AP Cybersecurity Unit 3 Lesson 2 Exercise 2


Exercise 2 — Network Attack Scenario Analysis

3 parts, 24 points — Analyze attacks and recommend defenses for Meridian Energy Grid

Client Organization
Meridian Energy Grid

Meridian Energy Grid is a regional utility company providing electricity to 2.3 million customers across four states. The company operates SCADA (Supervisory Control and Data Acquisition) systems that monitor and control power substations remotely. Meridian’s IT infrastructure includes a corporate network, an isolated operational technology (OT) network for SCADA, and a customer-facing web portal for billing and outage reporting.

Part 1
Incident: Customer Portal Outage During Storm Season
During a major ice storm affecting 400,000 customers, Meridian’s outage reporting portal becomes completely unresponsive. The SOC identifies 8 million HTTP requests per second from 120,000 unique IP addresses. Meanwhile, customers cannot report downed power lines or check restoration estimates. Meridian’s emergency call center is overwhelmed.
8 points
1a. Identify the specific attack type and explain why the timing is strategically significant.
Key terms: timing, emergency, distraction, maximum impact, overwhelm, critical infrastructure, safety
1b. Recommend two specific technical countermeasures that would mitigate this attack while maintaining portal availability for legitimate customers.
Key terms: CDN, rate limiting, WAF, cloud-based, scrubbing, geographic filtering, capacity, failover
Model Response: This is a DDoS attack (120K distributed IPs). The timing during an ice storm is strategically devastating because: (1) customers critically depend on the portal to report emergencies like downed power lines, turning a service disruption into a potential safety hazard; (2) the SOC is already stretched thin responding to the storm, reducing their capacity to handle a simultaneous cyberattack. Countermeasures: (1) Deploy a cloud-based DDoS scrubbing service (e.g., Cloudflare, Akamai) that filters malicious traffic before it reaches Meridian’s servers. (2) Implement rate limiting with geographic and behavioral analysis to distinguish legitimate storm-affected customers from bot traffic.
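Added example (not part of the original exercise) of the rate-limiting half of the recommended countermeasure: a per-IP sliding-window limiter run over constructed request records, showing a storm-affected customer's handful of requests passing while a flood source is throttled after its first 20. The limit and window values and all IP addresses are assumptions for illustration.

```python
from collections import defaultdict, deque


def rate_limit(requests, limit=20, window=10.0):
    """Sliding-window limiter: at most `limit` requests per source IP in any
    `window` seconds. `requests` is an iterable of (ts_seconds, ip, path)
    in time order. Returns a list of (ts, ip, path, allowed)."""
    history = defaultdict(deque)  # ip -> timestamps of recently allowed requests
    decisions = []
    for ts, ip, path in requests:
        q = history[ip]
        while q and ts - q[0] >= window:  # expire entries outside the window
            q.popleft()
        allowed = len(q) < limit
        if allowed:
            q.append(ts)
        decisions.append((ts, ip, path, allowed))
    return decisions


def summarize(decisions):
    """Per-IP (allowed, blocked) counts."""
    stats = defaultdict(lambda: [0, 0])
    for _, ip, _, allowed in decisions:
        stats[ip][0 if allowed else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed sample traffic (not real Meridian logs): a storm-affected customer
# filing one outage report and polling status a few times, and one flood source
# sending 100 requests within a second.
CUSTOMER = [(t, "198.51.100.7", "/outage/report") for t in (0.0, 2.5, 4.0, 30.0, 31.0)]
FLOOD = [(0.5 + i * 0.01, "203.0.113.9", "/") for i in range(100)]


def run_sample():
    """Apply the limiter to the merged sample and return per-IP counts."""
    return summarize(rate_limit(sorted(CUSTOMER + FLOOD)))


if __name__ == "__main__":
    for ip, (ok, blocked) in run_sample().items():
        print(f"{ip}: allowed={ok} blocked={blocked}")
```

In a real deployment this logic runs at the CDN or scrubbing edge, in front of the portal, so the origin never sees the blocked requests.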
Part 2
Incident: Suspicious Traffic on the OT Network
A SCADA engineer notices that commands sent to Substation 7 are arriving with a 200ms delay that was not present last week. Network analysis reveals that all traffic between the control center and the substation is routing through an unregistered device with MAC address FA:KE:DE:VI:CE:01. The ARP table on the control center workstation shows this MAC mapped to the substation’s IP address.
8 points
2a. Identify the attack technique and explain the specific evidence that confirms your classification.
Key terms: ARP table, MAC address, gateway IP, forged reply, redirect, delay, unregistered device, Layer 2
2b. Explain why this attack on a SCADA/OT network is more dangerous than the same attack on a corporate IT network. (2–3 sentences)
Key terms: physical, safety, power grid, real-world, modify commands, substation, critical infrastructure, cascading
Model Response: This is ARP poisoning enabling a MitM position. Evidence: (1) The ARP table shows an unregistered MAC (FA:KE:DE:VI:CE:01) mapped to the substation’s IP — classic forged ARP reply signature. (2) The 200ms latency increase indicates traffic is being routed through an intermediary device (the attacker), not traveling directly. (3) The device is unregistered, confirming it is unauthorized. On a SCADA/OT network, this is far more dangerous than on a corporate IT network because the attacker could modify commands sent to the substation — potentially opening or closing breakers, altering voltage levels, or disabling safety systems. This could cause physical damage to equipment, trigger cascading power outages, or endanger lineworkers and the public.
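Added example, not from the original exercise: a small audit that parses an `arp -n` style table from the control-center workstation and flags the two signatures the model response describes, a critical IP answered by an unregistered MAC and one MAC answering for several IPs. The IP addresses, the registered inventory and the table contents are constructed; only the unregistered MAC is taken from the scenario.

```python
import re

# Registered inventory for critical OT hosts (constructed values, not Meridian's).
REGISTERED = {
    "10.20.7.10": "00:1b:1c:aa:bb:07",  # Substation 7 RTU
    "10.20.7.1": "00:1b:1c:aa:bb:01",   # control-center gateway
    "10.20.8.10": "00:1b:1c:aa:bb:08",  # Substation 8 RTU
}
ARP_ROW = re.compile(r"^(\S+)\s+ether\s+(\S+)\s+")  # 'arp -n' rows: ip, ether, mac, ...


def parse_arp(text):
    """Parse 'arp -n' output into {ip: mac}; header and non-ether rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def audit_arp(table, registered):
    """Return (severity, subject, message) findings for two poisoning signatures:
    a critical IP answered by a MAC other than its registered one, and one MAC
    answering for several IPs (the intermediary sits between those hosts)."""
    findings = []
    for ip, mac in table.items():
        expected = registered.get(ip)
        if expected and mac != expected.lower():
            findings.append(("high", ip, f"unregistered MAC {mac}, expected {expected}"))
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("high", ",".join(sorted(ips)), f"MAC {mac} claims several IPs"))
    return findings


# Constructed ARP table as seen on the control-center workstation in the scenario.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.20.7.10               ether   FA:KE:DE:VI:CE:01   C                     eth0
10.20.7.1                ether   FA:KE:DE:VI:CE:01   C                     eth0
10.20.8.10               ether   00:1b:1c:aa:bb:08   C                     eth0
"""

if __name__ == "__main__":
    for sev, subject, msg in audit_arp(parse_arp(SAMPLE_ARP), REGISTERED):
        print(f"[{sev}] {subject}: {msg}")
```

A router that legitimately owns several addresses on the segment would also trip the second check, so such hosts belong in an allowlist before this runs on a schedule.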
Part 3
Incident: Customer Credential Theft via DNS Redirect
Meridian’s customer support team receives 200+ calls from customers who say they paid their bill online but never received a confirmation. Investigation reveals that the DNS cache at a major regional ISP was poisoned to redirect pay.meridianenergy.com to a server in a foreign country. The fake payment page collected usernames, passwords, and credit card numbers. The fake site used HTTPS with a certificate issued to pay-meridianenergy.com (note the hyphen).
8 points
3a. Classify this attack and explain why HTTPS alone did not protect customers. (2–3 sentences)
Key terms: DNS cache poisoning, redirect, certificate, different domain, HTTPS, encrypt, legitimate, verify, padlock
3b. Recommend two actions Meridian should take: one to protect their DNS infrastructure, and one to help customers verify they are on the legitimate site.
Key terms: DNSSEC, EV certificate, domain monitoring, HSTS, bookmark, notify, two-factor, out-of-band
Model Response: This is a DNS cache poisoning attack. HTTPS did not protect customers because the attacker obtained a valid TLS certificate for a different but similar-looking domain (pay-meridianenergy.com vs. pay.meridianenergy.com). HTTPS only verifies that the connection is encrypted to the domain in the certificate — it does not verify that the domain is the correct one. The padlock icon gave customers a false sense of security. DNS protection: Implement DNSSEC (DNS Security Extensions) to cryptographically sign DNS records, preventing cache poisoning. Customer protection: Deploy Extended Validation (EV) certificates on the real payment portal and educate customers to check for the full organization name in the certificate, or implement HSTS preloading to prevent browsers from ever connecting to the payment domain over an insecure channel.
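Added example, not from the original exercise, of the domain-monitoring action listed in the key terms: generating lookalike names for pay.meridianenergy.com and checking a constructed feed of newly observed certificate names against them, which surfaces pay-meridianenergy.com as soon as a certificate for it appears. The homoglyph table and the observed names are assumptions.

```python
# Small homoglyph/digit substitution table (constructed; real monitors use larger sets).
HOMOGLYPHS = {"i": "l1", "l": "i1", "o": "0", "e": "3", "a": "4", "s": "5"}


def lookalikes(domain):
    """Return the set of lookalike names for `domain` built from dot/hyphen swap,
    dropped dot, single-character omission, adjacent transposition and homoglyph
    substitution. The top-level label is left untouched."""
    name, tld = domain.lower().rsplit(".", 1)   # "pay.meridianenergy", "com"
    out = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        if ch == ".":
            out.add(f"{head}-{tail}.{tld}")       # pay-meridianenergy.com
            out.add(f"{head}{tail}.{tld}")        # paymeridianenergy.com
            continue
        out.add(f"{head}{tail}.{tld}")            # omission: pay.meridianenery.com
        for sub in HOMOGLYPHS.get(ch, ""):
            out.add(f"{head}{sub}{tail}.{tld}")   # homoglyph: pay.meridlanenergy.com
        nxt = name[i + 1:i + 2]
        if nxt and nxt != "." and nxt != ch:
            out.add(f"{head}{nxt}{ch}{name[i + 2:]}.{tld}")  # transposition
    out.discard(domain.lower())
    return out


def monitor(domain, observed_names):
    """Flag observed names (e.g. from certificate transparency logs or new
    registrations) that are lookalikes of `domain`."""
    suspects = lookalikes(domain)
    return sorted({n.lower() for n in observed_names if n.lower() in suspects})


# Constructed feed of newly seen certificate names; not real CT data.
OBSERVED = [
    "pay-meridianenergy.com",   # the certificate from the scenario
    "pay.meridianenergy.com",   # Meridian's own portal, must not be flagged
    "pay.meridlanenergy.com",   # i -> l homoglyph
    "meridianenergy.net",
    "api.example.org",
]

if __name__ == "__main__":
    for hit in monitor("pay.meridianenergy.com", OBSERVED):
        print("lookalike observed:", hit)
```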
AP Cybersecurity 3.2 Exercise 2 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.