Incident: Russian Hackers Target U.S. Electrical Grid in Vermont Incident

Published Date: 2016-12-31

Postmortem Analysis
Timeline
1. The software failure incident happened in December 2016 [58070].

System
The incident reported in Article 58070 involved malware code associated with the Russian hacking operation Grizzly Steppe being detected within the system of a Vermont utility. The specific system that failed was:
1. A laptop at Burlington Electric that was not connected to the grid systems [58070].

Responsible Organization
1. Russian hackers associated with the Grizzly Steppe operation were responsible for the software failure incident at the Vermont utility [58070].

Impacted Organization
1. Burlington Electric, which detected malware code associated with the Russian hacking operation in its system [58070].

Software Causes
1. Malware code associated with the Russian hacking operation Grizzly Steppe was present within the system of a Vermont utility [58070].

Non-software Causes
1. Russian hackers attempted to penetrate the U.S. electric grid, leading to concerns about potential attacks [58070].

Impacts
1. The incident raised fears in the U.S. government that Russian government hackers are actively trying to penetrate the electrical grid, potentially leading to disruptive attacks [58070].
2. The incident highlighted the urgent need for the federal government to vigorously pursue and put an end to Russian meddling in critical infrastructure systems such as the electric grid [58070].
3. The discovery of the malware code within the Vermont utility's system underscored the vulnerabilities of the nation's electrical grid and the potentially disastrous implications for the country's medical and emergency services [58070].
4. The incident led to concerns about potential manipulation of the grid and the shutdown of utilities, posing a direct threat to the state of Vermont and its residents [58070].
5. The incident demonstrated the systemic, relentless and predatory nature of Russian hacking activities, showing that hackers will target many sectors, including utilities, to disrupt the country [58070].

Preventions
1. Implementing strong cybersecurity measures such as firewalls, intrusion detection systems and regular security audits to prevent unauthorized access to the system [58070].
2. Conducting regular training and awareness programs so that employees recognize and avoid phishing emails that could lead to password theft [58070].
3. Enhancing network monitoring and anomaly detection to quickly identify and isolate suspicious activity within the system [58070].
4. Collaborating with government agencies and sharing information about potential threats and vulnerabilities to stay informed and prepared against cyberattacks [58070].

Fixes
1. Conducting a full and complete investigation of the incident and undertaking remedies to ensure it never happens again [58070].
2. Vigorously pursuing and putting an end to Russian meddling in the electrical grid [58070].
3. Remaining vigilant and supporting sanctions against Russia for its attacks [58070].

References
1. U.S. officials
2. Burlington Electric
3. Vermont Gov. Peter Shumlin
4. Sen. Patrick J. Leahy
5. Rep. Peter Welch
6. Department of Homeland Security
7. FBI
8. Office of the Director of National Intelligence
9. Russian Embassy
10. Energy Department
11. DHS representatives [58070]

Software Taxonomy of Faults

Category: Recurring
Option: unknown
Rationale: The articles do not provide information about the software failure incident happening again, either at the same organization (one_organization) or at multiple organizations (multiple_organization).

Category: Phase (Design/Operation)
Option: design
Rationale: (a) The software failure incident in the article is related to the design phase. The incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility. The code was found on a laptop that was not connected to the organization's grid systems, highlighting vulnerabilities in the nation's electrical grid [58070]. The incident was not a result of the operation or misuse of the system but rather of a design flaw that allowed the malware to infiltrate the utility's computer system.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale: The software failure incident reported in the articles is related to both within_system and outside_system factors. (a) within_system: The incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility, Burlington Electric. The malware code was found on a laptop that was not connected to the organization's grid systems, indicating an internal breach within the system itself [58070]. (b) outside_system: The incident was also influenced by external factors, as it was part of a larger Russian hacking operation dubbed Grizzly Steppe. The Russian hackers did not actively use the code to disrupt operations, but the discovery raised fears that Russian government hackers are actively trying to penetrate the U.S. electrical grid, indicating external threats to the system [58070].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale: (a) The software failure incident in this case was primarily due to non-human actions. The incident involved malware code associated with the Russian hacking operation Grizzly Steppe being detected within the system of a Vermont utility. The code was found on a laptop that was not connected to the organization's grid systems, indicating that the malware was introduced into the system without human participation [58070]. (b) Human actions also played a role in this incident, as the Russian hackers were actively trying to penetrate the grid to carry out potential attacks. Additionally, the hackers used fraudulent emails to trick recipients into revealing passwords, showing a level of human involvement in the cyberattack [58070].

