How a Ransomware Attack Shut Down a US Gas Pipeline Operator’s Activities
In a statement released by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), a natural gas pipeline facility in the US was forced by its operators to shut down for two days because of a ransomware attack. This came as a surprise to the operator, since they had not prepared for a cyberattack of any kind before it happened. The cause can be summed up in one word: cybersecurity. But how did the attack go down?
Ransomware is a form of malware in which the attacker locks an owner out of their resources through encryption and then demands payment to restore access. In the case of this attack, the attacker sent a spearphishing link to an employee of the company, who clicked on it and, as a result, gave the attacker access.
The evolution of data-driven industrial processes over the past decades has connected two traditionally separate resources used in industrial operations: the Information Technology (IT) network and the Operational Technology (OT) network. An IT network is a digital telecommunication network used for sharing information between computing systems. An OT network, on the other hand, is a network of workstations used for managing equipment, operations and processes. While automation requires that these two resources stay interconnected, it is important that they are also air-gapped for security reasons.
The operator that was attacked did not properly air-gap their IT and OT networks, and they had no security measures in place, as the systems were left unmanned. The attacker used spearphishing emails, which gave them access to the facility's IT network. They then navigated their way into the OT network and deployed commodity ransomware on both networks.
Specific assets that are highly dependent on the OT network lost availability. These assets included Human Machine Interfaces (HMIs), polling servers and data historians. As a result, the assets were no longer capable of reading real-time operational data from other OT devices, which led to a shutdown of operations. This shutdown, combined with the fact that the emergency response exercise failed, resulted in a two-day shutdown. The physical processes were not affected, as the attacker could not reach the programmable logic controllers (PLCs). This is because the attack only affected Windows-based systems, on which PLCs do not run.
A lot of organizations operate on the assumption that their systems are isolated. However, poor security awareness, lack of preparedness and human mistakes have continued to expose critical infrastructure to attack. The attack itself is riddled with mistakes, most of which can be remedied by implementing planning, technical, operational and architectural mitigations. These include segmenting the IT and OT networks, requiring multi-factor authentication for remote access to the IT network, limiting access to resources through identity and access management, and ensuring that the emergency response team has a redundant plan in case of a cyberattack.
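The segmentation failure described above (an attacker moving from the IT network into the OT network) and the segmentation mitigation listed here can both be monitored for with a simple zone-policy check over firewall or flow logs. The following is an added example, not code from the original article or from CISA: it assigns addresses to IT, OT and DMZ zones, allows only an explicit list of cross-zone flows, and flags everything else crossing a zone boundary. The address ranges, the allowed-flow list and the log format are all constructed for illustration and are not the facility's real configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map. Assumption: three private ranges stand in for the
# IT network, the OT network and a DMZ that sits between them.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.30.0.0/24")],
}

# Hypothetical allow-list of (source zone, destination zone, destination port).
# OT may push to a historian replica in the DMZ, IT may read from the DMZ over
# HTTPS. Any other cross-zone flow, in particular anything IT -> OT, is a
# violation of the segmentation policy.
ALLOWED = {
    ("OT", "DMZ", 5432),
    ("IT", "DMZ", 443),
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def zone_of(addr):
    """Return the zone name for an address (string or ip_address), or UNKNOWN."""
    addr = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse one constructed log line of the form
    'src=10.10.1.5 dst=10.20.3.7 dport=445 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"],
    )


def check_flow(flow):
    """Return a description of the policy violation, or None if the flow is
    within one zone or explicitly allowed across zones."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return f"{src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}"


def find_violations(lines):
    """Run the policy check over an iterable of log lines; skip blank lines."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [v for v in (check_flow(f) for f in flows) if v]


# Constructed sample log: two flows inside a zone or on the allow-list,
# two flows from the IT network directly into the OT network.
SAMPLE_LOG = """\
src=10.10.1.5 dst=10.10.2.9 dport=445 proto=tcp
src=10.20.4.2 dst=10.30.0.10 dport=5432 proto=tcp
src=10.10.1.5 dst=10.20.3.7 dport=445 proto=tcp
src=10.10.1.5 dst=10.30.0.10 dport=443 proto=tcp
src=10.10.7.1 dst=10.20.3.8 dport=3389 proto=tcp
"""

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_LOG.splitlines()):
        print("segmentation violation:", violation)
```

In practice the zone map and allow-list would be generated from the firewall's own configuration rather than hand-written, and any flow the check flags, especially an IT-to-OT flow that appears for the first time, is a candidate for an alert, because a correctly segmented plant network should produce none.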