U.S. Government Issues Powerful Cyberattack Warning As Gas Pipeline Forced Into Two Day Shut Down
A major cyberattack has hit a gas compression facility, forcing it to shut down for two days as it struggled to recover, according to an alert from the U.S. government.
The Cybersecurity and Infrastructure Security Agency (CISA) said it had responded to the ransomware attack on a natural gas facility, but it did not reveal when the incident took place or the identity of the victim organization.
The attack happened because the adversary was able to hop from the gas compression facility’s IT network onto the operational technology (OT) network when an employee mistakenly clicked on a malicious email link.
Once in, the attacker deployed ransomware, data-encrypting malware, on both networks.
What is operational technology?
Defined by analyst Gartner as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise,” OT is often found in industrial control systems such as supervisory control and data acquisition (SCADA) systems.
These systems are used to power so-called critical national infrastructure (CNI) organizations such as power stations and electrical grids.
A “deliberate and controlled shutdown”: How the ransomware attack impacted the gas compression facility
The impact of the attack on the gas compression facility was significant: Loss of availability occurred on human machine interfaces (HMIs), data historians, and polling servers.
“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial loss of view for human operators,” according to the CISA alert.
However, the attack was limited to Windows-based systems, so it did not impact any programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes, and “at no point did the victim lose control of operations,” CISA said.
But crucially, the victim’s emergency response plan did not specifically consider cyberattacks. “The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents,” the CISA alert reads.
“Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures.”
These included a four-hour transition from operational to shutdown mode combined with increased physical security.
The CISA alert describes how the gas compression facility decided to implement a “deliberate and controlled shutdown” to operations, lasting approximately two days.
But the attack also had a knock-on effect. While the direct operational impact of the cyber-assault was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline for the two days.
Failure to segment IT and OT networks: A massive mistake
The cyberattack took place because the gas compression facility had failed to segment its IT and OT networks, allowing the attacker to hop from one to another. This is a critical factor, says Ian Thornton-Trump, CISO at Cyjax.
“Access into the OT environment needs to be highly protected. The technology exists, data diodes, which allow network telemetry and communications out to the monitoring system but not back in, protecting the OT infrastructure.”
Even so, the impact of the attack could have been a lot worse, says Thornton-Trump. “It’s good news that the damage was limited to availability and payloads did not target PLCs. Manipulation of those components could have had catastrophic consequences.”
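As an added illustration of the IT/OT segmentation Thornton-Trump describes (this is not the facility's configuration and is not taken from the CISA alert), the following nftables ruleset for a boundary firewall between an IT zone and an OT zone places the flat, unsegmented setting beside a corrected policy that lets telemetry flow out of OT but never lets IT open a connection in. Interface names, subnets, host addresses and the telemetry port are assumptions.

```nftables
# Added example: boundary firewall between IT (eth0) and OT (eth1).
# All names, addresses and ports below are assumed for illustration.
define IT_NET    = 10.10.0.0/16        # corporate IT: email, workstations
define OT_NET    = 192.168.100.0/24    # control network: HMIs, historians, PLCs
define HISTORIAN = 192.168.100.20      # OT data historian that pushes data out
define MONITOR   = 10.10.5.50          # IT-side monitoring collector

table inet it_ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # WEAK: the unsegmented situation described in the alert. With this
        # single rule enabled, any IT host, including one that has just run a
        # phishing payload, can reach every OT asset directly.
        # iifname "eth0" oifname "eth1" ip saddr $IT_NET ip daddr $OT_NET accept

        # CORRECTED: replies to flows that OT itself started are allowed back;
        # nothing in IT can start a new connection into OT (policy drop above).
        ct state established,related accept
        ct state invalid drop

        # One-way telemetry: only the historian may open a connection, only to
        # the collector, only on the assumed TLS syslog port.
        iifname "eth1" oifname "eth0" ip saddr $HISTORIAN ip daddr $MONITOR tcp dport 6514 ct state new accept

        # Every other attempt from IT toward OT is dropped and logged, which
        # gives the SOC a detection signal for lateral movement into OT.
        iifname "eth0" oifname "eth1" log prefix "IT->OT blocked: " drop
    }
}
```

A stateful firewall like this narrows the path between the zones but is not a data diode: a physical diode removes the return channel entirely, which is the stronger control the quote refers to.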
Critical national infrastructure: A major cyberattack risk
As nation state actors eye the damage that can be done by an attack on CNI, the risk of a cyber-assault on SCADA-based systems continues to grow. Perhaps the most famous attack on a SCADA-based system was Stuxnet, which ravaged an Iranian nuclear facility back in 2010. More recently, attacks have hit Saudi oil companies as cyber warfare rages on.
Cyberattacks such as these on industries including oil and gas are increasingly common as adversaries look to disrupt operations. The risk is amplified by the fact that systems were often built many years ago and were never intended to be connected to the internet.
“With each system that is connected, the attack surface increases,” says Javvad Malik, security awareness advocate at KnowBe4.
He points out that this is made worse when email is on the same network as critical infrastructure, allowing the attacker to access it through a simple phishing attack.
“Technical controls should be deployed to prevent phishing attacks getting to users’ inboxes, but they will not be completely effective,” he warns, adding that “up to date and appropriate security awareness and training” is “essential.”
Protecting critical infrastructure from cyberattacks
CNI security is a major issue, which is why steps are already being taken by governments across the world to try and urgently address the problem. Last year, the U.S. government announced a surprise move to try and secure systems using “retro” technologies.
While this work continues, it’s important that organizations are prepared. One essential step is to ensure detection and recovery controls are in place. These should be agreed beforehand so it’s possible to detect when an infection has occurred on systems, says Malik. In addition: “Have a plan of action to remediate the threats without adversely impacting systems.”
Andrea Carcano, co-founder and CPO of Nozomi Networks, recommends the use of “anomaly detection technologies to identify unusual behaviour, and traditional threat detection capabilities to provide additional context around suspicious actors.”
Work is being done to try and address critical infrastructure security, but the problem is complex and difficult to resolve, especially taking into account the issues around connecting legacy technology to the internet.
As industries such as oil and gas become an increasing target for cyberattacks by nation state actors, it’s important that organizations work together to try to counter the threat.
Update: February 19 at 12:37 ET
On February 19, cybersecurity firm Dragos published a blog identifying the likely victim as the U.S. Coastguard, which suffered a very similar incident last year. If the U.S. Coastguard is the victim, it was hit by the Ryuk ransomware.