Description
Project 3
The United States’ critical infrastructure?power, water, oil and natural
gas, military systems, financial systems?have become the target of
cyber and physical attacks as more critical infrastructure systems are
integrated with the internet and other digital controls systems. The
lesson learned in mitigating and defending against cyberattacks is that
no entity can prevent or resolve cyberattacks on its own. Collaboration
and information sharing are key for success and survival.
This is a group exercise, representing collaboration across all sectors to
support and defend US critical infrastructure. In the working world, a
team like this would include agencies, industrial partners, and private
sector corporations. Each organization has different strengths and
skills, different access to information, and different authorities to report
to. When the sectors work together and share resources and skills, the
result is that everyone benefits from the defense and protection of US
IT infrastructure.
In your teams, you can model the same collaboration, leveraging each
other’s expertise, sharing each other’s knowledge, and teaching each
other. This will include providing contributions specific to your role in
the scenario:
?
?
Law Enforcement Representative, special task in Step 4
Intelligence Agency Representative, special task in Step 5
There are seven steps that will help you create
your final deliverables. The deliverables for this
project are as follows:
1. Security Assessment Report (SAR): This report should be a 10
pages double-spaced Word document with citations in APA
format. The page count does not include figures, diagrams,
tables, or citations.
2. After Action Report (AAR): This report should be a 10- to 15-page
double-spaced Word document with citations in APA format. The
page count does not include figures, diagrams, tables, or
citations.
3. Presentation: This should be a five- to eight-slide PowerPoint
presentation for executives, along with a narrated or in-class
presentation, summarizing your SAR and AAR reports.
1
Security Assessment Report (SAR) and Risk Assessment Report (RAR) of Data Breach at
the US Office of Personnel Management (OPM)
Loubna Idrissi
University of Maryland Global Campus
February 5, 2022
2
Security Assessment Report (SAR) and Risk Assessment Report (RAR) of Data Breach at
the US Office of Personnel Management (OPM)
1. Security Assessment Report (SAR)
Executive Summary
This document presents a security assessment report (SAR) for the United States (US)
Office of Personnel Management (OPM) following the 2015 data breach on the information
system. The SAR is also composed of results of the comprehensive security evaluation and test
of the OPM system. It is known that the US OPM data breach was the largest in the history of
the country?s government, as reported in the audit made by the Office of the Inspector General
(OIG). This assessment report helps to realize the possible causes of the data breach, what ought
to be done, and what should be done to prevent such occurrences in the future. Specifically, this
SAR describes the risks related to the vulnerabilities identified during the OIG?s audit. The
report further acts as the risk summary report to offer guidance for the Risk Management
Framework to the Federal Information Systems. To achieve this, the report is divided into
various components, including the name and the date of the threat, a vulnerability assessment, a
detailed threat description including the affected systems, and an existing plan to counter the
threat in the future.
The Name and the Date of the Threat
The threat is referred to as a data breach at the US OPM. The data breach occurred on
June 4, 2015 (Lin, 2018). On this date, it was revealed that cyber instruction had a significant
impact on the data and information technology systems. The cyber intrusion had a potential
impact that compromised the personal information of more than 4.2 million employees at the US
OPM, both current and former employees (Lin, 2018). Additionally, the data breach also
3
compromised almost 21.5 million people (Lin, 2018). Such a historic occurrence had its weak
points and vulnerabilities of the information system, which is the focus of this SAR.
The Assessment Overview
The SAR is one of the essential documents for every information system. Indeed, Broad
(2013) reported that SAR is a key document for common control set or authentication package.
This is because SAR gives an accurate reflection of the results of security control assessment for
authorization of the system and official owner. Therefore, it is expected that this approach will
provide an elaborative insight into what happened and how the risk could have been averted.
The data breach on OPM happened on June 4, 2015, exposing sensitive individual
information discussed herein. The OPM later, in the month, indicated that there was another
cyber incident that targeted the office?s databases with background investigation records (Lin,
2018). Following the data breach and the later threat, there had been critics that the response
agency was ineffective in addressing the security systems’ intrusion and protection. This
criticism caused Katherine Archuleta to step down as the OPM?s director, with Beth Cobert
taking over the role of the director (Lin, 2018). However, everyone in the organization
understood better how the data breach transpired.
