Incident: Chinese Government Hackers Target Australian Power Plants with Ransomware Attack

Published Date: 2021-12-07

Postmortem Analysis
Timeline
1. The software failure incident at CS Energy's two thermal coal plants in Queensland, targeted by Chinese government hackers, occurred on November 27, as mentioned in Article 122214.
2. The article was published on December 7, 2021.
3. Therefore, the software failure incident happened in November 2021.

System
The software failure incident reported in Article 122214 involved a ransomware attack on CS Energy's two thermal coal plants in Queensland, Australia. The incident highlighted vulnerabilities in critical infrastructure due to under-investment in hacking defenses. The systems that failed in this software failure incident were:
1. CS Energy's internal corporate systems
2. Generators circulating 3,500MW of electricity into the grid
3. Broadcasting equipment of Channel Nine
These systems were compromised by the ransomware attack, leading to potential power outages and disruptions in broadcasting services. [122214]

Responsible Organization
1. Chinese government hackers were responsible for causing the software failure incident at CS Energy in Queensland, Australia [122214].

Impacted Organization
1. CS Energy, the Queensland power firm targeted by a ransomware attack which almost shut down power to three million homes [122214].

Software Causes
1. Ransomware attack targeting CS Energy's thermal coal plants in Queensland, which denied workers access to critical data and email, almost shutting down power to three million homes [122214].

Non-software Causes
1. Under-investment in hacking defenses over the years, leaving the government and private corporations almost defenseless [Article 122214].
2. Data not encrypted at rest or in transit, no strict controls over who can access data and no logging of all access, and failure to securely delete all data as soon as possible [Article 122214].
3. Lack of training for staff to be aware of phishing attacks and social engineering tactics [Article 122214].
4. Failure to partition networks and completely disconnect critical information and infrastructure access from the internet [Article 122214].

Impacts
1. The software failure incident targeted Queensland power firm CS Energy with a ransomware attack, almost shutting down power to three million homes [122214].
2. The attack bypassed CS Energy's internal corporate systems to access the generators that circulate 3,500MW of electricity into the grid, potentially knocking out power to between 1.4 and 3 million homes indefinitely [122214].
3. The incident highlighted the vulnerability of critical infrastructure in Australia, prompting the government to introduce new laws such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to give unprecedented powers in the face of cyber attacks [122214].
4. The new laws would allow the government to take control of private companies if their critical infrastructure came under cyber attack, and company directors of affected companies would be held personally responsible for cyber security breaches [122214].
5. The incident underscored the need for Australian companies to invest in protection against cyber attacks, including encrypting data, controlling access to data, training staff to be aware of phishing attacks, and strengthening network security [122214].

Preventions
1. Implementing strong encryption protocols to protect critical data and prevent unauthorized access [122214].
2. Enforcing strict access controls and logging mechanisms to monitor and track who accesses sensitive information [122214].
3. Providing comprehensive training to staff on identifying and avoiding phishing attacks and social engineering tactics [122214].
4. Partitioning networks and disconnecting critical infrastructure access from the internet where possible to enhance security [122214].

Fixes
1. Encrypting all data at rest and transferring it only in encrypted form.
2. Implementing strict controls over who can access data and logging all access.
3. Securely deleting all data as soon as possible.
4. Training staff to be aware of phishing attacks and social engineering.
5. Partitioning networks and completely disconnecting critical information and infrastructure access from the internet when possible [122214].

References
1. Experts warning about the potential cyber war and vulnerabilities in Australia's critical infrastructure [Article 122214]
2. Nigel Phair, director of UNSW Institute for Cyber Security, providing insights on Chinese hackers and the ransomware attack on CS Energy [Article 122214]
3. Prime Minister Scott Morrison discussing cybersecurity threats and the new laws introduced by the Australian government [Article 122214]
4. Senator James Paterson highlighting the need for urgent reforms in Australia's cyber defense capabilities [Article 122214]
5. Information on what Australian companies must do for protection from cyber attacks, including encryption, access controls, and network security measures [Article 122214]

Software Taxonomy of Faults

Category Option Rationale
Recurring | unknown
The articles do not provide specific information about a software failure incident happening again at either one specific organization or multiple organizations. Therefore, the information to answer this question is 'unknown.'

Phase (Design/Operation) | operation
(a) The software failure incident mentioned in the articles is primarily related to the operation phase rather than the design phase. The incident was a result of a ransomware attack on Queensland power firm CS Energy's thermal coal plants, which denied workers access to critical data and email, ultimately almost shutting down power to three million homes [122214]. This failure was due to the operation of the system being compromised by the cyber attack, highlighting the importance of operational security measures to prevent such incidents.
(b) The articles do not provide specific information about a software failure incident related to the design phase, such as issues introduced during system development or updates. The focus of the incident discussed is more on the operational aspects, particularly the impact of the ransomware attack on the operation of the power plants and the potential consequences for the nation's critical infrastructure.

