Incident: Cyberattack on Ukrainian Power Grid by Sandworm Group

Published Date: 2016-01-07

Postmortem Analysis
Timeline
1. The software failure incident occurred in December 2015 [Article 60183].
2. The software failure incident occurred in December 2016 [Article 39841, Article 60404].
3. The software failure incident occurred in December 2016 [Article 39825].
4. The software failure incident occurred in December 2016 [Article 126885].
5. The software failure incident occurred in February 2022 [Article 126721].
6. The software failure incident occurred in January 2022 [Article 131184].
7. The timeline cannot be estimated for the other articles, so it is 'unknown'.

System
1. Supervisory Control and Data Acquisition (SCADA) tools and Programmable Logic Controllers (PLCs) [26607]
2. Control systems used to coordinate remote substations [39825]
3. Malicious software known as Black Energy 3 and KillDisk [39841]
4. Supervisory Control and Data Acquisition (SCADA) network that controlled the grid [41368]
5. CrashOverride malware [60183, 60317, 60319, 60404]
6. Siprotec protective relays [89176]
7. SCADA systems [126721]
8. Industroyer malware [126721, 126885]

Responsible Organization
1. The Russian hacking group known as Sandworm was responsible for causing the software failure incident in Ukraine [39841, 126721, 126885].
2. The Ukrainian SBU security service also blamed the attack on the Russian government [39825].

Impacted Organization
1. Government websites and a financial institution in Ukraine [123256]
2. Ukrainian electric utility targeted by the hackers [126885]

Software Causes
1. The software causes of the failure incident were serious vulnerabilities found in SCADA tools and programmable logic controllers (PLCs) used by real-world critical infrastructure providers, as well as the use of malicious software such as Black Energy 3 and KillDisk in cyberattacks [26607, 39825, 39841].
2. The malware known as Crash Override was also a software cause of the failure incident, as it was used to target the Ukraine power grid and could be easily modified to harm critical infrastructure operations globally [60183, 60317, 60319, 60404].
3. The malware Industroyer, including its upgraded version Industroyer2, was another software cause of the failure incident, as it was used in cyberattacks targeting power grid networks in Ukraine [89176, 126721, 126885].

Non-software Causes
1. Lack of two-factor authentication for workers logging remotely into the SCADA network [41368]
2. Overwriting firmware on critical devices at substations, leaving them unresponsive to remote commands [41368]
3. Probing of industrial control systems by hackers to gain crucial access [41368]
4. Lack of required protective relay fail-safes at the station [89176]

Impacts
None

Preventions
1. Implementing two-factor authentication for workers logging remotely into the SCADA network could have prevented the software failure incident [41368].
2. Monitoring the network for abnormal traffic, including signs of malware searching for the location of substations or sending messages to switch breakers, could have detected the malicious software and prevented the incident [60404].
3. Having a robust logging system in place, as seen in the case of Ukrainian power distribution companies, could help in reconstructing events and preventing future attacks [41368].
4. Close monitoring of control system networks by power-grid operators to spot the malware's reconnaissance scans before it launched its payloads could have prevented the incident [60319].
5. Timely response and collaboration with cybersecurity companies like Eset and Microsoft to identify and neutralize the malicious software used in the attack could prevent such incidents [126889].

Fixes
None

References
1. U.S. Homeland Security and intelligence agencies [Article 39825]
2. Ukrainian SBU security service [Article 39825]
3. iSight Partners [Article 39825, Article 39841]
4. U.S. energy industry security group [Article 39841]
5. Ukrainian and US computer security experts [Article 41368]
6. Lee and Michael J. Assante from the SANS Institute [Article 41368]
7. Dan Gunter from Dragos [Article 60183]
8. ESET [Article 60319, Article 126721]
9. Dragos [Article 60319]
10. Microsoft [Article 123256, Article 126721, Article 126889]
11. GRU military intelligence agency [Article 126721]
12. Cybersecurity firm Mandiant [Article 131184]

Software Taxonomy of Faults

Category / Option / Rationale

Recurring: one_organization, multiple_organization
(a) The software failure incident having happened again at one_organization: The incident involving a cyberattack on the Ukrainian power grid in 2016 was a follow-up hack on an electrical substation outside of Kyiv, which caused a smaller blackout. The hacking tool used in this recent attempted cyberattack on the Ukrainian power company was a variation of the malicious software known as Industroyer that was used in the 2016 hack [126885].
(b) The software failure incident having happened again at multiple_organization: The same Russian group that targeted U.S. industrial control systems in 2014 was responsible for turning out the lights in Ukraine in 2015. This indicates that similar incidents have occurred at different organizations or in different contexts [60183].

