NETWORK SECURITY Exam
ICS-SCADA Questions V8.02
Network Security Topics - ICS/SCADA Cyber Security
EC-Council ICS-SCADA Practice Test 2024 - Achieve Success in Your Exam

1.What type of communication protocol does Modbus RTU use?
A. UDP
B. ICMP
C. Serial
D. SSTP
Answer: C
Explanation:
Modbus RTU (Remote Terminal Unit) is a communication protocol based on a master-slave
architecture that uses serial communication. It is one of the earliest
communication protocols developed for devices connected over serial lines. Modbus
RTU packets are transmitted in a binary format over serial lines such as RS-485 or
RS-232.
Reference: Modbus Organization, "MODBUS over Serial Line Specification and
Implementation Guide V1.02".
2.Which of the ICS/SCADA generations is considered monolithic?
A. Second
B. First
C. Fourth
D. Third
Answer: B
Explanation:
The first generation of ICS/SCADA systems is considered monolithic, primarily
characterized by standalone systems that had no external communications or
connectivity with other systems. These systems were typically fully self-contained,
with all components hard-wired together, and operations were managed without any
networked interaction.
Reference: U.S. Department of Homeland Security, "Recommended Practice:
Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies".
3.Which of the following components is not part of the Authentication Header (AH)?
A. Replay
B. Authentication
C. Confidentiality
D. Integrity
Answer: C
Explanation:
The Authentication Header (AH) is a component of the IPsec protocol suite that
provides authentication and integrity to the communications. AH ensures that the
contents of the communications have not been altered in transit (integrity) and verifies
the sending and receiving parties (authentication). However, AH does not provide
confidentiality, which would involve encrypting the payload data. Confidentiality is
provided by the Encapsulating Security Payload (ESP), another component of IPsec.
Reference: RFC 4302, "IP Authentication Header".
4.How many main score areas are there in the CVSS?
A. 2
B. 4
C. 3
D. None of these
Answer: C
Explanation:
The Common Vulnerability Scoring System (CVSS) is a framework for rating the
severity of security vulnerabilities. CVSS provides three main score areas: Base,
Temporal, and Environmental. Base Score evaluates the intrinsic qualities of a
vulnerability.
Temporal Score reflects the characteristics of a vulnerability that change over time.
Environmental Score considers the specific impact of the vulnerability on a particular
organization, tailoring the Base and Temporal scores according to the importance of
the affected IT asset.
Reference: FIRST, "Common Vulnerability Scoring System v3.1: Specification
Document".
5.Which of the following is NOT an exploit tool?
A. Canvas
B. Core Impact
C. Metasploit
D. Nessus
Answer: D
Explanation:
Among the options listed, Nessus is primarily a vulnerability assessment tool, not an
exploit tool. It is used to scan systems, networks, and applications to identify
vulnerabilities but does not exploit them. On the other hand, Canvas, Core Impact,
and Metasploit are exploit tools designed to actually perform attacks (safely and
legally) to demonstrate the impact of vulnerabilities.
Reference: Tenable, Inc., "Nessus FAQs".
6.When monitoring a network, you receive an ICMP type 8 packet.
What does this represent?
A. Echo request
B. Echo start
C. Echo recall
D. Echo reply
Answer: A
Explanation:
ICMP (Internet Control Message Protocol) is used in network devices, like routers, to
send error messages and operational information indicating success or failure when
communicating with another IP address.
An ICMP type 8 packet specifically is an "Echo Request." It is used primarily by the
ping command to test the connectivity between two nodes.
When a device sends an ICMP Echo Request, it expects to receive an ICMP Echo
Reply (type 0) from the target node. This mechanism helps in diagnosing the state and
reachability of a network on the Internet or within a private network.
Reference
RFC 792 Internet Control Message Protocol: https://tools.ietf.org/html/rfc792
Internet Assigned Numbers Authority (IANA) ICMP Parameters:
7.What step of the malware infection installs the malware on the target?
A. Drive-by
B. Init
C. Dropper
D. Stager
Answer: C
Explanation:
The term "Dropper" in cybersecurity refers to a small piece of software used in
malware deployment that is designed to install or "drop" malware (like viruses,
ransomware, spyware) onto the target system.
