The Department of Homeland Security (DHS) announced this week that a ransomware attack shut down a natural gas compressor facility for two days. While inside the network, the attacker deployed software intended to “identify critical assets” before triggering the ransomware, and in the process may also have disabled the detection processes meant to catch it. The date of the attack was not specified.
According to DHS, this attack is illustrative of the many attacks recently targeting energy and other critical infrastructure. The intrusion began with spear-phishing emails containing malicious links. These gave the intruder access to the information technology (IT) network, and because the IT network was not segmented from the operational technology (OT) network, the attacker was able to reach the OT network as well.
Although the attackers never gained control of the facility, the operator carried out a controlled shutdown because it could no longer access and read operational information in real time. Unfortunately, according to reports, the facility’s emergency response plan did not address the risk of, or the response to, cyber-attacks.
It is imperative that emergency response, incident response, contingency operations and disaster recovery plans all anticipate cyber-attacks and are able to respond to them. DHS further urged critical infrastructure organizations to:
- include cyber-risk planning in their incident response strategies;
- practice failover to alternate control systems (back-ups);
- conduct tabletop exercises to train employees, identify technical and human points of failure for operational visibility; and
- recognize the safety implications of cyber-attacks, among other steps.
These are all basic cyber-hygiene practices that critical infrastructure facilities and operators may wish to consider implementing, particularly because of the devastation that could result from a significant cyber-attack.