Incident: F-35 Lightning II Software Vulnerabilities and Gun Accuracy Issues

Published Date: 2020-01-30

Postmortem Analysis
Timeline
1. The software failure incident with the F-35 Lightning II's software vulnerabilities and gun accuracy issues was reported in the article published on 2020-01-30 [94788].
2. The incident timeline estimation:
   - Step 1: The article mentions that the number of software deficiencies totaled 873 as of November, and the report was published in January.
   - Step 2: The article was published on 2020-01-30.
   - Step 3: The incident likely occurred in November of the previous year, which would be November 2019.

System
1. F-35 Lightning II's software system
2. Internally mounted 25mm Gatling gun system on Air Force models of the F-35
3. Mounts on the guns of Air Force models of the F-35
4. Cybersecurity vulnerabilities in the F-35 Lightning II's software system [94788]

Responsible Organization
1. Lockheed Martin - The software failure incident with the F-35 Lightning II, including software vulnerabilities and gun accuracy issues, was reported in a new Pentagon report on issues with Lockheed Martin's program [94788].

Impacted Organization
1. The Air Force was impacted by the software failure incident related to the F-35 Lightning II's internally mounted 25mm Gatling gun accuracy issues and software vulnerabilities [94788].

Software Causes
1. The F-35 Lightning II program reported a total of 873 software deficiencies as of November, indicating software vulnerabilities [94788].
2. The report mentioned a number of cybersecurity vulnerabilities that were identified in previous reports but have not yet been resolved, pointing to software security weaknesses [94788].

Non-software Causes
1. Misalignments in the internally mounted 25mm Gatling gun causing 'unacceptable' accuracy issues [94788]
2. Cracking mounts on the guns leading to restrictions on gun use [94788]

Impacts
1. The F-35 Lightning II program reported having 873 software deficiencies as of November, which could potentially impact safety or combat capability [94788].
2. The software vulnerabilities identified in the F-35 program have not yet been resolved, leaving the aircraft susceptible to cybersecurity threats [94788].

Preventions
1. Implementing thorough software testing procedures to identify and address software vulnerabilities before deployment [94788].
2. Regularly updating and patching software to address known vulnerabilities and cybersecurity issues [94788].
3. Conducting comprehensive cybersecurity assessments to identify and mitigate potential risks [94788].
4. Ensuring proper alignment and maintenance of software components to prevent accuracy issues and malfunctions [94788].

Fixes
1. Addressing the 873 software deficiencies identified in the report by the Defense Department's director of operational test and evaluation [94788].
2. Resolving the cybersecurity vulnerabilities that were identified in previous reports but have not yet been fixed [94788].

References
1. Pentagon's test office report obtained by Bloomberg [94788]
2. Defense Department's director of operational test and evaluation [94788]
3. Brett Ashworth, spokesman for Lockheed Martin [94788]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the F-35 Lightning II program has occurred within the same organization, Lockheed Martin. The Pentagon report highlighted that the F-35 program has faced issues with software vulnerabilities and guns that don't shoot straight [94788]. Lockheed Martin, the manufacturer of the F-35, acknowledged that the aircraft continues to mature but did not directly address the specific software vulnerabilities and gun accuracy issues mentioned in the report.
(b) The software failure incident related to the F-35 Lightning II program has also affected multiple organizations that have purchased the aircraft, including the US, UK, Australia, and Netherlands. The issues identified in the Pentagon report, such as software deficiencies and cybersecurity vulnerabilities, will need to be addressed in the already-delivered planes, which are running six different versions of software [94788].

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The article mentions that the F-35 Lightning II program has hundreds of software vulnerabilities identified in a Pentagon report. The report from the Defense Department's director of operational test and evaluation highlights 13 'must-fix' problems that affect safety or combat capability, indicating issues introduced during the design and development phases [94788].
(b) The article does not provide specific information about software failure incidents related to operation or misuse of the system.