The Dropper itself is not typically malicious in behavior; however, it is used as a
vehicle to install malware that will perform malicious activities without detection.
During the infection process, the Dropper is usually the first executable that runs on a
system. It then unpacks or downloads additional malicious components onto the
system.
Reference
Common Malware Enumeration (CME): http://cme.mitre.org
Microsoft Malware Protection Center: https://www.microsoft.com/en-us/wdsi
8.The vulnerability that led to the WannaCry ransomware infections affected which
protocol?
A. Samba
B. None of these
C. RPC
D. SMB
Answer: D
Explanation:
WannaCry is a ransomware attack that spread rapidly across multiple computer
networks in May 2017.
The vulnerability exploited by the WannaCry ransomware was in the Microsoft
Windows implementation of the Server Message Block (SMB) protocol.
Specifically, the exploit, known as EternalBlue, targeted a flaw in the SMBv1 protocol.
This flaw allowed the ransomware to spread within corporate networks without any
user interaction, making it one of the fastest-spreading and most harmful cyberattacks
at the time.
Reference
Microsoft Security Bulletin MS17-010 - Critical: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
National Vulnerability Database, CVE-2017-0144:
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
9.Which of the registrars contains the information for the domain owners in Europe?
A. RIPENCC
B. AFRINIC
C. LACNIC
D. ARIN
Answer: A
Explanation:
RIPENCC (Réseaux IP Européens Network Coordination Centre) is one of the five
Regional Internet Registries (RIRs) that allocate IP addresses and manage related
resources within a specific region. Specifically, RIPENCC covers Europe, the Middle
East, and parts of Central Asia.
For domain owners, while the top-level domain (TLD) registrars handle domain
registration, the information about IP allocations and related network infrastructure
information in Europe is managed by RIPENCC.
Reference
RIPE Network Coordination Centre: https://www.ripe.net
RIPE Documentation and Information: https://www.ripe.net/manage-ips-and-asns
10.Which component of the IT Security Model is attacked with interruption?
A. Confidentiality
B. Availability
C. Authentication
D. Integrity
Answer: B
Explanation:
The IT Security Model commonly refers to the CIA Triad, which stands for
Confidentiality, Integrity, and Availability.
An attack on "Availability" is aimed at disrupting the normal functioning and access to
data or resources in a network. This type of attack can include actions such as DDoS
(Distributed Denial of Service), where overwhelming traffic is sent to a system to
make it unresponsive.
The main goal of attacks on availability is to prevent legitimate users from accessing
systems or information, which can have significant implications for business
operations and security.
Reference
Understanding the CIA Triad in Cybersecurity: https://www.cyber.gov.au/acsc/view-all-content/publications/cia-triad
Denial of Service - What it is and how to prevent it: https://www.us-cert.gov/ncas/tips/ST04-015
11.In what default directory (fully qualified path) does nmap store scripts?
A. /usr/share/scripts
B. /ust/share/nmap/scripts
C. /usr/share/nmap
D. /opt
Answer: C
Explanation:
Nmap (Network Mapper) is a network scanning and security auditing tool. Scripts
used by Nmap for performing different network discovery and security auditing tasks
are stored in /usr/share/nmap/scripts. This directory contains a collection of scripts for
NSE (Nmap Scripting Engine), which enables Nmap to perform additional networking
tasks, often used for detecting vulnerabilities, misconfigurations, and security-related
information about network services.
Reference: Nmap documentation, "Nmap Scripting Engine (NSE)".
12.Which of the registrars contains the information for the domain owners in South
America?
A. AFRINIC
B. ARIN
C. LACNIC
D. RIPENCC
Answer: C
Explanation:
LACNIC (Latin American and Caribbean Network Information Centre) is the regional
Internet registry for Latin America and parts of the Caribbean. It manages the
allocation and registration of Internet number resources (such as IP addresses and
AS numbers) within this region and maintains the registry of domain owners in South
America.
Reference: LACNIC official website, "About LACNIC".
13.Which of the hacking methodology steps can be used to identify the applications
and vendors used?
A. Enumeration
B. OSINT
C. Scanning
D. Surveillance
Answer: B
Explanation:
OSINT (Open Source Intelligence) refers to the collection and analysis of information
gathered from public, freely available sources to be used in an intelligence context. In
the context of hacking methodologies, OSINT can be used to identify applications and
vendors employed by a target organization by analyzing publicly available data such
as websites, code repositories, social media, and other internet-facing resources.
