Incident: Malware Infection on U.S. Military Drones' Control Systems

Published Date: 2011-10-07

Postmortem Analysis
Timeline 1. The virus was first detected by the military's Host-Based Security System nearly two weeks before the article was published on October 7, 2011, which places the initial detection in the last week of September 2011 [8422]. How long the infection had been present before detection is not stated.
System 1. Ground control stations (GCS) for Predator and Reaper drones at Creech Air Force Base, Nevada 2. Creech Air Force Base's computers and network 3. Removable hard drives used by drone crews to load map updates and transport mission videos between computers 4. Tools involved in detection and remediation: the military's Host-Based Security System (detection) and BCWipe (disk erasure)
Responsible Organization 1. Not identified. Military network security specialists had not determined whether the virus and its keylogger payload were introduced intentionally or by accident, and the article names no author or source of the malware; the infection was found on systems at Creech Air Force Base in Nevada [8422].
Impacted Organization 1. U.S. Air Force drone units at Creech Air Force Base in Nevada, which fly Predator and Reaper drones from the infected ground control stations [8422] 2. Air Combat Command, whose spokesman responded on behalf of the affected units [8422] 3. Drone units at other Air Force bases worldwide, which were ordered to stop using removable drives [8422]
Software Causes 1. A computer virus infected the cockpits (ground control stations) of America's Predator and Reaper drones and logged pilots' keystrokes [8422]. 2. The virus carried a keylogger payload; it was not established whether the captured keystrokes, which could include classified information, ever left the network [8422]. 3. The virus is believed to have spread on the removable hard drives that Predator and Reaper crews use to load map updates and transport mission videos from one computer to another [8422].
Non-software Causes 1. The practice of moving map updates and mission videos between computers at Creech Air Force Base on removable hard drives [8422]. 2. Bridging the "air gaps" between classified and public networks with discs and removable drives, the same practice that introduced the agent.btz worm to hundreds of thousands of Defense Department computers in late 2008, an infection the Pentagon was still cleaning up three years later [8422].
Impacts 1. The virus logged pilots' every keystroke as they remotely flew missions over Afghanistan and other warzones, raising the possibility that captured data was transmitted to an outside source, although no such loss was confirmed [8422]. 2. The virus resisted multiple removal efforts, so technicians had to erase the GCS' internal hard drives with BCWipe and rebuild them from scratch, a time-consuming effort [8422]. 3. Drone units at other Air Force bases worldwide were ordered to stop using removable hard drives to prevent further spread [8422].
Preventions 1. Restricting or prohibiting removable drives and discs in drone control centers and other sensitive areas, which is the control the Air Force imposed after the fact [8422]. 2. Keeping host-based security tooling such as the Host-Based Security System current and active on every GCS host so that commodity malware is caught at the first infected machine rather than after it has persisted for weeks. 3. Enforcing air-gap discipline between classified and public networks rather than bridging them with discs and removable drives, the path that carried agent.btz in 2008 [8422].
Fixes 1. Erasing the GCS' internal hard drives with BCWipe and rebuilding them from scratch after ordinary removal attempts failed [8422]. 2. Ordering drone units at other Air Force bases to stop using removable drives so the virus could not spread further by the same path [8422]. 3. Determining whether the keylogger's captured data ever left the network, which at publication the Air Force could not confirm either way [8422].
References 1. Military's Host-Based Security System 2. Network security specialists 3. Source familiar with the network infection 4. Lt. Col. Tadd Sholtis, spokesman for Air Combat Command 5. Insiders at Creech Air Force Base
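The removable-drive transfer path described in the causes, preventions and fixes above is where an import control belongs. What follows is an added example, not code from the article, the Air Force or any named vendor: a Python import gate for a removable drive, assuming a trusted export station (hypothetical) shares an HMAC key with the receiving host and signs a manifest of the expected file names and SHA-256 hashes. Anything not in the manifest, anything of a non-data type, and any autorun.inf (the auto-execution mechanism that agent.btz is publicly documented to have used) is refused, and a file altered after signing fails its hash. The drive contents, file names and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical policy, not taken from the article: only map tiles and mission
# video may enter a ground control station on removable media.
ALLOWED_SUFFIXES = {".tif", ".mp4"}
# Files that older Windows hosts act on automatically when a drive is inserted.
BLOCKED_NAMES = {"autorun.inf"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large videos do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Manifest {name: sha256} plus an HMAC over its canonical JSON encoding.
    The key is assumed to be provisioned to the export station out of band."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check_media(media_dir: Path, manifest: dict, key: bytes) -> dict:
    """Return {'accepted': [names], 'rejected': {name: reason}}.
    Every file on the drive must be named in a validly signed manifest and
    hash-match it; extra files are treated as contamination, not ignored."""
    result = {"accepted": [], "rejected": {}}
    if not verify_manifest(manifest, key):
        result["rejected"]["<manifest>"] = "bad signature"
        return result
    listed = manifest["files"]
    present = {p.name: p for p in media_dir.iterdir() if p.is_file()}
    for name, path in sorted(present.items()):
        if name.lower() in BLOCKED_NAMES:
            result["rejected"][name] = "auto-execution file"
        elif path.suffix.lower() not in ALLOWED_SUFFIXES:
            result["rejected"][name] = "disallowed type"
        elif name not in listed:
            result["rejected"][name] = "not in manifest"
        elif sha256_file(path) != listed[name]:
            result["rejected"][name] = "hash mismatch"
        else:
            result["accepted"].append(name)
    for name in listed:
        if name not in present:
            result["rejected"][name] = "listed but missing"
    return result


def demo() -> dict:
    """Constructed sample drive: two legitimate files, then contamination added
    after the manifest was signed (autorun.inf, an executable, a tampered video)."""
    key = b"export-station-shared-secret"  # assumption: shared out of band
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "map_update.tif").write_bytes(b"constructed map tile data")
        (drive / "mission.mp4").write_bytes(b"constructed mission video")
        entries = {"map_update.tif": sha256_file(drive / "map_update.tif"),
                   "mission.mp4": sha256_file(drive / "mission.mp4")}
        manifest = sign_manifest(entries, key)
        (drive / "autorun.inf").write_text("[autorun]\nopen=update.exe\n")
        (drive / "update.exe").write_bytes(b"MZ constructed stand-in for a dropper")
        (drive / "mission.mp4").write_bytes(b"constructed mission video + appended payload")
        return check_media(drive, manifest, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gate refuses by default: a drive is only as trustworthy as the manifest it travels with, so an unsigned or re-signed manifest fails before any file is examined, and a file that is merely absent from the manifest is rejected rather than silently skipped, since silent extras are exactly how a worm rides along with legitimate map data.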

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) one_organization: This was not the first removable-media infection inside the Defense Department. In late 2008, discs and removable drives carried the agent.btz worm onto hundreds of thousands of Defense Department computers, and the Pentagon was still disinfecting machines three years later [8422]. (b) multiple_organization: The article does not report this virus at other organizations. The same data-transfer practice was in use at drone units at other Air Force bases worldwide, which is why those units were ordered to stop using removable drives once the Creech infection was found [8422].
Phase (Design/Operation) design, operation (a) design: The ground control stations depended on removable hard drives as the path for loading map updates and moving mission videos between machines, a design choice that let commodity malware cross into a sensitive system. The virus also survived repeated removal attempts, so the hosts' defenses were not built to recover from it short of erasing the GCS' internal drives with BCWipe and rebuilding them from scratch [8422]. (b) operation: The infection is believed to have spread through the crews' routine use of those removable drives, the same practice that carried agent.btz onto Defense Department computers in 2008 [8422].
Boundary (Internal/External) within_system, outside_system (a) within_system: The virus ran on Creech's own computers, was detected by the military's Host-Based Security System, and resisted multiple removal efforts from inside the network [8422]. (b) outside_system: The malware originated outside the drone systems and is believed to have entered on removable hard drives used to load map updates and transport mission videos; the open question at publication was whether it could send captured keystrokes back out to an outside source [8422].
Nature (Human/Non-human) non-human_actions, human_actions (a) non-human_actions: The direct failure was software acting on its own: a virus with a keylogger payload captured pilots' keystrokes during missions over Afghanistan and other warzones, was flagged by the Host-Based Security System, and kept returning after removal attempts [8422]. (b) human_actions: The virus reached the ground control stations because crews carried data between computers on removable hard drives, and the article leaves open whether someone introduced the malware intentionally or by accident [8422].
Dimension (Hardware/Software) hardware, software (a) hardware: The hardware involved is the removable hard drives used to load map updates and transport mission videos, which are believed to have carried the virus, and the GCS internal hard drives, which technicians ultimately had to erase completely with BCWipe [8422]. (b) software: The fault itself is software: a virus with a keylogger payload infected the cockpits of America's Predator and Reaper drones and resisted multiple removal attempts [8422].
Objective (Malicious/Non-malicious) malicious (a) The failure was caused by malicious code: a virus whose keylogger payload recorded pilots' every keystroke as they remotely flew missions, resisted removal, and could in principle have transmitted classified data outside the military chain of command [8422]. (b) Whether anyone deliberately targeted the drone systems is unknown. Network security specialists were not sure whether the virus was introduced intentionally or by accident, and the article allows that it may have been a common piece of malware that happened to reach Creech's sensitive networks [8422].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) poor_decisions: Allowing removable hard drives to carry map updates and mission videos between computers, after removable media had already spread agent.btz through the Defense Department in 2008, was a decision that created the spread path for this virus [8422]. (b) accidental_decisions: Network security specialists could not say whether the virus and its keylogger payload were introduced intentionally or by accident, so an accidental introduction by a crew member moving a drive remains possible [8422].
Capability (Incompetence/Accidental) accidental (a) The article does not attribute the incident to development incompetence. (b) It reports that military network security specialists were unsure whether the virus and its keylogger payload were introduced intentionally or by accident, which leaves accidental introduction as the supported reading [8422].
Duration permanent, temporary (a) permanent: As of publication the infection had not been eliminated: the virus resisted multiple removal efforts and kept coming back after being wiped off, and the Air Force could not say whether captured keystrokes had already left the network, a loss that no cleanup would reverse [8422]. (b) temporary: On each affected ground control station the failure ends once technicians erase the internal hard drives with BCWipe and rebuild them from scratch, so the disruption on any given host is time-limited, if costly [8422].
Behaviour value, other (a) crash: Not supported. The article describes no loss of control of the ground control stations or the aircraft and no system halting; the failure is that the hosts kept running while compromised [8422]. (b) omission: Not supported. The keylogger added behaviour rather than omitting any function the GCS was meant to perform [8422]. (c) timing: Not supported. The only timing detail is that the virus was detected nearly two weeks before publication and removal efforts were still under way, which describes the response rather than a timing fault in the system [8422]. (d) value: The system produced behaviour it was never meant to: it logged pilots' keystrokes and could have carried classified data outside the military chain of command, violating the integrity and confidentiality the GCS was supposed to provide [8422]. (e) byzantine: Not supported. The keylogger acted consistently, recording keystrokes, and the article reports no inconsistent responses between components [8422]. (f) other: The incident is best described as a security breach: malware persisted on systems used to fly armed aircraft, resisted removal, and exposed classified information to possible capture, a risk to national security beyond any conventional fault [8422].

IoT System Layer

Layer Option Rationale
Perception processing_unit, embedded_software (a) sensor: Not involved. The failure lay in a computer virus on the ground control stations, not in the aircraft's sensors [8422]. (b) actuator: Not involved; the article reports no actuator fault on the drones [8422]. (c) processing_unit: The virus ran on the GCS hosts that crews use to fly Predator and Reaper drones, where it logged keystrokes and resisted removal until the internal drives were erased [8422]. (d) network_communication: Not the entry path. The virus is believed to have arrived on removable hard drives used for map updates and mission videos, a transfer that deliberately bypasses network links; the article raises, but does not confirm, a network path out of the GCS for captured keystrokes [8422]. (e) embedded_software: The software on the GCS hosts was compromised to the point that it had to be wiped and rebuilt from scratch [8422].
Communication connectivity_level The failure belongs to the connectivity level in the sense of how the ground control stations exchanged data with the outside world: data entered them on removable drives used to load map updates and transport mission videos, the same air-gap-bridging practice that spread agent.btz in 2008, and the unresolved question was whether the keylogger had any route over which to send captured keystrokes to an outside source [8422].
Application TRUE The failure sits in the application layer of the cyber-physical system: a virus on the ground control stations logged pilots' keystrokes and could have captured classified information. It was introduced through removable drives used to load map updates and transport mission videos, a use of the system's own data-transfer workflow that its application-level controls did not guard against [8422].

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: Not attributable to the failure. The article notes that American military drones have killed more than 2,000 suspected militants and civilians, but as context for the systems' importance, not as a result of the virus [8422]. (b) harm: The article reports no physical harm caused by the failure. (c) basic: The article reports no impact on access to food or shelter. (d) property: Data was put at risk: the keylogger could have captured secret data and transmitted it over the public internet, and the affected GCS drives had to be erased and rebuilt [8422]. (e) delay: The article reports no postponed activity and does not say whether any missions were affected. (f) non-human: The ground control stations and the sensitive networks around them were compromised, and drone units at other bases lost the use of removable drives [8422]. (g) no_consequence: Not applicable; the virus persisted through removal attempts and forced drives to be wiped and rebuilt [8422]. (h) theoretical_consequence: Exfiltration of classified data was discussed but not confirmed; at publication there were no confirmed incidents of classified information being lost or sent to an outside source [8422]. (i) other: The incident exposed the drone fleet's ground systems as vulnerable to commodity malware, a standing security risk beyond this one infection [8422].
Domain government (a) The failed system supports government and defense: the ground control stations for America's Predator and Reaper drones, which the U.S. military relies on for surveillance and strikes over Afghanistan and other warzones [8422]. The incident highlighted the security weaknesses of those systems.

Sources
