Did Wireless Hack Cause Massive Chlorine Release?

The Federal Bureau of Inquiry confirms that it has joined the Chemical Safety Bureau in the investigation of the 40,000-lb chlorine release at Blew Bayou Chemical Company chemical terminal outside of Baton Rouge, Louisiana. This news comes after the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) announced that its computer team had hacked the wireless controls used to transfer chlorine from a barge to tank trucks at the facility.

Johnathan Quest, an FBI spokesman, told reporters today that the statement by SFINCTER was the reason that the FBI had joined the investigation, but reiterated that the preliminary investigation by the CSB had not yet determined the cause of the release.

Issac B Kaghun, the Blew Bayou owner, confirmed that the company had recently installed Robotron radio-controlled valves on the lines used to transfer chemicals from barges to trucks and railcars at the facility. He noted that those valves had been added when the Company had upgraded the control room at the facility to allow for a fully automated transfer system.

Vera Arbeiten, Director of the CSB, confirmed that the preliminary investigation had identified the source of the leak as a transfer line that was not hooked up to a vehicle. The leak was stopped when the lone site operator suited up in chemical protective clothing and shut off a manual valve on the barge. One of the casualties in the accident was a truck driver who was backing his tank truck into the chlorine transfer station where the leak occurred.

Immanuel C. Securitage, spokes man for ECS-CERT, reported that the Robotron FGVentil-25 valves used by Blew Bayou were the subject of a recent security advisory for a capture and replay vulnerability that would allow an attacker to intercept radio control signals and re-use them to spoof control of the valves. Erich Mielke, President of Robotron, issued a statement that Robotron had coordinated with ECS-CERT in identifying and providing mitigation measures for that vulnerability, noting that the Company had no way of knowing if Blew Bayou had downloaded the firmware upgrade.

Eaton Kaghun, Operations Manager at Blew Bayou, responded when asked about the vulnerability, that he would have to contact the company’s control system contractor about the issue. He did state that the Company had not had any communications from Robotron about the vulnerability.

Three people at or near the site at the time of the accident were killed by the release. Twenty-five people remain hospitalized in critical condition after the incident earlier this week.