U.S. Gas Pipeline Shut Down for Days: Industrial Control Systems Infected by Malware

February 25, 2020 by Alessandro Mascellino

A ransomware infection shut down a US natural gas pipeline for two days last week, an advisory released by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed.

The attack began with a successful phishing attempt, which saw one of the company’s employees clicking on a link allowing attackers to obtain access to first IT systems and later OT networks.

Uncertain Damage Assessments

While extensive details about the attack have not been publicly disclosed, it is understood from the CISA’s advisory that when the “commodity ransomware” reached the OT network, it gained access to the physical processes of the facility, disabling control and communications gear.

According to the report, assets experiencing a loss of availability on the OT network included HMIs.

“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators,” the advisory reads.

However, the document also clarified that the attacker did not manage to achieve active access to any PLCs in charge of compression equipment.

“Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the advisory added.

As a result, the shutdown of these systems affected the entire “pipeline asset,” not just the compression facility. Normal operations, however, resumed after 48 hours.


Why Preventative Measures Are Critical

Commenting on the attack, the advisory pointed out that, despite the facility’s system structure remained relatively unscathed, the company lacked the necessary measures to tackle situations like this.

Once the facility was aware, they immediately shut down. The advisory stated, “the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures.”

This included a transition that took hours to go from fully operational to shutdown mode. Additionally, it was combined with increased physical security, and were deployed as the company’s response plan “did not specifically consider cyberattacks”, focusing instead only on the physical safety of its systems.


gas operations and control systems

Actuated control valve and valve positioner control by PLC to control the gas conditioning process. 


Another reason this may have happened is that there was a failure to implement effective segmentation defenses between the IT and OT networks. Because of this, the attackers were able to “traverse the IT-OT boundary and disable assets on both networks.”

According to CISA’s advisory, the victim facility confirmed the points above, citing gaps in cybersecurity knowledge as the main reason for failing to adequately produce effective emergency response planning against modern cyberattacks.


Potential Threat from Known Malware 

The report from CISA did not name the specific piece of malware that attacked the facility, only referring to it as “commodity ransomware”, a malicious software designed by hackers to be intuitive and easy enough to use for people without high-level computer security skills.

However, some sources have suspected the attack came from Ryuk, a widely known, dangerous ransomware. Ryuk specifically targets enterprise environments and would be managed only by the group under the name of WIZARD SPIDER.

While it cannot be confirmed that Ryuk was involved in this attack, it is critical for gas facilities and those operating the control systems to reconsider their cyber defense efforts if they want to effectively protect themselves from rapidly evolving cyber threats and malicious actors. 


For those running these industrial control systems, do you know if your company’s security measures are up to date?