The Department of Homeland Security has reported that an unnamed US natural gas company was forced to shut down a compression facility for roughly two days after being infected with ransomware. The attacker used a spear-phishing link to gain initial access to the company's Information Technology (IT) network, then pivoted into the Operational Technology (OT) network and deployed ransomware on Windows-based hosts in both, including human-machine interfaces (HMIs), data historians and polling servers. While the ransomware was not named, DHS's Cybersecurity and Infrastructure Security Agency (CISA) described it as commodity ransomware designed to target Windows systems. The CISA report also states that the company was not well prepared for a cyber-attack: its emergency response plan focused on physical emergencies and did not specifically account for cyber-attacks, so the decision to shut down was made as a precaution once visibility into operations was lost. Fortunately, the ransomware did not impact any programmable logic controllers (PLCs), the devices that directly read and manipulate physical processes, and the operator never lost control of operations.
Cyber-risk planning should be taken seriously, especially by companies involved in critical infrastructure. Most malware is delivered through email, compromised web browsers, or unpatched server vulnerabilities on the IT network, so on a flat network a single phished workstation can become an OT outage. It is extremely important for critical infrastructure organizations to segment the OT network and its physical device controllers from the IT network used by employees, permitting only the specific, documented flows that operations actually require across that boundary. It is also important to monitor workstations and respond to threats quickly. Binary Defense's Security Operations Center (SOC) manages a company's endpoints by having real people monitor for intrusions in real time, so corporations stay ahead of security issues and are alerted as soon as something suspicious takes place. CISA's alert also recommends technical mitigations including network segmentation, multi-factor authentication, regular data backups, least-privilege access policies, anti-phishing filters, anti-virus, application whitelisting, network traffic filtering and regular patching. These are all best practices that belong in a defense-in-depth strategy, which keeps the network protected even when attackers evade some individual defenses. To read the full CISA report, visit: https://www.us-cert.gov/ncas/alerts/aa20-049a
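As an added illustration of the segmentation recommendation above (this is example configuration written for this post, not from CISA's alert or from Binary Defense), the nftables ruleset below describes a Linux firewall sitting on the IT/OT boundary. It default-denies traffic crossing the boundary, allows only two named flows, and explicitly logs and drops the SMB, RPC and WinRM ports that ransomware and its operators use to move laterally. The interface names, subnets and host addresses (eth0 facing IT at 10.10.0.0/16, eth1 facing OT at 10.20.0.0/16, an engineering workstation subnet at 10.10.50.0/24, a jump host at 10.20.0.5, a historian at 10.20.0.10 and an IT-side collector at 10.10.5.20) are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Hypothetical IT/OT boundary firewall ruleset (added example; addresses and
# interface names are assumptions, not values from the CISA alert).
#   eth0 = IT/corporate side (10.10.0.0/16)
#   eth1 = OT side           (10.20.0.0/16)

flush ruleset

table inet it_ot_boundary {
    chain forward {
        # Default-deny for every packet routed between the two interfaces.
        type filter hook forward priority 0; policy drop;

        # Let replies to already-permitted sessions through in both directions.
        ct state established,related accept

        # Discard packets that do not belong to any tracked connection.
        ct state invalid drop

        # The weak setting this ruleset replaces is a flat network, which in
        # nftables terms would be:
        #   iifname "eth0" oifname "eth1" accept
        # With that rule a phished IT workstation can reach every OT host.

        # IT -> OT: only the engineering workstation subnet may open sessions,
        # only to the hardened jump host, and only over SSH or RDP.
        iifname "eth0" oifname "eth1" ip saddr 10.10.50.0/24 ip daddr 10.20.0.5 tcp dport { 22, 3389 } ct state new accept

        # IT -> OT: lateral-movement protocols are never allowed into OT,
        # and every attempt is logged so the SOC sees the pivot attempt.
        iifname "eth0" oifname "eth1" tcp dport { 135, 139, 445, 5985, 5986 } log prefix "IT2OT-LATERAL-DENY " drop

        # OT -> IT: the historian may push data to the IT-side collector only.
        iifname "eth1" oifname "eth0" ip saddr 10.20.0.10 ip daddr 10.10.5.20 tcp dport 5432 ct state new accept

        # Anything else crossing the boundary is logged and dropped.
        log prefix "IT-OT-BOUNDARY-DENY " drop
    }
}
```

Load the ruleset with `nft -f` on the boundary host and ship the kernel log lines carrying the `IT2OT-LATERAL-DENY` and `IT-OT-BOUNDARY-DENY` prefixes to the SOC: a burst of denied SMB or RDP attempts from an IT host toward OT addresses is exactly the signal that distinguishes an ordinary IT infection from an attacker pivoting toward the plant.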