A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesday’s advisory from the DHS’ Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection didn’t spread to programmable logic controllers, which actually control compression equipment, and it didn’t cause the facility to lose control of operations, Tuesday’s advisory said. The advisory explicitly said that “at no time did the threat actor obtain the ability to control or manipulate operations.”

Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes.

“Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers,” CISA officials wrote. “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”

Facility personnel implemented a “deliberate and controlled shutdown to operations” that lasted about two days. “Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the advisory said. As a result, the shutdown affected the entire “pipeline asset,” not just the compression facility. Normal operations resumed after that.

Security lapses

The advisory disclosed several lapses in the facility’s security regimen. The first lapse involved inadequacies in the facility’s emergency response plan, which “did not specifically consider cyberattacks.” Instead, the plan focused on threats to physical safety.

“Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” the advisory stated. “These included a four-hour transition from operational to shutdown mode combined with increased physical security.”

Another gap was a failure to implement robust segmentation defenses between the IT and OT networks. As a result, the infection was able to “traverse the IT-OT boundary and disable assets on both networks.”

The full “planning and operations" section of the advisory were:

At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.

The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.

Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.

Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.

The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

The advisory comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as Ekans intentionally tampered with industrial control systems that gas facilities and other critical infrastructure rely on to keep equipment running reliably and safely.

There’s no evidence the malware that hit the gas-compression facility was Ekans. Tuesday’s advisory doesn’t identify the specific piece of ransomware that was used. Researchers from Dragos didn’t immediately respond to questions. This post will be updated if a response comes later.