(https://www.youtube.com/watch?v=C_PRhTXp6VQ)
A video that descibes a cyber attack on a critical infrastructure (sewage system) in Australia. This was an insider attack that focused on changing the configuration of the controlling SCADA system
(http://www.slideshare.net/sommerville-videos/maroochy-water-breach)
Transcript
- Maroochy SCADA attack, 2013 Slide 1Cybersecurity Case StudyMaroochy water breachhttp://www.slideshare.net/sommervi/cs5032-case-study-maroochy-water-breach
- Maroochy SCADA attack, 2013 Slide 2Maroochy ShireImage credit:http://www.hinterlandtourism.com.au/attractions/the-maroochy-river/
- Maroochy SCADA attack, 2013 Slide 3Maroochy shire sewage system• SCADA controlled system with 142 pumpingstations over 1157 sq km installed in 1999• In 2000, the area sewage system had 47unexpected faults causing extensive sewagespillage
- Maroochy SCADA attack, 2013 Slide 4SCADA setupTypical SCADA-controlled sewage systemThis is not the system that was attacked
- Maroochy SCADA attack, 2013 Slide 5SCADA sewage control• Special-purpose control computer at eachstation to control valves and alarms• Each system communicates with and iscontrolled by central control centre• Communications between pumping stationsand control centre by radio, rather than wirednetwork
- Maroochy SCADA attack, 2013 Slide 6What happenedMore than 1m litres of untreated sewage releasedinto waterways and local parks
- Maroochy SCADA attack, 2013 Slide 7Technical problems• Sewage pumps not operating when theyshould have been• Alarms failed to report problems to controlcentre• Communication difficulties between thecontrol centre and pumping stations
- Maroochy SCADA attack, 2013 Slide 8Insider attack• Vitek Boden worked for Hunter Watertech(system suppliers) with responsibility for theMaroochy system installation.• He left in 1999 after disagreements with thecompany.• He tried to get a job with local Council butwas refused.
- Maroochy SCADA attack, 2013 Slide 9Revenge!• Boden was angry and decided to takerevenge on both his previous employer andthe Council by launching attacks on theSCADA control systems– He hoped that Hunter Watertech would be blamedfor the failure• Insiders don’t have to work inside anorganisation!
- Maroochy SCADA attack, 2013 Slide 10What happened?Image credit:http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
- Maroochy SCADA attack, 2013 Slide 11How it happened• Boden stole a SCADA configuration programfrom his employers when he left and installedit on his own laptop• He also stole radio equipment and a controlcomputer that could be used to impersonate agenuine machine at a pumping station• Insecure radio links were used tocommunicate with pumping stations andchange their configurations
- Maroochy SCADA attack, 2013 Slide 12Incident timeline• Initially, the incidents were thought to havebeen caused by bugs in a newly installedsystem• However, analysis of communicationssuggested that the problems were beingcaused by deliberate interventions• Problems were always caused by a specificstation id
- Maroochy SCADA attack, 2013 Slide 13Actions taken• System was configured so that that id was notused so messages from there had to bemalicious• Boden as a disgruntled insider fell undersuspicion and put under surveillance• Boden’s car was stopped after an incidentand stolen hardware and radio systemdiscovered
- Maroochy SCADA attack, 2013 Slide 14Causes of the problems• Installed SCADA system was completelyinsecure– No security requirements in contract withcustomer• Procedures at Hunter Watertech wereinadequate to stop Boden stealing hardwareand software• Insecure radio links were used forcommunications
- Maroochy SCADA attack, 2013 Slide 15Causes of the problems• Lack of monitoring and logging madedetection more difficult• No staff training to recognise cyber attacks• No incident response plan in place atMaroochy Council
- Maroochy SCADA attack, 2013 Slide 16Aftermath• On October 31, 2001 Vitek Boden wasconvicted of:– 26 counts of willfully using a computer to causedamage– 1 count of causing serious environment harm• Jailed for 2 years
- Maroochy SCADA attack, 2013 Slide 17
More Resources:
(http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf)
