A U.S.-based natural gas facility halted operations for two days after a ransomware infection cut staff off from the real-time operational data supplied by its control and communication devices, the Department of Homeland Security said Tuesday.
Tuesday's report from DHS's Cybersecurity and Infrastructure Security Agency (CISA) identified the site only as a natural gas compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so that it can be transported safely through pipelines.
The attack started with a malicious link in a phishing email, which allowed the attackers to pivot from the facility's IT network to its OT network, the operational technology network of servers that monitor and control the facility's physical processes. Both the IT and the OT network were then infected with what the advisory described as "commodity ransomware."
The infection did not spread to the programmable logic controllers that actually operate the compression equipment, and it did not cause the facility to lose control of operations, Tuesday's advisory said. The advisory stated explicitly that "the threat actor has never been given the ability to control or manipulate operations."
Nevertheless, the attack knocked out key control and communication assets that on-site staff rely on to monitor the physical processes.
"The specific assets in which a loss of availability (T826) occurred on the OT network include human-machine interfaces (HMIs), data historians, and polling servers," CISA staff wrote. "Affected assets were no longer able to read and aggregate real-time operational data reported by low-level OT devices, resulting in a partial loss of view (T829) for human operators."
Facility personnel carried out an "intentional and controlled business interruption" that lasted approximately two days. "Geographically different compression systems also had to stop operating due to the transmission dependencies of the pipeline," the report said. As a result, the shutdown affected the entire "pipeline asset," not just the compression facility. Normal operations then resumed.
The report revealed several shortcomings in the facility's security regime. The first concerned gaps in the facility's emergency response plan, in which "cyber attacks were not specifically considered." Instead, the plan focused on threats to physical security.
"Although the plan included a full emergency statement and immediate shutdown, the victim judged the operational impact of the incident to be less severe than expected and decided to take limited emergency measures," the advisory said. "This included a four-hour transition from operating to shutdown mode with increased physical security."
Another gap was the lack of robust segmentation between the IT and OT networks. As a result, the infection "could cross the IT-OT barrier and deactivate assets in both networks."
The report's full "Planning and Operations" section read:
- At no time did the threat actor have the opportunity to control or manipulate processes. The victim took the HMIs, which read and control the processes in the facility, offline. A separate and geographically distinct central control point was able to maintain visibility, but was not instrumented to control the operation.
- The victim's existing contingency plan focused on physical security threats rather than cyber incidents. Although the plan provided for a full emergency statement and immediate shutdown, the victim judged the operational impact of the incident to be less severe than the plan anticipated and decided to take limited emergency measures. This included a four-hour transition from operating to shutdown mode with increased physical security.
- Although the direct operational impact of the cyber attack was limited to a control system, geographically different compression systems also had to stop operating due to dependencies in the pipeline transmission. This resulted in an outage of the entire pipeline asset that lasted approximately two days.
- Although it considered a number of physical emergency scenarios, the victim's emergency plan did not specifically consider the risk of cyberattacks. As a result, employees had not gained any decision-making experience in dealing with cyber attacks during emergency measures.
- The victim cited gaps in knowledge about cybersecurity and the multitude of possible scenarios as reasons why cybersecurity was not adequately included in emergency planning.
The report comes two weeks after researchers at industrial cybersecurity company Dragos reported that a ransomware strain known as Ekans deliberately tampers with the industrial control systems that gas facilities and other critical infrastructure rely on for reliable and safe equipment operation.
There is no evidence that the malware that hit the gas compression facility was Ekans. Tuesday's advisory does not specify which ransomware was used. Dragos researchers did not immediately respond to questions. This post will be updated if they respond.