posted by martyb on Thursday February 20 2020, @06:57AM
from the blames-Jumpin'-Jack-Flash dept.

US natural gas operator shuts down for 2 days after being infected by ransomware:

A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesday's advisory from the DHS' Cybersecurity and Infrastructure Security Agency, or CISA, didn't identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility's IT network to the facility's OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as "commodity ransomware."

The infection didn't spread to programmable logic controllers, which actually control compression equipment, and it didn't cause the facility to lose control of operations, Tuesday's advisory said. The advisory explicitly said that "at no time did the threat actor obtain the ability to control or manipulate operations."

Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes.

[...] Facility personnel implemented a "deliberate and controlled shutdown to operations" that lasted about two days. "Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies," the advisory said. As a result, the shutdown affected the entire "pipeline asset," not just the compression facility. Normal operations resumed after that.

Also at Threatpost.

  • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @07:05AM (2 children)

    by Anonymous Coward on Thursday February 20 2020, @07:05AM (#960222)

    Why don't those good-for-nothing congresscritters regulate 'ransomware on a computer is illegal', increase the jail time and be done with it once and for all? Do they wait for a national security crisis to shine or what?

    I mean, look, if π can be regulated to a more friendly value of 3, this should be a piece of cake. And, while at it, they should repeal those pesky laws of thermodynamics; this is serious red tape that prevents cheap energy and jobs for Americans.
    MAGA!

    (large grin)

    • (Score: 1) by khallow on Thursday February 20 2020, @11:27AM

      by khallow (3766) Subscriber Badge on Thursday February 20 2020, @11:27AM (#960252) Journal
      I have to agree. Why aren't our lawmakers making it illegal to do illegal things? We need more "This time we mean it" laws!
    • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @02:05PM

      by Anonymous Coward on Thursday February 20 2020, @02:05PM (#960276)

      Uh... Maybe because of this?

      https://en.wikipedia.org/wiki/Electronics_right_to_repair [wikipedia.org]
      https://repair.org/ [repair.org]

      What? It's not about ransomware?
      But "if you want your [item] back in working condition you have to pay us, or Else..."
      No? Oh, ok, my bad. Sorry. :D

      CYA

  • (Score: 5, Insightful) by coolgopher on Thursday February 20 2020, @07:44AM (6 children)

    by coolgopher (1157) on Thursday February 20 2020, @07:44AM (#960227)

    DO NOT CONNECT SCADA* SYSTEMS TO THE INTERNET!

    *) System Control And Data Acquisition

    • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @08:15AM

      by Anonymous Coward on Thursday February 20 2020, @08:15AM (#960229)

      I just wanted to thank you for the parenthesis. I am suddenly much more relaxed about today's tasks.

    • (Score: 2) by Runaway1956 on Thursday February 20 2020, @08:33AM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Thursday February 20 2020, @08:33AM (#960231) Journal

      That, exactly, ten thousand times over ^

      You simply do not connect system critical shit to the same interwebs that Chinese hackers, Russian agents, Nigerian princes, and bored schoolkids all have access to. Fekkin' idiots. Some of our top decision makers today SHOULD HAVE been aborted. And, maybe their parents should have been aborted before that. And, that, without even getting political!!

      • (Score: 2) by legont on Thursday February 20 2020, @11:39PM

        by legont (4179) on Thursday February 20 2020, @11:39PM (#960495)

        Security is expensive.
        Imagine the system goes down and the only expert not fired after 2008 is on a vacation in Thailand, and you call him and he brings himself up from a nice girl and dials in... then what?

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2, Informative) by Anonymous Coward on Thursday February 20 2020, @02:39PM (1 child)

      by Anonymous Coward on Thursday February 20 2020, @02:39PM (#960283)

      Supervisory, not System

      • (Score: 2) by coolgopher on Thursday February 20 2020, @10:56PM

        by coolgopher (1157) on Thursday February 20 2020, @10:56PM (#960479)

        Huh. Whaddya know, looks like I obtained faulty information at some point. Thanks for the correction!

    • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @09:59PM

      by Anonymous Coward on Thursday February 20 2020, @09:59PM (#960464)

      Are you telling me that we will have to spend money on two sets of infrastructure? I hope you understand that an increase in expenses without an increase in revenue is an unacceptable increase in your budget.

      Some PHB/MBA, probably.

  • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @11:28AM (3 children)

    by Anonymous Coward on Thursday February 20 2020, @11:28AM (#960253)

    I'm running out of jokes about Windows security. Maybe M$ should rename Windows to something else, perhaps M$ Karen.

    • (Score: 2) by DannyB on Thursday February 20 2020, @03:31PM

      by DannyB (5839) Subscriber Badge on Thursday February 20 2020, @03:31PM (#960303) Journal

      I was going to point out that this almost certainly means they must be running Windows. Thanks for beating me to it.

      I haven't heard your jokes about Windows security. Have you posted them here or on your journal?

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 3, Funny) by stormreaver on Thursday February 20 2020, @06:01PM (1 child)

      by stormreaver (5101) on Thursday February 20 2020, @06:01PM (#960370)

      Maybe M$ should rename Windows to something else, perhaps M$ Karen.

      I think Wingoatse.cx is a fitting name since it's a huge, gaping pain in the ass.

      • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @09:06PM

        by Anonymous Coward on Thursday February 20 2020, @09:06PM (#960444)

        That's the new free Windows 10 upgrade website.

  • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @02:18PM (2 children)

    by Anonymous Coward on Thursday February 20 2020, @02:18PM (#960279)

    https://www.us-cert.gov/ncas/alerts/aa20-049a [us-cert.gov]

    the report says
    "At no time did the threat actor obtain the ability to control or manipulate operations."
    The bad guy used "commodity ransomware" which got the Windows-based machines, but the non-Windows PLCs were unaffected.
    Among the recommended mitigation is to better segment the IT/OT networks with a DMZ.

    That seems a bad idea.
    Kind of like adding a more complicated countermeasure to keep the squirrel out of the bird feeder.
    It would be better not to have the situation in the first place.
    That would require an 'airgap' or at least a one way communications path to permit look but not touch from remote.
    (Perhaps an old school RS-232 link with only one direction hooked up?)

    The bad guys were clearly inside the computers in the control network.
    The result was the disruption of the ability to monitor the system.
    It seems likely that they had sufficient access to ask a PLC to do something bad.
    To say they didn't have this ability seems a failure of imagination.

    For example, if one were inside a Windows system with sufficient tools to encrypt the file system without taking down the computer,
    then why could they not also watch the displays, keyboards, and mouse clicks?

    If the same computers were used for control, then occasionally they would see how to do that as well.

    The remedies in the report seem irresponsible. Airgaps and maybe one-way comms seem more likely to secure something important.
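The IT-to-OT pivot described in the story and the IT/DMZ/OT segmentation the advisory recommends can be checked mechanically against flow records. The Python below is an added example, not code from the advisory or from any poster; the zone address ranges, the permitted ports and the flow records are constructed assumptions for illustration.

```python
import ipaddress

ZONES = {  # constructed example ranges; substitute the real zone definitions
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("10.3.0.0/16"),
}
# Permitted zone-to-zone paths and destination ports. A direct IT -> OT entry
# is deliberately absent: anything crossing must terminate in the DMZ first.
POLICY = {
    ("IT", "DMZ"): {443},   # business side reads the historian over HTTPS
    ("DMZ", "OT"): {502},   # DMZ historian polls Modbus/TCP (assumed port)
    ("OT", "DMZ"): {443},   # OT pushes reports out to the DMZ
}

def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flow(line):
    """Return a violation string for one flow record, or None if policy allows it.
    Record format (constructed): '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:           # intra-zone traffic is out of scope here
        return None
    if int(port) in POLICY.get((src_zone, dst_zone), set()):
        return None
    return f"{ts} {src_zone}->{dst_zone} {src}->{dst}:{port}/{proto} not permitted"

def audit(lines):
    """Run check_flow over every record and keep only the violations."""
    return [v for v in map(check_flow, lines) if v is not None]

SAMPLE_FLOWS = [  # constructed records, not taken from the advisory
    "2020-02-18T09:00:01 10.1.5.20 10.2.0.10 443 tcp",  # IT -> DMZ, allowed
    "2020-02-18T09:00:05 10.2.0.10 10.3.1.7 502 tcp",   # DMZ -> OT, allowed
    "2020-02-18T09:01:12 10.1.5.20 10.3.1.7 445 tcp",   # IT -> OT SMB: flagged
    "2020-02-18T09:01:30 10.1.5.20 10.3.1.9 3389 tcp",  # IT -> OT RDP: flagged
    "2020-02-18T09:02:00 10.3.1.7 10.3.1.8 502 tcp",    # OT internal, ignored
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```

Run against real flow or firewall logs, every IT-to-OT record the audit prints is a path the DMZ design says should not exist, which is the signal the posters above are arguing about.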

    • (Score: 2) by HiThere on Thursday February 20 2020, @04:47PM (1 child)

      by HiThere (866) Subscriber Badge on Thursday February 20 2020, @04:47PM (#960342) Journal

      My suspicion is that this was commodity ransomware and didn't even know what it had infected. So, no, it didn't have the capability, because that wasn't designed into it. Something targeted with the same amount of control probably would have had the capability.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Friday February 21 2020, @12:59AM

        by Anonymous Coward on Friday February 21 2020, @12:59AM (#960528)

        Right, there were no leet haxxors. Just run-of-the-mill ransomware some dumbass Windows user installed.
