Which sequence best describes the recommended incident recovery steps for a damaged control network segment?

Multiple Choice

Explanation:
When recovering after damage to a control network segment, the first priority is containment and returning the environment to a trusted state. Start by isolating the affected segment to stop the threat from spreading to other parts of the network and to protect assets. Next, restore from clean backups so you’re loading known-good configurations and software rather than reintroducing compromised code. After restoration, verify system integrity to ensure that the restored devices really are clean and that no malicious changes or firmware tampering remain. Then re-establish secure communications to restore trusted, authenticated data flow between components and operators. Finally, monitor for residual threats to detect any persistence mechanisms or new indicators of compromise and respond quickly if anything unusual is spotted. This order emphasizes stopping the spread, restoring a clean baseline, validating that baseline, reconnecting securely, and maintaining vigilance.