Critical Infrastructure: Another Key Target for Ransomware Attacks


We’ve written about this in the past, especially after malware such as Stuxnet spread like wildfire a few years back through Critical Infrastructure organizations.  We also elaborated on the amount of damage that could be caused if the control systems at power plants and other critical facilities were compromised.  With that kind of damage possible, it is no wonder that Critical Infrastructure continues to have a big target on its back for hackers looking to do harm.  The good thing is that government agencies, like the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), continue to monitor new cyber threats such as ransomware as they emerge and to warn all industries that operate critical infrastructure about them.

So, it wasn’t a big surprise when an article surfaced recently discussing an advisory that CISA had issued in response to a cyberattack targeting an unnamed natural gas compression facility.  This attack used spear-phishing to deliver ransomware to the company’s internal network.  Critical data ended up encrypted, and operations at the facility were down for almost two days as the organization initiated a deliberate operational shutdown, which resulted in lost productivity and revenue.

The surprising thing about this attack was that it was limited to Windows-based systems and did not impact any programmable logic controllers (PLCs), which is what an attacker would typically go after in order to shut down critical control systems.  The company was able to recover from the attack by obtaining replacement equipment and putting it in place with last-known-good configurations.

On the other hand, another article on this same incident, put out by The Register, paints a less than rosy picture of how the attack was carried out.  Their article points out that the malware that did the damage to this natural gas plant was “a common or garden strain of file-scrambling Windows ransomware” and, although it didn’t result in any physical damage to equipment or to any of the PLCs that directly control the gas flow, it spread from an office computer through the plant’s IT network into the operational network.  According to CISA, the plant’s operator fell short on separating its IT network from the plant’s operational systems, making it easier for the malware to move between the two networks when they really should have been isolated from one another, usually through some sort of air gap.

While malware infections at critical infrastructure organizations, such as oil and gas plants, have always been seen as potentially catastrophic, usually, the attackers utilize purpose-built malware and spyware to inflict as much damage as possible to the infrastructure.  In this case, because of what could be seen as less than stellar security, “commodity” ransomware was able to do damage just by going through the network looking for Windows-based PCs to lock up.
So, in this sort of scenario, what can be done to help prevent attacks like these?  Well, for one, it is probably best to ensure that there are air gaps put in place between IT networks and OT networks.  At the same time, what can be done at the outset in order to prevent the spear-phishing attack from even entering the IT network in the first place?  Critical Infrastructure organizations should consider putting in place solutions such as Wedge’s Advanced Malware Blocker (WedgeAMB).  
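One way to make the IT/OT separation point concrete is to audit the boundary firewall rather than assume the zones are isolated. The script below is an added example written for this post; it is not Wedge’s code, not WedgeAMB, and not from the CISA advisory. The zone address ranges, the two rule sets and the port list are all constructed for illustration. It evaluates a first-match rule list for a representative office host talking to a representative PLC on the ports commodity Windows ransomware uses to spread (SMB, RPC, RDP, WinRM) plus two common ICS protocol ports, so a flat network like the one described above shows up as a list of permitted flows, while a segmented ruleset with a default deny shows up as empty.

```python
"""IT/OT segmentation audit (constructed example, not the plant's or Wedge's configuration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones; a real plant has its own addressing plan.
IT_ZONE = ip_network("10.10.0.0/16")       # office workstations, mail, file servers
DMZ_ZONE = ip_network("10.20.0.0/24")      # historian / jump host between IT and OT
OT_ZONE = ip_network("192.168.100.0/24")   # PLCs, HMIs, engineering workstations

# Ports ransomware commonly uses to move laterally on Windows networks, plus
# two ICS protocol ports that should never be reachable from office machines.
PROBE_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM",
               502: "Modbus/TCP", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None matches any destination port


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first rule matching the flow; unmatched flows are denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"  # implicit default deny at the end of the list


def audit_it_to_ot(rules: List[Rule]) -> List[Tuple[int, str]]:
    """List the probe ports on which an office host can reach a PLC.

    An empty list means the IT and OT zones are isolated for these ports.
    """
    src = str(IT_ZONE[10])   # any representative office workstation
    dst = str(OT_ZONE[10])   # any representative PLC / HMI
    return sorted((port, name) for port, name in PROBE_PORTS.items()
                  if first_match(rules, src, dst, port) == "allow")


# Weak configuration: a single permit-any rule, i.e. a flat network with no boundary.
FLAT_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]

# Corrected configuration: explicit denies between IT and OT come first, and the
# only traffic that crosses the boundary goes through the DMZ historian.
SEGMENTED_RULES = [
    Rule("deny", str(IT_ZONE), str(OT_ZONE)),
    Rule("deny", str(OT_ZONE), str(IT_ZONE)),
    Rule("allow", str(DMZ_ZONE), str(OT_ZONE), 502),   # historian polls PLCs over Modbus
    Rule("allow", str(IT_ZONE), str(DMZ_ZONE), 443),   # office users read historian dashboards
]


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        exposed = audit_it_to_ot(rules)
        print(f"{label:>9}: IT->OT reachable on {exposed or 'nothing'}")
```

Putting the deny rules ahead of any allow means a later, overly broad allow added by mistake cannot silently reopen the path from office PCs to the PLCs, which is the path the ransomware in this incident took. The same evaluator can be extended to walk every zone pair and every listed port if a site wants a fuller report.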

Instead of relying on employees to be on the lookout and NOT click on potentially harmful links, and instead of a Detect and Remediate approach to security, WedgeAMB allows the organization to implement a DETECT and BLOCK approach.  By detecting the phishing attack and blocking it BEFORE it even reaches the employees’ computers, it prevents the ransomware payload from ever being downloaded and causing whatever damage it is looking to do!  At Wedge, we’re trying to do our part to help secure Critical Infrastructure facilities by offering a FREE 90 day trial of our WedgeAMB product.  Contact us at: to find out more!

About Wedge Co-founder, CEO & CTO

Hongwen Zhang, Co-founder, Chief Executive Officer & Chief Technical Officer.  A co-founder of Wedge Networks, Inc., Dr. Zhang previously co-founded the 24C Group Inc., which pioneered the first digital receipts infrastructure for secure electronic commerce, and was a principal of Servidium Inc., a global leader in agile development methodology. He holds a Ph.D. in Computer Science and an M.Sc. in Computer Engineering. Throughout his 25+ year career and leadership in the enterprise software industry, Dr. Zhang has been instrumental in launching several commercially successful cyber security and safety products into the global market. This has resulted in successful customer adoptions; from his involvement in the Digital Receipt Infrastructure (with the 24C Group, and later Axway), through his work with companies such as Valmet/Telvent (now Schneider), and Servidium (acquired by ThoughtWorks Inc.). Dr. Zhang served as the Chair of the Metro Ethernet Forum’s (MEF) Security-as-a-Service working group, which defined the practices of Managed Security Service Providers (MSSPs) for many of the largest telecom service providers in the world. He is a well-respected speaker and writer in the areas of security and cloud computing. As a co-founder of Wedge Networks, Dr. Zhang has led the design, implementation, and launch of the firm’s patented, award-winning Deep Content Inspection and Security Services Orchestration platform.