(http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf)
Hacker jailed for revenge sewage attacks – Job rejection caused a bit of a stink
(http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/)
Classic Hacker Case: Maroochy
(http://www.isssource.com/classic-hacker-case-maroochy-shire/)
Published on 18 Oct 2013
Discusses a cyberwarfare case study – the Stuxnet worm which was used to attack Iran’s uranium processing facilities
- Cybersecurity Case Study STUXNET worm Stuxnet SCADA attack, 2013 Slide 1
- Stuxnet SCADA attack, 2013 Slide 2
- Cyber-warfare • The STUXNET worm is computer malware which is specifically designed to target industrial control systems for equipment made by Siemens. • These systems are used in Iran for uranium enrichment – • Enriched uranium is required to make a nuclear bomb The aim of the worm was to damage or destroy controlled equipment Stuxnet SCADA attack, 2013 Slide 3
- What is a worm? • Malware that can infect a computerbased system and autonomously spread to other systems without user intervention • Unlike a virus, no need for a carrier or any explicit user actions to spread the worm Stuxnet SCADA attack, 2013 Slide 4
- The target of the worm Stuxnet SCADA attack, 2013 Slide 5
- The STUXNET worm • Worm designed to affect SCADA systems and PLC controllers for uranium enrichment centrifuges • Very specific targeting – only aimed at Siemens controllers for this type of equipment • It can spread to but does not damage other control systems Stuxnet SCADA attack, 2013 Slide 6
- Stuxnet SCADA attack, 2013 Slide 7
- Worm actions • Takes over operation of the centrifuge from the SCADA controller • Sends control signals to PLCs managing the equipment • Causes the spin speed of the centrifuges to vary wildly, very quickly, causing extreme vibrations and consequent damage • Blocks signals and alarms to control centre from Stuxnet SCADA attack, 2013 local PLCs Slide 8
- Stuxnet penetration • Initially targets Windows systems used to configure the SCADA system • Uses four different vulnerabilities to affect systems – Three of these were previously unknown – So if it encounters some systems where some vulnerabilities have been fixed, it still has the potential to infect them. – Spread can’t be stopped by fixing a single vulnerability Stuxnet SCADA attack, 2013 Slide 9
- Stuxnet technology • Spreads to Siemens’ WinCC/PCS 7 SCADA control software and takes over configuration of the system. • Uses a vulnerability in the print system to spread from one machine to another • Uses peer-to-peer transfer – there is no need for systems to be connected to the Internet Stuxnet SCADA attack, 2013 Slide 10
- The myth of the air gap • Centrifuge control systems were not connected to the internet • Initial infection thought to be through infected USB drives taken into plant by unwitting system operators – Beware of freebies! Stuxnet SCADA attack, 2013 Slide 11
- Damage caused • It is thought that between 900 and 1000 centrifuges were destroyed by the actions of Stuxnet • This is about 10% of the total so, if the intention was to destroy all centrifuges, then it was not successful • Significant slowdown in nuclear enrichment programme because of (a) damage and (b) enrichment shutdown while the worms were cleared from equipment Stuxnet SCADA attack, 2013 Slide 12
- Unproven speculations • Because of the complexity of the worm, the number of possible vulnerabilities that are exploited, the access to expensive centrifuges and the very specific targeting, it has been suggested that this is an instance of cyberwar by nation states against Iran Stuxnet SCADA attack, 2013 Slide 13
- Stuxnet SCADA attack, 2013 Slide 14
- Unproven speculations • Because Stuxnet did not only affect computers in nuclear facilities but spread beyond them by transfers of infected PCs, a mistake was made in its development • There was no intention for the worm to spread beyond Iran • Other countries with serious infections include India, Indonesia and Azerbaijhan Stuxnet SCADA attack, 2013 Slide 15
- Unproven speculations • The Stuxnet worm is a multipurpose worm and there are a range of versions with different functionality in the wild • These use the same vulnerabilities to infect systems but they behave in different ways Stuxnet SCADA attack, 2013 Slide 16
