SecurityWeek

Operations at U.S. Natural Gas Facilities Disrupted by Ransomware Attack

A ransomware infection at a natural gas compression facility in the United States resulted in a two-day operational shutdown of an entire pipeline asset, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday.

The targeted organization has not been named and it’s unclear exactly when the incident occurred. According to CISA, the cyberattack affected control and communication assets on the victim’s operational technology (OT) network.

A compression facility helps transport natural gas from one location to another through a pipeline. Natural gas needs to be highly pressurized during transportation, and compression facilities along the pipeline help ensure that it remains pressurized.

The agency said the attackers used spear-phishing to gain initial access to the facility’s IT network, after which they managed to make their way to the OT network. The hackers then deployed commodity ransomware that encrypted files on Windows machines on both the IT and OT networks.

This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but CISA said the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.

Nevertheless, the victim decided to respond to the attack by shutting down operations. While the ransomware only directly affected one facility, other compression facilities were also forced to suspend operations due to pipeline transmission dependencies. CISA said the incident resulted in an operational shutdown of the entire pipeline asset for roughly two days.

“The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process,” the agency said in its alert.

According to CISA, the victim had an emergency response plan in place, but it focused on physical safety and it did not specifically cover cyberattacks.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA said. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

The agency published an alert to warn gas and other critical infrastructure operators about the risk of cyberattacks, and provide recommendations for mitigating the threat.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