Boundary (Internal/External) | within_system
(a) within_system: The software failure incident reported in the article is primarily due to contributing factors that originate from within the system. The incident involved a ransomware attack on Queensland power firm CS Energy's thermal coal plants, which almost shut down power to three million homes. The attack bypassed CS Energy's internal corporate systems to access the generators, disrupting the circulation of electricity into the grid [122214]. Additionally, the article mentions that the hackers used various forms of hacking techniques, including social engineering and phishing attacks, to gain access to networks and critical data within the system [122214].
(b) outside_system: The software failure incident does not seem to be primarily caused by contributing factors originating from outside the system. The focus of the incident is on the internal vulnerabilities and the attack carried out by Chinese government hackers on the Queensland power firm's systems. The article does not highlight external factors as the main cause of the failure [122214].

Nature (Human/Non-human) | non-human_actions, human_actions
(a) The software failure incident reported in the articles is primarily attributed to non-human actions, specifically a cyber attack orchestrated by Chinese government hackers targeting the Queensland power firm CS Energy. The attack involved ransomware that almost shut down power to three million homes by denying workers access to critical data and email [122214]. The incident highlights the vulnerability of critical infrastructure to cyber attacks and the potential consequences of under-investment in hacking defenses.
(b) The articles also mention human actions contributing to the software failure incident, particularly the lack of investment by private companies in beefing up cybersecurity controls on their networks. Nigel Phair, the director of UNSW Institute for Cyber Security, emphasized that most critical infrastructure owner operators in the private sector do not see the return on investment in enhancing cybersecurity measures, viewing it as a cost rather than a priority [122214]. This lack of proactive action by private companies has prompted the Australian government to introduce new laws granting unprecedented powers in the face of cyber attacks and holding company directors personally responsible for cybersecurity breaches.

Dimension (Hardware/Software) | software
(a) The software failure incident reported in the articles is primarily related to a cyber attack on the Queensland power firm CS Energy, which almost shut down power to three million homes. The attack was a ransomware attack launched by Chinese government hackers on CS Energy's two thermal coal plants in Queensland. The attack denied workers access to critical data and email, and it almost shut down power to a significant number of homes [122214].
(b) The software failure incident is attributed to a cyber attack, specifically a ransomware attack, which targeted CS Energy's systems. The attack bypassed CS Energy's internal corporate systems to access the generators that circulate electricity into the grid. This incident highlights the vulnerability of critical infrastructure to cyber attacks and the potential consequences of such attacks on essential services like power supply [122214].

Objective (Malicious/Non-malicious) | malicious
(a) The software failure incident described in the article is malicious in nature. It involved Chinese government hackers launching a ransomware attack on CS Energy's thermal coal plants in Queensland, targeting critical infrastructure with the intent to harm the system and potentially disrupt power supply to millions of homes [122214]. The attack was described as a "sustained hack" and a "sophisticated attack" carried out by state-sponsored hackers with the capability to cause significant damage [122214]. The incident highlighted the vulnerability of Australia's critical infrastructure to cyber attacks orchestrated by foreign state actors, particularly China, and the need for enhanced cybersecurity measures to defend against such malicious activities [122214]. The government responded by introducing new laws to give unprecedented powers in the face of cyber attacks and hold company directors personally responsible for cybersecurity breaches [122214].

Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions
(a) The intent of the software failure incident was due to poor decisions made in terms of under-investment in hacking defenses by the Australian government and private corporations. The articles highlight that Australia had years of under-investment in hacking defenses, leaving the government and private corporations almost defenseless against cyber attacks [122214]. Additionally, it is mentioned that most critical infrastructure owner operators in Australia, which are primarily in the private sector, failed to invest in beefing up cybersecurity controls on their networks because they saw it as a cost rather than a necessary investment [122214].
(b) The software failure incident was also influenced by accidental decisions or unintended consequences. For example, the ransomware attack on the Queensland power firm CS Energy was described as almost shutting down power to three million homes, indicating the unintended consequences of the attack [122214]. Additionally, the incident highlighted the vulnerability of critical infrastructure companies to cyber attacks, emphasizing the accidental consequences of not adequately protecting against such threats [122214].

Capability (Incompetence/Accidental) | development_incompetence
(a) The software failure incident reported in the articles is primarily related to development incompetence. The incident involved a ransomware attack on Queensland power firm CS Energy's thermal coal plants, which almost shut down power to three million homes [122214]. The attack was attributed to Chinese government hackers who targeted the power firm, denying workers access to critical data and email. The hackers were described as well-organized, technically adept, and sponsored by the state, with a capability to switch off Australia's power grid [122214]. The incident highlighted the vulnerability of critical infrastructure due to under-investment in hacking defenses, leaving the government and private corporations almost defenseless [122214].
(b) The software failure incident was not reported to be accidental but rather a deliberate cyber attack orchestrated by Chinese government hackers. The attack was described as a sustained ransomware attack on CS Energy's thermal coal plants, indicating a targeted and intentional effort to disrupt the power supply [122214]. The incident underscored the need for urgent reforms to enhance Australia's cyber defense capabilities in the face of hostile nations like China and Russia [122214].

