Published Date: 2018-11-21
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident involving the WannaCry ransomware at Taiwan Semiconductor Manufacturing Company happened in August, as mentioned in the article [77532]. 2. The software failure incident involving the NotPetya attack at Mondelez International and Merck occurred in 2017, as stated in the article [77532]. |
System | 1. Third-party vendor software without pre-screening [77532] 2. Engineer at Taiwan Semiconductor failed to scan software infected with WannaCry ransomware [77532] 3. Outdated Windows XP without updated security [77532] |
Responsible Organization | 1. The software failure incident at Taiwan Semiconductor Manufacturing Company was caused by the negligence of an engineer who failed to scan software infected with the WannaCry ransomware before installing it [77532]. 2. The software failure incident at Merck and Mondelez International was caused by the NotPetya attack, which disrupted their operations and led to significant financial losses [77532]. |
Impacted Organization | 1. Merck & Company [77532] 2. Mondelez International [77532] |
Software Causes | 1. The software failure incident was caused by the WannaCry ransomware infecting the software shipped by a third-party vendor to Taiwan Semiconductor Manufacturing Company, leading to the virus spreading within the company's operating system [77532]. 2. The NotPetya attack caused significant disruptions to the operations of Mondelez International and Merck, affecting their global sales, distribution, financial networks, manufacturing, research, and sales operations [77532]. 3. Outdated software, such as Windows XP without updated security patches, was a vulnerability exploited in the NotPetya attack, highlighting the importance of keeping software up to date to prevent such incidents [77532]. |
Non-software Causes | 1. Negligence in pre-screening software by a third-party vendor and an engineer at Taiwan Semiconductor Manufacturing Company [77532]. 2. Lack of cybersecurity measures and employee training in manufacturing companies [77532]. 3. Use of outdated equipment and systems, such as Windows XP, without updated security patches [77532]. |
Impacts | 1. Taiwan Semiconductor Manufacturing Company experienced a software failure incident when a third-party vendor shipped infected software (WannaCry ransomware) to the chip maker, leading to the virus spreading within the company's operating system. The incident resulted in a few days of recovery time and a potential 2% revenue loss for the third quarter [77532]. 2. Mondelez International and Merck suffered significant losses due to the NotPetya attack in 2017. Mondelez reported a net revenue loss of less than 1% of global net revenues ($103.6 million) and incurred additional expenses of $84 million for recovery efforts. Merck faced a $260 million loss in sales for 2017 and expected an additional loss of $200 million in 2018, with total costs for expenses and remediation amounting to $285 million [77532]. |
Preventions | 1. Implementing fundamental cybersecurity practices such as employee training, two-factor authorization, changing passwords, and securing USB ports to prevent downloading of malicious software could have prevented the software failure incident [77532]. 2. Regularly updating outdated software and operating systems, like Windows XP, to ensure security patches are in place could have prevented the software failure incident [77532]. 3. Segmenting networks to keep systems separate from each other, allowing for regular updates without exposing the entire system to potential breaches, could have prevented the software failure incident [77532]. 4. Adopting whitelisting as a defense mechanism to specify approved software applications that are permitted to be active on a computer system could have prevented the software failure incident [77532]. |
Fixes | 1. Implement fundamental cybersecurity practices such as employee training, two-factor authorization, changing passwords, and securing USB ports to prevent downloading malicious software [77532]. 2. Regularly update outdated equipment and software to prevent vulnerabilities, especially in critical systems like control systems [77532]. 3. Segment networks to keep systems separate and secure, allowing for regular updates without exposing the entire network to potential breaches [77532]. 4. Conduct regular cybersecurity testing by known hackers to identify vulnerabilities and address them promptly [77532]. 5. Adopt whitelisting as a proactive defense mechanism by specifying approved software applications that are permitted to be active on computer systems [77532]. |
References | 1. Thomas Siebel, chairman and chief executive of C3 [77532] 2. Taiwan Semiconductor Manufacturing Company [77532] 3. Mondelez International [77532] 4. Merck [77532] 5. Boeing [77532] 6. Michael Tanenbaum, executive vice president of insurer Chubb [77532] 7. John Reed Stark, president of John Reed Stark Consulting [77532] 8. Manesh Patel, senior vice president and chief information officer of the Sanmina Corporation [77532] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The article mentions that Taiwan Semiconductor Manufacturing Company experienced a software failure incident when a third-party vendor shipped infected software (WannaCry ransomware) to the chip maker, which was then installed and connected to the company's operating system, leading to the spread of the undetected virus [77532]. - Merck and Mondelez International also suffered significant losses in a previous software failure incident involving the NotPetya attack in 2017 [77532]. (b) The software failure incident having happened again at multiple_organization: - The article highlights that various organizations, including financial institutions, retailers, shipping companies, manufacturers like Merck & Company, Mondelez International, and Taiwan Semiconductor Manufacturing Company, have been affected by cyberattacks such as NotPetya, WannaCry, and SamSam [77532]. - Boeing was also mentioned to have been attacked by WannaCry, indicating that multiple organizations have faced similar software failure incidents [77532]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the case of the Taiwan Semiconductor Manufacturing Company. An engineer at Taiwan Semiconductor failed to scan the software, which was infected with the WannaCry ransomware, installed it, and then connected it to the company’s operating system. This failure in the design phase, where