A recent ransomware cyberattack caused a natural gas company to shut down a pipeline for two days, according to an alert from the Department of Homeland Security.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said yesterday it responded to the incident, but the agency did not say where or when the attack occurred. The technical document marks the first time the U.S. government has publicly reported a disruptive hack of U.S. pipeline networks.
The unspecified "threat actor" behind the attack breached the facility’s network in a malicious link sent in an email, according to CISA. The malware first infected the information technology network before spreading to the operational technology network in a natural gas compression station. The hackers then triggered the ransomware, which encrypted data and blocked systems from running properly.
The operators of the facility chose to shut down a "pipeline asset" for two days, "resulting in a loss of productivity and revenue," DHS said. The hackers were able to get into the OT networks due the operators not properly dividing it from the IT systems, CISA said.
During the attack, the hackers disrupted various devices needed for operators to view what was happening in the compression station, CISA said, though "at no point did the victim lose control of operations."
The facility was able to restore the last known safe computer configurations and replace equipment, the agency said.
According to CISA, the facility lacked an emergency response plan that considered cyberthreats.
CISA said that the facility’s owner "cited gaps in cybersecurity knowledge and the wide range of possible scenarios" as reasons for not having a plan for hacking threats.
Clint Bodungen, CEO and founder of the cybersecurity firm ThreatGEN, said he often sees planning oversights with his midstream customers. He also said that a lack of segmentation between IT and more sensitive OT networks is not uncommon.
"This is consistent with the industry," Bodungen said. "We go out there and do tests and vulnerability assessments for so many customers, and there are so, so many of them who are in the same boat."
‘Bigger and badder’ threats?
Bodungen last month reported discovering "Ryuk" ransomware attacks on five oil and gas facilities (Energywire, Jan. 27). He said he wasn’t sure if the latest CISA alert is about one of those incidents, which date back to November.
The alert from CISA corresponds to warnings from cybersecurity experts who cite increasing dangers from cyberattacks on old and unpatched OT systems like those used in some pipelines and power grids.
While CISA’s description of the attack was vague, Bodungen warned that if it was intentional, it could mean that the hackers have the capability to cause direct and physical damage to an oil and gas facility.
"If they had the intent, if they had the OT-specific knowledge — system-specific, process-specific knowledge — then they could do bigger and badder things," Bodungen said.
Ransomware attacks are usually indiscriminate: Hackers spread malicious links to as many people as possible in massive online campaigns. But recently, ransomware threats have become more targeted and selective, experts say — especially when it comes to cyberattacks against the energy sector.
Nathan Brubaker, senior manager of the cyber-physical intelligence team at cybersecurity firm FireEye Inc., said financially motivated criminal hacker groups have "matured" from targeting IT and business processes to OT systems and physical processes. By hitting critical networks that are needed to keep the facility running, hackers end up "inflicting maximum pain to the victim."
"As a result, they are better positioned to negotiate and can often demand much higher ransoms" to give up the key to encrypted data, Brubaker said in an email.
Attacks on industrial control systems have dramatically increased last year, rising over 2,000%, according to a recent report from IBM. The uptick has been facilitated by a rising interest from financially motivated criminal hacking groups. Attacks on the energy sector have also increased, rising from the 10th-most attacked industry to the ninth, according to IBM’s report (Energywire, Feb. 11).
CISA did not go into detail on the specifics of the malware but said that the attack used a "commodity ransomware," meaning that it was bought online.
Cybersecurity company Dragos Inc. recently warned of a new type of ransomware that directly targets control systems. The so-called Ekans ransomware is not particularly dangerous due to the criminals’ lack of knowledge of specialized industrial networks, Dragos said, but the company did warn that the developments were "deeply concerning" (Energywire, Feb. 4).
Reached for comment, a CISA official said that "while operations have since been restored, this incident is just the latest example of the risk ransomware and other cyberthreats can pose to industrial control systems and of the importance implementing cybersecurity measures to guard against this risk."
