Published Date: 2017-05-12
| Postmortem Analysis | |
|---|---|
| Timeline | 1. The software failure incident happened in May 2017 [Article 59065, Article 59073, Article 59121, Article 59300, Article 59305, Article 59308, Article 59312, Article 59322, Article 59937]. |
| System | 1. NHS computers [Article 59065, Article 59121, Article 59300] 2. Windows XP operating system [Article 59121, Article 59300] 3. Microsoft software [Article 59121, Article 59937] 4. Windows operating system [Article 59305] 5. Boeing's production systems and airline software [Article 69249] |
| Responsible Organization | 1. The attack was caused by a vulnerability in Microsoft software found by the National Security Agency (NSA) for its surveillance tool kit, which was leaked online [Article 59121]. 2. The attack was facilitated by the Shadow Brokers group who released the malware, although it is suggested that they were not directly involved in the ransomware strike [Article 59305]. 3. The attack could have been government-orchestrated or carried out by a large cyber criminal gang [Article 59297]. |
| Impacted Organization | 1. NHS in Britain, Telefónica in Spain, FedEx, Russian Interior Ministry, Chinese universities, French carmaker Renault, local authority in Sweden, Brazilian social security administration, major telecommunications firms, German railway stations, Nissan UK, Megafon in Russia, Iberdrola in Spain, Gas Natural in Spain, Deutsche Bahn in Germany, schools in China, Europol, Turkish Information and Communication Technologies Authority [Article 59065, Article 59073, Article 59121, Article 59286, Article 59300, Article 59322] 2. Kent community health trust [Article 59627] |
| Software Causes | 1. Failure to install critical software patches by NHS organizations, leading to vulnerability exploitation [59065, 59073, 59121] 2. Exploitation of a security flaw in Microsoft software found by the National Security Agency [59121, 59286] 3. Slow installation of security updates on a wide scale due to various reasons [59305] 4. Use of outdated operating systems like Windows XP, which lacked necessary patches [59300, 59312] 5. Ransomware outbreak exploiting weaknesses in Microsoft's Windows operating system [59937] 6. WannaCry ransomware spreading due to software vulnerabilities [60366] 7. WannaCry ransomware reaching Boeing, identified as the same computer virus that struck systems globally [69249] |
| Non-software Causes | 1. Lack of applying critical software patches by NHS organizations [59065] 2. Failure of US government protocols for warning software developers and the private sector about system vulnerabilities [59073] 3. Leaked files detailing security flaws by the National Security Agency [59121] 4. Reliance on outdated Microsoft computer operating systems [59300] 5. Slow installation of security updates due to various reasons [59305, 59308] 6. Limited intrusion of malware affecting a small number of systems at Boeing [69249] |
| Impacts | 1. The software failure incident affected about 40 NHS organizations, causing disruptions and interrupting medical procedures across hospitals in England and Scotland [Article 59065]. 2. The attack impacted 48 out of 248 NHS organizations, with some systems still left vulnerable due to failure to apply patches or using outdated software [Article 59121]. 3. The cyberattack led to the cancellation of procedures in hospitals in England and Scotland, affecting around a fifth of trusts due to outdated software vulnerabilities [Article 59300]. 4. The incident prompted Boeing to address a cyberattack using the WannaCry virus, causing concerns about potential spread to production systems and airline software [Article 69249]. |
| Preventions | 1. Ensuring that critical software patches released by Microsoft are promptly installed across all systems, especially in organizations like the NHS [59065, 59073, 59121]. 2. Keeping systems up to date by applying routine software updates and patches to prevent vulnerabilities [59121, 59300]. 3. Using up-to-date operating systems and software so that known vulnerabilities cannot be exploited [59121, 59300]. 4. Implementing comprehensive patching systems to prevent attacks like the ransomware incident [59121]. 5. Enabling Windows updates and running antivirus software to protect systems from attacks [59297]. 6. Promptly installing security updates provided by software developers to address vulnerabilities [59305]. 7. Taking proactive measures to patch systems and prevent the spread of malware, as the "accidental hero" did by registering a domain name that halted the ransomware attack [59308, 59312, 59322]. 8. Microsoft breaking its own rules on software maintenance to address vulnerabilities promptly and keep users safe [59937]. 9. Addressing the challenges of updating critical software in specialized systems, such as health care systems, to prevent interruptions in operations [84772]. |
