February 21, 2020
DHS Issues Ransomware Alert After Attack on Gas Pipeline
A recent ransomware attack shut down a US natural gas compression facility for two days. According to the alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the ransomware entered the facility’s network via a phishing email. While the facility did not lose total control of its operations, the attack still knocked out crucial parts of its operation.
According to CISA, the victim had failed to implement robust segmentation between its IT and OT networks, which allowed the attackers to traverse the IT-OT boundary and disable assets on both networks. To avoid a similar situation, CISA recommends:
Planning and Operational Mitigations
- Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.
- Exercise the ability to failover to alternate control systems, including manual operation while assuming degraded electronic communications. Capture lessons learned in emergency response playbooks.
- Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks.
- Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised.
- Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities.
- Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program.
- Ensure the organization’s security program and emergency response plan consider third parties with a legitimate need for OT network access, including engineers and vendors.
To learn more about the current state of ransomware and other cybersecurity threats to businesses, check out Datto’s State of the Channel Ransomware Report. In this report, you’ll find new data on ransomware attack frequency across SMBs and MSPs, ransomware defense measures MSPs are implementing, popular ransomware recovery methods, and more.