Incident: Cyberattacks Targeting Critical Infrastructure in Energy Sector.

Published Date: 2017-07-06

Postmortem Analysis
Timeline
1. The software failure incident, in which hackers penetrated the computer networks of companies operating nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries, was reported in an article published on July 6, 2017 [Article 61048].
2. The incident occurred before the article was published on July 6, 2017.

System
1. SCADA systems [61048]

Responsible Organization
1. The hackers, specifically the Russian hacking group "Energetic Bear", were responsible for the software failure incident at the nuclear power stations and other energy facilities [Article 61048].

Impacted Organization
1. Wolf Creek Nuclear Operating Corporation [61048]

Software Causes
1. The software cause of the failure was the hackers' penetration of the computer networks of companies operating nuclear power stations, other energy facilities and manufacturing plants, using techniques such as sending Microsoft Word documents laced with malicious code, disguised as fake résumés, to control engineering personnel [61048].

Non-software Causes
1. The hackers used highly targeted email messages containing fake résumés for control engineering jobs to trick senior industrial control engineers into opening malicious documents, which allowed the attackers to steal credentials and move on to other machines on the network [61048].
2. The hackers compromised legitimate websites frequented by their victims (watering hole attacks) to gain access to their systems [61048].
3. The hackers also used man-in-the-middle attacks to redirect their victims' internet traffic through their own machines [61048].

Impacts
1. The software failure incident led to hackers penetrating the computer networks of companies operating nuclear power stations, energy facilities and manufacturing plants, including the Wolf Creek Nuclear Operating Corporation [61048].
2. The incident raised concerns about potential espionage, destruction and threats to public safety, although no direct impact on operational systems was reported [61048].
3. The hackers targeted industrial control engineers with access to critical systems, creating a risk of explosions, fires or spills of dangerous materials [61048].
4. The incident highlighted vulnerabilities in critical infrastructure, including the SCADA systems used by manufacturers, nuclear plant operators and pipeline operators [61048].
5. The incident underscored the ongoing challenge of securing critical infrastructure against advanced hacking attacks, particularly those using tools stolen from organizations such as the National Security Agency [61048].

Preventions
1. Robust cybersecurity measures such as regular security audits, network monitoring, intrusion detection systems and access controls could have helped prevent the cyberattacks on the nuclear power stations and energy facilities [61048].
2. Educating employees on cybersecurity best practices, including recognizing phishing emails and not opening suspicious links or attachments, could have prevented the hackers from gaining access to the systems [61048].
3. Keeping critical infrastructure systems updated with the latest security patches and software updates to address known vulnerabilities could have mitigated the risk of cyberattacks [61048].
4. Closer collaboration between government agencies, public companies and critical infrastructure organizations to share threat intelligence and coordinate cyber defenses could have improved overall resilience against cyber threats [61048].
5. Multi-factor authentication for access to critical systems could have added an extra layer of protection against unauthorized access by the hackers [61048].

Fixes
1. Implementing robust cybersecurity measures such as network segmentation, intrusion detection systems and regular security audits to prevent unauthorized access and cyberattacks [61048].
2. Conducting thorough security training for employees so they recognize and avoid phishing emails and malicious attachments, which were used in the attack [61048].
3. Enhancing the security of critical infrastructure systems by collaborating with government agencies and public companies to mitigate risks and defend against cyber threats [61048].
4. Strengthening the cybersecurity defenses of federal networks and critical infrastructure, as mandated by the executive order signed by President Trump [61048].
5. Continuously monitoring and updating software systems, including SCADA systems, to address vulnerabilities and protect against hacking and computer viruses [61048].

References
1. Security consultants
2. Department of Homeland Security
3. Federal Bureau of Investigation
4. Wolf Creek Nuclear Operating Corporation officials
5. Nuclear Energy Institute
6. Two individuals familiar with the attacks
7. Former chairman of the Federal Energy Regulatory Commission
8. The New York Times
9. The joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation
10. The government report mentioned in the article
11. President Trump's executive order
12. Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission
13. The language security specialists use to describe hackers backed by governments
14. Researchers who have tied the Russian hacking group "Energetic Bear" to attacks on the energy sector
15. Security specialists
16. The National Security Agency [61048]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale: (a) The software failure incident related to cyberattacks on critical infrastructure, including nuclear power plants and energy facilities, happened again at the Wolf Creek Nuclear Operating Corporation, which was targeted by hackers attempting to penetrate its computer networks [61048]. (b) The same kind of incident has also occurred at multiple organizations, including manufacturing plants and energy facilities in the United States and other countries; the attacks were part of a larger campaign against companies operating in the energy, nuclear and critical manufacturing sectors [61048].

