
Infrastructure Briefing — CISA alert on ransomware disrupting natural gas compression

CISA Alert AA20-049A detailed how ransomware halted operations at a U.S. natural gas compression facility, forcing a two-day pipeline shutdown. The agency urged operators to segment operational technology assets, validate backups, and test incident response plans for malware impacting industrial control systems.

Executive briefing: CISA warned that a ransomware event at a natural gas compression facility encrypted both IT and OT assets, including HMIs and data historians, forcing the operator to halt pipeline operations for two days. The alert highlighted insufficient segmentation between enterprise and control networks and reliance on a single disaster recovery site.

Why it matters

  • Operational impact: Encryption of Windows-based control components cascaded into loss of view and control across the compression facility.
  • Sector relevance: Similar architectures exist across midstream operators, making lateral movement from IT to OT a recurring risk.
  • Regulatory scrutiny: Pipeline operators face heightened oversight after demonstrated ransomware-driven shutdowns.

Operator actions

  1. Segment OT networks: Enforce strict firewalling and one-way data flows between corporate IT and operational assets; remove unnecessary remote access paths.
  2. Backup and restore: Maintain offline, tested backups for HMI, engineering workstation, and historian images to expedite recovery.
  3. Tabletop scenarios: Run ransomware tabletop exercises that include loss of view/control, site failover, and communication protocols with regulators.
  4. Detection: Deploy network monitoring for abnormal SMB, RDP, and file-encryption behaviors within OT DMZs.
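A minimal sketch of the monitoring in items 1 and 4, added here as an illustration and not taken from the CISA alert: it flags SMB/RDP flows that cross from IT into OT zones outside an approved conduit, and SMB fan-out from an OT-side host. The subnets, allowlist entry, threshold, and flow-record format are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan and thresholds (hypothetical, not taken from the alert).
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT_DMZ": ipaddress.ip_network("10.50.0.0/24"),
         "OT": ipaddress.ip_network("10.60.0.0/16")}
WATCHED_PORTS = {445: "SMB", 3389: "RDP"}
ALLOWED = {("10.10.5.20", "10.50.0.10", 3389)}  # approved IT -> DMZ conduit
FANOUT_LIMIT = 2  # distinct SMB peers one OT-side host may contact

# Constructed flow records, one per line: time src dst dport
SAMPLE_FLOWS = """\
09:00:01 10.10.5.20 10.50.0.10 3389
09:00:07 10.10.8.44 10.60.1.15 445
09:01:12 10.50.0.10 10.60.1.15 445
09:01:13 10.50.0.10 10.60.1.16 445
09:01:14 10.50.0.10 10.60.1.17 445
09:02:00 10.10.8.44 10.10.9.9 445
"""

def zone(ip):
    # Map an address to its zone name; unknown or invalid input is OTHER.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "OTHER"
    return next((n for n, net in ZONES.items() if addr in net), "OTHER")

def analyze(flow_text):
    """Return alert tuples (time, rule, src, dst, protocol) in log order."""
    alerts, smb_peers = [], defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port = parts[0], parts[1], parts[2], int(parts[3])
        if port not in WATCHED_PORTS:
            continue
        sz, dz = zone(src), zone(dst)
        # Rule 1: IT never reaches OT directly, and reaches the DMZ only via ALLOWED.
        crosses = dz == "OT" or (dz == "OT_DMZ" and (src, dst, port) not in ALLOWED)
        if sz == "IT" and crosses:
            alerts.append((ts, "segmentation", src, dst, WATCHED_PORTS[port]))
        # Rule 2: an OT-side host opening SMB to many distinct peers.
        if port == 445 and sz in ("OT_DMZ", "OT"):
            smb_peers[src].add(dst)
            if len(smb_peers[src]) == FANOUT_LIMIT + 1:  # alert once per source
                alerts.append((ts, "smb_fanout", src, dst, "SMB"))
    return alerts
```

Calling `analyze(SAMPLE_FLOWS)` returns one alert per rule; the allowlisted RDP session and the IT-internal SMB flow produce none.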