the software was not pre-screened before installation, led to the spread of the undetected virus within the company's systems [77532]. (b) The software failure incident related to the operation phase is evident in the case of Mondelez International and Merck. Mondelez stated that the malware affected a significant portion of their global sales, distribution, and financial networks, leading to net revenue loss and incremental expenses during the recovery effort. Similarly, Merck experienced a disruption of its worldwide operations, including manufacturing, research, and sales operations, resulting in significant losses in sales and additional costs for expenses and remediation [77532]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident at Taiwan Semiconductor Manufacturing Company was caused by a failure within the system. A third-party vendor shipped software infected with the WannaCry ransomware to the chip maker. An engineer at Taiwan Semiconductor failed to scan the software, installed it, and connected it to the company's operating system, leading to the undetected virus spreading within the system [77532]. (b) outside_system: The software failure incidents at Mondelez International and Merck, caused by the NotPetya attack, were due to contributing factors originating from outside the system. The malware affected a significant portion of their global operations, leading to disruptions in sales, distribution, and financial networks. The attack resulted in substantial revenue losses and additional expenses for both companies [77532]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: The incident at Taiwan Semiconductor Manufacturing Company was a result of a third-party vendor shipping software infected with the WannaCry ransomware, which was then installed by an engineer without proper scanning, leading to the virus spreading within the company's operating system [77532]. The vulnerability with the NotPetya attack was attributed to outdated Windows XP for which there hadn't been updated security, highlighting the role of outdated technologies in exposing systems to attacks [77532]. (b) The software failure incident occurring due to human actions: The incident at Taiwan Semiconductor Manufacturing Company was acknowledged by the chief executive as "purely our own act of negligence" for failing to pre-screen the software and scan it before installation, leading to the introduction of the WannaCry ransomware into the company's systems [77532]. The articles also mention that employees in manufacturing are more susceptible to phishing attacks, with 50% of manufacturing losses in 2018 resulting from phishing attacks or spear phishing, indicating a human factor in introducing vulnerabilities to the systems [77532]. |
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident related to hardware can be seen in the case of the NotPetya attack on Merck and Mondelez International. The outdated Windows XP system at Merck was a vulnerability that contributed to the attack, as there hadn't been updated security for it [77532]. Additionally, the article mentions the risk of ransomware attacks taking down entire production lines if manufacturers don't update security on their equipment, highlighting a hardware-related vulnerability [77532]. (b) The software failure incident related to software itself is evident in the case of the Taiwan Semiconductor Manufacturing Company. The company suffered a ransomware attack due to a third-party vendor shipping infected software that was not pre-screened, leading to the installation of the WannaCry ransomware on the company's operating system [77532]. This incident showcases a failure originating in the software itself. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incidents mentioned in the articles are primarily malicious in nature. The incidents involve cyberattacks such as NotPetya, WannaCry, and SamSam, which were designed to harm the targeted systems. These attacks affected companies like Merck & Company, Mondelez International, and Taiwan Semiconductor Manufacturing Company, leading to significant financial losses and operational disruptions [77532]. The attacks were carried out with the intent to extort money, steal intellectual property, or disrupt operations, showcasing malicious motives behind the software failures. The incidents highlight the increasing vulnerability of manufacturers to cyber threats and the significant impact of such malicious attacks on businesses. (b) The articles do not provide information about non-malicious software failure incidents. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) poor_decisions: The software failure incidents mentioned in the articles were primarily attributed to poor decisions made by the companies involved. For example, Taiwan Semiconductor Manufacturing Company experienced a ransomware attack after a third-party vendor shipped infected software without pre-screening it, and an engineer failed to scan the software before installing it [77532]. Similarly, Merck and Mondelez International suffered significant losses due to the NotPetya attack, with Merck reporting a disruption in worldwide operations, including manufacturing, research, and sales operations [77532]. These incidents highlight the consequences of poor decisions related to cybersecurity practices within these organizations. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident mentioned in the articles can be attributed to development incompetence. For example, the incident at Taiwan Semiconductor Manufacturing Company occurred because a third-party vendor shipped software infected with the WannaCry ransomware without proper screening. An engineer at the company failed to scan the software, leading to the virus spreading within the company's operating system [77532]. (b) Additionally, the incident at Taiwan Semiconductor was described as "purely our own act of negligence" by the company's chief executive, C.C. Wei. This acknowledgment suggests that the failure was accidental and not intentional [77532]. |
Duration | permanent, temporary | The software failure incidents described in the articles can be categorized as both permanent and temporary: (a) Permanent: The incident at Merck due to the NotPetya attack led to a disruption of its worldwide operations, including manufacturing, research, and sales operations, resulting in a significant loss in sales for 2017 and an expected additional loss for 2018 [77532]. (b) Temporary: The incident at Taiwan Semiconductor Manufacturing Company, where the WannaCry ransomware infected their systems due to negligence in scanning software, resulted in a temporary shutdown of production. However, the company was able to recover fully within a few days and fulfill delayed orders to offset revenue losses [77532]. |
Behaviour | crash, omission, value | (a) crash: The article mentions a software failure incident where a third-party vendor shipped software infected with the WannaCry ransomware to Taiwan Semiconductor Manufacturing Company. An engineer at the company failed to scan the software, which led to the virus spreading and causing a system crash [77532]. (b) omission: The article discusses how the NotPetya attack affected companies like Mondelez International and Merck, disrupting their global sales, distribution, and financial networks. This omission to perform intended functions resulted in significant revenue losses and additional expenses for the companies [77532]. (c) timing: The article does not specifically mention a software failure incident related to timing issues. (d) value: The software failure incident involving the WannaCry ransomware at Taiwan Semiconductor Manufacturing Company resulted in the system performing its intended functions incorrectly, leading to the spread of the virus and subsequent disruptions [77532]. (e) byzantine: The article does not describe a software failure incident related to a byzantine behavior. (f) other: The article does not provide information on a software failure incident with a behavior not covered in the options. |
Layer | Option | Rationale |
---|---|---|
Perception | sensor, actuator, network_communication, embedded_software | (a) sensor: The article mentions vulnerabilities in manufacturing equipment, such as outdated technologies like Windows XP, which can lead to exposure. For example, the NotPetya attack exploited outdated Windows XP systems for which security updates were not applied, highlighting a sensor-related vulnerability [77532]. (b) actuator: The article discusses the importance of segmenting systems on a network to prevent potential breaches from vendors. Segmenting helps keep systems separate, allowing vendors to update their equipment without accessing other parts of the system, which can be related to actuator-related vulnerabilities [77532]. (c) processing_unit: The article does not provide specific information related to failures introduced by errors in the processing unit. (d) network_communication: The article highlights the risks associated with network communication, such as phishing attacks or spear phishing, which can disrupt a company. It also mentions the potential for ransomware attacks to take down entire production lines if security updates are not applied, emphasizing network communication vulnerabilities [77532]. (e) embedded_software: The article mentions a specific incident where a third-party vendor shipped software infected with the WannaCry ransomware to Taiwan Semiconductor Manufacturing Company. An engineer at the company failed to scan the software, leading to the infection spreading, indicating a failure related to embedded software [77532]. |
Communication | unknown | The articles do not provide specific information about a software failure incident related to the communication layer of the cyber physical system that failed. |
Application | FALSE | Article 77532 does not provide specific details about the software failure incident being related to the application layer of the cyber physical system. Therefore, it is unknown whether the failure was specifically related to the application layer based on the information provided in the article. |
Category | Option | Rationale |
---|---|---|
Consequence | property, non-human | (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident involving the NotPetya attack affected companies like Mondelez International and Merck, resulting in significant financial losses. Mondelez reported a net revenue loss of $103.6 million, along with incremental expenses of $84 million for recovery efforts [77532]. - Merck stated in its SEC filings that the attack led to a disruption of its worldwide operations, including manufacturing, research, and sales operations, resulting in a $260 million loss in sales for 2017 and expected additional losses for 2018. The total costs for expenses and remediation were $285 million [77532]. |
Domain | manufacturing, finance | (a) The software failure incident mentioned in the articles affected the production and distribution of information in the manufacturing industry. The incident involved cyberattacks on companies like Merck & Company and Mondelez International, leading to disruptions in their global sales, distribution, and financial networks [77532]. (b) There is no specific mention of the transportation industry being impacted by the software failure incident. (c) There is no specific mention of the natural resources industry being impacted by the software failure incident. (d) The software failure incident did not directly involve the sales industry, but it did impact the financial aspects of companies like Mondelez International and Merck & Company due to the disruptions caused by cyberattacks [77532]. (e) There is no specific mention of the construction industry being impacted by the software failure incident. (f) The software failure incident primarily affected the manufacturing industry, with companies like Merck & Company and Mondelez International experiencing significant losses due to cyberattacks on their operations [77532]. (g) There is no specific mention of the utilities industry being impacted by the software failure incident. (h) The software failure incident indirectly impacted the finance industry through the financial losses incurred by companies like Mondelez International and Merck & Company as a result of cyberattacks on their systems [77532]. (i) There is no specific mention of the knowledge industry being impacted by the software failure incident. (j) There is no specific mention of the health industry being impacted by the software failure incident. (k) There is no specific mention of the entertainment industry being impacted by the software failure incident. (l) There is no specific mention of the government industry being impacted by the software failure incident. (m) The software failure incident was related to the manufacturing industry, and there is no mention of it being related to any other industry [77532]. |
Article ID: 77532