Application of PKI to Secure IOT and OT Devices (CLO2)

According to a recently published ZDNet article, with IoT botnets continuing to cause problems and attacks on critical infrastructure, Microsoft has conducted research to find out whether edge network devices are a threat to enterprise systems.

 

The Microsoft-commissioned survey, conducted by the Ponemon Institute, looked at Internet of Things (IOT) and Operational Technology (OT) devices and what security threats they posed to IT systems that were once separated from edge network devices.

 

The survey of 615 IT, IT security, and OT security practitioners across the United States found that 51% of OT networks are connected to corporate IT networks. Some 88% of respondents said their business IOT devices are connected to the internet for things like cloud printing services while 56% reported devices on their OT network were connected for remote access.

 

The survey suggests there is awareness among IT managers, since 39% of respondents said they've experienced an attack on IOT or OT devices in the past two years. Additionally, 35% said they'd experienced an incident where an IOT device was used to conduct a broader attack, such as ransomware, or to gain persistence on a network. Most respondents (63%) believe attacks on IOT/OT devices will significantly increase in coming years.

 

References:

  1. https://www.zdnet.com/article/iot-under-attack-security-is-still-good-not-enough-on-these-edge-devices/
  2. https://mytechdecisions.com/it-infrastructure/just-42-of-security-pros-can-detect-iot-ot-vulnerabilities/

 

Activities:

  1. Propose the application of PKI for IOT and OT devices against cyberattacks.
  2. Suggest specific applications / systems to be used in the security proposal.

 

Deliverable:

Proposal for application of PKI for IOT and OT devices

 

 

Portfolio 2: Use of Forensic Tools and Techniques (CLO2) – 800 words

 

Case Study: M57 Patents – Exfiltration

A hypothetical start-up company, M57 Patents, was in business for about a month, doing art patent searches. In this case, the main players are the CEO, Pat McGoo; the IT person, Terry; and the patent researchers, Jo and Charlie.

 

One of the employees in M57 is stealing proprietary research from the company and passing it on to an outside entity. This employee has taken some measures to cover their tracks, but probably did not count on the company machines being imaged in the ongoing investigation of other criminal activity.

 

The police seized the digital evidence at the scene and made forensic copies of various evidence sources. However, for the scope of this portfolio, you are going to investigate only ONE of the USB drive images, which can be downloaded here:

https://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/usb/

 

Reference:

For more details, the case can be read here: https://digitalcorpora.org/corpora/scenarios/m57-patents-scenario

 

Activities:

  1. Refer to the additional details provided: Portfolio2 – Terry USB.pdf.
  2. Document your investigation steps and findings as a case investigation report, following proper structure and sequence.
  3. Evaluate the case based on your findings.
  4. As part of your conclusion, provide recommendations for the case and for the future if a similar case were to happen.

 

Deliverable:

Case investigation report

 

 

Portfolio 3: Professional, Ethical and Legal Discussion (CLO3) – 400 words

 

Case Study: Levels of Security

Stephanie Clark owns her own consulting business and has several people working for her. Stephanie is currently designing a database management system for the personnel office of MyCyberGames, a mid-sized company that makes cyber security games software.

Ms. Clark has involved MyCyberGames management in the design process from the start of the project. It is now time to decide about the kind and degree of security to build into the system.

Stephanie has described several options to the client. The client has decided to opt for the least secure system because the system is going to cost more than was initially planned, and the least secure option is the cheapest security option.

Stephanie knows that the database includes sensitive information, such as performance evaluations, medical records, and salaries. With weak security, she fears that MyCyberGames employees will be able to easily access this sensitive data. Furthermore, she fears that the system will be an easy target for external hackers.

Stephanie feels strongly that the system should be more secure than it would be if the least secure option is selected. Ms. Clark has tried to explain the risks to MyCyberGames, but the CEO, the CIO, and the Director of Personnel are all convinced that the cheapest security is what they want.

 

Should Stephanie refuse to build the system with the least secure option?

 

Applying the Code

The Code makes it clear that Stephanie must be careful about the issue of privacy of sensitive data, and she should not lose sight of that responsibility. At the same time, Ms. Clark needs to balance the need for security with the economic interests of the company that hired her to do this work. Professionals have to make subjective judgments to balance cost and the customer’s needs; there cannot be perfect security, and there are never infinite resources. This tension between finite resources and attaining the highest quality is a common cause for ethical conflicts.

In this case Stephanie made a mistake by offering a security “option” to the company that, upon later reflection, she thought was inadequate. It seems she did this to allow MyCyberGames to make an informed decision. If the low security system is not good enough for sustainable operations, then she should not have made it a possibility. By not informing the company up front about the necessity and cost for adequate security, she has created a difficult situation, both for MyCyberGames and for herself.

When we are faced with an ethical issue, whether it is in the evaluation of a case, the choice of a course of action, or the formulation of a policy, there are a number of questions that we need to examine:

  • Who are the stakeholders? That is, be aware of all the people involved in the issue in any way, whether they are responsible in some way for the decision or have some interest in the outcome.
  • What alternative responses to the issue exist?
  • What are the costs and benefits of each alternative? This examination should include all the stakeholders and be as comprehensive as possible.
  • How would the benefits and burdens be distributed for each alternative? What groups among the stakeholders would be favoured and which would be disadvantaged under each of the alternatives?

 

Consider the following alternatives:

  1. Stephanie goes along with the request and builds the system with inadequate security.
  2. Stephanie refuses to build the system and abandons the project.
  3. Stephanie tells MyCyberGames that her company will build in better security, but only charge for the cheaper option.

 

Deliverable:

This case does not require research – it requires thought and reflection.

 

 

Documentation Guidelines:

Document the results of your work in a professional and systematic manner. Your completed documentation should at least contain the following requirements:

  • Cover
  • Table of contents
  • Write up for Portfolio 1, 2 and 3 with proper numbered sections and subsections. Each portfolio should have the following structure at minimum:
    1. Introduction
    2. Structured write up content (with appropriate referencing and in-text citations)
    3. Conclusion
    4. References
    5. Appendix

 