Phase (Design/Operation): design, operation
(a) The software failure incident occurring due to the development phases:
- The incident in Ukraine where the power grid was disrupted involved attackers overwriting firmware on critical devices at substations, leaving them unresponsive to remote commands from operators. This was a result of a failure in the design phase, where the attackers wrote malicious firmware to replace legitimate firmware on serial-to-Ethernet converters at substations, preventing operators from sending remote commands to re-close breakers during a blackout [41368].
- The Crash Override malware discovered in Ukraine in 2016 was found to have the potential to harm critical infrastructure operations globally. The malware could be easily modified to target U.S. critical information networks and systems, indicating a failure in the design phase of the software [60404].
(b) The software failure incident occurring due to the operation phases:
- The Ukrainian power outage incident caused by the Crash Override malware required human intervention in previous disruptive attacks on industrial targets. This indicates a failure in the operation phase, where human intervention was necessary to carry out the attack [60404].
- The malware known as Industroyer2 succeeded in disrupting one component of the impacted power station's management systems, also known as SCADA systems, due to penetration of power grid networks and uploading of the malware by the attackers. This highlights a failure in the operation phase of the system [126721].

Boundary (Internal/External): within_system, outside_system
(a) within_system: The software failure incident was within the system due to contributing factors that originated from within the system. The incident involved a sophisticated malware campaign that compromised U.S. industrial control systems, leading to concerns about potential harm to critical infrastructure operations globally [Article 39841]. Additionally, the malware known as CrashOverride disrupted an energy system in Ukraine and was specifically tailored to disrupt or destroy industrial control systems, indicating an internal system failure [Article 60183].
(b) outside_system: The software failure incident was also influenced by contributing factors that originated from outside the system. For example, the attack on the Ukrainian power grid involved hackers allied with the Russian government who devised a cyberweapon, indicating an external threat [Article 60183]. Furthermore, the incident highlighted the need for the U.S. cybersecurity community to counter potential cyber threats to critical infrastructure, suggesting external factors impacting the system [Article 126885].

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions:
- The incident in Ukraine in 2016 involved a cyberattack that resulted in an electrical power outage, where control systems used to coordinate remote substations were disabled in the cyberattack [39825].
- Malicious software like Crash Override was identified as the cause of a December 2016 Ukraine power outage, which could be easily modified to harm critical infrastructure operations globally [60404].
- The malware used in the cyberattack on the Ukrainian power company in 2016 was a variation of the malicious software known as Industroyer, indicating a non-human action causing the failure [126885].
(b) The software failure incident occurring due to human actions:
- Researchers found serious vulnerabilities in industrial control systems, highlighting that devices often don't do adequate validation of the data being sent to them, leading to failures in checking malicious streams of information [26607].
- The attackers in the Ukraine power outage incident were able to hijack credentials and gain crucial access to systems that controlled the breakers due to workers logging remotely into the SCADA network without two-factor authentication [41368].
- The hackers remotely manipulated control systems to cause a blackout in Ukraine, indicating human actions were involved in the cyberattack [60183].

Dimension (Hardware/Software): hardware, software
(a) The software failure incident occurring due to hardware:
- The incident in Ukraine involved hackers replacing legitimate firmware on serial-to-Ethernet converters at substations, preventing operators from sending remote commands to re-close breakers during a blackout [41368].
- The malware CrashOverride was designed to interact directly with electric utility equipment, including sending rapid-fire commands to open circuit breakers and trigger mass power outages [89176].
(b) The software failure incident occurring due to software:
- Researchers found serious vulnerabilities in SCADA systems used by critical infrastructure providers, highlighting issues with protocols and data validation [26607].
- Malicious software was used to compromise industrial control systems in the U.S., although no outages or physical destruction were reported [39841].
- The malware CrashOverride was used in Ukraine to trigger automated attacks on infrastructure, disrupting energy systems [60183].
- Malicious software was uncovered as the cause of a power outage in Ukraine in December 2016, with the potential to harm critical infrastructure globally [60404].
- The malware used in the 2016 Ukraine power outage was a variation of Industroyer, a known malicious software [126885].

