back to article When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

America's Homeland Security this week disclosed it recently responded to a ransomware infection at an unnamed natural gas plant. The cyber-nasty, described as a common or garden strain of file-scrambling Windows ransomware, did not result in any physical damage to equipment nor any of the programmable logic controller units …

  1. Snake Silver badge
    Facepalm

    Hmmm

    One can only question why that processing systems shared the same network as the business systems, as I seriously doubt that process workers needed to check their emails on the compressor status screens.

    So, therefore, again, the icon, for modern design decisions.

    1. Daedalus Silver badge

      Re: Hmmm

      Probably managerial hubris. Top dog has to be able to pee everywhere, and all that. Well he got his wish.

    2. Mark 85 Silver badge

      Re: Hmmm

      My guess would be for ease of working with the installed software on the processing equipment. Probably been that way since Day 1 and no one wanted to spend the money to isolate things. But, then it's always about the money.

    3. Doctor Syntax Silver badge

      Re: Hmmm

      No budget to maintain separated networks. Instant budget to clean up afterwards.

      1. Pascal Monett Silver badge

        Well the clean up has to happen, so no surprise there.

        What is always astonishing is finding out that nobody bothered to implement any sort of security beforehand.

        Oh well, two days revenue lost is a lesson. Now, how many other natural gas plants will sit up and take notice ?

        Because I'm guessing that plant was not unique in any way.

      2. Robert Helpmann??
        Childcatcher

        Re: Hmmm

        May not be a case of setting things up this way from day one as industrial systems of this nature often predate the widespread internet connectivity of most business networks of today. Once it became possible to monitor and control remotely, people did it for ease of use and accessibility without thinking through any security considerations. After that, it becomes a case of budget and not properly understanding the risks involved. Doctor Syntax's point illustrates this; the risk analysis was probably based on incorrect costs and likelihood of such an event. Once the actual information was made horribly clear, funds are made available because there is no way to avoid the knowledge.

    4. Anonymous Coward
      Anonymous Coward

      Re: Hmmm

      In my experience, the operational networks often report operational statuses/telemetry back to business systems. In addition, you have questions around patching and other security updates. The systems we operated had PLC DMZ's, video surveillance DMZ's and then operational/management PC's that were "fully managed" by the third-party who provided the PLC's. Fully managed in this instance meant that the built the machines and asked for specific updates (AV) to be available - in generally, they were only patched semi-annually with patches that had been tested for ~1 year...

      However:

      a) it was firewalled on both sides (business and operational side managed by third-party) to prevent accidental firewall changes exposing systems on either side

      b) access should be one way (operational network to production network only) and avoid high risk services like Windows file sharing or Windows RPC.

      c) try and ensure operational network equipment is reasonably up-to-date. While the third-party service charges are high, getting things working when everything is 5+ years out of date can be hard...

      I'm not going to pretend we had all the answers - the operational network scared the crap out of us but we were contractually limited by the third-party with exactly what we could do. If the third-party brought something on-site on a laptop or media that affected the operational network, we would have had "interesting times"...

    5. hammarbtyp

      Re: Hmmm

      Prognostics, production reports, alert logging, remote diagnostics ... there many reasons.

      It has become increasing common to seeing IT and OT connected which increases the risk of these sort of things. Proper firewall protections can reduce the risk, but it is bot unknown to see such perotections bypassed by ignorant IT

  2. elDog

    For this to be announced as a CISA bulletin implies some importance

    since it gives visibility to these types of vulnerabilities.

    Generally humans-being-humans, if there is a way to bridge the air-gap to make their lives more pleasurable/efficient/whatever, the humans will do so. I've seen many examples from within TS SCIF facilities and other environments.

    One also wonders how many of these incidents are not being publicized. We know banks/etc. don't like to publish the fact that their security is lax and has been breached. Same for industrial/corporations/governments.

    1. Khaptain Silver badge

      Re: For this to be announced as a CISA bulletin implies some importance

      "One also wonders how many of these incidents are not being publicized. We know banks/etc. don't like to publish the fact that their security is lax and has been breached. Same for industrial/corporations/governments."

      That would depend on the home-ground country . Here in Europe the GDPR laws oblige the companies to admit to breaches very quickly or alternatively pay a "potentially" high price later.. ( We've not really seen any major fines getting handed out other than to the usual targets of Google/Microsoft). And of those fines that have been given out we do not even know of they have been paid...

      In the states, and especially when dealing with government facilities, I am not sure how that would work. ( This is with the presumption that it is a Governmental facility)..

      I also sincerely hope that these facilities are also not relying in DotNet or any other form of MS Library DLL for the actual hardware side of things, now that would be truly frightening.

      1. Pascal Monett Silver badge

        Re: This is with the presumption that it is a Governmental facility

        We're talking about the USA here. If something can be monetized, it will most certainly not be a Governmental facility.