- One called Duqu has significantly affected computers, especially in Iran. This does not damage equipment but logs keystrokes and sends confidential information to outside servers. Stuxnet SCADA attack, 2013 Slide 17
- Summary 2013, Slide 18
- Stuxnet worm is an early instance of cyberwarfare where SCADA controllers were targeted
- Intended to disrupt Iran’s uranium enrichment capability by varying rotation speeds to damage centrifuges
- Used a range of vulnerabilities to infect systems Stuxnet SCADA attack
- Cybersecurity Case Study STUXNET wormMaroochy SCADA attack, 2013 Slide 1
- Cyber-warfare • The STUXNET worm is computer malware which is specifically designed to target industrial controllers made by Siemens • These controllers are used in Iran in uranium enrichment equipment • Thought to be an instance of cyber- warfareMaroochy SCADA attack, 2013 Slide 2
- The STUXNET worm • Worm designed to affect SCADA systems and PLC controllers • Identified in 2010 • Very specific targeting – Siemens controllers controlling specific processes and equipment • Spreads to but does not damage otherMaroochy SCADA attack, 2013 systems Slide 3
- Worm actions • Takes over operation of the centrifuge from controller • Blocks signals and alarms to control centre • Causes the spin speed of the centrifuges to vary wildly, causing them to damage themselvesMaroochy SCADA attack, 2013 Slide 4
- Stuxnet technology • Uses a number of different vulnerabilities to affect systems • Initially targets Windows systems used to configure the SCADA system • Initial infection thought to be through infected USB drives taken into plant by unwitting controllers • Spreads by peer to peer transfer – no need for Internet connection • Spreads to Siemens WinCC/PCS 7 SCADA control software and takes over configuration of the systemMaroochy SCADA attack, 2013 Slide 5
- Damage caused • It is thought that between 900 and 1000 centrifuges were destroyed by the actions of Stuxnet • This is about 10% of the total so, if the intention was to destroy all centrifuges, then it was not successful • Significant slowdown in nuclear enrichment programme because of (a) damage and (b) more significantly, enrichment shutdown while the worms were cleared from equipmentMaroochy SCADA attack, 2013 Slide 6
- Unproven speculations • Because of the complexity of the worm, the number of possible vulnerabilities that are exploited and the very specific targeting, it has been suggested that this is an instance of cyberwar against Iran • It has been suggested that the developers of the worm were the secret services of the USA and IsraelMaroochy SCADA attack, 2013 Slide 7
- Unproven speculations • Because Stuxnet did not only affect computers in nuclear facilities but spread beyond them by transfers of infected PCs, a mistake was made in its development • There was no intention for the worm to spread beyond Iran • Other countries with serious infections include India, Indonesia and AzerbiajhanMaroochy SCADA attack, 2013 Slide 8
- Unproven speculations • The Stuxnet worm is a multipurpose worm and there are a range of versions with different functionality in the wild • One called Duqu has significantly affected computers, especially in Iran. This does not damage equipment but logs keystrokes and sends confidential information to outside servers.Maroochy SCADA attack, 2013 Slide 9
- Aftermath • We don’t know what will happen next • Possible further cyber attacks on Iran’s nuclear infrastructure • Possible retaliatory cyber-actions from Iran against the US and Israel • Escalation of cyber-warfareMaroochy SCADA attack, 2013 Slide 10
More Resources:
Kushner, D. (2013) The Real Story of Stuxnet – How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program
(http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet)
This article is an accessible description of the Stuxnet worm that attacked nuclear processing facilities in Iran.
(https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/)
Airbus 330/340 flight control system – software and hardware redundancy
Explains how redundancy and diversity is used in the flight control system of Airbus aircraft to ensure reliability and availability.