Reference: Michael Bazzell, "Open Source Intelligence Techniques".
14.Which of the following is a component of an IDS?
A. All of these
B. Respond
C. Detect
D. Monitor
Answer: A
Explanation:
An Intrusion Detection System (IDS) is designed to monitor network or system
activities for malicious activities or policy violations and can perform several functions:
Monitor: Observing network traffic and system activities for unusual or suspicious
behavior.
Detect: Identifying potential security breaches including both known threats and
unusual activities that could indicate new threats.
Respond: Executing pre-defined actions to address detected threats, which can
include alerts or triggering automatic countermeasures.
Reference: Cisco Systems, "Intrusion Detection Systems".
15.Which of the IEC 62443 Security Levels is identified by a cybercrime/hacker
target?
A. 4
B. 3
C. 1
D. 2
Answer: B
Explanation:
IEC 62443 is an international series of standards on Industrial communication
networks and system security, specifically related to Industrial Automation and
Control Systems (IACS). Within the IEC 62443 standards, Security Level 3 is defined
as protection against deliberate or specialized intrusion. It is designed to safeguard
against threats from skilled attackers (cybercriminals or hackers) targeting specific
processes or operations within the industrial control system.
Reference: International Electrotechnical Commission, "IEC 62443 Standards".
16.Which of the following was attacked using the Stuxnet malware?
A. PLCS
B. PLC3
C. All of these
D. PLC7
Answer: A
Explanation:
Stuxnet is a highly sophisticated piece of malware discovered in 2010 that specifically
targeted Supervisory Control and Data Acquisition (SCADA) systems used to control
and monitor industrial processes.
The primary targets of Stuxnet were Programmable Logic Controllers (PLCs), which
are critical components in industrial control systems.
Stuxnet was designed to infect Siemens Step7 software PLCs. It altered the operation
of the PLCs to cause physical damage to the connected hardware, famously used
against Iran's uranium enrichment facility, where it caused the fast-spinning
centrifuges to tear themselves apart.
Reference
Langner, R. "Stuxnet: Dissecting a Cyberwarfare Weapon." IEEE Security & Privacy,
May-June 2011.
"W32.Stuxnet Dossier," Symantec Corporation, Version 1.4, February 2011.
17.What is the size in bytes of the TCP sequence number in the header?
A. 2
B. 1
C. 3
D. 4
Answer: D
Explanation:
In the Transmission Control Protocol (TCP) header, the sequence number field is
crucial for ensuring the correct sequencing of the packets sent over a network.
The sequence number field in the TCP header is 32 bits long, which equates to 4
bytes.
This sequence number is used to keep track of the bytes in a sequence that are
transferred over a TCP connection, ensuring that packets are arranged in the correct
order and data integrity is maintained during transmission.
Reference
Postel, J., "Transmission Control Protocol," RFC 793, September 1981.
"TCP/IP Guide," Kozierok, C. M., 2005.
18.Which mode within IPsec provides a secure connection tunnel between two
endpoints AND protects the sender and the receiver?
A. Protected
B. Tunnel
C. Transport
D. Covered
Answer: B
Explanation:
IPsec (Internet Protocol Security) has two modes: Transport mode and Tunnel mode.
Tunnel mode is used to create a secure connection tunnel between two endpoints
(e.g., two gateways, or a client and a gateway) and it encapsulates the entire IP
packet.
This mode not only protects the payload but also the header information of the
original IP packet, thereby providing a higher level of security compared to Transport
mode, which only protects the payload.
Reference
Kent, S. and Seo, K., "Security Architecture for the Internet Protocol," RFC 4301,
December 2005.
"IPsec Services," Microsoft TechNet.
19.Which of the following can be used to view entire copies of web sites?
A. Wayback machine
B. Google Cache
C. Netcraft
D. Bing offline
Answer: A
Explanation:
The Wayback Machine is an internet service provided by the Internet Archive that
allows users to see archived versions of web pages across time, enabling them to
browse past versions of a website as it appeared on specific dates.
It captures and stores snapshots of web pages, making it an invaluable tool for
accessing the historical state of a website or recovering content that has since been
changed or deleted.
