Suspicions That Explosion At US Gas Export Terminal Caused By Russian Hackers

On June 8, 2022 a damaging explosion occurred at the Freeport Liquefied Natural Gas (LNG) facility in Texas; because of the damage, the facility is not expected to resume major operations until late 2022. The subsequent investigation determined that one of the facility's LNG transfer lines was over-pressurized and ruptured, which caused a "rapid flashing of LNG and the release and ignition of the natural gas vapor cloud."

The description of the accident, attributed in part to “overpressure,” resembles an earlier incident at the site.

Officials at the US Pipeline and Hazardous Materials Safety Administration (PHMSA) said a pipe failed because the supercooled liquid was being forced, at 917 pounds per square inch, through a pipe designed to handle no more than 90 pounds per square inch. Further investigation revealed the pipe was flawed and possibly not fit to handle the cryogenic temperatures of LNG. In an enforcement report, agency officials said there were hundreds of feet of such pipe in the facility. That was one of two incidents that month.

Two weeks later the Washington Examiner published an article, “Did Russian hackers blow up a Texas LNG pipeline on June 8?”, which described the Russian cyber attack on the Triconex safety systems at a petrochemical plant in Saudi Arabia (Triton). It is not known what safety systems were used at the Freeport LNG facility, though it would not be surprising if they also used Triconex, as it is one of the most common safety systems. However, this is not just a Freeport LNG or Triconex issue. Previously, a “sensor system malfunction” caused a shutdown of a different LNG terminal. Furthermore, I attended the Triton presentation at the April 2018 ICSJWG meeting in Albuquerque. Coincidentally, I was scheduled to give a presentation on the lack of cyber security of the sensors, and added to my prepared presentation how compromising the sensors could have avoided the issues that caused the Russian Triton cyber attack to be unsuccessful.

As the final chapter has not been written on the Freeport LNG explosion, this blog post is written as a detective story: presenting the motive, means, and opportunity for this to have been done maliciously.

There are several cyber-related issues that could have led to the Freeport LNG overpressure event (and interfered with its safe relief). They include:

  • Process sensor (pressure transmitter) issues – incorrect readings or safety setpoints.
  • Controller issues – controllers didn’t actuate safety systems.
  • Final element (valve) issues – valves didn’t open in a timely manner.

Such failures could have been either accidental or the result of sabotage.

Motive

In mid-February 2022, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc. The attacks targeted companies involved with the production of LNG and were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine on February 24th, when energy markets were already roiled by tight supplies.

The Freeport LNG plant on Quintana Island, Texas can produce around 2 billion cubic feet per day of LNG. That comprises more than 15% of U.S. LNG export capacity. Freeport LNG said it doesn’t expect to be fully operational again until “late 2022” following the June 8 explosion, worsening the outlook for European buyers seeking to replace Russian energy imports.

Means

The Russians have a long history of cyber attacks against critical infrastructure in multiple countries, including the US. In 2011, the Russians attempted to take over a small US water plant, damaging a motor in the process. In 2013, Russia unleashed Havex (a Russian-made remote access trojan used in a widespread espionage campaign targeting the energy, aviation, pharmaceutical, defense, and petrochemical sectors, primarily in the United States and Europe). In 2014, Russia unleashed BlackEnergy2 in the US electric grid (BlackEnergy2 is malware targeting GE Cimplicity HMI, Siemens WinCC and Advantech/Broadwin deployments). Additionally, the Russians gave a process sensor hacking demonstration (a project known as Corsair) at the 2016 ICS Cyber Security Conference. In 2017, the Russians attempted to take control of the Triconex safety systems in a petrochemical plant in Saudi Arabia to cause it to blow up (the Triton/Trisis incident). And between 2020 and 2022, Russian ransomware has run rampant, affecting industrial operations as well as IT systems.

Learning from another overpressure event

Stuxnet, the disabling cyber attack against Iranian uranium enrichment centrifuges, discovered in 2010, was not a Russian operation. But it held lessons for those who might wish to attack critical infrastructure. Stuxnet compromised pressure sensor data to cause an overpressure event and prevent pressure relief, in order to damage the centrifuges. According to Ralph Langner’s “To Kill a Centrifuge”, legitimate code executed but received fake input values, and any output (actuator) manipulations by the legitimate control logic would no longer have any effect. The malicious process caused pressure to rise continuously. Pressure sensor errors are normally corrected by calibration. If the calibration is overwritten by malicious code on the controller, analog pressure readings are “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as normal pressure no matter how high or low their analog values are. The pressure controller acted accordingly even though the pressure kept rising. Other sensors had to be compromised as well, because they would otherwise have shown critical high or low pressure readings, automatically closing valves and triggering alarms. It can be assumed that the Russians are aware of Stuxnet.

Opportunity

In 2017, the International Society of Automation (ISA) formed a special working group in ISA99 (Industrial Automation and Control System Cyber Security) to determine whether legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusion was that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the individual security requirements of the ISA/IEC 62443-4-2 component specification to legacy process sensors (what is being built today as well as those already installed in the field). In early 2021, the ISA84.09 working group therefore selected as its use case a state-of-the-art digital safety pressure transmitter in an LNG facility. The study found that 69 of the 138 individual cyber security requirements in ISA/IEC 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer.

In December 2021, Ankit Suthar noted: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument.” (HART, the Highway Addressable Remote Transducer protocol, is a hybrid analog and digital open industrial automation protocol; wired HART communicates over legacy 4–20 mA analog instrumentation current loops using 1200 baud modems.) Suthar continued: “These controls lacked basic network protection features.

There were no passwords for these systems, even by default. You simply plug in your HART communicator and change whatever you want.”

Process sensor and actuator calibration and other maintenance activities use maintenance devices, such as HART communicators and asset management tools, that have no cyber security, yet these devices also have direct connections to the Internet. These and other unsecured access points can be entry points into the control and safety equipment used in the Freeport LNG facility. Unfortunately, there is little cyber forensic capability at this level.
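The toy model below is an added example, not code from the article, from Freeport LNG, or from any instrumentation vendor. It ties together the two technical points above: the Stuxnet-style attack, in which the controller's own scaling is overwritten so that every analog reading looks normal, and the HART observation, in which anyone with a communicator can re-range a transmitter with no password. In both cases the controller indicates a "normal" pressure while the real pressure is far above the pipe's rating, so the relief logic never fires. The 90 psi rating and the 917 psi figure are the PHMSA numbers quoted earlier; the transmitter ranges, trip point, tolerance and saturation limits are assumptions for illustration. The `independent_check` function is a generic plausibility check written for this example, not a requirement quoted from ISA/IEC 62443 or a feature of any product; it relies on the fact that the HART digital primary variable is reported in engineering units independently of the analog range, and it must run on a device other than the controller it is checking.

```python
"""Toy 4-20 mA pressure loop: how a "normal" reading can hide an overpressure,
and the cross-checks an independent monitor can run. Added example, not code
from the article or any vendor. The 90 psi rating and 917 psi figure are the
PHMSA numbers quoted in the article; every other value is assumed."""
from dataclasses import dataclass

LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0
SAT_LOW_MA, SAT_HIGH_MA = 3.8, 20.5   # typical NAMUR NE 43 saturation limits
DESIGN_LIMIT_PSI = 90.0               # pipe rating quoted in the article
OBSERVED_PSI = 917.0                  # pressure quoted in the article


@dataclass
class Transmitter:
    """Pressure transmitter. lrv/urv are the HART lower/upper range values:
    lrv is driven as 4 mA, urv as 20 mA on the analog loop."""
    lrv: float
    urv: float

    def loop_current(self, true_psi: float) -> float:
        frac = (true_psi - self.lrv) / (self.urv - self.lrv)
        ma = LOOP_MIN_MA + frac * (LOOP_MAX_MA - LOOP_MIN_MA)
        return max(SAT_LOW_MA, min(SAT_HIGH_MA, ma))   # device saturates out of range

    def hart_pv(self, true_psi: float) -> float:
        """HART digital primary variable, in engineering units. It does not
        depend on the analog range, so re-ranging changes loop_current() only."""
        return true_psi

    def hart_rerange(self, new_urv: float) -> None:
        # Wired HART has no authentication: anyone with a communicator on the
        # loop can rewrite the range (assumes no hardware write-protect is set).
        self.urv = new_urv


@dataclass
class Controller:
    """Controller / safety logic: scales loop current back to psi with its own
    copy of the range and demands relief at the trip point."""
    lrv: float
    urv: float
    trip_psi: float

    def indicated_psi(self, ma: float) -> float:
        frac = (ma - LOOP_MIN_MA) / (LOOP_MAX_MA - LOOP_MIN_MA)
        return self.lrv + frac * (self.urv - self.lrv)

    def relief_demanded(self, ma: float) -> bool:
        return self.indicated_psi(ma) >= self.trip_psi


def independent_check(tx: Transmitter, ctl: Controller, ma: float,
                      true_psi: float, tol_psi: float = 5.0) -> str:
    """Plausibility checks for a monitor that is NOT the controller (a
    compromised controller cannot be trusted to check itself):
      1. transmitter and controller must hold the same configured range;
      2. the loop must not be saturated (an alarm condition in its own right);
      3. the analog-derived value must agree with the HART digital PV."""
    if (tx.lrv, tx.urv) != (ctl.lrv, ctl.urv):
        return "range-mismatch"
    if ma <= SAT_LOW_MA or ma >= SAT_HIGH_MA:
        return "saturated"
    if abs(ctl.indicated_psi(ma) - tx.hart_pv(true_psi)) > tol_psi:
        return "pv-mismatch"
    return "ok"


def assess(tx: Transmitter, ctl: Controller, true_psi: float) -> dict:
    ma = tx.loop_current(true_psi)
    return {"ma": ma, "indicated_psi": ctl.indicated_psi(ma),
            "relief": ctl.relief_demanded(ma),
            "check": independent_check(tx, ctl, ma, true_psi)}


def scenarios() -> dict:
    out = {}
    # 1. Honest loop, both ends configured 0-100 psi, pressure just over the limit.
    tx, ctl = Transmitter(0.0, 100.0), Controller(0.0, 100.0, DESIGN_LIMIT_PSI)
    out["honest"] = assess(tx, ctl, 95.0)                      # relief demanded
    # 2. Field-side attack: transmitter re-ranged to 0-2000 psi over HART. The
    #    controller still reads 4-20 mA as 0-100 psi, so 917 psi shows as ~46 psi.
    tx.hart_rerange(2000.0)
    out["hart_rerange"] = assess(tx, ctl, OBSERVED_PSI)         # no relief
    # 3. Controller-side attack (Stuxnet-style): honest transmitter saturates at
    #    20.5 mA, but the controller's scaling block has been overwritten so any
    #    current on the loop maps to a normal-looking pressure.
    tx, ctl = Transmitter(0.0, 100.0), Controller(0.0, 50.0, DESIGN_LIMIT_PSI)
    out["controller_rescale"] = assess(tx, ctl, OBSERVED_PSI)   # no relief
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:19s} {r['ma']:6.3f} mA -> {r['indicated_psi']:7.2f} psi "
              f"relief={str(r['relief']):5s} check={r['check']}")
```

Running the script prints one line per scenario; only the honest loop demands relief, while both attack variants are caught by the configuration comparison before the loop value is even looked at. The saturation branch matters in practice: an honest 0-100 psi transmitter exposed to 917 psi pins the loop at 20.5 mA, which disagrees with its digital PV by hundreds of psi, and a check that did not recognise saturation would misreport that legitimate alarm as tampering.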

Conclusions

The Freeport LNG explosion could simply have been the result of unintentional system or personnel problems; Freeport LNG did not have a stellar safety record, and this was not the only LNG facility to have a control system-related event. But the explosion could also have been the result of malicious cyber-related issues, since sophisticated attackers can make cyber attacks look like equipment malfunctions. Stuxnet did just that.

All too often, chemical plant (and other plant) piping failures are investigated by people who are experts in piping failures, but not by people who are experts in instrumentation, control systems, automation, or control system cyber security.

CISA and other US security agencies continue to issue warnings about potential Chinese and Russian cyber attacks on critical infrastructure.

With the June Freeport LNG explosion, the February 21, 2022, Marathon refinery explosion (the same day the US imposed sanctions on Russia), 34 food process plant fires since 2021, and loss of view or control for more than 30 minutes of 150 control center SCADA systems since 2018, maybe the Russians are already here.

Joe Weiss is Managing Partner at Applied Control Solutions
