Focused on the cybersecurity needs of industrial and operational technology environments, this practice exam measures the candidate’s skills in OT device discovery, ICS protocol parsing, network traffic monitoring, and identifying cyber-physical system vulnerabilities. It includes scenarios on risk scoring for OT assets, threat detection in PLCs, SCADA systems, and HMIs, segmentation analysis, anomaly detection, and secure OT network architecture design. Candidates are evaluated on using Tenable OT Security to reduce downtime, interpret OT threat intelligence, and integrate IT–OT security workflows.
Typology: Exams
Question 1. Which layer of the Purdue Model is primarily responsible for supervisory control and data acquisition (SCADA) functions?
A) Level 0 – Device
B) Level 1 – Control
C) Level 2 – Supervisory
D) Level 3 – Operations Management
Answer: C
Explanation: Level 2 of the Purdue model hosts SCADA systems that aggregate data from PLCs and provide operator interfaces.

Question 2. In IEC 62443 terminology, what does the term “zones” refer to?
A) Physical locations of servers
B) Logical groupings of assets with similar security requirements
C) Separate VLANs for IT traffic only
D) The demilitarized zone (DMZ) between OT and IT networks
Answer: B
Explanation: Zones are logical groupings of assets that share security policies and risk profiles, enabling tailored protection.

Question 3. Which protocol is most commonly associated with Modbus TCP communications?
A) UDP port 161
B) TCP port 502
C) TCP port 44818
D) UDP port 502
Answer: B
Explanation: Modbus TCP uses TCP port 502 for client-server communication.

Question 4. When deploying Tenable Core + OT Security as a virtual appliance, which hypervisor is NOT officially supported?
A) VMware ESXi
B) Microsoft Hyper-V
C) Oracle VirtualBox
D) Amazon Web Services (AWS) EC
Answer: C
Explanation: VirtualBox is not listed among the supported platforms for production deployments.

Question 5. What is the primary advantage of using a network TAP over a SPAN port for OT traffic capture?
A) TAPs require no configuration changes on switches
B) TAPs can filter traffic by protocol
C) TAPs provide higher bandwidth than SPAN ports
D) TAPs encrypt captured data automatically
Answer: A
Explanation: TAPs are passive devices that mirror traffic without altering switch configurations, minimizing the risk of packet loss.

Question 6. Which of the following is a required license component to enable the Industrial Control Platform (ICP) in Tenable OT Security?
A) Tenable.io Cloud License
B) Tenable.sc License
Question 9. Which of the following best describes Deep Packet Inspection (DPI) in Tenable OT Security’s passive detection?
A) Blocking all traffic that does not match a whitelist
B) Analyzing packet payloads to identify device type, vendor, and firmware version
C) Performing cryptographic decryption of TLS traffic
D) Generating synthetic traffic to test device responses
Answer: B
Explanation: DPI inspects payloads to extract detailed asset information without actively probing devices.

Question 10. Which Tenable OT Security component stores configuration backups and can restore them on demand?
A) Sensor Appliance
B) Tenable Core
C) ICP Analytics Engine
D) OT Security Console
Answer: B
Explanation: Tenable Core maintains system configuration backups and provides restore capabilities.

Question 11. When configuring firewall rules for Tenable OT Security sensors, which inbound port must be opened to allow sensor registration with the Core?
A) TCP 443
B) UDP 123
C) TCP 8080
D) TCP 8443
Answer: D
Explanation: Sensors communicate with the Core over TCP 8443 for registration and data transfer.

Question 12. Which OT protocol uses a master-slave architecture and typically operates on port 20000 UDP?
A) Modbus RTU
B) DNP
C) IEC 60870-5-104
D) OPC Classic
Answer: C
Explanation: IEC 60870-5-104 (often called IEC 104) uses UDP 20000 for master-slave communication.

Question 13. What does Vulnerability Priority Rating (VPR) consider when ranking OT asset vulnerabilities?
A) Asset criticality, exploitability, and CVSS score
B) Number of open ports only
C) Age of the device firmware
D) Geographic location of the device
Answer: A
Explanation: VPR combines asset importance, exploitability, and CVSS to prioritize remediation.

Question 14. Which scenario is most appropriate for using an active query in Tenable OT Security?
A) Continuous passive monitoring of network traffic
Question 17. Which user role in Tenable Core typically has permissions to create and edit security policies but cannot delete the Core instance?
A) Administrator
B) Auditor
C) Policy Manager
D) Read-Only Viewer
Answer: C
Explanation: The Policy Manager role is scoped to policy creation/modification while restricting destructive actions.

