The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is warning critical infrastructure operators to redouble their security efforts after a natural gas compression facility was hit and shut down by a ransomware attack.
The attackers used a spearphishing email containing a link to gain access to the operator’s network and then moved laterally to the target’s operational technology (OT) network, where ransomware was downloaded and encrypted files on both networks. This resulted in a loss of availability on the OT network, including human-machine interfaces (HMIs), data historians, and polling servers.
“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers and at no point did the victim lose control of operations,” CISA reported.
The victim did not have a cyberattack response plan in place, only one for protecting the facility against a physical attack, but it did take the correct cybersecurity measure of shutting down its operations for two days to handle the problem.
“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Saurabh Sharma, vice president, Virsec, told SC Media.
The attack was successful, CISA determined, because, “The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
The ransomware used only affected Windows machines on the IT and OT networks and not the programmable logic controllers, but in order to regain full functionality the operator had to replace the damaged equipment and then restore backups of the last known good configuration.
To prepare against such attacks, CISA recommended that all critical infrastructure and other organizations:
- Ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised.
- Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity.
- Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
- Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.
- Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
- Enable strong spam filters to prevent phishing emails from reaching end users.