A ransomware attack shut down a natural gas compressor station for two days causing a "loss of productivity and revenue," according to an alert last week from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The disruption represents a growing threat to the domestic energy sector, with more sophisticated attacks beginning to target the industrial control systems (ICS) which help to run electric grids and pipeline systems. The compressor station attack began on the information technology (IT) side of a pipeline company's operations, but spread to the operations technology (OT) side because of a lack of system segmentation, experts say.

Security analysts have seen a growth in malware targeting the OT side of energy operations and a new report from Dragos finds the cyber risk to ICS networks "continues to grow and remains at a high level."

IT to OT threats

Dragos's review of 2019 cyber threats found a growing number of hacker groups targeting ICS systems, and warned "ransomware and other malware infections continue to be a major issue across industrial operations."

That was the technique used by attackers to shut down operations at a gas pipeline compressor station, according to CISA. While the ransomware obtained initial access to the organization’s IT systems through a spearphishing attack, it was then able to "pivot" to the OT side, the agency said.

"Impacted assets were no longer able to read and aggregate real-time operational data," according to the government analysis of the attack. "Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations."

Security experts say the attack can serve as a warning for electric utilities — though they should have already insulated themselves from similar intrusions.

The malware spread from IT to OT "due to lack of network segmentation, which all electric utilities should already have in place," Phil Neray, vice president of industrial cybersecurity for security firm CyberX, told Utility Dive.

Electric utilities have the benefit of many years of critical infrastructure protection (CIP) standards developed by the North American Electric Reliability Corp. (NERC), Neray said. Those standards have helped to raise awareness about cyber risks and minimum best practices.

"But security professionals know that passing a compliance audit does not necessarily mean you're secure," Neray said, warning that electric utilities "should constantly be examining their security controls to ensure they've reduced the risk to an acceptable level."

Expert: Oil, gas operations may be more exposed than electric utilities

NERC does not release statistics regarding compliance with CIP standards, though it does audit utilities through its Compliance Monitoring and Enforcement Program. Utility Dive's 2020 State of the Electric Utility survey found less than 60% of respondents "believe their organization is in or approaching compliance with government cybersecurity mandates."

Natural gas systems are more automated and there can be unattended remote devices along the entire length of a pipeline, RunSafe Security CEO Joe Saunders told Utility Dive in an email.

"Most utilities don’t have IP enabled smart grid at any scale and SCADA is a little harder to attack," Saunders said. "But as they shift, they need protection in this area." Older operating and information systems need to be protected or upgraded, he added.

Oil and gas operations are likely more at-risk than the electrical generation facilities, according to Richard Henderson, head of global threat intelligence at cybersecurity firm Lastline. But he stressed that the successful compressor station attack was a failure of the organization to establish hard boundaries between its IT environment and its OT environment.

"It’s just as likely that this was a crime of opportunity by an overseas attacker than a targeted attack against a critical infrastructure player" Henderson told Utility Dive. "If you do not have very clear delineation and segregation from your regular IT infrastructure to the OT infrastructure where all your operations run, attacks like this are not an if, but a when."

In March 2019, a denial-of-service cyberattack targeted wind and solar assets in what is thought to have been the first attack on U.S. renewable generators.

Cybersecurity experts at the time said it revealed the utility sector was not sufficiently vigilant, as it struck a known vulnerability in an unpatched Cisco firewall.

Organizations need to begin immediately "getting their OT systems in a better place security-wise," Henderson said.

"It’s one thing when the HQ office PCs all go down from a commodity ransomware infection. It becomes something else altogether when things at the plant start doing things they shouldn’t," Henderson said.

'Chokepoints' can limit malware spread: Dragos security recommendations

Following news of the compressor station hack, Dragos released a series of recommendations for asset owners and operators to implement "to prevent the infection and spread of ransomware that could potentially impact ICS operations."

"Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space," Dragos said.

The security consultant also recommended: training employees to recognize and respond to phishing campaigns; developing strong network defenses between the IT and OT networks; creating "chokepoints" to limit malware spread; and keeping anti-virus signatures up to date.

In the compressor station hack, operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure, Dragos said. That allowed the impacts to spread beyond the attackers' initial targets.

"Even though CISA reporting indicates only one compression facility was directly targeted, overall pipeline operations ceased for two days during restoration from backup operational data and stored configuration files," the firm warned.

"Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space," Dragos also said.