Various methods and tools were used to help in understanding how information
technology (IT) experts explored the threats. One of the methods and tools used was Electronic
Questionnaires to apply investigations processing (e QIP). This system was designed to help
process different forms used to conduct background investigations (Lin, 2018). The
investigations were further taken offline to allow for secure information gathering. Officials
continued to investigate the possible actors behind the breaches and the possible motivations for
the search to launch an attack on the system.
4
Additionally, theft of personally identifiable information (PII) was further used for
financially motivated cybercrime and identity theft (Lin, 2018). Further exploration of the data
threats revealed a controversy on the reasons behind the data breach in the organization. For
instance, it is shown that there have been speculations that OPM data breach was for espionage
and not criminal-based (Esser, 2019). Nonetheless, some critics have considered China the
primary source of the violations. It then remains unclear how the data from OPM were going to
be used, not that they were in the hands of the Chinese Government if the argument that the
Chinese actors are the ones who perpetrated the data breach. However, it is possible to
understand more through a deeper analysis of what happened during the data insecurity at OPM.
Vulnerability Analysis
Vulnerability analysis is an imperative component of SAR since it helps identify the
organization’s strength before a data breach. The OPM management stated that they used to
perform vulnerability scans to their information system, including all computer servers (Esser,
2019). The organization mainly used automated scanning tools to assess the system’s
vulnerability. Despite the determination of OPM to perform scanning of the system, the OIG?s
audit indicated that some of the scans were correctly performed while some servers were not
scanned at all (Esser, 2019). This was a significant point for system vulnerability.
It is also indicated that OPM did not have energy metering in all data centers.
Consequently, the OPM?s process of collecting data on power usage from the data centers was
not adequately defined (Esser, 2019). The common data collection methods were manual, while
other methods included estimation. The lack of advanced metering tools exposed the
organization to various vulnerabilities to data breaches. This is because it was almost impossible
for the OPM to visualize the challenge and, hence, not possible to address it. The inability of
5
OPM to maintain automated power metering at the data centers and the associated lack of data
increased the risk of inefficiently using agency sources (Esser, 2019). In addition, this impaired
the ability of the organization?s officials to plan for data management and security effectively. It
can then be concluded that OPM?s vulnerability was high and hence the risks of a data breach,
which finally manifested in 2015.
Description of the Threat and the Systems Affected
The description of the threat and the analysis of the systems affected is another essential
part of the SAR necessary to improve the organization?s data security. The data breach at OPM
involved the check records of about 21.5 million people (West & Zentner, 2020). The OPM
labeled the incidence as infiltration by Hacker X1. Another incident was also reported later in
2015 where more than 4.2 million records of individuals (including current and former
employees) got stolen (West & Zentner, 2020). The OPM labeled this second data breach
incidence as Hacker X2. The assumption is that both Hacker X1 and Hacker X2 worked
together. The two types of data breaches were characterized by illegal access to highly
confidential information, 5.6 records of fingerprints, and social security numbers (SSNs) (West
& Zentner, 2020). Nonetheless, this was not the first time that the organization was experiencing
cyberattacks.
The OPM detected an intrusion into their information system in 2013. According to West
and Zentner (2020), cybercriminals initially entered into OPM?s network in November 2013.
However, the first hack was discovered in 2014 (West & Zentner, 2020). The officials at OPM
did not announce the threat and the possible risks associated with the attacks. This is because the
officials believed that the hack was on the network section that did not contain personal data.
6
After the IT staffers discovered the big data breach in April 2015, the executives of OPM
resigned as per the Congressional investigation.
The tragedy in OPM?s data breach is that it is still unclear and unknown how the hackers
entered the organization?s information system. Despite Hacker X1 entering the network, Hacker
X2 still entered the system as the OPM security team tried to remove the first attack from the
system (West & Zentner, 2020). Furthermore, Hacker X2 was freely moving into the system
without being noticed. Hacker X2 happened just after Hacker X1 tried to create a valid log-in on
the Keypoint Web server as if it were an OPM contractor doing background checks (West &
Zentner, 2020). The possibility of creating these credentials is because the system did not have
multi-factor authentication. Therefore, the attackers could log in to the pivot through the system
and finally exfiltrate data. Furthermore, the Congressional investigation realized that the security
management at OPM had a lax security posture characterized by lacking two-factor
authentication coupled with inadequate technologies for data security (West & Zentner, 2020).