Objective (Malicious/Non-malicious): malicious
(a) The software failure incident described in the articles is malicious in nature. The incidents involve cyberattacks on industrial control systems, such as the CrashOverride malware targeting energy systems in Ukraine and potentially other critical infrastructure globally [60183, 60404]. These attacks were designed to disrupt or destroy industrial control systems, causing power outages and hindering recovery efforts [126721]. The malware used in these incidents was specifically tailored to cause harm and destruction, rather than seeking financial gain [123256].
(b) The software failure incidents were not non-malicious in nature.

Intent (Poor/Accidental Decisions): poor_decisions
(a) The intent of the software failure incident in the reported articles seems to align more with poor_decisions, where the failure was due to contributing factors introduced by poor decisions. In Article 41368, it is mentioned that the attackers exploited intentional features in the power supply system, such as convincing workers to enable macros in a document, which led to the infection of their machines with BlackEnergy3. The attackers also wrote malicious firmware to replace legitimate firmware on converters at substations, preventing operators from sending remote commands to re-close breakers during a blackout. This level of planning and exploitation of intentional features indicates a deliberate and sophisticated attack strategy, rather than accidental decisions or mistakes. Additionally, in Article 89176, it is highlighted that the attackers in the Ukrenergo case intended to trigger destruction when grid operators turned the power back on, using the utility's own recovery efforts against them. This indicates a strategic intent to cause physical damage and disrupt operations, showcasing a deliberate and calculated approach rather than accidental decisions. Therefore, the software failure incidents described in the articles point towards poor_decisions as the contributing factor leading to the failures.

Capability (Incompetence/Accidental): None
None

Duration: permanent
(a) The software failure incident in the Ukraine power outage was intended to be permanent, aiming to cause lasting damage that could have led to power outages for weeks or even months [Article 89176]. The attackers wanted to trigger destruction when grid operators turned the power back on, using the utility's own recovery efforts against them [Article 89176].
(b) The software failure incident in the Ukraine power outage resulted in temporary outages lasting one to six hours for the affected areas [Article 41368]. The malware used in the attack had a "time bomb" functionality that could create outages lasting a few hours, but not more than a couple of days [Article 60183].

Behaviour: crash, omission, value, other
(a) crash: Article 89176 mentions a software failure incident where unusual malware took over industrial control systems, essentially switching off the lights, indicating a crash scenario where the system lost its state and failed to perform its intended functions.
(b) omission: Article 39825 describes a cyberattack in Ukraine where control systems used to coordinate remote substations were disabled, leading to power outages. This indicates a failure due to the system omitting to perform its intended functions at that instance.
(c) timing: Article 41368 describes an incident where an operator watched as the software navigated towards controlling circuit breakers and took the substation offline. This indicates a timing failure where the system performed its intended functions, but at an incorrect time.
(d) value: Article 26607 discusses weaknesses in devices where they fail to adequately validate data being sent to them, leading to actions and decisions based on potentially fake data. This indicates a failure due to the system performing its intended functions incorrectly.
(e) byzantine: The articles do not provide specific information about a failure due to the system behaving erroneously with inconsistent responses and interactions.
(f) other: Article 60319 discusses the Crash Override malware, which is designed to disrupt or destroy industrial control systems, leading to mass power outages. This could be considered as a failure scenario where the system behaves in a way not described in the options (a to e), potentially falling under the "other" category.