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) The software failure incident related to the F-35 Lightning II program includes hundreds of software vulnerabilities identified within the system itself. The Pentagon report mentioned in the article highlights that the F-35 program had a total of 873 software deficiencies as of November, indicating issues originating from within the system [94788]. Additionally, the report also mentions cybersecurity vulnerabilities that were identified in previous reports but have not yet been resolved, further emphasizing internal software weaknesses [94788].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident related to non-human actions in the F-35 Lightning II program includes the presence of hundreds of software vulnerabilities and issues with the accuracy of the internally mounted 25mm Gatling gun due to misalignments and cracking mounts [94788].
(b) The software failure incident related to human actions in the F-35 Lightning II program involves the identification of 13 'must-fix' problems that affect safety or combat capability, as well as the presence of cybersecurity vulnerabilities that have been identified in previous reports but have not yet been resolved [94788].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware:
   - The article mentions that the F-35 Lightning II program has issues with the internally mounted 25mm Gatling gun, including misalignments and cracking mounts, which are hardware-related problems affecting the gun's accuracy and functionality [94788].
(b) The software failure incident related to software:
   - The article highlights that the F-35 program has hundreds of software vulnerabilities, with the number of software deficiencies totaling 873 as of November [94788].
   - Additionally, the report identifies cybersecurity vulnerabilities that have been previously reported but remain unresolved, indicating software-related weaknesses in the system [94788].

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The articles do not mention any malicious software failure incidents related to the F-35 Lightning II program.
(b) The software failure incidents mentioned in the articles are non-malicious in nature. The issues reported include software deficiencies, cybersecurity vulnerabilities, and guns with accuracy problems and misalignments. These failures are not attributed to malicious intent but rather to technical issues and flaws in the system [94788].

Category: Intent (Poor/Accidental Decisions)
Option: accidental_decisions
Rationale:
(a) The software failure incident related to the F-35 Lightning II program does not seem to be directly attributed to poor decisions. The issues mentioned in the articles primarily focus on software vulnerabilities, guns' accuracy problems, and cybersecurity vulnerabilities. There is no explicit mention of poor decisions leading to the software failures ([94788]).
(b) The software failure incident related to the F-35 Lightning II program appears to be more aligned with accidental decisions or unintended consequences rather than deliberate poor decisions. The issues mentioned in the articles point towards technical challenges such as software deficiencies, misalignments in the Gatling gun, and cybersecurity vulnerabilities that were identified but not yet resolved. These issues seem to stem from technical complexities and challenges rather than deliberate poor decisions ([94788]).

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, unknown
Rationale:
(a) The software failure incident related to development incompetence is evident in the article as it mentions that the F-35 Lightning II program has hundreds of software vulnerabilities [94788]. Additionally, the report from the Defense Department's director of operational test and evaluation identified 13 'must-fix' problems that affect safety or combat capability, indicating issues that should have been addressed during the development phase [94788].
(b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article.

Category: Duration
Option: unknown
Rationale: The articles do not provide specific information about the duration of the software failure incident related to the F-35 Lightning II's software vulnerabilities and other issues. Therefore, it is unknown whether the software failure incident was permanent or temporary based on the information available in the articles.

Category: Behaviour
Option: crash
Rationale:
(a) crash: The article mentions that the F-35 Lightning II program had software deficiencies totaling 873 as of November, down from 917 a year earlier. This indicates that the software may have experienced crashes or failures leading to deficiencies in its operation [94788].
(b) omission: The article does not specifically mention any instances of the software omitting to perform its intended functions.
(c) timing: The article does not mention any instances of the software performing its intended functions too late or too early.
(d) value: The article does not provide direct information about the software performing its intended functions incorrectly.
(e) byzantine: The article does not mention any instances of the software behaving erroneously with inconsistent responses and interactions.
(f) other: The article does not provide information on any other specific behavior of the software failure incident.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category: Consequence
Option: non-human
Rationale:
(a) death: There is no mention of any deaths resulting from the software failure incident in the provided article [94788].
(b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [94788].
(c) basic: The article does not indicate any impact on people's access to food or shelter due to the software failure incident [94788].
(d) property: The software failure incident did not result in any direct impact on people's material goods, money, or data as per the article [94788].
(e) delay: There is no mention of any activities being postponed due to the software failure incident in the article [94788].
(f) non-human: The software failure incident did impact the F-35 Lightning II aircraft, specifically its guns, as mentioned in the article [94788].
(g) no_consequence: The article does not state that there were no real observed consequences of the software failure incident [94788].
(h) theoretical_consequence: The article discusses potential consequences such as cybersecurity vulnerabilities and software deficiencies that could impact safety or combat capability but does not mention any actual occurrences of these consequences [94788].
(i) other: The article does not describe any other specific consequences of the software failure incident [94788].

Category: Domain
Option: government
Rationale:
(a) The failed system in this incident is related to the defense industry, specifically the F-35 Lightning II program developed by Lockheed Martin for military purposes. The software vulnerabilities and issues with the guns of the F-35 were reported by the Pentagon's test office, highlighting problems within the defense sector [94788].
