Industrial Cyber Attacks
Mining, Oil & Gas

Ransomware attack hits U.S. gas pipeline

February 18, 2020
Ransomware attack hits U.S. gas pipeline

On February 18, the U.S. Department of Homeland Security announced that a natural gas compression facility had been hit by a ransomware attack.

According to DHS’ Cybersecurity and Infrastructure Security Agency, the cyber attack impacted control and communication assets on the pipeline operator’s operational technology network. The hacker reportedly used a spear phishing link to gain access to the organization’s information technology network and then moved on to the OT network.

Once the hacker had infiltrated the OT network, they deployed ransomware on both networks.  This resulted in several disruptions to systems on the OT network, including human machine interfaces, data historians, and polling servers. These assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices.

While the ransomware attack did not cause the pipeline operator to lose control of the operation at any time, the organization shut down for two days. According to CISA, this resulted in a loss of productivity and revenue.

“The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks,” CISA wrote in an alert. “The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks…Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility.”

According to the agency, the targeted pipeline operator said they failed  to adequately incorporate cybersecurity into their emergency response planning because of gaps in their cybersecurity knowledge and a lack of understanding about the wide range of possible scenarios that could occur.

“Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks,” CISA writes. “Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.”

CISA is encouraging all asset owner operators across all critical infrastructure sectors to review the threat actor techniques used in the recent ransomware attack to ensure the corresponding mitigations are applied.

“CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks,” CISA wrote in the alert.

The alert contains a number of mitigations operators can pursue on the planning, operational, technical and architectural side. Operators are advised to, “ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.”

According to CISA, operators should also identify single points of failure for operational visibility, and develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised. Operators are also urged to recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into their safety training programs.

In it’s alert, CISA references the MITRE ATT&CK resource, which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The resource provides information on mitigation techniques operators can use to protect themselves. Specifically, CISA recommends operators implement network segmentation, multi-factor authentication, account use policies, execution prevention, and more.

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
The Takepoint Research report indicates a significant shift towards adopting the Zero Trust model in OT, with 72% of professionals integrating it to boost security and efficiency. It highlights secure remote access as a key application, aligning with goals to reduce risk and enhance operations. Moreover, it points out the need for collaborative efforts across organizational roles to implement Zero Trust effectively, aiming to improve productivity and security.
Xage-Takepoint Research report reveals growing adoption of zero trust security in industrial enterprises
Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure
Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure
New MITRE Engage mappings released for ATT&CK for ICS, ATT&CK for Mobile
New MITRE Engage mappings released for ATT&CK for ICS, ATT&CK for Mobile
Growing need to implement effective post-incident recovery strategies in evolving OT, ICS environments
Growing need to implement effective post-incident recovery strategies in evolving OT, ICS environments
CISA’s JCDC initiative launches 2023 Pipelines Cyber Defense Planning Effort to safeguard ONG sector
CISA’s JCDC initiative launches 2023 Pipelines Cyber Defense Planning Effort to safeguard ONG sector
EclecticIQ details Operation FlightNight targeting Indian government entities, energy sector
EclecticIQ details Operation FlightNight targeting Indian government entities, energy sector