As described in an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), a ransomware attack on a natural gas compression facility led its operator to shut down its operations for two days.
This incident is a reminder that oil and gas pipeline operators must continuously and rigorously implement and update their security programs to keep systems operating and reliable.
What does this attack mean for pipeline operators?
CISA recommends that pipeline operators consider several potential mitigation actions based on their particular risk assessment programs. These include:
- Ensure that the emergency response plan considers cyberattacks and the potential impacts of a cyberattack on operations. According to CISA, this organization’s emergency response plan focused on threats to physical safety and not cyber incidents.
- Conduct tabletop exercises so that employees become familiar with these and other cyberattack scenarios and gain decision-making experience before a real incident.
- Implement network segmentation between information technology (IT) and operational technology (OT) networks.
- Update and patch all software, including operating systems, applications and firmware on IT network assets. Determine which OT network assets should participate in the patch management program.
- Require multi-factor authentication to remotely access IT and OT networks.
- Make sure the organization can “fail over” to alternate control systems in the event of an attack.
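As an added illustration of the network segmentation and MFA-gated remote access items above (this is an example written for this page, not part of the CISA alert or of the victim organization's configuration), the following nftables ruleset is one way to enforce an IT/OT boundary on a Linux firewall that sits between the two networks. The interface names, addresses and ports are hypothetical placeholders; the assumption is that the only sanctioned crossings are a one-way historian feed from OT to IT and engineering access from a single IT-side jump host that enforces multi-factor authentication.

```nftables
# Added example: nftables ruleset for a firewall between an IT network and an
# OT network. All interface names, addresses and ports are hypothetical.
#
# Policy: nothing crosses the IT/OT boundary by default. The only permitted
# paths are (1) the OT data historian pushing data to a replica on the IT side,
# and (2) an MFA-enforcing jump host on the IT side reaching OT engineering
# workstations over SSH or RDP. Everything else is logged, counted and dropped.

define IT_IF        = "eth0"                    # hypothetical IT-facing interface
define OT_IF        = "eth1"                    # hypothetical OT-facing interface
define OT_HISTORIAN = 10.20.0.10                # hypothetical OT data historian
define IT_REPLICA   = 10.10.0.50                # hypothetical IT-side historian replica
define IT_JUMPHOST  = 10.10.0.5                 # hypothetical MFA-enforcing jump host
define OT_EWS       = { 10.20.0.20, 10.20.0.21 } # hypothetical engineering workstations

table inet it_ot_boundary {
    chain forward {
        # Default deny for all forwarded traffic between the two zones.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic only for connections permitted below.
        ct state established,related accept
        ct state invalid drop

        # (1) One-way data flow: historian (OT) -> replica (IT), one TCP port only.
        iifname $OT_IF oifname $IT_IF ip saddr $OT_HISTORIAN ip daddr $IT_REPLICA tcp dport 5432 ct state new accept

        # (2) Engineering access into OT only from the jump host, SSH and RDP only.
        iifname $IT_IF oifname $OT_IF ip saddr $IT_JUMPHOST ip daddr $OT_EWS tcp dport { 22, 3389 } ct state new accept

        # Anything else crossing the boundary is logged, then dropped by the chain policy.
        iifname $IT_IF oifname $OT_IF log prefix "IT->OT denied: " counter drop
        iifname $OT_IF oifname $IT_IF log prefix "OT->IT denied: " counter drop
    }
}
```

Load it with `nft -f <file>` on the boundary host. The design choice worth noting is that ordinary IT workstations, the kind a spearphishing victim uses, have no rule that lets them reach OT at all; an attacker who lands on the IT network must first compromise the jump host, where multi-factor authentication is enforced, before any OT asset is reachable. The denied-traffic log lines are also a cheap detection signal for exactly that kind of attempted pivot.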
How did the attack happen?
The attackers gained initial access to the organization’s IT network through a spearphishing link. Spearphishing is a targeted phishing attempt aimed at a specific individual, intended to gain access to a network or to steal sensitive information.
The threat actors likely learned personal details about the target and then posed as a trusted contact or organization in an email. The target then opened an attachment or clicked a link that gave the attacker a foothold on the organization’s network.
Once inside the IT network, the attackers moved to the organization’s OT network. The OT network consists of the computers and devices that monitor or control physical systems.
The attackers then deployed ransomware on both the IT and OT networks, resulting in a loss of availability of certain assets. Broadly speaking, the organization lost the ability to view some of the operational data reported by some OT devices.
Significantly, the attack did not affect any programmable logic controllers (PLCs), the computers that directly control physical processes, devices and activities, and the organization did not lose control of its operations.
Our Privacy, Cybersecurity and Data Management team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this issue.