Exam PT0-002 topic 1 question 68 discussion

C. Controllers will not validate the origin of commands The assumption that controllers will not validate the origin of commands is most likely to be valid. Many legacy industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are not designed with security in mind and lack basic security features such as authentication and access controls. As a result, it is common for these systems to accept commands from any source without verifying their origin. This makes them vulnerable to attacks such as command injection, which can be used to disrupt or damage the systems they control. Option A & D are likely to be invalid assumptions, many PLCs can act upon commands injected over the network and supervisory systems can detect malicious injection of code/commands if properly configured. Option B is also likely to be invalid as it is not a common practice, usually, the supervisory systems and PLCs are connected to the same network, and separating them would require additional hardware and configuration steps.

The MOST likely valid assumption made by the penetration-testing team is that Controllers will not validate the origin of commands.

it should be B.

It is likely that the controllers (such as PLCs) in a manufacturing plant's cyber-physical systems are not designed to validate the origin of commands received over the network. This means that they may not have the necessary security measures in place to prevent malicious commands from being injected over the network and executed. In contrast, it is less likely that the supervisory systems or PLCs would act upon commands injected over the network, or that the supervisory systems would detect a malicious injection of code/commands. It is also possible that the supervisory systems and controllers are on separate virtual networks, but this cannot be assumed without further information.