Gas Pipeline Stops Operations After Cyber Attack
The Department of Homeland Security in the United States has revealed that a cyberattack has hit a gas pipeline operator, which forced it to cease operations for two days.
Cybercriminals successfully launched a ransomware attack on the unnamed natural gas compression facility, and the Department’s Cybersecurity and Infrastructure Security Agency (DHS CISA) has since released some details on the nature of the hack.
The agency has said that the ransomware attack occurred shortly after “a cyber threat actor used a spearphishing link to obtain initial access to the organisation’s information technology (IT) network before pivoting to its operational technology (OT) network.”
As noted by tech author Catalin Cimpanu, “an OT network is different from an IT network. It’s a network with workstations for managing critical factory equipment and other factory operations. IT networks are usually dedicated for office and other administrative work. In theory, IT and OT networks should be air-gapped,” meaning that the OT network should have no connection to the IT network or to the internet, so that a compromise of office systems cannot reach the equipment that runs the plant.
CISA says that after accessing the OT network of the gas pipeline operator, cybercriminals then launched a ransomware attack that encrypted the company’s data, requesting a ransom payment in exchange for providing access to its networks once again.
The agency says that the ransomware attack did not take control of programmable logic controllers (PLCs), the industrial controllers that directly drive factory and pipeline equipment, meaning that the attackers never gained control over physical processes.
CISA has stated, however, that the pipeline’s staff suffered a “partial loss” of their ability to view data on the pipeline’s status, which was part of the reason the operator was forced to close down for two days, launching a “deliberate and controlled shutdown to operations” to avoid any potential accidents.
CISA has released the findings of its investigation into the hack, which have been listed below:
At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
The victim's existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures.
These included a four-hour transition from operational to shutdown mode combined with increased physical security.
Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
Although it considered a range of physical emergency scenarios, the victim's emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.