The Department of Homeland Security (DHS) revealed that a ransomware attack on a US natural gas facility forced it to shut down operations for two days.
What happened?
A US natural gas compression facility, whose name wasn’t disclosed, had to shut down operations after becoming infected with commodity ransomware.
Malware potential
Though the ransomware could not affect any of the programmable logic controller (PLC)-based processes, it was still able to compromise human-machine interfaces (HMIs), data historians, and polling servers on the OT network.
It was designed to infect only Windows-based systems.
Reaction to the attack
As disclosed by CISA, the victim’s emergency response plan focused on physical safety and did not entirely encompass cyberattacks. So, a deliberate choice was made to proceed with a controlled shutdown of operations.
In its alert, the agency said, “The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.”
Why the malware got in
It is a worrying sign that critical infrastructure providers still haven’t evolved their threat modeling to counter or mitigate modern blackhat attack techniques.
Specifically, the victim organization lacked robust segmentation between its IT and OT networks, allowing the attacker to pervade both. It also failed to develop a cyber-risk response plan.
“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning,” read an excerpt from the alert.
CISA Warning
CISA, in response to the threat, has warned critical U.S. infrastructure operators of a possible attack on their networks and urged them to add cyber risk planning to their incident response strategies. It has advised them to:
Alongside physical security controls, the agency further recommended that operators ensure network segmentation, multi-factor authentication, anti-phishing filters, application whitelisting, traffic filtering, regular data backups, least-privilege access policies, and regular patching.