CompTIA SecOT+ V1 (SOT-001) Exam Focus
Use this Quick Reference as independent review support for CompTIA SecOT+ V1 (SOT-001). It is organized around high-yield operational technology security decisions: architecture, monitoring, controls, vulnerability handling, identity, remote access, incident response, and risk.
Core Exam Mental Model
| If the question says… | Think first | Common trap |
|---|---|---|
| Plant floor, controller, safety impact, production outage | OT/ICS risk, safety, availability | Applying pure IT response without process approval |
| Legacy protocol, PLC, HMI, RTU, DCS | Compensating controls and segmentation | Assuming encryption/authentication exists |
| Vendor remote support | MFA, PAM, jump host, time-bound access, logging | Direct VPN into control network |
| Suspicious controller write | Engineering workstation validation, change window, process impact | Blocking traffic without operations coordination |
| Vulnerability on critical OT asset | Risk-based patching, testing, maintenance window | Scanning/patching aggressively like IT endpoints |
| Need visibility without disruption | Passive discovery, SPAN/TAP, OT-aware IDS | Active scanning of fragile controllers |
| IT/OT data sharing | Industrial DMZ, broker/historian replica, least privilege | Direct enterprise-to-PLC access |
IT vs OT Security Priorities
| Area | IT emphasis | OT/ICS emphasis | SOT-001 decision point |
|---|---|---|---|
| Primary objective | Data protection and business services | Safety, availability, process integrity | Do not choose controls that endanger safe operations |
| CIA priority | Often confidentiality first | Availability and integrity often first | Confidentiality still matters, but downtime can be critical |
| Change frequency | Frequent patching and updates | Controlled, tested, scheduled changes | Prefer maintenance windows and rollback plans |
| Asset lifecycle | Shorter refresh cycles | Long-lived equipment, legacy OS/protocols | Use compensating controls when upgrades are impractical |
| Monitoring | Endpoint/log heavy | Network behavior, protocol commands, asset baselines | Passive monitoring is often preferred |
| Incident containment | Isolate, reimage, block quickly | Coordinate with operations and safety teams | Containment must account for process state |
| Acceptable downtime | Often recoverable with DR | May cause safety, production, environmental impact | Recovery planning must include process restart |
OT/ICS Architecture Reference
Purdue Model and Security Zones
| Level | Typical systems | Security focus | Exam cues |
|---|---|---|---|
| 0 | Sensors, actuators, valves, drives | Physical process safety and integrity | Direct process manipulation risk |
| 1 | PLCs, RTUs, IEDs, controllers | Controller logic, deterministic control | Unauthorized writes are high severity |
| 2 | HMI, engineering workstation, local SCADA | Operator visibility and control | Protect engineering tools and HMI accounts |
| 3 | Site operations, historian, batch servers, OT AD | OT services and plant operations | Strong segmentation from enterprise IT |
| 3.5 | Industrial DMZ | Controlled data exchange | Preferred place for brokers, jump hosts, replicas |
| 4 | Enterprise IT | Business apps, users, corporate identity | No direct control network access |
| 5 | External/cloud/partners | Remote access, analytics, vendors | Brokered, monitored, least-privilege connections |
Architecture Patterns
| Pattern | Use when | Key controls | Avoid |
|---|---|---|---|
| Industrial DMZ | IT and OT must exchange data | Firewalls, proxies, historian replica, jump server, broker | Direct enterprise connection to controllers |
| Jump host | Admin or vendor access into OT | MFA, PAM, session recording, allowlist, approval workflow | Shared unmanaged admin workstation |
| One-way transfer/data diode | Data must leave OT with minimal inbound risk | Unidirectional gateway, replicated data services | Assuming it supports all interactive admin tasks |
| Separate OT identity boundary | OT has different uptime/risk needs than IT | Dedicated OT AD or hardened identity services | Blind trust between enterprise and OT domains |
| Remote vendor access gateway | Vendor support is required | Time-limited access, MFA, logging, named accounts | Always-on VPN with broad network reach |
| Out-of-band management | Normal network may be unavailable | Separate management path, break-glass process | Uncontrolled modems or undocumented backdoors |
Key Components and What They Do
| Component | Role | Security concern | High-yield protection |
|---|---|---|---|
| PLC | Controls machinery/process logic | Unauthorized logic changes, unsafe outputs | Engineering workstation control, logic backups, write monitoring |
| RTU | Remote telemetry/control, often geographically distributed | Weak physical security, low bandwidth links | Secure comms path, tamper controls, remote monitoring |
| DCS | Distributed process control | Broad operational impact if compromised | Segmentation, role separation, change control |
| SCADA | Supervisory monitoring/control across sites | Central visibility and control target | Harden servers, monitor commands, protect remote links |
| HMI | Operator interface | Credential theft, false process view | Least privilege, screen/session security, patching plan |
| Engineering workstation | Programs/configures controllers | Highest-value OT admin endpoint | Application allowlisting, MFA/PAM, removable media control |
| Historian | Stores process data | Bridge between OT and IT | Place replicas/brokers in DMZ; control queries and exports |
| SIS | Safety instrumented system | Should remain independent and reliable | Do not rely on SIS as the only security control |
| IED | Intelligent electronic device, often in power systems | Remote configuration/control abuse | Strong access control and protocol monitoring |
| IIoT device | Sensor/gateway with network/cloud features | Weak defaults, supply chain, exposed APIs | Secure onboarding, certs, firmware management |
| OPC server/gateway | Industrial data interoperability | Over-broad data access | Restrict tags, authenticate clients, monitor reads/writes |
OT Protocol Recognition
| Protocol/technology | Common use | Security notes | Exam reminder |
|---|---|---|---|
| Modbus/TCP | Simple industrial control messaging | Often lacks native authentication/encryption | Monitor function codes, especially writes |
| DNP3 | Utilities, remote telemetry | Secure variants exist but are not universal | Validate implementation, not just protocol name |
| OPC UA | Industrial interoperability | Can support authentication, encryption, signing | Secure configuration matters |
| OPC Classic | Legacy Windows/DCOM-based integration | DCOM exposure and Windows hardening issues | Segment and restrict allowed clients |
| EtherNet/IP | Industrial automation/CIP | Common on plant networks | Watch for unauthorized configuration/control traffic |
| PROFINET | Industrial Ethernet automation | Real-time industrial communication | Availability and segmentation are key |
| BACnet | Building automation | May expose HVAC/building controls | Treat facilities systems as security-relevant |
| MQTT | Publish/subscribe telemetry | Broker security, TLS, client auth, topic ACLs | Broker compromise can expose many devices |
| SNMP | Device monitoring | Weak community strings in older versions | Prefer secure versions/configuration |
| RDP/SSH/VNC | Remote administration | Credential theft and lateral movement | Use jump hosts, MFA, logging, allowlists |
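The Modbus/TCP row says to monitor function codes, especially writes. The following added example (not code from this reference or from any vendor) parses the MBAP header and function code of a Modbus/TCP request and separates read requests from those that can change controller state. The three sample frames are constructed by hand, not captured traffic, and the function-code tables are the public codes from the Modbus application protocol specification.

```python
"""Modbus/TCP request classifier: flag write function codes.

Added example, not code from the SOT-001 reference or any vendor. It parses
the 7-byte MBAP header plus the function code of a Modbus/TCP request and
reports whether the request can change controller state. The sample frames
are constructed by hand, not captured from a real network.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Public function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    name: str
    is_write: bool
    start_address: Optional[int]  # first 16-bit address word for the codes above


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU of one request; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU, so a well-formed frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    fc = frame[7]
    data = frame[8:]
    known = fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS
    # For every code in the two tables the PDU data begins with a 16-bit start address.
    start = struct.unpack(">H", data[:2])[0] if known and len(data) >= 2 else None
    name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"Other/vendor function {fc}"
    return ModbusRequest(tid, unit, fc, name, fc in WRITE_FUNCTIONS, start)


def write_requests(frames: List[bytes]) -> List[ModbusRequest]:
    """Return only the requests that can alter controller state."""
    return [r for r in (parse_modbus_tcp(f) for f in frames) if r.is_write]


# Constructed sample frames (hex): MBAP header, then function code and data.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")          # FC3: read 10 holding regs at 0
WRITE_SINGLE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 1234")  # FC6: write reg 16 = 0x1234
WRITE_MULTI_FRAME = bytes.fromhex("0003 0000 000b 01 10 0100 0002 04 0001 0002")  # FC16: 2 regs at 256
SAMPLE_FRAMES = [READ_FRAME, WRITE_SINGLE_FRAME, WRITE_MULTI_FRAME]

if __name__ == "__main__":
    for req in (parse_modbus_tcp(f) for f in SAMPLE_FRAMES):
        flag = "WRITE" if req.is_write else "read "
        print(f"tid={req.transaction_id} unit={req.unit_id} {flag} {req.name} @ {req.start_address}")
```

Feeding the write list into an alert rule keyed on source host (is the sender an approved engineering workstation?) is what turns this into the "unauthorized controller write" detection used later in the reference; the parser alone only tells you which requests matter.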
Security Control Selection Matrix
| Need | Best-fit control | Why | Watch for |
|---|---|---|---|
| Discover assets safely | Passive asset discovery | Reduces risk to fragile OT devices | May miss powered-off or silent assets |
| Stop direct IT-to-OT access | Segmentation and industrial DMZ | Limits lateral movement | VLAN alone is not a complete security boundary |
| Control vendor sessions | PAM + MFA + jump host | Named, approved, recorded access | Shared vendor accounts reduce accountability |
| Detect unauthorized PLC writes | OT-aware IDS/NDR | Understands industrial protocols | Generic IDS may miss process-specific commands |
| Prevent unknown executables | Application allowlisting | Useful for stable engineering/HMI systems | Requires controlled change process |
| Protect legacy unpatchable assets | Compensating controls | Reduces exposure without unsupported changes | Does not remove the underlying vulnerability |
| Secure removable media | USB control and scanning kiosk | Common OT infection path | Blanket bans may fail operationally without alternatives |
| Reduce credential abuse | Least privilege, RBAC, MFA | Limits blast radius | MFA must be compatible with uptime and emergency access |
| Preserve evidence | Central logs, time sync, packet capture | Supports investigation | Unsynchronized clocks weaken timelines |
| Recover controller state | Logic/config backups | Enables validated restoration | Backups must be tested and versioned |
Segmentation and Network Security
Segmentation Options
| Control | Strength | Best use | Limitation |
|---|---|---|---|
| VLAN | Logical separation | Traffic organization | Not sufficient alone against routed access |
| ACL | Basic traffic filtering | Restrict known flows | Can become hard to manage |
| Firewall | Stateful boundary control | Zone-to-zone enforcement | Rules must be specific and reviewed |
| Industrial firewall | OT-aware filtering | Protocol-aware control near cells/areas | Requires OT protocol understanding |
| Data diode | Unidirectional flow | High-assurance outbound data transfer | Not for interactive control |
| Microsegmentation | Fine-grained host/workload policy | Sensitive servers and mixed environments | More operational complexity |
| NAC | Device admission control | Prevent rogue devices | Legacy OT compatibility issues |
| Air gap | Physical/logical isolation | Very high-risk environments | Often eroded by USB, laptops, vendors, temporary links |
Zone and Conduit Thinking
| Concept | Meaning | Exam application |
|---|---|---|
| Zone | Group of assets with similar risk/security requirements | HMI zone, controller cell, historian zone |
| Conduit | Controlled communication path between zones | Firewall rule, proxy, gateway, data diode |
| Least functionality | Only required services/protocols are enabled | Disable unused ports and services |
| Default deny | Block unless explicitly allowed | Stronger than broad allow rules |
| Trust boundary | Point where security assumptions change | IT/OT boundary, vendor access, cloud bridge |
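Zones, conduits and default deny are easier to reason about as a policy you can evaluate. The following added example (not part of this reference or any product) models Purdue-style zones as address ranges and the conduits permitted between them, then checks sample flows under default deny; the enterprise-to-controller flow is the "IT host communicating with Level 1/2" case that indicates a segmentation failure. Every zone name, subnet, port and conduit is a constructed assumption for illustration.

```python
"""Default-deny zone/conduit evaluation for IT/OT traffic.

Added example, not part of the SOT-001 reference or any vendor product. It
models Purdue-style zones as address ranges and the conduits permitted between
them, then evaluates sample flows with default deny. Every zone, subnet, port
and conduit below is a constructed assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed zone map (name -> address range). Levels are Purdue references.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "enterprise":   ipaddress.ip_network("10.10.0.0/16"),  # Level 4
    "idmz":         ipaddress.ip_network("10.20.0.0/24"),  # Level 3.5
    "site_ops":     ipaddress.ip_network("10.30.0.0/24"),  # Level 3 (historian, OT AD)
    "control_cell": ipaddress.ip_network("10.40.0.0/24"),  # Levels 1-2 (PLC, HMI, EWS)
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    purpose: str  # a conduit exists for a documented reason, never "any-any"


# Constructed conduit list: the only zone-to-zone flows that are permitted.
CONDUITS = (
    Conduit("enterprise", "idmz", "tcp", 443, "enterprise reads historian replica"),
    Conduit("site_ops", "idmz", "tcp", 443, "historian pushes data to DMZ replica"),
    Conduit("site_ops", "control_cell", "tcp", 502, "historian polls controllers (Modbus/TCP)"),
    Conduit("idmz", "control_cell", "tcp", 3389, "jump host RDP to engineering workstation"),
)


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it falls outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for one flow under default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.port) == (src_zone, dst_zone, proto.lower(), port):
            return "allow", f"conduit: {c.purpose}"
    return "deny", f"no conduit from {src_zone} to {dst_zone} on {proto}/{port}"


# Constructed sample flows; the third is the "IT host talking to Level 1/2" case.
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443),   # enterprise -> DMZ replica
    ("10.30.0.5", "10.40.0.50", "tcp", 502),    # historian -> PLC poll
    ("10.10.5.20", "10.40.0.50", "tcp", 502),   # enterprise -> PLC: must be denied
    ("10.20.0.10", "10.40.0.20", "tcp", 22),    # jump host -> EWS over SSH: no conduit
    ("192.168.1.9", "10.40.0.50", "tcp", 502),  # source outside every zone
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(*flow)
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {verdict:5} ({reason})")
```

Running the same evaluator over firewall logs of zone-crossing traffic is a simple way to validate segmentation: any flow the live firewall allowed but this policy denies is a rule that needs review.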
Identity, Access, and Remote Access
| Topic | Correct approach | Common wrong answer |
|---|---|---|
| Operator access | Role-based access tied to duties | Everyone uses the same HMI admin login |
| Engineering access | Named accounts, approval, MFA/PAM, logging | Shared engineering account with no session trail |
| Break-glass access | Documented, monitored, tested emergency account | Untracked permanent local admin |
| Service accounts | Least privilege, noninteractive where possible, rotation plan | Domain admin service accounts |
| Vendor access | Time-bound, approved, jump host, session recording | Persistent VPN into OT subnet |
| Passwords on legacy systems | Compensating controls if modern auth is unavailable | Ignoring because the asset is “inside OT” |
| Privileged access | Just-in-time or checked-out credentials | Standing broad privileges |
| Deprovisioning | Remove access after role/vendor change | Orphaned accounts on HMIs and engineering tools |
Monitoring and Detection Reference
Data Sources
| Source | What it reveals | Notes |
|---|---|---|
| OT NDR/IDS | Asset inventory, protocol commands, unusual traffic | Prefer passive collection in sensitive networks |
| Firewall logs | Zone-crossing traffic, denied attempts | Useful for segmentation validation |
| HMI logs | Operator actions and failed logins | May require vendor-specific collection |
| Engineering workstation logs | Programming activity, tool usage | High-value detection source |
| PLC/controller events | Mode changes, downloads/uploads, faults | Collection varies by vendor/device |
| Historian logs | Data access patterns, abnormal queries | Good IT/OT bridge visibility |
| Windows/Linux logs | Authentication, process, service, endpoint events | Correlate with OT events |
| EDR/AV | Malware and endpoint behavior | Validate compatibility before deployment |
| NetFlow/metadata | Communication patterns | Less detail than packet capture |
| Packet capture | Deep forensic analysis | Storage and privacy planning needed |
| Physical access logs | Badge/cabinet access | Correlate cyber events with local activity |
High-Value Detection Scenarios
| Detection | Possible meaning | First validation step |
|---|---|---|
| New device on OT network | Rogue laptop, replacement asset, vendor tool | Check asset inventory and change tickets |
| PLC write from non-engineering host | Unauthorized control action | Confirm source, user, change window |
| Engineering workstation connecting externally | Malware, vendor tool, misconfiguration | Review approved remote access paths |
| HMI login failures | Credential attack or operator issue | Identify account/source and timing |
| Controller mode change | Maintenance, fault, or malicious action | Confirm with operations |
| Unusual protocol function codes | Reconnaissance or manipulation | Map function to asset role |
| IT host communicating with Level 1/2 | Segmentation failure | Review firewall and routing path |
| Historian exporting unusual volume | Data exfiltration or reporting job | Confirm scheduled jobs and destination |
| Time sync change | Timeline/evidence impact, device misbehavior | Verify NTP/PTP source and scope |
| USB execution on HMI | Removable media infection risk | Isolate per procedure and preserve evidence |
Example Detection Logic
```text
IF industrial_protocol_write
AND source NOT IN approved_engineering_workstations
AND destination IN controller_assets
THEN severity = high
AND action = validate_change_window + notify_OT_operations

IF new_asset_seen
AND zone == control_network
AND asset NOT IN approved_inventory
THEN severity = medium_or_high
AND action = identify_owner + check_physical_location + restrict_if_unapproved

IF remote_access_session
AND user_type == vendor
AND no_ticket_or_approval
THEN severity = high
AND action = suspend_session + notify_access_owner + review_recording
```
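The three rules above as runnable checks, added here as an example that is not code from this reference or from any product. Host addresses, the approved-workstation, controller and inventory sets, and the ticket ids are constructed stand-ins for a real asset inventory and access-approval system; the split of "medium_or_high" into medium versus high is an assumption made for the example.

```python
"""The three reference detection rules as runnable checks.

Added example, not code from the SOT-001 reference or any product. It turns
the IF/AND/THEN pseudocode into functions that run over a small list of
constructed events. Addresses, inventories and ticket ids are constructed
assumptions standing in for a real asset inventory and approval system.
"""
from dataclasses import dataclass, field
from typing import List, Optional

APPROVED_ENGINEERING_WORKSTATIONS = {"10.40.0.20"}
CONTROLLER_ASSETS = {"10.40.0.50", "10.40.0.51"}
APPROVED_INVENTORY = {"10.40.0.20", "10.40.0.30", "10.40.0.50", "10.40.0.51"}
CONTROL_ZONES = {"control_network"}


@dataclass
class Event:
    kind: str                     # "protocol_write" | "new_asset" | "remote_session"
    src: str = ""
    dst: str = ""
    zone: str = ""
    user_type: str = ""
    ticket: Optional[str] = None  # approval/change ticket reference, if any


@dataclass
class Finding:
    rule: str
    severity: str
    actions: List[str] = field(default_factory=list)
    event: Optional[Event] = None


def unauthorized_controller_write(e: Event) -> Optional[Finding]:
    if (e.kind == "protocol_write"
            and e.src not in APPROVED_ENGINEERING_WORKSTATIONS
            and e.dst in CONTROLLER_ASSETS):
        return Finding("unauthorized_controller_write", "high",
                       ["validate_change_window", "notify_OT_operations"], e)
    return None


def unapproved_asset(e: Event) -> Optional[Finding]:
    if (e.kind == "new_asset"
            and e.zone in CONTROL_ZONES
            and e.src not in APPROVED_INVENTORY):
        # Assumption for "medium_or_high": high once the unknown device is already
        # talking to a controller, medium if it has only appeared on the network.
        sev = "high" if e.dst in CONTROLLER_ASSETS else "medium"
        return Finding("unapproved_asset", sev,
                       ["identify_owner", "check_physical_location", "restrict_if_unapproved"], e)
    return None


def vendor_session_without_approval(e: Event) -> Optional[Finding]:
    if e.kind == "remote_session" and e.user_type == "vendor" and not e.ticket:
        return Finding("vendor_session_without_approval", "high",
                       ["suspend_session", "notify_access_owner", "review_recording"], e)
    return None


RULES = (unauthorized_controller_write, unapproved_asset, vendor_session_without_approval)


def evaluate(events: List[Event]) -> List[Finding]:
    """Run every rule over every event and collect the findings in order."""
    return [f for e in events for rule in RULES if (f := rule(e)) is not None]


# Constructed sample events: three should fire, three should not.
SAMPLE_EVENTS = [
    Event("protocol_write", src="10.40.0.20", dst="10.40.0.50"),                     # approved EWS
    Event("protocol_write", src="10.10.5.20", dst="10.40.0.50"),                     # enterprise host writes PLC
    Event("new_asset", src="10.40.0.77", dst="10.40.0.51", zone="control_network"),  # unknown device
    Event("new_asset", src="10.40.0.30", zone="control_network"),                    # inventoried device
    Event("remote_session", user_type="vendor", ticket=None),                        # no approval
    Event("remote_session", user_type="vendor", ticket="CHG-0042"),                  # approved session
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.rule}: {', '.join(f.actions)}")
```

Note that every action is a validation or notification step rather than an automatic block: the rules surface the event, and operations decide the containment, which is the coordination point the reference stresses throughout.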
Vulnerability, Patch, and Change Management
| Activity | IT-style instinct | OT-safe approach |
|---|---|---|
| Vulnerability scanning | Run authenticated scans broadly | Use passive discovery first; test active scans in lab |
| Patch deployment | Patch quickly after release | Risk-rank, test, schedule maintenance, define rollback |
| Unsupported OS | Replace immediately | Segment, allowlist, restrict access, plan lifecycle replacement |
| Firmware updates | Apply to all devices | Validate vendor guidance, test device/process impact |
| Config changes | Admin applies directly | Use change ticket, peer review, backup, rollback |
| Emergency fix | Expedite normal process | Still document approval, risk, and recovery plan |
| Penetration testing | Test live production | Scope carefully; avoid unsafe actions on controllers |
| Baseline drift | Ignore small changes | Compare against approved golden configs |
Vulnerability Triage
| Factor | Raises priority when… |
|---|---|
| Exploitability | Public exploit, remote access, no authentication |
| Exposure | Asset reachable from less trusted zone |
| Criticality | Controls safety, production, or essential service |
| Compensating controls | Weak or absent segmentation/monitoring |
| Patch feasibility | Patch is tested and low-risk |
| Active indicators | Exploitation attempts or suspicious behavior observed |
Incident Response in OT Environments
OT Incident Workflow
```mermaid
flowchart TD
A[Alert or report] --> B[Validate asset and process context]
B --> C{Safety impact?}
C -->|Yes| D[Engage operations/safety lead immediately]
C -->|No| E[Continue technical triage]
D --> F[Stabilize process if needed]
E --> G[Scope affected assets and network paths]
F --> G
G --> H{Containment could disrupt process?}
H -->|Yes| I[Plan containment with OT operations]
H -->|No| J[Apply approved containment]
I --> J
J --> K[Preserve evidence and logs]
K --> L[Eradicate, recover, validate]
L --> M[Lessons learned and control updates]
```
Phase-by-Phase Reference
| Phase | OT-specific actions | Avoid |
|---|---|---|
| Preparation | Asset inventory, contact tree, offline backups, incident playbooks, tabletop exercises | Waiting until an incident to identify process owners |
| Identification | Validate alerts with process context and change windows | Treating every anomaly as malicious without operations input |
| Containment | Isolate affected paths, disable accounts, block unauthorized commands | Powering off controllers without approval |
| Eradication | Remove malware, close access path, rotate credentials, correct misconfigurations | Reconnecting before root cause is addressed |
| Recovery | Restore known-good configs, validate logic, monitor process stability | Assuming IT system recovery equals process recovery |
| Lessons learned | Update detections, firewall rules, access procedures, inventory | Closing ticket without control improvement |
Containment Decision Table
| Situation | Preferred containment | Why |
|---|---|---|
| Stolen vendor credential | Disable account/session, rotate secrets, review recordings | Stops access without disrupting controllers |
| Unauthorized PLC write in progress | Coordinate with operations; block source path if safe | Prevents further manipulation while managing process risk |
| Malware on engineering workstation | Remove from network, preserve image/logs, use clean workstation | Protects controller programming environment |
| Rogue device in OT switch | Identify port/location, disable or quarantine if approved | Limits unknown access |
| Compromised historian replica in DMZ | Isolate DMZ host, preserve data, protect upstream OT links | Prevents pivot into OT |
| Ransomware on HMI | Isolate endpoint, maintain safe operation via alternate interface if available | Avoids uncontrolled shutdown |
Backup, Recovery, and Resilience
| Item to back up | Why it matters | Exam note |
|---|---|---|
| PLC logic | Restores controller behavior | Verify version and checksum where supported |
| HMI project files | Restores operator screens/control mappings | Keep vendor/tool version compatibility |
| Engineering workstation image | Restores trusted programming environment | Store offline or immutable copy |
| Network device configs | Restores segmentation/routing | Include firewalls, switches, remote access gateways |
| Historian data/config | Supports operations and investigation | Separate operational data from configuration |
| Identity/config databases | Restores access services | Protect privileged secrets |
| Firmware/software installers | Required for legacy recovery | Maintain license and compatibility records |
| Runbooks | Guides safe restart | Must be accessible during outages |
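Two rows in this reference call for the same mechanism: verifying the version and checksum of backed-up PLC logic, and comparing current configurations against approved golden configs to catch baseline drift. The following added example (not code from this reference or any vendor tool) builds a SHA-256 manifest for an approved set of files and classifies a later snapshot as ok, modified, missing or unexpected. File names and contents are constructed; in practice the inputs are the exports produced by the engineering tool and the device configuration backups.

```python
"""Golden-configuration drift check using SHA-256 manifests.

Added example, not code from the SOT-001 reference or any vendor tool. It
builds a manifest of SHA-256 digests for an approved set of files (PLC logic
exports, HMI projects, firewall configs) and compares a current snapshot
against it. File names and contents are constructed for illustration.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable

Manifest = Dict[str, str]  # file name -> hex SHA-256 digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Compute the approved digest for every file in the golden set."""
    return {name: sha256_hex(content) for name, content in files.items()}


def detect_drift(golden: Manifest, current: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each file: ok, modified, missing (golden only) or unexpected (current only)."""
    status: Dict[str, str] = {}
    for name, expected in golden.items():
        if name not in current:
            status[name] = "missing"
        elif sha256_hex(current[name]) != expected:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in current:
        if name not in golden:
            status[name] = "unexpected"
    return status


def load_tree(directory: str, patterns: Iterable[str] = ("*",)) -> Dict[str, bytes]:
    """Read files under a directory into the name -> bytes form the functions above use."""
    root = Path(directory)
    return {str(p.relative_to(root)): p.read_bytes()
            for pat in patterns for p in root.rglob(pat) if p.is_file()}


# Constructed golden set, as approved through change control.
GOLDEN_FILES = {
    "plc01/logic_v12.xml": b"<constructed-logic-export version='12'/>",
    "hmi01/project.bin": b"constructed HMI project bytes",
    "fw-ot-01/running.cfg": b"interface Gi0/1\n description to-control-cell\n!\naccess-list 110 deny ip any any\n",
}
GOLDEN_MANIFEST = build_manifest(GOLDEN_FILES)

# Constructed current snapshot: the firewall's final deny became a permit, an
# unapproved logic export appeared, and the HMI project backup is gone.
CURRENT_FILES = {
    "plc01/logic_v12.xml": GOLDEN_FILES["plc01/logic_v12.xml"],
    "fw-ot-01/running.cfg": GOLDEN_FILES["fw-ot-01/running.cfg"].replace(b"deny ip any any", b"permit ip any any"),
    "plc01/logic_v13.xml": b"<constructed-logic-export version='13'/>",
}

if __name__ == "__main__":
    for name, state in sorted(detect_drift(GOLDEN_MANIFEST, CURRENT_FILES).items()):
        print(f"{state:10} {name}")
```

A hash manifest proves integrity, not authenticity: anyone who can edit the manifest can re-approve a change, so the golden manifest itself belongs in the offline or immutable backup set, and changes to it go through the same change control as the files it describes.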

| Concept | Meaning | Trap |
|---|---|---|
| RTO | Maximum tolerable recovery time | Short RTO requires tested procedures, not just backups |
| RPO | Maximum tolerable data loss | Frequent backups alone do not guarantee restore success |
| Immutable backup | Backup that cannot be modified for a retention period | Still needs restore testing |
| Offline backup | Disconnected from normal network | Useful against ransomware |
| Golden image | Known-good system image/config | Must be updated through change control |
| High availability | Reduces service interruption | Not a substitute for backups |
| Disaster recovery | Restores after major failure | Must include OT process dependencies |
Risk, Governance, and Safety
| Term | Practical meaning | SOT-001 distinction |
|---|---|---|
| Threat | Potential cause of harm | Ransomware group, insider, malware, vendor compromise |
| Vulnerability | Weakness that can be exploited | Unpatched HMI, default password, open protocol |
| Risk | Likelihood and impact of threat exploiting vulnerability | OT impact includes safety, production, environment |
| Control | Safeguard reducing risk | Firewall, MFA, allowlisting, monitoring |
| Residual risk | Risk remaining after controls | Must be accepted by appropriate owner |
| Compensating control | Alternative safeguard when ideal control is impractical | Segmenting an unpatchable controller |
| Risk register | Tracked list of risks, owners, treatment plans | Should include OT asset criticality |
| BIA | Business impact analysis | Identifies process and operational dependencies |
| MOC | Management of change | Prevents unsafe or undocumented modifications |
Common Framework Concepts
| Concept | Use | Exam-safe framing |
|---|---|---|
| ISA/IEC 62443 zones and conduits | OT segmentation and security levels | Common OT security architecture model |
| NIST CSF functions | Identify, Protect, Detect, Respond, Recover | Useful lifecycle structure |
| CIS Controls | Prioritized security safeguards | Adapt implementation for OT constraints |
| MITRE ATT&CK for ICS | Adversary tactics/techniques in ICS | Helps map detections and gaps |
| Policies, standards, procedures | Governance hierarchy | Policy says what; procedure says how |
| Audit evidence | Proof controls operate | Logs, approvals, configs, training records |
Cryptography and Secure Communications
| Control | Use | OT caveat |
|---|---|---|
| TLS | Encrypts/authenticates transport | Legacy devices may need gateway/proxy support |
| Certificates | Device/user/service identity | Requires lifecycle management and revocation plan |
| Hashing | Integrity verification | Does not provide confidentiality |
| Digital signatures | Authenticity and integrity | Useful for firmware/software validation |
| Encryption at rest | Protects stored data | Key storage is critical |
| Encryption in transit | Protects data on the wire | Does not authorize commands by itself |
| VPN | Encrypted tunnel | Must still enforce least privilege and logging |
| PKI | Certificate trust infrastructure | Operational complexity and expiry risk |
| Secure boot | Verifies trusted startup components | Hardware/firmware support required |
| Key rotation | Limits long-term credential exposure | Coordinate with uptime requirements |
Physical and Environmental Security
| Area | Security relevance | Practical controls |
|---|---|---|
| Control cabinets | Direct access to controllers and wiring | Locks, tamper seals, access logs |
| Plant floor ports | Rogue device risk | Port security, NAC where compatible, disabled unused ports |
| Maintenance laptops | Bridge between networks | Hardened build, scanning, restricted admin rights |
| Removable media | Malware transfer path | Approved media, scanning kiosk, logging |
| Remote sites | Limited staffing and physical exposure | Tamper monitoring, secure enclosures, cellular/VPN controls |
| Environmental systems | Can affect safety and uptime | Monitor HVAC, power, UPS, fire suppression |
| Cameras/badges | Correlate physical and cyber events | Retain logs according to policy |
| Visitors/vendors | Temporary elevated risk | Escort, approval, least access, session tracking |
Cloud, IIoT, and Enterprise Integration
| Requirement | Better pattern | Risky pattern |
|---|---|---|
| Send production metrics to cloud | Historian replica or broker in DMZ | PLC publishes directly to internet |
| Vendor analytics | Scoped API/data feed | Vendor VPN to broad OT subnet |
| Remote monitoring | Read-only path with authentication and logging | Shared credentials on dashboard |
| IIoT onboarding | Certificate-based identity and inventory | Default passwords and unmanaged firmware |
| Enterprise reporting | Replicated data source | Direct queries into OT database/control systems |
| Secure API access | API gateway, auth, rate limits, logging | Exposed unauthenticated endpoint |
| Edge processing | Hardened gateway, restricted outbound traffic | General-purpose unmanaged edge box |
Troubleshooting and Exam Decision Traps
| Symptom/question cue | Likely answer direction | Trap answer |
|---|---|---|
| Need to identify assets without disrupting production | Passive discovery | Aggressive active scan |
| Controller is vulnerable but cannot be patched | Segment, monitor, restrict access | Ignore vulnerability |
| Vendor needs emergency access | Time-bound MFA/PAM through jump host | Permanent firewall opening |
| Data must flow from OT to IT only | One-way gateway/data diode | Bidirectional VPN |
| Operator account shared by all shifts | Named accounts or compensating accountability | Keep shared admin for convenience |
| Ransomware in enterprise IT | Check IT/OT segmentation and remote access paths | Assume OT is safe because it is “separate” |
| Suspicious command during maintenance window | Validate change ticket and operator approval | Immediately declare compromise |
| New OT firewall rule request | Allow only required source, destination, port/protocol, time | Any-any rule for troubleshooting |
| Unexplained process change | Correlate cyber logs with operations and physical access | Review only Windows endpoint logs |
| Legacy HMI needs hardening | Allowlisting, restricted services, backups | Install untested endpoint tools directly in production |
Quick Memorization Tables
Authentication, Authorization, Accounting
| AAA element | Meaning | OT example |
|---|---|---|
| Authentication | Proves identity | MFA for engineer login |
| Authorization | Grants allowed actions | Engineer can program PLC; operator can view/control HMI |
| Accounting | Records activity | Session recording and command logs |
Control Types
| Type | Purpose | Example |
|---|---|---|
| Preventive | Stop event before it occurs | Firewall rule, MFA, locked cabinet |
| Detective | Identify event | OT IDS, SIEM alert, camera |
| Corrective | Restore or fix | Backup restore, patch, reimage |
| Deterrent | Discourage action | Warning banner, visible cameras |
| Compensating | Alternative risk reduction | Segmenting unsupported controller |
| Administrative | People/process control | Policy, training, change approval |
| Technical | System-enforced control | ACL, encryption, allowlisting |
| Physical | Physical protection | Badge access, cabinet locks |
IDS, IPS, SIEM, SOAR, NDR
| Tool | Primary function | OT use |
|---|---|---|
| IDS | Detect suspicious activity | Passive alerting on industrial commands |
| IPS | Block traffic inline | Use cautiously where blocking can affect process |
| SIEM | Central log correlation | Cross-correlate OT, IT, identity, firewall logs |
| SOAR | Automate workflows | Automate enrichment/ticketing; be careful with auto-containment |
| NDR | Network detection and response | Build asset/traffic baselines and detect anomalies |
Final SOT-001 Review Checklist
- Know why OT security prioritizes safety, availability, and process integrity.
- Map common assets to roles: PLC, RTU, HMI, SCADA, DCS, historian, engineering workstation, SIS.
- Choose industrial DMZ, jump host, PAM, MFA, and session logging for controlled IT/OT and vendor access.
- Prefer passive discovery and OT-aware monitoring before active scanning.
- Treat unauthorized controller writes, new devices, and unexpected remote access as high-value alerts.
- Use risk-based patching with testing, maintenance windows, backups, and rollback.
- Protect legacy systems with segmentation, allowlisting, restricted services, and compensating controls.
- Never choose an incident response action that ignores operations, safety, or process state.
- Distinguish backup, HA, DR, RTO, RPO, immutable backup, and golden image.
- For cloud/IIoT integration, prefer brokered, outbound, authenticated, logged data flows over direct OT exposure.
Practical Next Step
Use this Quick Reference as a checklist, then complete a timed CompTIA SecOT+ V1 (SOT-001) practice set. For every missed question, tag the reason: architecture, protocol, identity, monitoring, vulnerability management, incident response, recovery, or risk. Then revisit the matching table above before your next practice round.