US Natural Gas Pipeline Operator Hit with Ransomware
According to an advisory from the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), networks at a natural gas compression facility were infected with ransomware. The incident is believed to be the same one reported by the US Coast Guard in December 2019. The initial vector of attack was a phishing email; the malware then made its way from an office computer through the IT network to the operational technology (OT) network.
Network isolation often includes the need to interact with and transfer data to other non-isolated systems. Using a trusted gateway or one-way link reduces the risks, and data transfer processes still need active anti-malware protections.
One should not pass up an opportunity to remind management that e-mail (and browsing) should be isolated from mission-critical applications. We cannot tolerate a situation where the cost of compromise of the enterprise is equal to that of social engineering any one of many users. Consider a combination of strong authentication, restrictive (as opposed to promiscuous or permissive) access control policy, and end-to-end application-layer encryption.
William Hugh Murray
Read more in:
US-CERT: Alert (AA20-049A) Ransomware Impacting Pipeline Operations
Ars Technica: A US gas pipeline operator was infected by malware--your questions answered
The Register: When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops
SC Magazine: CISA issues warns critical infrastructure sectors after successful ransomware attack on pipeline operator
ZDNet: DHS says ransomware hit US gas pipeline operator
Ars Technica: US natural gas operator shuts down for 2 days after being infected by ransomware
BBC: Ransomware-hit US gas pipeline shut for two days
Threatpost: U.S. Pipeline Disrupted by Ransomware Attack
Fifth Domain: Could this attack signal the future of ransomware?
The Hill: DHS warns of cyber threats to critical systems after attack on pipeline operator
NextGov: CISA Shares Details About Ransomware that Shut Down Pipeline Operator