Thursday, May 6 2021

A US gas pipeline operator was infected by malware — your questions answered, Ars Technica


FAQ


The infection has generated no shortage of questions and opinions. Here’s what we know.



Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network — where email, accounting, and other business is conducted — to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.

Assessing the threat that the event posed to public safety requires an understanding of ICS and the way ransomware infections have evolved. What follows are answers to some of the most frequently asked questions:

What happened?

Details are frustratingly scarce. According to an advisory published by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the ransomware infected an unnamed natural gas compression facility. The attack started with a malicious link in a phishing email that allowed attackers to obtain initial access to the organization’s information technology (IT) network and later pivot to the company’s OT network. Eventually, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection of the OT network caused engineers to lose access to several automated resources that read and aggregate real-time operational data from equipment inside the facility’s compression operations. These resources included human machine interfaces, or HMIs, data historians, and polling servers. The loss of these resources resulted in a partial “loss of view” for engineers.

Facility personnel responded by implementing a “deliberate and controlled shutdown to operations” that lasted about two days. Compression facilities in other geographic locations that were connected to the hacked facility were also shut down, causing the entire pipeline to be nonoperational for two days. Normal operations resumed after that.

What’s a natural gas compression facility and what do they do?

Before natural gas can be moved through interstate pipelines, it must be highly pressurized at periodic intervals along the way. This process is done by compression facilities, which are typically spaced (to 728 miles apart along the pipeline. Natural gas flows into the compression facility, which is also known as a compressor station or a pumping station, where the gas is compressed by a turbine, motor, or engine. For more, see this link.

[Figure: A diagram of a natural gas pipeline.]

What’s a data historian?