IoT System Layer

Layer / Option / Rationale

Perception: sensor, actuator, processing_unit, network_communication, embedded_software
(a) sensor: Failure due to contributing factors introduced by sensor error. Article 26607 mentions that devices often don't do adequate validation of the data being sent to them, which can lead to malicious streams of information being sent rather than legitimate bits and bytes determining their functions. This lack of validation can be attributed to sensor errors.
(b) actuator: Failure due to contributing factors introduced by actuator error. Article 41368 discusses how attackers overwrote firmware on critical devices at 16 substations in Ukraine, leaving them unresponsive to remote commands from operators. This indicates a failure related to actuator errors.
(c) processing_unit: Failure due to contributing factors introduced by processing error. Article 39825 mentions that control systems used to coordinate remote substations were disabled in the cyberattack on the Ukraine power outage. This disruption in control systems points to a failure related to processing errors.
(d) network_communication: Failure due to contributing factors introduced by network communication error. Article 39841 talks about a sophisticated malware campaign compromising U.S. industrial control systems, indicating a failure in network communication that allowed the malware to compromise the systems.
(e) embedded_software: Failure due to contributing factors introduced by embedded software error. Article 89176 discusses the malicious software Industroyer used in the 2016 hack on the Ukrainian power company, highlighting a failure related to embedded software errors that allowed the cyberattack to occur.

Communication: connectivity_level
[39825] The cyberattack on the Ukrainian power grid involved the disabling of control systems used to coordinate remote substations, indicating a failure at the communication layer of the cyber-physical system. This incident highlighted vulnerabilities in the industrial control systems that manage critical infrastructure, such as power distribution. The attack disrupted electrical power for several hours and affected tens of thousands of people, showcasing the impact of a cyberattack on the communication layer of the system.

Application: FALSE
The software failure incidents mentioned in the articles were not specifically related to the application layer of the cyber-physical system as defined. The failures were primarily attributed to cyberattacks targeting industrial control systems, causing power outages and disruptions in critical infrastructure. Therefore, there is no specific information in the articles to indicate that the failures were related to the application layer of the cyber-physical system.

Other Details

Category / Option / Rationale

Consequence: harm, property, delay, non-human, theoretical_consequence
(a) death: There is no mention of people losing their lives due to the software failure incidents in the provided articles.
(b) harm: The articles discuss potential physical harm that could result from the software failures. For example, in the incident in Ukraine, the attackers overwrote firmware on critical devices at substations, leaving them unresponsive to remote commands, which could potentially lead to physical harm if not controlled properly [41368].
(c) basic: There is no direct mention of people's access to food or shelter being impacted due to the software failure incidents.
(d) property: The software failure incidents resulted in impacts on property, particularly in the case of the Ukraine power outage where control systems used to coordinate remote substations were disabled in the cyberattack [39825].
(e) delay: The incidents caused delays and disruptions, such as the control centers in Ukraine still not being fully operational more than two months after the attack, requiring workers to control breakers manually [41368].
(f) non-human: Non-human entities, such as industrial control systems and critical infrastructure equipment, were impacted by the software failure incidents, leading to disruptions in services and operations [39825, 60404].
(g) no_consequence: There were observed consequences of the software failure incidents, such as power outages and disruptions in control systems.
(h) theoretical_consequence: The articles discuss potential consequences of the software failures that did not occur, such as the possibility of physical destruction to power equipment and infrastructure, as well as the potential for widespread and longer-lasting outages [60319, 89176].
(i) other: The articles do not mention any other specific consequences of the software failure incidents.

Domain: information, utilities
(a) The failed system was related to the information industry as it involved cyberattacks on critical infrastructure systems used for information dissemination and control [26607, 39825, 39841, 41368, 60183, 60404, 61284, 89176, 124551].
(b) There is no specific mention of the transportation industry in the provided articles.
(c) There is no specific mention of the natural resources industry in the provided articles.
(d) There is no specific mention of the sales industry in the provided articles.
(e) There is no specific mention of the construction industry in the provided articles.
(f) There is no specific mention of the manufacturing industry in the provided articles.
(g) The failed system was related to the utilities industry, specifically affecting power distribution systems in Ukraine [39825, 39841, 41368, 89176].
(h) There is no specific mention of the finance industry in the provided articles.
(i) There is no specific mention of the knowledge industry in the provided articles.
(j) There is no specific mention of the health industry in the provided articles.
(k) There is no specific mention of the entertainment industry in the provided articles.
(l) There is no specific mention of the government industry in the provided articles.
(m) The failed system was not directly related to any other industry mentioned in the options.
