Domain 3: Security Architecture Module 21 of 61

IoT, ICS/SCADA, and Embedded Systems

Security+ Domain 3 — Security Architecture A — Architecture Models 12–15 minutes

What the Exam Is Really Testing

When Colonial Pipeline was hit by ransomware in 2021, fuel supply along much of the eastern United States was disrupted. The attack landed on IT systems, but the company halted pipeline (OT) operations as a precaution, because it could not be confident that the boundary between the two networks would keep the attackers out of the control systems.

That is the kind of scenario the exam is built around.

Devices with constrained resources, long lifecycles, and limited patching capabilities require a fundamentally different security approach than standard IT systems.

Most exam questions in this area follow the same logic: the device cannot be secured directly, so what do you do around it?


IoT Security Challenges

Internet of Things (IoT) devices include smart cameras, sensors, medical devices, HVAC controllers, wearables, and industrial monitors. They share common security weaknesses:

Weak Defaults

Many IoT devices ship with default credentials, open ports, and unnecessary services enabled. Users rarely change these settings. Attackers know the default credentials for thousands of device models.

The Mirai botnet exploited exactly this — scanning for devices using factory-default usernames and passwords.
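The scanning pattern described above is visible in device authentication logs long before a compromised device joins a botnet. The following is an added example, not code from the original page: a small Python detector that parses constructed telnet login records and flags (a) sources that cycle through several default usernames against several devices inside one time window, and (b) any successful login with a default username from outside an assumed management subnet. The log format, device names, addresses, subnet and the username list are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames that recur in published default-credential lists for IoT devices
# (Mirai's hard-coded list included root, admin, support, user, guest, service,
# supervisor, tech, 888888 and 666666, among others). Assumed set for this example.
DEFAULT_USERNAMES = {"root", "admin", "support", "user", "guest", "service",
                     "supervisor", "tech", "888888", "666666"}

# Management subnet from which interactive logins are expected (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.0.50.0/24")]

# Constructed log format: timestamp, device, result, username, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
2024-05-02T10:00:05Z cam-01 telnetd: login ok user=admin from=10.0.50.5
2024-05-02T10:01:02Z cam-01 telnetd: login failed user=root from=198.51.100.23
2024-05-02T10:01:03Z cam-01 telnetd: login failed user=admin from=198.51.100.23
2024-05-02T10:01:09Z cam-02 telnetd: login failed user=support from=198.51.100.23
2024-05-02T10:01:15Z dvr-01 telnetd: login failed user=user from=198.51.100.23
2024-05-02T10:01:16Z dvr-01 telnetd: login ok user=root from=198.51.100.23
2024-05-02T10:30:00Z cam-03 telnetd: login failed user=admin from=10.0.50.5
"""


def parse_log(text):
    """Turn raw lines into event dicts; lines the regex does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_credential_scanners(events, min_users=3, min_devices=2,
                             window=timedelta(minutes=10)):
    """Sources that try several default usernames against several devices within
    one window: the Mirai scanning pattern, as opposed to one mistyped login."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["user"] in DEFAULT_USERNAMES:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window over this source
            users, devices = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                users.add(ev["user"])
                devices.add(ev["device"])
            if len(users) >= min_users and len(devices) >= min_devices:
                flagged[src] = {"usernames": sorted(users), "devices": sorted(devices)}
                break
    return flagged


def find_untrusted_default_logins(events):
    """Successful logins with a default username from outside the management net."""
    hits = []
    for ev in events:
        if ev["result"] != "ok" or ev["user"] not in DEFAULT_USERNAMES:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in TRUSTED_NETS):
            hits.append((ev["device"], ev["user"], ev["src"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", find_credential_scanners(evs))
    print("default-credential logins from untrusted sources:", find_untrusted_default_logins(evs))
```

The second check is the one that matters operationally: a successful default-credential login from an untrusted source means the device is already owned, and the only remaining response is network-level (isolate the VLAN, block the source) because the device itself offers no agent or log forwarding to act on.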

Limited Patching

IoT devices often lack automated update mechanisms. Firmware updates may require manual intervention, physical access, or vendor-specific tools. Many manufacturers stop issuing updates entirely after a few years.

Result: known vulnerabilities persist indefinitely on deployed devices.

Constrained Processing

IoT devices typically have minimal CPU, memory, and storage. This means:

  • They cannot run endpoint protection agents
  • They may not support strong encryption protocols
  • Complex authentication schemes may be impractical
  • Logging and monitoring capabilities are minimal

Large Attack Surface

Organizations may deploy hundreds or thousands of IoT devices. Each one is a potential entry point. Many connect directly to the network with minimal security controls.

The exam expects you to recognize that IoT security is primarily about compensating controls rather than securing the devices themselves.


ICS/SCADA Systems

Industrial Control Systems (ICS) manage physical processes in manufacturing, utilities, energy, and critical infrastructure. SCADA (Supervisory Control and Data Acquisition) is a type of ICS used to monitor and control geographically distributed processes such as pipelines, power grids, and water systems from a central location.

Operational Technology vs Information Technology

This distinction is critical for the exam:

  • IT systems prioritize confidentiality, integrity, availability (in that order)
  • OT systems prioritize availability, integrity, confidentiality (reversed order)

In an OT environment, keeping the process running is the top priority. A power plant cannot take unplanned downtime to apply a patch; patching waits for a scheduled outage window. A manufacturing line cannot stop for a security scan, and an active scan against a fragile controller can itself cause the stoppage.

ICS/SCADA Security Challenges

  • Legacy protocols — Many ICS protocols (Modbus, DNP3) were designed without authentication or encryption. They predate modern security requirements, so any host that can reach a controller on the network can read its state and send it write commands; the network path is the only place access can be controlled.
  • Long lifecycles — ICS equipment may run for 15-25 years. Replacing it for security reasons is often financially impractical.
  • Safety implications — A security incident in an ICS environment can cause physical harm, environmental damage, or loss of life. This changes the risk calculus entirely.
  • Air-gapping challenges — Historically, ICS networks were isolated (air-gapped). Convergence with IT networks and remote access requirements have eroded this isolation.
  • Vendor dependencies — ICS environments often depend on specific vendor configurations. Unauthorized changes, including security patches, can void warranties or cause system instability.
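To make the "no authentication" point concrete, the following added example (not code from the original page) parses Modbus/TCP frames and then applies the compensating control this module keeps returning to: passive monitoring that alerts on write commands from hosts that are not the approved HMI, and on a Diagnostics request that would silence the controller. The MBAP header layout, function codes and sub-function 0x0004 are from the Modbus specification; the IP addresses, the sample capture and the allow-list are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (standard assignments).
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8               # function code 08
FORCE_LISTEN_ONLY = 0x0004    # sub-function 04: device stops answering until restarted


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request or response.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); then the PDU: function code (1) + data. Note what is absent:
    no field anywhere carries a credential, signature or session token.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:      # length counts unit id + PDU
        raise ValueError("MBAP length field does not match payload size")
    return ModbusFrame(txn, unit, payload[7], payload[8:])


def build_request(txn: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct the sample capture."""
    return struct.pack(">HHHB", txn, 0, len(data) + 2, unit) + bytes([function_code]) + data


def inspect_packet(src_ip: str, dst_ip: str, payload: bytes, allowed_writers: set) -> list:
    """Passive check on one captured packet. The PLC executes any well-formed
    request, so 'who may write' can only be enforced on the network."""
    frame = parse_modbus_tcp(payload)
    fc = frame.function_code
    alerts = []
    if fc in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        alerts.append(f"{src_ip} -> {dst_ip} unit {frame.unit_id}: "
                      f"{WRITE_FUNCTIONS[fc]} from non-approved host")
    if fc == DIAGNOSTICS and len(frame.data) >= 2:
        sub = struct.unpack(">H", frame.data[:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            alerts.append(f"{src_ip} -> {dst_ip} unit {frame.unit_id}: "
                          "Diagnostics/Force Listen Only Mode (denial of service)")
    return alerts


# Constructed sample capture: (src, dst, Modbus/TCP payload). Addresses are assumed.
PLC = "10.20.1.5"
HMI = "10.20.2.10"
ROGUE = "10.20.4.77"          # a host in the enterprise address range
ALLOWED_WRITERS = {HMI}
SAMPLE_TRAFFIC = [
    (HMI,   PLC, build_request(1, 1, 3, b"\x00\x00\x00\x0a")),  # read 10 holding registers
    (HMI,   PLC, build_request(2, 1, 6, b"\x00\x10\x00\x2a")),  # HMI writes 42 to register 16
    (ROGUE, PLC, build_request(3, 1, 6, b"\x00\x10\x03\xe8")),  # same write, value 1000, rogue host
    (ROGUE, PLC, build_request(4, 1, 8, b"\x00\x04\x00\x00")),  # diagnostics: force listen-only
]


def run_monitor(traffic=SAMPLE_TRAFFIC, allowed_writers=ALLOWED_WRITERS) -> list:
    alerts = []
    for src, dst, payload in traffic:
        alerts.extend(inspect_packet(src, dst, payload, allowed_writers))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print("ALERT", alert)
```

The two rogue packets are byte-for-byte as valid as the HMI's: the controller has no way to tell them apart. That is why the answer to a "legacy protocol, cannot upgrade" scenario is segmentation plus monitoring of exactly this kind, fed from a SPAN port or tap so nothing is injected into the control network.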

Real-Time Operating Systems (RTOS)

An RTOS is designed to process data and events within strict time constraints. It is used in embedded systems where timing is critical: medical devices, automotive systems, industrial controllers, avionics.

Security implications:

  • Deterministic behavior — RTOS prioritizes timing guarantees over security features. Adding security overhead may violate timing requirements.
  • Minimal footprint — RTOS runs on constrained hardware. Traditional security tools are too resource-intensive.
  • Limited updates — Updating an RTOS may require recertification of the entire system, especially in medical or aviation contexts.
  • Long deployment cycles — Devices running RTOS may be deployed for decades without updates.

Embedded System Security

Embedded systems are specialized computing systems designed for specific functions within larger devices. They are found in routers, printers, medical equipment, automotive systems, and industrial controllers.

Key security concerns:

  • Firmware vulnerabilities — Embedded firmware may contain hardcoded credentials, buffer overflows, or backdoors
  • Physical access — Many embedded systems are physically accessible, allowing direct hardware attacks (JTAG, serial console access)
  • Supply chain risk — Compromised components or firmware inserted during manufacturing
  • No user interface — Many embedded systems lack a management interface, making security configuration difficult
  • Inability to install agents — Proprietary operating systems and constrained resources prevent installation of security software

Network Segmentation for OT Environments

Since you often cannot secure IoT and ICS devices directly, network segmentation becomes the primary defense.

The Purdue Model

The Purdue Enterprise Reference Architecture defines network segmentation levels for industrial environments:

  • Level 0 — Physical process (sensors, actuators, drives)
  • Level 1 — Basic control (PLCs, RTUs, safety controllers)
  • Level 2 — Supervisory control (SCADA servers, HMIs, local engineering workstations)
  • Level 3 — Site operations (historians, application servers, domain services for the plant)
  • Level 3.5 — The IT/OT DMZ: a buffer zone where data is handed off between OT and IT, so that no connection ever spans both
  • Level 4-5 — Enterprise IT network (Level 4) and the internet / wide-area business network (Level 5)

Segmentation Controls

  • Firewalls between zones — Control traffic flow between IT and OT networks
  • VLANs — Logically separate IoT devices from production networks
  • Jump servers — Dedicated, hardened systems for accessing OT environments from IT networks
  • Unidirectional gateways (data diodes) — Allow data to flow out of OT networks for monitoring without allowing inbound connections
  • Network monitoring — Passive monitoring that observes traffic without introducing latency or risk to OT systems
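A practitioner reviewing a plant firewall rarely argues about the Purdue diagram; the disputes are over individual rules. The following added example (not code from the original page) encodes three of the segmentation rules above as checks over a constructed firewall policy export: IT and OT traffic must terminate in the Level 3.5 DMZ, control protocols must not leave Level 3, and connections initiated from the DMZ into OT must come from a jump host. Zone names, the jump-host address, the sample rules and the simplified rule shape are assumptions; the protocol port numbers are the well-known ones.

```python
# Purdue levels for the zones in a constructed plant network (assumed names).
# Level 3.5 is the conventional name for the IT/OT DMZ.
ZONE_LEVEL = {
    "process": 0, "basic-control": 1, "supervisory": 2, "site-ops": 3,
    "ot-dmz": 3.5, "enterprise": 4, "internet": 5,
}

# Well-known ports of ICS protocols whose commands carry no authentication.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}

# The only hosts permitted to open sessions from the DMZ into OT (assumed address).
JUMP_HOSTS = {"10.20.35.10"}


def audit_rules(rules):
    """Return (rule name, finding) pairs for rules that violate the segmentation model.

    Each rule is a dict with src_zone, dst_zone, port and an optional src_host.
    """
    findings = []
    for r in rules:
        src, dst = ZONE_LEVEL[r["src_zone"]], ZONE_LEVEL[r["dst_zone"]]
        lo, hi = min(src, dst), max(src, dst)
        # 1. Nothing crosses between IT (>= 4) and OT (<= 3) without terminating in the DMZ.
        if lo <= 3 and hi >= 4:
            findings.append((r["name"], "IT/OT traffic must terminate in the Level 3.5 DMZ"))
        # 2. Unauthenticated control protocols stay at or below Level 3.
        if r["port"] in OT_PROTOCOL_PORTS and hi > 3:
            findings.append((r["name"], f"{OT_PROTOCOL_PORTS[r['port']]} must not leave Level 3"))
        # 3. Connections from the DMZ into OT originate only from the hardened jump hosts.
        if src == 3.5 and dst <= 3 and r.get("src_host") not in JUMP_HOSTS:
            findings.append((r["name"], "connections from the DMZ into OT must originate from a jump host"))
    return findings


# Constructed ruleset in the shape of a firewall policy export.
SAMPLE_RULES = [
    {"name": "historian-replicate", "src_zone": "site-ops", "dst_zone": "ot-dmz", "port": 1433},
    {"name": "dmz-to-erp", "src_zone": "ot-dmz", "dst_zone": "enterprise", "port": 443},
    {"name": "erp-direct-to-plc", "src_zone": "enterprise", "dst_zone": "basic-control", "port": 502},
    {"name": "jump-to-eng-ws", "src_zone": "ot-dmz", "dst_zone": "site-ops", "port": 3389,
     "src_host": "10.20.35.10"},
    {"name": "dmz-any-to-hmi", "src_zone": "ot-dmz", "dst_zone": "supervisory", "port": 3389},
]


if __name__ == "__main__":
    for name, issue in audit_rules(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

The first rule is the one a data diode makes unnecessary to police: if the historian replicates outward through a unidirectional gateway, there is physically no return path, so no DMZ-to-site-ops rule for that flow needs to exist at all. The last rule is the common mistake the third check catches: opening RDP from the whole DMZ instead of from the jump host only.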

Pattern Recognition

When you see IoT, ICS, or embedded system scenarios on the exam:

  • Cannot patch the device — The answer involves network segmentation, compensating controls, or monitoring
  • Default credentials exploited — The answer involves credential management, network isolation, or device hardening policies
  • OT network needs protection — The answer involves segmentation, DMZ between IT and OT, or data diodes
  • Safety vs security tradeoff — The answer prioritizes safety and availability in OT contexts

Trap Patterns

Watch for these common traps:

  • "Install endpoint protection on the IoT device" — Most IoT devices lack the resources to run security agents. The answer is network-level controls.
  • "Immediately patch the ICS system" — Patching OT systems requires careful change management and testing. Immediate patching can cause system instability or safety issues.
  • "Air-gap the entire OT network" — While historically common, true air-gapping is increasingly impractical. The exam expects segmentation with controlled access points.
  • Applying IT security priorities to OT — OT prioritizes availability over confidentiality. Answers that would cause downtime in OT environments are usually wrong.

Scenario Practice


Question 1

A hospital deploys network-connected infusion pumps that run proprietary firmware. The manufacturer has not released a security update in two years, and the devices cannot run endpoint protection software.

What is the BEST security control?

A. Replace all infusion pumps with newer models
B. Install host-based intrusion detection on each pump
C. Segment the infusion pumps onto an isolated network VLAN with strict access controls
D. Disable the network connectivity on all pumps

Answer & reasoning

Correct: C

The devices cannot be patched or run security agents. Network segmentation isolates them from the broader network, limiting the blast radius of any compromise while maintaining necessary connectivity.

Replacing all devices is cost-prohibitive. Disabling connectivity removes clinical functionality.


Question 2

A manufacturing company discovers that its SCADA system uses an unencrypted legacy protocol for communication between sensors and the control server. The system cannot be taken offline for upgrades.

What is the MOST appropriate mitigation?

A. Immediately upgrade the protocol to a modern encrypted version
B. Deploy network monitoring and segmentation around the SCADA environment
C. Disconnect the SCADA system from all networks until the protocol is upgraded
D. Accept the risk because legacy protocols are always acceptable in OT

Answer & reasoning

Correct: B

The system cannot be taken offline, so immediate protocol upgrades and disconnection are not viable. Network monitoring provides visibility into anomalous traffic, and segmentation limits exposure of the unencrypted protocol.

Simply accepting the risk without compensating controls is never the best answer.


Question 3

An organization is integrating its OT network with its IT network to enable remote monitoring of industrial processes. Security leadership is concerned about attacks traversing from IT to OT.

What control BEST addresses this concern?

A. Deploy a single firewall between the two networks
B. Implement a DMZ with data diodes and jump servers between IT and OT
C. Grant all IT administrators direct access to OT systems
D. Use the same security policies for both IT and OT networks

Answer & reasoning

Correct: B

A DMZ with data diodes (allowing outbound monitoring data) and jump servers (controlled inbound access) provides layered protection between IT and OT. This allows remote monitoring while limiting attack paths from IT to OT.

A single firewall provides less protection. Direct access and identical policies ignore the different security requirements of OT environments.


Key Takeaway

The thread that runs through every question in this area:

When you cannot secure the device, secure the network around it. When you cannot patch the system, segment and monitor it.

Can the device be patched? Can it run security agents? What are the safety implications? Is segmentation the answer? In OT environments, availability is the priority. Security controls must protect without disrupting operations.

Next: Module 22: Infrastructure as Code and Automation