- What Is GRID Domain 7: Visibility and Asset Awareness?
- Why Visibility Is the Foundation of ICS Defense
- Core Technical Concepts You Must Master
- Asset Inventory Methods in OT Environments
- Network Architecture and Segmentation Visibility
- Passive Discovery vs. Active Scanning: The ICS Tradeoff
- How Domain 7 Is Tested on the GRID Exam
- Domain 7 Study Schedule Within Your Overall GRID Prep
- Tools and Platforms Relevant to Asset Visibility
- Frequently Asked Questions
- Domain 7 focuses on building an accurate, living inventory of ICS assets as the prerequisite for every other defensive action.
- The GRID exam is 75 questions in 2 hours; open hardcopy notes are allowed, so build a dense reference index covering Domain 7 terminology.
- Passive discovery is the dominant technique in OT environments because active scanning can disrupt or crash legacy control system devices.
- A 74% passing score means roughly 56 correct answers; every domain, including Visibility, carries real weight in reaching that threshold.
What Is GRID Domain 7: Visibility and Asset Awareness?
GRID Domain 7 - Visibility and Asset Awareness in an ICS Environment - addresses one of the most practically urgent challenges in operational technology security: you cannot defend what you cannot see. Before detection analytics fire, before incident responders engage, and before threat hunters pivot through network data, someone must know what assets exist, how they communicate, and what their baseline behavior looks like. Domain 7 is the structural foundation that makes every other GRID domain actionable.
GIAC does not publish percentage weights for each domain, so candidates should treat Domain 7 with the same seriousness as the more operationally flashy domains. In practice, visibility knowledge threads through exam questions about monitoring, detection, and even active defense, making it one of the highest-leverage areas to master. If you are mapping your preparation across all seven areas, the GRID Exam Domains 2026: Complete Guide to All 7 Content Areas provides the full cross-domain picture.
The GRID certification is governed by GIAC and delivered as a proctored, web-based, multiple-choice exam. It costs $999 for your first attempt and allows hardcopy books and notes - a detail that has enormous strategic implications for how you study Domain 7's terminology-dense content. The exam is valid for four years, with renewal requiring continuing professional education and a $499 renewal fee.
Why Visibility Is the Foundation of ICS Defense
In an enterprise IT environment, asset discovery is routine. Tools scan subnets, endpoints check in with management servers, and configuration management databases update automatically. In an ICS environment, none of those assumptions hold. A programmable logic controller (PLC) running firmware from 2003 may crash if it receives an unexpected TCP connection. A human-machine interface (HMI) might be running an unsupported operating system that has never been patched because the vendor's warranty requires it to remain static. A remote terminal unit (RTU) may communicate exclusively over serial protocols that standard IP-based discovery tools cannot interpret.
This fragility is precisely why GRID dedicates an entire domain to visibility. The exam tests whether candidates understand the constraints of ICS asset discovery, not just the mechanics. Questions in this space are often scenario-driven: given a specific environment with SCADA systems, PLCs, and engineering workstations, what is the safest and most effective way to build an asset inventory?
Understanding why visibility matters also connects directly to GRID Domain 2: Detection in an ICS Environment, where detection logic is only as reliable as the asset baseline it references. A detection rule that flags unexpected communication between two IP addresses is useless if you do not know which IP addresses belong to legitimate control system components.
Core Technical Concepts You Must Master
Domain 7 is heavily technical. The following are the concept categories that appear with regularity in GRID-aligned coursework and exam objectives:
ICS Asset Classification
Candidates must be able to categorize assets by function and zone within the ICS architecture.
- Field devices: PLCs, RTUs, intelligent electronic devices (IEDs), sensors, actuators
- Control layer: HMIs, engineering workstations (EWS), historian servers
- Supervisory layer: SCADA servers, data acquisition systems, operator interfaces
- Demilitarized zone (DMZ) assets: data diodes, jump servers, unidirectional gateways
- Corporate / enterprise integration points: OSIsoft PI historians, ERP connectors
ICS Communication Protocols
Visibility requires interpreting the protocols that ICS assets use to communicate, many of which are unique to OT environments.
- Modbus (TCP and serial variants): the most widely deployed ICS protocol globally
- DNP3: common in electric utilities and water treatment; supports unsolicited responses
- EtherNet/IP and Common Industrial Protocol (CIP): dominant in manufacturing
- IEC 61850 and GOOSE messaging: substation automation and protection relaying
- OPC-DA and OPC-UA: historian and inter-system data exchange
- BACnet and Profibus: building automation and process control respectively
Protocol fluency is not optional for GRID candidates. Exam questions frequently describe a packet capture or a network diagram and ask you to identify what type of device is communicating, what function code is being used, or what anomaly exists in the traffic. This overlaps heavily with GRID Domain 4: Monitoring in an ICS Environment, where the same protocol knowledge is applied to ongoing surveillance rather than initial discovery.
Asset Inventory Methods in OT Environments
Building an asset inventory in an ICS environment requires multiple overlapping methods because no single approach captures everything safely and accurately. GRID candidates should be comfortable explaining the rationale for each technique and its limitations.
Documentation Review and Physical Walkdown
Before touching the network, experienced ICS security practitioners start with documentation: P&ID drawings, network diagrams, vendor manuals, and maintenance logs. Physical walkdowns - literally walking the plant floor or substation yard - reveal undocumented devices that appear nowhere in logical network maps. The exam tests whether candidates recognize this as a legitimate and often essential first step, not merely an informal preliminary.
Passive Network Monitoring
Passive collection via network taps or SPAN ports on switches allows security personnel to observe existing traffic without injecting any new packets into the OT network. By capturing and parsing Modbus, DNP3, or EtherNet/IP traffic, analysts can build an asset list from observed communication pairs. This is the gold-standard approach for initial discovery in live ICS environments. Tools like Zeek (formerly Bro), Wireshark with industrial protocol dissectors, and purpose-built ICS security platforms all support passive asset identification.
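The inventory-from-observed-traffic step described above, as an added example that is not code from this guide or from any of the tools it names: it takes frames already captured off a tap or SPAN port, labels each flow by the well-known ICS port it uses, parses the Modbus/TCP MBAP header and function code, and records which stations were seen writing to which servers. The IP addresses and payloads are constructed for illustration; the port list is the standard IANA assignment for each protocol, and non-Modbus flows are labelled by port only.

```python
"""Passive Modbus/TCP asset inventory from captured frames (added example).

Nothing here sends a packet: the input is a list of frames already captured
off a tap or SPAN port, which is the passive approach the section describes.
All IPs and payloads below are constructed for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

# Well-known ICS ports (standard assignments); used only to label observed flows.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC-UA"}

# Standard Modbus public function codes (subset); writes change process state.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)
    roles: set = field(default_factory=set)           # "Modbus/TCP server", ...
    unit_ids: set = field(default_factory=set)        # Modbus unit IDs this server answers for
    function_codes: set = field(default_factory=set)  # functions seen to/from this asset
    wrote_to: set = field(default_factory=set)        # servers this client issued writes to
    peers: set = field(default_factory=set)


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP ADU header. Returns (unit_id, function_code), or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol ID is always 0 for Modbus; the length field counts unit ID + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, payload)."""
    inv: dict[str, Asset] = {}

    def asset_for(ip):
        return inv.setdefault(ip, Asset(ip))

    for src, sport, dst, dport, payload in frames:
        a, b = asset_for(src), asset_for(dst)
        a.peers.add(dst)
        b.peers.add(src)
        # The server is whichever side holds the well-known port.
        if dport in ICS_PORTS:
            proto, client, server = ICS_PORTS[dport], a, b
        elif sport in ICS_PORTS:
            proto, client, server = ICS_PORTS[sport], b, a
        else:
            continue
        for asset, role in ((client, "client"), (server, "server")):
            asset.protocols.add(proto)
            asset.roles.add(f"{proto} {role}")
        if proto != "Modbus/TCP":
            continue  # other protocols are labelled by port only in this example
        parsed = parse_mbap(payload)
        if parsed is None:
            continue  # malformed frame: do not let it pollute the inventory
        unit, fc = parsed
        fc &= 0x7F  # exception responses set the high bit; strip it to recover the function
        server.unit_ids.add(unit)
        client.function_codes.add(fc)
        server.function_codes.add(fc)
        if fc in MODBUS_WRITE_CODES:
            client.wrote_to.add(server.ip)
    return inv


def writers(inv):
    """Clients observed writing to a Modbus server: the baseline later detection rules rely on."""
    return sorted(ip for ip, a in inv.items() if a.wrote_to)


# Constructed frames: an HMI polling a PLC, the PLC answering, an engineering
# workstation writing registers, a DNP3 poll to an RTU, and one malformed frame.
SAMPLE_FRAMES = [
    ("10.1.2.10", 50123, "10.1.1.5", 502,
     bytes.fromhex("0001 0000 0006 01 03 0000 000a")),           # FC3 read 10 registers
    ("10.1.1.5", 502, "10.1.2.10", 50123,
     bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)),      # FC3 response, 20 data bytes
    ("10.1.2.20", 51000, "10.1.1.5", 502,
     bytes.fromhex("0002 0000 0009 01 10 0010 0001 02 1234")),   # FC16 write one register
    ("10.1.2.30", 49000, "10.1.1.7", 20000,
     bytes.fromhex("0564 05c0 0100 0004")),                      # DNP3 (labelled, not parsed)
    ("10.1.2.10", 50124, "10.1.1.5", 502,
     bytes.fromhex("0003 0001 0006 01 03 0000 000a")),           # bad protocol ID, rejected
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FRAMES)
    for ip, asset in sorted(inventory.items()):
        print(ip, sorted(asset.roles), sorted(asset.function_codes), sorted(asset.peers))
    print("Modbus writers:", writers(inventory))
```

The design choice worth noting is that the server role is inferred from the well-known port rather than from who spoke first, so a response seen without its request (common on a SPAN port that missed the start of a session) still places the PLC on the server side. Feeding real captures means replacing `SAMPLE_FRAMES` with the TCP payloads produced by Zeek or a pcap reader.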
Configuration Data Extraction
Engineering workstations and SCADA servers often hold configuration files that enumerate every device in the system - I/O lists, device address tables, tag databases. Extracting this data from authorized sources provides highly accurate inventory without touching the network at all. GRID candidates should understand that this method requires careful access control and chain-of-custody documentation.
Key Takeaway
On the GRID exam, when a scenario describes a live production ICS environment where uptime is critical, passive discovery and documentation review are almost always the preferred first steps. Active scanning is generally a wrong answer unless the scenario explicitly establishes a safe maintenance window and device compatibility testing.
Network Architecture and Segmentation Visibility
Domain 7 requires candidates to understand not just which assets exist, but how they are networked - and whether that architecture matches intended design. The Purdue Enterprise Reference Architecture (PERA), also known as the Purdue model, provides the conceptual framework that GRID exams consistently reference.
| Purdue Level | Description | Typical Assets | Visibility Considerations |
|---|---|---|---|
| Level 0 | Physical process | Sensors, actuators, field instruments | Often serial-only; may require protocol-specific capture hardware |
| Level 1 | Basic control | PLCs, RTUs, IEDs | High crash risk from active scanning; passive is mandatory |
| Level 2 | Supervisory control | HMIs, SCADA clients, EWS | Windows-based; more tolerant of standard tools but still cautious |
| Level 3 | Site operations | Historian servers, batch management | DMZ placement; often the boundary for corporate data exchange |
| Level 4/5 | Business logistics / enterprise | ERP, corporate IT | Standard IT asset management tools are appropriate here |
Exam questions test whether candidates can identify a device's appropriate zone, recognize when an asset is in the wrong zone (a rogue connection or misconfiguration), and understand what network segmentation controls - firewalls, data diodes, unidirectional security gateways - should exist at each boundary. This architectural knowledge also underpins the work described in GRID Domain 3: Incident Response in an ICS Environment, where responders must understand network topology to contain an incident without shutting down critical physical processes.
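The zone check described in this section (is an asset talking across a boundary it should not, and is every endpoint in the inventory at all), as an added example that is not code from this guide or from any vendor platform. The inventory and flows are constructed, and the policy it encodes (a flow may cross at most one Purdue level boundary, and every endpoint must already be inventoried) is an assumption chosen to illustrate the check, not a rule taken from the guide.

```python
"""Segmentation visibility check against a Purdue-level inventory (added example).

The inventory and flows are constructed. The policy encoded here, that a flow
may cross at most one Purdue level boundary and every endpoint must already be
inventoried, is an assumption chosen to illustrate the check, not a rule
taken from the guide or from any vendor platform.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    kind: str    # "unknown-asset" or "level-skip"
    detail: str


# Constructed inventory: ip -> (asset name, Purdue level)
INVENTORY = {
    "10.1.1.5": ("PLC-01", 1),
    "10.1.1.7": ("RTU-02", 1),
    "10.1.2.10": ("HMI-A", 2),
    "10.1.2.20": ("EWS-1", 2),
    "10.1.3.40": ("Historian", 3),
    "10.10.0.8": ("ERP-App", 4),
}


def check_flows(flows, inventory=INVENTORY, max_span=1):
    """Flag flows that touch uninventoried hosts or skip Purdue levels."""
    findings = []
    for src, dst in flows:
        missing = [ip for ip in (src, dst) if ip not in inventory]
        if missing:
            # A host nobody inventoried is itself a visibility gap, report it first.
            findings.append(Finding(src, dst, "unknown-asset",
                                    "not in inventory: " + ", ".join(missing)))
            continue
        (sname, slvl), (dname, dlvl) = inventory[src], inventory[dst]
        if abs(slvl - dlvl) > max_span:
            findings.append(Finding(src, dst, "level-skip",
                                    f"{sname} (L{slvl}) <-> {dname} (L{dlvl})"))
    return findings


def level_exposure(flows, inventory=INVENTORY):
    """For each inventoried asset, the set of Purdue levels it was seen talking to."""
    exposure = defaultdict(set)
    for src, dst in flows:
        if src in inventory and dst in inventory:
            exposure[inventory[src][0]].add(inventory[dst][1])
            exposure[inventory[dst][0]].add(inventory[src][1])
    return dict(exposure)


# Constructed flows as (src_ip, dst_ip) pairs, as would be reduced from Zeek conn logs.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.1.5"),   # HMI -> PLC, expected L2 -> L1
    ("10.1.2.10", "10.1.3.40"),  # HMI -> historian, L2 -> L3
    ("10.1.3.40", "10.10.0.8"),  # historian -> ERP, L3 -> L4
    ("10.10.0.8", "10.1.1.5"),   # ERP -> PLC directly: level skip
    ("10.1.9.99", "10.1.1.7"),   # uninventoried host -> RTU
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f.kind, f.src, "->", f.dst, f.detail)
    print(level_exposure(SAMPLE_FLOWS))
```

`level_exposure` is the half of the output worth keeping as a baseline: once you know that PLC-01 normally only ever sees Level 2 peers, a Level 4 address appearing in its exposure set is exactly the "field device talking to ERP" anomaly the exam scenarios describe.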
Passive Discovery vs. Active Scanning: The ICS Tradeoff
This conceptual tension is one of the most frequently tested ideas in Domain 7. GRID candidates who arrive from an IT security background must internalize that active network scanning - the default approach in IT environments - is genuinely dangerous in OT. This is not a theoretical risk. There are documented cases of Nmap scans causing PLCs to stop responding, which in turn caused industrial processes to fail.
That said, the exam also tests nuance. Active scanning is not categorically prohibited for all ICS environments. When performed during a scheduled maintenance window, on devices that have been validated for scan tolerance, with change management authorization, and using ICS-specific low-rate scanning profiles, it can be a valid supplementary tool. The key word on any exam scenario is context: what are the safety requirements, what is the maintenance window status, and what has the asset owner authorized?
How Domain 7 Is Tested on the GRID Exam
The GRID exam uses 75 multiple-choice questions delivered in 120 minutes. That is roughly 96 seconds per question - enough time to think carefully if you have solid preparation, but not enough time to reason from first principles on every item. Domain 7 questions typically fall into three patterns:
- Scenario identification: A network diagram or text description of an ICS environment is presented. You must identify which assets belong to which Purdue level, or identify an architectural anomaly such as a field device communicating directly with a corporate ERP system.
- Method selection: Given a specific constraint (live production, maintenance window, legacy serial devices, budget limitations), which asset discovery method is most appropriate?
- Protocol interpretation: A captured packet or function code is shown. You must identify the protocol, the device type, and whether the behavior is normal or anomalous.
Because hardcopy notes are permitted, your index should include a quick-reference table of ICS protocol port numbers (Modbus TCP: 502, DNP3: 20000, EtherNet/IP: 44818, OPC-UA: 4840), Purdue model level definitions, and a decision tree for passive vs. active discovery scenarios. For detailed exam-day logistics advice, see GRID Exam Day Tips: 15 Strategies to Maximize Your Score.
If you want to test your Domain 7 readiness before the real exam, GRID Exam Prep practice tests include scenario-based questions that mirror the style and difficulty of actual GRID content.
Domain 7 Study Schedule Within Your Overall GRID Prep
With seven domains to cover and a recommended preparation depth that SANS ICS515 training addresses comprehensively, sequencing your study time matters. Domain 7 should be studied early in your preparation, not saved for the end, because its concepts give context to everything else.
Domain 7 Foundation: Architecture and Asset Classification
- Study the Purdue model in depth - know every level, its assets, and its boundaries
- Memorize the primary ICS protocols, their port numbers, and their typical use cases
- Review the difference between IT and OT asset management approaches and why they diverge
- Begin building your hardcopy reference index for Domain 7 terminology
Domain 7 Application: Discovery Techniques and Tools
- Deep dive into passive discovery: how to deploy network taps, configure SPAN ports, and parse ICS protocol traffic
- Practice interpreting Modbus and DNP3 function codes from packet captures
- Study configuration data extraction workflows and documentation review processes
- Cross-reference with Domain 4 (Monitoring) concepts - overlapping protocol knowledge compounds your efficiency
Domains 1-3: Active Defense, Detection, Incident Response
- Your Domain 7 foundation now supports understanding detection logic (Domain 2) and IR topology knowledge (Domain 3)
- Note how asset visibility gaps create specific incident response blind spots
- Review GRID Domain 1: Active Defense and GRID Domain 5: Threat Hunting to see how baseline asset knowledge enables both
For a comprehensive week-by-week plan covering all seven domains, the GRID Study Guide 2026: How to Pass on Your First Attempt provides full scheduling guidance alongside registration logistics and the note-preparation strategy that makes the open-book format work in your favor.
Tools and Platforms Relevant to Asset Visibility
GRID candidates should be familiar with the categories of tools used in ICS asset visibility programs, even if they have not personally deployed every platform. Exam questions may reference tool capabilities without naming specific commercial products, so understanding what each category of tool does is more important than brand familiarity.
Passive ICS Asset Discovery Platforms
These platforms sit on network taps or SPAN ports and automatically identify assets from observed traffic without injecting packets.
- Identify asset types, firmware versions, and communication patterns from protocol analysis
- Build automatic asset inventories including PLCs, HMIs, engineering workstations, and network infrastructure
- Alert on new devices appearing in the environment (a key indicator of unauthorized access or rogue asset introduction)
- Examples of this category include Claroty, Dragos Platform, Nozomi Networks, and Tenable OT Security
Packet Analysis Tools with ICS Protocol Support
General-purpose network analysis tools extended with ICS protocol dissectors are essential for manual investigation.
- Wireshark with Modbus, DNP3, EtherNet/IP, and IEC 61850 dissectors
- Zeek (Bro) with ICS protocol analyzers for automated log generation
- tcpdump for lightweight, targeted packet capture at network tap points
Understanding these tool categories also positions you well for the GRID Domain 6: Threat Intelligence concepts, where vendor-published ICS vulnerability data and threat actor TTPs are often contextualized against specific asset types identified through visibility programs.
If you are still evaluating whether the investment in GRID preparation is appropriate for your career stage, the Is the GRID Certification Worth It? Complete ROI Analysis 2026 addresses how ICS-specific expertise - including the asset visibility skills Domain 7 develops - commands premium compensation in critical infrastructure roles. You can also use GRID Exam Prep practice tests to get a realistic sense of where your Domain 7 knowledge stands before you commit to the $999 exam fee.
Frequently Asked Questions
GIAC does not publish percentage weights for individual domains on the GRID exam. The exam contains 75 questions across all seven domains. Candidates should prepare Domain 7 thoroughly, both for its direct coverage and because asset visibility knowledge supports correct answers in detection, monitoring, incident response, and threat hunting questions as well.
Yes, but only in specific scenario conditions. If the question establishes a scheduled maintenance window, device compatibility verification, low-rate scan profiles, and proper change management authorization, active scanning can be the correct answer. In any scenario involving live production environments with no maintenance window specified, passive discovery is almost always the correct choice.
Hands-on experience is not a formal prerequisite for the GRID exam. However, candidates who have worked with ICS environments, interpreted Modbus or DNP3 captures, or deployed network monitoring in OT networks will find Domain 7 questions significantly more intuitive. SANS ICS515-aligned preparation is strongly recommended because it provides both conceptual and hands-on coverage of visibility techniques.
Build a tabbed, indexed reference set before exam day. For Domain 7, prioritize a Purdue model level table, ICS protocol port and function code reference, a passive vs. active discovery decision framework, and a glossary of key terms like data diode, unidirectional gateway, historian, EWS, RTU, and IED. Practice navigating your notes quickly during timed practice sessions so you can find information in under 15 seconds during the real exam.
Domain 7 is foundational to nearly every other domain. Detection (Domain 2) requires a baseline asset inventory to identify anomalies. Monitoring (Domain 4) depends on knowing which assets to monitor and which protocols they use. Incident response (Domain 3) requires topology awareness to contain incidents without disrupting physical processes. Threat hunting (Domain 5) pivots on knowing what normal asset communication looks like. Mastering Domain 7 creates a multiplier effect across your entire exam score.
Ready to Start Practicing?
Test your Domain 7 knowledge and all other GRID exam areas with scenario-based practice questions designed to mirror the real exam's style, difficulty, and ICS-specific focus. Open hardcopy notes are allowed on the real GRID - use practice tests to find the gaps you need to fill before exam day.