Phase (Design/Operation)
Option: design, operation
Rationale: (a) The design-phase aspect of the incident is seen where hackers targeted industrial control engineers by sending them fake résumés for control engineering jobs that contained malicious code. This design flaw, in the form of fake résumés laced with malicious code, allowed the attackers to steal credentials and gain access to critical industrial control systems [61048]. (b) The operation-phase aspect is evident where hackers compromised legitimate websites frequented by their victims, a tactic known as a watering hole attack. The hackers also deployed man-in-the-middle attacks to redirect victims' internet traffic through their own machines, which points to operational failures in internet traffic management and security protocols [61048].

Boundary (Internal/External)
Option: within_system
Rationale: (a) within_system: The software failure incident is primarily due to contributing factors that originate from within the system. Hackers penetrated the computer networks of companies operating nuclear power stations and other energy facilities, including the Wolf Creek Nuclear Operating Corporation. They targeted industrial control engineers with direct access to critical industrial control systems, aiming to steal credentials and reach other machines on the network. The attack involved targeted email messages containing fake résumés with malicious code, compromised legitimate websites frequented by the victims, and man-in-the-middle attacks that redirected internet traffic. These actions were all carried out within the system's network and infrastructure [61048]. (b) outside_system: The incident does not appear to be primarily due to contributing factors from outside the system. Although the hackers are believed to be an "advanced persistent threat" actor, possibly linked to the Russian hacking group "Energetic Bear", the actual execution of the attacks and the infiltration were carried out within the targeted companies' networks. The article does not indicate any external factor outside the system that directly caused the software failure [61048].

Nature (Human/Non-human)
Option: non-human_actions
Rationale: (a) The software failure incident is attributed to non-human actions, specifically cyberattacks by hackers targeting the computer networks of companies operating nuclear power stations and other energy facilities [61048]. The hackers used techniques such as sending malicious code in fake résumés, compromising legitimate websites and deploying man-in-the-middle attacks to gain unauthorized access to critical industrial control systems. These actions were carried out by an "advanced persistent threat" actor, likely backed by a government, and mimicked the tactics of the Russian hacking group known as "Energetic Bear" [61048]. (b) The incident was not caused by human actions in the sense of introducing contributing factors. Human actions were, however, involved in the response, with security specialists and investigators analyzing the cyberattacks and mitigating the risks to critical infrastructure systems [61048].

Dimension (Hardware/Software)
Option: software
Rationale: (a) The article does not describe any contributing factor originating in hardware. (b) The software failure incident is a cyberattack by hackers targeting the computer networks of companies operating nuclear power stations, energy facilities and manufacturing plants. The hackers used techniques such as sending malicious code in fake résumés delivered as Microsoft Word documents, compromising legitimate websites and deploying man-in-the-middle attacks to steal credentials and gain access to critical industrial control systems [61048].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale: (a) The software failure incident is malicious in nature. Hackers penetrated the computer networks of companies operating nuclear power stations, other energy facilities and manufacturing plants with the objective of mapping out those networks for future attacks [61048]. The attackers used techniques such as highly targeted email messages containing fake résumés with malicious code, compromised legitimate websites frequented by the victims, and man-in-the-middle attacks that redirected internet traffic through their own machines. These actions were aimed at stealing credentials and gaining access to critical industrial control systems [61048].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale: The intent behind the software failure incident is classified as poor_decisions. Hackers penetrated the computer networks of companies operating nuclear power stations, other energy facilities and manufacturing plants, using sophisticated techniques such as targeted email messages containing fake résumés for control engineering jobs laced with malicious code, compromised legitimate websites frequented by victims, and man-in-the-middle attacks [61048]. These actions indicate a deliberate and strategic approach, suggesting that the incident was driven by poor decisions made by the hackers to infiltrate critical infrastructure systems.

Capability (Incompetence/Accidental)
Option: accidental
Rationale: (a) The article does not explicitly mention development incompetence as a factor in the software failure incident. (b) Accidental factors are evident in the article's description of how hackers infiltrated the computer networks of companies operating nuclear power stations and other energy facilities through tactics such as sending fake résumés containing malicious code to control engineering personnel [61048].

Duration
Option: permanent
Rationale: (a) The software failure incident is more likely permanent than temporary. Hackers penetrated the computer networks of companies operating nuclear power stations, other energy facilities and manufacturing plants, targeting industrial control engineers who have direct access to systems that, if damaged, could lead to serious consequences such as explosions, fires or spills of dangerous materials [61048]. The attack was sophisticated: fake résumés containing malicious code were sent to senior industrial control engineers, and once a recipient opened one of these documents the attackers could steal their credentials and move laterally within the network. The hackers also deployed man-in-the-middle attacks and compromised legitimate websites frequented by their victims [61048]. These actions indicate a permanent software failure incident, since the breach and the potential damage from the cyberattack were significant and could have long-lasting consequences for the affected systems and organizations.

