OBJECTIVE 05 — IoT AND OT SECURITY COUNTERMEASURES
WHY COUNTERMEASURES ARE CRITICAL (EXAM LOGIC)
Reason
IoT and OT devices control critical infrastructure
Exploitation can cause physical damage
Devices are difficult to patch
Long operational lifecycles
MEMORY HOOK: Weak security = real-world harm
IOT SECURITY COUNTERMEASURES
DEVICE-LEVEL COUNTERMEASURES
Countermeasure
Explanation
Disable unused interfaces
Turn off JTAG, UART, debug ports
Secure boot
Ensure only trusted firmware loads
Hardware root of trust
Cryptographic verification at boot
Tamper detection
Detect physical access attempts
MEMORY HOOK: No debug ports in production
FIRMWARE-LEVEL COUNTERMEASURES
Countermeasure
Explanation
Firmware signing
Prevent unauthorized firmware
Encrypted firmware
Protect sensitive code
Secure OTA updates
Authenticate update source
Remove hardcoded credentials
Prevent reuse attacks
EXAM TRAP: Firmware encryption alone is NOT sufficient without signing.
MEMORY HOOK: Signed + encrypted firmware
AUTHENTICATION & ACCESS CONTROL
Measure
Strong passwords
Certificate-based authentication
Role-based access control (RBAC)
Least privilege
MEMORY HOOK: Every device must authenticate
NETWORK-LEVEL IOT SECURITY
SEGMENTATION (VERY IMPORTANT)
Measure
Purpose
Network segmentation
Isolate IoT devices
VLANs
Logical separation
Firewalls
Restrict access
MEMORY HOOK: IoT never flat network
PROTOCOL HARDENING
Protocol
Countermeasure
MQTT
Enable authentication & TLS
CoAP
DTLS
HTTP
HTTPS
MEMORY HOOK: Plaintext protocols are unsafe
MONITORING & LOGGING
Measure
Intrusion detection
Anomaly detection
Centralized logging
OT SECURITY COUNTERMEASURES
ARCHITECTURAL CONTROLS (EXAM FAVORITE)
ZONE AND CONDUIT MODEL (IEC 62443)
Component
Purpose
Zones
Group assets with same risk
Conduits
Controlled communication paths
MEMORY HOOK: Zones isolate, conduits control
NETWORK SEGMENTATION IN OT
Layer
Rule
IT
Internet-facing
DMZ
Buffer zone
OT
Isolated
EXAM TRAP: Direct IT-to-OT communication is insecure.
ACCESS CONTROL IN OT
Control
Strong authentication
Multi-factor authentication
Role separation
Logging of access
MEMORY HOOK: Operators ≠ administrators
PROTOCOL SECURITY IN OT
Protocol
Countermeasure
Modbus
Secure gateways
DNP3
Secure authentication
BACnet
Network isolation
EXAM TRAP: Most OT protocols lack native security.
PATCHING & CHANGE MANAGEMENT
Practice
Test patches offline
Schedule maintenance windows
Vendor-approved updates
MEMORY HOOK: Patch carefully, not frequently
MONITORING & INCIDENT RESPONSE
Measure
Passive monitoring
Anomaly detection
Incident response plans
PHYSICAL SECURITY (IOT + OT)
Measure
Locked cabinets
Surveillance
Access logs
Tamper-evident seals
MEMORY HOOK: Physical access = full compromise
CLOUD & BACKEND SECURITY (IOT)
Measure
API authentication
Token expiration
Secure cloud configuration
Regular audits
SECURITY STANDARDS & FRAMEWORKS (EXAM)
Standard
Purpose
IEC 62443
OT security
NIST SP 800-82
ICS security
OWASP IoT Top 10
IoT risks
MEMORY HOOK: 62443 = OT bible
COMMON DEFENSIVE TOOLS (EXAM)
Tool
IDS/IPS
SIEM
Firewalls
Network monitoring tools
EXAM TRAPS (VERY IMPORTANT)
Trap
Correct Understanding
Encryption alone is enough
False
OT can be patched like IT
False
Flat networks are acceptable
False
Safety > security means ignore security
False
OBJECTIVE 05 — EXAM MEMORY BLOCK
IoT and OT security requires layered defenses. Disable debug interfaces, secure firmware, and enforce authentication. Segment networks using zones and conduits. Most OT protocols are insecure by default. Security controls must not disrupt operations.