A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed.

The unnamed “natural gas compression” plant was first targeted with a spear-phishing email, allowing the attacker to access its IT and then pivot to its OT network, according to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The ransomware used was not named, but described as a “commodity” type designed to infect Windows systems, rather than the new strain spotted recently that had ICS-specific functions.

As such, it didn’t manage to impact any of the programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes. Still, the ransomware was able to compromise human machine interfaces (HMIs), data historians and polling servers on the OT network.

The victim organization was ill-prepared for such an attack: a worrying sign that some critical infrastructure providers still haven’t evolved their threat modelling to take account of modern black hat techniques.

Specifically, the organization failed to implement robust segmentation between IT and OT networks, allowing the attacker to infect both. It also did not build cyber-risk into its emergency response plan, focusing solely on threats to physical safety.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,” the CISA alert noted.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

CISA urged critical infrastructure organizations to: add cyber-risk planning to their incident response strategies, practice failover to alternate control systems, use tabletop exercises to train employees, identify technical and human points of failure for operational visibility and recognize the safety implications of cyber-attacks, among other steps.

Among the physical security controls it recommended were network segmentation, multi-factor authentication, regular data backups, least privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.