Category: Dimension (Hardware/Software)
Option: software
Rationale: (a) The software failure incident in the article is not attributed to hardware issues. The incident involved malware code associated with the Russian hacking operation being detected within the system of a Vermont utility; the affected machine was not connected to the grid systems. The malware code was found on a laptop that was not attached to the organization's grid systems, indicating that the failure originated from software-related vulnerabilities rather than hardware issues [58070]. (b) The software failure incident in the article is directly related to software issues. Specifically, the incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility. The malware code was found on a laptop that was not connected to the organization's grid systems, highlighting vulnerabilities in the software that allowed the intrusion. This incident underscores the risks posed by software vulnerabilities in critical infrastructure systems such as the electrical grid [58070].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale: (a) The software failure incident reported in the articles is malicious. The incident involved Russian hackers attempting to penetrate the U.S. electrical grid by planting malware code associated with the Russian hacking operation Grizzly Steppe in a Vermont utility's system [58070]. The discovery of the code raised fears that Russian government hackers were actively trying to penetrate the grid to carry out potential attacks, indicating malicious intent to disrupt operations and potentially manipulate the grid [58070]. The incident was seen as a direct threat to the state of Vermont, with officials expressing concerns about the possibility of the grid being shut down in the middle of winter [58070]. Additionally, the joint analysis report by the FBI and DHS stated that the activity of the Russian military and civilian services, including cyber-enabled operations directed at the U.S. government and its citizens, was part of an ongoing campaign of cyber-enabled operations, indicating a deliberate and malicious effort to target U.S. networks [58070]. The report also mentioned that the hackers involved in the Russian operation used fraudulent emails to trick recipients into revealing passwords, further demonstrating malicious intent [58070].

Category: Intent (Poor/Accidental Decisions)
Option: accidental_decisions
Rationale: The intent behind the software failure incident described in the articles appears to be related to potentially malicious activity by Russian hackers. The incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility. While the Russians did not actively use the code to disrupt operations, the discovery raised fears that Russian government hackers are actively trying to penetrate the grid to carry out potential attacks [58070]. This suggests an intent to disrupt or manipulate the utility's operations. The attack was described as going beyond hackers taking electronic joy rides and was seen as a direct threat to the state of Vermont [58070]. The article also notes that it is unclear what the intentions of the Russians might have been, with possibilities including disrupting the utility's operations or testing the ability to penetrate a portion of the grid [58070]. Therefore, based on the information provided in the articles, the intent of the software failure incident appears to be more aligned with the option 'accidental_decisions', reflecting mistakes or unintended decisions made by the hackers in attempting to access and potentially manipulate the grid.

Category: Capability (Incompetence/Accidental)
Option: accidental
Rationale: (a) The software failure incident in Article 58070 was not due to development incompetence. It was reported that code associated with the Russian hacking operation was detected within the system of a Vermont utility, indicating a deliberate attempt by external actors to infiltrate the system [58070]. (b) The software failure incident in Article 58070 was accidental. The malware code associated with the Russian hacking operation was detected on a laptop that was not connected to the organization's grid systems. The company took immediate action to isolate the laptop and alert federal authorities, indicating that the infiltration was accidental and not actively used to disrupt operations [58070].

Category: Duration
Option: temporary
Rationale: The software failure incident reported in the articles can be categorized as a temporary failure. The incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility. The malware was found on a laptop that was not connected to the organization's grid systems, and immediate action was taken to isolate the laptop and alert federal authorities [58070]. This indicates that the failure was temporary and did not result in a permanent disruption to the utility's operations.

