The 14th US District Court today ruled that
hacking was not “an unforeseeable event” that would trigger the force majeure
clause in the contracts of a local chemical manufacturer here in Lake Charles,
LA. The Blew Bayou Chemical Company had sued Parish Chemicals for breach of
contract for its failure to deliver acrylonitrile in accordance with the terms
of their contract. Parish Chemical argued that the disruption of their
manufacturing processes by hackers should trigger the force majeure clause in
the contract.
Parish Chemical has been in the news this year for a number
of cyber related incidents at it’s Lake Charles Acrylonitrile Plant:
In January the ECS-CERT announced
that a number of process upsets at the plant were the result of a number of
random changes that had been made to the programming of process control devices
at the facility by the VentilSteuerung worm.
In March Dragonfire, an industrial
cybersecurity company, was hired to investigate a number of process control
related quality issues and discovered multiple penetrations of security of the
WindowsXP® computers used to run the Robotron Control System at the plant.
In June the Chemical Safety Bureau
announced that their investigation of the acrylonitrile release that killed
three employees and injured a number of local residents was due to multiple
failures in the plant safety system due to the UNSICHER worm.
In July the facility was shut down
for two weeks due to a ransomware attack on the facility control system by GUMMI
BAREN.
That last event was responsible for the failure to deliver
four railcar loads of acrylonitrile to the Blew Bayou Chemical Company that
resulted in the current law suit against Parish Chemical. Bernard Fife, the lawyer
for Parish, argued that the GUMMI BAREN attack was an unforeseen circumstance
that should trigger the force majeure clause in the delivery contract. Blew
Bayou’s Charlene Matlock argued in preliminary hearings that the pattern of
cyber events at the facility showed a reckless disregard of basic cybersecurity
hygiene at the facility and that the failure to adequately protect computer
systems at the facility resulted in the contract breach.
Today’s ruling means that the breach of contract suit will
continue next week.
In an apparently related press release, Dragonfire announced
that it had determined that the cyber attacks on the Parish Chemicals computers
had all come from IP addresses associated with Tianjin Chemical, a Chinese supplier
of acrylonitrile.