SC Media, IS Buzz News, February 19, 2020, with comments by Saurabh Sharma.
A natural gas compression facility had to shut down this week after being hit by a ransomware attack. The DHS Cybersecurity and Infrastructure Security Agency (CISA) is now warning operators to step up security.
As is often the case, the attackers placed a malicious link in a spearphishing email; once a victim clicked it, the attackers gained access to the operator's IT network. From there they moved to the operational technology (OT) network and deployed the ransomware. The ransomware encrypted files on both networks, cutting off access on the OT network to human machine interfaces (HMIs), data historians and polling servers.
CISA said this about the attacked system: “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers and at no point did the victim lose control of operations.”
Like so many critical infrastructure facilities, this plant had no cyberattack readiness plan in place. Its emergency planning covered a physical attack, not one arriving through its networks. The operator did take the correct cybersecurity measure of halting operations for two days, which limited the damage, and addressed the problem during that downtime.
Fortunately, while the IT and OT networks were affected, the programmable logic controllers (PLCs) were not. Damaged equipment had to be replaced, and backups were used to restore data to the last reliable configuration. Still, the damage could have been far worse.
“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Saurabh Sharma, vice president at Virsec, told SC Media.
CISA revealed that the attack was successful because, “The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
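As an added illustration of the segmentation point CISA makes (this is example code written for this page, not from the article, CISA or Virsec): a small audit over constructed flow-log lines that flags any connection crossing the IT/OT boundary without an explicit allowlisted conduit. The zone subnets, allowed ports and the one-line log format are all assumptions.

```python
import ipaddress
from typing import List, Tuple

# Assumed zone layout (constructed for this example): IT workstations,
# an IT/OT DMZ holding a historian replica, and the OT network with the
# HMIs, data historian and polling servers.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}

# Permitted cross-zone conduits as (src_zone, dst_zone, dst_port, proto).
# Direct IT -> OT is deliberately absent: IT reaches OT data only via the DMZ.
ALLOWLIST = {
    ("OT", "DMZ", 5432, "tcp"),   # historian pushes data to its DMZ replica
    ("IT", "DMZ", 443, "tcp"),    # IT users read dashboards from the DMZ
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def parse_flow(line: str) -> Tuple[str, str, int, str]:
    # Constructed log format: "<src_ip> <dst_ip> <dst_port> <proto>"
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto.lower()

def audit_flows(lines: List[str]) -> List[str]:
    """Return the flow lines that cross a zone boundary without an allowlist entry."""
    violations = []
    for line in lines:
        src, dst, port, proto = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        if (src_zone, dst_zone, port, proto) not in ALLOWLIST:
            violations.append(line)
    return violations

# Constructed sample flows; the last two are direct IT-to-OT connections
# that a segmented IT-OT boundary is meant to block.
SAMPLE_FLOWS = [
    "10.10.3.7 10.20.0.5 443 tcp",
    "192.168.50.10 10.20.0.5 5432 tcp",
    "192.168.50.10 192.168.50.20 502 tcp",
    "10.10.3.7 192.168.50.11 445 tcp",
    "10.10.3.7 192.168.50.12 3389 tcp",
]
```

Running `audit_flows(SAMPLE_FLOWS)` reports only the two direct IT-to-OT flows; a real deployment would feed it firewall or NetFlow exports and alert on any non-empty result.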
CISA provides the recommendations below for all critical infrastructure and other organizations to prepare for cyberattacks:
Virsec takes a unique approach to guard-railing your applications and countering a broad spectrum of cyber attacks, including ransomware attacks.
Only Virsec Security Platform Delivers:
See below for more information about how Virsec stops ransomware attacks before they start.
Read the full SC Media article: “CISA issues warning to critical infrastructure sectors after successful ransomware attack on pipeline operator.”
Further resources:
Solution Brief: Ransomware Protection
Case Study: Raytheon and Virsec Partner to Guard the Grid
White Paper: Triton ICS Attack
Defending critical infrastructures from cyberattacks
ICS vulnerabilities could be exploited to cause severe operational impact report warns
Critical Infrastructure is Under Assault – Raytheon and Virsec May Have a Solution
Critical infrastructure will have to operate if there's malware on it or not