The University of Queensland CYBR7001 Fundamentals of Cyber Security Assignment 1 – Individual Work
Due Date: 02 September 1400hrs (Brisbane time) Total possible score: 100 marks (which contributes to 35% of total CYBR7001 assessment score) Submission: Only via Learn.UQ Blackboard site. Submit only in PDF format. Remember to put your name and student ID on the submission document.
Please observe strict academic integrity. All submissions will be checked by Turn-it-in for plagiarism and for original written content. Submissions with 20% or higher similarity scores will be flagged for disciplinary action.
Part 1: Situation Assessment and Policy Brief (50 marks) In this part of the assignment, you will take on the role of policy adviser of Lucky Country (LC) as part of a hypothetical cybersecurity taskforce, preparing to brief the LC Prime Minister’s Committee on National Security. This assignment information document contains fictional information on the background and current situation involving a major cyber incident affecting systems. The attacks notionally take place in 2024. The scenario presents a fictional account of political developments and public reporting surrounding the cyber incident.
The LC Prime Minister’s Committee on National Security needs information on the full range of response options available to them regarding this incident. Your team has been tasked with developing an appropriate course of action for them to recommend to the LC Prime Minister.
You are to consider as facts the following pages for formulating your response.
You will use the fictional scenario material presented to write a Situation Assessment and Policy Brief (no more than 2 A4-sized pages; Arial font size 10):
Write an analytical policy brief that provides a concise assessment of the situation, addresses potential impacts and risks, and discusses the implications of the cyber incident. Describe policy considerations for different potential state and non-state actors and explore the course of action you are recommending in depth.
The length of the brief is limited to two single-sided pages in length.
Part 1 marking rubrics: - 15 marks – Quality of situational assessment and analysis depth - 10 marks – Quality of immediate/short-term recommendations - 10 marks – Quality of long-term recommendations - 10 marks – Clarity of communication to appropriate audience - 5 marks – Writing style, grammar, structure and formatting Keep these tips in mind as you are reading and considering your policy response alternatives: ● Analyse the issues. The goal of this assignment is to grapple with complex issues and weigh the strengths and weaknesses of sometimes conflicting interests. Priority should be given to analysis of the issues and not to listing all possible issues or solutions. ● Engage the scenario. Believe that the universe we have created is plausible and that the events that happen in it are realistic. Nevertheless, remember to think critically about the intelligence you have been provided and its provenance. ● Think multi-dimensionally. When analysing the scenario, remember to consider implications for other organizations and domains (e.g. private sector, military, law enforcement, diplomatic) and incorporate these insights along with cyber security. ● Consider who you are, and who you’re briefing. You are cyber policy professionals briefing the upper echelons of the Lucky Country government, which happened to have a very similar cyber security ecosystem as that of its ally Australia. As such, you should be ready to answer questions on agency responsibility, provide justifications for your recommendations, and have potential alternatives ready. In other words, for ease of describing the organisations in the ecosystem, you may use Australian organisations/agencies (e.g. LCCSC likened to ACSC, or any organisation from the Patrick Fair overview) in your brief. ● Be creative. Cyber policy is an evolving discourse, and there is no single correct course of action to the scenario information provided. There are many ideas to experiment with in responding to the crisis. Note: Most of this part of the assignment is based on and referenced from the Atlantic Council Cyber 9/12 cyber competition packages. All materials included are fictional and were created only for the purpose of this assignment. All scenario content is for academic purposes and is not meant to represent the views of the university, authors, or any affiliated organizations. All names and places, if relating to any real-world characters or places, are purely coincidental. If you score really well, we may nominate you to represent UQ at the next competition. J CYBR7001 Assignment 1 2 From: Lucky Country (LC) Cyber Security Centre Re: Vulnerabilities in Key LC Systems Date: August 5th, 2024 As senior policy advisers preparing to brief the Prime Minister’s Committee on National Security on a developing threat to LC, I’ll let you know what her leading worries are. Based off initial intelligence, the Prime Minister has indicated that she is concerned about threat vectors concerning the status of LC electricity supply security and how it could affect the rest of the nation. There may be other threat vectors that the PM is not yet aware of. Given the unclear nature of the threat, the PM requests your team prepare a concise assessment of the ongoing situation and reporting. Your assessment should include: How or where the relevant systems could be vulnerable to exploitation, and what steps can be made to mitigate these vulnerabilities; An assessment of potential risks and impacts to consider if the vulnerabilities are successfully exploited; and Immediate and long-term responses the LC government can or should consider to address these vulnerabilities, taking into account the severity and likelihood of the threat. To provide this assessment and policy recommendations, you will apply your understanding of UQ’s CYBR7001 (e.g. elements of cyber security threats, vulnerabilities, technologies involved, law, foreign policy, international relations, criminology) to synthesize useful policy measures from limited information. Your recommendation must analyse the possible strengths, weaknesses, opportunities, and threats of your proposed response. As policy advisers, in formulating your response you will be expected to have considered, at a minimum: All stakeholders when determining an action or recommendation, including the role of the government and private sector; The long and short-term impacts of your recommendation; Which agency will be responsible for the action you have recommended, Whether you can, or should, attribute the threat; and The covert or overt nature of your response. Additionally, this message is accompanied by several documents that may assist your team in preparing a comprehensive policy recommendation for the task force: Tab 1 – LCNN Article #1 Tab 2 – LCNN Article #2 Twitter feeds
CYBR7001 Assignment 1 3 LCNN Article #1
[Breaking] Devastating Power Outage Across Lucky Country’s East Coast 5th August 2024 0600 hrs LCT
Report by Jonathan de Souza
A power cut has hit all cities and towns along the entire east coast of the Lucky Country. The blackout lasted just over five hours and started just before 11pm on 4th August 2024, causing service disruption and possible life loss.
