Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory informing the public that a ransomware attack had disrupted the operations of an unnamed natural gas compression facility. The attack forced the facility to shut down operations for two days while it recovered.
According to the advisory, a malicious actor gained access to the Information Technology (IT) network through a spear phishing link. Spear phishing is a targeted email attack that singles out well-researched victims with a message purporting to come from a trusted source.
Once inside the network, the attacker pivoted to the Operational Technology (OT) network and deployed data-encrypting ransomware that effectively locked up the facility's systems. Data on Human-Machine Interfaces (HMIs), data historians, and polling servers was rendered unusable. Simply put, those working at the facility could neither read nor act upon their operational data. As a result, two days were lost while employees replaced the affected equipment and loaded known-good past configurations during recovery.
The advisory zeroes in on a critical mistake made by the facility: a failure to implement robust segmentation between the IT and OT networks. Proper segmentation could have prevented the attacker from pivoting so quickly from one network to the other, and may have significantly reduced the attack surface.
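The segmentation failure the advisory describes is something a defender can check for mechanically: every rule that lets traffic cross from the IT zone into the OT zone, other than a narrowly scoped relay through a DMZ, is a pivot path. The following audit script is an added example for this article and is not code from CISA or from the affected facility; the rule format, the zone names, the single allow-listed historian port (5555) and the sample ruleset are all constructed assumptions. It generalises the advisory's point into a reusable policy check rather than modelling this one incident.

```python
"""Audit a zone-based firewall rule list for IT/OT segmentation gaps.

Added example; not part of the CISA advisory or the original article.
The rule schema, zone names and sample rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy (assumption): IT and OT may only talk via a DMZ, never directly.
ZONES = {"IT", "DMZ", "OT"}
FORBIDDEN_FLOWS = {("IT", "OT"), ("OT", "IT")}

# Services the DMZ may relay into OT (assumption): historian replication
# on one TCP port. Port 5555 is a placeholder, not a real product port.
ALLOWED_INTO_OT = {("DMZ", "OT", "tcp", 5555)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) findings for rules that break the policy."""
    findings = []
    for r in rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            findings.append((r.name, f"unknown zone in {r.src_zone}->{r.dst_zone}"))
            continue
        if r.action != "allow":
            continue  # deny rules cannot open a pivot path
        if (r.src_zone, r.dst_zone) in FORBIDDEN_FLOWS:
            findings.append((r.name, f"direct {r.src_zone}->{r.dst_zone} flow bypasses the DMZ"))
        elif r.dst_zone == "OT" and r.src_zone != "OT":
            # Anything entering OT must be a specific, allow-listed service.
            if r.proto == "any" or r.dport is None:
                findings.append((r.name, "overly broad rule into OT (any proto/port)"))
            elif (r.src_zone, r.dst_zone, r.proto, r.dport) not in ALLOWED_INTO_OT:
                findings.append((r.name, f"{r.proto}/{r.dport} into OT is not allow-listed"))
    return findings


# Constructed sample ruleset: two compliant rules and three that open pivot paths.
SAMPLE_RULES = [
    Rule("it-to-dmz-web", "IT", "DMZ", "tcp", 443, "allow"),
    Rule("dmz-historian-to-ot", "DMZ", "OT", "tcp", 5555, "allow"),
    Rule("it-rdp-to-ot", "IT", "OT", "tcp", 3389, "allow"),
    Rule("dmz-any-to-ot", "DMZ", "OT", "any", None, "allow"),
    Rule("ot-to-it-deny", "OT", "IT", "any", None, "deny"),
    Rule("dmz-ssh-to-ot", "DMZ", "OT", "tcp", 22, "allow"),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed ruleset."""
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for name, reason in sample_findings():
        print(f"{name}: {reason}")
```

Running the script lists the three rules that would let an intruder on the IT side reach OT assets directly or through an unrestricted DMZ hop; the compliant web and historian rules produce no findings. In practice the same check is run against an export of the real rule base, with the allow-list populated from the documented OT data flows.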
A variety of mitigation techniques for future cyber-attacks have been considered, including tabletop exercises, emergency response playbooks to preserve operational visibility, and alternative control systems to fall back on in case of failure. The mitigation strategies appear to focus on attacks that force a total operational shutdown rather than on lower-risk cyber events that allow work to continue.
The official name of the ransomware strain has not been cited.