Enterprise Security Assignment 1


ITNET202A

Enterprise Security
Assignment 1

Asmita Koirala,
TAFE NSW | MEADOWBANK

Table of Contents
1. Introduction to Stuxnet
2. What Stuxnet does?
2.1 What Stuxnet does on access control?
2.2. What Stuxnet does on Crypto?
2.3. What Stuxnet does on Network security?
2.4. What Stuxnet does on Identity?
3. What is qualitative risk analysis?
3.1. Purpose of Qualitative risk analysis
3.2. Qualitative risk analysis on Iranian nuclear assessment
4. What is formal enterprise security architecture?
4.1. TOGAF
4.1.1. TOGAF business benefits
4.2. SABSA
4.2.1. Business benefits of SABSA
4.3. C4ISTAR
4.3.1. Benefits of C4ISTAR
5. Comparing different frameworks and choosing the best one
6. Charter Article 2(4) and UN Charter Article 51
6.1. Iran's response
7. Conclusion

1. Introduction to Stuxnet

Stuxnet is a very sophisticated computer worm, discovered in 2010, that exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not simply to infect PCs but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors.

2. What Stuxnet does?

Stuxnet specifically targets programmable logic controllers (PLCs). It functions by targeting machines using the Microsoft Windows OS and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet's design and architecture are not domain-specific, and it could be tailored as a platform for attacking modern supervisory control and data acquisition (SCADA) and PLC systems (e.g., in factory assembly lines or power plants), the majority of which reside in Europe, Japan and the United States. Stuxnet reportedly ruined almost one fifth of Iran's nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.

2.1 What Stuxnet does on access control?


Access control system security is the prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems. These control systems manage essential things like electricity, communication, transport systems, fuels and even nuclear projects. They rely on computers, networks, operating systems, applications, and programmable logic controllers, each of which might contain security vulnerabilities. As Stuxnet mainly targets programmable logic controllers, control systems can also be exploited by it. The United States and other governments have passed cyber-security regulations requiring increased protection for control systems operating critical infrastructure.

2.2. What Stuxnet does on Crypto?


A crypto system is a backbone of system security. Stuxnet targets PLCs, which are also a part of the crypto system.

2.3. What Stuxnet does on Network security?


Stuxnet is a worm that is usually introduced from a USB drive or another malicious external device and spreads over the network by exploiting zero-day vulnerabilities. Once it is inside the network, it can totally alter the functioning of the network. The network security of an enterprise can be at risk due to this worm.

2.4. What Stuxnet does on Identity?


Identity management is also a huge part of network security. Sharing credentials could be very risky. When it comes to Stuxnet, it can exploit the whole identity management system. No one should be allowed to share their credentials with anyone else. As Stuxnet targets Microsoft OS, and all the users and their credentials are also saved there, it can cause serious security hazards.

3. What is qualitative risk analysis?

Qualitative risk analysis is the process of assessing individual project risk characteristics (the probability of occurrence and the impact they might have on a project if they occur) against a scale.

The scale used for the analysis groups project risks into three or more classes according to their impact, such as low, medium and high. The risk can impact various project elements: budget, schedule, deliverables, scope or available resources. The probability may be evaluated using the same classes or expressed as a percentage (0% to 100%) or odds (0 to 1). The scale may be customised to suit organisational needs and then used across all projects inside a company for consistency.

In addition to assessing risks against a pre-defined scale, qualitative risk analysis may group them based on their source, like market risks or regulatory risks, or their effect, like causing delay or increasing costs.

3.1. Purpose of Qualitative risk analysis

The main purpose of qualitative risk analysis is to prioritise risks according to their likelihood and impact. A project may be exposed to a large number of different risks. It would be impractical for a project manager to spend time handling every single one of them, since in many cases the resources spent on mitigation can outweigh the risk impact. Evaluating the likelihood and the impact of potential project risks allows a project manager to rank risks and to focus on creating risk response strategies for the most important risks.

3.2. Qualitative risk analysis on Iranian nuclear assessment


The Iranian nuclear assessment had some flaws and risks. Here I have mentioned some risk factors.

3.2.1. Radiation

As we all know, working on nuclear assessment is very risky. Employees can easily become victims of cancer because of radiation in their workplace.

3.2.2. Natural calamities

We never know when a natural calamity is going to occur. Disasters like floods, landslides, earthquakes and tsunamis can destroy the whole workplace, which can lead to huge loss of life and property damage.

3.2.3. Kidnapping of employees


When it comes to nuclear research, it becomes an international matter. It is quite obvious that a rival country can kidnap people involved in such an assessment to get their secrets and plan its own country's nuclear programme more securely and better than its rivals.

3.2.4. Air attack

It is quite possible for a camp working on nuclear power to be attacked by air.

3.2.5. Cyber attack


This aspect of security is the one we are most concerned with. We can learn from the Stuxnet attack how powerful a cyber-attack can be. It not only damages the network part of the project but can also damage the physical aspects as well.
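
The scale-based scoring described in sections 3 to 3.2, as an added Python example that is not part of the original assignment. The likelihood and impact ratings, the source labels and the equal-thirds cut-offs are constructed for illustration; the code accepts likelihood as a class, a percentage or odds, rates each risk on a 3x3 matrix, and ranks and groups the five risks listed above.

```python
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # the three-class scale named in the text


def to_level(value):
    """Map a class name, a percentage string ('35%') or odds (0 to 1) to a level."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in LEVELS:
            return text
        if not text.endswith("%"):
            raise ValueError(f"unknown rating: {value!r}")
        value = float(text[:-1]) / 100.0
    odds = float(value)
    if not 0.0 <= odds <= 1.0:
        raise ValueError(f"likelihood out of range: {value!r}")
    # Assumed cut-offs: equal thirds. An organisation would set its own.
    return LEVELS[min(int(odds * 3), 2)]


@dataclass(frozen=True)
class Risk:
    name: str
    source: str         # grouping key: where the risk originates
    likelihood: object  # class name, "NN%" string, or odds between 0 and 1
    impact: str         # class name

    @property
    def score(self):
        # Position in the 3x3 matrix: 1 (low x low) up to 9 (high x high).
        return ((LEVELS.index(to_level(self.likelihood)) + 1)
                * (LEVELS.index(to_level(self.impact)) + 1))

    @property
    def rating(self):
        # Scores 1-2 are low, 3-4 medium, 6-9 high (5, 7, 8 cannot occur).
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def prioritise(risks):
    """Highest score first; ties broken by impact, then by name."""
    return sorted(risks, key=lambda r: (-r.score,
                                        -LEVELS.index(to_level(r.impact)),
                                        r.name))


def group_by_source(risks):
    """Cluster risk names by source, each cluster in priority order."""
    groups = defaultdict(list)
    for risk in prioritise(risks):
        groups[risk.source].append(risk.name)
    return dict(groups)


def needs_response(risks, threshold="high"):
    """Names of the risks rated at or above the threshold, in priority order."""
    floor = LEVELS.index(threshold)
    return [r.name for r in prioritise(risks) if LEVELS.index(r.rating) >= floor]


# Constructed ratings for the five risks of section 3.2 (illustrative only).
REGISTER = [
    Risk("Radiation", "workplace", "medium", "high"),
    Risk("Natural calamities", "environment", 0.10, "high"),
    Risk("Kidnapping of employees", "adversary", "15%", "medium"),
    Risk("Air attack", "adversary", 0.2, "high"),
    Risk("Cyber attack", "adversary", "70%", "high"),
]

if __name__ == "__main__":
    for risk in prioritise(REGISTER):
        print(f"{risk.rating:<6} {risk.score}  {risk.name} ({risk.source})")
    print("respond first:", needs_response(REGISTER))
```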

4. What is formal enterprise security architecture?

Security architecture is a unified security design that addresses the necessities and potential risks involved in a particular scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.

In security architecture, the design principles are reported clearly, and in-depth security control specifications are generally documented in independent documents. System architecture can be viewed as a design that includes a structure and addresses the connection between the components of that structure.

I discuss some formal enterprise security architecture frameworks below.

4.1. TOGAF

The Open Group Architecture Framework (TOGAF) is an enterprise architecture methodology that offers a high-level framework for enterprise software development. TOGAF organises the development process through a systematic approach aimed at reducing errors, maintaining timelines, staying on budget and aligning IT with business units to deliver quality results.

Like other IT management frameworks, TOGAF enables organisations to align IT goals with overall business goals, while organising cross-departmental IT efforts. TOGAF enables organisations to define and organise requirements before a project begins, keeping the process moving quickly with few errors.

The Open Group states that TOGAF is intended to:
• Ensure everybody speaks the same language
• Avoid lock-in to proprietary solutions by standardising on open methods for enterprise architecture
• Save time and money, and use resources more effectively
• Achieve demonstrable ROI

4.1.1. TOGAF business benefits

TOGAF enables organisations to implement software technology in a structured and organised way, with an emphasis on governance and meeting business objectives. Software development depends on collaboration between multiple departments and business units both inside and outside of IT, and TOGAF helps address any issues around getting key stakeholders in agreement.

TOGAF is intended to help create a systematic approach to streamline the development process so that it can be replicated, with as few errors or problems as possible as each phase of development changes hands. By creating a common language that bridges gaps between IT and the business side, it brings clarity to everybody involved. It is an extensive document, but we don't have to adopt all aspects of TOGAF. Organisations are better off evaluating their needs to determine which parts of the framework to focus on.

4.2. SABSA
SABSA is both a framework and a methodology for ensuring that the right physical and information security controls required to execute an organisation's strategy are applied in the right places at the right time with appropriate levels of cost. It was initially developed by John Sherwood in 1995 to demonstrate that it was possible to create a physical and technology architecture that could meet the SWIFT interbank transaction system's goal of giving $1 billion guarantees that each transaction would be securely executed.

SABSA is a methodology for developing enterprise-wide security architectures over the full range of business activities, including information security, business continuity and physical and environmental security.

The Open Group states that SABSA is intended to:
• SABSA IPR is owned, governed and protected by The SABSA Institute.
• The SABSA framework is not related to any IT solutions supplier or other kind of supplier and is completely vendor-neutral.
• The SABSA framework is scalable, that is, it can be introduced in a small scope and then rolled out to subsequent areas and systems, and thus implemented incrementally.
• The SABSA framework may be used in any industry sector and in any organisation whether privately or publicly owned, including commercial, industrial, government, military or charitable organisations.
• The SABSA framework can be used for the development of architectures and solutions at any level of granularity of scope, from a project of limited scope to an entire enterprise architectural framework.

The SABSA framework is continually maintained and developed, and up-to-date versions are published from time to time.

In its broadest application, SABSA security architectures address all of the requirements of operational risk management. However, most of the current SABSA literature and materials, including the 2009 white paper, are geared primarily towards the security, risk management and assurance of business information systems as a major part of the overall enterprise-wide security and risk management scope.

4.2.1. Business benefits of SABSA

SABSA is a proven methodology for developing business-driven, risk and opportunity focused Security Architectures at both enterprise and solutions level that traceably support business objectives.

It is also widely used for Information Assurance Architectures, Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks.

The SABSA framework and methodology is used successfully around the world to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management. SABSA has evolved since 1995 to be the 'approach of choice' for organisations in 50 countries and in sectors as diverse as Banking, Homeless Management, Nuclear Power, Information Services, Communications Technology, Manufacturing and Government.

SABSA ensures that the needs of our Enterprise are met completely and that security services are designed, delivered and supported as an integral part of our business and IT management infrastructure. Although copyright protected, SABSA is an open-use methodology, not a commercial product.

4.3. C4ISTAR
There is a buffet of acronyms and jargon that project managers in the defence sector must familiarise themselves with. Today, one of the most important and far-reaching terms relating to military information systems is C4ISR.

C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) is a broad term that refers to "frameworks, strategies and methods used to gather and disperse data". Each of these is a field of expertise unto itself, but they work synergistically to provide war fighters and decision makers with actionable information to help them do their jobs.

C4ISR is ultimately about increasing Situational Awareness, giving decision makers the information they need as fast as possible, and using the right materials, equipment, and systems to make that happen. All of the components of C4ISR MUST work together smoothly for a mission to succeed. It is the bedrock of any mission, and a fault in any link in the chain can have serious, even deadly consequences.

4.3.1. Benefits of C4ISTAR

C4ISTAR systems take on this formidable task through the integration of systems. To ensure that military operations can be conducted successfully, existing and future systems must be able to exchange information efficiently. Since this is such a critical task, integration requires innovative thinking, as it presents many risks and problems. To ensure the desired system interoperability can be achieved, several different technologies will all be necessary. These systems can be customised to fit the exact specifications of the particular system they are to be integrated with.

Above all, any C4ISTAR system will have mission planning, control and monitoring systems. This is essential for battle management operations. It is interesting to see that, with the emergence of the concept of "shared responsibility", world governments are reducing spending on military hardware and are increasing their investment in IT infrastructure and related military operations. A trend has been observed where hardware investments are directed towards equipping individual soldiers and military units with integrated Soldier Systems. On the command side of the operation, on the other hand, higher emphasis is placed on communications systems, radio software, defence logistics and information infrastructure.

C4ISTAR systems often provide secure data communication systems to be used on public networks. This is a more budget-friendly alternative when compared to the costs inherent in developing and setting up C4I systems, that is, Command, Control, Communications, Computers and (Military) Intelligence systems. These systems display the secure data transmitted to operators using state-of-the-art techniques, including graph animation and concise charts.

5. Comparing different frameworks and choosing the best one

The primary objective of enterprise architecture is to enable business development based on the current findings on the operation of our business. However, we cannot do business unless we understand that business itself is also about managing risks at reasonable and available opportunities. To manage this process successfully we need a systematic, reliable and effective way to integrate the management of risks and opportunities into our architecture. Participants will learn how to successfully combine proven concepts and techniques from the scope of SABSA within the TOGAF framework. Businesses can then ensure they create an Enterprise Security Architecture (ESA) designed to manage risk and acquisition opportunities.

SABSA is a Zachman-like architecture method. It is described as a security architecture method, but it takes a broad view of security architecture. Indeed, it covers a whole variety of availability, usability and agility issues, to the point where it addresses the complete set of non-functional requirements.

SABSA, being based on Zachman, organises a security architecture into a 6*6 matrix of views and aspects. The views roughly correspond to stages of a development lifecycle and the aspects correspond to security elements, for example users or domains.

TOGAF is somewhat simpler than SABSA/Zachman; essentially it has a 4*4 matrix. Views such as design and operation are not covered, nor is the element of time. At present, TOGAF does not give much specific guidance on how to address security issues (though there are initiatives in place to redress this). TOGAF can be considered as a subset of SABSA/Zachman.

Which should we use? Well, SABSA has a broader scope but it is very heavyweight. Although I admire the completeness of vision of SABSA, I can't see real-world organisations making full use of it, especially in the present economic climate. TOGAF, on the other hand, is closer to the way real-world architects work but lacks specific security guidance.

There's an excellent book on SABSA which is worth reading even if you don't intend to use the method. It's particularly valuable IMO for helping architects to understand the importance of non-functional requirements.

As an aside, I have documented a TOGAF-based approach to security architecture that could be considered as SABSA-lite.

6. Charter Article 2(4) and UN Charter Article 51

In our case, UN Charter Article 2(4) and UN Charter Article 51 will help us to some extent. I have mentioned them below.

UN Charter Article 2(4)
1. Membership in the United Nations is open to all other peace-loving states which accept the obligations contained in the present Charter and, in the judgment of the Organization, are able and willing to carry out these obligations.
2. The admission of any such state to membership in the United Nations will be effected by a decision of the General Assembly upon the recommendation of the Security Council.

UN Charter Article 51
Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

Acts that kill or injure people or destroy or damage objects are unambiguously "employments of power" and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by a group of independent legal experts at the request of NATO's Cooperative Cyber Defence Centre of Excellence in Estonia.

Acts of force are prohibited under the United Nations charter, except when done in self-defence, Michael Schmitt, professor of international law at the U.S. Naval War College in Rhode Island and lead author of the study, told the Washington Times.

6.1. Iran's response

The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran met in the previous week to discuss how Stuxnet could be removed from their systems. According to analysts such as David Albright, Western intelligence agencies had been attempting to sabotage the Iranian nuclear program for some time.

The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet, and the state-run daily newspaper Iran Daily quoted Reza Taghipour, Iran's telecommunications minister, as saying that it had not caused "genuine harm to government systems". The Director of Information Technology Council at the Iranian Ministry of Industries and Mines, Mahmud Liaii, has said that: "An electronic war has been propelled against Iran... This PC worm is intended to exchange information about creation lines from our mechanical plants to areas outside Iran."

In response to the infection, Iran assembled a team to combat it. With more than 30,000 IP addresses affected in Iran, an official said that the infection was spreading fast in Iran and the problem had been compounded by the ability of Stuxnet to mutate. Iran had set up its own systems to clean up infections and had advised against using the Siemens SCADA antivirus since it is suspected that the antivirus was actually embedded with code which updates Stuxnet instead of eradicating it.

According to Hamid Alipour, deputy head of Iran's government Information Technology Company, "The assault is as yet progressing and new forms of this infection are spreading." He reported that his company had started the clean-up process at Iran's "delicate focuses and organizations." "We had foreseen that we could find the infection inside one to two months, yet the infection isn't steady, and since we began the clean-up procedure three new forms of it have been spreading", he told the Islamic Republic News Agency on 27 September 2010.

7. Conclusion
It is critical to protect our OT to prevent cybercriminals from poking through, but remember to secure IT as well. It is equally important to secure all IoT devices throughout the design phase. If IT professionals can learn from history, they can prevent a catastrophic incident like Stuxnet from happening to their organisations.
