B. NIST Cybersecurity Framework (CSF)
Role: Provides a risk-based approach to manage cybersecurity for critical infrastructure (including ICS/SCADA/DCS).
Fortinet Reference:
*Fortinet OT Security Solution Guide (v7.2)*:
"The NIST Cybersecurity Framework is widely adopted in OT environments to align security practices with business objectives, manage risks, and ensure resilience."
Page 12: "Framework adoption (e.g., NIST CSF) helps organizations prioritize OT asset protection."
C. IEC 62443
Role: International standard specifically designed for ICS/OT security, covering technical controls, processes, and risk management.
Fortinet Reference:
*Fortinet NSE 7 - OT Security 7.2 Study Guide*:
"IEC 62443 is the foundational standard for securing industrial automation and control systems (IACS), including SCADA and DCS. It defines security zones, conduits, and security levels (SLT)."
*Module 4: "IEC 62443 provides OT-specific security requirements not covered by IT frameworks."*
Why Other Options Are Incorrect
A. Modbus: A communication protocol (not a framework) used in OT environments. It lacks security features and governance.
*FortiGate OT Security Guide*:
"Modbus is an unauthenticated, cleartext protocol vulnerable to eavesdropping. It is not a security framework."
D. IEC 104: A telecontrol protocol for SCADA (based on IEC 60870-5-104). It is not a security framework.
*FortiSIEM OT Monitoring Handbook*:
"IEC 104 is used for data transmission in electrical grids. Like Modbus, it requires external security controls."
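To make the "unauthenticated, cleartext" point about Modbus concrete, and to show the kind of external control the quoted handbook says such protocols need, here is an added example (not taken from any Fortinet document): a parser for the Modbus/TCP MBAP header and PDU, plus a monitoring check that flags write requests from hosts not on an allow-list. The sample frames, IP addresses and allow-list are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil/register writes),
# per the public Modbus application protocol specification.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusTcpFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusTcpFrame:
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    Every field is plain big-endian data; there is no field carrying a
    credential, signature or MAC, which is why the protocol itself cannot
    tell a legitimate HMI write from a forged one.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("length field does not match frame size")
    return ModbusTcpFrame(tid, pid, length, uid, frame[7], frame[8:])


def is_write(frame: ModbusTcpFrame) -> bool:
    return frame.function_code in WRITE_FUNCTION_CODES


def flag_unexpected_writes(frames, allowed_writers):
    """Return alert strings for write requests from hosts outside the
    allow-list. frames: iterable of (src_ip, raw_bytes) as a passive
    monitor would see them on the OT segment."""
    alerts = []
    for src, raw in frames:
        f = parse_modbus_tcp(raw)
        if is_write(f) and src not in allowed_writers:
            alerts.append(f"{src} unit {f.unit_id} fc {f.function_code}")
    return alerts


# Constructed sample traffic (hex): a Read Holding Registers (fc 3) and a
# Write Single Register (fc 6) from the HMI, then a write from another host.
SAMPLE = [
    ("10.0.1.10", bytes.fromhex("000100000006" "0103" "00000002")),
    ("10.0.1.10", bytes.fromhex("000200000006" "0106" "000100ff")),
    ("10.0.2.55", bytes.fromhex("000300000006" "0106" "00010000")),
]
```

Running `flag_unexpected_writes(SAMPLE, {"10.0.1.10"})` yields one alert for the write from 10.0.2.55; segmentation into IEC 62443 zones and conduits is what limits which hosts can reach the PLC in the first place.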
Key Documentation Extracts
*"Industrial environments align with IEC 62443 for OT-specific controls and NIST CSF for risk governance. Protocols like Modbus/IEC 104 require additional hardening."*
"IEC 62443 addresses OT asset discovery, segmentation, and threat detection. NIST CSF complements it with risk assessment methodologies."