Another day, another ransomware attack. This time the victim is a piece of critical infrastructure in the United States: a natural gas compression facility.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Tuesday revealing that a natural gas compression facility in the country shut down operations for about two days after a ransomware attack.
According to the advisory, the malware cut operators off from real-time operational data coming from key control and communication equipment, a so-called loss of view. CISA did not identify the facility, saying only that it was a natural gas compression site, the kind of installation that uses turbines, engines, and motors to compress gas and keep it moving through pipelines.
It all started with a malicious link in a spearphishing email. Through it the attackers gained a foothold on the facility’s IT network, then pivoted into its OT network, infecting both with what CISA calls “commodity ransomware.” The OT network is where the servers and controllers that monitor and manage the site’s physical processes live.
According to CISA, the ransomware was not a new strain built with ICS-specific capabilities but a common one that infects Windows systems. Even so, it knocked out human-machine interfaces (HMIs), data historians, and polling servers on the OT network.
The advisory noted that the infection did not reach the facility’s programmable logic controllers (PLCs), which directly control the compression equipment, so the operator never lost control of operations and the attackers were never in a position to manipulate the site’s physical processes. Still, the operator opted for a deliberate, controlled shutdown, and malware that was never designed for industrial environments took down key control and communications equipment. That is a significant impact for commodity ransomware.
Moreover, the facility was not prepared for such an attack. It had not implemented robust segmentation between its IT and OT networks, which is how the infection spread from one to the other, and its emergency response plan did not cover cyber incidents. That is a serious concern given the nature of the facility.
CISA has urged critical infrastructure operators to build cyber risk into their planning and response strategies, to train staff to recognize promptly when operational visibility has been lost or degraded (whether through a technical failure or human error), and to understand the likely consequences of a cyberattack on operations, including loss of view and loss of control.
It also recommended a set of technical controls: multi-factor authentication, network segmentation, frequent data backups, anti-phishing filters, network traffic filtering, restrictive privileged-access policies, application whitelisting, and regular patching of critical systems.
Ransomware attacks are clearly on the rise. By one industry estimate, roughly 2 million cyberattacks in 2018 caused more than $45 billion in damages worldwide, about $8 billion of it attributable to ransomware, and ransomware damages are projected to reach $20 billion in 2021.