Incident: Cybersecurity Breach: Power Grid Operations Compromised by Hackers.

Published Date: 2017-09-06

Postmortem Analysis
Timeline 1. Symantec tracked the Dragonfly 2.0 intrusions back to at least December 2015; the campaign ramped up significantly in the first half of 2017, and the compromises of energy companies described in the article took place in the spring and summer of 2017, the year the article was published [63128].
System 1. Power grid operations systems of energy companies in the US and Europe 2. Control interfaces power company engineers use to send commands to equipment such as circuit breakers 3. Internet-connected IT networks and operational control networks of non-nuclear energy companies 4. Remote help desk tool of a Ukrainian energy utility (the Ukrainian grid attacks the article cites as precedent) 5. Software on the energy companies' networks containing known, unpatched vulnerabilities [63128]
Responsible Organization 1. The group known as Dragonfly 2.0 was responsible for causing the software failure incident by compromising energy companies' networks and gaining operational access to power grid operations, potentially being able to induce blackouts on American soil [63128].
Impacted Organization 1. Dozens of energy companies in the US and Europe, including US power firms and at least one company in Turkey [63128] 2. Power grid operators and the power company engineers whose control interfaces were compromised [63128]
Software Causes 1. Malware delivered through malicious email attachments and compromised (watering hole) websites, giving the intruders remote access to company networks [63128] 2. Known, unpatched vulnerabilities in existing software, exploited with freely available tools rather than previously unknown weaknesses [63128]
Non-software Causes 1. Spearphishing emails that tricked employees into opening malicious attachments [63128] 2. Credentials harvested from victims and reused to gain remote access to their machines [63128] 3. Insufficient separation between the companies' internet-connected IT networks and their operational controls, which let access gained on the corporate side reach grid control interfaces [63128]
Impacts 1. Intruders gained hands-on operational access to power grid operations at energy companies in the US and Europe, including control of the interfaces power company engineers use to send commands to equipment such as circuit breakers, which would have let them stop the flow of electricity to US homes and businesses [63128]. 2. The attackers penetrated far enough to screenshot the actual control panels for their targets' grid operations, positioning themselves to sabotage those systems at will; no blackout was actually caused [63128]. 3. The campaign demonstrated that an intrusion into an energy company's internet-connected IT network could reach critical infrastructure controls, prompting calls for stricter separation of IT and operational networks and stronger monitoring across the power sector [63128].
Preventions 1. Stricter separation between internet-connected IT networks and operational controls, so that a compromised corporate workstation or a harvested credential cannot reach the interfaces that command grid equipment [63128]. 2. Network monitoring and intrusion detection on both IT and operational networks, to catch unauthorized remote access before it reaches control systems [63128]. 3. Employee training and mail filtering against the spearphishing attachments and watering hole attacks used to harvest credentials [63128]. 4. Prompt patching of known software vulnerabilities, since the attackers relied on existing weaknesses and freely available tools rather than previously unknown flaws [63128]. 5. Sharing threat intelligence with cybersecurity firms and government agencies to keep pace with a persistent, well-resourced adversary [63128].
Fixes 1. Stricter separation between internet-connected IT networks and operational controls within the affected energy companies [63128]. 2. Regular security assessments and audits to find and remove the remote access the intruders established and to close the known vulnerabilities they exploited [63128]. 3. Employee education on recognizing suspicious email attachments and phishing lures, the entry point of this campaign [63128]. 4. Collaboration with cybersecurity firms such as Symantec, which disclosed the campaign, to detect and respond to intrusions in a timely manner [63128].
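The separation and monitoring items in the Preventions and Fixes rows are easiest to reason about against concrete traffic. The following Python script is an added example, not code from the article, Symantec or any affected company: it checks a connection log against an IT/OT segmentation policy and flags every session from the corporate network into the control network that bypasses the designated jump host or uses a port outside the allow-list. The zone ranges, jump-host address, allowed ports, log format and sample log lines are all constructed for illustration.

```python
"""Check a connection log against an IT/OT segmentation policy.

Added example, not from the original report. Zone ranges, jump host, allowed
ports, log format and the sample log are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone layout: corporate IT network and the operational control network.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")
# Constructed policy: only this hardened jump host may open sessions into OT,
# and only on these ports; any other IT-to-OT session is a violation.
JUMP_HOST = ipaddress.ip_address("10.10.5.5")
ALLOWED_OT_PORTS = {22, 3389}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'timestamp src dst dport proto' record; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(parts[0], ipaddress.ip_address(parts[1]),
                    ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].lower())
    except ValueError:
        return None


def violates_policy(flow: Flow) -> Optional[str]:
    """Return why this flow breaks the IT-to-OT policy, or None if it is allowed."""
    if flow.src not in IT_ZONE or flow.dst not in OT_ZONE:
        return None  # not an IT-to-OT crossing; out of scope for this policy
    if flow.src != JUMP_HOST:
        return (f"IT host {flow.src} reached OT host {flow.dst}:{flow.dport} "
                f"directly, bypassing the jump host")
    if flow.dport not in ALLOWED_OT_PORTS:
        return f"jump host used non-allowed port {flow.dport} to {flow.dst}"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for every logged flow that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than silently trusting them
        reason = violates_policy(flow)
        if reason:
            findings.append((flow.ts, reason))
    return findings


# Constructed sample log: one compliant jump-host session, two direct IT-to-OT
# sessions from an ordinary workstation, one jump-host session on a port outside
# the allow-list, one IT-to-IT flow (out of scope) and one malformed line.
SAMPLE_LOG = """\
2017-06-01T10:00:00Z 10.10.5.5 10.200.1.10 22 tcp
2017-06-01T10:05:12Z 10.10.42.17 10.200.1.10 3389 tcp
2017-06-01T10:07:30Z 10.10.42.17 10.200.1.22 502 tcp
2017-06-01T10:09:00Z 10.10.5.5 10.200.1.10 502 tcp
2017-06-01T10:10:00Z 10.10.42.17 10.10.9.9 445 tcp
not a flow record
""".splitlines()

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(ts, reason)
```

Run against the sample log, the script reports three violations: the two direct workstation sessions into the control network and the jump-host session on a port outside the allow-list. The same check run continuously over firewall or flow logs is the monitoring counterpart of the segmentation itself: a segmentation boundary that is never audited tends to accumulate exceptions until it no longer separates anything.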
References 1. Symantec [63128] 2. FireEye 3. Dragos 4. Department of Homeland Security 5. FBI

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) one_organization: the same group has compromised the energy sector before. Symantec found that the Dragonfly 2.0 intrusions share many characteristics with the earlier Dragonfly intrusions (also tracked as Energetic Bear, Iron Liberty and Koala) that targeted the US and European energy sectors from 2010 to 2014, and it tracked the new campaign back to at least December 2015, with a significant ramp-up in the first half of 2017, particularly in the US, Turkey and Switzerland [63128]. (b) multiple_organization: the 2017 campaign compromised dozens of energy companies in the US and Europe, with intruders gaining hands-on access to power grid operations at more than one of them [63128]. Separately, the article cites the repeated attacks on the Ukrainian grid that caused power outages in late 2015 and 2016, attributed to the hacker group known as Sandworm, as precedent for grid sabotage [63128].
Phase (Design/Operation) design, operation (a) design: the article's account points to an architectural weakness rather than a coding fault: the energy companies' internet-connected IT networks were not sufficiently separated from their operational controls, so once the intruders had a foothold and harvested credentials they could reach the interfaces power company engineers use to send actual commands to equipment like circuit breakers; the remedy the article discusses is stricter separation between the two [63128]. (b) operation: the intrusions themselves occurred during operation. Spearphishing emails tricked employees into opening malicious attachments, watering hole attacks compromised websites the targets commonly visited, harvested credentials gave the attackers remote access to victims' machines, and existing, unpatched vulnerabilities were exploited with freely available tools, until the attackers had penetrated deep enough to screenshot the actual control panels for their targets' grid operations [63128].
Boundary (Internal/External) within_system, outside_system (a) within_system: the contributing factors inside the victims' own systems were known, unpatched vulnerabilities in existing software and the lack of strict separation between internet-connected IT networks and operational controls, which allowed access gained on the corporate side to extend to the interfaces power company engineers use to send actual commands to equipment like circuit breakers [63128]. (b) outside_system: the primary cause was an external adversary, the group Symantec calls Dragonfly 2.0, which gained entry through spearphishing emails and through watering hole attacks on websites commonly visited by the targets, then used the harvested credentials for remote access to victims' machines [63128]. The attackers relied on freely available tools and existing vulnerabilities rather than previously unknown weaknesses, which also made attribution more difficult [63128].
Nature (Human/Non-human) human_actions, non-human_actions (a) human_actions: the incident was driven by deliberate human action on the attackers' side and by human error on the victims' side. The Dragonfly 2.0 operators crafted spearphishing emails, compromised websites their targets visited, harvested credentials, gained remote access to victims' machines and reached the interfaces used to send commands to equipment like circuit breakers; the article notes they may have been waiting for a strategic opportunity, such as a political event or armed conflict, to cause an electric disruption [63128]. On the victim side, employees opened malicious attachments and visited the compromised sites, which gave the attackers their initial access [63128]. (b) non-human_actions: the non-human contribution was the malware that executed on the victims' machines and the existing software vulnerabilities that the attackers' freely available tools exploited [63128].
Dimension (Hardware/Software) software (a) hardware: no hardware fault is reported. The circuit breakers and other equipment did not fail; they were exposed to unauthorized commands through the software interfaces that control them [63128]. (b) software: the incident was enabled by malware delivered through email attachments and compromised websites and by existing vulnerabilities in the energy companies' software, which together let the attackers gain operational access to power grid operations, potentially leading to blackouts [63128].
Objective (Malicious/Non-malicious) malicious (a) malicious: the incident was a deliberate intrusion campaign by the group Dragonfly 2.0 against dozens of energy companies in the US and Europe, which gained operational access to the interfaces power company engineers use to send actual commands to equipment like circuit breakers, leaving the attackers in a position to induce blackouts on American soil at will [63128]. (b) non-malicious: not applicable. The attackers' use of freely available tools and existing vulnerabilities rather than previously unknown weaknesses, and their focus on stealing passwords and credentials, describe their tradecraft and explain why attribution is difficult; they do not indicate any non-malicious intent [63128].
Intent (Poor/Accidental Decisions) poor_decisions The incident was the product of a deliberate, sophisticated campaign by Dragonfly 2.0, not of anything accidental on the attackers' side: spearphishing emails and watering hole attacks were used to compromise victims' computers, harvest credentials and gain control of the interfaces power company engineers use to send commands to equipment like circuit breakers [63128]. On the defenders' side, the decisions that let the campaign succeed were poor rather than accidental: internet-connected IT networks were not kept strictly separate from operational controls, and known vulnerabilities that freely available tools could exploit were left unpatched [63128].
Capability (Incompetence/Accidental) accidental (a) development_incompetence: the article gives no evidence that a lack of professional competence by the developers of the affected software or control systems caused the incident; the attackers exploited existing vulnerabilities and harvested credentials rather than newly discovered design flaws [63128]. (b) accidental: the initial compromise depended on accidental human error by employees who opened malicious spearphishing attachments or visited watering hole websites the attackers had compromised; those mistakes gave the attackers the credentials and remote access they used to reach power grid operations and position themselves to induce blackouts on American soil [63128].
Duration temporary The failure is temporary rather than permanent: the attackers' operational access to power grid operations, including the ability to stop the flow of electricity into US homes and businesses, resulted from specific intrusions that can be detected and removed, not from an inherent flaw that would persist regardless of external factors [63128]. The exposure was nonetheless prolonged: Symantec tracked the campaign back to at least December 2015, and it ramped up significantly in the first half of 2017 [63128].
Behaviour other (a) crash: The articles do not mention any software failure incident related to a crash where the system loses state and does not perform any of its intended functions. (b) omission: The software failure incident described in the articles does not involve the system omitting to perform its intended functions at an instance(s). (c) timing: The software failure incident does not involve the system performing its intended functions correctly, but too late or too early. (d) value: The software failure incident does not involve the system performing its intended functions incorrectly. (e) byzantine: The software failure incident described in the articles does not involve the system behaving erroneously with inconsistent responses and interactions. (f) other: The software failure incident described in the articles involves a cybersecurity breach where hackers gained hands-on access to power grid operations, potentially being able to induce blackouts on American soil at will. This behavior falls under the category of a security breach rather than a specific software failure mode.
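The spearphishing path described in the Phase and Boundary rows begins with an attachment that an employee opens. The following Python script is an added example, not code from the article or from Symantec: it parses an inbound message with the standard library email module and flags attachments that should never reach an engineer's mailbox, judging by an extension blocklist and by the payload's magic bytes rather than by the declared filename or content type. The sample message, the blocklist, the archive list and the domain names are constructed for illustration.

```python
"""Triage an inbound message for the attachment types used in spearphishing.

Added example, not from the article or Symantec. The sample message, the
blocklist and the domain names are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed policy: attachment types that should never reach an engineer's
# mailbox, and archive containers commonly used to smuggle them past filters.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def attachment_findings(msg: EmailMessage) -> List[str]:
    """Inspect every attachment by extension and by payload magic bytes."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment, detonate in a sandbox: {name}")
        # Trust the bytes, not the filename: a Windows PE executable starts
        # with 'MZ' and a real PDF starts with '%PDF'.
        if payload.startswith(b"MZ"):
            findings.append(f"Windows executable payload in {name}")
        elif ext == ".pdf" and not payload.startswith(b"%PDF"):
            findings.append(f"file named {name} is not a PDF")
    return findings


def triage(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_findings(msg)


def build_sample_message() -> bytes:
    """Constructed lure: a macro-enabled document plus an executable named as a PDF."""
    msg = EmailMessage()
    msg["From"] = "Grid Operations <ops@utility-example.test>"
    msg["To"] = "engineer@utility-example.test"
    msg["Subject"] = "Updated breaker maintenance schedule"
    msg.set_content("Please review the attached schedule before Monday.")
    msg.add_attachment(b"PK\x03\x04 constructed docm body", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="schedule.docm")
    msg.add_attachment(b"MZ\x90\x00 constructed exe body", maintype="application",
                       subtype="octet-stream", filename="schedule.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

On the constructed message the script reports the macro-enabled document by extension and the renamed executable by its magic bytes; the second finding is the one a filename-only filter would miss. At a mail gateway this logic belongs in front of the user, since the article's point is that the campaign needed nothing more exotic than an attachment someone was willing to open.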

IoT System Layer

Layer Option Rationale
Perception actuator, processing_unit, network_communication, embedded_software (a) sensor: the article reports no compromise of or failure in sensors. (b) actuator: the intruders gained control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, so the actuators were exposed to unauthorized commands even though none is reported to have been operated [63128]. (c) processing_unit: the attackers penetrated deep enough to screenshot the actual control panels for their targets' grid operations, indicating control over the hosts running those panels [63128]. (d) network_communication: spearphishing, watering hole attacks and harvested credentials gave the attackers remote access to victims' machines, and from there a network path into the operational systems [63128]. (e) embedded_software: the attackers exploited existing vulnerabilities in software to gain access to power grid operations [63128].
Communication connectivity_level The incident is related to the connectivity level of the cyber-physical system: connectivity between the energy companies' internet-connected IT networks and their operational controls let the attackers, once inside the corporate network, obtain operational access and control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers [63128]. The remedy the article points to, stricter separation between the two networks, is a connectivity-level control [63128].
Application FALSE The incident is not attributed to the application layer of the cyber-physical system. The grid control applications are not reported to have failed through bugs, operating system errors, unhandled exceptions or incorrect usage; they executed as designed for whoever held valid access, and the attackers obtained that access through phishing, harvested credentials and existing software vulnerabilities on the IT side rather than through a fault in the control software itself [63128].

Other Details

Category Option Rationale
Consequence non-human, theoretical_consequence (a) unknown (b) unknown (c) unknown (d) No property damage or financial loss to individuals or organizations is reported; the attackers' operational access could have caused significant damage had they induced blackouts on American soil [63128]. (e) unknown (f) The affected entities were non-human: the power grid operations of energy companies, whose control interfaces the attackers could have used to stop the flow of electricity into US homes and businesses [63128]. (g) unknown (h) The consequences discussed are theoretical: the attackers were positioned to conduct sabotage by flipping the switch on power generation, causing outages and disrupting the stability of the US grid, but no blackout in the US was actually caused [63128]. (i) unknown
Domain utilities (a) The compromised systems support the utilities industry, specifically power grid operations at energy companies in the US and Europe; the intruders gained hands-on access to those operations, including the interfaces power company engineers use to send actual commands to equipment like circuit breakers [63128].
