Previously, cyberattacks resulting in the targeted disruption of electricity to a geographic region were either hypothetical or relied on sophisticated, purpose-built malware such as BlackEnergy. Now, digital adversaries are adapting their tools, tactics, and procedures to threaten critical energy sector operational technology (OT) with less sophisticated, commercially available malware such as ransomware. In September 2019, ICIT and Forescout published a whitepaper, The Rise of Disruptionware: A Cyber-Physical Threat to Operational Technology Environments, that identified and characterized an emerging category of malware designed to disrupt the continuity of operations within an organization.
A few months later, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA20-049A) warning the energy sector about the threat ransomware posed to pipeline operations. A cyber attacker had compromised the information technology (IT) network of a natural gas compression facility and then moved laterally into its OT network, infecting it with ransomware believed to have been specifically designed and deployed to disrupt operations. This guide examines the risk that disruptionware poses to the energy sector, provides recommendations for mitigation and remediation, and details additional guidance.