Module: 01z — SCADA, IoT, Automotive, and Drone Hacking: Critical Infrastructure Law for Security Researchers
Difficulty: advanced


Questions

Q1. Under CFAA § 1030(c)(4)(B), what is the maximum prison sentence for a first offense that causes damage to a critical infrastructure system?

  • A) 5 years
  • B) 10 years
  • C) 15 years
  • D) 20 years

Correct answer: D Explanation: CFAA § 1030(c)(4)(B) raises the sentencing ceiling to 20 years when damage affects critical infrastructure, doubling the 10-year base ceiling under § 1030(c)(4)(A). The statute sets no mandatory minimum.


Q2. How many critical infrastructure sectors are identified under Presidential Policy Directive 21 (PPD-21, 2013)?

  • A) 10
  • B) 12
  • C) 16
  • D) 18

Correct answer: C Explanation: PPD-21 identifies 16 critical infrastructure sectors, ranging from Energy and Healthcare to Water and Wastewater Systems. Courts do not require official CISA designation — they look at function, meaning even an unlisted rural water utility is covered.


Q3. In the Oldsmar, Florida water treatment plant attack (February 2021), how high did the attacker raise the sodium hydroxide (lye) concentration?

  • A) To 1,110 ppm, approximately 10 times the safe level
  • B) To 11,100 ppm, approximately 100 times the safe level
  • C) To 5,550 ppm, approximately 50 times the safe level
  • D) To 22,200 ppm, approximately 200 times the safe level

Correct answer: B Explanation: The attacker raised the sodium hydroxide level from 111 parts per million to 11,100 ppm — 100 times the safe drinking level. An operator noticed the cursor moving and reversed the change within minutes before any harm resulted.


  • A) It established that botnets could only be prosecuted if device owners suffered financial harm above $5,000.
  • B) It held that installing malware on IoT devices constitutes "damage" even if the device owner notices no disruption.
  • C) It required prosecutors to prove that each compromised device was directly connected to critical infrastructure.
  • D) It granted reduced culpability to researchers who cooperated with CISA after the attack.

Correct answer: B Explanation: The Mirai prosecution established that installing botnet malware on cameras and DVRs — without taking any data and without disrupting the device's apparent function — constituted damage under the impairment-of-integrity theory of § 1030(a)(5)(A). The device owner did not need to notice any harm.


Q5. Under California Civil Code § 1798.91.04, what is the maximum civil penalty per device per violation for an IoT manufacturer that ships devices with insecure default passwords?

  • A) $1,000
  • B) $2,500
  • C) $5,000
  • D) $10,000

Correct answer: B Explanation: California's IoT security law (effective January 1, 2020) imposes a civil penalty of up to $2,500 per device per violation, enforced by the California Attorney General. There is no private right of action under the statute.


Q6. In Miller and Valasek's 2015 remote Jeep Cherokee hack, why were no criminal charges filed against the researchers?

  • A) Chrysler had pre-authorized the research as part of a bug bounty engagement.
  • B) The Sprint network's cellular infrastructure provided an implicit license to all subscribers.
  • C) Journalist Andy Greenberg, who owned the Jeep, gave written consent to the testing on his own vehicle.
  • D) The researchers disclosed to CISA before publication, triggering the DOJ good-faith policy.

Correct answer: C Explanation: Researcher authorization flowed from the vehicle owner's consent. Andy Greenberg owned the Jeep and agreed to the demonstration, satisfying the CFAA authorization element. Chrysler's subsequent recall cooperation was voluntary, not legally required.


  • A) $10,000 fine only; no imprisonment
  • B) Up to six months imprisonment and $50,000 fine
  • C) Up to one year imprisonment and $100,000 fine
  • D) Up to five years imprisonment and $250,000 fine

Correct answer: C Explanation: Willful or malicious interference with licensed radio communications under 47 U.S.C. § 333 carries a criminal penalty of up to $100,000 and/or one year imprisonment, plus civil forfeiture of equipment. The FCC has explicitly stated no property-defense exception exists.


  • A) State and local law enforcement agencies under the Anti-Drone Safety Act
  • B) Any property owner defending against a drone flying below 400 feet AGL
  • C) Private security firms operating under a DHS contractor license
  • D) Only DOD, DOJ, DHS, and DOE for protection of federal facilities under the 2018 FAA Reauthorization Act

Correct answer: D Explanation: Section 2209 of the FAA Reauthorization Act of 2018 (Pub. L. 115-254) grants counter-UAS authority — including jamming and spoofing — exclusively to DOD, DOJ, DHS, and DOE for protection of federal facilities. No private party, including property owners, has this authority.


Q9. What maximum daily civil penalty can FERC impose for NERC CIP violations under the Federal Power Act (16 U.S.C. § 824o)?

  • A) $10,000 per day
  • B) $100,000 per day
  • C) $500,000 per day
  • D) $1,000,000 per day

Correct answer: D Explanation: FERC can impose civil penalties of up to $1 million per violation per day for NERC CIP violations. The largest NERC CIP penalty imposed was $10 million (against an undisclosed entity, 2018). NERC CIP is a regulatory framework — it does not independently create criminal liability.


  • A) Both are legally equivalent because PLCs are protected computers under CFAA regardless of network connectivity.
  • B) The lab tester faces no CFAA exposure; the live-system prober faces § 1030(a)(2) charges and the § 1030(c)(4)(B) critical infrastructure enhancement.
  • C) Both researchers are protected under the DOJ 2022 good-faith policy if they disclose to ICS-CERT afterward.
  • D) The live prober is protected because Shodan's passive scanning already constitutes the unauthorized access, not the researcher's direct probe.

Correct answer: B Explanation: Confining testing to equipment you own in an isolated lab is the key safe harbor: testing a purchased PLC in an air-gapped environment creates no CFAA exposure. Actively probing a live utility SCADA system without authorization crosses into § 1030(a)(2) and triggers the § 1030(c)(4)(B) critical infrastructure enhancement. Reporting to ICS-CERT afterward does not provide legal immunity.


Quiz for Module 01z — LawZeee | Generated 2026-04-17