An alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a ransomware attack caused a natural gas compressor station to shut down for two days.
The attack began on the information technology (IT) side of a pipeline company’s operations, but spread to the operations technology (OT) side, experts say.
CISA says the ransomware obtained initial access to the organization’s IT systems through a spear-phishing attack, and was able to “pivot” to the OT side. A government analysis of the attack said, “Impacted assets were no longer able to read and aggregate real-time operational data…the decision was made to implement a deliberate and controlled shutdown to operations.”
Phil Neray of CyberX security firm says the malware spread from IT to OT “due to lack of network segmentation, which all electric utilities should already have in place.”
Cybersecurity firm Dragos recommends training employees to recognize and respond to phishing campaigns, forming strong network defenses between the IT and OT networks, creating “chokepoints” to limit malware spread, and ensuring anti-virus signatures are updated. Dragos believes operational impacts were likely caused by a combination of insufficient segregation of IT and industrial control system (ICS) environments and shared Windows operating system infrastructure, enabling the impacts to spread beyond the attackers’ initial targets. Dragos adds, “Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space.”