February 21, 2020
An advisory from the Department of Homeland Security says that a U.S.-based natural gas-compression facility was recently forced to shut down operations for two days after being hit with a ransomware attack.
The facility was not named by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), but the alert noted personnel were unable to receive crucial real-time operational data from control and communication equipment following the infection.
“A cyber threat actor used a spearphishing link to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks. Specific assets experiencing a loss of availability on the OT network included human machine interfaces (HMIs), data historians, and polling servers,” the alert detailed.
The alert also lists several factors behind the incident, including that the victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.
In an assessment of the incident, industrial cybersecurity firm Dragos said the impacts were probably due to insufficient segregation of IT and ICS environments.
“Operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure. Based on reporting, the intrusion appears to only have impacted a natural gas compression facility owned by the pipeline operator. Impacted ICS devices included data historians and human machine interface (HMI) devices but did not propagate to Layer 1 devices or lower, such as PLCs.”
In December, a ransomware attack on the U.S. Coast Guard led to a 30-hour operational shutdown. Ransomware known as Ryuk impaired both the IT systems and industrial control systems of a facility regulated by the Maritime Transportation Security Act (MTSA).