This created a loophole for the attackers to extract data by creating a domain referred to as
opmlearning.org. Subsequently, the attackers could successfully install malware into the
Keypoint web server at the organization (Fruhlinger, 2020). The malware helped the attackers
exfiltrate personal records, which was witnessed in December 2014. The attackers went ahead to
create the domain wdc-news-post.com, which they used as a command-and-control center,
allowing them to exfiltrate records of fingerprints by various individuals that used the system.
Essentially, the data breach affected various parts of the organization. Apparently, the
employees, both current and former ones, were affected by the data breach. This is because there
was an intrusion and compromising of their individual data (Lin, 2018). Additionally, the data
breach affected 21.5 million individuals (Lin, 2018). Specific to the employees, most top
7
management, such as the director, resigned from the job. The data breach also affected the
organization?s system since it was rendered weak and highly vulnerable to any potential risk in
the organization. The country was also affected as a whole. This is because it was unknown if the
hackers from China knew what the Chinese government was planning to do with the stolen data.
Plan to Correct the Threat
The organization has been determined to correct the cyber threat it experienced. The
OPM security officials were determined to remove the Hacker X1 from the network, even if X2
entered and was roaming without notice (DeCapua, 2021). This demonstrates that the
management was determined to make the system clean and free from possible hackers. At least
success in the security management of OPM can be noticed since they could detect Hacker X2
on April 15, 2015, as a security engineer investigated the encrypted SSL traffic on the networks
associated with OPM. The researcher detected a ping that looked like a beacon that connected a
component on the infrastructure referred to as mcutil.dll to opmsecurity.org. It can then be stated
that OPM largely depends on investigations and assessment of the system to determine the
existence of cyber threats then eliminate them.
OPM also plans to correct the threat by following the placed guidance. The management
stated that they agree that OPM needs to follow the NIST SP 800-60 and SP 800-18 guidance for
categorizing its central information systems (Esser, 2019). The essence of following the guidance
is that they help provide additional language specific to General Support System (GSS).
According to NIST SP 800-18, ?a general support system can have a FIPS 199 impact level of
low, moderate, or high in its security categorization depending on the criticality or sensitivity of
the system and any major applications the general support system is supporting? (Esser, 2019).
On the other hand, NIST SP 800-60 volume 1 explains the essentiality of using a high watermark
8
in determining the categorization of GSS (Esser, 2019). This guidance states that since networks
and other GSSs do not inherently own management and support based on mission, the
categorization of the infrastructure depends on the aggregation of its security categorization. This
means that the categorization of the security infrastructure is the high-water mark of the
supported information systems, and it is based on the types of information being processed,
stored, and flowed. These two guidelines are the current plan to correct the threat. Therefore,
OPM should consider categorizing its Macon GSS as a high system and conduct a gap analysis
to verify that additional controls exist as required for the high system. Most of these steps are
derived from the challenges and the loopholes that led to the data breach.
Results and Recommendations
The OIG?s audit presented numerous results from the ?big bang.? One of the main
findings is that the OPM had weak authentication mechanisms (Esser, 2019). As discussed, the
OPM did not have two-factor or multi-factor authentication mechanisms to its system. This made
it easy for the intruders to get to the organization?s network and manipulate the security data as
with the data breach. The possible solution to this challenge is that OPM should have developed
a multi-factor authentication method.
The second results are a preliminary plan for managing the information systems life
cycle. There was also no management of the configuration of the management and strategies for
change management. Additionally, the OPM did not use inventory servers, systems, network
devices, and databases. Mature tools for vulnerability scanning were also lacking in the system.
Furthermore, there was no valid authorization for most systems. Lastly, the OIG?s audit report
found that OPM did not have plans of action that could help to remedy the findings of previous
9
audits (Esser, 2019). To address these issues, it was essential for the OPM management to
establish what has been lacking in its information system management.
The data breach at the US OPM also had significant business impacts. The Obama
administration stated that the massive theft of federal employee data could cost the taxpayers of
America $20 million (DeCapua, 2021). Likewise, the OPM stated that as a way of responding to
the data breach, it contracted with CSID to help offer services to former and current federal
workers whose personal information was stolen (DeCapua, 2021). Although the benefits could
be free for the Federal workers, they were not accessible for the taxpayers. The OPM was to pay
more than $20.7 million for the services designated as ?call I? within the contract (DeCapua,
2021). Such services consisted of sending 2.1 million emails to the employees who had been
affected in addition to 1.1 million letters plus support at a call center.