Other options like Google Cache may also show snapshots of web pages, but the
Wayback Machine is dedicated to this purpose and holds a vast archive of historical
web data.
Reference
Internet Archive: https://archive.org
"Using the Wayback Machine," Internet Archive Help Center.
20.The NIST SP 800-53 defines how many management controls?
A. 6
B. 9
C. 5
D. 7
Answer: B
Explanation:
NIST SP 800-53 is a publication that provides a catalog of security and privacy
controls for federal information systems and organizations and promotes the
development of secure and resilient federal information and information systems.
According to the NIST SP 800-53 Rev. 5, the framework defines a comprehensive set
of controls, which are divided into different families. Among these families, there are
specifically nine families categorized under management controls. These include
categories such as risk assessment, security planning, program management, and
others.
Reference
"NIST Special Publication 800-53 (Rev. 5) Security and Privacy Controls for
Information Systems and Organizations."
NIST website:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
21.Which component of the IT Security Model is attacked with masquerade?
A. Integrity
B. Availability
C. Confidentiality
D. Authentication
Answer: D
Explanation:
A masquerade attack involves an attacker pretending to be an authorized user of a
system, thus compromising the authentication component of the IT security model.
Authentication ensures that the individuals accessing the system are who they claim
to be. By masquerading as a legitimate user, an attacker can bypass this security
measure and gain unauthorized access to the system.
Reference: William Stallings, "Security in Computing".
22.Which component of the IT Security Model is attacked with modification?
A. Authentication
B. Availability
C. Integrity
D. Confidentiality
Answer: C
Explanation:
Modification attacks directly impact the integrity of data within the IT Security Model.
Integrity ensures that information is accurate and unchanged from its original form
unless altered by authorized means. An attack that involves modification manipulates
data in unauthorized ways, thereby compromising its accuracy and reliability.
Reference: Shon Harris, "CISSP Certification: All-in-One Exam Guide".
23.Which of the following is required to determine the correct Security Association?
A. SPI
B. Partner IP address
C. Protocol
D. All of these
Answer: D
Explanation:
To determine the correct Security Association (SA) in the context of IPsec, several
elements are required:
SPI (Security Parameter Index): Uniquely identifies the SA.
Partner IP address: The address of the endpoint with which the SA is established.
Protocol: Specifies the type of security protocol used (e.g., AH or ESP).
All these components collectively define and identify a specific SA for secure
communication between parties.
Reference: RFC 4301, "Security Architecture for the Internet Protocol".
24.What share does the WannaCry ransomware use to connect with the target?
A. $IPC
B. $Admin
C. $SPOOL
D. $C
Answer: A
Explanation:
The WannaCry ransomware utilizes the $IPC (Inter-Process Communication) share to
connect with and infect target machines. This hidden network share supports the
operation of named pipes, which facilitates the communication necessary for
WannaCry to execute its payload across networks.
Reference: CISA Analysis Report, "WannaCry Ransomware".
WannaCry ransomware uses the SMB (Server Message Block) protocol to propagate
through networks and connect to target systems. Specifically, it exploits a vulnerability
in SMBv1, known as EternalBlue (MS17-010).
IPC Share: The $IPC (Inter-Process Communication) share is a hidden administrative
share used for inter-process communication. WannaCry uses this share to gain
access to other machines on the network.
SMB Exploitation: By exploiting the SMB vulnerability, WannaCry can establish a
connection to the $IPC share, allowing it to execute the payload on the target
machine.
Propagation: Once connected, it deploys the DoublePulsar backdoor and then
spreads the ransomware payload.
Given these details, the correct answer is $IPC.
Reference
"WannaCry Ransomware Attack," Wikipedia, WannaCry.
"MS17-010: Security Update for Windows SMB Server," Microsoft, MS17-010.
25.What is the size of the AH in bits with respect to width?
A. 24
B. 43
C. 16
D. 32
Answer: D
Explanation:
The Authentication Header (AH) in the context of IPsec has a fixed header portion of
24 bits and a mutable part that can vary, but when considering the fixed structure of
the AH itself, the width is typically considered to be 32 bits at its core structure for
basic operations in providing integrity and authentication, without confidentiality.
Reference: RFC 4302, "IP Authentication Header".