On Feb. 19, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA20-049A) that specifically drew attention to a serious ransomware attack that knocked an American fuel pipeline offline for two days. The gas pipeline ransomware attack, according to CISA, originated in a spear-phishing email to an employee. The threat actor was able to leverage the initial access to the IT sphere, via the email, to then enter the OT network and deploy a commodity ransomware.
Once the ransomware took effect, the threat actor was able to affect the OT network by making certain elements unavailable including “human-machine interfaces (HMIs), data historians, and polling servers.” More specifically, as CISA words it in their alert, “impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”
In an analysis of the attack, CISA was able to zero-in on the specific factors that allowed the attacker to do as much damage as they did. The IT and OT networks, for instance, were not segmented, which obviously allowed the attacker to disrupt both networks with ease. Even though the attack specifically affected one facility, the two-day shutdown occurred because, as the report states, “geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.”
The most egregious error, however, seems to stem from the unnamed facility’s cyber-incident plan. According to CISA, “the victim’s emergency response plan did not specifically consider the risk... Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.” As a result of this, CISA gave a detailed step-by-step mitigation plan for any at-risk facilities vital to U.S. energy infrastructure. Some of the fixes include exercising the “ability to failover to alternate control systems” and identifying “single points of failure (technical and human) for operational visibility.”
Any key point of a nation-state’s infrastructure, be it energy or otherwise, will come under attack at some point. As this incident proves, the U.S., in particular, is not prepared for a large-scale cyberattack. Those in charge of decision-making, more specifically cybersecurity policy, need to use this incident as a wakeup call.
Featured image: Wikimedia