  3. Anonymous Coward
    Anonymous Coward

    I'm seeing a lot more malware deliveries

    I'm in Louisiana, home of a lot of oil and gas companies, and we've recently seen school systems and cities shut down due to ransomware attacks - we just had a catalyst at ExxonMobil blow up, only a minor explosion and fire but there's been absolute silence about what caused it. Maybe it was just a coincidence but if you can hack into a refinery then it would not be too hard to change the settings to push the pressure past the limits causing a leak, that would then ignite.

    IA year ago used to see a couple of malware infection attempt delivered to the corporate mail server every month, nowadays I see half a dozen most days.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm seeing a lot more malware deliveries

      Try-out for Die Hard 4 ?

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm seeing a lot more malware deliveries

      Michigan, north-northeast of Detroit: a compressor station had to shut down in the dead of winter (coldest three days of January, I swear) due to a fire last year. Not sure the exact cause, but now that ransomware / ops takeover is a possibility, that's scary.

      Area auto plants voluntarily scaled back usual operations so as to reduce gas usage for a few days. Talk about your widespread economic effects.

      If the township will let me put a big-@$$ tank in my backyard, maybe it's time to switch all my NG systems (cooking, heat, hot water) to propane. And then get a propane-fired generator for when the electric goes down also.

      1. 's water music

        Re: I'm seeing a lot more malware deliveries

        If the township will let me put a big-@$$ tank in my backyard, maybe it's time to switch all my NG systems (cooking, heat, hot water) to propane. And then get a propane-fired generator for when the electric goes down also.

        Can I interest you in any accessories?

  4. doublelayer Silver badge

    Paranoia mode on

    "It appears the spear-phisher was more interested in holding files to ransom than specifically disrupting plant systems. Still, as a result of the infection, the plant had to be shut down as the monitoring systems were cleaned up."

    Let's say I'm a person who wants to be able to control a natural gas plant. Maybe I want the ability to turn it off. Maybe I'd even like to blow it up. Unfortunately, I don't know how to bypass their security. Therefore, I spearphish their IT people to get access to their systems, hoping to find technical documents and information about security procedures. I do, but while I'm in, I also find that their operations network is linked. Hurrah! Well, onto those machines I go, looking for even more information. How do I access the controls? What could I set them to to cause the most havoc? Maybe I can find some manuals and procedure documents used by the operators.

    Well, now that I have everything I need, there are just two problems. Problem one: I don't want to cause damage to the system now. Maybe I want to have this ready if ever my country of employment wants it, or maybe I want to make sure this will work on other plants before I make my move. Problem two: I am not impressed with their security right now, but there's no telling what they might have that I've never thought of. If they find that I've been here, there will be all sorts of warnings and I might even get tracked down. What's the solution? I infect all the systems with ransomware. All the evidence of my activities has just been obliterated in an avalanche of encryption. And at the cost of revealing my successful phish rather than hoping that nobody notices, I remove most suspicion about why I was here. I now have quite a nice vulnerability database in the bank, and if I don't have a discovered or installed back door, I at least have information about what I'd need to get in again to use the stuff I've found.

    I really hope that's wrong. Now, if you'll excuse me, I need to reset my paranoia circuit breaker again.

    1. ForthIsNotDead
      Thumb Up

      Re: Paranoia mode on

      Ooh that's very good!

      Have you read The Cukoo's Egg by Clifford Stoll? You'd enjoy it. It's an old book, but well worth the read.

    2. Pascal Monett Silver badge

      Re: Paranoia mode on

      If you're in, it would be a lot better to not make waves since doing so would inevitably introduce changes. As in, now this plant has likely separated the production network from the admin network. So, now that you have raised almighty Hell, your knowledge and access had been shredded and you can start again.

      Real spies leave no traces of their access.

      1. doublelayer Silver badge

        Re: Paranoia mode on

        It's true that the best-case scenario is not to get caught, but in the case that you know or have a strong suspicion that you will get caught, it's helpful* not to let the victim know what you were doing. Consider the situation where you break in to a place to still data by copying disks and you find out that they have a silent alarm and you've set it off. You can run out with the data you have, running the risk that they figure out that's why you were there, or you can steal a couple of harmless encrypted laptops, hopefully convincing them that you were a street thief looking for something expensive. Spies who don't manage to always stay in the shadows find ways to pretend not to be doing what they are in fact doing.

        *The above comment is written from the point of view of an attacker. I am not an attacker. Don't be an attacker, or we won't like you.

  5. steviebuk Silver badge

    New manglement or bean counters

    "I'm the new director. I can save you money by cutting down on your costly IT systems. They designed an air gap but this isn't required so we won't be implementing it, as it's an unneeded expense. With my suggestion that we don't implement it, we can save thousands per year. This will allow for cheaper running costs and everyone can be more 'agile' and work wherever they are in the plant".

