ID | Date | System | Failure Cause | Failure Result | Repair Recommendation | Sources of Faults | Duration | Location | Semantics | Behavior | Dimension | Primary Source | Secondary Sources |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | 2021 | Water works | Lack of separation between IT & OT network | City's water poisoned | Remove remote access⁺; Isolate critical infrastructure* | Communication Level - Connectivity | Transient | External | Arbitrary | Soft | Software | https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html | |
2 | 2021 | Oil pipeline | Hack of business network; lack of separation between business & operation networks | Shutdown of a major oil pipeline | Isolate critical infrastructure network⁺ | Application Level | Transient | External | Arbitrary | Hard | Software | https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html | |
3 | 2021 | Public transportation | Zero day attack in remote access software; malware web shells | Unauthorized access; $370000 response cost | Scan periodically for backdoor web shells⁺ | Communication Level - Connectivity | Transient | Internal | Arbitrary | Soft | Software | https://www.nytimes.com/2021/06/02/nyregion/mta-cyber-attack.html | |
4 | 2019 | Water treatment facility | Un-updated discharged personnel authentication; unsecure remote access | Unauthorized access; altered cleaning & disinfecting process | Update personnel changes to all security systems* | Communication Level - Connectivity | Transient | External | Arbitrary | Soft | Software | https://www.wired.com/story/threat-to-water-supply-is-real-and-only-getting-worse/ | |
5 | 2015 | Power plant | Unsecure supply chain network; malware repositories | Unauthorized access; leak of critical information | Secure & isolate supply chain network* | Communication Level - Connectivity | Transient | External | Arbitrary | Soft | Software | https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html | https://www.cisa.gov/uscert/ncas/alerts/TA18-074A |
6 | 2015 | Power distribution center | Unsecure remote access; lack of 2FA for SCADA | Loss of power for 230000 residents | Enable 2FA for safety-critical remote access⁺ | Communication Level - Connectivity | Transient | External | Arbitrary | Hard | Software | https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ | |
7 | 2019 | Autonomous car | Failed to detect parked vehicle, stop sign, flashing red lights; ineffective driver engagement monitor | Fatal collision | Increase auto emergency braking efforts*; stringent user engagement monitor⁺ | Application Level | Permanent | Internal | Value | Hard | Software | https://www.nytimes.com/2021/08/17/business/tesla-autopilot-accident.html | |
8 | 2019 | Autonomous car | Failed to detect merging vehicle; neglected radar data; ineffective driver engagement monitor | Fatal collision | Create redundancy in object detection system⁺; stringent user engagement monitor⁺ | Application Level | Permanent | Internal | Value | Hard | Software | https://www.nytimes.com/2021/07/05/business/tesla-autopilot-lawsuits-safety.html | |
9 | 2019 | Connected car | Default authentication for user accounts; lack of isolation for safety-critical functions | Unauthorized access to safety-critical functions | Disable default authentication⁺; isolate safety-critical functions* | Application Level | Transient | External | Arbitrary | Soft | Software | https://www.wired.com/story/car-hacking-biometric-database-security-roundup/ | https://www.vice.com/en/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps |
10 | 2018 | Autonomous car | Ineffective parked vehicle identification; ineffective driver engagement monitor | Fatal collision | Increase parked vehicle detection efforts*; stringent user engagement monitor⁺ | Application Level | Permanent | Internal | Value | Hard | Software | https://www.nytimes.com/2021/08/16/business/tesla-autopilot-nhtsa.html | |
11 | 2018 | Autonomous car | Failed to detect road barrier; ineffective driver engagement monitor | Fatal collision | Increase object detection & emergency braking efforts*; stringent user engagement monitor⁺ | Application Level | Permanent | Internal | Value | Hard | Software | https://www.wired.com/story/tesla-autopilot-self-driving-crash-california/ | |
12 | 2016 | Autonomous car | Failed to detect turning vehicle & stop at collision; ineffective driver engagement monitor | Fatal collision | Increase object detection & emergency braking efforts*; stringent user engagement monitor* | Application Level | Permanent | Internal | Value | Hard | Software | https://www.nytimes.com/2016/07/13/business/tesla-autopilot-fatal-crash-investigation.html | |
13 | 2015 | Connected car | Zero day exploit of entertainment system firmware | Unauthorized access to safety-critical functions | Isolate safety-critical functions⁺; auto monitor CAN bus⁺ | Communication Level - Link | Transient | External | Arbitrary | Soft | Software | https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ | |
14 | 2015 | Connected car | Unsecure remote access protocol (SMS, SSH w/ default key) in telematics dongle | Unauthorized access to safety-critical functions | Secure remote access⁺; isolate safety-critical functions⁺ | Communication Level - Connectivity | Transient | External | Arbitrary | Soft | Software | http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/ | |
15 | 2019 | Connected RTOS | Networking protocol bug in COTS; lack of software bill of materials | Exploitable vulnerabilities | Maintain software bill of materials⁺ | Communication Level - Connectivity | Transient | Internal | Arbitrary | Soft | Software | https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/ | |
16 | 2018 | Smart home products | Lack of all users' consent; abuse enabling user experience | Domestic abuse; psychological stress | Require system consent from all users* | Application Level | Transient | External | Arbitrary | Soft | Software | https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html | |
17 | 2016 | Smart thermostat | Bug in software update | Battery depletion; unprompted temperature decrease | Comprehensive device testing for software updates* | Perception Level - Embedded Software | Transient | Internal | Crash | Hard | Software | https://www.nytimes.com/2016/01/14/fashion/nest-thermostat-glitch-battery-dies-software-freeze.html | |
18 | 2016 | Old connected devices | Processors with default authentication | Botnet DDoS; internet outage | Disable default authentication⁺; stringent testing for old COTS* | Perception Level - Embedded Software | Transient | Internal | Arbitrary | Soft | Software | https://www.wired.com/2016/10/internet-outage-webcam-dvr-botnet/ | |
19 | 2019 | Smart baby vital monitor | Device to server to phone app connection loss | False sense of safety | Alert when connection lost* | Application Level | Transient | Internal | Crash | Hard | Software | https://www.nytimes.com/2020/04/17/parenting/owlet-baby-monitor.html | |
20 | 2019 | Smart diabetes monitor | Device to server to phone app connection loss | False sense of safety | Alert when connection lost⁺ | Service Level | Transient | Internal | Crash | Hard | Software | https://www.nytimes.com/2019/12/02/well/live/Dexcom-G6-diabetes-monitor-outage.html | |
21 | 2019 | Spacecraft | Contract software with bug caused early communication query | Early state change depleted fuel | Comprehensive testing across supply chain deliverables* | Perception Level - Embedded Software | Transient | Internal | Timing | Soft | Software | https://www.nytimes.com/2020/02/07/science/boeing-starliner-nasa.html | https://www.nytimes.com/2019/12/20/science/boeing-starliner-launch.html |
22 | 2019 | Aircraft | Faulty sensor; lack of sensor redundancy; lack of updated system training | Catastrophic crashes | Create redundancy for critical systems⁺; training for updated systems* | Perception Level - Sensor/Actuator | Permanent | Internal | Crash | Hard | Software | https://www.nytimes.com/interactive/2019/business/boeing-737-crashes.html | https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html https://ieeexplore.ieee.org/document/9280967 |