A ransomware infection at a natural gas compression facility in the United States resulted in a two-day operational shutdown of an entire pipeline asset, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday.
The targeted organization has not been named and it’s unclear exactly when the incident occured. According to CISA, the cyberattack affected control and communication assets on the victim’s operational technology (OT) network.
A compression facility helps transport natural gas from one location to another through a pipeline. Natural gas needs to be highly pressurized during transportation, and compression facilities along the pipeline help ensure that it remains pressurized.
The agency said the attackers used spear-phishing to gain initial access to the facility’s IT network, after which they managed to make their way to the OT network. The hackers then deployed commodity ransomware that encrypted files to Windows machines on both the IT and OT networks.
This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but CISA said the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.
Nevertheless, the victim decided to respond to the attack by shutting down operations. While the ransomware only directly affected one facility, other compression facilities were also forced to suspend operations due to pipeline transmission dependencies. CISA said the incident resulted in an operational shutdown of the entire pipeline asset for roughly two days.
“The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process,” the agency said in its alert.
According to CISA, the victim had an emergency response plan in place, but it focused on physical safety and it did not specifically cover cyberattacks.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA said. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
The agency published an alert to warn gas and other critical infrastructure operators about the risk of cyberattacks, and provide recommendations for mitigating the threat.