CISA warns critical infrastructure sectors after successful ransomware attack on pipeline operator

The Department of Homeland Security's CISA is warning critical infrastructure operators to redouble their security efforts after a natural gas compression facility was hit and shut down by a ransomware attack.

Attackers used a spearphishing email containing a link to gain access to the operator’s network and then moved laterally to the target’s operational technology (OT) network, where ransomware was downloaded, encrypting files on both networks. This resulted in a loss of availability on the OT network, including human machine interfaces, data historians, and polling servers.

“Assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers and at no point did the victim lose control of operations,” CISA reported.

The victim did not have a cyberattack response plan in place, only one for protecting the facility against a physical attack, but did take the correct cybersecurity measure and shut down its operations for two days to handle the problem.

“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Saurabh Sharma, vice president, Virsec, told SC Media.

The attack was successful, CISA determined, because, “The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”

The ransomware used only affected Windows machines on the IT and OT networks and not the programmable logic controllers, but in order to regain full functionality the operator had to replace the damaged equipment and then use backups of the last known good

To prepare against such attacks, CISA recommended that all critical infrastructure and other organizations:

  • Ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised.
  • Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity.
  • Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
  • Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of
  • Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
