The alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency described a ransomware attack on an unnamed natural-gas pipeline operator that halted operations for two days while staff shut down, then restored, systems. The alert said that although staff never lost control of operations, the company had no plan in place for responding to a cyberattack.
“This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk,” a CISA spokesperson said.
This attack lacked the sophistication of the 2015 attack by Russia-linked hackers that knocked out utilities in Ukraine, said Brad Medairy, executive vice president and head of cyber and engineering at consulting firm Booz Allen Hamilton Inc. In this case, CISA said, the hackers used commodity ransomware rather than customized malware, and the systems were infected through a spearphishing attack, in which a specific person is tricked into clicking on a malicious link.
The attack penetrated computers running Microsoft Corp.'s Windows on both the pipeline company's operational-technology and information-technology networks. Windows machines are vulnerable if patches aren't current, which is often a problem at energy companies, Mr. Medairy said.
“In many cases, the environments lack the same rigor around patching that a traditional enterprise has,” he said. Lack of security staff who understand both IT and industrial systems can hamper protection efforts, he said.
The always-on nature of the energy sector can leave little time for system updates, said Kyle Miller, a senior industrial cybersecurity engineer for Booz Allen. Plus, while typical businesses upgrade laptops and servers every few years, the industrial machines that pump out electricity or supply fuel to infrastructure were built to run for decades, he said.
Though common business systems, such as Windows servers, are making their way to the operations side, he said, “There’s still a mentality of, it’s not broke, don’t fix it.”
Replacing these systems is expensive and time-consuming, said Matt Devost, chief executive of Ooda LLC, which tests industrial systems for cyber vulnerabilities, adding that the result of cobbling together various systems is that security is often an afterthought.
While larger operators tend to have a more rigorous approach to security, he said, some smaller companies operate systems so fragile that even testing can break them. They can also be difficult to maintain and patch as the technologies often aren’t designed to work together, he added.
“It doesn’t strike me as a surprise that off-the-shelf ransomware would be effective in that type of environment,” he said.
Separating networks for IT from those for operational technology is one way to stop attacks from spreading. But segmentation is more difficult now than in the past, Mr. Medairy of Booz Allen said.
Power and energy companies increasingly want to analyze in real time data coming in from sensors on meters and other field equipment. That information is collected on the operations side and transmitted to IT systems, sometimes continuously. “The line between OT and IT is blurring. It’s certainly not an impossible problem to solve but it’s more of a challenge to introduce true segmentation,” Mr. Medairy said.
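One way to check that segmentation actually holds once sensor data is flowing from OT into IT is to audit observed traffic against the intended zone policy rather than actively scanning fragile control systems. The following is an added example, not code from CISA or from the article's sources: it assumes a three-zone design (IT, a DMZ holding the historian or data relay, and OT), a constructed address plan, a hypothetical allowed-flow table in which field data moves OT-to-DMZ and IT only reads from the DMZ, and constructed flow records in a simple "ts src dst proto dport" shape.

```python
"""Audit observed network flows against an IT/OT segmentation policy.

Added example; not code from the CISA alert or from the article's sources.
The zone address plan, the allowed-flow table and the log records below are
all constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# Constructed address plan: one subnet per zone (assumption).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # historian / data relay
    "OT":  ipaddress.ip_network("10.30.0.0/16"),   # PLCs, HMIs, engineering hosts
}

# Allowed inter-zone flows as (src_zone, dst_zone, proto, dst_port).
# Field data goes OT -> DMZ only; IT reads from the DMZ. No rule permits
# IT -> OT or DMZ -> OT, so a phished IT workstation has no path into OT.
POLICY = {
    ("OT", "DMZ", "tcp", 8883),   # telemetry push (MQTT over TLS)
    ("OT", "DMZ", "tcp", 5432),   # historian replication
    ("IT", "DMZ", "tcp", 443),    # analytics dashboards read from the DMZ
}

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_flow(line):
    """Parse one constructed 'ts src dst proto dport' record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def zone_of(ip):
    """Map an address to its zone name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow):
    """Return None if the flow is permitted, else a short reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside this policy
    if (src_zone, dst_zone, flow.proto, flow.dport) in POLICY:
        return None
    return f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in policy"


def audit(lines):
    """Return [(flow, reason)] for every record that breaks the policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = """
# ts src dst proto dport
1600000000 10.30.4.12 10.20.0.10 tcp 8883
1600000001 10.10.7.33 10.20.0.10 tcp 443
1600000002 10.10.7.33 10.10.9.5 tcp 445
1600000003 10.10.7.33 10.30.4.12 tcp 445
1600000004 10.10.7.33 10.30.4.20 tcp 502
1600000005 10.20.0.10 10.30.4.20 tcp 22
1600000006 192.168.99.1 10.30.4.20 tcp 502
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
```

Run against the constructed records, the audit flags the IT workstation reaching an OT host on SMB and Modbus, the DMZ relay opening SSH into OT, and a source outside the address plan, while the OT-to-DMZ telemetry push and the IT-to-DMZ read pass. Because it works from exported flow records, it can be run continuously without sending a single packet at the control systems that, as noted above, may not survive active testing.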
CISA and the Transportation Security Administration began a pipeline cybersecurity initiative in 2018 and have released guidelines on best practices, but these are voluntary. In-person assessments conducted by the two agencies require the consent of the operator.
Technology is only one aspect of resilience, Mr. Devost said. When he worked as a hacker for the Defense Department, he said, his team had to consider how the department would remain able to engage in combat operations during a cyberattack. Energy companies should ask themselves the same question, he said.
“For some infrastructure, this idea that you can take yourself offline is not viable. You have to figure out how you sustain operations in light of an attack taking place,” he said.