Ransomware cyberattack shuts down US gas facility

The CISA describes how the cyberattack affected control and communication systems at the unnamed facility, after the hacker sent a “spearfishing” email containing a malicious link to gain initial access to the organisation’s IT system, and from there was able to attack the operating technology (OT) network.

A type of widely available “commodity” ransomware was then able to encrypt data on target systems, in order to interrupt availability to system and network resources. 

Destructive malwares are being developed and tested, and critical infrastructure operators need to be able to identify and mitigate anomalous behaviour in real-time

 

Andrea Carcano, co-founder, Nozomi Networks

This meant that specific assets on the OT network were disrupted, including human machine interfaces (HMIs), data historians, and polling servers.

These parts of the network were no longer able to read and aggregate real-time operational data, resulting in a partial loss of view for the operators.

However, the attack did not extend to any programmable logic controllers, and at no point did the asset owner lose control of operations.

It made the decision to implement a controlled shutdown to operations lasting approximately two days and resulting in a loss of productivity and revenue before normal operations resumed.

Andrea Carcano is co-founder and chief product officer at Nozomi Networks, a provider of Internet of Things and OT security solutions. Commenting on the news, he said: “This is yet another example of the significant rise in the number of cyberattacks to targeted critical infrastructures, and a reminder that the threats are real and need to be addressed.

“Hackers are learning new tactics and avenues to infiltrate industrial control systems (ICS) like this US natural gas compressor. This attack method accessed the IT network before moving into the OT network, validating the importance of integrating IT and OT systems.

“The potential consequences of not investing in industrial cybersecurity technologies could be numerous and severe. Destructive malwares are being developed and tested, and critical infrastructure operators need to be able to identify and mitigate anomalous behaviour in real-time.

“To protect and optimally maintain ICS cybersecurity, it is necessary to implement non-intrusive technologies that shift an organisations’ security posture to one that utilises intelligent threat detection.

“Overall, industrial organisations need to ensure critical infrastructure resilience so that risks from wherever and in whatever format can be identified and remediated immediately.”

The CISA is now encouraging asset owner operators across all critical infrastructure sectors to review the techniques used by the hacker and to apply corresponding mitigations.

CISA is a standalone federal agency, under Department of Homeland Security oversight.

 

---

Comments

Login on register to comment

Login Register