Behaviour
Option: byzantine, other
Rationale: (a) crash: The article does not mention any software crash in which the system loses state and performs none of its intended functions. (b) omission: The incident does not involve the system omitting to perform its intended functions at one or more instances. (c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early. (d) value: The incident does not involve the system performing its intended functions incorrectly. (e) byzantine: The behaviour of the software failure incident aligns most closely with a byzantine failure. The hackers penetrated the computer networks of companies operating nuclear power stations and other energy facilities, targeting industrial control engineers with direct access to critical systems whose compromise could lead to disaster. They used sophisticated techniques such as fake résumés with malicious code, compromised legitimate websites and man-in-the-middle attacks to steal credentials and gain access to critical industrial control systems [61048]. (f) other: The behaviour could also be described as a targeted cyberattack aimed at mapping out computer networks for future attacks, with the potential to cause destruction of or disruption to critical infrastructure systems.

IoT System Layer

Layer Option Rationale
Perception
Option: sensor, actuator, processing_unit, network_communication, embedded_software
Rationale: (a) sensor: The article mentions that hackers targeted industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or spill of dangerous material. This indicates a potential threat to the sensors and monitoring devices within the cyber-physical systems [61048]. (b) actuator: The hackers compromised industrial control engineers who maintain broad access to critical industrial control systems. Actuators take input from the control system and convert it into physical action, so compromising engineers with access to these systems could lead to issues with actuators [61048]. (c) processing_unit: The hackers deployed techniques such as man-in-the-middle attacks and redirection of internet traffic through their own machines, which could affect the processing units within the cyber-physical systems and the processing of data and commands [61048]. (d) network_communication: The hackers compromised legitimate websites frequented by their victims and redirected internet traffic through their own machines, pointing to potential vulnerabilities in the network communication layer of the cyber-physical systems [61048]. (e) embedded_software: The hackers sent targeted email messages containing malicious code hidden in Microsoft Word documents, which indicates a potential threat to the embedded software within the cyber-physical systems, since the malicious code could affect the functioning of that software [61048].

Communication
Option: connectivity_level
Rationale: The software failure incident relates to the connectivity level of the cyber-physical system that failed. Hackers penetrated the computer networks of companies operating nuclear power stations and other energy facilities, targeting industrial control engineers with direct access to critical industrial control systems [61048]. They used techniques such as fake résumés containing malicious code, compromised legitimate websites and man-in-the-middle attacks to steal credentials and gain access to the network [61048]. These actions indicate a breach at the network or transport layer of the cyber-physical system rather than a failure at the physical layer.

Application
Option: FALSE
Rationale: The software failure incident is not related to the application layer of the cyber-physical system. It primarily involves cyberattacks by hackers on the computer networks of companies operating nuclear power stations and other energy facilities, with a focus on industrial control engineers and critical infrastructure systems. The attacks used phishing emails, malicious code in fake résumés, watering hole attacks and man-in-the-middle attacks, rather than application-layer failures caused by bugs, operating system errors, unhandled exceptions or incorrect usage [61048].

Other Details

Category Option Rationale
Consequence
Option: theoretical_consequence
Rationale: (a) death: The article does not mention any deaths resulting from the software failure incident [61048]. (b) harm: The article does not mention any physical harm to individuals resulting from the incident [61048]. (c) basic: The article does not mention any impact on people's access to food or shelter [61048]. (d) property: The incident did not directly affect people's material goods, money or data; there were, however, concerns about potential cyberattacks on critical infrastructure systems that could have significant consequences for national security and public safety [61048]. (e) delay: There is no mention of any activities being postponed because of the incident [61048]. (f) non-human: The incident targeted the computer networks of companies operating nuclear power stations, energy facilities and manufacturing plants; it did not directly affect non-human entities [61048]. (g) no_consequence: The article does not mention any observed real consequences of the incident [61048]. (h) theoretical_consequence: There was discussion of potential consequences of the cyberattacks on critical infrastructure, including the possibility of electricity disruptions and prolonged power outages, but there is no indication that these theoretical consequences actually occurred [61048]. (i) other: The article does not mention any other specific consequences of the incident [61048].

Domain
Option: information, manufacturing, utilities
Rationale: (a) The failed system was intended to support the production and distribution of information, as the attacks targeted companies operating nuclear power stations, energy facilities and manufacturing plants [61048]. (b) The failed system was not directly related to the transportation industry. (c) It was not directly related to the extraction of natural resources. (d) It was not directly related to the sales industry. (e) It was not directly related to the construction industry. (f) The failed system was intended to support the manufacturing industry, as the attacks targeted manufacturing plants in the United States and other countries [61048]. (g) The failed system was intended to support the utilities industry, as the attacks targeted companies operating nuclear power stations and energy facilities [61048]. (h) It was not directly related to the finance industry. (i) It was not directly related to the knowledge industry. (j) It was not directly related to the health industry. (k) It was not directly related to the entertainment industry. (l) It was not directly related to the government industry. (m) It was not directly related to any other specific industry.
