Sunday, October 28, 2018

Court Says Hacking Not Force Majeure


The 14th US District Court today ruled that hacking was not “an unforeseeable event” that would trigger the force majeure clause in the contracts of a local chemical manufacturer here in Lake Charles, LA. The Blew Bayou Chemical Company had sued Parish Chemicals for breach of contract for its failure to deliver acrylonitrile in accordance with the terms of their contract. Parish Chemical argued that the disruption of their manufacturing processes by hackers should trigger the force majeure clause in the contract.

Parish Chemical has been in the news this year for a number of cyber-related incidents at its Lake Charles Acrylonitrile Plant:

In January the ECS-CERT announced that a number of process upsets at the plant were the result of a number of random changes that had been made to the programming of process control devices at the facility by the VentilSteuerung worm.

In March Dragonfire, an industrial cybersecurity company, was hired to investigate a number of process-control-related quality issues and discovered multiple security penetrations of the Windows XP® computers used to run the Robotron Control System at the plant.

In June the Chemical Safety Bureau announced that its investigation had found that the acrylonitrile release that killed three employees and injured a number of local residents was due to multiple failures in the plant safety system caused by the UNSICHER worm.

In July the facility was shut down for two weeks due to a ransomware attack on the facility control system by GUMMI BAREN.

That last event was responsible for the failure to deliver four railcar loads of acrylonitrile to the Blew Bayou Chemical Company that resulted in the current lawsuit against Parish Chemical. Bernard Fife, the lawyer for Parish, argued that the GUMMI BAREN attack was an unforeseen circumstance that should trigger the force majeure clause in the delivery contract. Blew Bayou’s Charlene Matlock argued in preliminary hearings that the pattern of cyber events at the facility showed a reckless disregard of basic cybersecurity hygiene and that the failure to adequately protect computer systems at the facility resulted in the contract breach.

Today’s ruling means that the breach of contract suit will continue next week.

In an apparently related press release, Dragonfire announced that it had determined that the cyber attacks on the Parish Chemicals computers had all come from IP addresses associated with Tianjin Chemical, a Chinese supplier of acrylonitrile.

Wednesday, October 24, 2018

Did Wireless Hack Cause Massive Chlorine Release?


The Federal Bureau of Inquiry confirms that it has joined the Chemical Safety Bureau in the investigation of the 40,000-lb chlorine release at Blew Bayou Chemical Company chemical terminal outside of Baton Rouge, Louisiana. This news comes after the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) announced that its computer team had hacked the wireless controls used to transfer chlorine from a barge to tank trucks at the facility.

Johnathan Quest, an FBI spokesman, told reporters today that the statement by SFINCTER was the reason that the FBI had joined the investigation, but reiterated that the preliminary investigation by the CSB had not yet determined the cause of the release.

Issac B Kaghun, the Blew Bayou owner, confirmed that the company had recently installed Robotron radio-controlled valves on the lines used to transfer chemicals from barges to trucks and railcars at the facility. He noted that those valves had been added when the Company had upgraded the control room at the facility to allow for a fully automated transfer system.

Vera Arbeiten, Director of the CSB, confirmed that the preliminary investigation had identified the source of the leak as a transfer line that was not hooked up to a vehicle. The leak was stopped when the lone site operator suited up in chemical protective clothing and shut off a manual valve on the barge. One of the casualties in the accident was a truck driver who was backing his tank truck into the chlorine transfer station where the leak occurred.

Immanuel C. Securitage, spokesman for ECS-CERT, reported that the Robotron FGVentil-25 valves used by Blew Bayou were the subject of a recent security advisory for a capture and replay vulnerability that would allow an attacker to intercept radio control signals and re-use them to spoof control of the valves. Erich Mielke, President of Robotron, issued a statement that Robotron had coordinated with ECS-CERT in identifying and providing mitigation measures for that vulnerability, noting that the Company had no way of knowing if Blew Bayou had downloaded the firmware upgrade.

Eaton Kaghun, Operations Manager at Blew Bayou, responded, when asked about the vulnerability, that he would have to contact the company’s control system contractor about the issue. He did state that the Company had not had any communications from Robotron about the vulnerability.

Three people at or near the site at the time of the accident were killed by the release. Twenty-five people remain hospitalized in critical condition after the incident earlier this week.

Monday, October 15, 2018

City Loses Chlorine Notification Lawsuit


This afternoon, Judge James (Skeeter) Willis announced that the Delano Water Maintenance Department was liable for $1.2 million in actual and punitive damages for failure of their Chlorine Release Notification System (CRNS) to notify the residents of the Greenway Apartments of a pattern of chlorine leaks during January of this year. That notification system was required to be installed by Judge Willis after the 2016 chlorine release at the WMD facility injured sixteen people in that same apartment complex adjacent to the drinking water treatment facility.