(https://www.youtube.com/watch?v=EOexjozpBdI)
(http://www.slideshare.net/sommerville-videos/airbus-fcs)
The Ariane 5 Launcher Failure Case Study (Doc 13KB)
(https://www.youtube.com/watch?v=W3YJeoYgozw)
Explains why a software failure on the first launch of the Ariane 5 rocket was responsible for the failure and complete destruction of the rocket and its payload.
YouTube Video – Ariane 5 Rocket First Launch Failure – A video of the take-off and explosion after 37 seconds – Longer video of ‘Ariane 5’ Rocket first launch failure/explosion
(https://www.youtube.com/watch?v=gp_D8r-2hwk)
People have uploaded shorter copies, but here’s a longer copy of the Ariane 5 rocket’s ill-fated first launch, which ended in explosion back in 1996. Now a quite reliable rocket, the failure was caused by a “software bug”. As it was an unmanned flight, there were no victims, but it was an expensive blunder, destroying the scientific “Cluster” spacecraft, which luckily managed to get the funding be re-built for a later mission. In this video, you see the engine starting, the countdown announcer, most of the launch, the rocket’s failure, and people watching debris falling from the sky.
- The Ariane 5 Launcher Failure Ian Sommerville Ariane launcher failure, Case study, 2013 Slide 1
- June 4th 1996 Total failure of the Ariane 5 launcher on its maiden flight Ariane launcher failure, Case study, 2013 Slide 2
- Ariane 5 • A European rocket designed to launch commercial payloads (e.g.communications satellites, etc.) into Earth orbit • Successor to the successful Ariane 4 launchers Ariane launcher failure, Case study, 2013 Slide 3
- Ariane launcher failure, Case study, 2013 Slide 4
- Ariane 5 can carry a heavier payload than Ariane 4 • Now the standard launch vehicle for the European Space Agency Ariane launcher failure, Case study, 2013 Slide 5
- Ariane launcher failure, Case study, 2013 Slide 6
- Launcher failure • First test launch of Ariane 5 in June 1996 • Appoximately 37 seconds after a successful lift-off, the Ariane 5 launcher lost control Ariane launcher failure, Case study, 2013 Slide 7
- Ariane launcher failure, Case study, 2013 Slide 8
- Incorrect control signals were sent to the engines and these swivelled so that unsustainable stresses were imposed on the rocket • The vehicle started to break up because of the stresses imposed and selfdestructed Ariane launcher failure, Case study, 2013 Slide 9
- The problem • The attitude and trajectory of the rocket are measured by a computer-based inertial reference system. • The IRS transmits commands to the engines to maintain attitude (the angle to the vertical) and direction Ariane launcher failure, Case study, 2013 Slide 10
- The system failure was a direct result of a software failure. • However, it was symptomatic of a more general systems validation failure Ariane launcher failure, Case study, 2013 Slide 11
- Sensors IRS 1 IRS 2 Instructions to engine control system Ariane launcher failure, Case study, 2013 Slide 12
- The IRS had both a primary and a backup computer • The backup computer was included to cope with hardware failure but both the primary and the backup system ran the same software. Ariane launcher failure, Case study, 2013 Slide 13
- The IRS software in both the primary and the backup computer shut itself down 37 seconds after take-off • Diagnostic data about the shutdown was sent to the engine control system • This system did not expect such data and interpreted these as real data • The values were such that the system swivelled the rocket engines to an extreme position Ariane launcher failure, Case study, 2013 Slide 14
- Software failure • Software failure occurred when an attempt to convert a 64-bit floating point number representing the horizontal velocity to a signed 16-bit integer caused the number to overflow (become too big). Ariane launcher failure, Case study, 2013 Slide 15
