EXECUTIVE SUMMARY:

A US-based natural gas compression facility recently contended with a ransomware attack, according to a public announcement from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA).

The attackers gained initial access through a spear-phishing link to the organization’s IT network and then pivoted into its operational technology (OT) network.

Once in the OT network, the intruders deployed commodity ransomware that encrypted data on both the IT and OT networks, then demanded a ransom payment.

According to CISA, the attackers never gained the ability to affect the physical process: “…at no time did the threat actor obtain the ability to control or manipulate operations.”

However, the ransomware did hit the Windows-based assets that operators rely on for visibility, including human-machine interfaces (HMIs), data historians, and polling servers, leaving the facility with significantly reduced visibility into its physical processes.

The public announcement also noted that “Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” demonstrating how a cyber attack on a single facility can have a domino effect.

Rather than run the pipeline without that visibility, the operator carried out a deliberate, controlled shutdown that lasted approximately two days.

The organization’s emergency response plan was thin, focused on physical safety, and did not address cyber incidents; on top of that, its IT and OT networks were not robustly segmented. The lack of segmentation let the attackers traverse the IT/OT boundary, so both networks were affected. “The technology exists – data diodes – which allow network telemetry and communications out to the monitoring system but not back in, protecting the OT infrastructure,” says one industry expert.
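As an added illustration, not taken from the CISA announcement or from the quoted expert, the following shows the same one-way policy expressed as an nftables rule set on a Linux host that forwards traffic between the two zones, with the flat configuration the facility effectively had placed beside a default-deny boundary. The interface names (ot0, it0), the historian address 10.20.0.10, the IT-side collector 10.10.0.50, and UDP syslog on port 514 are assumptions for the example. A firewall is only a configured approximation of a data diode: it can be misconfigured or compromised, whereas a hardware diode enforces one-way flow physically.

```nft
# Assumed interfaces: ot0 faces the OT network, it0 faces the IT network.
# Load ONE of the two files with `nft -f <file>`; they are alternatives, not a pair.

# ---- before.nft (flat network, roughly what the facility had) ----
# Everything is forwarded in both directions, so a workstation compromised
# through a phishing link on the IT side can reach OT assets directly.
table inet ot_boundary {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}

# ---- after.nft (one-way boundary, the diode-style policy) ----
# Default-deny on the forward path. The only accepted flow is unsolicited UDP
# telemetry from the assumed historian (10.20.0.10) to the assumed IT collector
# (10.10.0.50, syslog/514). There is deliberately no "ct state established,related
# accept" rule: nothing originating on the IT side is ever forwarded into OT, and
# TCP (which needs a return path) cannot cross in either direction.
table inet ot_boundary {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # OT -> IT: one-way telemetry only, counted so the flow can be audited.
        iifname "ot0" oifname "it0" ip saddr 10.20.0.10 ip daddr 10.10.0.50 udp dport 514 counter accept

        # IT -> OT: log (rate-limited) and drop. Anything here is a lateral-movement attempt.
        iifname "it0" oifname "ot0" limit rate 5/second log prefix "IT->OT blocked: " counter drop
    }
}
```

The counters on both rules are the check a practitioner wants after deployment: `nft list table inet ot_boundary` should show the telemetry counter climbing and the IT->OT drop counter staying at zero in normal operation; any increase on the drop counter is a detection signal worth routing to the SOC, since it means something on the IT side is probing the OT zone.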

The facility’s day-to-day operations support critical national infrastructure (CNI), including the electrical grid.

Gaps in cybersecurity knowledge, which the operator cited as a reason cyber incidents had been left out of its emergency response planning, appear to have contributed to the severity of the attack.

For more on this story, visit ZDNet.