This morning the Agency for Chemical and Environmental
Security (ACES) confirmed during a press conference in Atlanta that yesterday’s
chlorine release at a water treatment plant outside of Atlanta, GA was
apparently the result of a terrorist attack. The release of about 2,000 pounds
of chlorine gas killed one employee at the facility, but the local community
was not affected.

Daniel Varg, the ACES Director, reported that the secondary
containment system at the facility stopped the release from spreading. The
affected employee, whose name has not yet been released, was doing routine work
in the containment building when the release occurred. The release occurred
when the automated vent valve on the chlorine storage tank was remotely opened.

A private chemical response company is on-site remediating
the chlorine released into the containment building. They are expected to
complete their work this afternoon and the facility should be operational
shortly thereafter. There was no effect on the quality of the drinking water
produced by the facility.

Immanuel C. Securitage from ECS-CERT reported that they also
have a team on-site looking at how the valve could have been tampered with.
Initial reports are that the valve was provided by Robotron and that a variant
of the GUMMI BAREN worm was responsible for allowing a terrorist group to gain
access to operational control of the valve.

Securitage reported that his agency had received reports
about the variant from an unnamed security researcher and that it apparently
targeted the particular type of valve used in chlorine storage facilities. He
explained that a classified report on the GUMMI BAREN CL had been posted to the
ECS-CERT secure web site last month.

When asked if the facility was aware of the GUMMI BAREN CL
report, Varg explained that the security contractor for the site did not have
the necessary security clearance to be able to read the report. Only the
facility manager had the appropriate clearance, but he was not aware of the
ECS-CERT report. Varg admitted that his agency had not notified facilities of
the report, noting that that was an ECS-CERT responsibility. Securitage
responded that his agency did not know what facilities were using the affected
valves. That was why ECS-CERT published the report on their secure web site;
facility managers should be periodically checking that web site for reports
affecting their facility.

Johnathan Quest of the Federal Bureau of Inquiry told the
same news conference that his agency was investigating the apparent terrorist
attack on the facility. He reported that they had been working with ECS-CERT on
tracking down the group behind the GUMMI BAREN CL malware. Currently the FBI
believes that Students for Immediate Neutralization of Chlorine Technology and
Energy Reversion (SFINCTER) are responsible.

“We know,” he said, “that they have been known to work with
elements of Stasi Ehemalige – the radical German hacking collective. That group
was responsible for the GUMMI BAREN ransomware and is likely the source of the
CL variant.”

SFINCTER has been very vocal in their attempt to stop all
uses of chlorine gas. In recent years they have become much more militant and
have threatened direct action against facilities using chlorine gas. If this
attack was conducted by SFINCTER, it would be the first time that they had
moved beyond civil disobedience activities.

During the question-and-answer portion of the conference,
Varg was asked why a remotely accessible valve was used in the safety system.
Varg explained that the valve was the same one that was used in all chlorine
contact systems at the plant. The safety system controlling the operation of
that valve is a stand-alone system, but the valve was connected to the facility
control system human-machine interface (HMI) for alerting purposes. That was
supposed to be a one-way communication process, but a default maintenance
setting on the valve allowed two-way communication over that port.