Question 18. Multi-Factor Authentication (MFA) for Tenable Core can be implemented using which of the following methods?
A) IP address whitelisting only
B) Time-based One-Time Password (TOTP) apps
C) Plain text passwords stored locally
D) Single sign-on (SSO) without additional factors
Answer: B
Explanation: TOTP apps (e.g., Google Authenticator) provide the second factor required for MFA.

Question 19. Which integration allows Tenable OT Security events to be forwarded to a SIEM for correlation with IT security data?
A) Tenable.sc API
B) Syslog forwarder
C) Direct database export
D) FTP file transfer
Answer: B
Explanation: Syslog forwarding is the standard method for sending OT events to SIEM platforms.

Question 20. What is the recommended action when a sensor reports “passive capture loss” due to high traffic volume?
A) Increase the sensor’s CPU allocation
B) Deploy an additional TAP or SPAN port to share the load
C) Disable all other sensors on the network
D) Reboot the Tenable Core appliance
Answer: B
Explanation: Adding another capture point distributes traffic, reducing loss on a single sensor.

Question 21. Which OT protocol is known for using “function codes” to request read or write operations?
A) DNP
B) Modbus
C) OPC UA
D) PROFINET
Answer: B
Explanation: Modbus uses function codes (e.g., 03 for read holding registers) to define operations.

Question 22. When performing an active query on a device, which authentication method is most secure?
A) Plaintext username/password transmitted over HTTP
B) SSH key-based authentication
A) MAC address
B) Device hostname
C) Firmware checksum
D) Operating system version
Answer: C
Explanation: DPI generally cannot compute firmware checksums; it extracts metadata visible in traffic.

Question 26. What is the primary purpose of a “policy category” in Tenable OT Security?
A) To group similar events for reporting
B) To define a set of rules addressing a specific security concern (e.g., access control)
C) To assign user roles automatically
D) To schedule sensor firmware upgrades
Answer: B
Explanation: Policy categories organize related security rules for easier management.

Question 27. Which Tenable product provides converged IT and OT visibility when integrated with Tenable OT Security?
A) Tenable.io
B) Tenable.sc (Security Center)
C) Tenable Lumin
D) Tenable Cloud Security
Answer: B
Explanation: Tenable.sc aggregates both IT and OT data for unified dashboards.
Question 28. When troubleshooting a sensor that cannot reach the Tenable Core, which log file is most useful?
A) /var/log/syslog on the sensor
B) /var/log/tenable/core.log on the Core
C) /etc/hosts on the Core
D) /opt/tenable/sensor/debug.log on the sensor
Answer: D
Explanation: The sensor’s debug log contains connectivity error details.

Question 29. Which of the following is a recommended practice for managing disk space on Tenable Core?
A) Disable all logs to save space
B) Configure automatic log rotation and retention policies
C) Store raw packet captures indefinitely on the root partition
D) Increase the size of the swap file instead of adding storage
Answer: B
Explanation: Log rotation removes old entries while preserving recent data, maintaining disk health.

Question 30. Which event type would most likely be generated when a PLC begins sending Modbus commands at a rate exceeding the defined baseline?
A) Policy violation – excessive protocol usage
B) Signature-based malware detection
C) Configuration drift alert
D) Network outage notification
Answer: A
C) Disable DHCP client
D) Use a single-ended mirror port only
Answer: A
Explanation: Promiscuous mode allows the NIC to receive all frames on the segment, essential for full visibility.

Question 34. Which of the following is an example of a “behavioral anomaly” detected by Tenable OT Security?
A) A known ransomware hash match
B) Unexpected use of a rarely-used OPC UA method on an HMI
C) A missing SSL certificate on a web server
D) A scheduled firmware patch installation
Answer: B
Explanation: Unusual OPC UA method usage deviates from normal behavior, indicating a potential anomaly.

Question 35. In Tenable OT Security, what does the term “asset fingerprint” refer to?
A) The physical location of a device on the plant floor
B) A unique identifier derived from device characteristics such as vendor, model, and firmware version
C) The MAC address of a network switch port
D) The serial number printed on the device chassis
Answer: B
Explanation: An asset fingerprint aggregates identifiable attributes to uniquely represent an asset in the system.
Question 36. Which protocol is typically used to retrieve alarm and event data from a DNP master to a historian system?
A) OPC UA
B) IEC 60870-5-104
C) DNP3 Secure Authentication
D) Modbus TCP
Answer: C
Explanation: DNP3 Secure Authentication extends DNP3 for secure alarm/event transmission.

