CISA has published an advisory on a recent cyber-attack that affected control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link to obtain initial access to the organization's information technology (IT) network and then pivoted to its OT network. The threat actor then deployed commodity ransomware to encrypt data on both the IT and OT networks.
Specific assets on the OT network experienced a Loss of Availability, including human machine interfaces (HMIs), data historians, and polling servers. The impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers (PLCs), and the victim did not lose control of operations; the shutdown that followed was a deliberate decision rather than a consequence of lost control.
A deliberate and controlled shutdown of operations was implemented for approximately two days, because the victim's emergency response plan did not account for cyber-attacks. The victim suffered a Loss of Productivity and Revenue for that period, the outcome that typically follows when adversaries disrupt or damage the availability and integrity of control system operations, devices, and related processes. Normal operations resumed afterwards.
The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks. The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Because the ransomware only affected Windows-based systems, the PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were located at a single geographic facility.
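The segmentation failure above is the kind of gap that can be checked continuously from boundary flow records rather than discovered after an incident. The following is an added example, not code from the CISA advisory or from the victim organization: it reads flow records in a constructed one-line-per-flow format and flags any IT-to-OT connection on the Windows file-sharing and remote-management ports that commodity ransomware and hands-on operators commonly use to move laterally, unless the specific source, destination and port are on an explicit allow list. The subnet ranges, the allow-list entry, the port list and the sample flows are all assumptions made for illustration.

```python
"""
Added example (not from the CISA advisory): flag flows that cross from an
IT subnet into an OT subnet on Windows lateral-movement ports, unless the
exact (src, dst, port) tuple is explicitly allowed by the segmentation design.
All addresses, ports and flow records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed address plan (hypothetical): IT enterprise network vs. OT control network.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Destination ports whose use across the IT/OT boundary should be rare or forbidden:
# SMB, RDP, WinRM (HTTP and HTTPS) and the MS-RPC endpoint mapper.
RISKY_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 135: "MS-RPC"}

# Explicit allow list of (src, dst, dport) tuples the design permits, e.g. a
# hardened jump host reaching one data historian over RDP. Hypothetical entry.
ALLOWED = {("10.10.5.20", "10.50.1.10", 3389)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def crosses_it_to_ot(flow: Flow) -> bool:
    """True only for flows whose source is IT and whose destination is OT."""
    return in_any(flow.src, IT_NETS) and in_any(flow.dst, OT_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding string for a boundary-policy violation, or None if the flow is fine."""
    if not crosses_it_to_ot(flow):
        return None  # OT->OT, IT->IT and OT->IT flows are out of scope for this check
    if (flow.src, flow.dst, flow.dport) in ALLOWED:
        return None
    if flow.dport in RISKY_PORTS:
        return f"IT->OT {RISKY_PORTS[flow.dport]} {flow.src} -> {flow.dst}:{flow.dport}"
    # Anything else crossing the boundary is still worth a look: the design
    # should enumerate every permitted service, not just the well-known risky ones.
    return f"IT->OT unlisted service {flow.src} -> {flow.dst}:{flow.dport}"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def find_violations(lines: Iterable[str]) -> List[str]:
    """Run classify() over every non-empty, non-comment record and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result = classify(parse_flow(line))
        if result:
            findings.append(result)
    return findings


# Constructed sample flow records (not real data): one permitted jump-host RDP
# session, two IT->OT lateral-movement attempts, one unlisted IT->OT service,
# plus OT->OT Modbus and IT->IT SMB traffic that the check must ignore.
SAMPLE_FLOWS = """
# src dst dport proto
10.10.5.20 10.50.1.10 3389 tcp
10.10.7.33 10.50.1.10 445 tcp
10.10.7.33 10.50.2.15 5985 tcp
10.50.2.15 10.50.2.16 502 tcp
10.10.3.4 10.10.3.9 445 tcp
10.10.7.33 10.50.3.8 8443 tcp
""".splitlines()


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(finding)
```

Run against the sample records, the check reports the SMB and WinRM attempts from 10.10.7.33 and the unlisted 8443 connection, and stays silent on the allow-listed jump-host session and on traffic that never crosses the boundary. In practice the flow source would be a boundary firewall or NetFlow/IPFIX export, and the allow list would be the documented conduit set from the segmentation design, so that any finding is by definition a deviation from that design.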
Although only one geographic control facility was directly affected, other geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days. The victim cited gaps in its cyber-security knowledge as the reason it failed to adequately incorporate cyber-security into its emergency response planning.
CISA recommends the following mitigations to prevent and handle cyber-attacks on operational control devices and networks.
Technical and Architectural Mitigations
Planning and Operational Mitigations