Exam PT0-001 topic 1 question 25 discussion

I'm going for A. Reason? A single TCP or UDP port scan against a SCADA component can cause catastrophic damage of mass proportion. Before testing SCADA systems, pentesters should know the proper tools to use to ensure the testing provides adequate coverage and reduces the likelihood of knocking over critical services. Nutting, Raymond. CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) (p. 83). McGraw-Hill Education. Kindle Edition.

For the CISSP the answer is C but this the Pentest+ the answer should be A.

ccccccccccc

ccccccccccccccc

looks good to me

A is correct because it inherently encompasses C. Choosing proper tools specifically for testing SCADA systems implies that the safety consequences of using the wrong tools has already been considered. Therefore, by choosing A, you have considered C; by choosing C, you have not necessarily considered A yet. Therefore, the answer is A in my opinion.

Just a Short Reality check: If you pentest the IT of nuclear plant what are your biggest woories? a.) Having the right tools prepared ? c:) crashing a controlling system that may contrrols the cooling pumps ? So i would go with C guy's

The question mentioned that 'that must be made by the firm when preparing for the assessment?', so I am going for A 'Selection of the appropriate set of security testing tools'

I have to say C safety is always first ICS covers power, gas and oil. In OT/ICS networks, both integrity and confidentiality come second to availability Industrial Control System (ICS) is an umbrella term that includes both SCADA and DCS. An ICS network can monitor many infrastructure and raw material systems. For instance, Conveyor belts in a mining operation Power consumption in the electric grid Valve pressures in a natural gas facility ICS networks are mission critical, requiring immediate and high-availability. In many ways, this emphasis represents the main difference between IT and OT/ICS systems. For IT, security is high priority preserved by the Confidentiality, Integrity, and Availability (CIA) triad. In OT/ICS networks, both integrity and confidentiality come second to availability. Source: https://www.securicon.com/whats-the-difference-between-ot-ics-scada-and-dcs/

i think its C

I initially went with A, but after doing some searching, I'm leaning toward C: https://blog.hornecyber.com/attack-surface/rising-to-the-challenge-of-pen-testing-ics This details that we might have to coordinate scanning a PLC or other automated systems during off-hours or when no materials are in the machine, you don't want to accidentally start a machine when someone has their hands in it, for example. So you'd want to work out what those systems are and when you can scan them because of safety reasons.

Flip a coin? For me the key word is 'unique'. as others above have said, you'd choose the right tools whatever the environment (you wouldn't want to stress test/DOS a web server. But what's unique about scada is C.

I would also say that A is correct, for the same reason as kabwitte. SCADA/ICS systems are vulnerable to DoS/failure and careful consideration should be used when selecting the tools. Much more so that testing a typical windows/linux system.

I believe the correct answer is A.

I would go for C too. Because the question said: "unique to such an environment". Answer A is not unique to this environment because in every pentest you must select the appropriate tools to be used. But for ICS you should consider operational and safety issues. Its is unique for sure.

It is always human life in the first place. C !

The answer is A. Because you would have to more research to find tools that can test that specific scada system.