OT deployment planning.
• Annual deferral fails because it ignores a relevant vendor-component exposure instead of triaging and mitigating it through an approved window.

Continue with full practice

Use the CompTIA SecOT+ SOT-001 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Try CompTIA SecOT+ SOT-001 on Web View CompTIA SecOT+ SOT-001 Practice Test

Related focused pages

• Free CompTIA SecOT+ SOT-001 Full-Length Practice Exam
• OT Systems and Safety Foundations
• OT Risk Management
• OT Security Architecture
• OT Security Operations
• OT Incident Management

Free review resource

Use the full IT Mastery practice page above for the latest review links and practice page.