US natural gas operator shuts down for 2 days after being infected by ransomware
Glen Dillon


A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesday’s advisory from the DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack began with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, the operational technology hub of servers that control and monitor the facility’s physical processes. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection didn’t spread to the programmable logic controllers, which actually control the compression equipment, and it didn’t cause the facility to lose control of operations, Tuesday’s advisory said. The advisory explicitly stated that “at no time did the threat actor obtain the ability to control or manipulate operations.”

Still, the attack did knock out crucial control and communications gear that on-site staff depend on to monitor the physical processes.

“Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers,” CISA officials wrote. “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”

Facility personnel carried out a “deliberate and controlled shutdown to operations” that lasted about two days. “Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the advisory said. As a result, the shutdown affected the entire “pipeline asset,” not just the compression facility. Normal operations resumed after that.

Security lapses

The advisory disclosed several lapses in the facility’s security regimen. The first involved inadequacies in the facility’s emergency response plan, which “did not specifically consider cyberattacks.” Instead, the plan focused on threats to physical safety.

“Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” the advisory stated. “These included a four-hour transition from operational to shutdown mode combined with increased physical security.”

Another gap was a failure to implement robust segmentation defenses between the IT and OT networks. As a result, the infection was able to “traverse the IT-OT boundary and disable assets on both networks.”

The full “planning and operations” section of the advisory was:
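The segmentation gap the advisory describes is something a defender can check for in boundary firewall or flow logs: any connection that originates on the IT side and terminates on an OT asset (an HMI, historian, or polling server) should match an explicit allow-list, and everything else at that boundary should be denied by default. The following Python is an added example written for this article, not code from CISA or from the affected operator; the address plan, the allow-listed historian replication path, the port numbers, and the log format are all constructed for illustration. It parses a few constructed flow records, flags IT-to-OT flows that are not on the allow-list, and contrasts the verdict a flat (default-allow) boundary would give with a properly segmented (default-deny) one.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: IT on 10.10.0.0/16, OT on 10.20.0.0/16.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed allow-list for the IT-OT boundary: (src, dst, proto, dport).
# The only sanctioned path into OT is a DMZ replication host pushing to the
# OT historian on a hypothetical application port. Anything else crossing the
# boundary is a policy violation worth alerting on.
ALLOWLIST = {
    ("10.10.5.10", "10.20.1.20", "tcp", 5450),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line):
    """Parse one constructed key=value flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def crosses_boundary(flow):
    """True when the flow originates in IT and terminates in OT."""
    return (ipaddress.ip_address(flow.src) in IT_NET
            and ipaddress.ip_address(flow.dst) in OT_NET)


def is_allowlisted(flow):
    return (flow.src, flow.dst, flow.proto, flow.dport) in ALLOWLIST


def boundary_decision(flow, default_deny):
    """Verdict the boundary firewall gives this flow under the chosen policy.

    default_deny=False models a flat network with no real IT-OT segmentation:
    every crossing is permitted. default_deny=True models the segmented
    boundary the advisory found missing: only allow-listed crossings pass.
    Flows that never cross the boundary are reported as "not-boundary".
    """
    if not crosses_boundary(flow):
        return "not-boundary"
    if not default_deny:
        return "allow"
    return "allow" if is_allowlisted(flow) else "deny"


def find_violations(lines):
    """Return IT-to-OT flows in the log that are not on the allow-list."""
    return [f for f in map(parse_flow, lines)
            if crosses_boundary(f) and not is_allowlisted(f)]


# Constructed sample log: one sanctioned replication flow, two IT-side hosts
# reaching OT assets over file-sharing and remote-desktop ports (the kind of
# boundary crossing a segmented network would have blocked), one IT-internal
# flow, and one OT-internal flow.
SAMPLE_LOG = [
    "src=10.10.5.10 dst=10.20.1.20 proto=tcp dport=5450 action=allow",
    "src=10.10.3.7 dst=10.20.1.5 proto=tcp dport=445 action=allow",
    "src=10.10.3.7 dst=10.10.8.2 proto=tcp dport=443 action=allow",
    "src=10.10.3.7 dst=10.20.1.30 proto=tcp dport=3389 action=allow",
    "src=10.20.1.20 dst=10.20.1.40 proto=tcp dport=502 action=allow",
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_LOG):
        print(f"ALERT unsanctioned IT->OT flow: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    for line in SAMPLE_LOG:
        f = parse_flow(line)
        print(f"{f.src:>12} -> {f.dst:>12}:{f.dport:<5} flat={boundary_decision(f, False):<12}"
              f" segmented={boundary_decision(f, True)}")
```

Run against the sample, the two IT-side connections to the HMI and polling-server addresses are the only violations; under the flat policy both are allowed, which is the condition that lets an IT infection reach OT assets, while the default-deny policy denies them and still permits the sanctioned historian replication.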

  • At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
  • The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.
  • Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
  • Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
  • The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

The advisory comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as Ekans intentionally tampered with industrial control systems that gas facilities and other critical infrastructure rely on to keep equipment running reliably and safely.

There’s no evidence the malware that hit the gas-compression facility was Ekans. Tuesday’s advisory doesn’t identify the specific piece of ransomware that was used. Researchers from Dragos didn’t immediately respond to questions. This post will be updated if a response comes later.
