Homeland Security Reports Ransomware Attack Shut Gas Pipeline Facility for Two Days

February 19, 2020

The U.S. Department of Homeland Security has alerted energy and other infrastructure firms to review their cybersecurity after a ransomware attack interrupted a natural gas compression facility.

The attack caused the unidentified pipeline facility to lose access to, and visibility of, certain data and operations, but it did not lose control of its overall operations. Management decided to deliberately shut down operations as a precaution. Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days, according to DHS.

According to the department’s Cybersecurity and Infrastructure Security Agency (CISA), the cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before pivoting to its operational technology (OT) network. The attacker then deployed commodity ransomware to Encrypt Data for Impact on both networks. The government did not say if the attackers asked for payment of any ransom to halt their attack.

CISA, which responded to the event, was critical of the facility’s emergency response plan for focusing on threats to physical safety but not cyber incidents.

“Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA said.

The agency also said the plant management cited “gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

Although the facility’s plan called for a full emergency declaration and immediate shutdown, management “judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” according to CISA. The limited measures included a four-hour transition from operational to shutdown mode combined with increased physical security.

CISA is encouraging asset owners and operators across all critical infrastructure sectors to review the details of this attack and take mitigation steps to protect their organizations against similar ransomware attacks.

CISA did not identify the source of the attack.

Last August, CISA said China was the greatest threat to the U.S. and that the agency's operational priority was reducing the risks to the global supply chain.

In 2019, cyber experts suspected Iran was stepping up its cyberattacks against the U.S. government and critical infrastructure.

In 2018, the FBI and the Department of Homeland Security issued a report saying that Russian hackers had been attacking the electric grid, power plants, air transportation facilities and targets in the commercial and manufacturing sectors, attempting to gain remote access, install malware or carry out spear phishing.

In 2018, Bloomberg reported that insurers were limiting how much coverage they were willing to provide energy companies against a major attack by hackers, leaving the industry largely unprepared for a hacker-triggered catastrophe.
