The Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert of a ransomware attack launched against a pipeline operator. In the cyber attack, actors used spear phishing to gain a foothold into the organization’s IT network, then pivot to the operations technology (OT) network.
CISA issued the alert on February 18 and encourages organizations in all critical infrastructure sectors to review threat actor techniques. In addition, CISA also provided solid mitigation guidance.
The attack
Once they gained access to the organization’s Windows computers, the bad actors then proceeded to encrypt data on both the IT and OT networks. As a result, certain assets experienced an outage and loss of availability.
Impacted operational assets included human machine interfaces (HMIs), data historians and polling servers.
“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices,” CISA stated in the alert.
As a result, the human operators experiences a partial “loss of view.”
“The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations,” CISA added.
However, the organization implemented a controlled shutdown to operations that lasted approximately two days. As a result, the company lost productivity and revenue until normal operations resumed.
Technical challenges
According to CISA, the victim “failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
Segregation of networks is a sound security control that should be used in other industries as well. For instance, separation of networks used for point-of-sale systems (in retail) should be separated from the corporate network (such as Windows laptops and desktops for business use).
The good news?
According to the report, “at no point did the victim lose control of operations.” Furthermore, the attack did not impact any programmable logic controllers (PLCs).
The victim was also able to replace impacted equipment and implement a successful recovery process (e.g., load “last-known-good configurations”).
Overall, just one location appeared to be impacted.
Mitigation guidance
CISA provided some good guidelines in the areas of ‘Planning and Operations’ and also ‘Technical and Architectural’ mitigations.
Just a sample of some of the guidance includes:
- Make sure your emergency response plan includes potential cyberattack impacts to operations.
- Use tabletop exercises that incorporate loss of visibility and control scenarios for “lessons learned”
- Identify single points of failure and build redundancy (to include communications).
- Understand the potential safety and physical security risks cyber attacks may pose.
- Build in robust network segmentation to separate out IT and OT networks.
- Use of Multi-Factor Authentication for remote access to critical IT and OT systems.
- Enable strong spam filters to prevent phishing emails, anti-malware, software patches, and much more.