- 0 111111111111111 Sign Ariane launcher failure, Case study, 2013 16-bit integer Max value (32768) Slide 16
- There was no exception handler associated with the conversion so the system exception management facilities were invoked. These shut down the software controlling the IRS. • Redundant but not diverse software • The backup software was a copy and behaved in exactly the same way i.e. the number overflowed and the system was shut down Ariane launcher failure, Case study, 2013 Slide 17
- Avoidable failure? • The software that failed was reused from the Ariane 4 launch vehicle. The computation that resulted in overflow was not used by Ariane 5. • The calculations had been transferred to a ground-based system in Ariane 5 Ariane launcher failure, Case study, 2013 Slide 18
- Implementation decisions • Decisions were made – Not to remove the facility as this could introduce new faults – Not to test for overflow exceptions because the processor was heavily loaded. – For dependability reasons, it was thought desirable to have some spare processor capacity Ariane launcher failure, Case study, 2013 Slide 19
- Why not Ariane 4? • The physical characteristics of Ariane 4 (A smaller vehicle) are such that it has a lower initial acceleration and build up of horizontal velocity than Ariane 5 • The value of the variable on Ariane 4 could never reach a level that caused overflow during the launch period. • This calculation had been carried out during the development of Ariane 4 and it was therefore decided that no overflow check was required Ariane launcher failure, Case study, 2013 Slide 20
- Validation failure • As the facility that failed was not required for Ariane 5, there was no requirement associated with it. • As there was no associated requirement, there were no tests of that part of the software and hence no possibility of discovering the problem. Ariane launcher failure, Case study, 2013 Slide 21
- Simulator-based testing • During system testing, simulators of the inertial reference system computers were used. • These did not generate the error as there was no requirement for the unused code to be included in the simulator Ariane launcher failure, Case study, 2013 Slide 22
- Review failure • Review failures? • The inertial reference system software was not reviewed because it had been used in a previous version • The review failed to expose the problem or that the test coverage would not reveal the problem • The review failed to appreciate the consequences of system shutdown during a launch Ariane launcher failure, Case study, 2013 Slide 23
- Ariane launcher failure, Case study, 2013 Slide 24
- Lessons learned • Don’t run software in critical systems unless it is actually needed • As well as testing for what the system should do, you may also have to test for what the system should not do • Do not have a default exception handling response which is system shut-down in systems that have no fail-safe state Ariane launcher failure, Case study, 2013 Slide 25
- Lessons learned • In critical computations, always return best effort values even if the absolutely correct values cannot be computed • Wherever possible, use real equipment and not simulations • Improve the review process to include external participants and review all assumptions made in the code Ariane launcher failure, Case study, 2013 Slide 26
(http://www.rvs.uni-bielefeld.de/publications/Reports/ariane.html)
(http://sunnyday.mit.edu/accidents/Ariane5accidentreport.html)
(https://www.youtube.com/watch?v=wzoxek74RTs)
Explains how the software controlling the braking system on an Airbus was a causal factpr in an accident when the plane ran into banking at the end of the runway.
