Natural Gas Ransomware Attack Offers Critical Lessons for Electric Utilities, Analysts Say

An alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a ransomware attack caused a natural gas compressor station to shut down for two days.

The attack began on the information technology (IT) side of a pipeline company’s operations, but spread to the operations technology (OT) side, experts say.

CISA says the ransomware obtained initial access to the organization’s IT systems through a spear-phishing attack, and was able to “pivot” to the OT side. A government analysis of the attack said, “Impacted assets were no longer able to read and aggregate real-time operational data…the decision was made to implement a deliberate and controlled shutdown to operations.”

Phil Neray of CyberX security firm says the malware spread from IT to OT “due to lack of network segmentation, which all electric utilities should already have in place.”

Cybersecurity firm Dragos recommends training employees to recognize and respond to phishing campaigns, forming strong network defenses between the IT and OT networks, creating “chokepoints” to limit malware spread, and ensuring anti-virus signatures are updated. Dragos believes operational impacts were likely caused by a combination of insufficient segregation of IT and industrial control system (ICS) environments and shared Windows operating system infrastructure, enabling the impacts to spread beyond the attackers’ initial targets. Dragos adds, “Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s