The Cybersecurity and Infrastructure Security Agency (CISA) revealed that a natural gas compression facility suffered a ransomware attack.

According to CISA Alert (AA20-049A), digital attackers leveraged a spearphishing link and abused the lack of robust network segmentation to infect Windows-based assets on both the IT and OT networks at a natural gas compression facility. Those affected OT assets included HMIs, data historians and polling servers based at a single geographic facility.

“While we like to think of OT networks as being populated with proprietary and unique devices, the reality is that there are an awful lot of Windows systems in these environments,” said Tim Erlin, VP of product management & strategy at Tripwire. “They are vulnerable to traditional IT threats like ransomware.”

The ransomware attack did not affect programmable logic controllers (PLCs) responsible for reading and manipulating physical processes at the facility. As such, the malicious actors behind the attack did not acquire the means of controlling or manipulating operations at the affected location.

At the time of the attack, the natural gas compression facility’s emergency response plan focused on physical safety, not digital security incidents. Even so, the facility used this plan to disable its HMIs responsible for reading and controlling operations while it worked to obtain replacement equipment and load last-known good configurations. These recovery efforts affected other compression facilities because of pipeline compression dependencies, thus producing a shutdown of the entire pipeline asset for two days.

Erlin noted that the attack disclosed by CISA highlights the need for organizations to prevent ransomware attacks. One prevention technique in particular stands out for him:

This attack is a good example of where robust network segmentation can have direct benefit in preventing an attacker from successfully moving through the network. Network segmentation may not be