DHS’s cyber wing responds to ransomware attack on pipeline operator

The incident serves as a warning for industrial companies of the ways that ransomware can impact operations.

The Department of Homeland Security’s cybersecurity agency recently responded to a ransomware attack on a natural gas compression facility that led the organization to shut down its operations for two days, the agency said Tuesday.

The hackers were able to encrypt data on the organization’s IT and “operational technology” network, a broad term for a network that oversees industrial processes. No longer able to read data coming from across its enterprise, the facility shut down its various assets, including its pipelines, for two days.

“Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations,” says the advisory from DHS’s Cybersecurity and Infrastructure Security Agency.


The unnamed gas facility is back up and running, but CISA said it was releasing a report to help other organizations protect themselves against similar attacks. U.S. lawmakers have previously called on DHS, and its Transportation and Security Agency specifically, to do more to help protect pipeline operators from cyberthreats. In April 2018, a cyberattack struck accounting software used by a Texas-based owner of more than 71,000 miles of pipelines, disrupting a customer transaction service used by the company.

In the incident flagged Tuesday by CISA, the attackers knocked offline human-machine interfaces (HMIs), the dashboards that connect operators to industrial equipment. They did not, however, affect the more sensitive programmable logic controllers (PLCs), the ruggedized computers that monitor and control industrial systems.

“At no time did the threat actor obtain the ability to control or manipulate operations,” CISA said. It did not say who was responsible for the attack or if the victim paid the ransom.

Beyond this one incident, CISA is sending a signal to critical infrastructure operators that a failure to plan for ransomware can be costly.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning,” the advisory says.

Written by Sean Lyngaas