    Or Bean Counter

    "IT is an unneeded expense. We could use low skilled works to replace the current IT. If we pick people that don't have the required skill sets we can pay them less. After all, we hardly ever hear from the current IT so they clearly do nothing all day. And when they do, all they suggest is "Have you turned it off and on again?"

    Cocks.

    1. Anonymous South African Coward Silver badge

      Re: New manglement or bean counters

      What I'm also saying - and the BOFH as well - beancounters are the natural enemy of the BOFH.

      They will usually suggest something to cut costs, but they will NOT think ahead as to where said cost cutting may lead to, only that they save a few $$, and will recoup more savings as time goes by.

      Until the brown stuff arrives... and when it arrives, the cost of cleaning up the mess is more than the "savings" they have made.

      1. Charles 9 Silver badge

        Re: New manglement or bean counters

        Thing is, it won't be on THEIR hands, as they'll be long gone before then.

  6. the.spike
    Stop

    Consequences

    Until people start to suffer the consequences of their inability to not open dodgy attachments (such as disciplinary action up to and including being fired), this sort of thing will continue.

    1. Pascal Monett Silver badge

      Re: Consequences

      That's nice, but if you burn everyone at the stake for their misdeeds, you'll have no one left who have learned from their mistakes and you'll always be on the witch hunt.

      1. Charles 9 Silver badge

        Re: Consequences

        Plus, what if the HUNTER (as in someone up top) is the one at fault.

    2. steviebuk Silver badge

      Re: Consequences

      And then you'll be known as the arsehole boss from hell and no one will ever want to work with you. Others will hide what has happened if they can. People make mistakes.

      Case in point, 2 people from the same department come and tell me, independently.

      Person 1

      "I got this invoice. I was expecting one. I'm sorry but I clicked on it but it did nothing". Too which I reply don't worry but it would have done something just silently. User walked off not fearing IT, I watched what the malware was doing (it just downloaded a file from the internet and created a task to run later. That, in testing, never did anything). Wiped the laptop, all OK.

      Person 2

      "I got this invoice person 1 got but I DIDN'T click it".

      Person 2 much higher up than person 1 so I trust what person 2 has said.

      3 months later. Person 2 has a totally different issue with IE. I remember about the malware. The malware that created a task ONLY if you clicked the invoice file. That task was there. So all along person 2 HAD clicked the invoice but lied.

      God only knows what that had been doing on the network for 3 months. That person should of just had a warning from higher up, not a disciplinary, just an education but because of their position all just went quiet.

      Nothing ever came of the 3 month laptop infection. No longer work there but know the network is apparently still fine and no sign of the infection.

  7. Anonymous Coward
    Anonymous Coward

    A problem waiting to happen

    It doesn't surprise me. Many years ago, when auditing offshore oil export systems, one platform had decided to update the flow monitoring computers. The "traditional" system used discrete computers for each flow stream, hard coded and self-contained to take parameters from its stream instruments (flow rate, density, and several pressure and temperature sensors) to calculate the "standard" volume exported. This approach was proven and robust. However, one operator decided they wanted to monitor the system from an onshore office (rather than rely on onsite personnel sending the readings in a daily email) - so installed a system of "virtual" flow computers running under Windows XP. In my report I expressed concern from two angles:

    a) How would the system accommodate OS updates (as there was a reliance on specialist drivers)? Basically, they would need to block all OS updates unless the supplier also updated drivers - and proven for each update.

    b) How well was the system protected from attack (as the system was being monitored over the corporate intranet and especially since it couldn't be patched without significant expense - point a)?

    This, realising we were talking about a system that recorded production worth several million dollars a day - revenue lost any time the system was offline.

    I never returned there but have often wondered how it has fared since. Anonymous, to protect the guilty!!

  8. hammarbtyp

    An attack by any other name

    "A cyber threat actor used a spear-phishing link to obtain initial access to the organization’s information technology network before pivoting to its operational technology network"

    More likely the IT system was randomly targetted, without the attacker actually knowing what the PC's did. The OT system was just collateral damage for the ransomware attack.

    But it sounds sexier if you try and make out it was some sort of cyber-terrorist thing

    My question is why the IT systems did not have up to date AV and malware detection on them

    1. JCitizen Bronze badge
      FAIL

      Re: An attack by any other name

      It is almost impossible to detect today's malware; I only use AM as a stop gap measure - I rely on other methods to hopefully foil the plans of the criminals who write such code - kernel based methods can protect the system, but if the criminal gains administrative access, all bets are off. BTW; the malware today is also highly automated and can call downloads from the internet that can foil most firewalls and add more capability in an automated attack - the original criminal doesn't even have to take control for a while, because the malware can do almost all his dirty work. RDP control is usually his last step.

    2. Anonymous Coward
      Anonymous Coward

      Re: An attack by any other name

      Probably because it would've BROKEN the system, meaning no money gets made, meaning no one gets PAID.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021