During a security assessment of a municipal water-treatment facility you prove that, once an attacker gains Layer 2 access to the control LAN, they can push malicious ladder-logic to the plant's programmable logic controllers (PLCs) and alter the chemical dosing process. The site already uses firewalls, strong authentication on engineering workstations, and segmented VLANs, but management remains concerned about logic tampering by a rogue insider or a compromised HMI. Which additional OT-specific countermeasure would most effectively block unauthorized logic downloads to the PLCs even if the network defenses are bypassed?
Deploy a network IDS that triggers alerts on Modbus function codes 5, 6, and 16.
Place the PLCs behind an additional stateful inspection firewall on the control LAN.
Enforce time-based one-time password (TOTP) authentication for all SCADA HMI logins.
Lock each PLC's hardware mode switch in the RUN position to disable programming writes.
Most industrial PLCs (for example, Rockwell, Siemens, and Schneider Electric models) include a hardware key switch with positions such as RUN, REM (remote), and PROG. When the switch is locked in the RUN position, the controller continues executing its current logic but rejects any write or download attempts, regardless of network reachability or workstation compromise. Because changing the switch requires physical access and the key can be controlled through operational procedures, this creates a strong last-line control against unauthorized logic modification.
The other options are useful but do not provide the same assurance:
A traditional stateful firewall cannot stop attacks that originate from within the control LAN.
Enforcing two-factor authentication on HMIs protects interactive sessions but does not stop direct PLC programming commands sent from another host.
A network IDS that alerts on Modbus writes provides visibility but is detective, not preventive; it will not block the download in real time. Locking the PLC's mode switch is therefore the most effective preventive control.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a PLC?
Open an interactive chat with Bash
What is the purpose of a hardware mode switch on a PLC?
Open an interactive chat with Bash
How does logic tampering in PLCs impact industrial processes?
Open an interactive chat with Bash
What is a Programmable Logic Controller (PLC)?
Open an interactive chat with Bash
How does a hardware mode switch on a PLC help secure the device?
Open an interactive chat with Bash
What is Modbus protocol and why is it relevant for PLC communication?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Mobile Platform, IoT, and OT Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .