A US natural gas pipeline operator had to shut down a compressor station for two days following a ransomware attack, according to an alert from the US Cybersecurity and Infrastructure Security Agency (CISA).
CISA said the attack affected control and communication assets on the operational technology (OT) network of a natural gas compression facility. The threat actor used a spear-phishing link to gain access to the organisation's information technology (IT) network before pivoting to its OT network.
Human-machine interfaces (HMIs), data historians and polling servers became unavailable. Those assets could no longer read and aggregate the real-time operational data reported by low-level OT devices, so operators lost visibility of what was happening on the system. The company opted for a controlled shutdown.
CISA said the organisation lacked robust segmentation between its IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks. The threat actor used commodity ransomware to compromise Windows-based assets.
Richard Bejtlich, principal security strategist at Corelight, said: "This incident highlights the need for operators of critical infrastructure to instrument their networks in at least three important locations:
- the gateway connecting the Internet and their information technology (IT);
- the gateway connecting the Internet and their operational technology (OT);
- the gateway connecting the IT and OT networks.”
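The check implied by the CISA summary above (no robust IT/OT segmentation) and by the third of Bejtlich's instrumentation points (watch the IT-OT gateway) can be run over the gateway's own connection log. The script below is an added example, not code from the original article or from any vendor named in it: it reads Zeek-style conn.log records (a constructed subset of the real columns), maps each endpoint to an IT zone, an OT zone or "external", and flags every conversation that crosses into or out of OT unless an explicit allowlist rule permits it. The address plan, the single allowlist rule and the six log lines are all constructed for the example; a real site would substitute its own.

```python
"""Flag IT/OT boundary crossings that are not on the segmentation allowlist.

Input is Zeek conn.log-style tab-separated text. The field set below is a
constructed subset of Zeek's real conn.log columns, kept to what the check
needs; the address plan, policy and sample records are constructed too."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed address plan (constructed): adjust to the real site.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Return IT, OT or EXTERNAL. Anything outside the two zones, including
    unmapped RFC1918 space, is EXTERNAL so that unknown ranges get flagged
    rather than silently trusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


@dataclass(frozen=True)
class Rule:
    """One permitted boundary crossing; src_hosts empty means any host in src_zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    src_hosts: frozenset

    def matches(self, rec: dict) -> bool:
        return (
            rec["src_zone"] == self.src_zone
            and rec["dst_zone"] == self.dst_zone
            and rec["proto"] == self.proto
            and rec["id.resp_p"] == self.dst_port
            and (not self.src_hosts or rec["id.orig_h"] in self.src_hosts)
        )


# Constructed allowlist: only the IT-side historian replica (assumed address)
# may initiate to OT, and only on its application port. Nothing in OT may
# initiate towards IT or towards anything external. Everything else crossing
# the boundary is a violation, which is what "robust segmentation" means here.
POLICY = (
    Rule("IT", "OT", "tcp", 8443, frozenset({"10.10.5.20"})),
)

FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service")


def parse_conn(line: str) -> dict:
    """Parse one record and annotate it with the zone of each endpoint."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["id.orig_p"] = int(rec["id.orig_p"])
    rec["id.resp_p"] = int(rec["id.resp_p"])
    rec["src_zone"] = zone_of(rec["id.orig_h"])
    rec["dst_zone"] = zone_of(rec["id.resp_h"])
    return rec


def verdict(rec: dict, policy=POLICY) -> str:
    """Classify a connection; direction matters, since the originator is what
    the allowlist constrains (an OT host dialling IT is not the same flow as
    IT polling OT, even on the same port)."""
    src, dst = rec["src_zone"], rec["dst_zone"]
    if src == dst:
        return "intra-zone"
    if "OT" not in (src, dst):
        return "it-external"  # the IT/Internet gateway has its own policy; not checked here
    if any(rule.matches(rec) for rule in policy):
        return "allowed"
    return "violation"


def find_violations(lines: Iterable[str], policy=POLICY) -> list:
    """Return the parsed records whose verdict is 'violation', in log order."""
    out = []
    for line in lines:
        if not line or line.startswith("#"):  # skip blanks and Zeek header lines
            continue
        rec = parse_conn(line)
        if verdict(rec, policy) == "violation":
            out.append(rec)
    return out


# Constructed sample: an IT workstation reaching an OT HMI over SMB, the
# permitted historian poll, an OT host dialling out to the Internet, an
# IT-internal LDAP lookup, RDP from the permitted host on the wrong port,
# and the OT historian initiating back towards IT.
SAMPLE_CONN_LOG = """\
1581000001.1\tCk1\t10.10.7.44\t51000\t10.20.1.10\t445\ttcp\tsmb
1581000002.2\tCk2\t10.10.5.20\t51001\t10.20.1.50\t8443\ttcp\tssl
1581000003.3\tCk3\t10.20.1.10\t51002\t203.0.113.9\t443\ttcp\tssl
1581000004.4\tCk4\t10.10.7.44\t51003\t10.10.3.3\t389\ttcp\tldap
1581000005.5\tCk5\t10.10.5.20\t51004\t10.20.1.50\t3389\ttcp\trdp
1581000006.6\tCk6\t10.20.1.50\t51005\t10.10.5.20\t8443\ttcp\tssl
"""

if __name__ == "__main__":
    for r in find_violations(SAMPLE_CONN_LOG.splitlines()):
        print(f'{r["uid"]}: {r["src_zone"]} {r["id.orig_h"]} -> '
              f'{r["dst_zone"]} {r["id.resp_h"]}:{r["id.resp_p"]}/{r["proto"]} ({r["service"]})')
```

On the sample, Ck1 (SMB from an IT workstation into an OT HMI), Ck3 (OT host to the Internet), Ck5 (RDP from the permitted host but not on the permitted port) and Ck6 (OT initiating towards IT) are reported; only the polled historian flow passes. The first of those is the shape of traversal the CISA alert describes, which is why the allowlist is written per originating host and port rather than per zone pair.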
Tim Erlin, vice president at Tripwire, said: "While we like to think of OT networks as being populated with proprietary and unique devices, the reality is that there are an awful lot of Windows systems in these environments as well, and they are vulnerable to traditional IT threats, like ransomware.
“This attack is a good example of where robust network segmentation can have direct benefit in preventing an attacker from successfully moving through the network. Network segmentation may not be cutting edge technology, but that doesn’t mean it isn’t effective.
“Remember, ransomware by default announces itself. It has to in order to get the victim to pay the ransom. But the same attack vectors and tactics that ransomware exploits could be used by attackers who would prefer to stay hidden as well. If you’re worried about ransomware, you should be worried about other attacks as well.”
Stuart Sharp, vice president of solution engineering at OneLogin, said: "As phishing attacks become increasingly common, and increasingly sophisticated — often tailored to a targeted team within an organisation — companies cannot rely on defending against 100% of attacks. The best defence against ransomware is a robust business continuity plan which includes regular backups, version control and thorough testing of disaster recovery procedures. For enterprises that rely on Industrial Control Systems, there's no substitute for real world testing — staff not only need to know recovery procedures, they need to practice them regularly to minimize downtime if an attack does occur."
Martin Jartelius, CSO at Outpost24, said: "This rather clearly shows that security should be layered. We cannot continue to perceive security as a fortress where threat actors are outside, and on the inside everyone is a good person. If an email to an employee can lead to pivoting to the OT network, there is very basic security missing in the setup.
"…start with asking your IT team if the OT networks are properly isolated. It's free to check that way, and likely you will get eye-opening results."
Oliver Pinson-Roxburgh, co-founder of Bulletproof, said: "Industrial engineers back in the 80s, when the first industrial control systems were being built, did not have to consider that one day they would be connected to the internet. In addition, segregation in these sorts of networks was also not a consideration. … the initial network was not the target, but was the first entry point leveraged by the threat actor…
"We find that during testing our customers, the employees are the weakest link. During our phishing campaigns we will always have some success. The important point to consider is that an attacker only needs one person to fail; all they need is that one piece of equipment or person to leverage.
"Industrial control systems security requires a very different set of knowledge and skills to protect the site, which is very different to a typical IT network."
Nigel Stanley, chief technology officer at TUV Rheinland, said: "IT and OT networks are frequently interlinked as business systems need to have a view on control systems.
“Unfortunately, with poor network segmentation, firewalling and protection of internet work conduits, pivoting of malware such as this will be seen more and more often. Of note is the need to ensure that cyberattacks on OT systems have a decent and well-rehearsed incident response plan, coupled with a similarly implemented business recovery plan. The CISA has been helpful in highlighting this incident.”
Andrea Carcano, co-founder, Nozomi Networks, said:
"This is yet another example of the significant rise in the number of cyberattacks targeting critical infrastructure, and a reminder that the threats are real and need to be addressed. … This attack method accessed the IT network before moving into the OT network, validating the importance of integrating IT and OT systems. Thankfully, the operator was able to perform a shutdown before any loss of control or destruction was done, but had no emergency plan in place for cyberattacks.
"… To protect and optimally maintain ICS cybersecurity, it is necessary to implement non-intrusive technologies that shift an organisation's security posture to one that utilises intelligent threat detection."