Suspicions That Explosion At US Gas Export Terminal Caused By Russian Hackers

On June 8, 2022 a damaging explosion occurred at the Freeport Liquefied Natural Gas (LNG) facility in Texas; the damage was severe enough that the facility is not expected to resume major operations until late 2022. The subsequent investigation determined that one of the facility's LNG transfer lines was over-pressurized and ruptured, which caused a "rapid flashing of LNG and the release and ignition of the natural gas vapor cloud."

The description of the accident, attributed in part to “overpressure,” has similarities to an earlier incident at the site.

Officials of the US Pipeline and Hazardous Materials Safety Administration (PHMSA) say a pipe failed because the supercooled liquid was being forced, at 917 pounds per square inch, through a pipe designed to handle no more than 90 pounds per square inch. Further investigation revealed the pipe was flawed and possibly not fit to handle the cryogenic temperatures of LNG. In an enforcement report, agency officials said there were hundreds of feet of such pipe in the facility. That was one of two incidents that month.

Two weeks later the Washington Examiner published an article, “Did Russian hackers blow up a Texas LNG pipeline on June 8?”, which described the Russian cyber attack on the Triconex safety systems in Saudi Arabia (Triton). It is not known what safety systems were used at the Freeport LNG facility, though it would not be surprising if they also used Triconex, as it is one of the most common safety systems. However, this is not just a Freeport LNG or Triconex issue. Previously, a “sensor system malfunction” caused a shutdown of a different LNG terminal. Furthermore, I attended the Triton presentation at the April 2018 ICSJWG meeting in Albuquerque. Coincidentally, I was scheduled to give a presentation on the lack of cyber security of the sensors and added to my prepared presentation how compromising the sensors could have avoided the issues that caused the Russian Triton cyber attack to be unsuccessful.

As the final chapter has not been written on the Freeport LNG explosion, this blog is written as a detective story: presenting the motive, means, and opportunity for this to have been done maliciously.

There are several cyber-related issues that could have led to the Freeport LNG overpressure event (and interfered with its safe relief). They include:

  • Process sensor (pressure transmitter) issues – incorrect readings or safety setpoints.
  • Controller issues – controllers didn’t actuate safety systems.
  • Final element (valve) issues – Valves didn’t open in a timely manner.

Such failures could have been either accidental or the result of sabotage.

Motive

In mid-February 2022, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc. The attacks targeted companies involved with the production of LNG and were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine on February 24th, when energy markets were already roiled by tight supplies.

The Freeport LNG plant on Quintana Island, Texas can produce around 2 billion cubic feet per day of LNG. That comprises more than 15% of U.S. LNG export capacity. Freeport LNG said it doesn’t expect to be fully operational again until “late 2022” following the June 8 explosion, worsening the outlook for European buyers seeking to replace Russian energy imports.

Means

The Russians have a long history of cyber attacks against critical infrastructure in multiple countries including the US. In 2011, the Russians attempted to take over a small US water plant, damaging a motor in the process. In 2013, Russia unleashed Havex (Havex is a Russian-made remote access trojan used in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors primarily in the United States and Europe). In 2014, Russia unleashed BlackEnergy 2 in the US electric grid (BlackEnergy 2 is malware targeting GE Cimplicity HMI, Siemens WinCC and Advantech/Broadwin deployments). Additionally, the Russians did a process sensor hacking demonstration (a project known as Corsair) at the 2016 ICS Cyber Security Conference. In 2017, the Russians attempted to take control of the Triconex safety systems in a petrochemical plant in Saudi Arabia to cause it to blow up (the Triton/Trisis incident). And between 2020 and 2022, Russian ransomware has run rampant, affecting industrial operations as well as IT systems.

Learning from another overpressure event

Stuxnet, the disabling cyber attack against Iranian uranium enrichment centrifuges, discovered in 2010, was not a Russian operation. But it held lessons for those who might wish to attack critical infrastructure. Stuxnet compromised pressure sensor data to cause the overpressure event and prevent pressure relief, damaging the centrifuges. According to Ralph Langner’s “To Kill a Centrifuge”, legitimate code executed but received fake input values, and any output (actuator) manipulations by the legitimate control logic no longer had any effect. The malicious process caused pressure to rise continuously. Pressure sensor errors are normally corrected by calibration. If the calibration is overwritten by malicious code on the controller, analog pressure readings are “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as normal pressure no matter how high or low their analog values are. The pressure controller acted accordingly even though the pressure kept rising. Other sensors had to be compromised as well, because they would otherwise have shown critical high or low pressure readings, automatically closing valves and triggering alarms. It can be assumed that the Russians are aware of Stuxnet.
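The Stuxnet pattern described above, a controller whose pressure view has been "corrected" to read normal while the real pressure climbs, is only invisible if the controller's view is the only view. The following is an added illustration (not code from this article, from Freeport LNG, or from Langner's report) of three independent cross-checks a defender can run outside the controller: disagreement between redundant transmitters, a physics check (fluid entering a segment with no relief path must raise pressure), and a frozen-signal check (a live 4-20 mA signal always carries some noise). The 90 psi design limit is the figure quoted on the page; the tag names, sample record, tolerances and window sizes are constructed for the example.

```python
"""Cross-checking a controller's pressure view against independent evidence.

Added illustration, not code from the page, from Freeport LNG or from Langner's
report. Models the Stuxnet pattern: the reading the controller acts on has been
"corrected" to look normal while the real pressure keeps rising. The 90 psi
design limit comes from the page; every other value is constructed.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    t: int             # seconds since start of the record
    pt_a: float        # pressure the controller acts on (possibly falsified), psig
    pt_b: float        # independent transmitter on a separate loop, psig
    inflow: bool       # fluid is being pumped into the line segment
    relief_open: bool  # a relief or vent path is open


DESIGN_LIMIT_PSI = 90.0   # pipe rating stated on the page
DIVERGENCE_PSI = 10.0     # constructed tolerance between redundant transmitters
FROZEN_WINDOW = 6         # samples over which a live analog signal should show noise
FROZEN_STDEV = 0.05       # below this the signal is suspiciously flat
MIN_RISE_PSI = 0.1        # minimum expected rise per sample with inflow and no relief


def redundancy_alerts(samples: List[Sample]) -> List[int]:
    """Times at which the two transmitters disagree beyond tolerance."""
    return [s.t for s in samples if abs(s.pt_a - s.pt_b) > DIVERGENCE_PSI]


def physics_alerts(samples: List[Sample]) -> List[int]:
    """Times at which pressure fails to rise although fluid enters and nothing relieves it."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        if cur.inflow and not cur.relief_open and cur.pt_a < prev.pt_a + MIN_RISE_PSI:
            alerts.append(cur.t)
    return alerts


def frozen_signal_alerts(samples: List[Sample]) -> List[int]:
    """Times at which an active signal has gone perfectly flat, a hallmark of
    clamped or replayed values rather than a real analog measurement."""
    alerts = []
    for i in range(FROZEN_WINDOW - 1, len(samples)):
        window = samples[i - FROZEN_WINDOW + 1 : i + 1]
        if window[-1].inflow and pstdev([s.pt_a for s in window]) < FROZEN_STDEV:
            alerts.append(window[-1].t)
    return alerts


def independent_limit_alerts(samples: List[Sample]) -> List[int]:
    """Times at which the independent transmitter exceeds the pipe rating while
    the controller's view still reports a normal pressure."""
    return [s.t for s in samples
            if s.pt_b > DESIGN_LIMIT_PSI and s.pt_a <= DESIGN_LIMIT_PSI]


def assess(samples: List[Sample]) -> Dict[str, List[int]]:
    """Run every cross-check and return the alerting timestamps per check."""
    return {
        "redundancy": redundancy_alerts(samples),
        "physics": physics_alerts(samples),
        "frozen": frozen_signal_alerts(samples),
        "limit": independent_limit_alerts(samples),
    }


# Constructed record: inflow starts at t=3 with relief closed; from then on the
# controller's view (pt_a) is held flat while the independent transmitter climbs.
CONSTRUCTED_RECORD = [
    Sample(0, 40.0, 40.0, False, True),
    Sample(1, 40.3, 40.2, False, True),
    Sample(2, 39.7, 39.8, False, True),
    Sample(3, 40.0, 48.0, True, False),
    Sample(4, 40.0, 58.0, True, False),
    Sample(5, 40.0, 70.0, True, False),
    Sample(6, 40.0, 84.0, True, False),
    Sample(7, 40.0, 97.0, True, False),
    Sample(8, 40.0, 110.0, True, False),
    Sample(9, 40.0, 125.0, True, False),
]

if __name__ == "__main__":
    for check, times in assess(CONSTRUCTED_RECORD).items():
        print(f"{check:>10}: alerts at t={times}")
```

The point of running these checks on a separate platform (a historian, a safety logger, or a second controller fed by its own transmitter) is that the attack in Langner's account lives on the controller; anything evaluated there inherits the falsified view. Note also that the redundancy and physics checks fire a full three samples before the independent transmitter crosses the pipe rating.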

Opportunity

In 2017, the International Society of Automation (ISA) formed a special working group in ISA99 (Industrial Automation and Control System Cyber Security) to determine if legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusion was that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the ISA 62443-4-2 component specification’s individual security requirements to legacy process sensors (both what is being built today and those already installed in the field). Consequently, in early 2021 the ISA84.09 working group selected as its use case a state-of-the-art digital safety pressure transmitter in an LNG facility. The study found that 69 of the 138 individual cyber security requirements in ISA 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer.

In December 2021, Ankit Suthar noted: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument. (HART - Highway Addressable Remote Transducer - is a hybrid analog and digital industrial automation open protocol. Wired HART communicates over legacy 4–20 mA analog instrumentation current loops using 1200 Baud modems.) These controls lacked basic network protection features.

There were no passwords for these systems, even by default. You simply plug in your HART communicator and change whatever you want.”

Process sensor and actuator device calibrations and other maintenance activities utilize maintenance devices with no cyber security, yet these devices have direct connections to the Internet. These and other unsecured access points can be entry points into the control and safety equipment used in the Freeport LNG facility. Unfortunately, there is little cyber forensic capability at this level.
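When the maintenance protocol itself offers no authentication and the devices keep no usable forensic record, the compensating control that is actually available is to hold an approved configuration per transmitter and compare it against what each device reports on readback, tying every accepted change to a work order. The block below is an added example of that baseline-and-readback check; it is not code from this article, from ISA84.09, or from any vendor's asset management system. The parameter names (lrv, urv, damping_s, trim_offset, hi_alarm) are generic stand-ins for the range, damping, trim and alarm settings a smart transmitter exposes, and the tags, values and work-order numbers are constructed.

```python
"""Baseline-and-readback integrity checking for field instrument configuration.

Added illustration, not code from the page or from any vendor's tooling.
Parameter names are generic stand-ins for the settings a smart transmitter
exposes over its maintenance protocol; tags, values and work orders are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Settings worth watching: re-ranging (lrv/urv), damping, sensor trim and the
# high alarm are exactly the knobs whose silent change hides a real overpressure.
MONITORED = ("lrv", "urv", "damping_s", "trim_offset", "hi_alarm")


@dataclass(frozen=True)
class Readback:
    tag: str
    params: Dict[str, float]
    work_order: Optional[str] = None   # ticket authorising a change, if one exists


@dataclass(frozen=True)
class Finding:
    tag: str
    severity: str   # "critical", "review" or "info"
    detail: str


def compare(baseline: Dict[str, Dict[str, float]], readbacks: List[Readback]) -> List[Finding]:
    """Diff every readback against the approved baseline and report drift.

    Unknown devices and unauthorised changes are critical; authorised changes
    are informational reminders to re-baseline; a device that did not answer
    gets flagged for review rather than silently passing."""
    findings: List[Finding] = []
    seen = set()
    for rb in readbacks:
        seen.add(rb.tag)
        approved = baseline.get(rb.tag)
        if approved is None:
            findings.append(Finding(rb.tag, "critical", "device not in approved baseline"))
            continue
        for name in MONITORED:
            expected, observed = approved.get(name), rb.params.get(name)
            if observed is None:
                findings.append(Finding(rb.tag, "review", f"{name} missing from readback"))
            elif expected is None or abs(observed - expected) > 1e-9:
                if rb.work_order:
                    findings.append(Finding(rb.tag, "info",
                        f"{name} {expected} -> {observed} under {rb.work_order}; update baseline"))
                else:
                    findings.append(Finding(rb.tag, "critical",
                        f"{name} {expected} -> {observed} with no work order"))
    for tag in sorted(baseline.keys() - seen):
        findings.append(Finding(tag, "review", "no readback received"))
    return findings


def critical_tags(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated tags carrying at least one critical finding."""
    return sorted({f.tag for f in findings if f.severity == "critical"})


# Constructed approved configuration for four transmitters on a 0-100 psig range.
_STD = {"lrv": 0.0, "urv": 100.0, "damping_s": 0.5, "trim_offset": 0.0, "hi_alarm": 85.0}
BASELINE = {tag: dict(_STD) for tag in ("PT-101", "PT-102", "PT-103", "PT-105")}

# Constructed readbacks: PT-102 has been re-ranged and trimmed with no ticket,
# PT-103 had its alarm lowered under a work order, PT-104 is an unknown device,
# and PT-105 never answered.
READBACKS = [
    Readback("PT-101", dict(_STD)),
    Readback("PT-102", {**_STD, "urv": 1000.0, "trim_offset": -30.0}),
    Readback("PT-103", {**_STD, "hi_alarm": 80.0}, work_order="WO-0042"),
    Readback("PT-104", dict(_STD)),
]

if __name__ == "__main__":
    for f in compare(BASELINE, READBACKS):
        print(f"{f.severity:>8}  {f.tag}: {f.detail}")
```

Re-ranging the upper range value from 100 to 1000 is the configuration-level equivalent of the Stuxnet falsification described earlier: the transmitter keeps reporting a plausible-looking number while the value it represents is off by an order of magnitude. The readback has to come from the device over the loop, not from the asset management database, since a maintenance tool that writes without authentication may also have updated the database.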

Conclusions

The Freeport LNG explosion could have simply been the result of unintentional system or personnel problems. Freeport LNG did not have a stellar safety record. But this wasn’t the only LNG facility to have a control system-related event. The explosion could have also been the result of malicious cyber-related issues as sophisticated attackers can make cyber attacks look like equipment malfunctions. Stuxnet did just that.

All too often, chemical plant (and other plant) piping failures are investigated by people who are expert in piping failures, but not with people who are experts in instrumentation, control systems, automation, or control system cyber security.

CISA and other US security agencies continue to issue warnings about potential Chinese and Russian cyber attacks on critical infrastructure.

With the June Freeport LNG explosion, the February 21, 2022, Marathon refinery explosion (the same day the US imposed sanctions on Russia), 34 food process plant fires since 2021, and loss of view or control for more than 30 minutes of 150 control center SCADA systems since 2018, maybe the Russians are already here.

Joe Weiss is Managing Partner at Applied Control Solutions
