Exam CAS-004 topic 1 question 447 discussion

The best approach to reduce the company's risk is to segregate the enterprise IT servers and supervisory industrial systems. Creating a new network segment and using a Next-Generation Firewall (NGFW) to enforce a strict segmentation policy will help to isolate the systems and protect against potential attacks. Additionally, implementing a Wireless Intrusion Detection System (WIDS) can help monitor the spectrum for unauthorized devices or interference.

o Network Segmentation: Separating enterprise IT servers from supervisory industrial systems reduces the risk of lateral movement by attackers. o Next-Generation Firewall (NGFW): Enforcing a well-defined segmentation policy with an NGFW enhances security by controlling and monitoring traffic between segments. o Wireless Intrusion Detection System (WIDS): Monitoring the spectrum with a WIDS helps detect and respond to unauthorized or malicious wireless activities.

- Establish a unidirectional gateway (data diode) that allows data to flow in only one direction—from mission-critical systems to enterprise IT—but blocks any data from flowing back. Physically and logically separates the enterprise IT network from the supervisory industrial systems, mitigating the risk of cross-network attacks. Prevents potential threats originating from the enterprise IT environment from reaching mission-critical systems. - Introduce controlled RF noise to mask or obfuscate legitimate communication signals, making it harder for unauthorized parties to intercept or decipher them. Reduces the likelihood of attackers successfully intercepting RF communications. - Upgrade communication protocols to include encryption and authentication mechanisms. Ensures that command and telemetry messages are protected from unauthorized access and tampering. Verifies the identity of communicating parties, preventing spoofing attacks.

Network segmentation ensures that enterprise IT systems and mission-critical industrial systems are isolated from each other, reducing the risk of malware or attacks spreading across these environments. NGFW provides robust security controls and monitoring to enforce the segmentation policy effectively. WIDS enhances security for the RF communication used by supervisory controllers, adding a layer of detection for any suspicious or malicious activity.

https://csrc.nist.gov/glossary/term/wireless_intrusion_detection_system

B is the best choice as it directly addresses the identified risks by prioritizing the isolation and protection of safety-critical systems, improving RF signal management, and maintaining operational integrity. This approach ensures that critical systems are adequately secured while maintaining necessary connectivity and operational efficiency in the regional electric distribution services environment.