Data Insider: Digital Guardian's Blog

U.S. Warns of Ransomware Attacks Targeting Pipeline Ops

by Chris Brook on Wednesday February 19, 2020


Following an attack on a gas compression facility, CISA is urging organizations to take steps to safeguard their systems.

Some of the juicier details aren't yet known, but according to an alert from the U.S. Department of Homeland Security this week, hackers recently took aim at a natural gas compression facility, took advantage of weaknesses in its systems and spread ransomware.

While the organization didn't lose control of operations, the attack did result in a loss of productivity and revenue.

In a disclosure made public on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) – an agency within DHS – said that attackers used a spearphishing link and exploited what it called a lack of segmentation between the facility's IT and OT networks to disable assets across both networks. CISA did not disclose the name of the facility.

CISA is using the incident as a way to spread awareness to industrial control facilities, like those that manage pipelines, of the dangers that overlooking cybersecurity can pose.

Using an unnamed strain of "commodity ransomware," the attackers were able to compromise Windows-based assets on both networks, including human-machine interfaces, or HMIs, data historians, and polling servers. It can be argued that the facility dodged a bullet somewhat in the sense that programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes at the facility weren't affected; the attack only hit Windows-based systems.

“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators,” the alert reads.

CISA makes a point in its alert to clarify that the attackers didn't have the ability to control or manipulate the facility's operations. That said, because of the nature of the attack and pipeline dependencies, other compression facilities also had to halt operations for two days.

The victim organization was able to recover from the attack, CISA notes, by loading previously saved configurations onto replacement equipment. A select number of assets, confined to one geographic facility, were impacted by the attack.

In order to prevent future ransomware attacks, CISA is encouraging organizations across all sectors, but especially those that oversee critical infrastructure, to follow a set of planning and operational mitigations, in addition to a set of technical and architectural mitigations.

While much of the guidance is likely already followed by organizations (require multi-factor authentication, implement data backup procedures, filter network traffic, and so on), it's a worthy checklist to review.

CISA regularly warns about current security issues affecting enterprises. Earlier this year it warned about vulnerabilities in unpatched Pulse Secure VPN servers and Iranian state-sponsored cyberattacks, and shared updates on the Dridex strain of malware.

Tags: Ransomware

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.