| Recurring |
multiple_organization |
(a) The software failure incident related to vulnerabilities in SCADA systems affecting critical infrastructure has happened again at multiple organizations. The vulnerabilities targeted systems made by Siemens, Iconics, 7-Technologies, and DATAC [4620]. These systems are used in oil, gas, water management facilities, factories, and automated factories [4620]. The exploit codes released targeted specific vulnerabilities in these systems, potentially allowing attackers to crash systems, siphon sensitive data, gain foothold access, and find additional security holes that could impact core processes [4620]. The incident highlights the ongoing security challenges faced by organizations using SCADA systems in critical infrastructures. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the vulnerabilities found in SCADA systems made by Siemens, Iconics, 7-Technologies, and DATAC. The attack codes released targeted specific vulnerabilities in these systems, such as buffer-overflow vulnerabilities in the Siemens system and vulnerable processes in the Iconics and 7-Technologies systems. These vulnerabilities were identified by a security researcher who published the exploits to draw attention to security problems with SCADA systems [4620].
(b) The software failure incident related to the operation phase is highlighted by the potential impact of the vulnerabilities on critical infrastructure systems. While the vulnerabilities may not directly affect the backend systems that control critical processes, they could allow attackers to gain a foothold on a system and potentially find additional security holes that could impact core processes. The attack codes released could allow attackers to crash systems, siphon sensitive data, or even execute malicious code on the systems, affecting what operators see on their monitors [4620]. |
| Boundary (Internal/External) |
within_system |
(a) The software failure incident described in the articles is primarily within_system. The vulnerabilities and attack codes were discovered within the SCADA systems themselves, such as Siemens, Iconics, 7-Technologies, and DATAC. The vulnerabilities allowed attackers to crash systems, siphon sensitive data, gain footholds, and potentially execute malicious code within the systems [4620]. The attacks targeted specific vulnerabilities within the SCADA systems, indicating that the failure originated from within the software systems themselves. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case is primarily due to non-human actions, specifically vulnerabilities in SCADA systems made by various companies like Siemens, Iconics, 7-Technologies, and DATAC. These vulnerabilities were exploited by attack codes released by a security researcher, allowing attackers to crash systems, siphon sensitive data, and potentially gain a foothold to find additional security holes [4620]. The vulnerabilities were not highly dangerous on their own but could still impact critical processes [4620].
(b) Human actions also played a role in this software failure incident as the attack codes exploiting the vulnerabilities were released by a security researcher named Luigi Auriemma. Auriemma published the vulnerabilities and attack codes to draw attention to security problems with SCADA systems, which caught the attention of U.S. ICS-CERT [4620]. Additionally, the vulnerabilities in the systems were identified through tests conducted by Auriemma, showcasing how human actions can contribute to software failures [4620]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the articles is primarily related to vulnerabilities found in SCADA systems used in critical infrastructure facilities such as oil, gas, water management, and factories. These vulnerabilities were identified in systems made by companies like Siemens, Iconics, 7-Technologies, and DATAC [4620].
(b) The software failure incident is specifically related to software vulnerabilities in SCADA systems, such as buffer-overflow vulnerabilities in the Siemens system, vulnerabilities in Iconics, 7-Technologies IGSS, and DATAC RealWin systems. These vulnerabilities could allow attackers to crash systems, siphon sensitive data, remote-copy files, execute remote code, and manipulate data displayed on operator screens [4620]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. The incident involved a researcher releasing attack code that exploited vulnerabilities in SCADA systems used in critical infrastructure facilities such as oil, gas, water management, and factories [4620]. The vulnerabilities targeted by the attack code could allow an attacker to crash systems, siphon sensitive data, gain unauthorized access, and potentially impact core processes [4620]. The researcher published the vulnerabilities and attack codes to draw attention to security issues with SCADA systems, highlighting the malicious intent behind the incident [4620]. Additionally, the attack codes released targeted specific vulnerabilities in systems like Siemens Tecnomatix FactoryLink, Iconics, Genesis32, Genesis64, DATAC RealWin, and 7-Technologies IGSS, indicating a deliberate effort to exploit weaknesses in these systems [4620]. |
| Intent (Poor/Accidental Decisions) |
accidental_decisions |
The intent of the software failure incident described in the articles is related to accidental decisions. The incident involved a security researcher, Luigi Auriemma, who discovered vulnerabilities in SCADA systems used in critical infrastructure facilities. Auriemma published exploit codes to draw attention to security issues with SCADA systems, not with the intention of causing harm but to highlight the vulnerabilities for improvement and patching [4620]. |
| Capability (Incompetence/Accidental) |
accidental |
(a) The software failure incident reported in the articles is not related to development incompetence. The incident was caused by a security researcher, Luigi Auriemma, who discovered vulnerabilities in SCADA systems used in critical infrastructure facilities and released attack codes to draw attention to security problems with these systems [4620].
(b) The software failure incident can be categorized as accidental. The vulnerabilities in the SCADA systems were accidentally discovered by Luigi Auriemma during a series of tests, and he published the vulnerabilities and attack codes to highlight the security issues with these systems [4620]. |
| Duration |
temporary |
The software failure incident described in the articles is more aligned with a temporary failure rather than a permanent one. The incident involves the discovery and exploitation of vulnerabilities in SCADA systems used in critical infrastructure facilities such as oil, gas, water management, and factories. The vulnerabilities were identified by a security researcher who released attack codes targeting specific systems made by Siemens, Iconics, 7-Technologies, and DATAC [4620].
The vulnerabilities discovered in the SCADA systems were not deemed highly dangerous on their own, as they mainly allowed attackers to crash systems or siphon sensitive data. The vulnerabilities were targeted at operator viewing platforms rather than the backend systems directly controlling critical processes. However, experts cautioned that these vulnerabilities could potentially allow attackers to gain a foothold in the system to discover additional security holes that could impact core processes [4620].
The incident highlights a temporary failure scenario where specific circumstances, in this case, the presence of vulnerabilities in the SCADA systems, led to a potential security breach. The vulnerabilities were identified and exploited, indicating a temporary failure that could be addressed through patching and security measures to prevent further exploitation. |
| Behaviour |
crash, omission, value, other |
(a) crash: The vulnerabilities in the SCADA systems could allow an attacker to crash a system. For example, one of the attacks against the Siemens system would result in a denial-of-service [4620].
(b) omission: The vulnerabilities in the SCADA systems could potentially allow an attacker to mask what an operator sees on their monitor, by changing data that appears on the screen, thus omitting to show the correct information to the operator [4620].
(c) timing: There is no specific mention of a timing-related failure in the articles.
(d) value: The vulnerabilities in the SCADA systems could allow an attacker to siphon sensitive data or to remote-copy files into the file systems, potentially leading to incorrect data handling [4620].
(e) byzantine: The vulnerabilities in the SCADA systems could allow an attacker to gain a foothold on a system to find additional security holes that could affect core processes, showing inconsistent responses and interactions [4620].
(f) other: The software failure incident described in the articles involves vulnerabilities in SCADA systems that could potentially allow an attacker to execute malicious code on the system, drop files onto the host, and modify operator graphics to deceive the operator, which could be considered as other types of behavior not explicitly covered by the options (a) to (e) [4620]. |