We’ve written about this in the past, especially after malware such as Stuxnet spread like wildfire a few years back in Critical Infrastructure organizations. We also elaborated on the amount of damage that could be caused if control systems were compromised at things such as power and other critical plants. With the type of damage that is possible, it is no wonder that Critical Infrastructure continues to have a big target on its back when it comes to hackers looking to do harm. The good thing is that government agencies, like the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), continue to monitor and provide warnings to all industries that operate critical infrastructure about new cyber threats such as ransomware that show up.
So, it wasn’t a big surprise when an article surfaced recently discussing about a recent advisory that CISA had issued in response to a cyberattack targeting and unnamed natural gas compression facility. This attack used spear-phishing to deliver ransomware to the company’s internal network. Critical data ended up becoming encrypted and operations at the facility were down for almost two days as the organization initiated a deliberate operational shutdown which resulted in lost productivity and revenues.
The surprising thing about this attack was that it was limited to Windows-based systems and did not impact any programmable logic controllers (PLCs), which would be typical in this case in order to shut down critical control systems. The company was able to recover from the attack by retrieving and putting replacement equipment in with last-known-good configurations.
On the other hand, another article put out by the register, on this same incident, paints a less than rosy picture about how the attack was carried out. In their article, it was brought up that the malware that did the damage to this natural gas plant was “a common or garden strain of file-scrambling Windows ransomware” and, although it didn’t result in any physical damage to equipment of any of the PLCs that directly control the gas flow, it was spread from an office computer through the plant’s IT network to the operational network. According to the CISA, the plant’s operator fell short on separating its IT network from the operational systems of the plan, making it easier for the malware to move between the two networks when they really should have been isolated from one another, usually through some sort of air gap.
While malware infections at critical infrastructure organizations, such as oil and gas plants, have always been seen as potentially catastrophic, usually, the attackers utilize purpose-built malware and spyware to inflict as much damage as possible to the infrastructure. In this case, because of what could be seen as less than stellar security, “commodity” ransomware was able to do damage just by going through the network looking for Windows-based PCs to lock up.
So, in this sort of scenario, what can be done to help prevent attacks like these? Well, for one, it is probably best to ensure that there are air gaps put in place between IT networks and OT networks. At the same time, what can be done at the outset in order to prevent the spear-phishing attack from even entering the IT network in the first place? Critical Infrastructure organizations should consider putting in place solutions such as Wedge’s Advanced Malware Blocker (WedgeAMB).
Instead of relying on employees to be on the lookout and NOT click on potentially harmful links, as well as using a Detect and Remediate approach to security, WedgeAMB instead allows the organization to implement a DETECT and BLOCK approach. By detecting the phishing attack and blocking it BEFORE it even gets to the employees’ computers, it eliminates the possibility of further allowing the ransomware payload from getting downloaded and causing whatever damage it is looking to do! At Wedge, we’re trying to do our part to help secure Critical Infrastructure facilities by offering a FREE 90 day trial of our WedgeAMB product. Contact us at: info@wedgenetworks.com to find out more!
