The Cybersecurity and Infrastructure Security Agency (CISA) revealed that a natural gas compression facility suffered a ransomware attack.
According to CISA Alert (AA20-049A), digital attackers leveraged a spearphishing link and abused the lack of robust network segmentation to infect Windows-based assets on both the IT and OT networks at a natural gas compression facility. Those affected OT assets included HMIs, data historians and polling servers based at a single geographic facility. "While we like to think of OT networks as being populated with proprietary and unique devices, the reality is that there are an awful lot of Windows systems in these environments," said Tim Erlin, VP of product management & strategy at Tripwire. "They are vulnerable to traditional IT threats like ransomware." The ransomware attack did not affect programmable logic controllers (PLCs) responsible for reading and manipulating physical processes at the facility. As such, the malicious actors behind the attack did not acquire the means of controlling or manipulating operations at the affected location. At the time of the attack, the natural gas compression facility's emergency response plan focused on physical safety, not digital security incidents. Even so, the facility used this plan to disable its HMIs responsible for reading and controlling operations while it worked to obtain replacement equipment and load last-known good configurations. These recovery efforts affected other compression facilities because of pipeline compression dependencies, thus producing a shutdown of the entire pipeline asset for two days. Erlin noted that the attack disclosed by the CISA highlights the need for organizations to prevent a ransomware attack. One prevention technique in particular stands out for him:
This attack is a good example of where robust network segmentation can have direct benefit in preventing an attacker from successfully moving through the network. Network segmentation may not be cutting edge technology, but that doesn’t mean it isn’t effective.
Organizations' digital security efforts shouldn't end there, either. "Remember, ransomware by default announces itself," Erlin continued. "It has to in order to get the victim to pay the ransom. But the same attack vectors and tactics that ransomware exploits could be used by attackers who would prefer to stay hidden as well. If you’re worried about ransomware, you should be worried about other attacks, as well." As such, organizations should educate their workforce about the common types of phishing attacks in circulation today. They should also invest in a security tool such as Tripwire File Analyzer that's capable of analyzing malicious files that could be carrying ransomware and other threats.