SecurityWeek

Operations at U.S. Natural Gas Facilities Disrupted by Ransomware Attack

A ransomware infection at a natural gas compression facility in the United States resulted in a two-day operational shutdown of an entire pipeline asset, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday.

The targeted organization has not been named and it's unclear exactly when the incident occurred. According to CISA, the cyberattack affected control and communication assets on the victim's operational technology (OT) network.

A compression facility helps transport natural gas from one location to another through a pipeline. Natural gas needs to be highly pressurized during transportation, and compression facilities along the pipeline help ensure that it remains pressurized.

The agency said the attackers used spear-phishing to gain initial access to the facility's IT network, after which they pivoted into the OT network. The hackers then deployed commodity ransomware that encrypted files on Windows machines on both the IT and OT networks.

This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but CISA said the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.

Nevertheless, the victim decided to respond to the attack by shutting down operations. While the ransomware only directly affected one facility, other compression facilities were also forced to suspend operations due to pipeline transmission dependencies. CISA said the incident resulted in an operational shutdown of the entire pipeline asset for roughly two days.
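The incident turns on two distinctions that the paragraphs above make in prose: loss of view (Windows HMIs, historians and polling servers encrypted) versus loss of control (PLCs untouched), and the direct impact on one facility versus the shutdown that cascades to the rest of the pipeline through transmission dependencies. The following is an added example, not code from the article or from CISA's alert: a small operational-dependency model in which a defender can ask "if these hosts are encrypted, which facilities must stop?" The facility names, host names, dependency graph and the shutdown policy are all constructed assumptions for illustration, not details of the real incident.

```python
"""Added example: model loss-of-view vs loss-of-control and cascading shutdown.

Not from the SecurityWeek article or the CISA alert. Facility names, host
names, the dependency graph and the shutdown policy are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class Facility:
    name: str
    # Windows-based OT monitoring hosts: HMIs, data historians, polling servers.
    windows_ot_hosts: set
    # Controllers that keep running the process even when the Windows hosts are down.
    plcs: set
    # Facilities this one cannot operate without (pipeline transmission dependencies).
    depends_on: set = field(default_factory=set)


def loss_of_view(fac, encrypted_hosts):
    """Operators lose view when every Windows OT monitoring host is encrypted."""
    return fac.windows_ot_hosts <= encrypted_hosts


def loss_of_control(fac, encrypted_hosts):
    """Control is lost only if a controller itself is affected (PLCs are not Windows hosts)."""
    return bool(fac.plcs & encrypted_hosts)


def cascade(facilities, initially_down):
    """Transitively propagate shutdowns along the dependency graph (fixed point)."""
    down = set(initially_down)
    changed = True
    while changed:
        changed = False
        for fac in facilities.values():
            if fac.name not in down and fac.depends_on & down:
                down.add(fac.name)
                changed = True
    return down


def assess(facilities, encrypted_hosts, shutdown_on_loss_of_view=True):
    """Return the facilities shut down directly and after cascading.

    shutdown_on_loss_of_view encodes an operator policy: in the real incident the
    victim chose to halt operations even though control was never lost.
    """
    direct = set()
    for fac in facilities.values():
        if loss_of_control(fac, encrypted_hosts):
            direct.add(fac.name)
        elif shutdown_on_loss_of_view and loss_of_view(fac, encrypted_hosts):
            direct.add(fac.name)
    return {"direct": direct, "total": cascade(facilities, direct)}


# Constructed pipeline: three compression stations in series. Each station needs
# its neighbours to keep gas moving, so the dependency edges run both ways.
PIPELINE = {
    "CS-1": Facility("CS-1", {"cs1-hmi", "cs1-hist"}, {"cs1-plc"}, {"CS-2"}),
    "CS-2": Facility("CS-2", {"cs2-hmi", "cs2-hist", "cs2-poll"}, {"cs2-plc"}, {"CS-1", "CS-3"}),
    "CS-3": Facility("CS-3", {"cs3-hmi", "cs3-hist"}, {"cs3-plc"}, {"CS-2"}),
}

# Constructed scenario: ransomware encrypts every Windows OT host at CS-2 only.
ENCRYPTED = {"cs2-hmi", "cs2-hist", "cs2-poll"}

# Operator policy "no view, no operation": one facility hit, whole pipeline stops.
RESULT_SHUTDOWN = assess(PIPELINE, ENCRYPTED, shutdown_on_loss_of_view=True)
# Same attack, policy that tolerates blind operation: nothing is forced offline.
RESULT_NO_SHUTDOWN = assess(PIPELINE, ENCRYPTED, shutdown_on_loss_of_view=False)

if __name__ == "__main__":
    cs2 = PIPELINE["CS-2"]
    print("CS-2 loss of view:   ", loss_of_view(cs2, ENCRYPTED))
    print("CS-2 loss of control:", loss_of_control(cs2, ENCRYPTED))
    print("shutdown policy -> direct", sorted(RESULT_SHUTDOWN["direct"]),
          "total", sorted(RESULT_SHUTDOWN["total"]))
    print("blind-operation policy -> total", sorted(RESULT_NO_SHUTDOWN["total"]))
```

Running it shows CS-2 with loss of view but no loss of control, and that under a "no view, no operation" policy the loss of a single station propagates to all three, matching the whole-pipeline shutdown described above. The second call shows the same attack producing no forced shutdown, which is the point for emergency planning: the outage length was a consequence of an operator decision made without a rehearsed cyber playbook, not of the ransomware reaching the controllers.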


“The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process,” the agency said in its alert.

According to CISA, the victim had an emergency response plan in place, but it focused on physical safety and it did not specifically cover cyberattacks.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA said. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

The agency published an alert to warn gas and other critical infrastructure operators about the risk of cyberattacks and to provide recommendations for mitigating the threat.

Related: TSA Lacks Cybersecurity Expertise to Manage Pipeline Security Program

Related: Several U.S. Gas Pipeline Firms Affected by Cyberattack

Related: U.S. Oil and Gas Industry Lagging in Security

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
