By Matt Fleharty, System Engineer, Forescout
As we discussed in our recent joint report with the Institute for Critical Infrastructure Technology (ICIT), disruptionware is an emerging category of malware designed to slow or stop critical business processes, rather than simply withhold data. This trend played out again in February when DHS CISA published an alert that a cyberattack against a US natural gas compression facility had shut down pipeline operations for two days.
The threat actor used a spear-phishing link to gain access to the IT network before pivoting into the OT network. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers. DHS highlighted that,
“The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks and the threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks.”
As a result of this attack, cybersecurity in oil & gas, and critical infrastructure in general, has skyrocketed to the top of everyone’s mind. Here are 4 important steps you can take now to help protect against a disruptionware attack:
01. Apply Critical Patches
OT patching is an expensive, resource-intensive task, exacerbated by the fact that new vulnerabilities are published daily. Patch management is a recurring activity, which increases exponentially as critical infrastructure operations expand, thereby rendering manual patching all but impossible. Develop a patching strategy that sets forth requirements for prioritization, standardization, and prevention. Select a tool that can identify assets in need of patching in near real-time.
02. Develop a Segmentation Strategy for Your OT Networks
A lack of separation between IT and OT networks in the oil & gas industry is not uncommon. However, segmentation is particularly important in critical infrastructure organizations for several reasons:
- Minimizing attack vectors: When all systems are connected, there are multiple endpoints where a hacker can easily gain access. When properly segmented, endpoints are substantially reduced, and therefore more easily managed to protect against threats.
- Monitoring traffic: Restricting OT network traffic to protocols used by critical infrastructure reduces the potential for lost packets, as well as unplanned downtime. IT protocols tend to consume higher bandwidth and more resources, potentially interrupting communications between critical infrastructure systems.
- Managing access: Multiple stakeholders require access to various business systems. In addition to restricting points of entry, segmentation helps ensure higher fidelity with respect to authorized network access.
- Isolating threats: If an asset becomes compromised, segmentation minimizes the impact to the broader organization.
Factoring in criticality, consequence, and operational necessity, organize your OT assets into logical zones and deploy security controls to make sure risky IT devices can’t communicate with a control system. Be sure to simulate your segmentation process before actually executing it. Use a tool with a graphical matrix of current communication flows to visualize what these segments might look like and also validate that the segmentation strategy won’t break critical parts of a process.
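The simulation step above can be done in tabular form before any firewall rule is written. The following Python script is an added example, not Forescout's tooling or code from this post: it assigns constructed assets to zones, defines a zone-to-zone policy matrix of permitted protocols, builds the matrix of communication flows actually observed, and replays every observed flow against the proposed policy so the flows the policy would cut (and any unclassified assets) can be reviewed before enforcement. All host names, zone names, protocols and flows are constructed for illustration.

```python
"""Simulate a proposed OT segmentation policy against observed flows.

Added example (not Forescout's tooling). All assets, zones, protocols and
flows are constructed; substitute your own inventory and passively collected
flow records.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Constructed asset inventory: host -> zone (hypothetical names)
ZONE_OF = {
    "hmi-01": "ot-supervisory",
    "hist-01": "ot-supervisory",
    "poll-01": "ot-supervisory",
    "plc-compressor-a": "ot-control",
    "plc-compressor-b": "ot-control",
    "eng-ws-01": "ot-engineering",
    "fileshare-corp": "it-corporate",
    "laptop-42": "it-corporate",
    "dmz-jump": "it-ot-dmz",
}

# Proposed policy: (src_zone, dst_zone) -> protocols permitted across that boundary.
# Any zone pair or protocol not listed here is denied.
POLICY = {
    ("ot-supervisory", "ot-control"): {"modbus", "dnp3"},
    ("ot-engineering", "ot-control"): {"modbus", "s7comm"},
    ("it-ot-dmz", "ot-supervisory"): {"opcua"},
    ("it-corporate", "it-ot-dmz"): {"rdp", "https"},
}

# Constructed flows, as a passive monitor might have recorded them
OBSERVED = [
    Flow("hmi-01", "plc-compressor-a", "modbus", 502),
    Flow("poll-01", "plc-compressor-b", "dnp3", 20000),
    Flow("hist-01", "hmi-01", "sql", 1433),
    Flow("eng-ws-01", "plc-compressor-a", "s7comm", 102),
    Flow("dmz-jump", "hist-01", "opcua", 4840),
    Flow("laptop-42", "plc-compressor-a", "modbus", 502),  # corporate host talking to a PLC
    Flow("fileshare-corp", "hist-01", "smb", 445),          # SMB crossing the IT/OT boundary
    Flow("10.0.5.7", "plc-compressor-b", "modbus", 502),    # host missing from the inventory
]


def evaluate_flow(flow, zone_of=ZONE_OF, policy=POLICY):
    """Return (verdict, reason) for one flow under the proposed policy.

    Intra-zone traffic is allowed by default; cross-zone traffic must be
    explicitly listed in the matrix with a matching protocol.
    """
    src_zone = zone_of.get(flow.src)
    dst_zone = zone_of.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "review", "asset not in inventory"
    if src_zone == dst_zone:
        return "allow", "intra-zone"
    allowed = policy.get((src_zone, dst_zone), set())
    if flow.proto in allowed:
        return "allow", f"{src_zone}->{dst_zone} permits {flow.proto}"
    return "deny", f"{src_zone}->{dst_zone} has no rule for {flow.proto}"


def simulate(flows, zone_of=ZONE_OF, policy=POLICY):
    """Group observed flows by verdict so that cuts can be reviewed before enforcement."""
    result = {"allow": [], "deny": [], "review": []}
    for f in flows:
        verdict, reason = evaluate_flow(f, zone_of, policy)
        result[verdict].append((f, reason))
    return result


def flow_matrix(flows, zone_of=ZONE_OF):
    """(src_zone, dst_zone) -> protocols actually seen: the communication matrix in tabular form."""
    matrix = {}
    for f in flows:
        key = (zone_of.get(f.src, "unclassified"), zone_of.get(f.dst, "unclassified"))
        matrix.setdefault(key, set()).add(f.proto)
    return matrix


if __name__ == "__main__":
    for (src_zone, dst_zone), protos in sorted(flow_matrix(OBSERVED).items()):
        print(f"{src_zone:>16} -> {dst_zone:<16} {', '.join(sorted(protos))}")
    outcome = simulate(OBSERVED)
    for f, reason in outcome["deny"]:
        print(f"WOULD CUT: {f.src} -> {f.dst} {f.proto}/{f.port} ({reason})")
    for f, reason in outcome["review"]:
        print(f"REVIEW:    {f.src} -> {f.dst} {f.proto}/{f.port} ({reason})")
```

A flow in the `deny` bucket is either the risky IT-to-control communication the policy is meant to stop (here, the corporate laptop polling a PLC) or a legitimate process dependency that the zone design missed; deciding which is the point of simulating before enforcing. Flows in `review` show inventory gaps that need to be closed before a policy can be trusted.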
03. Continuously Monitor Your OT Network
As mentioned, new vulnerabilities arise faster than our ability to manually protect against them. Additionally, critical infrastructure limitations often inhibit the viability of actively scanning for new threats. Instead, automated, agentless tools that continuously monitor for threats in a passive manner have been shown to be superior protection strategies against a constantly evolving cybersecurity threat landscape.
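The core of passive monitoring is a baseline learned from traffic the sensor already sees, with no packets sent to the control devices. The following Python class is an added example, not a description of any product: it learns which assets exist and which (source, destination, protocol) conversations are normal from a learning window of constructed flow records, then checks a later window for assets never seen before, known assets speaking a new protocol, and known assets reaching a new peer, escalating findings that involve protocols which should not appear on the OT segment at all. All records, host names and the IT-protocol list are constructed.

```python
"""Passive baseline-and-deviation monitoring for an OT segment.

Added example, not a product feature. Records are (src, dst, proto) tuples as
a passive sensor on a SPAN/TAP feed would produce them; all values are
constructed for illustration.
"""
from collections import defaultdict

# Constructed learning-window records: conversations considered normal
LEARNING_WINDOW = [
    ("hmi-01", "plc-compressor-a", "modbus"),
    ("hmi-01", "plc-compressor-b", "modbus"),
    ("poll-01", "plc-compressor-a", "dnp3"),
    ("hist-01", "hmi-01", "sql"),
    ("eng-ws-01", "plc-compressor-a", "s7comm"),
]

# Constructed records from a later window
LIVE_WINDOW = [
    ("hmi-01", "plc-compressor-a", "modbus"),     # normal
    ("poll-01", "plc-compressor-a", "dnp3"),      # normal
    ("laptop-42", "plc-compressor-a", "modbus"),  # never-seen asset polling a PLC
    ("eng-ws-01", "hist-01", "smb"),              # known asset, new protocol and peer
    ("hmi-01", "plc-compressor-b", "modbus"),     # normal
    ("poll-01", "plc-compressor-b", "dnp3"),      # known asset and protocol, new peer
]

# Constructed list of IT protocols that have no business on this OT segment
IT_PROTOCOLS = {"smb", "rdp", "http", "ldap"}


class PassiveBaseline:
    """Learn normal conversations from observed traffic; never probes devices."""

    def __init__(self, it_protocols=IT_PROTOCOLS):
        self.assets = set()
        self.conversations = set()
        self.protocols_by_asset = defaultdict(set)
        self.it_protocols = set(it_protocols)

    def learn(self, records):
        for src, dst, proto in records:
            self.assets.update((src, dst))
            self.conversations.add((src, dst, proto))
            self.protocols_by_asset[src].add(proto)
        return self

    def check(self, records):
        """Return findings as (kind, severity, src, dst, proto); the baseline is unchanged."""
        findings = []
        for src, dst, proto in records:
            if (src, dst, proto) in self.conversations:
                continue  # seen during learning: nothing to report
            if src not in self.assets or dst not in self.assets:
                kind = "new-asset"
            elif proto not in self.protocols_by_asset[src]:
                kind = "new-protocol"
            else:
                kind = "new-peer"
            # IT protocols on the OT segment are escalated regardless of kind
            severity = "high" if proto in self.it_protocols or kind == "new-asset" else "medium"
            findings.append((kind, severity, src, dst, proto))
        return findings


def summarize(findings):
    """Count findings per (kind, severity) for a quick triage view."""
    counts = defaultdict(int)
    for kind, severity, *_ in findings:
        counts[(kind, severity)] += 1
    return dict(counts)


if __name__ == "__main__":
    baseline = PassiveBaseline().learn(LEARNING_WINDOW)
    for kind, severity, src, dst, proto in baseline.check(LIVE_WINDOW):
        print(f"[{severity:>6}] {kind:<12} {src} -> {dst} ({proto})")
```

Because the baseline is learned rather than configured, it will absorb anything present during the learning window, so that window should be reviewed against the asset inventory before the baseline is trusted; the same passive data also feeds the communication matrix used to plan segmentation.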
04. Backup Critical Assets
Using a redundancy system that allows multiple iterations of backups to be saved and stored offline can be indispensable if you are targeted by disruptionware, especially if the most recent set of backups includes encrypted or infected files. Routinely test backups for data integrity to ensure you can recover intact data from them.
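Routinely testing backups means more than confirming the files exist: each generation should be checked against the hash manifest recorded when it was taken (to catch storage corruption) and sanity-checked for content that was already encrypted when the backup ran (the case the paragraph warns about). The following Python script is an added example, not part of this post or any Forescout product: it models three retained generations in memory, detects one whose stored bytes no longer match its manifest, flags one whose text-format files have the near-maximal Shannon entropy characteristic of ciphertext, and selects the newest generation that passes both checks. Generation labels, file names and contents are constructed.

```python
"""Select the newest backup generation that passes integrity and content checks.

Added example (not Forescout's code). Generations are modelled in memory;
in practice the files would be read back from offline media. All data is
constructed for illustration.
"""
import hashlib
import math
from collections import Counter

# Constructed entropy threshold in bits per byte: plaintext configs and CSVs
# sit well below it, ciphertext and compressed data sit close to 8.0
ENTROPY_THRESHOLD = 7.0
TEXT_SUFFIXES = (".csv", ".cfg", ".txt")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Generation:
    """One backup set; the manifest is recorded at backup time and kept with it."""

    def __init__(self, label, files):
        self.label = label
        self.files = dict(files)
        self.manifest = {name: sha256(data) for name, data in self.files.items()}


def storage_intact(gen):
    """True when every file still hashes to the value recorded in its manifest."""
    return set(gen.files) == set(gen.manifest) and all(
        sha256(data) == gen.manifest[name] for name, data in gen.files.items()
    )


def looks_encrypted(name, data, threshold=ENTROPY_THRESHOLD):
    """Text-format files with ciphertext-like entropy are treated as already encrypted."""
    return name.endswith(TEXT_SUFFIXES) and entropy(data) > threshold


def newest_usable(generations):
    """Newest generation that is intact in storage and contains no encrypted-looking files."""
    for gen in sorted(generations, key=lambda g: g.label, reverse=True):
        if not storage_intact(gen):
            continue
        if any(looks_encrypted(name, data) for name, data in gen.files.items()):
            continue
        return gen
    return None


def build_generations():
    """Three constructed generations: corrupted in storage, good, and captured after encryption."""
    plaintext = {"setpoints.csv": b"tag,value\n" * 50, "hmi.cfg": b"screen=overview\npoll_ms=500\n"}
    oldest = Generation("2020-02-10", plaintext)
    # simulate bit-rot on the offline copy after the manifest was written
    damaged = bytearray(oldest.files["setpoints.csv"])
    damaged[7] ^= 0x01
    oldest.files["setpoints.csv"] = bytes(damaged)

    good = Generation("2020-02-11", plaintext)

    # the newest set backed up files that ransomware had already encrypted;
    # a deterministic stand-in for ciphertext with entropy of exactly 8 bits/byte
    ciphertext = bytes(range(256)) * 4
    encrypted = Generation("2020-02-12", {"setpoints.csv": ciphertext, "hmi.cfg": ciphertext})
    return [oldest, good, encrypted]


if __name__ == "__main__":
    gens = build_generations()
    for gen in gens:
        suspect = [n for n, d in gen.files.items() if looks_encrypted(n, d)]
        print(f"{gen.label}: intact={storage_intact(gen)} encrypted-looking={suspect}")
    chosen = newest_usable(gens)
    print("restore from:", chosen.label if chosen else "no usable generation")
```

The entropy check is a heuristic: it only covers files whose format is expected to be low-entropy plaintext, so the suffix list should match what is actually in the backup set, and a compressed or already-encrypted archive format needs a different test (for example, a trial restore and parse).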