Exam CAS-004 topic 1 question 35 discussion

Actual exam question from CompTIA's CAS-004
Question #: 35
Topic #: 1

An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get the required reports in an OT and IT environment?

  • A. In the OT environment, use a VPN from the IT environment into the OT environment.
  • B. In the OT environment, allow IT traffic into the OT environment.
  • C. In the IT environment, allow PLCs to send data from the OT environment to the IT environment.
  • D. Use a screened subnet between the OT and IT environments.
Suggested Answer: D

Comments

BiteSize
Highly Voted 1 year, 11 months ago
Selected Answer: D
D. Screened subnet is the standard used when creating a gap between networks A & B = VPNs are secure but IT to OT environment is backwards, because you DON'T want outside access to OT env. C = is close because you need to allow the traffic, but you need to find a way to secure it via segmentation (TAXII Server, Guacamole, DMZ). Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 7 times
...
Bdav
Most Recent 4 weeks ago
Selected Answer: D
Per NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security. "In general, the best solution is to avoid two-zone systems (no DMZ) and use a three-zone design, placing the data collector in the control network and the historian component in the DMZ."
upvoted 1 times
...
23169fd
11 months, 3 weeks ago
Selected Answer: D
A screened subnet, also known as a Demilitarized Zone (DMZ), acts as an intermediary network that separates the ICS and IT environments. This approach ensures that data can be securely transferred between the two environments without direct exposure. The historian server can be placed in the DMZ, allowing it to collect data from the ICS environment and generate reports accessible from the IT environment. This setup minimizes risk and maintains a robust security posture by ensuring that neither environment has direct access to the other.
upvoted 1 times
...
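The three-zone layout described in the comments above, as an added example that is not part of the original discussion: a small audit that flags firewall allow rules letting OT and IT talk directly instead of through the screened subnet that hosts the historian. The zone addresses, the rule tuples and the policy that sessions are only initiated toward the DMZ are assumptions made for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): addresses are illustrative only.
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),     # PLCs and data collector
    "DMZ": ipaddress.ip_network("172.16.50.0/24"),  # screened subnet, historian
    "IT": ipaddress.ip_network("192.168.0.0/16"),   # report consumers
}
# Assumed policy: sessions may only be initiated toward the screened subnet.
ALLOWED_PAIRS = {("OT", "DMZ"), ("IT", "DMZ")}

def zone_of(cidr):
    """Name of the zone that fully contains cidr, else 'UNKNOWN' (e.g. any)."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"

def audit(rules):
    """Return (index, src_zone, dst_zone, port) for each allow rule that
    crosses zones outside ALLOWED_PAIRS, such as direct OT<->IT traffic."""
    findings = []
    for idx, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        s, d = zone_of(src), zone_of(dst)
        if s == d and s != "UNKNOWN":
            continue  # traffic that stays inside one zone is out of scope
        if (s, d) not in ALLOWED_PAIRS:
            findings.append((idx, s, d, port))
    return findings

# Constructed rule list: (source, destination, tcp_port, action).
RULES = [
    ("10.10.5.0/24", "172.16.50.10/32", 443, "allow"),    # collector -> historian
    ("192.168.20.0/24", "172.16.50.10/32", 443, "allow"), # IT reads reports
    ("192.168.20.7/32", "10.10.5.21/32", 502, "allow"),   # IT -> PLC (options A/B)
    ("10.10.5.21/32", "192.168.30.4/32", 1433, "allow"),  # PLC -> IT (option C)
    ("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),                # default deny
]

if __name__ == "__main__":
    for idx, s, d, port in audit(RULES):
        print(f"rule {idx}: {s} -> {d} on port {port} bypasses the screened subnet")
```
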
p1s3c
2 years, 1 month ago
Selected Answer: D
D. Use a screened subnet between the OT and IT environments. A screened subnet (also known as a DMZ) is a network segment that is isolated from both the internal network and the internet by firewalls. It allows for secure communication between different networks, such as the OT and IT environments, while providing an additional layer of protection. By placing the historian server in the screened subnet, it can receive data from the PLCs in the OT environment, and the IT environment can retrieve the reports without compromising security. This is the best option to allow for secure communication between the two environments.
upvoted 4 times
...
BreakOff874
2 years, 2 months ago
Selected Answer: D
D. Use a screened subnet between the OT and IT environments. A screened subnet, also known as a demilitarized zone (DMZ), provides a secure area between the OT and IT environments that can be used to allow communication between the two environments while maintaining security. By placing the historian server in the screened subnet, the energy company can allow data to be transferred between the PLCs in the OT environment and the IT environment, while also ensuring that the OT environment is isolated from the internet and other external threats.
upvoted 3 times
...
Geofab
2 years, 2 months ago
Selected Answer: D
Agree with D. Screened subnet seems logical and secure. A good way to separate the IT and OT networks.
upvoted 3 times
...
margomi86
2 years, 3 months ago
Selected Answer: D
In order to allow the business to get the required reports in an IT and OT environment, it would be best to use a screened subnet between the OT and IT environments. This would allow for controlled access between the two environments and protect against unauthorized access or attacks. Option D is the correct answer. Option A and B can introduce security risks to both environments and Option C would not be the best approach for maintaining a secure and separate IT and OT environment.
upvoted 3 times
...
milkyzzz
2 years, 5 months ago
why not D?
upvoted 4 times
...
RevZig67
3 years, 2 months ago
Answer C. You would want communication to start in OT environment and send it up through levels to IT.
upvoted 2 times
...
dgfhyjfghfgfkfhd
3 years, 2 months ago
Selected Answer: C
A seems incorrect. It's worded to sound like there's a VPN server somewhere in the OT environment, which is backwards. The PLC data would be getting forwarded to the IT environment, not vice versa.
upvoted 3 times
dgfhyjfghfgfkfhd
3 years, 2 months ago
...and you wouldn't host a VPN server outside the IT environment.
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other