Suspicions That Explosion At US Gas Export Terminal Caused By Russian Hackers

Uploaded on 2022-07-15 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Energy

On June 8, 2022 a damaging  explosion occurred at the Freeport Liquid Natural Gas LNG) facility in Texas and the damage suffered means the facility is not expected to resume major operations until late 2022. The subsequent investigation reached a determination that one of the facility's LNG transfer lines was over pressurized and ruptured, which caused a "rapid flashing of LNG and the release and ignition of the natural gas vapor cloud."

The description of the accident, attributed in part to “overpressure,” offers similarities to an earlier incident at the site. 

The US Pipeline and Hazardous Materials Safety Administration (PHMSA) officials say a pipe failed because the supercooled liquid was being forced, at 917 pounds per square inch, through a pipe designed to handle no more than 90 pounds per square inch. Further investigation revealed the pipe was flawed and possibly not fit to handle the cryogenic temperatures of LNG. In an enforcement report, agency officials said there were hundreds of feet of such pipe in the facility. That was one of two incidents that month.

Two weeks later he Washington Examiner published an article: “Did Russian hackers blow up a Texas LNG pipeline on June 8?” which described the Russian cyber attack of the Triconix safety systems in Saudi Arabia (Triton). It is not known what safety systems were used at the Freeport LNG facility though it would not be surprising if they also used Triconix as it is one of the most common safety systems. However, this is neither just a Freeport LNG or Triconix issue. Previously, a “sensor system malfunction” caused a shutdown of a different LNG terminal. Furthermore, I attended the Triton presentation at the April 2018 ICSJWG meeting in Albuquerque. Coincidently, I was scheduled to give a presentation on the lack of cyber insecurity of the sensors and added to my prepared presentation how compromising the sensors could have avoided the issues that caused the Russian Triton cyber attack to be unsuccessful.

As the final chapter has not been written on the Freeport LNG explosion, this blog is written as a detective story. That is, presenting motive, means, and opportunity for this to have been done maliciously.

There are several cyber-related issues that could have led to the Freeport LNG overpressure event (and interfered with its safe relief). They include:

  • Process sensor (pressure transmitter) issues – incorrect readings or safety setpoints.
  • Controller issues – controllers didn’t actuate safety systems.
  • Final element (valve) issues – Valves didn’t open in a timely manner.

Such failures could have been either accidental or the result of sabotage.

Motive

In mid-February 2022, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc. The attacks targeted companies involved with the production of LNG and were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine on February 24th, when energy markets were already roiled by tight supplies.

The Freeport LNG plant on Quintana Island, Texas can produce around 2 billion cubic feet per day of LNG. That comprises more than 15% of U.S. LNG export capacity. Freeport LNG said it doesn’t expect to be fully operational again until “late 2022” following the June 8 explosion, worsening the outlook for European buyers seeking to replace Russian energy imports.

Means

The Russians have a long history of cyber attacks against critical infrastructure in multiple countries including the US. In 2011, the Russians attempted to take over a small US water plant damaging a motor in the process. In 2013, Russia unleashed Havex (Havex is a Russian-made remote access trojan used in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors primarily in the United States and Europe). In 2014, Russia unleashed Black Energy2 in the US electric grid (BlackEnergy 2 is malware targeting GE Cimplicity HMI, Siemens WinCC and Advantech/Broadwin deployments). Additionally, the Russians did a process sensor hacking demonstration (a project known as Corsair) at the 2016 ICS Cyber Security Conference. In 2017, the Russians attempted to take control of the Triconex safety systems in a petrochemical plant in Saudi Arabia to cause it to blow up (the Triton/Trisys incident). And between 2020 and 2022, Russian ransomware has run rampant affecting industrial operations as well as IT systems.

Learning from another overpressure event

Stuxnet, the disabling cyber attack against Iranian uranium refinement centrifuges, discovered in 2010, was not a Russian operation. But it held lessons for those who might wish to attack critical infrastructure. Stuxnet compromised pressure sensor data to cause the overpressure event and prevent pressure relief to damage the centrifuges. According to Ralph Langner’s “To Kill a Centrifuge”, legitimate code executed but received fake input values, and any output (actuator) manipulations of legitimate control logic would no longer have any effect. The malicious process caused pressure to rise continuously. Pressure sensors errors are corrected by calibration. If the calibration is overwritten by malicious code on the controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as normal pressure no matter how high or low their analog values are. The pressure controller acted accordingly even though the pressure kept rising. Other sensors were compromised because they would have shown critical high or low pressure readings, automatically closing valves and triggering alarms. It can be assumed that the Russians are aware of Stuxnet.