Duration | temporary
The software failure incident reported in Article 122214 was temporary. The incident involved a ransomware attack on Queensland power firm CS Energy's thermal coal plants, which almost shut down power to three million homes. The attack denied workers access to critical data and email, and it came within minutes of bypassing internal corporate systems to access the generators that circulate electricity into the grid. A last-ditch plan to separate control operations from the main network saved the plant from a prolonged outage, indicating that the failure was temporary [122214].

Behaviour | crash, omission, other
(a) crash: The software failure incident described in the article can be categorized as a crash. The incident involved a ransomware attack on CS Energy's thermal coal plants in Queensland, which almost shut down power to three million homes. The attack bypassed internal corporate systems and targeted the generators that circulate electricity into the grid, potentially causing a complete blackout. The incident led to a situation where the system was on the verge of losing its state and failing to perform its intended function of providing electricity [Article 122214].
(b) omission: The software failure incident can also be categorized as an omission. The attack on CS Energy's plants denied workers access to critical data and email, indicating that the system omitted to perform its intended functions at that instance by blocking access to necessary information [Article 122214].
(c) timing: The software failure incident does not align with a timing failure as there is no indication in the article that the system performed its intended functions too late or too early [Article 122214].
(d) value: The software failure incident does not align with a value failure as there is no indication in the article that the system performed its intended functions incorrectly [Article 122214].
(e) byzantine: The software failure incident does not align with a byzantine failure as there is no mention of inconsistent responses or interactions within the system [Article 122214].
(f) other: The software failure incident can also be described as a potential security breach or vulnerability. The incident involved a ransomware attack by Chinese hackers on critical infrastructure, highlighting a significant security flaw in the system that allowed unauthorized access and potential disruption of essential services [Article 122214].

IoT System Layer

Layer Option Rationale
Perception | network_communication
The software failure incident reported in the articles is related to the network_communication layer of the cyber-physical system that failed. The incident involved a ransomware attack on Queensland power firm CS Energy, where Chinese hackers targeted the thermal coal plants and denied workers access to critical data and email by bypassing CS Energy's internal corporate systems to access the generators that circulate electricity into the grid [122214]. This attack on the network communication layer could have resulted in knocking out power to between 1.4 and 3 million homes indefinitely if successful. Additionally, the incident highlights the vulnerability of critical infrastructure companies, including utilities, to cyber attacks, emphasizing the importance of strengthening security measures to prevent such network communication failures.

Communication | connectivity_level
The software failure incident reported in the articles is related to the connectivity level of the cyber-physical system that failed. The incident involved a ransomware attack on CS Energy's thermal coal plants in Queensland, which targeted the company's internal corporate systems, denying workers access to critical data and email. The attack bypassed CS Energy's internal corporate systems to access the generators that circulate electricity into the grid, potentially affecting between 1.4 and 3 million homes [122214]. This indicates that the failure was more related to the network or transport layer of the cyber-physical system rather than the physical layer.

Application | TRUE
The software failure incident reported in Article 122214 was related to a cyber attack on the Queensland power firm CS Energy. The attack involved Chinese government hackers launching a ransomware attack on CS Energy's two thermal coal plants, which almost shut down power to three million homes. The attack targeted the generators that circulate electricity into the grid, denying workers access to critical data and email. This incident can be categorized as a failure related to the application layer of the cyber-physical system, as it involved unauthorized access, denial of critical data, and potential disruption of power supply due to the cyber attack [122214].

Other Details

Category Option Rationale
Consequence | property, non-human, theoretical_consequence
(a) death: People lost their lives due to the software failure - There is no mention of people losing their lives due to the software failure incident reported in the articles [122214].
(b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the software failure incident reported in the articles [122214].
(c) basic: People's access to food or shelter was impacted because of the software failure - The software failure incident did not directly impact people's access to food or shelter [122214].
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident impacted the operations of a power firm in Queensland, potentially affecting power supply to millions of homes [122214].
(e) delay: People had to postpone an activity due to the software failure - The software failure incident did not mention people having to postpone any specific activities due to the failure [122214].
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted the operations of power stations, hospitals, banks, logistics firms, and power supply to homes [122214].
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences, such as the potential shutdown of power supply to millions of homes [122214].
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss the potential consequences of a cyber war initiated by Chinese government hackers, including the possibility of shutting down power to millions of homes and the need for new laws to address cyber attacks [122214].
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles do not mention any other specific consequences of the software failure incident beyond the potential impacts on critical infrastructure and power supply [122214].

Domain | utilities
The software failure incident reported in the articles was related to the utilities industry. Specifically, the incident involved a ransomware attack on Queensland power firm CS Energy's thermal coal plants, which almost led to a shutdown of power to three million homes [Article 122214]. This incident highlighted the vulnerability of critical infrastructure, such as power stations, to cyber attacks, emphasizing the importance of investing in cybersecurity defenses in the utilities sector.

Sources
