CISA alert on ransomware disrupting natural gas compression
A U.S. natural gas compression facility got hit with ransomware and had to shut down for two days. CISA's alert makes clear that OT networks are not immune—the malware spread from IT to operations. If you are running industrial control systems, now's a good time to validate your network segmentation, test your backups, and make sure your incident response plan actually works.
On February 18, 2020, CISA published an alert that should have been a wake-up call for every organization operating critical infrastructure: a ransomware attack on a natural gas pipeline facility forced a two-day shutdown. The attacker got in through a phishing email, moved laterally into the operational technology network, and encrypted assets on both IT and OT systems. This was not theoretical—it was a real attack with real operational consequences.
What happened and why it matters
The attack started the way most do: someone clicked a phishing link. From that initial foothold, the attacker moved through the IT network and eventually reached systems connected to operational technology. The encryption affected both corporate systems and OT assets, forcing the facility to initiate a deliberate shutdown to prevent further damage.
Here's what made this different from your typical ransomware incident: the victim could not just restore from backups and move on. When ransomware hits systems that control physical processes—pipelines, power plants, manufacturing lines—you are not just recovering data. You are ensuring that restored systems will not cause explosions, environmental damage, or safety incidents. The two-day shutdown reflected the time needed to verify safe restart conditions, not just the time to decrypt or restore files.
CISA's alert emphasized that the attacker did not need specialized OT knowledge to cause operational impact. Commodity ransomware, combined with insufficient network segmentation between IT and OT environments, was enough. The sophistication was in the initial access and lateral movement, not in understanding industrial control systems.
The IT/OT convergence problem nobody wants to solve
For years, security professionals have warned about connecting OT systems to corporate networks. And for years, operational efficiency pressures have pushed organizations to do exactly that. Remote monitoring, predictive maintenance, centralized management—all require connectivity between systems that were designed to be isolated and systems that were designed to be connected.
This attack shows what happens when that connectivity is not properly segmented. The attacker did not need to understand SCADA protocols or industrial control systems. They needed to encrypt Windows systems that happened to be connected to operational networks. The lateral movement was IT-standard; the impact was uniquely OT.
If you are running critical infrastructure with IT/OT connectivity, ask yourself: could an attacker who compromises a user workstation reach systems that affect physical operations? If the answer is yes, your segmentation is not adequate. Not might not be adequate—is not.
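The question in the previous paragraph can be asked of a firewall rulebase rather than of people. The script below is an added example, not code from the article or from CISA: it models permitted flows between zones as a graph and walks it from the corporate workstation zone, listing every chain that lands in an OT zone. The zone names, the two rulebases (a flat one and a DMZ-segmented one) and the set of services treated as lateral-movement hops are constructed assumptions standing in for a real policy export.

```python
"""Reachability check for IT/OT segmentation.

Added illustration, not code from the article or from CISA. The zone names,
permitted flows and service classification below are constructed assumptions
standing in for a real firewall rulebase export.
"""
from collections import deque

# Constructed rulebase: (source_zone, destination_zone, service) means the
# boundary device permits that service in that direction.
FLAT_POLICY = [
    ("corp_workstations", "corp_servers", "smb"),
    ("corp_workstations", "corp_servers", "rdp"),
    ("corp_servers", "ot_hmi", "rdp"),           # "engineering convenience" rule
    ("corp_servers", "ot_historian", "sql"),      # direct read into the control network
    ("ot_hmi", "ot_plc", "modbus"),
]

# Hardened variant: corporate systems reach a DMZ replica only; OT pushes data
# outward and nothing interactive is permitted inbound.
SEGMENTED_POLICY = [
    ("corp_workstations", "corp_servers", "smb"),
    ("corp_workstations", "corp_servers", "rdp"),
    ("corp_servers", "dmz_historian", "sql"),
    ("ot_historian", "dmz_historian", "sql"),
    ("ot_hmi", "ot_plc", "modbus"),
]

# Services that give an attacker interactive or code-execution access on the
# far side, i.e. a hop that ransomware or an operator can actually ride.
LATERAL_SERVICES = {"smb", "rdp", "winrm", "ssh", "vnc"}


def attack_paths(policy, start, target_prefix="ot_", lateral_only=True):
    """Return every permitted zone chain from `start` into a zone whose name
    begins with `target_prefix`. With lateral_only=True only services in
    LATERAL_SERVICES count as hops; with False every permitted flow counts,
    which answers the broader "what can corporate even talk to" question."""
    edges = {}
    for src, dst, svc in policy:
        if lateral_only and svc not in LATERAL_SERVICES:
            continue
        edges.setdefault(src, []).append((dst, svc))

    paths = []
    # Each queue entry: current zone, zones already on this path, rendered hops.
    queue = deque([(start, [start], [start])])
    while queue:
        zone, visited, hops = queue.popleft()
        for nxt, svc in edges.get(zone, []):
            if nxt in visited:
                continue  # avoid looping through the same zone twice
            new_hops = hops + [f"--{svc}--> {nxt}"]
            if nxt.startswith(target_prefix):
                paths.append(" ".join(new_hops))
            # keep walking so deeper OT zones (e.g. the PLC segment) are listed too
            queue.append((nxt, visited + [nxt], new_hops))
    return paths


def segmentation_report(policy, start="corp_workstations"):
    """Summarise a rulebase the way the article's assessment question is
    phrased: can a compromised corporate workstation reach OT?"""
    lateral = attack_paths(policy, start)
    any_flow = attack_paths(policy, start, lateral_only=False)
    return {
        "adequate": not lateral,
        "lateral_paths": lateral,
        "all_paths_into_ot": any_flow,
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        report = segmentation_report(policy)
        print(f"{name}: adequate={report['adequate']}")
        for p in report["lateral_paths"]:
            print("  lateral:", p)
```

Against the flat rulebase the walk finds two chains into the HMI zone, both riding RDP from a server that workstations can already reach over SMB or RDP; against the segmented rulebase it finds none, because the only corporate-facing OT data lives in a DMZ replica that OT pushes to. The `lateral_only=False` mode is worth running as well: a rulebase can be free of interactive paths and still expose OT data stores to every corporate host.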
Incident response when physical safety is at stake
Normal incident response assumes you can contain, eradicate, and recover in ways that prioritize speed. OT incident response requires a different calculus. Before restoring any system connected to physical processes, you need to verify that restored configurations will not cause dangerous conditions. Before bringing systems back online, you need to ensure safety interlocks and fail-safes are functional.
The two-day shutdown in this case reflected responsible operational decision-making. The facility could have attempted faster restoration, but at what risk? Rushing recovery in OT environments can cause incidents worse than the ransomware itself.
Your incident response plans need to address this explicitly. Who has authority to declare systems safe for restart? What verification steps are required before restoring connectivity between IT and OT networks? What happens if you discover ransomware on systems that were thought to be isolated from affected networks?
Backups are not enough when the network is the problem
Having backups is necessary but not sufficient for OT ransomware recovery. You need to restore into an environment where the attack path no longer exists. If you restore from backup and reconnect to the same network topology that enabled lateral movement, you are just waiting for the next incident.
This means recovery planning for OT environments needs to include network architecture remediation, not just data restoration. Can you restore OT systems into a segmented network that prevents IT-to-OT lateral movement? Do you have the network diagrams, configuration documentation, and change management records to rebuild secure connectivity?
Many organizations discover during incidents that their network documentation is outdated, their segmentation is less effective than they thought, and their recovery procedures assume network conditions that no longer exist. Discover this during a tabletop exercise, not during an actual ransomware response.
The phishing problem is the initial access problem
The attack started with phishing. That is not unique—most attacks start with phishing. But it is a reminder that investment in sophisticated OT security controls is undermined if attackers can trivially compromise user workstations through email.
Multi-factor authentication, email security, user awareness training, and endpoint detection all contribute to making initial access harder. None of them are perfect, which is why defense in depth and network segmentation matter. But if your OT security strategy assumes attackers cannot get initial IT access, you are planning for a threat model that does not match reality.
Practical steps for critical infrastructure operators
- Assess IT/OT network segmentation honestly. Can an attacker who compromises a corporate workstation reach systems that affect physical operations? Document the attack paths that exist.
- Review incident response plans for OT-specific considerations including safety verification, restart authorization, and coordination with operational personnel.
- Ensure backup strategies include network architecture documentation, not just data. Can you restore into a secure network configuration?
- Implement monitoring at IT/OT boundaries to detect lateral movement attempts before they reach operational systems.
- Conduct tabletop exercises that include scenarios where ransomware affects both IT and OT systems. Test decision-making under realistic pressure.
- Coordinate with asset owners and safety personnel on recovery procedures. IT cannot unilaterally decide when OT systems are safe to restart.
- Review initial access controls including email security, MFA, and endpoint protection. The sophistication that matters is often in getting in, not in what happens after.
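The boundary-monitoring step above is the one that pays off during an incident like this one, so here is an added example of what that detection can look like in practice. It is not code from the article or from CISA: it parses constructed boundary-firewall log lines, keeps only flows from corporate address space into control-network address space on ports that imply interactive access or remote execution, and raises an alert when one corporate source has been granted such access to several distinct OT hosts. The log format, address ranges, port list and threshold are assumptions; adapt the parser to whatever your boundary device actually emits.

```python
"""Lateral-movement detection at an IT/OT boundary firewall.

Added illustration, not code from the article or from CISA. The log format,
address ranges, port list and threshold are constructed assumptions; adapt
the parser to whatever your boundary device actually emits.
"""
import ipaddress
import re
from collections import defaultdict

IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]       # constructed: corporate
OT_NETS = [ipaddress.ip_network("192.168.100.0/24")]   # constructed: control network

# Destination ports that, when opened from IT into OT, mean interactive access
# or remote execution rather than an expected one-way data feed.
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm", 22: "ssh", 135: "rpc"}

# Constructed boundary-firewall log lines in a simple key=value style.
SAMPLE_LOGS = """\
2020-02-10T03:12:01Z action=allow src=10.10.5.23 dst=192.168.100.40 dport=3389 proto=tcp
2020-02-10T03:12:04Z action=allow src=10.10.5.23 dst=192.168.100.41 dport=445 proto=tcp
2020-02-10T03:12:09Z action=allow src=10.10.5.23 dst=192.168.100.42 dport=445 proto=tcp
2020-02-10T03:13:00Z action=allow src=192.168.100.10 dst=10.10.8.9 dport=1433 proto=tcp
2020-02-10T03:14:15Z action=deny src=10.10.5.23 dst=192.168.100.50 dport=445 proto=tcp
2020-02-10T03:15:30Z action=allow src=10.10.7.7 dst=10.10.8.9 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_line(line):
    """Return a dict for a recognised line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def it_to_ot_lateral(log_text):
    """Keep only events where an IT source talks to an OT destination on a
    lateral-movement port. Denied events are kept too: a deny from a
    workstation toward OT is still an attempt worth investigating."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if in_any(ev["src"], IT_NETS) and in_any(ev["dst"], OT_NETS) and ev["dport"] in LATERAL_PORTS:
            ev["service"] = LATERAL_PORTS[ev["dport"]]
            events.append(ev)
    return events


def summarise(events):
    """Group boundary events by source so one host touching several OT hosts
    stands out from a single, possibly legitimate, session."""
    summary = defaultdict(lambda: {"allowed_hosts": set(), "denied_hosts": set(), "services": set()})
    for ev in events:
        s = summary[str(ev["src"])]
        bucket = "allowed_hosts" if ev["action"] == "allow" else "denied_hosts"
        s[bucket].add(str(ev["dst"]))
        s["services"].add(ev["service"])
    return dict(summary)


def alerts(log_text, min_distinct_ot_hosts=2):
    """Sources granted lateral access to at least N distinct OT hosts."""
    summary = summarise(it_to_ot_lateral(log_text))
    return sorted(src for src, s in summary.items() if len(s["allowed_hosts"]) >= min_distinct_ot_hosts)


if __name__ == "__main__":
    for src, s in summarise(it_to_ot_lateral(SAMPLE_LOGS)).items():
        print(src, "allowed:", sorted(s["allowed_hosts"]), "denied:", sorted(s["denied_hosts"]),
              "services:", sorted(s["services"]))
    print("alert on:", alerts(SAMPLE_LOGS))
```

On the sample lines a single workstation is allowed RDP and SMB into three OT hosts within a minute and is denied a fourth, which is the pattern to page on; the OT-to-IT database flow and the IT-internal SMB flow are ignored because they do not cross the boundary in the dangerous direction. The threshold of two distinct OT hosts is deliberately low: in a properly segmented design no corporate host should be granted interactive access into OT at all, so even the first allowed event is worth a ticket.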
The pipeline ransomware incident was not an isolated event—it was an early example of what is becoming common. As IT/OT convergence continues and ransomware operators look for targets that cannot afford downtime, critical infrastructure will face increasing pressure. Organizations that take segmentation, incident response planning, and recovery verification seriously now will be better positioned for what is coming.
Documentation
- AA20-049A: Ransomware Impacting Pipeline Operations
- CISA Alerts Archive — CISA
- ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization