- May 15, 2020
The University of Queensland
School of Information Technology and Electrical Engineering
COMS3000 Semester 2, 2019
Report (Weighting 15%, 15 marks)
This Assignment is due Midday Tuesday, 08/10/2019 (Monday is a public holiday)

Auric Enterprises Threat and Vulnerability Analysis

You have been engaged by Auric Enterprises to perform a desktop Threat and Vulnerability Analysis.

Auric Enterprises has a large mining and metallurgical operation in central Australia. The whole operation occupies a single site of approximately 6 km x 26 km, including mining pits, processing plant, train load-out, workshops, operations control centre, engineering and administration buildings. The operations control centre, engineering and administration buildings are all together and interconnected by 10 Gbit fibre, and there is a 2 Gb microwave link to the workshops, processing plant and train load-out. All the wiring within each building is Cat 3 (10 Mb) ethernet, except for the administration building, which has Cat 5 (100 Mb) cabling; all server rooms have Cat 6 or multi-mode fibre connections (1-10 Gb). There are server rooms in the administration building and in the processing plant.

All data and communications from the control centre to the mining equipment are via radio technologies. Radios are used for voice communications, including safety and traffic management. Wi-Fi is used for all data transfer (reporting position, loads, telemetry and receiving targets, mining instructions, job messages, etc.) to the draglines, shovels, haul trucks and other equipment throughout the site. To cover the distances required, there is a network of Wi-Fi repeaters that retransmit all Wi-Fi packets to all stations in range. See the map on the next page showing the network of repeaters so that the Wi-Fi signals get to all parts of the site. Because the various pieces of equipment have different capabilities, the repeaters relay all types of Wi-Fi traffic, including open, WEP, WPA and WPA2.
The drilling rigs are automated, use GPS to position the bore holes for explosives, and have a Wi-Fi data connection back to the control centre. The draglines are electric and have their own industrial control systems with multiple ruggedized general purpose computers and many Programmable Logic Controllers (PLCs) with Wi-Fi links back to the control centre. The electric motor manufacturer also has its own 3G connection to each dragline to get data from the motors. Electric and diesel shovels take the material from the draglines and load it into haul trucks that carry the ore to the Run of Mine (RoM – unprocessed ore) grizzly (a grate that stops pieces that are too big). Most of the haul trucks can only support WEP encryption on the Wi-Fi (refitting is expensive and requires expensive downtime), and since haul trucks may get close to boundaries (and hence public areas) the maintenance manager decided to follow the famous xkcd cartoon (http://xkcd.com/936/) but with mining terms, and so Auric use the complex WEP password “auricblackcoalmining”. The shovels have to use unencrypted (“open”) Wi-Fi, but they are all too far from the mine boundaries for their Wi-Fi radios to reach outside the mine. All other WPA and WPA2 Wi-Fi stations use secure IEEE 802.1X authentication. The workshops, control centre, engineering and administration buildings all have Wi-Fi throughout with WPA2 and 802.1X authentication.

Figure 1: Map of Auric Enterprises operations

Auric Enterprises have reliable, patched and up-to-date firewalls on their Internet connection. For security they use IPv4 private addressing internally, with the entire 10.0.0.0/8 address space configured on all devices throughout the site.
This flat network means any device will work anywhere on the site and can easily interoperate with any other device, anywhere else on the site, including:
– finance
– HR
– all office PCs (Windows 7, 8 & 10)
– all engineering workstations (Windows XP with Siemens Step7 SCADA software)
– all SCADA devices (Siemens S7-300 PLCs with Vacon variable-frequency drives)
– all draglines
– all shovels and drilling rigs
– all haul trucks

When asked what the primary business risks were, the following personnel responded:

CFO: “Our finance data in our MSSQL databases is absolutely critical. If we lose that or it is tampered with it will conservatively cost us up to $10,000,000. In addition, it is crucial that our mining product and volume data, both in these databases and the SCADA systems, is kept secret, otherwise price negotiations with our biggest customers could easily cost us $10,000,000 per annum. Our biggest trading country is Kamaria.”

COO: “Our mining operations are absolutely critical. We have 24 hour operations. Our operations cost $2,500,000 a day. Trains load all day and night. Each train takes 8 hours to load and is worth $1,000,000. If the plant stops or the load-out stops or the trains stop, it will cost us $3,000,000 a day in lost revenue and $2,500,000 in expenses.”

CEO: “My travels are absolutely critical. I travel extensively for business along with my black and yellow Rolls Royce Phantom III. My personal assistant makes all my travel arrangements. Being a Kamarian national, he does not speak much English, but he uses my login and password on all systems to make any arrangements necessary. Because I need to be able to monitor all my business, I also have unlimited access to all the systems on the site.”

CIO: “Our information systems are absolutely critical. It is essential that the business systems can interrogate the mining data from the SCADA systems, so that we have the advantage over our competitors.
Availability is everything – all of the systems administrators can access all systems anytime to make sure everything stays working. After hours, they can telnet directly into the network devices from their home computers or airport kiosks if they are travelling. It is excellent.”

Shift Supervisor: “Plant reliability is absolutely critical. These variable-frequency drives we have throughout the plant are giving us no end of trouble. They keep failing and it is costing us dearly. We are averaging 10 days downtime every month lately!”

Assignment:

Review the current literature in Information Security and provide a concise 1500-2000 word report on the “Auric Enterprises Threat and Vulnerability Analysis”. Your report must identify the three most relevant THREATS to the information systems particular to this scenario (explain why each is a threat), as well as the five most significant VULNERABILITIES apparent in this scenario (explain why each one is a vulnerability) and how those VULNERABILITIES may be EXPLOITED in order to realise those THREATS. Your report must also identify the most important CONTROLS that Auric Enterprises should be considering as a priority to mitigate the RISKS of these THREATS being realised.

Your report should be sized for A4 paper and must have an appropriate structure and logical flow. You MUST use correct IEEE citations and references throughout. Every statement you make must be backed up with evidence (a citation) of where you found the information. But remember, this is YOUR report – YOU interpret the information and present it in your own words. Do NOT just present a series of quotations!
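The flat 10.0.0.0/8 network and the boundary-reachable WEP fleet Wi-Fi described in the scenario can be reasoned about as a zone-reachability question, which is one way to justify a segmentation control in the report. The Python below is an added illustration, not part of the assignment brief; the zone names, the asset-to-zone assignment and the segmented flow policy are assumptions made for the example.

```python
from collections import deque

# Added illustration for the Auric scenario; zone names, the asset-to-zone assignment
# and the segmented flow policy are assumptions, not a design from the brief.
ASSETS = {
    "finance_mssql":        {"zone": "corporate_servers", "critical": True},
    "office_pcs":           {"zone": "corporate_users",   "critical": False},
    "engineering_xp_step7": {"zone": "engineering",       "critical": True},
    "s7_300_plcs":          {"zone": "scada",             "critical": True},
    "draglines":            {"zone": "scada",             "critical": True},
    "shovels_open_wifi":    {"zone": "fleet_open",        "critical": False},
    "haul_trucks_wep":      {"zone": "fleet_wep",         "critical": False},
}

# Entry point for someone outside the fence: the WEP haul-truck Wi-Fi reaches public
# areas and the repeaters relay every Wi-Fi frame site-wide (both stated in the brief).
BOUNDARY_ENTRY = "fleet_wep"

# Proposed design (assumption): which zones may INITIATE connections into which others.
# PLCs never initiate outward; engineering pulls from SCADA; business systems pull
# from engineering, meeting the CIO's reporting need without a flat network.
SEGMENTED_LINKS = {
    "fleet_wep": {"scada"},
    "fleet_open": {"scada"},
    "scada": set(),
    "engineering": {"scada"},
    "corporate_servers": {"engineering"},
    "corporate_users": {"corporate_servers"},
}

def flat_links(zones):
    """Current design: one 10.0.0.0/8 broadcast domain, every zone adjacent to every other."""
    return {z: set(zones) - {z} for z in zones}

def reachable_zones(links, start):
    """Breadth-first search over the zone graph from the entry zone (includes start)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in links.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_critical_assets(links, entry=BOUNDARY_ENTRY):
    """Critical assets reachable at the network layer from the entry zone, sorted by name."""
    zones = reachable_zones(links, entry)
    return sorted(a for a, p in ASSETS.items() if p["critical"] and p["zone"] in zones)
```

Comparing exposed_critical_assets(flat_links(all zones)) with exposed_critical_assets(SEGMENTED_LINKS) shows that segmentation alone still leaves the PLCs and draglines reachable from the haul-truck WEP network, so the WEP fleet link itself needs its own control.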
Assessment:

Marking Scheme:

Threats (max 3 marks):
Some relevant threats are explained (why each is a threat) – 1
Relevant threats from quality industry sources, with no vulnerabilities identified as threats – 2
Relevant threats from peer-reviewed sources, with no vulnerabilities identified as threats – 3

Vulnerabilities (max 4 marks):
Some significant vulnerabilities are explained (why each is a vulnerability) – 1
Some significant vulnerabilities are explained and no threats are identified as vulnerabilities – 2
Significant vulnerabilities from quality industry sources, with no threats called vulnerabilities – 3
Significant vulnerabilities from peer-reviewed sources, with no threats called vulnerabilities – 4

Controls (max 4 marks):
Some relevant controls are provided – 1
Some relevant controls are explained (how they reduce the risk) – 2
All threats have relevant controls and demonstrate innovation beyond lecture material – 3
All threats have relevant controls, have innovation and are practical in this scenario – 4

Communication (max 4 marks):
Report has the correct structure – 1
Report has the correct structure, readable English and mostly correct reference formats – 2
Report has the correct structure, acceptable university English and mostly correct reference formats – 3
Report has the correct structure, high quality academic English and correct reference formats – 4

Further Guidelines

Report Length
The length of the report is to be 1500 – 2000 words.

Report Structure
The structure of the report should follow the outline below. The structure of the main content, e.g. the number of sections, headings etc., is up to you. Please use meaningful headings. It is important that the report has a logical flow and is easy to read. Professional and consistent formatting is expected.
Structure template:
• Executive Summary (Abstract) (~100 word summary of report)
• Introduction
• … (main content, headings as appropriate)
• …
• …
• Conclusions
• References

Information Sources
A significant part of the information in the report should be based on quality sources of information, i.e. peer-reviewed scholarly journal or conference papers. Given the focus of this assignment on recent trends, you might also consider some relevant quality online sources of information. It is expected that you will find, read, understand and summarise information from relevant sources. In addition to summarising information, you need to provide your own critical discussion and analysis of the information. You need to express the concepts and ideas in your own words. You are allowed to quote small parts of text from different sources, but this needs to be clearly identified via quotation marks, accompanied by the relevant reference.

Academic Merit, Plagiarism, Collusion and Other Misconduct
You should read and understand the statement on academic merit, plagiarism, collusion and other misconduct contained within the course profile and the document referenced in that course profile. Work without academic merit will be awarded a mark of 0.

Submission Instructions
You need to submit an electronic version of your assignment in PDF format via Blackboard. The submission deadline is midday Tuesday 08/10/2019. Good time management is critical. Students should not expect any significant assistance from the lecturer or tutor on this assignment in the last few days before the deadline.