Ransomware Attack Hit US Natural Gas FacilityCISA Alert: Incident Led to Two-Day Shutdown
A ransomware attack on a U.S. natural gas compression facility led to a two-day shutdown of operations, according to an alert from the Cybersecurity and Infrastructure Security Agency.
Attackers used a spear-phishing technique to gain access to the facility's information technology network and then pivoted to the operational technology network, according to the alert, which did not identify the facility. From there, attackers planted what the agency called "commodity ransomware" within both networks that encrypted data throughout the facility.
CISA, the division within the U.S. Department of Homeland Security that’s responsible for securing critical infrastructure, says the ransomware incident affected the control and communication assets within the facility’s OT network.
The CISA alert notes that the company implemented a two-day “deliberate and controlled shutdown” of operations, after which systems were restored. But it did not offer details about when the attack happened, what strain of ransomware was involved or whether a ransom was paid.
Energy Sector Attacks
Attackers are increasingly targeting critical infrastructure in the energy and oil and gas sectors, according to security analysts.
On Feb. 3, security firm Dragos released research about a new type of ransomware called Ekans or Snake, which appears to have been designed to target the types of OT networks used by these types of companies. No confirmed attacks associated with this ransomware have been found yet, but there are samples of the malware in the wild, according to the report (see: New Ransomware Targets Industrial Controls: Report).
Earlier this month, the U.S. National Counterintelligence and Security Center identified the protection of critical infrastructure, including the energy sector, as one of the top priorities for 2020 (see: US Counterintelligence Outlines 5 Key Priorities)
In 2018, at least five natural gas pipeline operators, including Energy Transfer Partners and TransCanada, reported that their third-party electronic communications systems had been shut down due to a security incident, Bloomberg reported.
Lack of a Plan
CISA says it issued an alert about the ransomware attack to warn other businesses about such attacks and offer some defensive and mitigation best practices. The report notes that the target of the attack did not have an adequate plan that addressed these types of cyberthreats.
"The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," according to CISA.
Fabian Wosar, the CTO of security company Emsisoft, notes that ransomware updates from CISA and other government agencies are useful reminders.
"The U.S. government has issued a number of alerts recently, including alerts related to Maze, LockerGoga and MegaCortex and a Marine Safety Information Bulletin related to Ryuk," Wosar tells Information Security Media Group. "This is obviously a very good thing. If organizations are made aware of threats, they can take steps to minimize their risks."
In its advisory, CISA notes that all organizations should have an emergency response plan that considers all the potential impacts of an attack. They also should train employees to deal with different scenarios. The agency also suggests greater segmentation of IT and OT networks and elimination of unregulated communications between the two networks, which can keep ransomware from spreading.
The report also advises firms to create fail-over systems to allow for the use of manual controls to help with communication. "Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised," the report states.
CISA also recommends the use of multifactor authentication, regular back-ups and software updates, strong spam filters and application whitelisting. The U.S. National Institute of Standards and Technology recently unveiled similar guidelines for mitigating and containing ransomware attacks (see: NIST Drafts Guidelines for Coping With Ransomware)
Impact of Attack
In the ransomware attack that CISA described, the agency noted that malware affected the "human machine interfaces, data historians and polling servers," of the natural gas compression facility, which meant the operators lost the ability to read real-time data from OT devices, according to the report.
In addition, Windows-based devices within both the IT and OT networks were compromised. But because the attack was limited to Windows devices, there was no impact on programmable logic controllers that are used to read and manipulate physical data within the OT operations, the report states.
Managing Editor Scott Ferguson contributed to this report.