A cyberattack on a single gas compression facility resulted in the shutdown of a natural gas pipeline for two days, according to a recent alert from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
CISA reported that it responded to a ransomware attack that adversely impacted control and communication assets on the facility’s operational technology (OT) network. “Ransomware” is malicious software that encrypts or otherwise blocks access to data, holding it “hostage” until the attacker’s demands (usually a financial ransom) are met. In this case, the attacker gained unauthorized access to the pipeline’s information technology (IT) network through a spearphishing link, then pivoted from the IT network into the organization’s OT network. The attacker deployed its ransomware payload on both the IT and OT networks, preventing some assets from processing real-time operational data and causing a partial loss of situational awareness for operators.
Although details on the attack are limited, the CISA alert highlights the unique operational challenges posed by cybersecurity incidents in the energy sector, which often involve multiple interdependent systems that must remain operationally reliable at all times. Owners and operators of critical energy infrastructure should consider the importance of the following issues raised in the CISA alert:
- Cyberincident Response: According to the CISA alert, the pipeline’s emergency response plan did not specifically address cyberattacks. As a result, the operator judged the event to be less severe than it was and implemented only limited emergency response measures. As a best practice, owners and operators of critical infrastructure should maintain dedicated cyberincident response processes. Initiating a controlled response through a playbook or other procedural mechanism is essential for properly diagnosing the impact of a cyberattack and guiding subsequent operational decision-making.
- Training and Security Awareness: The CISA alert suggests that the cyberattack was exacerbated by the pipeline operator’s “gaps in cybersecurity knowledge” and its failure to conduct cybersecurity response exercises. Cyberincident response programs should be supported by periodic training and security awareness communications. Training, such as tabletop exercises, gives operators the opportunity to exercise and refine their incident response plans before a real event. Security awareness communications further ensure that employees remain apprised of existing and emerging threats, such as the spearphishing attempts that provided the initial foothold in this incident.
- Critical System Interdependencies: Many energy infrastructure systems are automated and interdependent, which means the compromise of a less critical asset can still create an operational impact. In this case, although the ransomware never gave the attacker control of the pipeline’s physical operations, it nonetheless had a ripple effect: the loss of view at the affected facility forced the pipeline operator to suspend operations at other “geographically distinct” compression facilities as well, which ultimately led to a temporary shutdown of the entire pipeline.
- Limited OT Network Access Points: The attacker traversed the pipeline’s IT network and gained unauthorized access to its OT network because of the absence of “robust segmentation” between the two networks. As the CISA alert explains, maintaining a small number of well-guarded entry points into an OT network limits the damage from a compromised corporate or IT network, which, because it is exposed to email and the internet, is far more likely to be breached first. Segmentation is only effective if the remaining conduits (for example, a jump host or a demilitarized zone) are themselves tightly restricted to the specific sources, protocols and ports that operations actually require, and are monitored.
- Recovery and Supply Chain: The operator was able to recover from the attack by securing replacement equipment and loading last-known-good configurations, demonstrating the importance of regular configuration backups. Those backups are only useful if they are stored where the same ransomware cannot reach them, and are periodically tested. Energy sector operators should also consider engaging their vendors in advance to secure on-demand emergency services and access to spare or backup equipment, rather than waiting until an incident is under way.
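The segmentation point above is easiest to make concrete as a policy check on the firewall that sits between the IT and OT zones. The following is an added example, not part of the CISA alert or this article, and it does not describe the affected pipeline’s actual network. It assumes a hypothetical IT zone (10.10.0.0/16), OT zone (192.168.100.0/24), a single designated jump host (10.10.5.10) and a short list of approved services; it then audits a constructed ruleset and flags every “allow” rule that would let traffic from IT into OT other than from the jump host on an approved service.

```python
"""Audit an IT/OT boundary firewall ruleset against a 'few well-guarded
entry points' policy. Added illustration; the zones, jump host, approved
services and sample rules below are all constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical zones and the single approved conduit into OT.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")
JUMP_HOST = ipaddress.ip_network("10.10.5.10/32")
# Only these (protocol, port) pairs may be initiated from the jump host into OT.
ALLOWED_FROM_JUMP = {("tcp", 22), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Translate the 'any' keyword into the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def crosses_into_ot(rule: Rule) -> bool:
    """True if the rule could carry a connection initiated in IT and landing in OT."""
    return _net(rule.src).overlaps(IT_ZONE) and _net(rule.dst).overlaps(OT_ZONE)


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, reason) for every IT->OT allow that is not
    confined to the jump host on an approved service. Assumes a default-deny
    ruleset with explicit allows; it does not model shadowing by earlier rules."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or not crosses_into_ot(r):
            continue
        if not _net(r.src).subnet_of(JUMP_HOST):
            findings.append((i, "IT->OT allow not restricted to the jump host"))
        elif r.proto == "any" or r.port is None or (r.proto, r.port) not in ALLOWED_FROM_JUMP:
            findings.append((i, "jump host permitted a non-approved service into OT"))
    return findings


def ends_with_default_deny(rules: List[Rule]) -> bool:
    """A boundary ruleset should close with an explicit deny-all."""
    last = rules[-1]
    return last.action == "deny" and last.src == "any" and last.dst == "any"


# Constructed sample ruleset (not the pipeline's real configuration).
SAMPLE_RULES = [
    Rule("allow", "10.10.5.10/32", "192.168.100.0/24", "tcp", 22),    # approved: SSH from jump host
    Rule("allow", "10.10.5.10/32", "192.168.100.0/24", "tcp", 3389),  # RDP is not on the approved list
    Rule("allow", "10.10.0.0/16", "192.168.100.50/32", "tcp", 445),   # whole IT zone to a historian: flagged
    Rule("allow", "192.168.100.0/24", "10.10.20.0/24", "udp", 514),   # OT->IT syslog, not an entry point
    Rule("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_RULES):
        print(f"rule {idx}: {reason} -> {SAMPLE_RULES[idx]}")
    print("default deny present:", ends_with_default_deny(SAMPLE_RULES))
```

Run against the constructed ruleset, the check flags rule 1 (RDP from the jump host is not an approved service) and rule 2 (the entire IT zone may reach the historian over SMB), while leaving the approved SSH conduit and the outbound-only syslog rule alone. The same structure can be fed an exported ruleset from a real boundary firewall once the zones and approved conduits are filled in from the site’s own architecture.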