DHS issues alert after gas pipeline taken offline in ransomware attack
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued a warning of potential cyberattacks after an unnamed natural gas pipeline operator was shut down following a ransomware attack last year.
The attack targeted control and communication assets on the operational technology network of a natural gas compression facility, according to the alert issued Tuesday. The intrusion began with spear-phishing, targeted emails that appear to come from a trusted sender and lure the recipient into opening a link or attachment or handing over credentials, which gave the attackers a foothold on the facility’s IT network. From there they moved into the OT network and deployed ransomware.
Although safety is said not to have been jeopardized, the victim chose to carry out a “deliberate and controlled shutdown of operations” as a precaution. The shutdown lasted two days and cost the unnamed pipeline operation revenue. Notably, the owner is said to have replaced the network equipment affected by the ransomware rather than attempting to recover the encrypted data.
CISA didn’t hold back in its alert, putting some of the blame on the pipeline owner. “The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks,” the agency said.
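The segmentation failure CISA describes is something a practitioner can check for mechanically: an IT/OT boundary firewall whose policy lets IT hosts, or any host, reach the OT network broadly is exactly the condition that let the adversary traverse the boundary. The script below is an added example written for this article, not code from CISA or from the affected operator; it audits a simplified rule set and reports each rule that gives the IT side a path into OT. The zone ranges, host addresses, rule names and both policies are constructed for illustration, and the audit generalizes beyond this incident to any two-zone boundary.

```python
"""Audit an IT/OT boundary firewall policy for rules that let IT traverse into OT.

Constructed example: the zones, addresses and rules are illustrative only and
are not taken from the CISA alert or from any real facility.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical zone map (assumption: these RFC 1918 ranges stand in for the
# IT, OT and DMZ networks of a facility).
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "OT": ipaddress.ip_network("10.100.0.0/16"),
    "DMZ": ipaddress.ip_network("10.200.0.0/24"),
}

# Services an intruder already on the IT network would use to pivot; exposing
# them from IT into OT is reported as a finding.
LATERAL_MOVEMENT_PORTS = {
    135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    dports: Tuple[int, ...]  # destination ports; () means every port
    action: str              # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone containing it ("any" for a wildcard, "unknown" if unmapped)."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return zone
    return "unknown"


def reaches_ot(rule: Rule) -> bool:
    """True if the rule's destination covers the OT zone."""
    return rule.dst == "any" or zone_of(rule.dst) == "OT"


def audit(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs for rules that give the IT side a path into OT."""
    findings = []
    for rule in policy:
        if rule.action != "allow" or not reaches_ot(rule):
            continue
        src_zone = zone_of(rule.src)
        if src_zone in ("any", "unknown"):
            findings.append((rule.name, f"source {rule.src} is unrestricted into OT"))
        elif src_zone == "IT":
            if not rule.dports:
                findings.append((rule.name, "IT hosts may reach OT on every port"))
            exposed = [LATERAL_MOVEMENT_PORTS[p] for p in rule.dports if p in LATERAL_MOVEMENT_PORTS]
            if exposed:
                findings.append((rule.name, "IT hosts may pivot into OT over " + ", ".join(exposed)))
    # A boundary policy that does not end in an explicit deny toward OT falls
    # through to whatever the device does by default, which is not a control.
    if not policy or policy[-1].action != "deny" or not reaches_ot(policy[-1]):
        findings.append(("<policy>", "no explicit default-deny rule toward OT at the end of the policy"))
    return findings


# Constructed "before": flat trust between IT and OT, the posture CISA faulted.
WEAK_POLICY = [
    Rule("it-to-ot-any", "10.0.0.0/16", "10.100.0.0/16", "any", (), "allow"),
    Rule("helpdesk-rdp", "any", "10.100.0.0/16", "tcp", (3389,), "allow"),
    Rule("catch-all", "any", "any", "any", (), "allow"),
]

# Constructed "after": only named DMZ hosts reach OT, on named ports, and all else is denied.
HARDENED_POLICY = [
    Rule("jump-host-rdp", "10.200.0.10/32", "10.100.0.0/16", "tcp", (3389,), "allow"),
    Rule("historian-poll", "10.200.0.20/32", "10.100.0.0/16", "tcp", (502,), "allow"),
    Rule("deny-to-ot", "any", "10.100.0.0/16", "any", (), "deny"),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        results = audit(policy)
        print(f"{label}: {len(results)} finding(s)")
        for name, problem in results:
            print(f"  {name}: {problem}")
```

Run as-is, the weak policy produces four findings (the blanket IT-to-OT rule, the wildcard-source RDP rule, the catch-all allow, and the missing terminal deny) while the hardened policy produces none, because its only allows come from individually named DMZ hosts and it closes with an explicit deny toward OT. The same shape of check can be pointed at exported rules from a real boundary device once they are parsed into the `Rule` form above.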
“Phishing is implicated in more than 90% of all cyberattacks and this attack on a U.S. natural gas facility shows exactly why: Email is a highly effective attack vector,” Peter Goldstein, chief technology officer and co-founder of email security firm Valimail Inc., told SiliconANGLE. “Many companies invest in security training to prevent these types of cyberattacks, but as a defense, this is not completely reliable.”
The reason, he explained, is that malicious actors often leverage impersonation and social engineering to appear as trustworthy senders to victims, making their fraudulent messages indistinguishable from legitimate ones. In fact, he added, users in the U.S. open 30% of phishing emails, and 12% of those targeted by these emails click on the infected links or attachments.
Sam Roguine, director at data protection company Arcserve LLC, noted that damaging ransomware attacks targeted at critical infrastructure have been on the rise in recent years. “If your cybersecurity and disaster recovery procedures aren’t up to the task of combating modern-day cybercrime, hackers will find the vulnerabilities and exploit them – that’s just the reality,” he said.
Kyle Miller, chief technologist at information technology consulting firm Booz Allen Hamilton Inc., explained that “operational technology” includes systems that help monitor and control physical equipment and processes found across industries. In turn, they help manage critical infrastructure that ensures reliable electricity, heat for buildings, fuel for cars and more.
“The new alert from CISA says the threat actor gained access to an organization’s IT network before pivoting to its OT network,” Miller said. “While commodity malware was used, the fact that they pivoted into the OT environment suggests that this may have been a targeted ransomware attack which is something we’re seeing more frequently.”
Miller noted that there’s an uptick in attackers trying to target softer environments such as OT systems because data backup and traditional security and antivirus technologies aren’t always used. “Because security isn’t always as robust in those environments, threat actors can use commodity ransomware and potentially make a broader impact,” he said.