Conclusion and Recommendations
The data breach at the OPM in 2015 was one of the most significant challenges that the
US government ever experienced. It remained in the country?s history that hackers could
maneuver through the system without getting noticed. As the security personnel was busy
eliminating Hacker X1 from the network, Hacker X2 was within the system and not noticeable.
Nonetheless, the security team could detect Hacker X2 as a bit of an achievement. The leading
causes of the problem are that OPM lacked effective scanning and management tool for the
system. The multi-factor authentication method was one of these essential tools and systems that
OPM lacked. Therefore, OPM should establish a robust multi-factor authentication method while
enhancing mature monitoring tools. Furthermore, it is also recommended that OPM use NIST SP
800-18 and SP 800-60 to categorize its data, allowing easier monitoring.
2. Risk Assessment Report (RAR)
10
Executive Summary
In addition to SAR, Risk Assessment Report (RAR) is also a crucial tool that can help
understand how OPM landed into the big problem of the historic data breach in 2015. The
purpose of this analysis is to evaluate the US OPM compliance with reporting for the Federal
Information Technology Reform Act on the requirements for the Data Center Optimization
Initiative. This assessment also looks at the possible risks in the information security controls
and documentation for the support systems of OPM. The scope of this assessment is based on
OIG?s audit findings in terms of OPM?s compliance with DCOI to ensure that the agency’s
efforts meet the requirement of the US OPM and budget. The assessment also looks at the
security controls of various systems in meeting the standards set for information technology (IT)
security management. This RAR essentially presents the steps for the assessment, risk findings,
and security plans and strategy.
Assessment Steps
Like a security assessment report, a risk assessment report is also one of the best and
most effective methods in analyzing the risks leading to an event. Risk assessment has developed
over the years, coming with different methods for risk assessment (Yan & Xu, 2018). The most
common risk assessment methods include event tree analysis (ETA), fault tree analysis (FTA),
preliminary hazard analysis (PHA), failure model effect criticality analysis (HAZOP), and more.
In this RAR, the most suitable method used is HAZOP. This is because the risk assessment is
based on what had happened in the organization, the effects caused by the risk, and the failure
that followed after that.
The first step in the risk assessment was to examine the initiatives taken by OPM for data
center optimization and compliance with OMB M-16-19. This step was based on the
11
requirements of this guidance. According to OMB M-16-19, agencies are required to annually
create and post their strategic plans online that meet the DCOI requirement (Esser, 2019). Such a
plan must consist of planned and achieved performance levels by year, closures, an explanation
for optimization metrics and closures where the agency did not meet the planned level, and
yearly calculations for the target (Esser, 2019). This helped in determining how the organization
was exposed to risks.
The next step of the risk assessment included assessing the data center closures. Every
agency aims to minimize the number of tiered data contents by at least 25% (Esser, 2019). Tiered
data centers are defined as different physical spaces for IT infrastructure, a dedicating cooling
system, a zone, a backup power generator, or an uninterruptible power supply. It is required that
the agencies self-classify according to the data centers.
Additionally, the assessment also looked at the data center optimization. Agencies are
required to replace all their manual reporting and collection systems, hardware, and software
inventory within the data centers with automated monitoring, collection, management, and
inventory tools (Esser, 2019). Based on this assessment, the risks in the OPM can be associated
with a lack of automated systems in controlling and monitoring the security of the organization?s
network.
Lastly, the risk assessment was crowned by assessing the reporting ability and strategies
by the OPM. It is required that there should be quarterly submissions to help in measuring the
progress of the agency towards optimization, closure metrics, and power usage (Esser, 2019).
The assessment indicated that OPM had complied with the request by OMB to offer the quarterly
submissions. Nonetheless, the recommendations starting with Q1 of 2017 and Q4 of 2018 did not
accurately represent OPM data center inventory data. Furthermore, there was an intrusion into
12
OPM?s network in November 2013, but it was never reported on the claims that the attackers
could not access personal data (West & Zentner, 2020). This, therefore, demonstrates that OPM
has been vulnerable in terms of its network?s security.
