A cyberattack on a natural gas compression facility highlighted longstanding concerns that some pipeline operators are not deploying best practices to foil hackers.
The U.S. Department of Homeland Security revealed the attack on an unnamed pipeline system in a Feb. 18 alert. The attackers gained access to information technology systems, infecting them with ransomware that jumped to operational technology systems, or OT systems, which control industrial systems in factories, plants and infrastructure.
The company never lost control of industrial systems that control physical operations, and the attack only impacted OT systems at a single gas compression facility on the pipeline system. However, the operator shut down the pipeline system for about two days while it restored the affected systems from backup files.
The attack initially raised a high level of concern because cybersecurity analysts have warned that state-sponsored hackers are trying to penetrate industrial control systems at critical infrastructure facilities, such as electric utilities, refineries and pipelines. Successful attacks could allow these actors to shut down parts of the electric grid or cause a plant or pipeline accident.
In this case, cybersecurity company Dragos said the attacker did not attempt to intentionally "alter, modify, or degrade the integrity" of industrial control systems at the gas compression plant. Instead, the attack on the Microsoft Windows-based systems spread to some industrial operations because the company did not erect barriers between its IT and OT systems, Dragos said in a Feb. 19 blog post.
Dragos believed that the event was likely the same one identified by the U.S. Coast Guard on Dec. 16, 2019, based on information from sources and a comparison of details described in each report. In both cyberattack descriptions, the attacker convinced an employee to click a phishing link, allowing the hacker to plant ransomware, which locks down a company's information until the company pays to have it released.
Company failed to follow best practices
DHS' Cybersecurity and Infrastructure Security Agency identified the company's failure to segment its IT systems, which include front-office operations such as email, from its OT systems, which encompass industrial control systems.
Making matters worse, the company's emergency response plan did not specifically account for cybersecurity risks, and employees lacked decision-making experience in the event of an intrusion, DHS reported.
Industry groups have long promoted segmentation as a best practice. It involves using routers and firewalls to segment a network into different zones, known as subnets, according to Gabe Authier, director for product management at cybersecurity solutions company Tripwire. Segmenting allows companies to prevent viruses from spreading from one subnet to another, thereby limiting the impact of a cyber intrusion.
Some companies do not segment their network because it is easier to maintain an unsegmented system, or flat network, Authier said. In a segmented network, companies must apply software patches to each segment. In a flat network, a company can simply apply a blanket patch across the entire network.
The threat of ransomware jumping from IT to OT systems is not new. It occurred at some of the companies impacted by the worldwide WannaCry ransomware attack in 2017, Authier said.
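As an added illustration of the point Authier makes about segmentation, here is a small Python model of how far a self-propagating infection can travel across a flat network versus one split into IT and OT zones with a deny-by-default firewall between them. This is example code written for this article, not material from Dragos, Tripwire, DHS or the affected operator; the host inventory, zone names, ports and firewall rules are all constructed assumptions. Port 445 (SMB) is used as the propagation port because that is the service WannaCry spread over.

```python
"""Constructed model: blast radius of an infection on a flat vs. segmented network."""
from collections import deque

# Hypothetical host inventory: host name -> network zone. Not real pipeline assets.
HOSTS = {
    "it-workstation-01": "IT",
    "it-mailserver": "IT",
    "it-fileserver": "IT",
    "ot-hmi-01": "OT",
    "ot-historian": "OT",
    "ot-engineering-ws": "OT",
}

# Ports commonly abused for lateral movement (SMB and RDP); used by the audit below.
LATERAL_MOVEMENT_PORTS = {445, 3389}

# A flat network has no zone boundary: any host reaches any host on any port.
FLAT_POLICY = None

# Segmented network: an allow-list of (source zone, destination zone, port).
# Anything not listed is denied. These rules are constructed for the example.
SEGMENTED_POLICY = {
    ("IT", "IT", 445),   # file sharing inside the office network
    ("IT", "IT", 3389),  # remote desktop inside the office network
    ("OT", "OT", 445),   # file sharing inside the plant network
    ("IT", "OT", 443),   # only HTTPS from IT into OT (e.g. reading the historian)
}


def allowed(policy, src, dst, port):
    """Return True if the firewall policy lets `src` reach `dst` on `port`."""
    if policy is None:          # flat network: no enforcement at all
        return True
    return (HOSTS[src], HOSTS[dst], port) in policy


def simulate_spread(policy, initial_host, port):
    """Breadth-first propagation: every infected host tries to reach every
    other host on `port`; any host it can reach becomes infected too."""
    infected = {initial_host}
    queue = deque([initial_host])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in infected and allowed(policy, src, dst, port):
                infected.add(dst)
                queue.append(dst)
    return infected


def zones_hit(infected):
    """Sorted list of zones that contain at least one infected host."""
    return sorted({HOSTS[h] for h in infected})


def audit_it_to_ot(policy):
    """Defender's check: list any rule that lets IT reach OT on a
    lateral-movement port. An empty list means the IT/OT boundary holds."""
    if policy is None:
        return ["flat network: no IT/OT boundary at all"]
    return sorted(
        rule for rule in policy
        if rule[0] == "IT" and rule[1] == "OT" and rule[2] in LATERAL_MOVEMENT_PORTS
    )


if __name__ == "__main__":
    # Infection starts on an office workstation (the phishing victim) and spreads over SMB.
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = simulate_spread(policy, "it-workstation-01", 445)
        print(f"{name:>9}: {len(hit)}/{len(HOSTS)} hosts infected, zones {zones_hit(hit)}")
        print(f"{name:>9}: IT->OT audit findings: {audit_it_to_ot(policy)}")
```

Running the model shows the flat network losing every host in both zones, while the segmented policy confines the same infection to the three IT hosts. The `audit_it_to_ot` check is the part worth keeping in a real environment: adding a single `("IT", "OT", 445)` rule to the segmented policy reopens the path to the OT zone, and the audit flags exactly that rule before an incident does.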
Attack raises questions about regulation
Security risks linked to companies not following best practices such as segmenting are "very widespread, unfortunately," Authier said. The cyberattack revealed by DHS demonstrated that federal minimum standards similar to those imposed on electric transmission companies would boost pipeline safety, Authier said.
"Regulation doesn't equal security, but certainly it helps companies start going down what we call their cybersecurity journey," Authier said. "Right now, a lot of these companies clearly are pretty unsecure and not very mature when it comes to cybersecurity. Regulation, like it or not, it does help push companies to at least start that journey."
Credit rating agency Moody's and Federal Energy Regulatory Commission members Neil Chatterjee and Richard Glick have also called for minimum standards for pipeline operators. But the industry has long warned that regulation could make companies less willing to share information with the government because they would fear being sanctioned or fined.
The alert from DHS demonstrates the importance of such information sharing, said Gwendolyn Keyes Fleming, a partner at Van Ness Feldman who advises clients on cyber and physical threats to energy infrastructure. It also shows that companies need to consider cybersecurity in their incident response plans and train workers to avoid phishing attempts.
"I think this is evidence of the more general warnings that have been longstanding for years," she said. "I think those that want to do these kind of attacks, they're committed to doing them, and we need to remain vigilant in protecting our systems."