A cyberattack shut down a U.S. natural gas pipeline for two days, and the attack triggered a special alert today from the Cybersecurity and Infrastructure Security Agency (CISA).
CISA is not naming the company involved, but is sharing the tactics, techniques, and procedures (TTPs) used by the hackers as a warning to those in critical infrastructure.
This has significant implications, as well, for those in smart manufacturing.
According to CISA, hackers targeted the company's natural gas compression facility by sending a spearphishing email with a malicious link. It worked, allowing the hackers:
"...to obtain initial access to the organization's information technology (IT) network before pivoting to its operational technology (OT) network. The threat actor then deployed commodity ransomware to Encrypt Data for Impact on both networks."
Operational technology is the use of computers to monitor or alter the state of a physical system, such as a power plant, a smart factory, or in this case, a natural gas compression site and its gas pipeline.
CISA says the following things happened as a result of the attack, which spread from the IT network to the OT network.
On the bright side, CISA says attackers did not take control of the facility.
CISA notes some important cybersecurity failings by the organization involved.
One of the key failings? The company had no incident response plan for a cyberattack.
"Although they considered a range of physical emergency scenarios, the victim's emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks."
The company involved told CISA "gaps in cybersecurity knowledge and the wide range of possible scenarios" led to a lack of planning for cyber incidents.
This situation is the reason Dr. John Opala, VP of IT Security at McCormick, will be presenting on the topic at SecureWorld Charlotte 2020.
His session asks a question worth asking about your organization: Are You Ready for the Convergence of IIoT, OT, and IT Security?
"The technologies such as Industrial Internet of Things (IIoT) are being layered on top of manufacturing floor machinery to provide that needed insight into business operations and productivity. These improvements and perceived operational excellence have come with cybersecurity risks which were not commonplace in the manufacturing space previously. It is for this reason that there is now a convergence between OT, IIoT, and IT," Opala says.
"This intersection is becoming very evident in manufacturing, supply chain, and traditional production organization or companies."
Evident across organizations, and to hackers as well.
[Related CISA Alert: Ransomware Attack Impacting Pipeline Operations]