Skip to main content

U.S. Warns of Ransomware Attacks Targeting Pipeline Ops

by Chris Brook on Wednesday February 19, 2020

Contact Us
Free Demo

Following an attack on a gas compression facility, CISA is urging organizations to take steps to safeguard their systems.

Some of the juicier details aren’t yet known but according to an alert via the U.S. Department of Homeland Security this week, hackers recently took aim at a natural gas compression facility, took advantage of some weaknesses in its systems and spread ransomware.

While the organization didn't lose control of operations, the attack did result in a loss of productivity and revenue.

In a disclosure made public on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) – an agency within DHS – said that attackers used a spearphishing link and exploited what it called a lack of segmentation between the facility's IT and OT networks to disable assets across both networks. CISA did not disclose the name of the facility.

CISA is using the incident as a way to spread awareness to industrial control facilities, like those that manage pipelines, of the dangers that overlooking cybersecurity can pose.

Using an unnamed strain of "commodity ransomware," the attackers were able to compromise Windows-based assets on both networks, including human-machine interfaces, or HMIs, data historians, and polling servers. It can be argued that the facility dodged a bullet somewhat in the sense that programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes at the facility weren't affected; the attack only hit Windows-based systems.

“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators,” the alert reads.

CISA makes a point in its alert to clarify that the attackers didn't have the ability to control or manipulate the facility's operations. That said, because of the nature of the attack and pipeline dependencies, other compression facilities also had to halt operations for two days.

The victim organization was able to recover from the attack, CISA notes, by loading previously saved configurations on replacement equipment. A select number of assets, contained to one geographic facility, was impacted by the attack.

In order to prevent future ransomware attacks, CISA is encouraging organizations across all sectors but especially those that oversee critical infrastructure to follow a set of planning and operational mitigations, in addition to a set of technical and architectural mitigations.

While much of the guidance is likely already followed by organizations - require multi-factor authentication, implement data backup procedures, filter network traffic, and so on - it's a worthy checklist to review.

CISA regularly warns about current security issues affecting enterprises. Earlier this year it warned about vulnerabilities in unpatched Pulse Secure VPN servers, Iranian state-sponsored cyberattacks, and news on the Dridex strain of malware.

Tags:  Ransomware

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.