Incident: State-Sponsored Cyberattacks Targeting American Oil and Gas Pipelines.

Published Date: 2021-07-26

Postmortem Analysis
Timeline 1. According to the declassified Department of Homeland Security report cited in the article, Chinese-backed hackers targeted and breached oil and gas pipeline operators from 2011 to 2013 [116379]. 2. The incident timeline can be estimated as follows: - Step 1: The article states that the attacks took place from 2011 to 2013. - Step 2: The article was published on 2021-07-26, when the report was declassified. - Step 3: The intrusions therefore occurred between 2011 and 2013; the Colonial Pipeline ransomware attack and the security directive that the article uses for context date from May 2021, shortly before publication.
System 1. Industrial control networks running the pipelines [116379] 2. Corporate email systems, the entry point for the spear phishing attacks [116379] 3. Remote access systems linking pipeline operators and their service providers to control systems, such as Telvent's remote access to its clients' systems [116379]
Responsible Organization 1. Chinese state-backed hackers, who targeted and breached the companies that own and operate the pipelines [116379].
Impacted Organization 1. American oil and gas pipeline operators: 13 of the 23 natural gas pipeline operators targeted between 2011 and 2013 were compromised and three more were near misses [116379]. Colonial Pipeline, which the article uses for context, was hit separately by the 2021 ransomware attack rather than by the Chinese campaign [116379].
Software Causes 1. Spear phishing against operators of natural gas pipelines, which compromised 13 of 23 targeted operators and produced three near misses [116379]. 2. Exploitable weaknesses in the operators' email and remote access systems, which let the hackers work toward the industrial control networks [116379]. 3. Operators' systems remaining exposed even after the May security directive that required significant cyberattacks to be reported to the government [116379]. 4. Ransomware on Colonial Pipeline's systems, which forced the company to halt shipments because it could not tell what the attackers could reach next [116379]. 5. Hackers gaining access to the controls of a pipeline, which could have enabled a shutdown or an explosion [116379].
Non-software Causes 1. Congress's failure to pass cybersecurity legislation that would raise the security baseline of pipelines and other critical infrastructure [116379] 2. Reliance on voluntary reporting, which left the government without data on the extent of intrusions at some operators [116379]
Impacts 1. The Colonial Pipeline ransomware attack, which the article uses to underscore the urgency of defending pipelines and other critical infrastructure, shut down a pipeline network that carries gasoline, jet fuel and diesel up the East Coast, causing long gasoline lines and shortages [116379]. 2. Colonial Pipeline paid about $4 million in cryptocurrency as ransom to the attackers [116379]. 3. The attack prompted the federal government to issue a security directive requiring owners and operators of critical pipelines to take specific steps to protect against ransomware and other attacks [116379]. 4. The incident exposed how little slack the infrastructure has: the nation could have afforded only three more days of downtime before mass transit and chemical refineries came to a halt [116379]. 5. The incident highlighted the absence of cybersecurity legislation for pipelines and other critical infrastructure, which Congress had failed to pass [116379].
Preventions 1. Implementing multi-factor authentication on remote access, segmenting industrial control networks from corporate IT, and auditing those boundaries regularly, so that a compromised mailbox does not lead to the controls of a pipeline [116379]. 2. Training employees to recognize and report spear phishing, the technique that compromised 13 of 23 targeted operators [116379]. 3. Applying software updates and patches promptly to close known vulnerabilities before hackers exploit them [116379]. 4. Deploying intrusion detection and monitoring so that long-dwelling intruders, such as those found in Telvent's systems after months of presence, are identified and evicted quickly [116379]. 5. Sharing threat intelligence and best practices with government agencies and industry partners, rather than relying on voluntary, incomplete reporting [116379].
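As an added example (not code from the article, the DHS report, or any operator named here), the following Python script scores inbound mail against the spear-phishing indicators that preventions 2 and 4 depend on: lookalike sender domains, display-name spoofing, a Reply-To that diverts replies elsewhere, a DMARC failure reported by the gateway, and macro-enabled or executable attachments. The trusted domain, the brand token, the point values and the three sample messages are constructed assumptions, not data from the page.

```python
"""Spear-phishing triage over mail-gateway records (added example, not from the article)."""
from __future__ import annotations

import email.utils
import re
from dataclasses import dataclass, field

TRUSTED_DOMAINS = ("pipelineops.example",)   # hypothetical operator domain
BRAND_TOKENS = ("pipelineops",)              # words a spoofed display name would reuse
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".hta", ".js", ".scr", ".exe")
BLOCK_AT, QUARANTINE_AT = 60, 30             # assumed thresholds


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as pipe1ineops."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header: str) -> tuple[str, str]:
    """Return (lower-cased display name, lower-cased domain) from a From/Reply-To value."""
    name, addr = email.utils.parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.lower(), domain


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    @property
    def action(self) -> str:
        if self.score >= BLOCK_AT:
            return "block"
        return "quarantine" if self.score >= QUARANTINE_AT else "deliver"


def triage(msg: dict[str, str]) -> Verdict:
    """Score one message; msg maps header names to values (Attachments is comma separated)."""
    v = Verdict()
    name, from_dom = split_address(msg.get("From", ""))
    _, reply_dom = split_address(msg.get("Reply-To", ""))

    # 1. Lookalike sender domain: within two edits of a trusted domain but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        dist = levenshtein(from_dom, trusted)
        if 0 < dist <= 2:
            v.hit(40, f"sender domain {from_dom} is {dist} edit(s) from {trusted}")

    # 2. Display-name spoofing: the name claims the organisation, the address is external.
    if from_dom not in TRUSTED_DOMAINS:
        embedded = re.search(r"@([\w.-]+)", name)
        if any(tok in name for tok in BRAND_TOKENS) or (embedded and embedded.group(1) in TRUSTED_DOMAINS):
            v.hit(25, f"display name {name!r} impersonates the organisation")

    # 3. Reply-To pointing somewhere other than the sender's own domain.
    if reply_dom and reply_dom != from_dom:
        v.hit(20, f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    # 4. DMARC failure recorded by the receiving gateway.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        v.hit(25, "DMARC failed")

    # 5. Macro-enabled or executable attachment, the usual spear-phishing payload carrier.
    for filename in msg.get("Attachments", "").split(","):
        if filename.strip().lower().endswith(RISKY_EXTENSIONS):
            v.hit(30, f"risky attachment {filename.strip()}")
    return v


# Constructed sample records, not real traffic.
SAMPLES = {
    "maintenance": {
        "From": "SCADA Team <scada@pipelineops.example>",
        "Authentication-Results": "spf=pass dkim=pass dmarc=pass",
        "Attachments": "maintenance-window.pdf",
    },
    "helpdesk_lure": {
        "From": "Pipelineops IT Helpdesk <helpdesk@pipe1ineops.example>",
        "Reply-To": "helpdesk@mail-reset.example",
        "Authentication-Results": "spf=fail dmarc=fail",
        "Attachments": "VPN_Update_Form.docm",
    },
    "vendor_macro": {
        "From": "Vendor Support <support@remote-vendor.example>",
        "Authentication-Results": "spf=pass dmarc=pass",
        "Attachments": "firmware-notes.xlsm",
    },
}


def triage_all(samples: dict[str, dict[str, str]] = SAMPLES) -> dict[str, str]:
    """Map each sample label to the action the gateway should take."""
    return {label: triage(msg).action for label, msg in samples.items()}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        verdict = triage(msg)
        print(f"{label:14} {verdict.score:4} {verdict.action:10} {'; '.join(verdict.reasons)}")
```

Run as a script it prints one line per sample; the lure from the lookalike domain trips every indicator and is blocked, the legitimate maintenance notice scores zero, and the vendor message with a macro-enabled workbook lands in quarantine for a human to review. Any single heuristic is easy to evade, which is why the score is additive and why a quarantine tier exists for messages that are suspicious but not conclusively malicious.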
Fixes 1. Enhancing cybersecurity measures for critical infrastructure, such as oil and gas pipelines, to protect against cyberattacks like the one on Colonial Pipeline [116379]. 2. Implementing specific steps outlined in security directives to protect against ransomware and other cyber threats [116379]. 3. Developing contingency and recovery plans for critical infrastructure in case of cyber incidents [116379]. 4. Improving collaboration between government agencies, industry stakeholders, and cybersecurity experts to address vulnerabilities in critical infrastructure [116379].
References 1. The Biden administration 2. F.B.I. 3. Department of Homeland Security 4. Transportation Security Administration 5. Mandiant, a division of the security firm FireEye 6. Telvent 7. Congress 8. Chinese government 9. White House 10. China’s Ministry of State Security 11. Justice Department 12. American officials 13. Security experts 14. Eileen Sullivan [116379]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: Telvent, a company that monitors more than half the oil and gas pipelines in North America, was infiltrated by Chinese hackers in September 2012. The hackers were discovered in Telvent's computer systems after they had been present for months, prompting the company to close its remote access to clients' systems to prevent potential infrastructure shutdowns [116379]. (b) The software failure incident having happened again at multiple_organization: The article reports that Chinese-backed hackers targeted and breached nearly two dozen companies that own oil and gas pipelines from 2011 to 2013. Specifically, 13 of 23 operators of natural gas pipelines were successfully compromised through spear phishing attacks, while three were "near misses." The Department of Homeland Security also reported responding to intrusions on oil pipelines and electric power operators at an alarming rate nearly 10 years before the article's publication, with some attacks traced back to China [116379].
Phase (Design/Operation) design, operation (a) The design-phase contribution is visible in the fact that spear phishing alone compromised 13 of 23 targeted natural gas operators [116379]. That success rate suggests weaknesses in how the operators' security controls were designed, for example in how corporate email and remote access were separated from the industrial control networks that the hackers were ultimately after. (b) The operation-phase contribution is evident in the Colonial Pipeline case, where the company shut down its shipments after a ransomware attack because it did not know what the attackers were capable of next [116379]. That operational decision led to long gasoline lines and shortages, showing how an operational disruption propagates through critical infrastructure.
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident related to the cyberattacks on American oil and gas pipelines, particularly the Colonial Pipeline attack, was primarily due to contributing factors that originated from within the system. The hackers targeted the industrial control networks that run the pipelines, aiming to gain strategic access for future operations rather than just stealing intellectual property [116379]. The failure was exacerbated by vulnerabilities in the pipeline operators' systems, as evidenced by successful compromises through spear phishing attacks and the lack of data on the extent of intrusions into some operators [116379]. (b) outside_system: The software failure incident was also influenced by contributing factors that originated from outside the system. The cyberattacks were state-sponsored, with Chinese-backed hackers targeting and breaching companies that own oil and gas pipelines [116379]. The attacks were part of a broader trend of nation-backed hackers targeting critical infrastructure, highlighting the external threat landscape faced by these systems [116379].
Nature (Human/Non-human) non-human_actions, human_actions (a) The article describes no failure caused purely by non-human actions; the closest non-human element is the ransomware used against Colonial Pipeline, which, once the attackers had deployed it, ran without further human involvement and left the company unsure what else the attackers could reach [116379]. (b) The failure was overwhelmingly the product of human actions on both sides. State-sponsored, Chinese-backed hackers targeted the industrial control networks that run the pipelines, aiming to gain strategic access for future operations rather than to steal intellectual property, and used spear phishing to get in [116379]. On the defending side, staff acted on the fraudulent emails and operators had not put robust security protocols in place, which is why 13 of 23 targeted operators were compromised [116379].
Dimension (Hardware/Software) software (a) The articles do not provide information about a software failure incident occurring due to contributing factors originating in hardware. (b) The software failure incident reported in the articles is related to a cyberattack on American oil and gas pipelines by Chinese-backed hackers. The hackers targeted the industrial control networks that run the pipelines, aiming to gain strategic access for future operations rather than just stealing intellectual property. The incident involved breaches through email fraud like spear phishing, with some operators successfully compromised and others experiencing near misses. The hackers were preparing to take control of the pipelines, potentially leading to physical damage or disruption of operations [116379].
Objective (Malicious/Non-malicious) malicious (a) The objective of the software failure incident was malicious. The failure was due to state-sponsored cyberattacks on American oil and gas pipelines by Chinese-backed hackers. The hackers targeted the industrial control networks that run the pipelines with the intention of gaining strategic access for future operations, such as physically damaging pipelines or disrupting pipeline operations [116379].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions The decisions that contributed to the failure combine poor_decisions and accidental_decisions: (a) poor_decisions: Pipeline operators left their email and remote access systems exposed enough that spear phishing alone compromised 13 of 23 targeted natural gas operators, indicating a lack of robust cybersecurity measures [116379]. Congress also failed to pass cybersecurity legislation that would have raised the security of pipelines and other critical infrastructure, leaving the government dependent on voluntary reporting [116379]. (b) accidental_decisions: The spear phishing compromises depended on employees unintentionally acting on fraudulent emails [116379]. The Colonial Pipeline ransomware attack likewise forced an unplanned shutdown of the pipeline network, causing gasoline shortages, and a decision to pay about $4 million in cryptocurrency as ransom [116379].
Capability (Incompetence/Accidental) accidental (a) The articles do not provide information about a software failure incident occurring due to development incompetence. (b) The accidental element lies with the defenders rather than the attackers. The cyberattacks were deliberate and state-sponsored, but they succeeded because staff at pipeline operators unknowingly acted on spear phishing emails, giving the hackers a foothold from which to work toward the industrial control networks [116379].
Duration temporary The software failure incident related to the cyberattacks on American oil and gas pipelines can be considered as a temporary failure. This is evident from the fact that the cyberattacks, particularly the ransomware attack on Colonial Pipeline, led to a temporary shutdown of the pipeline network due to security concerns and uncertainties about the attackers' capabilities [116379]. The incident caused disruptions in fuel supply, leading to long gasoline lines and shortages [116379]. The ransomware attack on Colonial Pipeline resulted in the company paying a ransom of about $4 million in cryptocurrency to the attackers [116379]. Additionally, the incident prompted the federal government to issue security directives to enhance cybersecurity measures for critical infrastructure, indicating a response to a specific set of circumstances rather than a permanent failure [116379].
Behaviour omission, other (a) crash: Not a crash in the taxonomy sense. Colonial Pipeline's systems did not stop on their own; the company deliberately shut off shipments because it did not know what the attackers would be capable of next [116379]. (b) omission: The cyberattack on Colonial Pipeline caused the pipeline to omit its intended function of delivering fuel, since shipments were halted until the operator regained confidence in its systems, producing long gasoline lines and shortages [116379]. (c) timing: The article gives no indication that the systems performed their functions too early or too late; the shutdown was a precautionary decision rather than a timing fault. (d) value: The article does not describe the systems producing incorrect outputs; the hackers' aim was to gain control of the pipelines rather than to corrupt their operation [116379]. (e) byzantine: The article does not describe inconsistent or erroneous responses from the systems; the attackers were positioning themselves to take control for future operations, not inducing erratic behaviour [116379]. (f) other: The incident also involved behaviour not captured by the options above: systems that remained exposed to spear phishing and ransomware, and attackers establishing strategic access to industrial control networks for later use, which prompted security directives to protect critical infrastructure [116379].

IoT System Layer

Layer Option Rationale
Perception processing_unit, network_communication, embedded_software (a) sensor: The articles do not mention any failure related to sensors in the cyber physical system. (b) actuator: The articles do not mention any failure related to actuators in the cyber physical system. (c) processing_unit: The Chinese-backed hackers targeted the industrial control networks that run the pipelines, which places the control systems themselves, the processing units of the cyber physical system, within the scope of the breach [116379]. (d) network_communication: The same industrial control networks, and the remote access paths into them, are the communication fabric of the system; the hackers worked through those networks after initial compromise by spear phishing [116379]. (e) embedded_software: The article reports that the hackers gained access to the controls of a pipeline, which could have enabled a shutdown or an explosion, indicating that the software controlling physical operations was reachable by the attackers [116379].
Communication unknown The article notes that Telvent closed its remote access to clients' systems after discovering the intruders, but gives no detail of a failure at the communication layer of the cyber physical system itself [116379].
Application FALSE The software failure incident described in the articles is not related to the application layer of the cyber physical system. The incident primarily involves state-sponsored cyberattacks on American oil and gas pipelines, targeting the industrial control networks that run the pipelines. The attacks were aimed at gaining strategic access to the infrastructure rather than just stealing intellectual property. The failure was due to cyberattacks orchestrated by nation-backed hackers rather than issues at the application layer of the cyber physical system [116379].

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) unknown (b) unknown (c) unknown (d) property: Colonial Pipeline paid about $4 million in cryptocurrency as ransom, and the shutdown of its pipeline network caused gasoline shortages along the East Coast [116379]. (e) unknown (f) non-human: The incident had a significant impact on non-human entities, specifically oil and gas pipelines. Chinese-backed hackers targeted and breached nearly two dozen companies that own pipelines, with the intention of gaining strategic access to the industrial control networks that run them [116379]. (g) unknown (h) theoretical_consequence: The articles discuss potential consequences that did not materialize, such as physical damage to pipelines or disruption of pipeline operations. The alert issued by the agencies stated that the hackers' goal was to hold U.S. pipeline infrastructure at risk, and the nation could have afforded only three more days of the Colonial shutdown before mass transit and chemical refineries came to a halt [116379]. (i) unknown
Domain transportation, utilities, government (a) The failed system was related to the transportation industry, specifically the oil and gas pipelines. The software failure incident involved state-sponsored cyberattacks on American oil and gas pipelines, targeting the industrial control networks that run the pipelines [116379]. The incident led to the shutdown of a pipeline network that provides gasoline, jet fuel, and diesel up the East Coast, causing long gasoline lines and shortages [116379]. (g) The failed system was also related to the utilities industry. The cyberattack targeted critical infrastructure, specifically oil and gas pipelines, which are essential for providing power, gas, and other services to the public [116379]. (l) Additionally, the failed system was connected to the government sector. The Biden administration disclosed details about the cyberattacks on American oil and gas pipelines, emphasizing the need for increased security measures to protect critical infrastructure from such attacks [116379].