Category: Behaviour
Option: other
Rationale: (a) crash: The incident did not involve a crash in which the system lost state and performed none of its intended functions. It was related to the detection of malware code within the system of a Vermont utility, which was not actively used to disrupt operations [58070]. (b) omission: The incident did not involve an omission in which the system failed to perform its intended functions at one or more instances. It concerned the detection of the malware code within the system rather than the system omitting any functions [58070]. (c) timing: The incident did not involve a timing issue in which the system performed its intended functions correctly but too late or too early. It was focused on the detection of the malware code within the system and the potential implications of such a breach [58070]. (d) value: The incident did not involve a value issue in which the system performed its intended functions incorrectly. It was related to the detection of malware code within the system, which was not actively used to disrupt operations [58070]. (e) byzantine: The incident did not exhibit byzantine behaviour, in which the system behaves erroneously with inconsistent responses and interactions. It concerned the detection of the malware code within the system and the concerns raised about potential Russian hacking attempts on the U.S. electrical grid [58070]. (f) other: The incident can be categorized as a security breach, due to the detection of malware code associated with Russian hacking within the system of a Vermont utility. The incident raised concerns about the vulnerabilities of the nation's electrical grid and the potential threats posed by Russian government hackers [58070].

IoT System Layer

Layer: Perception
Option: unknown
Rationale: (a) sensor: Failure due to contributing factors introduced by sensor error. The incident reported in the articles does not mention a sensor error as the cause of the software failure. The focus is on the detection of Russian malware within the system of a Vermont utility, indicating a cybersecurity breach rather than a sensor error [58070]. (b) actuator: Failure due to contributing factors introduced by actuator error. The articles do not mention any actuator error as a contributing factor. The main issue highlighted is the presence of Russian malware in the utility's system [58070]. (c) processing_unit: Failure due to contributing factors introduced by processing error. The incident is related to a cybersecurity breach involving Russian malware detected within the system of a Vermont utility; there is no mention of a processing error as a contributing factor [58070]. (d) network_communication: Failure due to contributing factors introduced by network communication error. The incident is linked to a cybersecurity breach in which Russian malware was detected within the system of a Vermont utility. The focus is on the vulnerability of the nation's electrical grid and the potential threat posed by Russian government hackers trying to penetrate the grid, rather than on a network communication error [58070]. (e) embedded_software: Failure due to contributing factors introduced by embedded software error. The incident is related to the detection of Russian malware within the system of a Vermont utility. It highlights the presence of the Grizzly Steppe malware code in the utility's operations, indicating a cybersecurity breach involving embedded software rather than an embedded software error as a contributing factor [58070].

Layer: Communication
Option: connectivity_level
Rationale: The software failure incident reported in the articles is related to the connectivity level of the cyber-physical system. The incident involved the detection of malware code associated with the Russian hacking operation within the system of a Vermont utility, indicating a breach at the network or transport layer rather than the physical layer [58070]. The malware code was found on a laptop that was not connected to the organization's grid systems, highlighting the vulnerability of the nation's electrical grid at the network level [58070].

Layer: Application
Option: FALSE
Rationale: The software failure incident reported in the articles was related to the application layer of the cyber-physical system. The failure was due to the presence of malware code associated with the Russian hacking operation Grizzly Steppe that was detected within the system of a Vermont utility. The malware code was found on a laptop that was not connected to the organization's grid systems, indicating that the failure was caused by external factors introduced by the malicious code [58070].

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale: (d) property: People's material goods, money or data were impacted by the software failure. The incident involving Russian hackers targeting the U.S. electrical grid raised concerns about the vulnerabilities of the nation's electrical infrastructure. While the Russians did not actively disrupt operations, the discovery of the malware code within a Vermont utility's system highlighted the potential risks to critical infrastructure. The incident led to immediate action by Burlington Electric to isolate the affected laptop and alert federal authorities, indicating a direct impact on the utility's operations and data security [58070].

Category: Domain
Option: utilities
Rationale: (a) The failed system belonged to the utilities industry, specifically the electrical grid. The incident involved malware code associated with the Russian hacking operation being detected within the system of a Vermont utility, Burlington Electric [58070]. The utility industry is highly computerized, and any disruption of the grid can have disastrous implications for the country's medical and emergency services. The malware code was found on a laptop that was not connected to the organization's grid systems, prompting immediate action to isolate the laptop and alert federal authorities. (g) The incident directly impacted the utilities industry, particularly the electrical grid. The discovery of the malware code within the Vermont utility's system raised fears in the U.S. government that Russian government hackers were actively trying to penetrate the grid to carry out potential attacks. The attack was seen as a direct threat to Vermont, with concerns about potential manipulation of the grid and shutdowns at critical times such as winter [58070].

Sources
