Recurring |
multiple_organization |
(a) The software failure incident related to cryptojacking malware impacting industrial control systems occurred at a water utility in Europe, as reported by Radiflow. This incident is the first known instance of mining malware being used against an industrial control system [68176].
(b) The articles mention that cryptojacking malware incidents are becoming more common and sophisticated, with attackers compromising popular web plugins like Browsealoud to steal mining power from users on thousands of mainstream websites, including those of the United States federal courts system and the United Kingdom's National Health Service. Additionally, reports surfaced about a group of Russian scientists being arrested for allegedly using a supercomputer at a secret Russian research and nuclear warhead facility for Bitcoin mining [68176]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the article where cryptocurrency mining malware was discovered in the operational technology network of a water utility in Europe. The malware was built to run quietly in the background, using processing power to mine cryptocurrency without overwhelming the system and creating obvious problems. It was also designed to detect and disable security scanners and defense tools that might flag it, indicating a sophisticated design to evade detection [68176].
(b) The software failure incident related to the operation phase is evident in the same article where the mining malware attack on the water utility's industrial control system had a significant impact on systems. The increased processor and network bandwidth usage caused by the malware could lead to industrial control applications hanging, pausing, or crashing, potentially degrading the operator's ability to manage the plant. This impact on the operation of the system highlights the failure introduced by the operation or misuse of the system [68176]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident described in the articles is primarily within the system. The failure was caused by the presence of cryptocurrency mining malware within the operational technology network of a water utility in Europe. The malware was designed to run quietly in the background, using processing power to mine cryptocurrency without overwhelming the system. It was also built to detect and disable security scanners and defense tools within the system [68176].
(b) outside_system: The software failure incident also involved contributing factors that originated from outside the system. Attackers exploited vulnerabilities in the system's network security to introduce the cryptocurrency mining malware. The attackers were looking for unused processing power within the internal network of the utility to benefit from mining cryptocurrency. The malware spread internally within the system, moving laterally from an internet-connected server to others that were not meant to be exposed [68176]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the articles is related to non-human actions, specifically the presence of cryptocurrency mining malware in the operational technology network of a water utility in Europe. The malware was designed to quietly mine cryptocurrency without overwhelming the system, disable security scanners, and increase processor and network bandwidth usage, potentially causing industrial control applications to hang, pause, and crash [68176].
(b) The articles also mention human actions contributing to software failure incidents. For example, reports surfaced about a group of Russian scientists being arrested for allegedly using a supercomputer at a secret Russian research and nuclear warhead facility for Bitcoin mining [68176]. Additionally, technicians with access to industrial control systems may yield to temptation, allowing hackers to exploit flaws in the system's defenses for mining purposes [68176]. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident related to hardware: The incident described in the articles is not directly attributed to hardware failure. Instead, the failure was caused by malicious mining malware infecting the operational technology network of a water utility in Europe, impacting the systems and potentially degrading the operator's ability to manage the plant [68176].
(b) The software failure incident related to software: The software failure incident in this case was caused by malicious mining malware that infected the operational technology network of a water utility in Europe. The malware was designed to run quietly in the background, using processing power to mine cryptocurrency without overwhelming the system. It was also built to detect and disable security scanners and defense tools, increasing processor and network bandwidth usage, which could cause industrial control applications to hang, pause, and crash [68176]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The objective of the software failure incident was malicious. The incident involved the discovery of cryptocurrency mining malware in the operational technology network of a water utility in Europe, marking the first known instance of mining malware being used against an industrial control system. The malware was designed to run quietly in the background, using processing power to mine cryptocurrency without causing obvious problems, while also disabling security scanners and defense tools. The attack had a significant impact on the systems, potentially degrading the operator's ability to manage the plant [68176]. Additionally, the incident highlighted the potential dangers of malicious miners on industrial control systems, emphasizing the need for heightened security measures to prevent such attacks [68176].
