A ransomware attack on a U.S. natural gas facility brought its operations to a standstill for about two days after the organization's incident response team carried out a deliberate, controlled shutdown to contain the spread of the malware. In the alert it issued, CISA (the Cybersecurity and Infrastructure Security Agency) did not name the facility or the ransomware family, nor give the date or time of the attack. It did describe how the attack was carried out, so that other operators can use the details when planning their own risk mitigation measures.
The Ransomware Attack
- Initially, the threat actor used a spear-phishing link to gain access to the organization's IT network. No network segmentation separated the IT network from the facility's OT (Operational Technology) network, so the threat actor was able to pivot from the IT network into the OT network.
- The threat actor then deployed commodity ransomware to encrypt data on both networks. On the OT side this took down human machine interfaces (HMIs), data historians, and polling servers, the assets that read and aggregate real-time data from low-level devices. Operators were left with a partial loss of view of the process.
- The programmable logic controllers (PLCs) that run the physical process were not affected at any point. The facility therefore never lost control of its operations; the complete shutdown was a containment decision made by the organization, not a consequence of the attack itself.
Lessons Learnt
- No network segmentation existed between the IT and OT networks. This let the threat actor traverse the IT-OT boundary and disable assets on both networks for a much wider impact than a compromise of the IT network alone.
- The ransomware targeted Windows-based systems. PLCs execute their own control logic on vendor firmware rather than on a general-purpose Windows OS, so the malware could not run on them, and the devices reading sensors and driving physical processes kept working. That outcome depended on the malware, not on any hardening of the PLCs: a threat actor already on the OT network could still have reached them by other means.
- The facility's emergency response plan covered physical emergencies but had never considered a cyberattack. Even so, it had replacement equipment and last-known-good configuration backups on hand, which made for a comparatively quick recovery.
- CISA also cited the lack of multi-factor authentication for remote access to the OT and IT networks from external sources, and recommends requiring at least one additional authentication factor for any such access into a critical infrastructure environment.
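As an added example (not from the CISA alert or this article), the segmentation lesson above expressed as a small Python audit of a first-match firewall policy: the flat policy that lets IT and OT talk freely on any port, beside a corrected policy in which IT only reaches a DMZ, the OT historian only pushes outbound to the DMZ, and the sole path into OT is a DMZ jump host (which should itself sit behind MFA). The address ranges, rule names, hosts and port list are assumptions constructed for the example.

```python
"""Audit a first-match firewall policy for IT/OT segmentation gaps.

Added example, not part of the CISA alert or the original article. The
address plan, rule names, hosts and port list below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan (constructed for this example).
IT_NET = ipaddress.ip_network("10.10.0.0/16")        # corporate IT
DMZ_NET = ipaddress.ip_network("172.16.5.0/24")      # IT/OT DMZ: historian replica, jump host
OT_NET = ipaddress.ip_network("192.168.100.0/24")    # HMIs, historian, polling servers, PLCs

# Windows services commodity ransomware commonly uses to spread between hosts.
LATERAL_MOVEMENT_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None means any TCP port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (s in ipaddress.ip_network(self.src)
                and d in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First match wins; anything no rule matches is denied (implicit default deny)."""
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r.action, r.name
    return "deny", "implicit-default-deny"


def _overlaps(cidr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_network(cidr).overlaps(net)


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that give IT and OT a direct path to each other (either
    direction) and allow rules that open every port rather than one service."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        crosses = ((_overlaps(r.src, IT_NET) and _overlaps(r.dst, OT_NET))
                   or (_overlaps(r.src, OT_NET) and _overlaps(r.dst, IT_NET)))
        if crosses:
            findings.append(f"{r.name}: direct IT<->OT path {r.src} -> {r.dst}; route via the DMZ instead")
        if r.dport is None:
            findings.append(f"{r.name}: allows any port; restrict to the one service needed")
    return findings


# Weak: the flat network described in the alert, written as two permissive rules.
FLAT_RULES = [
    Rule("it-ot-any", "allow", "10.10.0.0/16", "192.168.100.0/24"),
    Rule("ot-it-any", "allow", "192.168.100.0/24", "10.10.0.0/16"),
]

# Corrected: IT sees only a DMZ replica, OT pushes outbound to the DMZ only, and the
# only way into OT is RDP from the DMZ jump host (assumed to require MFA, per CISA).
SEGMENTED_RULES = [
    Rule("it-to-dmz-web", "allow", "10.10.0.0/16", "172.16.5.10/32", 443),          # read-only historian replica
    Rule("ot-historian-to-dmz", "allow", "192.168.100.20/32", "172.16.5.10/32", 443),  # one-way data push
    Rule("jump-to-ot-rdp", "allow", "172.16.5.5/32", "192.168.100.0/24", 3389),       # MFA-protected jump host
    Rule("deny-it-to-ot", "deny", "10.10.0.0/16", "192.168.100.0/24"),
    Rule("deny-ot-to-it", "deny", "192.168.100.0/24", "10.10.0.0/16"),
]


if __name__ == "__main__":
    # A phished IT workstation trying to reach an HMI over SMB, the ransomware's spread path.
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(label, "IT->HMI SMB:", evaluate(rules, "10.10.4.7", "192.168.100.15", 445))
        for f in audit(rules):
            print(label, "finding:", f)
```

The audit deliberately does not flag the jump-host rule: a single, narrowly scoped entry point from the DMZ is the pattern the flat policy lacked, and it is the place where the MFA requirement from the last lesson belongs.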