How do you prevent a ransomware incident?

In February 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that ransomware impacted a U.S. pipeline operator. At one of the natural gas compression facilities of an undisclosed operator, both IT and ICS assets were affected by the malware, and this resulted in a ‘loss of view’ on the process. I interviewed our cybersecurity specialists about this cybersecurity attack and how you can prevent it at your plant.

What was the result of this cybersecurity attack?

The attack used commodity ransomware that impacted only Microsoft Windows-based systems such as HMIs and historians. Controllers, PLCs and other level 1 equipment were not affected. It was also reported that the attacker did not have remote control of operations. So even though the control layer was not affected, the disabled HMIs resulted in a ‘loss of view’. The operator then deliberately started a controlled shutdown of the facility. Due to pipeline transmission dependencies, this resulted in a production stop of the entire pipeline for two days.

Were both the IT and OT networks infected?

After analysis by security researchers, it appears this incident was not specifically targeted at the ICS system. Nevertheless, it impacted a compression facility. The initial infection was via the IT network and due to a weak separation between the IT and OT networks, the ransomware also affected Windows-based ICS systems.

This risk applies to many ICS networks as most systems rely on Windows-based systems and have connections with the business IT network. Also, when attackers target the IT network of a company the attached OT network can be affected as collateral damage.

Tell me about this malicious ransomware and the ransom money that’s been paid?

The malware was identified as the ‘Ryuk’ ransomware, currently one of the most damaging pieces of ransomware. For reference, the attackers earned over $3.5 million USD in paid ransoms, making it a lucrative business. The operational damage is of course far greater. The malware is designed to target enterprise environments, not individual systems. Therefore, it must be manually installed and operated by the attackers.

How did these hackers operate?

The initial attack was a phishing mail containing a malicious link. From there the attackers used various tools like PowerShell, Empire, and PsExec for internal reconnaissance, obtaining account privileges, and distributing the Ryuk malware on the network. Remote Desktop Protocol (RDP) was used for lateral movement to finally obtain access to a domain controller. From there, batch scripts were pushed to all domain-joined systems to terminate services (such as anti-virus), remove backups, and finally start the ransomware encryption.

How do we protect our plants against this kind of cybersecurity attack?

These are the top 6 recommendations from our cybersecurity specialists:

1. Keep employees trained and focused on recognizing phishing emails, and question whether current policies, such as an annual half-hour video training, are enough.

2. Strong IT and OT network separation is critical in reducing the risk of IT network compromises also affecting the OT networks:

   - Keep Windows domains separated and configure extremely strict firewalls between both networks.

   - Implement enhanced IT/OT network monitoring.

3. As this type of malware is not installed and distributed automatically, it will take the attackers some time on the network to prepare. Several of the steps described earlier could have been detected by monitoring software.

4. A fast incident response could have prevented the attack from doing actual damage. An IT/OT Security Operations Centre (SOC) would be a good example.

5. Besides creating backups, also create a disaster recovery plan in case every system becomes unavailable at the same time. Test and train these plans in simulations or tabletop exercises.

6. Keep anti-virus up-to-date and maintain patch levels of operating systems and all other applications.
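The steps listed under ‘How did these hackers operate?’ and the monitoring advice in recommendations 2 and 3 can be illustrated with a small correlation script. The Python example below is added here and is not code from the original post or from Yokogawa. The log lines it parses are constructed for the example (a simplified pipe-separated form, not a real Windows event export), and the indicator patterns are assumptions about what host monitoring would look for: PsExec service installation, interactive RDP logons, scripted backup removal and service termination, and suspicious PowerShell launches. The point it makes is that any one of these events is routine on many networks, whereas the same host tripping several stages of the chain is what a SOC should act on.

```python
"""
Added example (not from the original post): correlate host events that
correspond to the intrusion chain described in the interview. Log format and
indicator patterns are assumptions made for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "timestamp | host | event_id | details", one event per
# line. A simplified stand-in for Windows Security/System events, not a real export.
SAMPLE_LOG = r"""
2020-02-10T08:01:12 | WS-042  | 4688 | NewProcess=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 omitted>
2020-02-10T08:05:40 | HIST-01 | 4624 | LogonType=10 Account=corp\svc-backup Source=10.1.5.23
2020-02-10T08:06:02 | HIST-01 | 7045 | ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2020-02-10T08:06:30 | HIST-01 | 4688 | NewProcess=C:\Windows\System32\cmd.exe CommandLine=cmd /c vssadmin delete shadows /all /quiet
2020-02-10T08:06:31 | HIST-01 | 4688 | NewProcess=C:\Windows\System32\net.exe CommandLine=net stop AntivirusSvc /y
2020-02-10T08:07:00 | DC-01   | 4624 | LogonType=10 Account=corp\svc-backup Source=10.1.5.23
2020-02-10T09:15:00 | HMI-03  | 4688 | NewProcess=C:\Windows\System32\notepad.exe CommandLine=notepad.exe shift.txt
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    event_id: str
    details: str


@dataclass(frozen=True)
class Rule:
    name: str
    event_id: str          # event type the rule applies to
    pattern: re.Pattern    # searched against the details field
    stage: str             # step of the intrusion chain it indicates


# Indicator patterns are assumptions for this example, modelled on the techniques
# the interview names (PowerShell/Empire, PsExec, RDP, scripts that stop services
# and remove backups).
RULES = [
    Rule("suspicious-powershell", "4688",
         re.compile(r"-EncodedCommand|-enc\b|-WindowStyle\s+Hidden|DownloadString", re.I),
         "tooling (PowerShell / Empire)"),
    Rule("psexec-service-install", "7045",
         re.compile(r"ServiceName=PSEXESVC\b", re.I),
         "remote execution (PsExec)"),
    Rule("rdp-interactive-logon", "4624",
         re.compile(r"\bLogonType=10\b"),
         "lateral movement (RDP)"),
    Rule("backup-removal", "4688",
         re.compile(r"vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog", re.I),
         "preparation: remove backups"),
    Rule("service-termination", "4688",
         re.compile(r"\b(net|sc)\s+stop\b|\btaskkill\b", re.I),
         "preparation: terminate services"),
]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, details = (part.strip() for part in line.split("|", 3))
        events.append(Event(ts, host, event_id, details))
    return events


def match_rules(events: list[Event]) -> list[tuple[Event, Rule]]:
    """Return every (event, rule) pair where the rule fires."""
    return [(ev, rule) for ev in events for rule in RULES
            if ev.event_id == rule.event_id and rule.pattern.search(ev.details)]


def hosts_with_chain(hits: list[tuple[Event, Rule]], min_stages: int = 2) -> dict[str, list[str]]:
    """Hosts on which at least `min_stages` distinct chain stages were observed."""
    stages: dict[str, set[str]] = defaultdict(set)
    for ev, rule in hits:
        stages[ev.host].add(rule.stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


def main() -> None:
    hits = match_rules(parse_log(SAMPLE_LOG))
    for ev, rule in hits:
        print(f"{ev.ts} {ev.host:<8} {rule.name:<24} -> {rule.stage}")
    print()
    for host, stages in hosts_with_chain(hits).items():
        print(f"ALERT {host}: {len(stages)} chain stages observed: {', '.join(stages)}")


if __name__ == "__main__":
    main()
```

Run as a script, it lists the six individual rule hits and then raises a single alert for HIST-01, the historian on which the RDP logon, PsExec service install, backup deletion and service stop all occur within a minute; the lone RDP logon on DC-01 and the PowerShell launch on WS-042 are reported but not escalated on their own. In a real deployment the same logic would read from the SIEM or from Windows event forwarding, and the `min_stages` threshold would be tuned per network segment (stricter on the OT side, where RDP and PsExec should be rare).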

Would you like more information?

Contact the cybersecurity specialists Mark Hellinghuizer and Mirsad Murtic of Yokogawa via IndustrialThreatAnalysis@nl.yokogawa.com and sign up for our cybersecurity newsletter to learn about cyber threats, vulnerabilities and proposed countermeasures for the Operational Technology domain.
