Connect with us

Hi, what are you looking for?



Report: DHS Requested Gas Pipeline Companies to Let Attackers Lurk Inside Networks

DHS Warns Natural Gas Companies

DHS Warns of Cyber Attack Targeting Natural Gas Industry: Companies Requested Not To Take Action to Remove Attackers, Says Source

DHS Warns Natural Gas Companies

DHS Warns of Cyber Attack Targeting Natural Gas Industry: Companies Requested Not To Take Action to Remove Attackers, Says Source

According to reports, which were confirmed Friday by ICS-CERT, an active Phishing campaign is responsible for the U.S. Department of Homeland Security (DHS) issuing three warnings since the end of March that the natural gas industry has been under ongoing cyber attack. However, it’s the advice that the DHS is giving that should raise some red flags.

The specter of a cyber attack against critical infrastructure is a reality, but not because the DHS is guarding the Internet, but because the networks running the critical infrastructure are so poorly protected. It’s gotten to the point that simple Phishing attacks, things that proper email protection and awareness training cover, rate three separate warnings and alerts.

“Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign. The campaign appears to have started in late December 2011 and is active today,” the CERT alert advised.

As reported by the DHS though the Transportation Security Administration’s Office of Intelligence, the U.S. pipeline system is comprised of 161,189 miles of liquid pipelines with more than 200 operators; 309,503 miles of natural gas transmission pipelines with more than 700 operators; and 1.9 million miles of natural gas distribution pipelines with more than 1,300 operators.

“Virtually the entire U.S. pipeline system and critical infrastructure is owned and operated by private entities,” the agency said in a pipeline threat assessment memo from 2011.

“Oil and natural gas pipeline system operations rely heavily on industry control systems (ICSs) including supervisory control and data acquisition (SCADA) networks. Terrorist groups have discussed attacks on unspecified SCADA systems, but it is uncertain whether al-Qa’ida or any other group has the capability to conduct a successful cyber attack. The TSA-OI is not aware of any credible, specific threat reporting targeting U.S. pipelines’ industry control systems or the supervisory control and data acquisition networks.”

Still, the idea that something as simple as a Phishing attack could cripple the nation’s pipeline system – as the alerts lead one to believe – is sad, but it get’s worse. Someone who has seen the three alerts from the DHS, which were allegedly kept from the public due to sensitive information, told the Christian Science Monitor what they essentially requested from those in the industry.

Advertisement. Scroll to continue reading.

“There are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday’s public notice,” CSM Staff Writer, Mark Clayton, noted. “One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.”

According to the source, the companies were “specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.”

“In essence they were saying: ‘Do not put in any mitigation or blocks against these active intruders,’” the CSM’s source said. “But if you’re telling an investor owned utility not to do anything, that’s pretty unheard of. Step one is always block these guys and get them off the system. It’s pretty unusual in the commercial world to just let them collect data. Heaven forbid that the intruders gain control…”

Based on the information released by, the let them in and watch approach doesn’t seem to be on the training calendar for June’s National Level Exercise (NLE).

NLE 2012, which will involve thirteen states, four countries, nearly every major governmental department in the U.S. in addition to a few NGOs, private sector firms, and universities, is set to focus on “cyber threats to critical infrastructure and the “real world” implications for government and law enforcement of large-scale cyber attacks.”

“Given the response, it would seem clear that the DHS is interested not in simply repelling the attack, but getting to the people behind it,” Wade Williamson, Senior Security Analyst at Palo Alto Networks told SecurityWeek.

The DHS will not comment on “For Official Use Only” and other sensitive memos, so their reasoning for allowing the attackers to look around will remain in speculation.

Related Reading: A New Cyber Security Model for SCADA

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...