Gas compressor facility hit by ransomware attack

Matthew Farmer 20 February 2020 (Last Updated February 20th, 2020 11:15)

The USA Cybersecurity and Infrastructure Security Agency (CISA) has given details of a cyberattack which caused a natural gas compression facility to be shut off.

Gas compressor facility hit by ransomware attack
Gas compressors could not be used after a cyberattack gained access to IT systems.

The USA Cybersecurity and Infrastructure Security Agency (CISA) has given details of a cyberattack which caused the shut down of a natural gas compression facility.

The agency said: “CISA responded to a cyberattack affecting control and communication assets on the operational technology network of a natural gas compression facility.”

It has not identified the location of the compression facility or which company it belonged to.

The attack was carried out using hyperlink designed to allow access to a computer, known as a spear-phishing link. This allowed access to the company’s IT systems, from which the infiltrator gained access to equipment connected to the network, known as operational technology (OT).

Ransomware was then deployed to encrypt files. This meant devices used to operate the compressor did not work properly, resulting in a partial loss of view, where human intervention is required to restore equipment to operability.

The hacked company stopped operations for two days. The perpetrator was not able to control the compressor, and after previous setting were restored, the facility resumed normal operations.

In its assessment, CISA said the hacked company should have better separated IT and OT networks. It also emphasised the importance of companies having emergency responses to cyberattacks.

The agency said: “The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents.

“Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures.

“These included a four-hour transition from operational to shutdown mode combined with increased physical security.”

Cybersecurity companies react to the hack

Cybersecurity services company Bulletproof co-founder Oliver Pinson-Roxburgh said: “The last time I heard about malware like this was Triton – named ‘The world’s most murderous malware’ –  malware that could affect safety controls within a petrochemical plant.

“The attackers used a similar approach by gaining initial access and then moved further into the network, eventually targeting the safety controls on the plant. The difference is that the Triton attackers focused on safety systems, and these attackers seemed to focus on disruption to plant operation. Triton was believed to be a nation-state attack.

“We find that during testing our customers, the employees are the weakest link. During our phishing campaigns, we will always have some success. The important point to consider is that an attacker only needs one person to fail; all they need is that one piece of equipment or persons to leverage.”

Independent inspection services provider TUV Rhineland chief technical officer Nigel Stanley said: “IT and OT networks are frequently interlinked as business systems need to have a view on control systems.

“Unfortunately, with poor network segmentation, firewalling and protection of internet work conduits, pivoting of malware such as this will be seen more and more often.

“Of note is the need to ensure that cyberattacks on OT systems have a decent and well-rehearsed incident response plan, coupled with a similarly implemented business recovery plan.”