Question

A notification is received from a critical business partner and supplier. The supplier, a hardware manufacturer of constrained devices used in Ackme deployed infrastructure has been the target of a successful spear-phishing attack. The notification came as follows:

-------------------------
Mary L. White
Critical Infrastructure Hardware Co.
Sodor, UK
Date 14 December

CONFIDENTIAL PARTNER DISCLOSURE

Dear Valued Business Partner at H. Ackme Oil & Gas Company,

We regret to inform you that the Critical Infrastructure Hardware Co has experienced a breach. While the extent of the breach is still under investigation, we are aware that the point of entry was through a very smartly crafted spear-phishing attack. Unfortunately, administrators with root access were the target of this attack and deeper access was gained into our networks through privilege escalation and lateral movement exploits possible with the browsers and systems in use by these Administrators. Critical Infrastructure Provider Co. is still working to determine the extent of lateral movement within our network as the attack began 6 months ago and went undetected for 5 months.

In terms of impact to H. Ackme Oil & Gas Company, we suspect code may have been stolen for the device management interface and that it may have been compromised, adding a backdoor. The H. Ackme Oil & Gas Company likely received shipments between October and November that had been compromised. We believe the hardware impacted is limited to the Badger AMR line, firmware version 268, released June 19, 2019.

While steps are being taken to revert the firmware to a safe version and iterate the code to include expected updates, we advise our customers to roll back to what we believe is a safe version of firmware, version 246, released May 11, 2019.

We at Critical Infrastructure Co are taking this breach very seriously and are examining steps to better secure our network as well as our firmware and update process. Regrettably, supply chain controls are not yet in place. The device does not have a software root of trust or a hardware root of trust; however, we are examining best practices to integrate these features as well as ensuring the secure update of code from a trusted source in future versions. Additionally, attestation work has started but is not yet integrated into our products. Attestations would provide cryptographic evidence of expected device features and security measures for your control management as you integrate future versions into your infrastructure.

We would like to work closely with strong business partners like you and trust you will keep this in confidence as we work together to resolve the breach, as outlined in our executed exploit disclosure agreement. Individual customer briefings will be forthcoming from our Lead Cyber Threat Analyst, Jenna Thexpert, coordinated by your sales manager.

Sincerely,

Mary L. White
Chief Executive Officer
Critical Infrastructure Hardware Co.
+44 7823 123456

Post your response to all of the questions in the prompt below.

  1. Should Ackme continue to use CI Company as a supplier?
  2. Has other hardware, software, or data recording at the connection point been affected?
  3. Has lateral movement taken place within Ackme?
  4. Are measures in place to react to and/or prevent an incident like this from occurring in the future? What makes you say so?
  5. Does information need to be relayed to their customers? If so, what information needs to be relayed?
  6. Should this incident be reported to authorities - local and/or national? What are the regulations and laws about reporting?