Question 37. Which of the following actions should be taken after a critical vulnerability is identified on an OT device via Tenable OT Security?
A) Immediately shut down the device
B) Follow the recommended mitigation strategy, such as applying patches or implementing compensating controls, while ensuring minimal disruption
C) Ignore the finding if the device appears to be functioning
D) Delete the device from the asset inventory to avoid false positives
Answer: B
Explanation: Mitigation balances security and operational continuity; an abrupt shutdown can cause safety incidents.

Question 38. What is the purpose of configuring “port allowances” on a firewall for Tenable OT Security components?
A) To block all inbound traffic to the OT network
B) To permit only the necessary ports for sensor-to-Core communication and protocol inspection
C) To enable NAT traversal for remote users
D) To allow unrestricted internet access for sensors
B) Incorrect or missing credentials configured in the query profile
C) The sensor is set to passive mode only
D) The PLC uses Ethernet/IP instead of Modbus
Answer: B
Explanation: Active queries require valid credentials; missing or wrong credentials cause failures.

Question 42. Which of the following statements about “configuration drift” detection is true?
A) It only applies to software version changes
B) Tenable OT Security can alert when a device’s settings differ from a known baseline configuration
C) Drift detection is performed exclusively by passive traffic analysis
D) Drift detection requires manual entry of configuration files for each device
Answer: B
Explanation: The platform compares current device settings to stored baselines and raises alerts on deviations.

Question 43. What is the recommended method for securing communication between Tenable Core and its sensors?
A) Use unencrypted HTTP for speed
B) Enable TLS with mutual certificate authentication
C) Rely solely on IP address filtering
D) Use a VPN tunnel that terminates at the sensor
Answer: B
Explanation: TLS with mutual certificates ensures confidentiality and authenticity of sensor-Core traffic.
Question 44. Which of the following best explains why “passive detection” is preferred for initial OT asset discovery?
A) It does not generate any network traffic that could impact control loops
B) It provides faster results than active scanning
C) It can automatically patch discovered devices
D) It replaces the need for any active queries
Answer: A
Explanation: Passive monitoring avoids injecting traffic, preserving the deterministic nature of OT systems.

Question 45. In Tenable OT Security, a “policy-based detection engine” differs from an “anomaly engine” in that it:
A) Uses machine learning to create baselines
B) Relies on predefined rule sets to flag known undesirable behaviors
C) Generates alerts for every packet captured
D) Only monitors user authentication events
Answer: B
Explanation: Policy-based detection uses static rules, whereas anomaly engines learn normal behavior.

Question 46. Which of the following is a key consideration when placing a sensor in a substation’s fieldbus network?
A) Ensuring the sensor can decode IEC 61850 GOOSE messages
B) Using Wi-Fi to connect the sensor to the fieldbus
C) Installing the sensor on a power-line carrier
A) Microsoft Azure
B) Amazon Web Services (AWS)
C) Google Cloud Platform (GCP)
D) IBM Cloud
Answer: D
Explanation: IBM Cloud is not listed among the officially supported deployment options.

Question 50. Which of the following best describes “sensor health monitoring” in Tenable OT Security?
A) Checking the physical temperature of the sensor chassis only
B) Verifying CPU usage, memory consumption, packet loss, and connection status to the Core
C) Measuring the sensor’s Wi-Fi signal strength
D) Monitoring the sensor’s battery level
Answer: B
Explanation: Health monitoring includes resource utilization and connectivity metrics to ensure reliable operation.

Question 51. What is the effect of enabling “auto-update” for Tenable Core firmware?
A) The system will reboot automatically every night
B) Security patches and feature updates are applied without manual intervention, reducing vulnerability exposure
C) All sensor data is deleted after each update
D) The Core will automatically downgrade to the previous version if an error occurs
Answer: B
Explanation: Auto-update keeps the platform current with the latest security fixes.
Question 52. Which of the following is a typical indicator that an active query is impacting device performance?
A) Increased CPU utilization on the Tenable Core
B) Longer response times or delayed PLC cycle times observed on the control system
C) Decrease in network bandwidth usage
D) Decrease in the number of logged events
Answer: B
Explanation: Active queries can consume device resources, causing observable latency in control loops.

Question 53. In Tenable OT Security, what does the “asset discovery confidence level” represent?
A) The probability that a discovered asset is a false positive
B) The degree of certainty based on the amount and consistency of observed traffic characteristics
C) The speed at which the asset was discovered
D) The number of active queries performed on the device
Answer: B
Explanation: Confidence levels reflect how much corroborating data supports the identified asset details.

Question 54. Which of the following is a recommended practice for handling legacy OT devices that cannot be patched?
A) Remove them from the network immediately
B) Apply compensating controls such as network segmentation, strict firewall rules, and continuous monitoring
C) Disable all logging for those devices