| Fixes | 1. Applying critical software patches promptly to all systems, especially in organizations like the NHS [Article 59065, Article 59121]. 2. Ensuring comprehensive patching systems are in place and regularly updated to prevent attacks [Article 59121]. 3. Updating outdated software and operating systems to prevent vulnerabilities [Article 59065, Article 59300]. 4. Collaboration between government agencies, private sector, and software developers to improve patching and updating systems [Article 59073]. 5. Encouraging businesses to prioritize upgrading to the latest software versions to mitigate risks [Article 84772]. |
| References | 1. Ross Anderson, Cambridge University [59065] 2. Alan Woodward, University of Surrey [59065] 3. NHS Digital [59065] 4. Cyber-security expert [59073] 5. Europol [59121] 6. Jean-Frederic Karcher, Maintel [59297] 7. Metropolitan Police [59300] 8. MalwareTechBlog [59300] 9. Kaspersky Lab [59300] 10. Europol [59300] 11. Anonymous British blogger [59300] 12. Nissan [59300] 13. European Union's police agency, Europol [59300] 14. Renault [59300] 15. Shadow Brokers [59305] 16. Jakobsson [59312] 17. Spain's telecoms giant Telefonica, power firm Iberdrola, and utility provider Gas Natural [59322] 18. Group of Seven wealthiest countries [59322] 19. Microsoft [59937] 20. Cybersecurity firm SecureWorks [60366] 21. Boeing [69249] |

| Category | Option | Rationale |
|---|---|---|
| Recurring | one_organization | (a) The software failure incident having happened again at one_organization: - Boeing was hit by a cyberattack that some |
| Phase (Design/Operation) | design, operation | (a) The software failure incident related to the development phase of design was evident in the failure to apply critical software patches. The incident highlighted that large numbers of NHS organizations failed to act on a critical notice from Microsoft to update their systems, leading to vulnerabilities [59065]. Additionally, the attack exploited a security flaw in Microsoft software that was found by the National Security Agency, indicating a failure in the design or development of the software that allowed for the vulnerability to be exploited [59121]. (b) The software failure incident related to the development phase of operation was seen in the failure of system administrators to apply patches or updates promptly. The incident revealed that countless systems were left vulnerable either due to the failure to apply patches or the use of outdated software, indicating operational shortcomings in maintaining system security [59121]. Additionally, the attack exploited known vulnerabilities in old Microsoft computer operating systems, highlighting the operational failure to keep systems up to date and secure [59300]. |
| Boundary (Internal/External) | within_system, outside_system | (a) within_system: - The failure to apply critical software patches by NHS organizations and other institutions contributed to the software failure incident [59065]. - The attack exploited known vulnerabilities in old Microsoft computer operating systems, indicating a failure in updating and patching systems [59300]. - Organizations were slow to install security updates, despite patches being available, leading to the spread of the malware [59305]. - Boeing was hit by a cyberattack using the WannaCry virus, indicating a failure in maintaining secure systems [69249]. (b) outside_system: - The NSA did not reveal the vulnerability it had discovered, leading to the exploitation of the flaw in Microsoft's Windows operating system [59073]. - The flaw in Microsoft's Windows operating system was first discovered by the United States National Security Agency and made public by the hacker collective Shadow Brokers, indicating an external factor contributing to the software failure incident [59286]. - The attack originated from outside the system, with the malware spreading through emails and affecting systems globally [59312]. - The attack exploited weaknesses in Microsoft's Windows operating system, indicating external factors contributing to the software failure incident [59937]. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The attack on the NHS and other institutions was due to a security flaw in Microsoft software found by the National Security Agency, which was leaked online [Article 59121]. - The attack exploited a flaw in Microsoft's Windows operating system that was first discovered by the United States National Security Agency [Article 59286]. - The ransomware outbreak used weaknesses in Microsoft's Windows operating system to spread, prompting Microsoft to break its own rules on software maintenance to keep users safe [Article 59937]. - The global cyberattack that struck computer systems worldwide was similar to a recent assault that crippled tens of thousands of machines, utilizing hacking tools stolen from the National Security Agency and leaked online [Article 60060]. (b) The software failure incident occurring due to human actions: - The failure to apply critical software patches by system administrators or using outdated software left countless systems vulnerable to the attack [Article 59121]. - Human error, such as the failure to do routine software updates and employees unknowingly clicking on email attachments containing malware, contributed to the preventable attack [Article 59121]. - The attack could have been prevented if organizations had comprehensive patching systems in place, highlighting the role of human actions in cybersecurity incidents [Article 59121]. - The malware spread through phishing attacks with malicious attachments, emphasizing the importance of user behavior in protecting against such attacks [Article 59937]. |
| Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: - The attack that affected systems worldwide was due to a flaw in Microsoft's Windows operating system, which was first discovered by the United States National Security Agency [Article 59286]. - The attack exploited known vulnerabilities in old Microsoft computer operating systems, leading to systems being brought down in various institutions [Article 59300]. - Boeing was hit by a cyberattack identified as the WannaCry computer virus, which was spreading and could potentially affect production systems and airline software [Article 69249]. (b) The software failure incident occurring due to software: - The attack exploited a security flaw in Microsoft software found by the National Security Agency, which was leaked online, leaving countless systems vulnerable due to failure to apply patches or using outdated software [Article 59121]. - The ransomware outbreak used weaknesses in Microsoft's Windows operating system to spread rapidly, prompting Microsoft to break its own rules on software maintenance to keep users safe [Article 59937]. - The attack that affected computer systems globally was similar to the WannaCry attacks in May, which took control of computers and demanded digital ransom from their owners [Article 60060]. |
| Objective (Malicious/Non-malicious) | malicious, non-malicious | (a) The software failure incident related to the WannaCry attack was malicious in nature. The attack exploited a vulnerability in Microsoft software found by the National Security Agency and was developed with broad, long-term reach in mind [Article 59065, Article 59272]. The attack was part of a series of attacks making use of hacking tools stolen from the National Security Agency and leaked online by a group called the Shadow Brokers [Article 60060]. The attack spread rapidly and demanded digital ransom from affected users [Article 60060]. (b) On the other hand, the software failure incident was also non-malicious to some extent. It was noted that the attack could have been prevented if organizations had comprehensive patching systems in place and if routine software updates were done [Article 59121]. Additionally, the attack highlighted the importance of keeping software up to date and using anti-virus programs to clean malicious software from computers [Article 59300]. |
| Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) poor_decisions: - The software failure incident related to the cyberattack that affected the NHS and other institutions across Europe and Russia was attributed to poor decisions such as the failure of system administrators to apply critical patches or using outdated software [59065, 59121]. - The failure was also linked to the US government's protocols for disclosing vulnerabilities, where the NSA did not reveal the vulnerability it had discovered, leading to the exploitation of the flaw [59073]. - The incident highlighted the stubborn reality of human error in cybersecurity, with organizations collectively spending billions on cybersecurity measures but still being vulnerable due to failures in routine software updates and employee actions [59121]. - The attack on Boeing by the WannaCry virus was also a result of poor decisions, as the virus was identified as the same one that struck thousands of computer systems globally the previous year, indicating a lack of effective preventive measures [69249]. (b) accidental_decisions: - An accidental hero emerged during the cyberattack incident when an anonymous British blogger unintentionally halted the spread of the malware by registering a website, not realizing the impact it would have [59300]. - The accidental nature of decisions was further highlighted by the fact that the attack could have been much worse if the attacker had not left a domain unguarded, making it easy to stop the attack [59073]. - The accidental aspect of decisions was also evident in the unintended consequences of the attack, such as the disruption of operations at various organizations due to the malware, including the Cadbury chocolate factory and Qantas Airways [60060, 59300]. |
| Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development incompetence: - The incident involving the ransomware attack on NHS computers highlighted the failure of some NHS organizations to act on a critical notice from Microsoft to install a software patch, indicating a lack of professional competence in keeping systems up to date [59065]. - The attack that affected the NHS and other institutions revealed the broken patching and updating systems in the private sector and government agencies, indicating a fundamental flaw in the system between the government and the private sector [59073]. - The attack exploited a security flaw in Microsoft software found by the National Security Agency, where countless systems were left vulnerable due to system administrators failing to apply the patch or using outdated software, showcasing a failure to do routine software updates [59121]. - The attack that exploited a flaw in Microsoft's Windows operating system was made public by a hacker collective known as Shadow Brokers, indicating a failure to address vulnerabilities in the software [59286]. - The Metropolitan Police in the UK was still using outdated software Windows XP, leaving systems more vulnerable to attacks, showcasing a lack of updating systems [59300]. (b) The software failure incident occurring accidentally: - An anonymous British blogger accidentally helped slow down the spread of the cyber attack by putting the brakes on the attack, indicating accidental involvement in mitigating the incident [59300]. - The WannaCry ransomware attack, which exploited known vulnerabilities in old Microsoft computer operating systems, was deployed via a worm that spread between computers, showcasing an accidental spread of the attack [59322]. |
| Duration | permanent | (a) The software failure incident was temporary: - The ransomware attack that affected more than 200,000 computers in 150 countries was described as a temporary incident that could strike again as systems with fixes could be reinfected [Article 59300]. - An anonymous British IT expert discovered a 'kill switch' that slowed the spread of the ransomware, indicating a temporary solution to the attack [Article 59300]. - The attack exploited known vulnerabilities in old Microsoft computer operating systems, suggesting a temporary failure due to specific circumstances [Article 59300]. (b) The software failure incident was permanent: - The article mentions that some organizations were left vulnerable due to human error in failing to apply patches or using outdated software, indicating a more permanent failure due to ongoing issues with system maintenance [Article 59121]. - The article highlights the challenges faced by organizations in updating critical software, especially in healthcare systems where updates could interrupt patient care, suggesting a more permanent aspect to the failure [Article 84772]. |
| Behaviour | crash, omission, value, other | (a) crash: The software failure incident mentioned in the articles can be categorized as a crash due to the system losing state and not performing any of its intended functions. The incident led to systems being affected, causing disruptions in various organizations and sectors. For example, the attack that hit the NHS networks and other institutions across Europe and Russia resulted in systems being temporarily crippled [Article 59073]. Additionally, the ransomware outbreak on Friday used weaknesses in Microsoft's Windows operating system to spread rapidly, prompting Microsoft to break its own rules on software maintenance to keep users safe [Article 59937]. (b) omission: The software failure incident can also be categorized as an omission due to the system omitting to perform its intended functions at instances. This was evident in the vulnerabilities that were left unpatched, either because system administrators failed to apply the patch or because they used outdated software, leaving systems vulnerable [Article 59121]. Furthermore, the attack exploited known vulnerabilities in old Microsoft computer operating systems, indicating instances where the system omitted to address these vulnerabilities [Article 59300]. (c) timing: The software failure incident can be categorized as a timing failure due to the system performing its intended functions correctly but either too late or too early. An example of this is seen in the delays in updating critical software in health care systems, where the process could potentially interrupt patient care [Article 84772]. (d) value: The software failure incident can be categorized as a value failure due to the system performing its intended functions incorrectly. This is evident in the attack that exploited a flaw in Microsoft's Windows operating system, leading to disruptions in various organizations and sectors [Article 59286]. (e) byzantine: The software failure incident can be categorized as a byzantine failure due to the system behaving erroneously with inconsistent responses and interactions. This behavior is seen in the widespread impact of the attack, affecting computer systems from Ukraine to the United States in an international cyberattack [Article 60060]. (f) other: The software failure incident can be categorized as other due to the behavior not fitting into the defined categories of crash, omission, timing, value, or byzantine. An example of this is the concern raised about a potential resurgence of chaos as office workers power up their machines, indicating a unique aspect of the incident [Article 59300]. |

