Tuesday, June 13, 2017

ECS-CERT Reports on HighTempOverride Attack on Refinery

Today the DHS ECS-CERT announced that the recent shutdown of the Rafael Ravard Refinery in Louisiana was a direct result of a cyber-attack on the facility using the recently discovered HighTempOverride malware. The refinery is still in shutdown mode two weeks after the attack.

ECS-CERT spokesman Immanuel C. Securitage said that attack last month at Ravard Refinery was very similar to attacks on an unnamed chlorine production facility two months ago. That earlier attack caused a number of process shutdowns over the period of a couple of days and then shut the plant down when the control system software used at the plant was wiped from the system control computers.

Securitage explained that the process shutdowns were caused by spoofing temperature readouts in the reaction monitoring system, causing the control system to think that the process was entering a potentially dangerous out of control condition. This is the source of the ECS-CERT name for the malware, HighTempOverride.

The Federal Bureau of Inquiry spokesman Johnathan Quest said that the earlier attack was claimed by Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). No one has yet claimed responsibility for the Ravard Refinery attack.

Cesar Chavez, President of the Ravard Refinery, noted that his facility had taken precautions against this type of attack by ensuring that all control system files were routinely backed up. This would normally allow for a quick restart after this type of attack. According to the Agency for Chemical and Environmental Security (ACES) the attackers had apparently modified the malware to include a module that infected backup files.

Chaves told reporters that he did not know when the refinery would be able to resume production. Due to retirements over the last couple of years, there were very few employees that were familiar with routine manual operations at the facility. ECS-CERT and the refinery engineering staff were working with Robotron, the control system supplier, to try to remove the malware from the control system.

Chaves noted that every day the refinery was shutdown cost the company $1.5 million.