Exam CS0-002 topic 1 question 98 discussion

I think this is C. If were referring to other devices, yes - Implement BIOS passwords before they are compromised. But the ones that were already compromised, they need to be removed from the system to avoid further exploitation. Plus, if you put a password on there, the attacker may now have your password.

C. Remove the assets from the production network for analysis.

SO. From my understanding.... just googling... Field devices are "Equipment that is connected to the field side on an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and associated communications." which doesn't have BIOS? so it would have to be C?

i will go with B because the key statement is ; To secure the devices from further exploitation; device not system. so i think B fits perfectly.

Among the options provided, the best action to recommend is to remove the assets from the production network for analysis

The other answers don't fit

The question is mentioning "devices". That could be tablets and phones which don't have BIOS

I was looking for “contain” as the key word and not “remove from production” good to see it in different wording.

In the real world you would remove those devices in the first instance and this fits the question as removing them would be securing them and removing them from further exploitation. Then you would examine them in your lab setup.

the best step for securing the devices is to implement password BIOS...

Unauthorized changes to firmware versions on field devices indicate that the devices have likely been compromised by an attacker.By removing the compromised devices from the production network for analysis, the organization can better understand the extent of the compromise and take steps to remediate the issue. Changing the passwords on the devices (A) or implementing BIOS passwords (B) may provide some additional security, but these measures are unlikely to fully address the compromise of the devices.

C. it is essential to isolate the devices and analyze them in a controlled environment to identify the root cause of the issue, assess the scope of the compromise, and implement appropriate remediation measures.

Next step is Containment. Remove devices

In this scenario, the unauthorized changes to the firmware versions of the field devices indicate a potential security breach. To secure the devices from further exploitation, the best course of action is to remove them from the production network for analysis. This will help to prevent any potential harm to the network and reduce the risk of further compromise. The analysis will also provide important information for determining the source and extent of the breach, as well as any necessary steps to remediate it. Other recommended actions may include changing passwords, implementing BIOS passwords, and reporting the findings to the threat intel community, but removing the assets from the production network should be the first priority

Removing the devices from the production network?? What will you replace them with?? For sure some analysis will need to be completed but the key in the question is "Secure devices from FURTHER EXPLOITATION. Changing the BIOS passwords would be the best fit.

B, the only one that secures the devices.

I go for C: in order to investigate. B: can't be right, as the question talks about "field devices" which may or may not have an accessible bios.