Risk Findings
Various findings emanated from the multiple steps of risk assessment on OPM. The
conclusions of the risk assessment indicate that the data breach on OPM was reported in 2015
(Daswani & Elbayadi, 2021). This was after a chief agency of human resources for the federal
government announced that there was a breach that exposed the SF-86 security clearance
background checks of more than 21.5 million government employees of the US (Daswani &
Elbayadi, 2021). The SF-86 forms that had been stolen consisted of the information of millions
of government employees, their addresses, names, neighbors, family members, and friends.
Furthermore, the stolen data also consisted of personal financial information. This means that the
risk of the data breach was high and of concern as most individual information was stolen.
On data center optimization, it was found that OPM has a DCOI strategic plan of
consolidating the infrastructure of its data center. This included the closing of data centers.
Albeit having such a plan, it has not been updated since 2017 and addresses none of the DCOI
targets and objectives (Esser, 2019). Also, OPM had closed some of its data centers as planned,
but the agency did not implement the required tools needed to optimize its data centers. These
essential tools include automated inventory, monitoring, power metering, and management.
Another risk point is that OPM submitted its quarterly reports as initially needed. Still, most of
the elements from the information were wrong such as the closure status power utilization of the
agency. These discrepancies between the requirement and what OPM submitted were a
significant risk for the data breach.
13
The General Support System (GSS) was also assessed for risk. It was found that OPM
does not have a definition of documents that should be reviewed and updated when the office of
the assessment process leaves (Esser, 2019). Furthermore, OPM had issues with the privacy
assessment, categorization, tracking of weaknesses, security plans, and risk assessments. This
was a potential point of risk despite being after the data breach.
OPM?s risk point was also observed in its DCOI plan. There were two main components
of DCOI, which were last updated in 2017. The written components establish a consolidation
among nine data centers in various locations such as Georgia, Macon, Boyers, and Pennsylvania.
However, the OPM estimated that the consolidation efforts would be completed by the end of
2018. The weakness point, which also invites risk to the organization, is that the written plan
does not present details on the methods for accomplishing the goals of optimization of DCOI
(Esser, 2019). Furthermore, OPM?s written procedures did not identify the tiered and non-tiered
data centers closed. Furthermore, the numerical part of the plan did not identify the essentially
required goals.
Security risks were also spotted in the OPM?s DCOI submissions. This submission
stated that there was only one data center in Macon. However, it has been shown that there are
four different spaces for OPM in Macon that meet the reporting requirements for DCOI (Esser,
2019). This difference in reporting can be a situation of the company not having accurate
documentation of its data centers, which further implies that there is not sufficient tracking of
security of the organization?s network.
Lastly, risk assessment also identified data breach risks in the security plans and
strategies. The strategic objective of OPM indicates the consolidation of the OPM?s
infrastructure, which starts from nine data centers, as has been discussed above. However, there
14
is no energy metering installed in its data centers. Therefore, the process of data collection on
OPM?s data center collections depends on manual data collection methods (Esser, 2019).
Apparently, these manual processes are prone to errors, exposing the organization to the risks of
getting more attacked and data breaches. Furthermore, the current procedures and authorization
policies have no definition for requirements needed to address changes in authorizing officials.
To be specific, the documentation of OPM does not require a new authorizing official to review
the system’s documentation and sign a recent decision of authorization (Esser, 2019). Therefore,
the system has high risks when it comes to access.
Conclusion
The RAR indicates that OPM?s main weakness is an immature plan. The organization
ignores the essential elements of planning that can protect it against data breaches. An example is
where no policies for access authorization, among other risks such as lacking automated tools,
exist. Therefore, OPM should consider addressing every possible source of risk in its security
management.
15
References
Broad, J. (2013). RMF Phase 4: Assess Security Controls. In Risk Management Framework (pp.
133?145). Elsevier. https://doi.org/10.1016/B978-1-59749-995-8.00012-0
Daswani, N., & Elbayadi, M. (2021). The OPM Breaches of 2014 and 2015. In Big Breaches
(pp. 131?153). Apress. https://doi.org/10.1007/978-1-4842-6655-7_6
DeCapua, T. (2021). The Office of Personnel Management data breach and mitigating risk. Tech
Beacon. https://techbeacon.com/security/reality-office-personnel-management-breach-howmitigate-risk
Esser, M. R. (2019). Final Audit Report: Audit of the U.S. Office of Personnel Management?s
Compliance with the Data Center Optimization Initiative. 4.
