Protecting Production-Critical SCADA Systems: Maximizing Security against Malicious Software

Secure SCADA Supervisory Systems


Question

An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30-day patching policy.

Which of the following BEST maximizes the protection of these systems from malicious software?

Answers

Explanations


C.

The scenario described in the question involves production-critical SCADA (Supervisory Control and Data Acquisition) systems that cannot be patched in accordance with the organization's normal 30-day patching policy. The question asks which option would BEST maximize protection from malicious software for these systems.

A. Configure a firewall with deep packet inspection that restricts traffic to the systems. This option involves setting up a firewall with deep packet inspection that restricts traffic to the SCADA systems. Deep packet inspection analyzes and filters network traffic based on the contents of the packets rather than only their headers. While this can provide some level of protection, it is not the BEST option in this scenario, because the systems may still be exposed to attacks that originate from within the network, such as an infected device on the same network segment that the firewall does not sit between. Additionally, if the SCADA systems require communication with other systems, deep packet inspection may interfere with legitimate traffic.

B. Configure a separate zone for the systems and restrict access to known ports. This option involves creating a separate network zone for the SCADA systems and restricting access to known ports. This approach can effectively isolate the systems from the rest of the network, minimizing the risk of attacks from other devices. Additionally, by limiting access to known ports, the organization reduces the network-facing attack surface of the SCADA systems. This is a good option for this scenario and is a recommended approach for protecting critical infrastructure.

C. Configure the systems to ensure only necessary applications are able to run. This option involves configuring the SCADA systems to allow only necessary applications to run (application allowlisting). By restricting the ability to execute arbitrary code, this approach can limit the damage that malware can cause. However, it may not be sufficient to protect against all types of attacks, particularly those that exploit vulnerabilities in the legitimate software that is still permitted to run.

D. Configure the host firewall to ensure only the necessary applications have listening ports. This option involves configuring the host firewall on the SCADA systems so that only necessary applications have listening ports. This approach can be effective in limiting the attack surface of the SCADA systems. However, it may not provide sufficient protection against attacks that exploit vulnerabilities in the legitimate software that still listens on those ports.

In conclusion, the BEST option for maximizing protection of the production-critical SCADA supervisory systems from malicious software would be to configure a separate zone for the systems and restrict access to known ports (Option B). This approach can effectively isolate the systems from the rest of the network, minimizing the risk of attacks from other devices and reducing the attack surface of the SCADA systems.