Assignment: Take Home Portion
Directions:
This part, i.e. the Problems section is ‘open internet' meaning that you can use any online source, physical book, slides from class, or personal notes on the take home portion. Doing so will result in a significant grade penalty (an F for the course). I will be employing a number of cheat detection mechanisms to ensure compliance.
You must submit all of your answers as typed text in-line in this test document. Graphs may be hand-drawn and scanned in or created digitally.
Problems
1. you are a security analyst that is consulting with an industrial factory called Fictional Terrible Company (FTC) that makes a special type of chemical called "Destructoviralbacteriumuraniumpostapocalypseicus" (DVBUP for short). FTC is regulated by the Environmental Protection Agency (EPA) and has to pay for each violation they have:
The EPA provides the following information about penalties:
|
Laws and regulations
|
Fine for each violation (per day per incident)
|
|
Hazardous Waste Disposal
|
$71,264
|
|
Clean Air Act
|
$95,284
|
|
Clean Water Act
|
$52,414
|
|
Safe Drinking Water Act
|
$54,789
|
FTC provides the following information about their industrial plant
Below is the table of the past problems we have had.
|
Problem
|
Incidents
|
Avg. Number of Days to mitigate
|
|
Sabotage Pipe breakages that have led to DVBUP release
|
16 times in the past 8 years
|
2
|
|
Insecure SCADA system that has led to DVBUP release
|
2 times in the past 8 years
|
15
|
FTC also states the following:
• 8 of thepipe breakages caused a Clean Air Act violation, 4 caused a Clean Water Act violation, and 4 lead to violations of both the Clean Air and Clean Water acts
• 1 of the times, when hackers breached our SCADA systems, they released materials into the air, the other led to a release that went into the water, but also got into the drinking water table causing us to pay penalties for the both the clean water act and the safe drinking water act
• We've not had any Hazardous Waste Disposal issues
a) State the two security problems as threats quantitatively using Expected Threat Impact (ETI) and Annual Threat Loss Expectancy (ATLE). Show all of the work.
b) Given your calculations in a) you confer with Bill Mahoney of the UNO Cybersecurity department to come up with a secure SCADA architecture. Bill says that, for $600,000 he can assemble a team of students at UNO that can mitigate the problem. Based on a look at the national numbers, you figure the solution will reduce the number of exploitations to once in 10 years - but wont change how long it takes to mitigate. You also confer with a physical security company to look into new fencing that will reduce the sabotage incident frequency by90% (i.e. to once every 5 years). The fencing will cost $500,000. Draw a single decision tree that showsALL of the different options available. Use the information above to estimate the probabilities and costs at each step.
c) Assuming a risk neutral approach, is it cheaper to mitigate one SCADA, sabotage, both problems, or to do nothing in a 1 year time interval? What about a 5 year time interval? Use the decision tree to justify your answer
2. You are given the following policy from the NIST SP 800-53.
IA-3: DEVICE IDENTIFICATION AND AUTHENTICATION
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
Assume the organization in question - FTC from question 1, has instantiated the policy using the following selections as follows.
The information system uniquely identifies and authenticates mobile phones and IoT devices before establishing a network connection.
a) Write a first order logic statement that represents the control for FTC.
b) Identify a non-compliant state (i.e. scenario that is not acceptable by the policy) using first order logic.
c) Given your answers, draw a Venn diagram that visibly shows the "secure states" and "insecure states" for the information system. Assume a closed-world assumption is in place (i.e. only your logic statement defines what is secure and insecure.