Experts Insight On Ransomware Attack Forces U.S. Gas Pipeline To Shut Down

The Cybersecurity and Infrastructure Agency (CISA) responded to a ransomware attack that targeted a U.S. natural gas facility, forcing it to shut down for two days. CISA did not reveal when the incident happened or the identity of the victim organization. 

An employee of the facility clicked on a malicious link from a spear-phishing email, allowing a malicious actor to jump from the gas compression facility’s IT network onto the operational technology (OT) network. The attacker was then able to deploy data-encrypting ransomware on the networks.

Experts' Comments

February 20, 2020
Nathan Brubaker
Senior Manager, Cyber Physical Team
FireEye
It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware. This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware (definitely including critical and industrial sectors)—and interestingly is the topic of one of our presentations taking place at RSA next week. The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach are often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organisations have moved toward adopting a more operationally complex post-compromise approach. In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators. Actors cast wider nets that impact critical systems, which maximises the scale and effectiveness of their end-stage operations by inflicting maximum pain to the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves.
February 20, 2020
Dr. Vinay Sridhara
CTO
Balbix
This is yet another breach where humans are the easiest path to infiltration by attackers. As with other high profile events, this one propagated from a lower value target to an extremely high value target. Starting with a targeted phishing attack, the adversary then pivoted across networks, eventually using commodity ransomware to encrypt critical infrastructure data. Organizations, especially those protecting critical assets, must ensure that propagation risk doesn't overshadow other efforts to protect those assets. The organization also cited ‘gaps in cybersecurity knowledge and the wide range of possible scenarios.’ Every organization's attack surface is huge, and grows with digital transformation and with the ever increasing number of attack methods available to adversaries, leaving an unlimited number of things that can go wrong. Cybersecurity is no longer a human scale problem, so risk-based prioritization, across all assets and attack vectors, must form the basis for information security decision making.
February 20, 2020
Max Vetter
Chief Cyber Officer
Immersive Labs
This latest ransomware attack demonstrates the need to ensure both technological and human cyber security capabilities are as strong as they can possibly be. The natural gas facility has specifically named a lack of practised cyber skills as a fundamental cause of the breach, which has led to the pipeline being shut. Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change. In particular, the organisation said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning. Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either. Although many companies run "fire drills" or cyber crisis simulations, they are shockingly infrequent, often specific to only a small number of attacks, and therefore inadequate at preparing staff for the multitude of security incidents they could face. All organisations, and particularly those that play a role in critical national infrastructure, should be conducting cyber crisis simulation exercises frequently and repeatedly, to practice and prepare for each incident type.
February 20, 2020
Tal Zamir
Founder and CTO
Hysolate
Organizations that handle critical infrastructure cannot trust OS-based security solutions as these have been proven to fail over and over again, similar to this recent example of ransomware successfully hitting US-based OT networks. Instead, these organizations must apply isolation/segregation approaches both at the network level and at the endpoint level. Isolation can be achieved by a strong physical or virtual "air gap", but must ensure that the IT or OT assets do not have direct network connectivity from one to the other.
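The segregation requirement above can be checked mechanically: given the address ranges of the IT, DMZ and OT zones, walk the firewall's allow rules and flag any rule whose source and destination overlap IT and OT directly, rather than passing through the DMZ. The following is an added example written for this page, not code from the article or from Hysolate; the zone ranges and rules are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed zones and firewall rules for illustration; none of these
# addresses or rules come from the article or from any real facility.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT":  [ipaddress.ip_network("192.168.100.0/24")],
}

RULES = [
    # IT workstations reach the historian relay in the DMZ only.
    {"id": 1, "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "port": 443},
    # The DMZ relay polls the OT network.
    {"id": 2, "action": "allow", "src": "10.20.0.10/32", "dst": "192.168.100.0/24", "port": 502},
    # An IT subnet that can reach OT directly, bypassing the DMZ.
    {"id": 3, "action": "allow", "src": "10.10.5.0/24", "dst": "192.168.100.0/24", "port": 3389},
    # An any-source rule whose source range also covers the IT zone.
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "192.168.100.50/32", "port": 22},
    # Default deny.
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]


def zones_touched(cidr: str) -> List[str]:
    """Names of every zone whose address space overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [name for name, nets in ZONES.items() if any(net.overlaps(z) for z in nets)]


def direct_it_ot_rules(rules) -> List[int]:
    """IDs of allow rules permitting traffic between IT and OT in either direction.

    A rule is flagged when its source range overlaps one zone and its
    destination range overlaps the other, so broad 'any' ranges are caught too.
    """
    offenders: List[int] = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        if ("IT" in src and "OT" in dst) or ("OT" in src and "IT" in dst):
            offenders.append(rule["id"])
    return offenders


if __name__ == "__main__":
    for rule_id in direct_it_ot_rules(RULES):
        rule = next(r for r in RULES if r["id"] == rule_id)
        print(f"rule {rule_id}: direct IT<->OT path "
              f"{rule['src']} -> {rule['dst']} port {rule['port']}")
```

Rules 1 and 2 pass because the path from IT to OT is broken at the DMZ host; rules 3 and 4 are reported, the second because an any-source rule silently includes the IT ranges.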
February 20, 2020
Saurabh Sharma
VP
Virsec
This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems.
February 20, 2020
Joseph Carson
Chief Security Scientist
Thycotic
Cyber security of critical infrastructure is absolutely crucial, as the consequences of an attack can be severe and widespread with the potential of having a cascading effect on other facilities or suppliers. Cyberattacks against the energy sector can have rippling effects to other critical infrastructure that depends heavily on energy such as hospitals without power, logistics on hold and transportation delays such as road, rail and flights, meaning that major cities within 24 to 48 hours can run out of food, which could easily lead to chaotic events. In this case, the attacker gained access to the network via a phishing email which gave the attackers a way into both the facility’s IT network and their OT network, and to defend against such attacks an organisation needs a balanced approach between strong technology and employee training. Enforcing a least privilege strategy will limit the damage if an employee does accidentally fall victim, but from a human standpoint it is important that employees are empowered to speak and report when they identify suspicious activity as an early warning can allow the IT department to catch early attempts and add them to the email filter to prevent similar attacks. One major security lapse that was highlighted was the lack of incident response and business continuity plan relating to cyber-attacks meaning this facility was not ready to deal with modern day cyber incidents. A strong incident response plan and business continuity should be a top priority for all critical infrastructure providers and it should be tested.
February 20, 2020
Stuart Reed
UK Director
Orange Cyberdefense
A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure. This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position. Above all it shines a light on the importance of supply chain security and ensuring those businesses connected to you have similar processes and precautions in place to deliver a robust security posture. For example, having a layered approach to cybersecurity that takes into account a range of techniques, from cyber awareness training to network-based detection and response, is vital to ensuring malicious activity can be identified and eliminated as quickly as possible. The crux of the matter is that attacks don’t need to be sophisticated to have a significant impact.
February 20, 2020
Andrea Carcano
Co-founder and CPO
Nozomi Networks
This is yet another example of the significant rise in the number of cyberattacks on targeted critical infrastructures, and a reminder that the threats are real and need to be addressed. Hackers are learning new tactics and avenues to infiltrate industrial control systems (ICS) like this U.S. natural gas compressor. This attack method accessed the IT network before moving into the OT network, validating the importance of integrating IT and OT systems. Thankfully, the operator was able to perform a shutdown before any loss of control or destruction was done, but had no emergency plan in place for cyberattacks. The potential consequences of not investing in industrial cybersecurity technologies could be numerous and severe. Destructive malware is being developed and tested, and critical infrastructure operators need to be able to identify and mitigate anomalous behavior in real-time. To protect and optimally maintain ICS cybersecurity, it is necessary to implement non-intrusive technologies that shift an organisation’s security posture to one that utilises intelligent threat detection. Overall, industrial organisations need to ensure critical infrastructure resilience so that risks from wherever and in whatever format can be identified and remediated immediately.
February 20, 2020
Elad Shapira
Head of Research
Panorays
This latest cyberattack on a US natural gas compression facility illustrates what can happen when there’s no formal cyber action plan in place. In this case, the facility’s emergency response plan did not even consider cyber incidents, so that employees had no knowledge about how to deal with the attack. Moreover, other facilities needed to halt operations for two days as well because of pipeline transmission dependencies. Clearly, all members of the supply chain must put robust cybersecurity processes in place to thoroughly assess and continuously monitor cybersecurity, and create reliable action plans in case of an attack.
February 20, 2020
Peter Goldstein
CTO and Co-founder
Valimail
Phishing is implicated in more than 90% of all cyberattacks, and this attack on a U.S. natural gas facility shows exactly why: Email is a highly effective attack vector. Many companies invest in security training to prevent these types of cyberattacks, but as a defense, this is not completely reliable. That’s because malicious actors often leverage impersonation and social engineering to appear as trustworthy senders to victims, making their fraudulent messages indistinguishable from legitimate ones. In fact, users in the U.S. open 30% of phishing emails, and 12% of those targeted by these emails click on the infected links or attachments. The consequences of a cyberattack are far too high to put the onus on employees to identify malicious emails. To stop crippling ransomware attacks, organizations need to prevent the phish from getting into their inboxes in the first place — which can be done by properly enforcing DMARC and implementing advanced anti-phishing solutions to authenticate and validate sender identity. By doing so, organizations can add a crucial defensive layer to keep ransomware attacks at bay and defend critical infrastructure against disruption.