| Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
The incident reported in the article [9059] involved a hacker gaining unauthorized access to a South Houston water utility system. This incident highlighted vulnerabilities in industrial control systems, particularly SCADA systems. The hacker, using the alias "pr0f," mentioned that he has hacked other SCADA systems as well, indicating a potential pattern of security weaknesses within these systems.
(b) The software failure incident having happened again at multiple_organization:
The article [9059] mentions that the hacker, "pr0f," has hacked into other SCADA systems, including a Polish waste-water treatment plant and possibly a water metering control system from Spain or Portugal. This suggests that similar incidents of unauthorized access and potential vulnerabilities in SCADA systems may have occurred in multiple organizations beyond just the South Houston water utility. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident in the article is related to the design phase. The hacker, using the alias "pr0f," hacked into a South Houston water utility system to demonstrate the vulnerabilities in industrial control systems like SCADA. He mentioned that the systems are vulnerable to basic attacks due to poor configuration of services, bad password choices, and lack of restrictions on who can access the interfaces [9059]. This indicates that the failure was due to contributing factors introduced during the system development and configuration processes.
(b) The software failure incident can also be linked to the operation phase. The hacker gained unauthorized access to the SCADA systems by exploiting weaknesses in the system's operation, such as poor configuration of services and bad password choices. This unauthorized access and potential manipulation of the water utility system demonstrate a failure in the operation of the system, as it was not adequately protected against external threats [9059]. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident reported in the article is primarily within the system. The hacker, using the alias "pr0f," mentioned that he was able to hack into a South Houston water utility by exploiting poor configuration of services, bad password choice, and lack of restrictions on who can access the interfaces [9059]. This indicates that the failure was primarily due to vulnerabilities and weaknesses within the system itself, allowing unauthorized access and potential manipulation of the SCADA systems. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
- The hacker, using the alias "pr0f," hacked into a South Houston water utility to demonstrate the vulnerability of SCADA systems [9059].
- The hacker mentioned that the intrusion did not involve any damage to the machines and was not intended for mindless vandalism [9059].
- The hacker highlighted that the intrusion was facilitated by poor configuration of services, bad password choices, and lack of restrictions on who can access the interfaces, indicating vulnerabilities in the system itself [9059].
(b) The software failure incident occurring due to human actions:
- The hacker, pr0f, mentioned that the intrusion was not a sophisticated hack and could be reproduced by someone with basic knowledge of Simatic software due to poor security practices like bad password choices and lack of access restrictions [9059].
- The article does not mention any specific human actions leading to the software failure incident. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident in the article is not directly attributed to hardware issues. The hacker, pr0f, mentioned that he gained access to the SCADA systems through a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces, indicating vulnerabilities in the software and system configuration rather than hardware issues [9059].
(b) The software failure incident in the article is primarily attributed to software vulnerabilities. The hacker, pr0f, exploited weaknesses in the SCADA systems' configurations, passwords, and access controls to gain unauthorized access. He highlighted the lack of security measures in place, such as poor configuration of services, bad password choices, and unrestricted access to interfaces, as the factors that allowed him to infiltrate the systems. This indicates that the failure originated in the software and its implementation rather than hardware issues [9059]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident in this case is malicious. The hacker, using the alias "pr0f," hacked into a South Houston water utility system to demonstrate the vulnerability of SCADA systems. The hacker mentioned that the intrusion required almost no skill and could be reproduced by someone with basic knowledge. The hacker accessed and shared sensitive information related to PLC configurations for a Polish waste-water treatment plant, SCADA data from an HMI box at Southern Methodist University, and water metering control system files from Spain or Portugal. The hacker's actions were prompted by the U.S. government's response to a previous report of an intrusion at an Illinois water plant, which the government downplayed. The hacker expressed dissatisfaction with the government's response and aimed to show the vulnerabilities of industrial control systems [9059].
(b) The software failure incident is non-malicious. The superintendent of the South Houston water plant mentioned that they were still investigating the problem to understand what was going on. The hacker, pr0f, stated that no damage was done to any machines during the intrusion, indicating that the objective was not mindless vandalism. The hacker highlighted that the intrusion was not a sophisticated hack and could be achieved through poor configuration of services, bad password choices, and lack of restrictions on accessing interfaces. Pr0f clarified that he is not a security professional and does not work in the SCADA sector but is an interested party with knowledge about ICS and embedded systems [9059]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident related to poor_decisions:
- The hacker, using the alias "pr0f," hacked into a South Houston water utility to show vulnerabilities in industrial control systems [9059].
- The hacker mentioned that he gained access through a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces [9059].
- The hacker highlighted the lack of awareness and slow reactions from organizations like ICS-CERT in addressing vulnerabilities in industrial control systems [9059].
(b) The intent of the software failure incident related to accidental_decisions:
- The hacker mentioned that the intrusion into the South Houston water utility was not intended for mindless vandalism but rather to expose vulnerabilities in the system [9059].
- The hacker stated that the intrusion did not cause any damage to the machines, indicating that the intent was not malicious destruction but rather to raise awareness about security flaws [9059]. |
| Capability (Incompetence/Accidental) |
accidental |
(a) The software failure incident in the article was not due to development incompetence but rather due to the actions of a hacker who exploited vulnerabilities in the SCADA systems of various facilities, including a water utility in South Houston [9059].
(b) The software failure incident can be categorized as accidental as it was not a result of development incompetence but rather a deliberate intrusion by a hacker using poor configurations, bad password choices, and lack of restrictions on accessing interfaces [9059]. |
| Duration |
permanent |
(a) The software failure incident in the article seems to be more of a permanent nature. The hacker "pr0f" mentioned that he hacked into a South Houston water utility to demonstrate the vulnerability of industrial control systems. He highlighted the poor configuration of services, bad password choices, and lack of restrictions on who can access the interfaces as contributing factors to his successful intrusion [9059].
Additionally, the hacker's actions were prompted by the U.S. government's response to a report of an intrusion at an Illinois water plant, where a pump was burned out. The hacker criticized the government's downplaying of the risks to national infrastructure and provided screenshots of diagrams of water and waste-water treatment facilities in South Houston, Texas, as proof of his intrusion [9059]. |
| Behaviour |
other |
(a) crash: The incident reported in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The hacker, pr0f, did not cause any damage to the machines or the systems he accessed, indicating that the systems were still operational despite the unauthorized access [9059].
(b) omission: There is no indication in the article that the software failure incident was due to the system omitting to perform its intended functions at an instance(s). The hacker's actions were focused on accessing and demonstrating vulnerabilities in SCADA systems rather than causing the systems to omit their functions [9059].
(c) timing: The incident does not relate to a timing failure where the system performs its intended functions but does so too late or too early. The focus of the incident was on demonstrating vulnerabilities in industrial control systems rather than timing issues [9059].
(d) value: The software failure incident does not involve the system performing its intended functions incorrectly. The hacker, pr0f, accessed various SCADA systems to show their vulnerabilities but did not manipulate the systems to perform incorrectly [9059].
(e) byzantine: The incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. The hacker's actions were aimed at highlighting security weaknesses in SCADA systems rather than causing erratic or inconsistent behavior in the systems [9059].
(f) other: The behavior of the software failure incident in this case can be categorized as unauthorized access and demonstration of vulnerabilities in SCADA systems by the hacker, pr0f. The incident does not fit into the traditional software failure categories but rather involves a security breach and potential risks to critical infrastructure systems [9059]. |