An unnamed US gas pipeline operator has falled victim to ransomware, which managed to encrypt data both on its IT (information technology) and operational technology (OT) networks and led to a shutdown of the affected natural gas compression facility, the Cybersecurity and Infrastructure Security Agency (CISA) has revealed.
“At no time did the threat actor obtain the ability to control or manipulate operations,” CISA’s advisory noted.
“Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.”
The attackers started by sending a spearphishing email containing a malicious link. Whether that link lead to malware or a phishing page is unknown, but it allowed the attackers to gain access to the target facility’s IT network.
Next, they pivoted to the OT network, and deployed “commodity ransomware” on both networks. It affected human machine interfaces (HMIs), data historians, and polling servers, making it impossible to read and aggregate real-time operational data reported from low-level OT devices and, consequently, resulted in a partial loss of view for human operators.
Programmable logic controllers (PLCs), which read and manipulate physical processes at the facility, were now affected because the ransomware was only capable to affect Windows-based systems.
The attack was successful because the facility IT/security operators failed to implement robust segmentation between the IT and OT networks, and the extent and length of the shutdown was partly because the operator’s emergency response plan did not take into consideration the risk posed by cyberattacks.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” the agency pointed out. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
The ransomware used in the attack has not been named, so we don’t know whether it’s EKANS, the recently uncovered ransomware that’s able of stopping a number of processes related to industrial control system operations.
CISA advised asset owner operators across all sectors to learn from these mistakes and implement a number of planning, operational, technical and architectural mitigations to prevent becoming the next victim.
Among these are:
- Robust network segmentation between IT and OT networks
- Use of multi-factor authentication for remote access to the networks
- A better organization of access rights
- Conducting regular scans of IT network assets with AV programs
- Limiting access to resources over the network
- The implementation of application whitelisting
- The integration of cybersecurity into the organization’s safety training program
- Ensuring the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, and more.
The Transportation Security Administration (TSA) – an agency of the US Department of Homeland Security (DHS) – is tasked with developing broad policies to protect US pipelines, and offers resources and assessments (along with CISA) to help pipeline operators enhance their cybersecurity posture – though there have been calls for an increased mandatory oversight of cybersecurity for gas pipelines and for transferring the oversight responsibility for gas pipelines from the TSA to the US Department of Energy (DOE).