Karlston Posted February 19, 2020

CRITICAL INFRASTRUCTURE — US natural gas operator shuts down for 2 days after being infected by ransomware

Infection spread to site's OT network that monitors and controls physical processes.

A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesday’s advisory from the DHS’ Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection didn’t spread to programmable logic controllers, which actually control compression equipment, and it didn’t cause the facility to lose control of operations, Tuesday’s advisory said. The advisory explicitly said that “at no time did the threat actor obtain the ability to control or manipulate operations.”

Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes. “Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers,” CISA officials wrote. “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”

Facility personnel implemented a “deliberate and controlled shutdown to operations” that lasted about two days. “Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the advisory said. As a result, the shutdown affected the entire “pipeline asset,” not just the compression facility. Normal operations resumed after that.

Security lapses

The advisory disclosed several lapses in the facility’s security regimen. The first lapse involved inadequacies in the facility’s emergency response plan, which “did not specifically consider cyberattacks.” Instead, the plan focused on threats to physical safety. “Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” the advisory stated. “These included a four-hour transition from operational to shutdown mode combined with increased physical security.”

Another gap was a failure to implement robust segmentation defenses between the IT and OT networks. As a result, the infection was able to “traverse the IT-OT boundary and disable assets on both networks.”

The full “planning and operations” section of the advisory read:

At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.

The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.

Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.

Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks. The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

The advisory comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as Ekans intentionally tampered with industrial control systems that gas facilities and other critical infrastructure rely on to keep equipment running reliably and safely. There’s no evidence the malware that hit the gas-compression facility was Ekans. Tuesday’s advisory doesn’t identify the specific piece of ransomware that was used. Researchers from Dragos didn’t immediately respond to questions. This post will be updated if a response comes later.

Source: US natural gas operator shuts down for 2 days after being infected by ransomware (Ars Technica)
duddy Posted March 2, 2020

US Govt Warns Critical Industries After Ransomware Hits Gas Pipeline Facility

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences.

The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company's internal network, encrypting critical data and knocking servers out of operation for almost two days.

"A cyber threat actor used a spear-phishing link to obtain initial access to the organization's information technology network before pivoting to its operational technology network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks," CISA noted in its alert.

As ransomware attacks continue to escalate in frequency and scale, the new development is yet another indication that phishing attacks continue to be an effective means to bypass security barriers and that hackers don't always need to exploit security vulnerabilities to breach organizations.

CISA highlighted that the attack did not impact any programmable logic controllers (PLCs) and that the victim did not lose control of its operations. But in the aftermath of the incident, the company is reported to have initiated a deliberate operational shutdown, resulting in a loss of productivity and revenue.

Noting that the impact was limited to Windows-based systems and assets located in a single geographic locality, it said the company was able to recover from the attack by getting hold of replacement equipment and loading last-known-good configurations.

Although the notification is lean on the specifics of the attack, this is not the first time phishing links have been employed to deliver ransomware. Lake City's I.T. network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot Trojan and Ryuk ransomware.

The evolving threat landscape means companies need to consider the full scope of threats posed to their operations, including maintaining periodic data backups and devising fail-over mechanisms in the event of a shutdown.

Aside from securing the email channel and identifying and protecting the most attacked individuals, this also underscores the need for adopting appropriate anti-phishing measures to stop social engineering attempts from reaching their targets' inboxes and training people to spot mails that get through.

Additionally, it's imperative that vulnerable organizations safeguard the digital supply chain by segmenting critical network infrastructure using firewalls and conducting periodic security audits to identify gaps and weaknesses. For a full list of mitigative measures that can be undertaken, head to the CISA advisory here.

Update: Cybersecurity firm Dragos issued an assessment on Wednesday linking the attack on the facility to an alert put out by the US Coast Guard in December. The Ryuk ransomware infection had forced the facility to shut down for 30 hours, disrupting camera and physical access control systems, along with shutting down the entire corporate IT network at the facility. The analysis cited overlaps in the outage period between the two reports, the impact on Windows-based systems, and the primary attack vector being an email message containing a malicious link.

Source
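The lapse both posts return to is the absence of a real IT/OT boundary: the first post notes the infection could "traverse the IT-OT boundary" and reach HMIs, historians and polling servers, and the second recommends segmenting critical infrastructure with firewalls. As an added example (not code from either article, from CISA or from Dragos), the Python below audits a constructed boundary firewall ruleset for allow rules that open IT-to-OT paths outside a small allow-list; every subnet, host, port and rule in it is a constructed assumption.

```python
"""Added example: audit a constructed IT/OT boundary firewall policy for allow
rules that let IT traffic reach OT assets (HMIs, historians, polling servers)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # constructed corporate IT network
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")   # constructed OT/control network
# Constructed allow-list of the only IT->OT flows the boundary should permit,
# as (destination host, TCP port): here a single hardened jump host, RDP only.
ALLOWED_IT_TO_OT = {("10.20.0.5", 3389)}


@dataclass
class Rule:
    src: str             # CIDR or single host
    dst: str             # CIDR or single host
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def crosses_it_to_ot(rule: Rule) -> bool:
    """True if the rule matches any IT source address and any OT destination."""
    src = ipaddress.ip_network(rule.src, strict=False)
    dst = ipaddress.ip_network(rule.dst, strict=False)
    return src.overlaps(IT_ZONE) and dst.overlaps(OT_ZONE)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that opens an IT->OT path outside the
    allow-list, plus a finding if no explicit deny covers IT->OT traffic."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not crosses_it_to_ot(rule):
            continue
        dst = ipaddress.ip_network(rule.dst, strict=False)
        single_host = dst.num_addresses == 1
        if single_host and (str(dst.network_address), rule.port) in ALLOWED_IT_TO_OT:
            continue  # exact host and port from the allow-list: permitted
        findings.append(f"{rule.src} -> {rule.dst} port {rule.port or 'any'}: "
                        "IT->OT allow outside allow-list")
    if not any(r.action == "deny" and crosses_it_to_ot(r) for r in rules):
        findings.append("no explicit deny rule covering IT->OT traffic")
    return findings


# Constructed ruleset resembling a flat, under-segmented boundary.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.20.0.5", 3389, "allow"),    # jump host: permitted
    Rule("10.10.0.0/16", "10.20.1.0/24", 445, "allow"),  # SMB into HMI/historian segment
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow"),       # catch-all allow
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the constructed ruleset it reports the SMB rule, the catch-all allow, and the missing explicit deny; rules in the OT-to-IT direction are deliberately outside this check.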
Karlston Posted March 3, 2020 Author

Similar topic merged. (Again, older news (Feb 19) is likely to have already been posted. A search for "ransomware" finds this earlier topic, 3rd on the search results)
This topic is now archived and is closed to further replies.