The blackout caused all traffic lights and telecommunication base stations to malfunction and essential services to run on backup generator power. Several traffic accidents have occurred across most cities along the east coast. At least three hospitals reported power outages after their backup power were depleted after three hours, causing disruption to hospital operating theatres and intensive care units (ICU).
There have been unconfirmed reports of a handful of patients affected by the disrupted operations and social media coverage of the chaos at affected emergency departments.
Prime Minister Michelle Macintosh said the blackout was attributed to the outage of the grid system linking the entire east coast of the country and cited possible cyber-attacks on the country’s grid systems.
The PM has activated the LC Defence Force to assist in all affected areas. She also urged all citizens to remain calm and stay indoors wherever possible.
The PM elaborated that the attack was likely caused by a state actor deploying an advanced persistent threat vector on the power grid’s industrial control systems. When asked by LCNN, the PM refused to name the state actor involved.
Cyber security expert Professor Andrew Cole said the electricity and power supply industry has been a sitting duck to cyber-attacks for a long time, with power companies guilty of ignoring the risks repeatedly highlighted by the LC Cyber Security Centre and many cyber security professionals.
He said that power companies are guilty of negligence and bad governance, since the attacks were similar to the attacks on the Ukrainian power plants in 2015 and 2016, the January 2024 Ukraine cyber- attacks on government websites, and more recently, a smaller scale series of power outages on LC’s Old North Wales (ONW) state in June 2024.
The cyber-security company Information Security and Assurance Partners (ISAP) has linked the incident to the hack and ONW blackout in June 2024 that affected 225,000. It also said a series of other recent attacks in South America were connected.
CEO of Power Lucky Country, Mr Bradley Wilson, the company managing the grid line on LC’s East Coast, denied these accusations and said that the company has passed all cyber security audits and is certified to the ISO/IEC 27001 cyber security standard.
The chief police commissioner, Commissioner Wilfred Chan, urged all members of the public to remain indoors and report possible looting to the police.
Access to electricity is a major contention as the price of electricity has risen sharply across the country despite the increased unreliability of the providers. The loss of power could impact essential services and businesses throughout Lucky Country. The debate seems likely to continue further still as the country enters one of the coldest winters on record.
More to come…
CYBR7001 Assignment 1 4 LCNN Article #2
Lucky Country Announces Sanctions on the Democratic People’s Republic of Korrelle 20th May 2024 0**0 hrs LCT
Report by Santokh Singh
The Prime Minister of Lucky Country Michelle Macintosh has announced that Lucky Country will impose economic sanctions and bans on all petroleum imports and coal exports for the Democratic People’s Republic of Korelle (DPRK).
With this announcement, Lucky Country has joined at least five other nations announcing similar sanctions on the country embroiled in years of conflict with its neighbouring countries. The move is likely going to impact the already-impoverished DPRK, which has largely depended on fuel imports for its local economy.
United Nations experts said in key sections of a recently released report obtained on 10th May by LCNN that DPRK has also evaded sanctions through “targeted” cyber attacks against officials of 10 countries on the U.N. Security Council and on members of its expert panel. They did not elaborate or identify which of the 10 council nations were targeted.
In the report to the U.N. Security Council, the experts said DPRK has maintained its nuclear facilities and continues to produce fissile material, including highly enriched uranium, that can be used in nuclear weapons. It has also continued “to develop infrastructure and capacity for its ballistic missile program” and moved ahead on construction of an experimental light water reactor, they said.
CYBR7001 Assignment 1 5 Twitter Feeds
(Note: Do not post these fictitious tweets online) CYBR7001 Assignment 1 6 Part 2 – Case Study (50 marks)
In this part of the assignment, you will take on the role of Chief Information Security Officer (CISO) of Norsk Hydro when it was just struck by a cyber-attack.
Write an advisory (limited to 800 words) for the company’s senior management o Using the Lockheed Martin Cyber Kill Chain as a visual tool, detail the events which led to the cyber-attack. (5 marks) o Describe the actor(s), motivation(s) and vulnerabilities involved in this attack. (10 marks) o Recommended actions for the company. (10 marks) o In bullet point form, key things to note for a media press release to media companies. (10 marks) o Longer-term mitigation strategies for the company to prevent such attacks from happening again (hint: many strategies and approaches were described in the CYBR7001 lectures). (15 marks)
(Note that the word limit is strict. Exceeding the word limit may result in penalties).
