A manufacturing company's security team discovers a critical remote code execution (RCE) vulnerability in a legacy industrial control system (ICS). The vendor's patch is available, but applying it will break the proprietary software, causing a lengthy production outage. The business has accepted the risk of not patching. Which of the following would be the MOST appropriate compensating control for the security analyst to recommend?
Implement network segmentation to place the ICS on an isolated network, and use a firewall to strictly limit all inbound and outbound connections to only those that are absolutely necessary.
Develop a business case to procure a new, modern ICS that will replace the legacy system within the next two fiscal years.
Install an Endpoint Detection and Response (EDR) agent on the legacy ICS to provide continuous monitoring and block malicious activity.
Formally document the patching exception in the organization's risk register and schedule a new risk assessment for the following quarter.
The correct answer is to implement network segmentation and firewall rules. This is the most appropriate compensating control because it directly addresses the risk of the unpatched RCE vulnerability by limiting the system's exposure to the network. By placing the ICS in an isolated segment and using a firewall to restrict traffic, an attacker's ability to reach and exploit the vulnerability is significantly reduced.
Installing an EDR agent may not be feasible on a legacy or proprietary ICS. Documenting the exception is a necessary administrative step in risk management but is not a technical control that mitigates the vulnerability. Replacing the legacy system is a long-term remediation strategy, not an immediate compensating control to address the current risk.