Opportunity

In 2017, the International Society of Automation (ISA) formed a special working group in ISA99 (Industrial Automation and Control System Cyber Security) to determine if legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusions were that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the ISA 62443-4-2 component specification’s individual security requirements to legacy (what is being built today as well those already installed in the field) process sensors. Consequently, in early 2021, the ISA84.09 working group selected as the use case was a state-of-the-art digital safety pressure transmitters in an LNG facility.  The study found that 69 of the 138 individual cyber security requirements in ISA 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer.

December 2021, Ankit Suthar noted: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument. (HART - Highway Addressable Remote Transducer- is a hybrid analog and digital industrial automation open protocol. Wired HART communicates over legacy 4–20 mA analog instrumentation current loops using 1200 Baud modems. These controls lacked basic network protection features.

There were no passwords, for these systems even by default. You simply plug in your HART communicator and change whatever you want.”

Process sensor and actuator device calibrations or other maintenance activities utilize maintenance devices with no cyber security, yet these devices have direct connections to the Internet. These and other unsecured access points can be entry points into the control and safety equipment used in the Freeport LNG facility. Unfortunately, there is little cyber forensics at this level.

Conclusions

The Freeport LNG explosion could have simply been the result of unintentional system or personnel problems. Freeport LNG did not have a stellar safety record. But this wasn’t the only LNG facility to have a control system-related event. The explosion could have also been the result of malicious cyber-related issues as sophisticated attackers can make cyber attacks look like equipment malfunctions. Stuxnet did just that.

All too often, chemical plant (and other plant) piping failures are investigated by people who are expert in piping failures, but not with people who are experts in instrumentation, control systems, automation, or control system cyber security.

CISA and other US security agencies  continue to issue sending out warnings about potential Chinese and Russian cyber attacks on critical infrastructure.

With the June Freeport LNG explosion, the February 21, 2022, Marathon refinery explosion (the same day the US imposed sanctions on Russia), 34 food process plant fires since 2021, and loss of view or control for more than 30 minutes of 150 control center SCADA systems since 2018, maybe the Russians are already here.

Joe Weiss is Managing Partner at Applied Control Solutions

You Might Also Read: 

Process Sensor Cyber Security Is A Vital Issue:

 

« Creating A Security Awareness Training Program
Conversational Commerce Is Going To Be Big - But Could Be Risky »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Synopsys

Synopsys

Synopsys delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation.

Mitol PerfectBackup

Mitol PerfectBackup

Mitol PerfectBackup provide Enterprise Online Backup, Disaster Recovery and Cloud Computing Services.

NetMotion Software

NetMotion Software

NetMotion Software specializes in mobile performance management solutions to manage, secure and support the mobile enterprise.

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

GuardiCore

GuardiCore

GuardiCore is an innovator in internal data center security and breach detection and is transforming security inside data centers and clouds.

Invensis Learning

Invensis Learning

Invensis Learning is a professional training and certification company providing IT Service Management, IT Security & Governance, DevOps, Cloud Computing and Digital Awareness training.

HelseCERT

HelseCERT

HelseCERT is the health and care sector's national information security center for Norway.

StrongKey

StrongKey

StrongKey (formerly StrongAuth) is a leader in Enterprise Key Management Infrastructure, bringing new levels of capability and data security at a price point significantly lower than other solutions.

KeepSolid

KeepSolid

KeepSolid is a Virtual Private Network services provider offering secure encrypted access to the internet.

Ensign InfoSecurity

Ensign InfoSecurity

Ensign InfoSecurity is Southeast Asia’s largest pure-play cybersecurity firm.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

Cyral

Cyral

Easily observe, control, and protect your data endpoints in a cloud and DevOps-first world. Discover Data Mesh Security with Cyral.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

NASK

NASK

NASK is a National Research Institute under the supervision of the Chancellery of the Prime Minister of Poland. Our key activities involve ensuring security online.

Secure Blink

Secure Blink

Secure Blink provides automated application and API security solutions that empower developers and security engineers to protect critical assets from exploitation.

Scalarr

Scalarr

Scalarr is an innovative, next-generation cyber security firm focused on automation and AI to detect and prevent threats in mobile and Edge/IoT infrastructures.