SC Media, IS Buzz News, February 19, 2020, with comments by Saurabh Sharma.
A natural gas compression facility had to shut down this week after being hit by a ransomware attack. The DHS Cybersecurity and Infrastructure Security Agency (CISA) is now warning operators to step up security.
As is often the case, the attackers used a spearphishing email carrying a malicious link; once a victim clicked it, the attackers had a foothold on the operator’s IT network. From there they pivoted to the operational technology (OT) network and deployed commodity ransomware. The ransomware encrypted files on both networks, taking down the human machine interfaces (HMIs), data historians and polling servers on the OT side.
CISA said this about the attacked system: “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers and at no point did the victim lose control of operations.”
ICS Facilities Not Ready for Cyberattacks
Like many critical infrastructure facilities, this plant had no cyberattack readiness plan in place: its emergency response plan covered physical attacks and physical safety, not an attack arriving over its networks. It nonetheless made the right call, taking the facility through a deliberate, controlled shutdown for roughly two days, which limited the damage, and used that downtime to address the problem.
Fortunately, while both the IT and OT networks were affected, the programmable logic controllers (PLCs) were not. Affected equipment was replaced and the last known-good configurations were restored from backups. Still, the damage could have been far worse.
“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Saurabh Sharma, vice president at Virsec, told SC Media.
How Critical Infrastructure Facilities Can Get Prepared
CISA revealed that the attack was successful because, “The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
CISA provides the recommendations below for all critical infrastructure and other organizations to prepare for cyberattacks (the bracketed codes are MITRE ATT&CK mitigation IDs):
- Ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised.
- Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity.
- Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
- Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.
- Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
- Enable strong spam filters to prevent phishing emails from reaching end users.
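The first five recommendations above can be turned into checks that run against a firewall policy. The checker below is an added example, not code from the CISA alert, SC Media or Virsec: the zone names, ports and the two rule sets are constructed for illustration, the OT levels loosely follow the Purdue model (L1 controllers, L2 supervisory HMI/historian), and any traffic not explicitly allowed is treated as denied. It reports every path from IT into OT that does not cross the DMZ, every remote-access rule into OT without MFA or with a blanket port allow, any lateral-movement protocol entering OT from somewhere other than the jump host, and any production zone that can write to the backup store.

```python
from collections import defaultdict

# Zone model for this example. Names are constructed; the OT levels loosely
# follow the Purdue convention (L1 controllers, L2 supervisory HMI/historian).
IT_ZONES = {"IT"}
OT_ZONES = {"OT-L2", "OT-L1"}
DMZ = "DMZ"
BACKUP = "BACKUP"

# Zones from which people open interactive sessions; access from these into OT
# must be MFA-gated. Machine-to-machine pulls (the BACKUP zone) are
# authenticated differently and are deliberately outside this check.
REMOTE_ACCESS_SOURCES = IT_ZONES | {DMZ}

# Ports commonly abused for lateral movement and ransomware spread (assumption
# for this example; tune to the services actually present on the network).
LATERAL_MOVEMENT_PORTS = {135, 139, 445, 3389}

# A rule is (src_zone, dst_zone, port or "any", mfa_required). No rule = deny.
# Constructed "before" policy: effectively flat, like the compression facility.
WEAK_RULES = [
    ("IT", "OT-L2", "any", False),   # IT hosts reach HMIs/historian directly
    ("OT-L2", "OT-L1", "any", False),
    ("IT", "BACKUP", 445, False),    # backups pushed over SMB from production
]

# Constructed "after" policy following the CISA recommendations.
HARDENED_RULES = [
    ("IT", "DMZ", 443, True),        # operators reach a jump host, with MFA
    ("DMZ", "OT-L2", 3389, True),    # jump host to supervisory hosts only
    ("OT-L2", "OT-L1", 502, False),  # supervisory to controllers, Modbus only
    ("BACKUP", "IT", 443, False),    # backup system pulls; nothing pushes to it
    ("BACKUP", "OT-L2", 443, False),
]


def zone_paths(rules, start, goal_zones):
    """Enumerate loop-free zone paths from `start` that end in a goal zone."""
    graph = defaultdict(list)
    for src, dst, _port, _mfa in rules:
        graph[src].append(dst)
    found = []
    stack = [(start, [start])]
    while stack:
        zone, path = stack.pop()
        for nxt in graph[zone]:
            if nxt in path:
                continue
            new_path = path + [nxt]
            if nxt in goal_zones:
                found.append(new_path)
            else:
                stack.append((nxt, new_path))
    return found


def find_violations(rules):
    """Return a description of every way `rules` falls short of the guidance."""
    problems = []
    # 1. Every path from IT into OT must cross the DMZ (no direct pivot).
    for path in zone_paths(rules, "IT", OT_ZONES):
        if DMZ not in path:
            problems.append("IT reaches %s without crossing the DMZ: %s"
                            % (path[-1], " -> ".join(path)))
    for src, dst, port, mfa in rules:
        if dst in OT_ZONES and src in REMOTE_ACCESS_SOURCES:
            # 2. Remote access into OT requires MFA ...
            if not mfa:
                problems.append("%s -> %s: access into OT without MFA" % (src, dst))
            # 3. ... and must be port-specific, not a blanket allow.
            if port == "any":
                problems.append("%s -> %s: unrestricted ports across the OT boundary"
                                % (src, dst))
        # 4. Lateral-movement protocols may only enter OT from the jump host.
        if (dst in OT_ZONES and src not in OT_ZONES and src != DMZ
                and port in LATERAL_MOVEMENT_PORTS):
            problems.append("%s -> %s: port %s would let ransomware spread into OT"
                            % (src, dst, port))
        # 5. Backups must be pulled; production zones may not write to the store.
        if dst == BACKUP and src in IT_ZONES | OT_ZONES:
            problems.append("%s -> %s: backup store reachable from production"
                            % (src, dst))
    return problems


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = find_violations(rules)
        print("%s policy: %d violation(s)" % (name, len(found)))
        for problem in found:
            print("  -", problem)
```

Run as a script, the flat policy yields four findings (a direct IT to OT-L2 path, a rule into OT with neither MFA nor a port restriction, and a backup store that production can write to) and the hardened policy yields none. The path check is the part worth keeping when the policy grows: if someone later adds an allow from IT into the BACKUP zone, the indirect route IT -> BACKUP -> OT-L2 is reported as bypassing the DMZ even though no single rule crosses the IT-OT boundary. In practice the rule list would be exported from the real firewall rather than typed in.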
Virsec’s Unique and Effective Application, Runtime and Memory Protection Stands Up to Ransomware
Virsec takes a unique approach to guard-railing your applications and countering a broad spectrum of cyber attacks, including ransomware attacks.
Only Virsec Security Platform Delivers:
- Protection of application workflows, processes, file systems, libraries, memory and more at runtime
- Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
- Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes no matter how attacks originate.
See below for more information about how Virsec stops ransomware attacks before they start.