Incident: Ransomware EKANS Targets Industrial Control Systems, Causes Data Encryption.

Published Date: 2020-02-03

Postmortem Analysis
Timeline:
1. The software failure incident involving the EKANS ransomware targeting industrial control systems happened in late December, as Bapco was reportedly hit with Iranian wiper malware known as Dustman just days before the US assassination of Iranian general Qassem Soleimani raised tensions with Iran to the breaking point [95918].
2. Published on 2020-02-03, the incident likely occurred in late December 2019.

System:
1. Industrial control systems, including software and hardware used in oil refineries, power grids, and manufacturing facilities [95918]

Responsible Organization:
1. It is unknown who was responsible for causing the software failure incident described in the article [95918].

Impacted Organization:
1. Bapco, Bahrain's national oil company [95918]

Software Causes:
1. The software cause of the failure incident was the ransomware known as EKANS, which specifically targeted industrial control systems by terminating 64 different software processes on victim computers, including those specific to industrial control systems, encrypting the data, and holding it hostage [95918].

Non-software Causes:
1. Iranian state-sponsored hackers targeting industrial control systems [95918]

Impacts:
1. The software failure incident involving the EKANS ransomware targeted industrial control systems, terminating 64 different software processes on victim computers, including those specific to industrial control systems, leading to the encryption of data and holding it hostage [95918].
2. The incident disrupted the functionality of critical software used in industrial settings, such as GE's Proficy software, which is a "data historian" program, and the mechanism that checks for a customer's paid license for GE's Fanuc automation software, among others [95918].
3. The ransomware attack decreased the victim's visibility and understanding of their environment by taking out critical functionality, potentially leading to dangerous consequences if certain automation software couldn't function without a license [95918].
4. The incident highlighted the increasing willingness and ability of non-state actors, such as cybercriminals, to significantly impact or impair critical infrastructure entities, signaling a shift in industrial hacking tactics towards common criminals for profit [95918].

Preventions:
1. Implementing robust cybersecurity measures such as network segmentation, intrusion detection systems, and regular security audits to detect and prevent malware attacks targeting industrial control systems [95918].
2. Regularly updating and patching software systems to address vulnerabilities that could be exploited by ransomware like EKANS and Megacortex [95918].
3. Educating employees on cybersecurity best practices to prevent phishing attacks and unauthorized access to critical systems [95918].

Fixes:
1. Enhancing cybersecurity measures for industrial control systems to prevent malware attacks like EKANS and Megacortex [95918].
2. Implementing robust backup and recovery systems to mitigate the impact of ransomware attacks on critical infrastructure [95918].
3. Developing and deploying advanced threat detection and response mechanisms to identify and neutralize malware targeting industrial control systems [95918].

References:
1. Vitali Kremez, researcher at Sentinel One [95918]
2. Malware Hunter Team [95918]
3. Joe Slowik, researcher at Dragos [95918]
4. Israeli security firm Otorio [95918]
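The behaviour described above (a burst of process terminations that includes ICS-specific software, followed by data encryption) is exactly the kind of host-level sequence that the "advanced threat detection" listed under Fixes can key on. The following is an added example, not code from the source article or from any vendor product: a small detector that scans constructed endpoint telemetry for a host with many distinct process terminations in a short window, at least one of which looks ICS-related, followed by a burst of file renames. The log line format, the process names (stand-ins for the GE Proficy historian and Fanuc license-check software the article names), the ".enc" extension and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: flag an EKANS-style kill-then-encrypt sequence in endpoint telemetry.
Everything here (log format, process names, thresholds, sample data) is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KILL_WINDOW = timedelta(seconds=60)     # distinct terminations are counted inside this window
MIN_KILLS = 8                           # assumed threshold; tune to the fleet's normal churn
RENAME_WINDOW = timedelta(seconds=120)  # file renames are counted after the kill burst ends
MIN_RENAMES = 15                        # assumed threshold for an "encryption-like" burst

# Illustrative substrings for ICS-related process names (an assumption, not a vendor list).
ICS_PROCESS_HINTS = ("proficy", "fanuc", "historian", "licens")

# Assumed telemetry line shape: "<iso-timestamp> host=<name> event=<type> name=<detail>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) name=(.+)$")


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, name = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "name": name}


def is_ics_process(name):
    return any(hint in name.lower() for hint in ICS_PROCESS_HINTS)


def kill_bursts(events):
    """Return {host: (burst_end_ts, names)} for hosts whose largest sliding window of
    KILL_WINDOW length contains at least MIN_KILLS distinct terminated process names."""
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "process_terminated":
            per_host[e["host"]].append(e)
    found = {}
    for host, kills in per_host.items():
        kills.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(kills)):
            while kills[end]["ts"] - kills[start]["ts"] > KILL_WINDOW:
                start += 1
            names = {k["name"] for k in kills[start:end + 1]}
            if len(names) >= MIN_KILLS and (best is None or len(names) > len(best[1])):
                best = (kills[end]["ts"], names)
        if best:
            found[host] = best
    return found


def detect(lines):
    """Return one finding per host that shows a kill burst followed by a rename burst."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for host, (burst_end, names) in kill_bursts(events).items():
        renames = [e for e in events
                   if e["host"] == host and e["event"] == "file_renamed"
                   and burst_end <= e["ts"] <= burst_end + RENAME_WINDOW]
        if len(renames) >= MIN_RENAMES:
            findings.append({"host": host, "killed": len(names),
                             "ics_processes": sorted(n for n in names if is_ics_process(n)),
                             "renames": len(renames)})
    return findings


def build_sample():
    """Constructed telemetry: one compromised HMI, one busy-but-benign engineering box,
    and one host where a patch reboot kills many processes but nothing gets encrypted."""
    base = datetime(2020, 1, 15, 2, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    killed = ["ProficyHistorian.exe", "FanucLicenseCheck.exe", "sqlservr.exe", "msmdsrv.exe",
              "BackupAgent.exe", "AvService.exe", "OpcServer.exe", "HmiRuntime.exe",
              "Outlook.exe", "Excel.exe"]  # assumed names, not real EKANS targets
    for i, name in enumerate(killed):
        lines.append(f"{stamp(i * 2)} host=hmi-01 event=process_terminated name={name}")
    for i in range(20):
        lines.append(f"{stamp(30 + i * 2)} host=hmi-01 event=file_renamed name=C:\\data\\hist{i}.dat.enc")
    for i, name in enumerate(["spooler.exe", "updater.exe"]):
        lines.append(f"{stamp(i * 5)} host=eng-02 event=process_terminated name={name}")
        lines.append(f"{stamp(40 + i)} host=eng-02 event=file_renamed name=C:\\reports\\q{i}.xlsx")
    for i in range(9):
        lines.append(f"{stamp(i)} host=srv-03 event=process_terminated name=svc{i}.exe")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for finding in detect(build_sample()):
        print(finding)
```

Only the host that shows both halves of the sequence is reported; a patch reboot that kills many processes without a rename burst, and ordinary file renames without a kill burst, are left alone. In a real deployment the process-name hints would come from an inventory of the site's own ICS software and the thresholds from baselining, and the alert would go to the OT operators as well as the SOC, since the article's point is that losing the historian or a license check can itself be a safety problem.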

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization: The article mentions that Bapco, Bahrain's national oil company, was likely a victim of the EKANS ransomware attack. This incident is significant because Bapco was reportedly hit with Iranian wiper malware known as Dustman just days before the EKANS attack [95918].
(b) The software failure incident having happened again at multiple_organization: The article discusses how EKANS is the second ransomware to hit industrial control systems, with the first being Megacortex. Both ransomware strains included industrial control system process-killing features, indicating that similar incidents have occurred at multiple organizations [95918].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the case of the EKANS ransomware, which specifically targets industrial control systems. The malware is designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. This action disrupts the software used to monitor critical infrastructure, potentially leading to dangerous consequences by preventing staff from remotely monitoring or controlling equipment operations [95918].
(b) The software failure incident related to the operation phase is evident in the impact of the EKANS ransomware on industrial control systems. By encrypting data and terminating specific software processes, EKANS disrupts the operation of critical infrastructure systems, such as oil refineries, power grids, and manufacturing facilities. This disruption can decrease the victim's visibility and understanding of their environment, potentially leading to loss of control situations that could become dangerous [95918].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The software failure incident described in the article is within_system. The malware sample called EKANS is specifically designed to target industrial control systems by terminating 64 different software processes on victim computers, including those specific to industrial control systems. This action allows EKANS to encrypt the data that those control system programs interact with, potentially disrupting the monitoring and control of critical infrastructure like oil refineries, power grids, and manufacturing facilities [95918].

Category: Nature (Human/Non-human)
Option: non-human_actions
Rationale:
(a) The software failure incident in Article 95918 is related to non-human actions. The incident involves a piece of malware called EKANS that specifically targets industrial control systems by terminating software processes, encrypting data, and holding it hostage for ransom. This malicious code is designed to disrupt the operations of industrial facilities by manipulating software processes without direct human involvement [95918].
(b) The incident does not involve failure due to contributing factors introduced by human actions.

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident related to hardware: The incident described in the article is primarily related to software failure rather than hardware failure. The malware, EKANS, specifically targets industrial control systems by killing software processes and encrypting data, which are software-related actions. The focus is on how the malware affects the software processes and data within these systems, rather than any hardware components being directly affected [95918].
(b) The software failure incident related to software: The software failure incident described in the article is directly related to software. The malware, EKANS, is designed to target industrial control systems by terminating specific software processes, encrypting data, and holding it hostage. This incident is a result of malicious software actions that impact the functionality and integrity of software processes within industrial control systems [95918].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The objective of the software failure incident was malicious, as the incident involved a piece of ransomware called EKANS specifically designed to target industrial control systems with the intent to harm the systems by encrypting data and holding it hostage [95918]. The ransomware terminated 64 different software processes on victim computers, including those specific to industrial control systems, which could potentially have dangerous consequences by preventing staff from remotely monitoring or controlling equipment operation [95918].
(b) The incident was not non-malicious, as the ransomware EKANS was intentionally designed to target industrial control systems and disrupt their operations for financial gain, rather than being a result of unintentional contributing factors [95918].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale: The intent of the software failure incident discussed in the articles appears to be a combination of poor decisions and accidental decisions.
1. The incident involves the deployment of ransomware known as EKANS, which specifically targets industrial control systems by encrypting data and demanding payment for its release [95918].
2. The malware is designed to terminate specific software processes on victim computers, including those crucial for industrial control systems, leading to potential dangerous consequences such as preventing staff from monitoring or controlling equipment operations [95918].
3. The malware's targeting of industrial control systems, which are high-value targets with a lot to lose if they go offline, suggests a deliberate intent to disrupt critical infrastructure for financial gain [95918].
4. While the specific motivation behind the ransomware attack is not definitively attributed to state-sponsored hackers or cybercriminals seeking profit, the targeting of industrial control systems indicates a strategic decision to impact essential operations [95918].
Therefore, the software failure incident involves poor decisions in the form of deliberate targeting of critical infrastructure for ransom, as well as accidental decisions in terms of the potential unintended consequences and dangers posed by disrupting industrial control systems.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, unknown
Rationale:
(a) The software failure incident related to development incompetence is evident in the case of the EKANS ransomware targeting industrial control systems. The malware was specifically designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems, leading to the encryption of data that those control system programs interact with [95918]. This targeted attack on critical infrastructure highlights the consequences of development incompetence in creating vulnerabilities that can be exploited by malicious actors.
(b) The accidental aspect of the software failure incident is not explicitly mentioned in the provided article.

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident described in the articles is more likely to be temporary rather than permanent. The incident involves a piece of ransomware called EKANS that targets industrial control systems by encrypting data and terminating specific software processes, including those crucial for industrial operations [95918]. This type of ransomware aims to hold data hostage and demand payment for its release, indicating that the failure is temporary and can potentially be resolved by addressing the ransomware attack.

Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident described in the article involves a form of ransomware called EKANS that targets industrial control systems. EKANS is designed to terminate 64 different software processes on victim computers, including those specific to industrial control systems. This termination of critical software processes can lead to a crash in the system, preventing staff from remotely monitoring or controlling the equipment's operation [95918].
(b) omission: The ransomware EKANS encrypts data and displays a note to victims demanding payment to release it. By encrypting data and terminating specific software processes, EKANS can cause the system to omit performing its intended functions, such as monitoring infrastructure like oil pipelines or factory robots [95918].
(c) timing: The incident does not specifically mention any failures related to timing issues where the system performs its intended functions but at incorrect times.
(d) value: The software failure incident involves the ransomware EKANS encrypting data and terminating critical software processes, leading to the system performing its intended functions incorrectly. This can result in a decrease in the victim's visibility and understanding of their environment, potentially causing dangerous consequences if certain software dependencies are disrupted [95918].
(e) byzantine: The incident does not describe the software failure incident as exhibiting byzantine behavior with inconsistent responses and interactions.
(f) other: The software failure incident involves ransomware targeting industrial control systems, which is a unique form of attack that can lead to a variety of consequences beyond the typical ransomware attacks on regular systems. The incident highlights the potential for significant impacts on critical infrastructure entities and the increasing willingness of non-state actors to target industrial control systems for profit [95918].

IoT System Layer

Layer: Perception
Option: sensor, actuator, processing_unit, embedded_software
Rationale:
(a) sensor: The article mentions that the malware EKANS is designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. This could potentially impact the software used to monitor infrastructure, such as an oil firm's pipelines or a factory's robots, which rely on sensor data [95918].
(b) actuator: The article discusses how EKANS targets industrial control systems by terminating specific software processes, which could include those related to actuator control in manufacturing facilities. The malware's actions could disrupt the control and operation of equipment managed by actuator systems [95918].
(c) processing_unit: The malware EKANS is designed to terminate various software processes on victim computers, including those specific to industrial control systems. This could impact the processing unit's ability to function properly and interact with control system programs [95918].
(d) network_communication: The article does not explicitly mention network communication errors as a contributing factor to the software failure incident discussed.
(e) embedded_software: The article highlights that EKANS targets industrial control systems by terminating specific software processes, including those used by various industrial software programs like GE's Proficy software, Fanuc automation software, and others. This could impact the functionality of embedded software within these systems [95918].

Layer: Communication
Option: connectivity_level
Rationale: The software failure incident described in the articles is related to the communication layer of the cyber-physical system that failed at the connectivity level. The incident involved a piece of ransomware called EKANS that specifically targeted industrial control systems by terminating 64 different software processes on victim computers, including many that are specific to industrial control systems. This action allowed the ransomware to encrypt the data that those control system programs interact with, potentially disrupting the monitoring and control of critical infrastructure like oil pipelines or factory robots [95918].

Layer: Application
Option: TRUE
Rationale: The software failure incident described in the article [95918] is related to the application layer of the cyber-physical system. The incident involves a piece of malware called EKANS that specifically targets industrial control systems by terminating 64 different software processes on victim computers, including those specific to industrial control systems. This action disrupts the software used to monitor infrastructure, potentially causing dangerous consequences by preventing staff from remotely monitoring or controlling equipment operation. The malware encrypts data and demands ransom for its release, indicating a failure at the application layer due to malicious code introducing bugs and errors into the system.

Other Details

Category: Consequence
Option: property, delay, non-human, theoretical_consequence
Rationale:
(a) death: The articles do not mention any direct consequences of people losing their lives due to the software failure incident [95918].
(b) harm: The articles do not mention any direct physical harm to individuals due to the software failure incident [95918].
(c) basic: The articles do not mention any impact on people's access to food or shelter due to the software failure incident [95918].
(d) property: The software failure incident resulted in the encryption of data and the potential loss of control over industrial equipment, which could impact property in terms of data and operational control [95918].
(e) delay: The incident may have caused delays in monitoring and controlling industrial equipment due to the software processes being terminated and data being encrypted [95918].
(f) non-human: Non-human entities, specifically industrial control systems like oil refineries, power grids, and manufacturing facilities, were directly impacted by the software failure incident. The incident targeted industrial control system software and hardware [95918].
(g) no_consequence: The articles do not mention that there were no real observed consequences of the software failure incident [95918].
(h) theoretical_consequence: The articles discuss potential consequences of the software failure incident, such as the disruption of infrastructure monitoring and control, potential loss of control over equipment, and the possibility of dangerous situations arising from disrupted licensing checks in automation software [95918].
(i) other: The articles do not mention any other specific consequences of the software failure incident beyond those related to property, delay, non-human entities, and theoretical consequences [95918].

Category: Domain
Option: information, manufacturing, utilities
Rationale:
(a) The failed system was intended to support the information industry, specifically targeting industrial control systems used in various sectors such as oil refineries, power grids, and manufacturing facilities [95918].
(b) The transportation industry was not specifically mentioned in the article.
(c) The failed system did not directly support the extraction of natural resources.
(d) The failed system was not related to the sales industry.
(e) The failed system was not directly related to the construction industry.
(f) The failed system was intended to support the manufacturing industry, as it targeted industrial control systems used in manufacturing facilities [95918].
(g) The failed system was intended to support the utilities industry, as it targeted industrial control systems used in power grids [95918].
(h) The failed system was not directly related to the finance industry.
(i) The failed system was not directly related to the knowledge industry.
(j) The failed system was not directly related to the health industry.
(k) The failed system was not directly related to the entertainment industry.
(l) The failed system was not directly related to the government industry.
(m) The failed system was related to the industrial sector, specifically targeting industrial control systems used in various critical infrastructure sectors [95918].

Sources
