Saturday, February 22, 2020

Two-Day Shutdown of U.S. Gas Pipeline compliments of ransomware

    Many people believe that cybersecurity training and awareness aren’t important in their jobs, especially if their role isn’t technical. However, social engineering has made the human element the weakest link in the cybersecurity chain, and attackers can be very resourceful and clever in their attempts. A recent attack on a U.S. natural gas compression facility shows just how important this awareness can be.

    The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week stating that attackers had compromised the IT and Operational Technology (OT) networks of a natural gas compression facility. They deployed ransomware that encrypted data on both networks, causing a Loss of View event affecting Human Machine Interfaces (HMIs), data historians, and polling servers. Human operators could no longer monitor the status of operations, which led the company to enact an operational shutdown of the entire pipeline for 2 days while parts were replaced and backups were restored.

    The attack did not result in any operational loss of control, however. The attackers didn’t get into the network through some zero-day vulnerability or magical hacking skills: they used a spear-phishing campaign to get an employee to click a malicious link. The link gave them access to the IT network, from which they were able to pivot into ICS machines due to a lack of segregation between the corporate business network and the operations network. The ransomware only affected Windows-based systems and not Programmable Logic Controllers (PLCs).

    CISA recommends that asset owners ensure IT and OT networks are segregated and define logical zones within them to help stop lateral movement. They also recommend multi-factor authentication for remote access to operations networks and a robust backup system. Another failing point in this attack was the lack of preparedness in the emergency response plan for cyberattacks: it only addressed physical safety threats.

    User training and cybersecurity awareness can go a long way in helping to prevent attacks like these. Humans may always be the weak link in cybersecurity, and it requires effort on the part of everyone in an organization to help protect it, no matter what their role may be.