YouTube Video –
Transcript
- Warsaw airbus accident 1993 Ian Sommerville Warsaw aircraft accident, 1993 Slide 1
- 2. What happened • A Lufthansa Airbus on a flight from Frankfurt landed at Warsaw Airport in bad weather (rain and strong winds) • On landing, the aircraft’s software controlled braking system did not deploy when activated by the flight crew and it was about 9 seconds before the braking system activated Warsaw aircraft accident, 1993 Slide 2
- 3. • There was insufficient runway remaining to stop the plane and the aircraft ran into a glass embankment • Two people were killed and 54 injured Warsaw aircraft accident, 1993 Slide 3
- 4. Causes of the accident • As with most accidents, there were multiple factors that contributed to this accident. The three main contributory causes were: – The aircraft pilots were given outdated information on the wind speed and direction by the landing controllers – The aircrew failed to notice that the on-board information about the wind direction was inconsistent with that provided by the controllers Warsaw aircraft accident, 1993 and that their approach speed was higher than Slide 4
- 5. • The aircraft braking control software specification had failed to take into account the landing conditions encountered Warsaw aircraft accident, 1993 Slide 5
- 6. Focus on software • The braking control system on the Airbus behaved exactly as specified • There were no bugs or errors in the software • This is an example of a situation of where a reliable software system was unsafe Warsaw aircraft accident, 1993 Slide 6
- Aircraft braking • Aircraft braking depends on deployment of spoilers which are flaps on the wings that are deployed to slow down the plane • It also makes use of ‘reverse thrust’ which means that the engines are run ‘backwards’ so that their effect is to Warsaw aircraft accident, 1993 Slide 7
- It is critical to the safety of the flight that neither the spoilers nor the reverse thrust is deployed while the plane is in the air • Therefore, the braking system software includes checks to ensure that the plane has landed before the braking system is deployed Warsaw aircraft accident, 1993 Slide 8
- Weight on wheels • The landing gear includes sensors that can detect if the wheel struts are compressed i.e. that there is weight on the wheels. • The software specification was that landing could be recognised if there was weight on both wheels Warsaw aircraft accident, 1993 Slide 9
- Wheel rotation • Each wheel included sensors that checked whether the wheel was rotating or not. • The software specification was that the aircraft had landed if the speed of wheel rotation was greater than 72 knots Warsaw aircraft accident, 1993 Slide 10
- The braking system could be deployed if either of these conditions were true • This was checked by the braking system control software Warsaw aircraft accident, 1993 Slide 11
- The software specification did not anticipate a situation where neither of these conditions would hold during landing IF weight-on-both-wheels OR (left-wheel-turning OR right-wheel-turning) THEN braking-system-deployment := permitted Warsaw aircraft accident, 1993 Slide 12
- In this case, because of the weather conditions, the plane landed at an angle so that one wheel touched the runway first • The runway was wet and that wheel ‘acquaplaned’ so skidded along the runway without turning Warsaw aircraft accident, 1993 Slide 13
- What went wrong? • The pilots were told that there was a crosswind across the runway • Standard procedure for a crosswind landing to bank the aircraft so that initial touchdown is on one wheel and the crosswind then acts on the wing to push the other wheel onto the runway Warsaw aircraft accident, 1993 Slide 14
- However, in this case, the wind had changed direction so that it was a tailwind rather than a crosswind • This meant that the landing speed was higher than normal and there was no need for a single wheel touchdown This was not noticed by the pilots and the higher speed was a contributory factor to the accident Warsaw aircraft accident, 1993 Slide 15
- Warsaw aircraft accident, 1993 Slide 16
- Warsaw aircraft accident, 1993 Slide 17
- The Warsaw Airbus landed on one wheel but there was no crosswind to push down the other wheel so, for 9 seconds, the plane was landing on a single wheel • Because there was only weight on a single wheel, the on-ground condition of weight on both wheels in the braking system did not hold Warsaw aircraft accident, 1993 Slide 18
- Acquaplaning Warsaw aircraft accident, 1993 Slide 19
- The single wheel on the ground was acquaplaning rather than turning so the condition that one or both wheels should be rotating at more than 72 knots did not hold • After about 9 seconds, the 2nd wheel made contact with the runway and the braking system deployed • But it was too late to stop the aircraft and the accident occurred Warsaw aircraft accident, 1993 Slide 20
- Warsaw aircraft accident, 1993 Slide 21
- Conclusions • In practice, it is impossible to make any system completely safe • It is impossible for system designers to anticipate every possible condition and they have to make assumptions such as the pilots being given correct wind information • No blame in this case was associated with the software but it was modified to take this particular situation into account should it happen again Warsaw aircraft accident, 1993 Slide 22
Main Commission Aircraft Accident Investigation Warsaw (1994) Report on the Accident to Airbus A320-211 Aircraft in Warsaw on 14 September 1993
(http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/Warsaw/warsaw-report.html)
The enquiry report after the accident that sets out the (complex) causes of the accident and discusses how the software behaviour was a contributory factor to this.
