On February 18, the U.S. Department of Homeland Security announced that a natural gas compression facility had been hit by a ransomware attack.
According to DHS’ Cybersecurity and Infrastructure Security Agency, the cyber attack impacted control and communication assets on the pipeline operator’s operational technology network. The hacker reportedly used a spear phishing link to gain access to the organization’s information technology network and then moved on to the OT network.
Once the hacker had infiltrated the OT network, they deployed ransomware on both networks. This resulted in several disruptions to systems on the OT network, including human machine interfaces, data historians, and polling servers. These assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices.
While the ransomware attack did not cause the pipeline operator to lose control of the operation at any time, the organization shut down for two days. According to CISA, this resulted in a loss of productivity and revenue.
“The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks,” CISA wrote in an alert. “The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks…Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility.”
According to the agency, the targeted pipeline operator said they failed to adequately incorporate cybersecurity into their emergency response planning because of gaps in their cybersecurity knowledge and a lack of understanding about the wide range of possible scenarios that could occur.
“Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks,” CISA writes. “Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.”
CISA is encouraging all asset owner operators across all critical infrastructure sectors to review the threat actor techniques used in the recent ransomware attack to ensure the corresponding mitigations are applied.
“CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks,” CISA wrote in the alert.
The alert contains a number of mitigations operators can pursue on the planning, operational, technical and architectural side. Operators are advised to “ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.”
According to CISA, operators should also identify single points of failure for operational visibility, and develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised. Operators are also urged to recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into their safety training programs.
In its alert, CISA references the MITRE ATT&CK resource, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The resource provides information on mitigations operators can use to protect themselves. Specifically, CISA recommends operators implement network segmentation, multi-factor authentication, account use policies, execution prevention, and more.
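The segmentation failure CISA describes (an adversary traversing the IT-OT boundary) is something an operator can audit continuously from its own flow records. The following is an added example, not code from the CISA alert or from the affected operator: it parses a small set of constructed flow records, flags every IT-to-OT crossing that is not on an explicit allow-list, and summarises which IT hosts are responsible. The address ranges, the jump host at 10.10.100.5, the allow-list entries and the sample flows are all assumptions made for illustration.

```python
"""Audit IT-to-OT network flows against a segmentation allow-list.

Added example (not from the CISA alert). The address plan, allow-list
and flow records below are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical address plan: corporate IT in 10.10/16, OT in 10.50/16.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Assumed policy: the only permitted IT->OT flows are from a hardened
# jump host (10.10.100.5) to two engineering workstations over RDP.
# Everything else crossing the boundary is a segmentation violation.
ALLOWED_CROSSINGS = {
    ("10.10.100.5", "10.50.10.20", 3389),
    ("10.10.100.5", "10.50.10.21", 3389),
}


@dataclass(frozen=True)
class Flow:
    """One flow record: timestamp, source, destination, dest port, protocol."""
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a whitespace-separated record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)


def crosses_boundary(flow: Flow) -> bool:
    """True when the flow originates in IT and terminates in OT."""
    return flow.src in IT_NET and flow.dst in OT_NET


def is_allowed(flow: Flow) -> bool:
    """True when the crossing matches an allow-list tuple exactly."""
    return (str(flow.src), str(flow.dst), flow.dport) in ALLOWED_CROSSINGS


def audit_flows(lines: Iterable[str]) -> List[Flow]:
    """Return every IT->OT flow that the segmentation policy does not permit."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        flow = parse_flow(line)
        if crosses_boundary(flow) and not is_allowed(flow):
            violations.append(flow)
    return violations


def offenders(violations: Iterable[Flow]) -> Dict[str, int]:
    """Count violations per IT source host so one noisy host stands out."""
    return dict(Counter(str(v.src) for v in violations))


# Constructed sample: one allowed jump-host session, three unexpected
# crossings from a single IT workstation, plus IT-internal and OT-internal
# traffic that never touches the boundary.
SAMPLE_FLOWS = """
# ts                   src           dst           dport proto
2020-02-01T09:58:02Z   10.10.100.5   10.50.10.20   3389  tcp
2020-02-01T10:01:13Z   10.10.5.23    10.50.2.40    445   tcp
2020-02-01T10:01:14Z   10.10.5.23    10.50.2.41    445   tcp
2020-02-01T10:01:15Z   10.10.5.23    10.50.2.42    3389  tcp
2020-02-01T10:02:00Z   10.10.7.9     10.10.8.12    445   tcp
2020-02-01T10:03:30Z   10.50.2.40    10.50.3.1     502   tcp
"""

if __name__ == "__main__":
    found = audit_flows(SAMPLE_FLOWS.splitlines())
    for v in found:
        print(f"VIOLATION {v.ts} {v.src} -> {v.dst}:{v.dport}/{v.proto}")
    print("per-host counts:", offenders(found))
```

The allow-list is deliberately exact (source, destination, port) rather than subnet-wide: a segmentation policy that permits “anything from IT to the OT DMZ” would not have flagged the traversal CISA describes. Run against real flow exports, the per-host count is the first thing to look at, since a single IT workstation suddenly reaching many OT hosts on file-sharing or remote-access ports is exactly the boundary crossing the alert warns about.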