Thursday, January 26, 2017

Homeland Security Confirms Chemical Facility Attack

This morning the Agency for Chemical and Environmental Security (ACES) confirmed during a press conference in Atlanta that yesterday’s chlorine release at a water treatment plant outside of Atlanta, GA was apparently the result of a terrorist attack. The release of about 2,000 pounds of chlorine gas killed one employee at the facility, but the local community was not affected.

Daniel Varg, the ACES Director, reported that the secondary containment system at the facility stopped the release from spreading. The affected employee, whose name has not yet been released, was doing routine work in the containment building when the release occurred. The release occurred when the automated vent valve on the chlorine storage tank was remotely opened.

A private chemical response company is on-site remediating the chlorine released into the containment building. They are expected to complete their work this afternoon and the facility should be operational shortly thereafter. There was no effect on the quality of the drinking water produced by the facility.

Immanuel C. Securitage from ECS-CERT reported that they also have a team on-site looking at how the valve could have been tampered with. Initial reports are that the valve was provided by Robotron and that a variant of the GUMMI BAREN worm was responsible for allowing a terrorist group to gain access to operational control of the valve.

Securitage reported that his agency had received reports about the variant from an unnamed security researcher and that it apparently targeted the particular type of valve used in chlorine storage facilities. He explained that a classified report on the GUMMI BAREN CL had been posted to the ECS-CERT secure web site last month.

When asked if the facility was aware of the GUMMI BARREN CL report, Varg explained that the security contractor for the site did not have the necessary security clearance to be able to read the report. Only the facility manager had the appropriate clearance, but he was not aware of the ECS-CERT report. Varg admitted that his agency had not notified facilities of the report, noting that that was an ECS-CERT responsibility. Securitage responded that his agency did not know what facilities were using the affected valves. That was why ECS-CERT published the report on their secure web site; facility managers should be periodically checking that web site for reports affecting their facility.

Johnathan Quest of the Federal Bureau of Inquiry told the same news conference that his agency was investigating the apparent terrorist attack on the facility. He reported that they had been working with ECS-CERT on tracking down the group behind the GUMMI BARREN CL malware. Currently the FBI believes that Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) are responsible.

“We know,” he said, “that they have been known to work with elements of Stasi Ehemalige – the radical German hacking collective. That group was responsible for the GUMMI BARREN ransomware and is likely the source of the CL variant.”

SFINCTER has been very vocal in their attempt to stop all uses of chlorine gas. In recent years they have become much more militant and have threatened direct action against facilities using chlorine gas. If this attack was conducted by SFINCTER, it would be the first time that they had moved beyond civil disobedience activities.

During the question and answer portion of the conference Varg was asked why a remotely accessible valve was used in the safety system. Varg explained that the valve was the same one that was used in all chlorine contact systems at the plant. The safety system controlling the operation of that valve is a stand-alone system, but the valve was connected to the facility control system human-machine interface (HMI) for alerting purposes. That was supposed to be a one-way communication process, but a default maintenance setting on the valve allowed two-way communication over that port.
