Suspicions That Explosion At US Gas Export Terminal Caused By Russian Hackers

Uploaded on 2022-07-15 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Energy

On June 8, 2022 a damaging  explosion occurred at the Freeport Liquid Natural Gas LNG) facility in Texas and the damage suffered means the facility is not expected to resume major operations until late 2022. The subsequent investigation reached a determination that one of the facility's LNG transfer lines was over pressurized and ruptured, which caused a "rapid flashing of LNG and the release and ignition of the natural gas vapor cloud."

The description of the accident, attributed in part to “overpressure,” offers similarities to an earlier incident at the site. 

The US Pipeline and Hazardous Materials Safety Administration (PHMSA) officials say a pipe failed because the supercooled liquid was being forced, at 917 pounds per square inch, through a pipe designed to handle no more than 90 pounds per square inch. Further investigation revealed the pipe was flawed and possibly not fit to handle the cryogenic temperatures of LNG. In an enforcement report, agency officials said there were hundreds of feet of such pipe in the facility. That was one of two incidents that month.

Two weeks later he Washington Examiner published an article: “Did Russian hackers blow up a Texas LNG pipeline on June 8?” which described the Russian cyber attack of the Triconix safety systems in Saudi Arabia (Triton). It is not known what safety systems were used at the Freeport LNG facility though it would not be surprising if they also used Triconix as it is one of the most common safety systems. However, this is neither just a Freeport LNG or Triconix issue. Previously, a “sensor system malfunction” caused a shutdown of a different LNG terminal. Furthermore, I attended the Triton presentation at the April 2018 ICSJWG meeting in Albuquerque. Coincidently, I was scheduled to give a presentation on the lack of cyber insecurity of the sensors and added to my prepared presentation how compromising the sensors could have avoided the issues that caused the Russian Triton cyber attack to be unsuccessful.

As the final chapter has not been written on the Freeport LNG explosion, this blog is written as a detective story. That is, presenting motive, means, and opportunity for this to have been done maliciously.

There are several cyber-related issues that could have led to the Freeport LNG overpressure event (and interfered with its safe relief). They include:

  • Process sensor (pressure transmitter) issues – incorrect readings or safety setpoints.
  • Controller issues – controllers didn’t actuate safety systems.
  • Final element (valve) issues – Valves didn’t open in a timely manner.

Such failures could have been either accidental or the result of sabotage.

Motive

In mid-February 2022, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc. The attacks targeted companies involved with the production of LNG and were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity, which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine on February 24th, when energy markets were already roiled by tight supplies.

The Freeport LNG plant on Quintana Island, Texas can produce around 2 billion cubic feet per day of LNG. That comprises more than 15% of U.S. LNG export capacity. Freeport LNG said it doesn’t expect to be fully operational again until “late 2022” following the June 8 explosion, worsening the outlook for European buyers seeking to replace Russian energy imports.

Means

The Russians have a long history of cyber attacks against critical infrastructure in multiple countries including the US. In 2011, the Russians attempted to take over a small US water plant damaging a motor in the process. In 2013, Russia unleashed Havex (Havex is a Russian-made remote access trojan used in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors primarily in the United States and Europe). In 2014, Russia unleashed Black Energy2 in the US electric grid (BlackEnergy 2 is malware targeting GE Cimplicity HMI, Siemens WinCC and Advantech/Broadwin deployments). Additionally, the Russians did a process sensor hacking demonstration (a project known as Corsair) at the 2016 ICS Cyber Security Conference. In 2017, the Russians attempted to take control of the Triconex safety systems in a petrochemical plant in Saudi Arabia to cause it to blow up (the Triton/Trisys incident). And between 2020 and 2022, Russian ransomware has run rampant affecting industrial operations as well as IT systems.

Learning from another overpressure event

Stuxnet, the disabling cyber attack against Iranian uranium refinement centrifuges, discovered in 2010, was not a Russian operation. But it held lessons for those who might wish to attack critical infrastructure. Stuxnet compromised pressure sensor data to cause the overpressure event and prevent pressure relief to damage the centrifuges. According to Ralph Langner’s “To Kill a Centrifuge”, legitimate code executed but received fake input values, and any output (actuator) manipulations of legitimate control logic would no longer have any effect. The malicious process caused pressure to rise continuously. Pressure sensors errors are corrected by calibration. If the calibration is overwritten by malicious code on the controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as normal pressure no matter how high or low their analog values are. The pressure controller acted accordingly even though the pressure kept rising. Other sensors were compromised because they would have shown critical high or low pressure readings, automatically closing valves and triggering alarms. It can be assumed that the Russians are aware of Stuxnet.

