Ransomware Attack Against Critical Infrastructure
Craig Reeds, CISSP, CRISC
Senior Controls Surveillance & Compliance Analyst - Posts do not reflect the views of my employer.
On Tuesday, February 18th, 2020, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) announced that a US-based natural gas facility shut down operations for two days after a ransomware infection prevented personnel from receiving crucial real-time operational data from control and communication equipment. The announcement did not identify the site except to say that it was a natural gas compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be moved safely through pipelines.
The attack started with a malicious link in a phishing email, which allowed the attackers to pivot from the facility’s IT network to its OT (Operational Technology) network. This is where the mistakes were made. IT and OT networks should never have bi-directional communications between them. Data should flow out of the OT network to the IT network, but nothing should go from the IT network into the OT network, EVER. Because both the IT and OT networks were infected by the ransomware, the facility had to shut everything down.
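One way to check a segmentation policy for exactly this mistake, as an added example that is not part of the original post: the rule format, the zone names (IT, OT, DMZ) and both sample policies below are constructed assumptions, not any vendor's syntax. The checker applies first-match semantics and reports every port on which an IT-initiated session would reach the OT zone, including paths opened by an "any"-source rule that looks vendor-specific at a glance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "IT", "OT", "DMZ" or "any" (assumed zone names)
    dst_zone: str
    dport: str      # destination TCP port as a string, or "any"
    action: str     # "allow" or "deny"

# Constructed sample: OT -> DMZ historian export and IT -> DMZ reads are fine,
# but a remote-HMI rule and an over-broad vendor rule open IT -> OT paths.
WEAK_POLICY = [
    Rule("historian-export", "OT", "DMZ", "5432", "allow"),
    Rule("it-to-historian", "IT", "DMZ", "443", "allow"),
    Rule("remote-hmi", "IT", "OT", "3389", "allow"),  # direct IT -> OT session
    Rule("vendor-any", "any", "OT", "any", "allow"),  # "any" source includes IT
    Rule("default-deny", "any", "any", "any", "deny"),
]

# Corrected policy: OT pushes to the DMZ, IT reads from the DMZ, nothing else.
HARDENED_POLICY = [
    Rule("historian-export", "OT", "DMZ", "5432", "allow"),
    Rule("it-to-historian", "IT", "DMZ", "443", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

def first_match(policy, src_zone, dst_zone, dport):
    """First-match semantics: the first rule covering the flow decides it.
    A rule describes session initiation; return traffic is assumed to ride on
    connection tracking, so an OT -> DMZ allow does not open DMZ -> OT."""
    for rule in policy:
        if (rule.src_zone in (src_zone, "any")
                and rule.dst_zone in (dst_zone, "any")
                and rule.dport in (dport, "any")):
            return rule
    return None

def audit_it_to_ot(policy):
    """Probe IT -> OT on every port the policy names plus one unlisted port
    (which only "any"-port rules can match). Returns {port: offending rule}."""
    ports = sorted({r.dport for r in policy if r.dport != "any"}) + ["<unlisted>"]
    findings = {}
    for port in ports:
        hit = first_match(policy, "IT", "OT", port)
        if hit is not None and hit.action == "allow":
            findings[port] = hit.name
    return findings
```

Running `audit_it_to_ot(WEAK_POLICY)` reports `remote-hmi` on port 3389 and `vendor-any` on every other probed port, while the hardened policy returns an empty dict.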
The good part of this is that the infection did not spread to the programmable logic controllers (PLCs), which actually control the compression equipment, so the facility did not lose control of operations. At no time did the threat actor obtain the ability to control or manipulate operations. What the attack did was stop the crucial control and communications gear that on-site employees depend on to monitor the physical processes. So, the facility was still operating, but the people controlling it had no way to see what it was doing.
These are the sorts of attacks that organizations with ICS/OT networks can expect to see more often in the future. The attacker was inside both the IT and OT networks for a period of time, with access to the various systems there; that alone could have resulted in a catastrophic event. Organizations with Operational Technology (OT) environments must treat their OT networks as the backbone of their environment and work to properly secure them, isolate them, and allow only the access those environments require. The OT environments need to be isolated, not air gapped, and OT organizations need to treat access to those systems as a high priority, with strong accounts and restrictions.
Finally, it's important to educate your employees in cybersecurity. Ransomware often enters via a phishing attack. Teaching users through Security Awareness Training not to engage with suspect or unusual emails is a solid first step in lowering the risk of a successful attack. This is where the Cybersecurity Team at EPS Engineering and Design can help. First, we can train your employees to recognize phishing e-mails and other attempts by hackers to access the network. We can also run vulnerability scans and perform penetration tests against your IT and OT networks to locate potential problems. If you would like more information on how EPS Engineering and Design’s Cybersecurity Team can help your organization, please contact me.
Craig Reeds | NERC and Cyber Security Compliance Manager
11960 Westline Industrial Dr., Suite 330, Maryland Heights, MO 63146 | Mobile: (314) 706-6820