A ransomware attack has targeted critical infrastructure belonging to a U.S.-based natural gas compression facility, a statement put out by the Department of Homeland Security (DHS) from February 18 has confirmed.
The security advisory—published by the Cybersecurity and Infrastructure Security Agency (CISA), a wing of the DHS—makes no reference either to the date of the attack or to its exact nature. However, it does describe the event as having affected “control and communication assets on the operational technology (OT) network” belonging to the natural gas compression facility in question.
The targeted critical infrastructure is confirmed to have been a pipeline operation, according to CISA.
Aside from providing generalized features of the attack, the security advisory also provides technical details of the incident and recommendations so that other critical infrastructure operators can take precautions and improve their emergency response planning.
What we know about the ransomware attack
The DHS stated that the incident took place after a “cyber threat actor used a spearphishing link to obtain initial access to the organization’s information technology (IT) network before pivoting to its operational (OT) network.”
This would suggest that an employee at the targeted critical infrastructure facility had opened a web link that likely contained a malicious download (‘spearphishing with a link’), and that it was this error that ultimately led to the success of the ransomware attack.
While unconfirmed, this is a theory that is supported by the security advisory, which admitted to fault on the part of the facility. While infrastructure security agency CISA did not provide explicit details as to why the ransomware attack occurred in the first place, it did state that there had been a general lack of preparedness for such an occurrence.
According to the security advisory, the facility “cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning” ahead of the ransomware attack.
CISA admitted that—because the critical infrastructure facility was not adequately prepared for a cyberattack—the facility began a “deliberate and controlled shutdown” as soon as it detected the attack was taking place. The shutdown allegedly lasted for two full days.
Despite the scale of the ransomware attack, CISA nonetheless points out that the attack “did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations.”
Prompting new recommendations
In light of the recent ransomware attack, CISA has indicated that they are taking measures not only to protect the targeted facility, but also to prevent similar attacks from taking place on critical infrastructure across the U.S.
According to the security advisory, these constitute “planning and operational mitigations” and “technical and operational mitigations,” both using a “risk-based assessment strategy.” These include nineteen distinct points of action, designed to help facilities and organizations mitigate potential cybersecurity risks.
The most noteworthy recommendations include ensuring that emergency response plans consider “the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety,” and training workers to gain “decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios.”
CISA also recommends that organizations utilize multi-factor authentication in order to “remotely access the OT and IT networks from external sources.”
A long battle with critical infrastructure vulnerabilities
The ransomware attack raises concerns around the capability of U.S. industrial controls in critical infrastructure to handle cyber threats.
Such concerns have been at the top of the agenda for the DHS for many years and prompted the department to mandate the development of the National Infrastructure Protection Plan (NIPP) in 1998.
Revised most recently back in 2013 to account for growing cybersecurity concerns, the NIPP is designed to streamline the protection efforts of U.S. critical infrastructure and relies on the coordination of both private and public sector resources. The NIPP requires that frequent vulnerability assessments be conducted on infrastructure, with measures being taken to ensure that both cybersecurity and infrastructure security needs are adequately met.
More specifically, these measures include voluntary Cyber Resilience Reviews (CRRs), which are conducted by the DHS to “help evaluate and enhance cybersecurity capacities and capabilities” of infrastructure. This includes their ability to “manage cyber risk to its critical services during normal operations and times of operational stress and crisis.”
As of yet, there has been no statement made by either the DHS or its subsidiary CISA to address whether CRRs were inadequately conducted, or whether a lack of implementation of those reviews led to the recent ransomware attack on the U.S. pipeline facility.