Opportunity

In 2017, the International Society of Automation (ISA) formed a special working group in ISA99 (Industrial Automation and Control System Cyber Security) to determine if legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusions were that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the ISA 62443-4-2 component specification’s individual security requirements to legacy (what is being built today as well those already installed in the field) process sensors. Consequently, in early 2021, the ISA84.09 working group selected as the use case was a state-of-the-art digital safety pressure transmitters in an LNG facility.  The study found that 69 of the 138 individual cyber security requirements in ISA 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer.

December 2021, Ankit Suthar noted: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument. (HART - Highway Addressable Remote Transducer- is a hybrid analog and digital industrial automation open protocol. Wired HART communicates over legacy 4–20 mA analog instrumentation current loops using 1200 Baud modems. These controls lacked basic network protection features.

There were no passwords, for these systems even by default. You simply plug in your HART communicator and change whatever you want.”

Process sensor and actuator device calibrations or other maintenance activities utilize maintenance devices with no cyber security, yet these devices have direct connections to the Internet. These and other unsecured access points can be entry points into the control and safety equipment used in the Freeport LNG facility. Unfortunately, there is little cyber forensics at this level.

Conclusions

The Freeport LNG explosion could have simply been the result of unintentional system or personnel problems. Freeport LNG did not have a stellar safety record. But this wasn’t the only LNG facility to have a control system-related event. The explosion could have also been the result of malicious cyber-related issues as sophisticated attackers can make cyber attacks look like equipment malfunctions. Stuxnet did just that.

All too often, chemical plant (and other plant) piping failures are investigated by people who are expert in piping failures, but not with people who are experts in instrumentation, control systems, automation, or control system cyber security.

CISA and other US security agencies  continue to issue sending out warnings about potential Chinese and Russian cyber attacks on critical infrastructure.

With the June Freeport LNG explosion, the February 21, 2022, Marathon refinery explosion (the same day the US imposed sanctions on Russia), 34 food process plant fires since 2021, and loss of view or control for more than 30 minutes of 150 control center SCADA systems since 2018, maybe the Russians are already here.

Joe Weiss is Managing Partner at Applied Control Solutions

You Might Also Read: 

Process Sensor Cyber Security Is A Vital Issue:

 

« Creating A Security Awareness Training Program
Conversational Commerce Is Going To Be Big - But Could Be Risky »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Civica

Civica

Civica provides cloud-based managed IT services, hosting and outsourcing.

Logscape

Logscape

Logscape provides a big data analytical tool for log file analysis and operational analytics.

KayHut

KayHut

KayHut is a young, innovative company engaged in cyber research and security solutions.

Somansa

Somansa

Somansa is a global leader in Data Security and Compliance solutions designed to protect valuable company information from leakage and help meet regulatory compliance requirements.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

ACPL Systems

ACPL Systems

We offer leading-edge technology solutions, expert professional and managed services and proven methodologies to ensure your data is protected and business risks are reduced.

Procsima Group

Procsima Group

Procsima Group was created to help you achieve good IT management and security excellence.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Ergo

Ergo

Ergo is a world-class IT Partner of choice, leveraging the latest technology available in cloud, mobility, big data, analytics, and social media.

Guardara

Guardara

Guardara's mission is to help our customers to continuously improve in every aspect of software development.

Aligned Technology Solutions (ATS)

Aligned Technology Solutions (ATS)

ATS manage, monitor, and maintain everything from your network and servers to your workstations and mobile devices, and we do it proactively to eliminate downtime and keep hackers at bay.

Commission Nationale de l'Informatique et des Libertés (CNIL)

Commission Nationale de l'Informatique et des Libertés (CNIL)

The mission of CNIL is to protect personal data, support innovation, and preserve individual liberties.

StepSecurity

StepSecurity

StepSecurity provides a comprehensive security platform for GitHub Actions.

StrongDM

StrongDM

StrongDM is the leader in Zero Trust Privileged Access Management (PAM).

Compugen Systems Inc (CSI)

Compugen Systems Inc (CSI)

Compugen Systems is an IT service delivery company that focuses on enabling your business outcomes.

Secure Domains

Secure Domains

Secure Domains is the first company in the GCC to offer cloud-based DNS firewall services and security through its flagship SaaS product, DNS Armor.