The Department of Homeland Security's Cybersecurity and Infrastructure Security
Agency (CISA) is warning critical infrastructure operators to redouble their
security efforts after a natural gas compression facility was hit and shut down
by a ransomware attack.
The attackers used a spearphishing email containing a link to gain access to the
operator’s network and then moved laterally to the target’s operational
technology (OT) network, where ransomware was downloaded, encrypting files on
both networks. This resulted in a loss of availability on the OT network,
including human machine interfaces, data historians, and polling servers.
“Impacted assets were no longer able to read and aggregate real-time operational
data reported from low-level OT devices, resulting in a partial Loss of View for
human operators. The attack did not impact any programmable logic controllers and
at no point did the victim lose control of operations,” CISA reported.
The facility did not have a cyberattack response plan in place, only one for
protecting the facility against a physical attack, but it did take the correct
cybersecurity measure and deliberately shut down its operations for two days to
handle the problem.
“This attack highlights a growing problem across the industrial control space.
While many organizations operate under the assumption that their ICS systems are
isolated, increased connectivity, poor security awareness, and human mistakes
continue to expose critical infrastructure to attack. While the effect of these
attacks might not be catastrophic, ransomware can cause significant disruption,
bring systems down, and further erode the public’s confidence in the security of
our critical systems,” Saurabh Sharma, vice president at Virsec, told SC Media.
The attack was successful, CISA determined, because “The victim failed to
implement robust segmentation between the IT and OT networks, which allowed the
adversary to traverse the IT-OT boundary and disable assets on both networks.”
The ransomware affected only Windows machines on the IT and OT networks, not the
programmable logic controllers, but in order to regain full functionality the
operator had to replace the damaged equipment and then use backups of the last
known good
To prepare against such attacks, CISA recommended that all critical infrastructure and other organizations:
- Ensure robust Network Segmentation
between IT and OT networks to limit the ability of adversaries to pivot to the
OT network even if the IT network is compromised.
- Organize OT assets into logical zones
by taking into account criticality, consequence, and operational necessity.
- Require Multi-Factor Authentication
[M1032] to remotely access the OT and IT networks from external sources.
- Implement regular Data Backup [M1053]
procedures on both the IT and OT networks. Ensure that backups are regularly
tested and isolated from network connections that could enable the spread of
- Ensure user and process accounts are
limited through Account Use Policies [M1036], User Account Control [M1052], and
Privileged Account Management [M1026]. Organize access rights based on the
principles of least privilege and separation of duties.
- Enable strong spam filters to prevent
phishing emails from reaching end users.
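Taken together, the segmentation, zoning and least-privilege items above amount to a zone policy for the IT/OT boundary, and a ruleset can be checked against one mechanically. The following Python script is an added illustration of that check; it is not code from CISA or SC Media and does not describe the affected facility's network. It assigns hosts to zones, permits only listed zone pairs and ports, flags any direct IT-to-OT allow and any cross-zone allow on a port commonly used for Windows lateral movement, and reports an asset that was never assigned a zone. All host names, zone names, ports and rules are assumptions made up for the example; the advisory does not say which protocols the attackers used to pivot.

```python
"""Audit a firewall allow-list against an IT/OT zone policy.

Added example: a constructed illustration, not code from CISA or SC Media and
not a description of the affected facility. Every host name, zone name, port
and rule below is an assumption made up for the example.
"""
from dataclasses import dataclass

# Assumed zone assignment, roughly following the Purdue model: enterprise IT,
# an IT/OT DMZ, supervisory OT (HMIs, historians, polling servers) and the
# control layer (PLCs). An asset missing from this map is itself a finding.
ZONE_OF = {
    "corp-ws-17": "IT",
    "mail-gw": "IT",
    "dmz-historian-mirror": "DMZ",
    "dmz-jump": "DMZ",
    "hmi-01": "OT-SUPERVISORY",
    "historian-01": "OT-SUPERVISORY",
    "poller-01": "OT-SUPERVISORY",
    "plc-compressor-a": "OT-CONTROL",
}

# Assumed zone policy: (source zone, destination zone) -> permitted TCP ports.
# Any pair not listed is forbidden, so IT never reaches OT directly; IT reads
# process data from the DMZ mirror and administers OT only via the DMZ jump
# host (where MFA would be enforced).
ALLOWED = {
    ("OT-SUPERVISORY", "DMZ"): {5432},              # historian pushes to DMZ mirror
    ("IT", "DMZ"): {443, 3389},                     # HTTPS to mirror, RDP to jump host
    ("DMZ", "OT-SUPERVISORY"): {3389},              # jump host -> HMIs
    ("OT-SUPERVISORY", "OT-CONTROL"): {502, 44818}, # Modbus/TCP, EtherNet/IP to PLCs
}

# Windows services commonly used for lateral movement (RPC, NetBIOS, SMB,
# WinRM). An allow on these across any zone boundary is flagged regardless of
# what the zone policy says.
LATERAL_MOVEMENT_PORTS = {135, 139, 445, 5985, 5986}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "allow"


def check_rule(rule):
    """Return finding codes for one rule; an empty list means it is compliant."""
    if rule.action != "allow":
        return []                      # a deny rule cannot open a path
    src_zone, dst_zone = ZONE_OF.get(rule.src), ZONE_OF.get(rule.dst)
    if src_zone is None or dst_zone is None:
        return ["unzoned-asset"]       # cannot reason about a host with no zone
    if src_zone == dst_zone:
        return []                      # intra-zone traffic is out of scope here
    findings = []
    if src_zone == "IT" and dst_zone.startswith("OT"):
        findings.append("direct-it-to-ot")
    if rule.port in LATERAL_MOVEMENT_PORTS:
        findings.append("lateral-movement-port")
    if rule.port not in ALLOWED.get((src_zone, dst_zone), set()):
        findings.append("not-in-zone-policy")
    return findings


def audit(rules):
    """Map rule index -> finding codes, only for rules that have findings."""
    report = {}
    for index, rule in enumerate(rules):
        findings = check_rule(rule)
        if findings:
            report[index] = findings
    return report


# Constructed allow-list. The first four rules follow the policy; the rest are
# the kind of flat-network holes the mitigations above are meant to close.
SAMPLE_RULES = [
    Rule("historian-01", "dmz-historian-mirror", 5432),
    Rule("corp-ws-17", "dmz-historian-mirror", 443),
    Rule("dmz-jump", "hmi-01", 3389),
    Rule("poller-01", "plc-compressor-a", 502),
    Rule("corp-ws-17", "hmi-01", 445),                 # SMB from an IT workstation to an HMI
    Rule("mail-gw", "historian-01", 5985),             # WinRM from IT into the OT historian
    Rule("hmi-01", "plc-compressor-a", 80),            # port the zone policy never granted
    Rule("corp-ws-17", "unlisted-box", 22),            # destination never assigned a zone
    Rule("corp-ws-17", "hmi-01", 445, action="deny"),  # explicit deny, not a finding
]

if __name__ == "__main__":
    for index, findings in sorted(audit(SAMPLE_RULES).items()):
        rule = SAMPLE_RULES[index]
        print(f"rule {index}: {rule.src} -> {rule.dst}:{rule.port} "
              f"{', '.join(findings)}")
```

Run as a script it lists the four offending rules. The design point is that the zone map and the allowed-pair table are the policy; the audit only asks whether each allow is explainable by them, which is the same question a reviewer should ask of a real firewall export before trusting the "our OT is isolated" assumption.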