Kegworth Air Crash, 1989
This was an air accident that illustrates the complexity of system failure.
Kegworth air disaster
(https://en.wikipedia.org/wiki/Kegworth_air_disaster)
The Kegworth air disaster occurred when a Boeing 737-400 crashed on to the embankment of the M1 motorway near Kegworth, Leicestershire, England, while attempting to make an emergency landing at East Midlands Airport on 8 January 1989.
British Midland Flight 92 was on a scheduled flight from London Heathrow Airport to Belfast Airport, when a fan-blade broke in the left engine, disrupting the air-conditioning and filling the flight-deck with smoke. The pilots believed that this indicated a fault in the right engine, since earlier models of the 737 ventilated the flight-deck from the right, and they were unaware that the 400 used a different system. The crew mistakenly shut down the good engine, and pumped more fuel into the malfunctioning one, which burst into flames. Of the 126 people aboard, 47 died and 74 sustained serious injuries.
The inquiry attributed the blade fracture to metal fatigue, caused by heavy vibration in the newly upgraded engines, which had only been tested in the laboratory and not under representative flight conditions.
Presentation Slides –
(http://www.slideshare.net/sommervi/cs5032-case-study-kegworth-air-disaster)
Transcript
London Ambulance Service Computer Aided Dispatch (LASCAD) Failure
The London Ambulance Service introduced a new computer-aided despatch system in 1992 which was intended to automate the system that despatched ambulances in response to calls from the public and the emergency services. This new system was extremely inefficient and ambulance response times increased markedly. Shortly after its introduction, it failed completely and LAS reverted to the previous manual system. The systems failure was not just due to technical issues but to a failure to consider human and organisational factors in the design of the system.
This case study can be used in a discussion of human factors as an illustration of how procurement, human and organisational issues can be major contributors to system failure.
Download Failure of LASCAD PowerPoint Presentation (PPT 432KB)
Download LASCAD Failure PowerPoint Presentation – Sommerville (PPT KB)
An overview of the Case Study
Download LASCAD Case Study (Word 30KB)
Download London Ambulance System Disaster Case Study (Word 86KB)
Download LASCAD Project Management Presentation (PDF KB)
London Ambulance Service
(https://en.wikipedia.org/wiki/London_Ambulance_Service)
A report of the official enquiry into the system failure
Finkelstein, A. and Dowell, J. () A Comedy of Errors: the London Ambulance Service case study
(http://www0.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf)
Download “A Comedy of Errors: the London Ambulance Service case study” (PDF 23KB)
Overview of the LASCAD report
Beynon-Davies, P. (1995) Information systems ‘failure’: the case of the London Ambulance Service’s Computer Aided Despatch project, European Journal of Information Systems, Vol. 4 pp.171-184
London Ambulance Service Computer Aided Dispatch (LASCAD) Failure – An analysis of the failure of the London Ambulance Service Computer Aided Dispatch system
(http://www.savive.com/casestudy/londonambulance.html)
CAD Failure LAS. 1992
(http://www.lond.ambulance.freeuk.com/cad.html)
Oct. 26, 1992: Software Glitch Cripples Ambulance Service
(https://www.wired.com/2009/10/1026london-ambulance-computer-meltdown/)
The 1992 London Ambulance Service Computer Aided Dispatch System Failure
(http://erichmusick.com/writings/technology/1992-london-ambulance-cad-failure.html)
London Ambulance Service computer fails again
(http://catless.ncl.ac.uk/Risks/14.02.html#subj9.1)
Ambulance Dispatch System
(http://catless.ncl.ac.uk/Risks/17.39.html#subj1)
London Ambulance Service Inquiry Report (long)
(http://catless.ncl.ac.uk/Risks/14.48.html#subj3)
London Ambulance Service
(http://catless.ncl.ac.uk/Risks/13.88.html#subj1)
Failure of London Ambulance despatch system
(http://catless.ncl.ac.uk/Risks/13.89.html#subj7)