Gas Pipeline Shut Down After Ransomware Attack
Ransomware forced an unplanned shutdown of a US gas pipeline for two days. It's not yet clear if the attackers intended to have that effect.
The full details, including the identity of the pipeline and its operators, have been kept under wraps. The only official information that's been made public comes from a security alert bulletin by the Department of Homeland Security (DoHS). (Source: us-cert.gov)
The attack started as an all-too-familiar "spear phishing" attack. That's a deliberately targeted email that tries to fool somebody (typically someone who works for a corporation) into clicking on a rogue link, thinking it has been sent by a trusted source.
Malware Spread To Pipeline Computers
The link in question was in fact boobytrapped and installed malware on the pipeline operator's IT network. That's the network staff use to communicate and share information on their computers. The big problem was that insufficient technical security barriers meant the malware was able to spread to the operational technology network: the systems that control equipment for the pipeline. (Source: bbc.co.uk)
The attackers then hit both networks with what's described as "commodity ransomware," which is usually designed to encrypt files until the victim pays a ransom to regain full access.
According to the Department of Homeland Security, the attackers didn't gain access to, or take control of, the pipeline systems. The pipeline operators continued to have control of the operating equipment because the ransomware only affected Windows-based systems.
DoHS Criticizes Response Plan
The problem was that the ransomware did restrict the operators from being able to read data from some equipment, which could have posed a safety risk. That led to an intentional shutdown of the pipeline for two days during which full access was restored.
The DoHS says that as well as the lack of security barriers between the two networks, the operators had failed to develop a suitably comprehensive emergency response plan. The plan focused only on physical threats and did not pay enough attention to possible cyber attacks.
The DoHS security alert bulletin (in which this story is referenced) also states that anyone who owns and operates secure assets needs to put more thought into cyber attacks, make sure there's no single point of failure that could cut off access to operational data, and make clearer plans about when an event does or doesn't require a complete shutdown.
What's Your Opinion?
Are you surprised such an attack could have this big an effect? Is it realistic to stop phishing attacks succeeding or is it better to concentrate on containing the damage? Do you think intentional cyber attacks on infrastructure will become more common?