Fruhlinger, J. (2020). The OPM hack explained: Bad security practices meet China?s Captain
America | CSO Online. CSO. https://www.csoonline.com/article/3318238/the-opm-hackexplained-bad-security-practices-meet-chinas-captain-america.html
Lin, Z. (2018). ?Success Is Invisible, But Failure Is Public?: Examining The US Office Of
Personnel Management Data Records Breach. https://doi.org/10.15781/T2WW77H5S
West, T., & Zentner, A. (2020). Threats and Major Data Breaches: Securing Third-Party
Vendors. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3532024
Yan, F., & Xu, K. (2018). A set pair analysis layer of protection analysis and its application in
quantitative risk assessment. Journal of Loss Prevention in the Process Industries, 55, 313?
319. https://doi.org/10.1016/j.jlp.2018.07.007
16
1
Operating Systems Vulnerabilities (Windows and Linux)
Loubna Idrissi
UMGC
James Swart
DFC 610
January 28, 2022
2
Operations System Overview
The operation system (OS) is a construct that enables user application programs to
interact with the computer’s hardware. The OS does not provide any function in the computer but
offers an atmosphere where different programs and applications can work effectively. Computers
today operate under three common operating systems that include Windows, Linux, and the
Apple OS, with each having related applications, interoperability issues, and security
considerations (Williams, 2021). Another important aspect of the operating system is facilitating
the interaction between the computer’s hardware and the users through the GUI. The OS offers
important support to the computer system to manage data processing, memory, and other
applications that enhance the system’s running.
The user’s role in an OS
The user’s role in an OS is usually to transmit commands, and the OS translates the
commands to provide projected output, a process that occurs within seconds. The user’s role in
the operating system is normally dispersed in two operating tasks and through application tasks.
The operating system task is directly interfacing with the OS that moves to modify the hardware.
In this case, the operating functions involve the installation of new peripherals, deleting files to
create empty spaces in disks, and overlocking the central processing unit or the GPU. The
application’s tasks entail creating a word document, internet browsing, and sending emails
(Williams, 2021). The sole objective of the user is to start commands through the command line
or the GUI to do it. An example of the user’s role in an OS is when a computer user selects the
start menu in the OS GUI to get access and opens a word document. The user’s role ensures that
the user interacts with the OS to access the word document application. The application’s access
3
will enable the user to interact with the OS, allocating the required resources to run the
application.
Differences between the kernel of the OS and user applications
Computers usually operate in two basic modes that include the kernel and the user
applications mode. When running application software, the computer uses the user application
mode. When the application software requests the hardware, the computer gets into kernel mode.
The Kernel mode is the most important in the computer system. However, the computer system
keeps switching between the user applications to the kernel mode. The main difference between
the kernel and the user applications list is that the user-mode runs applications, while the kernel
mode is the mode in which the computer system enters to access hardware resources (Anand,
2021). The kernel applications access the computer’s underlying hardware and can execute the
intrusion of the CPU and reference the memory address. The kernel-mode reserves the most
trusted functions of an OS. The user applications deal with software and do not have direct
access to the computer’s hardware.
Embedded OS
An embedded OS is a specialized operation system that has been designed to carry out
specific tasks for devices that are not computers. The main role of an embedded OS is to run
codes that allow devices to carry on their activities. It also makes it easy for the software of the
device to access the hardware. The embedded OS is optimized to enhance the efficiency of
controlling hardware, drive the processing of graphics, and reduce the response time for the task
conducted by the device (Lutkevich, 2021). An embedded OS is usually performed through an
embedded system with microcontrollers depending on the complexity of the task performed. A
4
single microcontroller chip is in devices such as calculators, digital watches, MP3 players, while
multiple microcontroller chips are found in factory controllers and machines, aircraft, and hybrid
vehicles.
Systems fit in the overall information system architecture
The system fits in the information system architecture through the concept of
virtualization. This concept allows the utility computing model, after which the SOA model is
needed as the blueprint. The virtualization concept gives an easy upgrade of the enterprise
application comprising the entire information technology. The operating system, hardware, and
embedded OS and systems make the overall information system archit
