Malware
& Ransomware
on
ICS Systems

More “ransomware” and “malware” were used to infect ICS systems and shut down operations at natural-gas pipeline compressor stations as CISA reported. Majority of data breaches (e.g., more than 90%) start with spear phishing attacks. Thus, the “ransomware” accesses the IT systems after successful spear phishing attacks. Then, the OT side becomes impacted assets. Finally, ICSs cannot access any real-time operational data.
This attacking scenario is viable due to a lack of network segmentation. More specifically, operational impacts can be caused by a combination of insufficient segregation of IT and ICS environments and shared operating system infrastructure in the successful compressor station attacks. Thereby, overall pipeline operations ceased during restoration from backup operational data and configuration files. It makes sensible to “establish hard boundaries” between organizational IT and its OT environments for reducing the successful compressor station attack by ransomware. Thus, potential recommendations include: monitoring of outbound communications from ICS networks to identify signs of infection events within OT sides; developing strong network defenses between the IT and OT networks; creating choke points to limit malware spread; and others.