| Layer | Option | Rationale |
|---|---|---|
| Perception | None | None |
| Communication | None | None |
| Application | None | None |

| Category | Option | Rationale |
|---|---|---|
| Consequence | death, delay | (a) death: People lost their lives due to the software failure - The attack against the NHS demonstrates that cyber-attacks can quite literally have life and death consequences [Article 59312]. (b) harm: People were physically harmed due to the software failure - It is still unknown if anyone suffered further injury or died because of the disruption caused by the cyber attack [Article 59286]. (e) delay: People had to postpone an activity due to the software failure - A number of hospitals in England and Scotland were forced to cancel procedures after dozens of NHS systems were brought down in the attack [Article 59300]. |
| Domain | information, transportation, natural_resources, sales, manufacturing, utilities, knowledge, health, government, other | (a) The failed system was intended to support the information industry: - The attack affected systems in various countries, including the UK, Spain, Portugal, Russia, Ukraine, and Taiwan, impacting companies like Telefonica, FedEx, and others [Article 59065]. - The attack targeted various institutions across Europe and Russia, including the NHS in Britain, revealing vulnerabilities in software systems [Article 59073]. - The malware affected systems worldwide, including hospitals, telecoms, and other organizations, highlighting the importance of routine software updates and cybersecurity measures [Article 59121]. - The attack disrupted computer systems globally, affecting companies like FedEx, Nissan, and Renault, with over 130,000 IT systems impacted [Article 59300]. (b) The failed system was intended to support the transportation industry: - The attack impacted transportation companies like Deutsche Bahn, the German transport giant, and affected systems in the transport and telecom sectors [Article 59286]. - The malware affected systems in various industries, including transportation, with reports of local railway ticket machines in Germany being affected [Article 59322]. - The cyberattack struck companies worldwide, including Maersk, a transportation and logistics company, causing disruptions in operations [Article 60060]. (c) The failed system was intended to support the natural resources industry: - The attack targeted critical infrastructure institutions, including those related to natural resources, in a well-coordinated manner [Article 64140]. (d) The failed system was intended to support the sales industry: - The attack impacted companies like FedEx, a delivery company, which had to implement remediation steps to address the issue [Article 59300]. (e) The failed system was intended to support the construction industry: unknown (f) The failed system was intended to support the manufacturing industry: - The attack affected companies like Renault, a French carmaker, which announced being attacked and taking countermeasures [Article 59300]. (g) The failed system was intended to support the utilities industry: - The attack affected companies like Telefonica, Iberdrola, and Gas Natural, which are utility providers, with staff being instructed to turn off computers [Article 59322]. (h) The failed system was intended to support the finance industry: unknown (i) The failed system was intended to support the knowledge industry: - The attack impacted educational institutions, with reports of Chinese universities being affected by the ransomware attack [Article 59121]. (j) The failed system was intended to support the health industry: - Hospitals were major targets of the ransomware attack, with health systems facing numerous ransomware attacks in the past, highlighting vulnerabilities in healthcare IT systems [Article 59121]. - The attack blocked doctors from accessing patient files and caused emergency rooms to divert patients, impacting healthcare facilities significantly [Article 59286]. (k) The failed system was intended to support the entertainment industry: unknown (l) The failed system was intended to support the government industry: - The attack affected public health trusts in Britain, government agencies like the Russian Interior Ministry, and other public services, causing disruptions in operations [Article 59286]. (m) The failed system was intended to support an industry not described in the options: - The attack targeted various industries globally, impacting critical infrastructure institutions and organizations across different sectors [Article 64140]. - The malware affected systems in multiple industries, emphasizing the widespread impact on various sectors worldwide [Article 60060]. |
Article ID: 69249
Article ID: 59305
Article ID: 59065
Article ID: 59937
Article ID: 59627
Article ID: 64140
Article ID: 59286
Article ID: 60366
Article ID: 84772
Article ID: 59300
Article ID: 59297
Article ID: 59312
Article ID: 59322
Article ID: 59073
Article ID: 59121
Article ID: 59272
Article ID: 60060
Article ID: 59308
Article ID: 59635
Article ID: 58973