The Radiflow Security Blog
The Cybersecurity and Infrastructure Security Agency (CISA) has recently reported a malware attack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.
Here’s what we know:
- The attacker used a spear-phishing link (email or electronic communication containing malware, and often ransomware) to enter the IT network as a pathway to the OT network.
- The ransomware was intended only to encrypt data on the IT and OT networks.
- While no PLCs were affected in the attack, Windows™ servers on the OT network hosting SCADA servers and HMIs were affected. The company managed to perform a controlled system shutdown, install replacement equipment and load last-known-good configurations.
- CISA officials confirmed that the threat actor never obtained the ability to control or manipulate operations during the attack.
- Although the direct operational impact of the attack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. The cyberattack resulted in an operational shutdown of the entire pipeline asset for approximately two days.
Behind the news:
- IT-to-OT: While full details of the attack have yet to be published, what’s clear is that it continues the trend of IT attackers increasingly targeting OT networks. Although this attack wasn’t aimed at the actual industrial process, the attackers did target the HMI, historian and other servers on the OT network.
- No network segmentation: This is another case of an OT network hit by malware intended for IT assets, joining the LockerGoga ransomware (which disrupted operations at a Norsk Hydro aluminium manufacturing facility by taking advantage of inherent IT network architecture vulnerabilities) as well as WannaCry, NotPetya and Industroyer, all of which have impacted OT networks in the past. Here too, the crossover malware took advantage of un-segmented or inadequately segmented IT-OT networks. A truly segmented network would require DPI-firewall separation of the corporate and operational networks to monitor incoming traffic, a strict access-authorization mechanism for specific assets (both for maintenance and to prevent malware from propagating between network segments), and ongoing monitoring of network traffic to detect any anomalous behavior that could indicate a breach attempt. Since recovery depends on restoring the encrypted data from a backup, a sound network segmentation plan should also segment the backup process.
- Business-driven risk analysis: the amount of risk an OT asset introduces into the network depends very much on its business process’ links to other business processes and to external resources. In this case, business-driven risk analysis would have zeroed in on the specific business process that links the infected SCADA server to key operations, and at the same time would have flagged that process as high-risk because of its links to external IT/Internet addresses.
- Bottom line: This attack could have been contained and prevented from breaching the OT network, and all malicious effects on the OT network—and thus on operations—could have been averted, had the correct risk-mitigation measures been put in place: finding and eliminating network vulnerabilities by means of ICS data-traffic analysis and threat simulation; DPI-firewalled access to sub-networks and business processes; and ongoing threat detection and network-activity monitoring for proactive cyber protection.