Again, another phishing email. This time the attackers went after a natural gas operator in the US. The attack was aimed at the Industrial Control System (ICS), affecting "crucial real-time operational data from control and communication equipment," according to the Department of Homeland Security. The malware invaded the Operation Technology (OT) network through the Information Technology (IT) network. Basically, the software infected the servers that monitor physical tasks. The Department of Homeland Security's advisor made clear that the company did not lose control of its compression equipment at any time. The attackers were never in control of the facility's operations. In short, they only reduced the gas operator’s ability to monitor its physical processes using its control systems.
When facility personnel realized they were under attack, they initiated a "deliberate and controlled shutdown." This affected all the facilities connected to the same pipeline. It took approximately two days to regain control and return to normal operations.
The Department of Homeland Security has produced a list of security flaws at the facility. For instance, the current emergency response plan did not address cyberattacks. So, employees did not know what to do when the attack occurred. The staff made real-time decisions using their own best judgment. They decided to treat the attack as less severe than the ones enumerated in their emergency response plan. Also, employees were not armed with a clear decision-making process for dealing with this type of attack. Finally, the report mentioned that the operator had not implemented cybersecurity measures to prevent malware moving from IT to OT networks. from one to the other.
This is one of the first attacks in the United States aimed directly at industrial control systems. A few months ago, malware called Ekans was discovered which primarily targets ICS. This new software is not only capable of encrypting data but also shuts down ICS processes before locking down the system.