CompTIA PenTest+ (PT1-002) — Question 54
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
Answer options
- A. PLCs will not act upon commands injected over the network.
- B. Supervisors and controllers are on a separate virtual network by default.
- C. Controllers will not validate the origin of commands.
- D. Supervisory systems will detect a malicious injection of code/commands.
Correct answer: C
Explanation
The correct answer is C because many controllers are designed to accept commands without validating their origin, which leaves them vulnerable to unauthorized command injection. Option A is incorrect because PLCs may respond to commands sent over the network if they are not properly secured. Option B is incorrect because placing supervisory systems and controllers on a separate virtual network is not a default configuration. Option D is incorrect because many supervisory systems lack the capability to detect malicious injections.