(b) The incident was non-malicious in the sense that the attackers were not specifically targeting the water utility's network for a cyberattack. Instead, they were looking for unused processing power that they could exploit for their benefit. The attackers were leveraging fallow processing power within the industrial control system to mine cryptocurrency, taking advantage of the system's high processor availability and electricity consumption. The incident also shed light on the vulnerabilities present in industrial control systems, such as running dated and unpatched software, which could inadvertently facilitate such attacks [68176]. |
Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The intent of the software failure incident related to poor_decisions:
- The cryptocurrency mining malware used against an industrial control system at a water utility in Europe was not part of a targeted attack; rather, the attackers were looking for unused processing power to benefit themselves [68176].
- The malware was designed to run quietly in the background to mine cryptocurrency without overwhelming the system and creating obvious problems, indicating a deliberate attempt to exploit the system's resources without being detected [68176].
- The attackers were trying to look for unused processing power that they could use for their benefit, showing a strategic decision to target industrial control systems for mining purposes [68176].
(b) The intent of the software failure incident related to accidental_decisions:
- The cryptocurrency mining malware that infected the water treatment plant was designed to spread internally, moving laterally from an internet-connected remote monitoring server to others that weren't meant to be exposed, indicating an unintended consequence of the malware's propagation within the system [68176].
- The malware could find weak spots even on a temporary basis and expand, suggesting an accidental consequence of the malware's ability to exploit vulnerabilities within the network [68176]. |
Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the article where it discusses the discovery of cryptocurrency mining malware in the operational technology network of a water utility in Europe. The malware was designed to run quietly in the background, using processing power to mine cryptocurrency without causing obvious problems. It was also built to detect and disable security scanners and defense tools, indicating a level of sophistication that could potentially be harmful to the industrial control system [68176].
(b) The accidental software failure incident is highlighted in the article where Radiflow discovered the cryptocurrency mining malware in the water utility's network. The CEO of Radiflow mentioned that they had no idea they would find a malicious miner when they installed intrusion detection products on the utility's network. The communication with multiple external IP addresses from the utility's servers was unexpected, indicating that the attackers were trying to exploit unused processing power rather than specifically targeting the utility [68176]. |
Duration |
temporary |
The software failure incident described in the articles can be categorized as a temporary failure. The incident involved the discovery of cryptocurrency mining malware in the operational technology network of a water utility in Europe, which had a significant impact on the systems [68176]. The malware was designed to run quietly in the background, using processing power to mine cryptocurrency without overwhelming the system and creating obvious problems. It was also built to detect and disable security scanners and defense tools that might flag it, indicating a deliberate attempt to remain undetected [68176].
Additionally, the incident highlighted the vulnerability of industrial control systems to such attacks, with concerns raised about the potential for malicious miners to exploit flaws in the defenses of these systems and cause disruptions [68176]. The sophistication of attacks involving mining malware has been increasing, with attackers targeting critical infrastructure like water treatment plants and spreading internally within networks [68176]. This indicates that the failure was not permanent but rather a result of specific circumstances and vulnerabilities that were exploited by the attackers. |
Behaviour |
crash, omission, value, byzantine, other |
(a) crash: The incident involving cryptocurrency mining malware in the operational technology network of a water utility in Europe had a significant impact on systems, potentially causing industrial control applications to hang, pause, and even crash, degrading the operator's ability to manage the plant [68176].
(b) omission: The mining malware was designed to run quietly in the background, using processing power to mine cryptocurrency without overwhelming the system and creating obvious problems. It was also built to detect and disable security scanners and defense tools that might flag it, indicating an omission of security measures [68176].
(c) timing: The malware attack increased processor and network bandwidth usage, potentially causing industrial control applications to hang, pause, and crash, affecting the timing of system operations [68176].
(d) value: The mining malware was using processing power to mine cryptocurrency, indicating a failure in the system performing its intended functions correctly [68176].
(e) byzantine: The mining malware was designed to spread internally, moving laterally from an internet-connected remote monitoring server to others that weren't meant to be exposed, showing inconsistent responses and interactions within the system [68176].
(f) other: The incident also highlights the potential for malicious mining malware to cause physical damage to infected devices like smartphones, indicating a different type of behavior not covered by the previous options [68176]. |