The American Cybersecurity and Infrastructure Security Agency (CISA) has announced that an American critical infrastructure operation has been affected by ransomware attacks. The attack was caused by a Spearphishing technique that targeted workers of a natural gas compression facility. The ransomware encrypted the plant’s IT and OT networks causing a partial loss of view for human operators. While the attack only infected Windows devices, the impact of human-machine interfaces had a significant impact.
In light of this, several cybersecurity professionals have imparted some insight into the case, highlighting the lessons that enterprises should learn from this event:
Richard Bejtlich, principal security strategist at Corelight:
“This incident highlights the need for operators of critical infrastructure to instrument their networks in at least three important locations:
1) at the gateway connecting the Internet and their information technology (IT);
2) at the gateway connecting the Internet and their operational technology (OT); and
3) at the gateway connecting the IT and OT networks.”
Nigel Stanley, CTO at TUV Rheinland:
“IT and OT networks are frequently interlinked as business systems need to have a view on control systems. Unfortunately, with poor network segmentation, firewalling and protection of internet work conduits, pivoting of malware such as this will be seen more and more often. Of note is the need to ensure that cyberattacks on OT systems have a decent and well-rehearsed incident response plan, coupled with a similarly implemented business recovery plan. The CISA has been helpful in highlighting this incident.”
Stuart Sharp, VP of Solution Engineering, OneLogin:
“As phishing attacks become increasingly common, and increasingly sophisticated — often tailored to a targeted team with an organisation — companies cannot rely on defending against 100% of attacks. The best defence against ransomware is a robust Business Continuity Plan which includes regular backups, version control and thorough testing of disaster recovery procedures. For enterprises that rely on Industrial Control Systems, there’s no substitute for real world testing — staff not only need to know recovery procedures, they need to practice them regularly to minimise downtime if an attack does occur.”
Tim Erlin VP at Tripwire:
“While we like to think of OT networks as being populated with proprietary and unique devices, the reality is that there are an awful lot of Windows systems in these environments as well, and they are vulnerable to traditional IT threats, like ransomware.
This attack is a good example of where robust network segmentation can have direct benefit in preventing an attacker from successfully moving through the network. Network segmentation may not be cutting edge technology, but that doesn’t mean it isn’t effective.
Remember, ransomware by default announces itself. It has to in order to get the victim to pay the ransom. But the same attack vectors and tactics that ransomware exploits could be used by attackers who would prefer to stay hidden as well. If you’re worried about ransomware, you should be worried about other attacks as well.”
Martin Jartelius, CSO at Outpost24:
“This rather clearly shows that security should be layered. We cannot continue to perceive security as a fortress where threat actors are outside, and on the inside, everyone is a good person. If an email to an employee, can lead to pivoting to the OT network, there is very basic security missing in the setup.
For organisations that think segmentation actually is in place, where detection and other controls are implemented, getting analysts to ensure proper segmentation, for example using simulated attacks. But to save money – start with asking your IT team if the OT networks are properly isolated. Its free to check that way, and likely you will get eye-opening results.”
Oliver Pinson-Roxburgh, co-founder of Bulletproof:
“This sort of attack typically requires a very specific skillset. The last time I heard about malware like this was Triton (named “The world’s most murderous malware”) malware that could affect safety controls within a petrochemical plant. The attackers used a similar approach by gaining initial access and they moved further into the network, eventually targeting the safety controls on the plant. The difference is that the Triton attackers focused on safety systems, and these attackers seemed to focus on disruption to plant operation. Triton was believed to be a nation state attack.
Industrial engineers back in the 80’s, when the first industrial control systems where being built, did not have to consider that one day they would be connected to the internet. In addition, segregation in these sorts of networks were also not a consideration. As we can see in both examples, the initial network was not the target, but was the first entry point leveraged by threat actor. In this example, they moved to the OT proving that segregation was not effective or was non-existent – similar to the Triton attack.
We find that during testing our customers, the employees are the weakest link. During our phishing campaigns we will always have some success. The important point to consider is that an attacker only needs one person to fail; all they need is that one piece of equipment or persons to leverage.
Industrial control systems security requires a very different set of knowledge and skills to protect the site, which is very different to a typical IT network. The focus is not protecting information, its SAFE, correct, efficient and continuous physical operation of the plant. The IT controls need to be more considered when it comes to industrial control systems as its often not in scope of the typically security operations within ICS’s as the focus has always been on the ensuring safe operation of physical hardware that could affect the safety of humans.
In this day and age, IT security is becoming critical to protecting the physical world as everything is becoming interconnected.”
With this attack in mind, and the continued prevalence of phishing attacks on critical infrastructure, it is essential to work together as an industry to ensure that cybercriminals do not get the upper hand. While this may seem like an uphill battle, one should take note of expert recommendations moving forward to ensure that no system is left unprotected.