Junior Butts, the lawyer for the complex, filed the lawsuit after hackers from the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) published data from the CRNS showing a series of chlorine releases from the water disinfection system in January that were not reported to the residents of Greenway. Butts, a resident of the complex, is well known for his legal support of environmental activists including members of SFINCTER.

George Funderburke, the Director of the Delano WMD, argued at trial that the same hackers who accessed the wireless sensor network to obtain the data reported by SFINCTER could have planted that data during their illegal access to the system.

The SFINCTER hackers were not heard from at trial because of their potential for being arrested on federal computer hacking charges. Instead, Butts convinced Willis to request an investigation of the CRNS by the ECS-CERT. Immanuel C. Securitage, the Director of ECS-CERT, agreed to conduct the investigation only after receiving a formal request by Funderburke.

At trial, Securitage confirmed that the CRNS sensor logs showed the data that had been published on-line by SFINCTER. During cross examination he confirmed that known security issues with both the WiFi network equipment and the sensor system made it impossible to tell when the data was entered into the logs. Butts argued that those same security issues could be used to explain why there were inconsistencies in the pattern of readings from the sensor network that the defense argued demonstrated that the reported readings could not have come from any release during the weather conditions present on the days of the reputed releases.
                                             
In his comments before pronouncing judgement today, Willis noted that Delano WMD was responsible for the security of the CRNS network and could not use that inadequate security as a defense in this case. In any case, he noted, the settlement agreement in the previous case required that the CRNS provide immediate alerts whenever sensors reported chlorine readings in excess of 5 ppm and CRNS records showed no such reports from any of the releases recorded by the system.

William H. Lee, III, the Mayor of Delano, noted that the Delano WMD is owned by the City and the City self-insures. The payment of the fine will be discussed at the City Council meeting next week.

Wednesday, October 10, 2018

Last Week’s Sulfuric Acid Release Was Chemical Hack


Augusta, GA

At a press conference today, Special Agent Johnathan Quest of the Federal Bureau of Inquiry (FBI) confirmed that the FBI was investigating the accident last week at the Mayberry Chemical manufacturing facility in nearby Mayberry, GA as a cyberattack on the facility.

That incident involved the release of sulfuric acid from a storage tank that resulted in the injury of seven people, including six elementary school students who were working on a class environmental project in a stream adjacent to the facility at the time of the release. Three of the students are still in the hospital in critical condition, as is one employee of Mayberry Chemical.

The FBI was brought into the investigation after a preliminary investigation by the Chemical Safety Bureau (CSB) uncovered control system anomalies that apparently precipitated the incident.

Vera Arbeiten, spokesperson for the CSB, reported that sensor data during a reaction vessel filling operation had been doctored to allow the vessel to be overfilled during cleaning operations, which resulted in a backflow of water and caustic soda into the sulfuric acid tank. The ensuing chemical reaction pressurized the tank and led to the subsequent release of sulfuric acid fumes and droplets. Those droplets caused the worst injuries to the affected personnel, including chemical burns to the faces of three of the students.

Andrew Gryfin, the President of Mayberry Chemical, explained that the company was a specialty chemical manufacturing company and that it was currently working on a project with university researchers for production of a specialty phenolic resin to be used in a DOD study of a potential radar-absorbing coating for aircraft.

Gryfin noted that the company has been suffering from a number of minor process and quality issues since beginning work on the DOD-related project. A preliminary cybersecurity review by the ECS-CERT, requested by CSB, has indicated that the earlier anomalies and the recent incident were related to previously unreported malware discovered on the control system computers. Immanuel C. Securitage from ECS-CERT noted that company control logs documented many of the malware actions that contributed to past incidents as well as the current release incident.

Unfortunately, no one at the company had reviewed those logs, according to Gryfin. The company has no on-site cybersecurity personnel and the logs were set up by a contractor fulfilling a DOD cybersecurity requirement.

Arbeiten noted that the company had put manual safeguards into place to prevent such overfilling, cross-contamination incidents. This incident would have been prevented if a manual valve on the sulfuric acid fill line on the reaction vessel had been closed prior to the start of the process. Closing this valve is part of the written instructions for this process, but the valve was open when investigators arrived on site.

Gryfin noted that the facility had been short-staffed lately due to personnel cutbacks. The company had been experiencing some loss of business due to the quality and production problems.

Quest reported that the FBI investigation was ongoing and that they were getting some technical assistance from units at the nearby military base.