Tuesday, December 31, 2019

Acrylic Acid Explosion the Result of Cyber Attack


Daniel Varg, the spokesman for the Agency for Chemical and Environmental Security (ACES), announced at a news conference today that last week’s explosion and fire was apparently due to a deliberate cyber attack on the control systems at the Blew Bayou Chemical facility outside of Baton Rouge. The plant produces acrylic acid, acrylamide and other associated polymers. Varg reported that both the ECS-CERT and the Federal Bureau of Inquiry are now participating in the ACES investigation.

Johnathan Quest, the FBI spokesman, was asked why the agency was not leading the investigation since it was now about a criminal act. He noted that ACES investigators had been on-site for almost a week now and were more familiar with the hazards associated with working around a chemical incident of this sort. Immanuel C. Securitage from ECS-CERT added that his agency had a recent history of working closely with both organizations and the teams were working well together.

Varg reported that the ACES investigators had determined that the initial explosion at the facility took place in one of the 50,000-gallon storage tanks in an enclosed tank farm building. The reason for the explosion was that an exothermic reaction had taken place in the tank when nitrogen had somehow been substituted for an air sparge in the tank. Daniel noted that with the nitrogen displacing the dissolved oxygen in the tank, the inhibitor in the acrylic acid no longer functioned to stop the polymerization reaction. The liquid expansion due to heat and polymerization caused the tank to burst, damaging several adjacent acrylic acid tanks. The subsequent fire and explosion in the storage tank building resulted when acrylic acid fumes were ignited in an apparently improperly secured control panel.

Securitage explained that the cyber portion of the attack is what caused the nitrogen sparge. Their investigators, looking at the data historian logs for the facility, found that a number of valves had been opened by an unknown attacker, allowing nitrogen to be routed to the air sparge line via an empty vessel in an adjacent part of the facility that had both types of lines feeding the vessel.

When asked if this was the result of poor design, Varg told reporters that there was a check valve in the air line to that vessel, but it was not functioning properly and was scheduled to be replaced before the plant started operations after the holidays. IC Securitage told reporters that the attacker would have had to have detailed knowledge about the facility engineering to have determined what valves to open to achieve the nitrogen sparge of the tank. He did note that there was evidence that an attacker had been in the control system network for months before the attack happened.

Varg also reported that the explosion that caused the injuries to the three responding fire fighters took place in an acrylamide transfer line near where they were standing. There should not have been a significant amount of acrylamide in that line, but it was full and that was also probably a result of the cyber attack on the facility. As the line was heated by the nearby fires, the acrylamide started to polymerize and the combined heat from the fire caused the water in the acrylamide to turn to steam and rupture the line. All three fire fighters were expected to recover.

In a separate announcement earlier in the day, Issac B Kaghun, a spokesman for Blew Bayou Chemical, reported that it would be months before the company could resume shipment of acrylic acid from the facility. As a result, the company was declaring force majeure on their acrylic acid contracts. In light of today’s announcement by the FBI and Blew Bayou’s earlier lawsuit against Parish Chemical, there may be objections to that claim.

In related news, Tianjin Chemical’s American subsidiary, China Water Treatment, announced that it currently had a surplus of acrylic acid in its terminal in New Orleans and was looking to take on new customers. Kaghun reportedly had unprintable comments about the offer at the end of today’s news conference, noting that Tianjin was a disreputable supplier with numerous quality control issues. He did acknowledge that even before last week’s incident, the domestic acrylic acid supply in this country was tight.

CAUTIONARY NOTE: This is a future news story –

Friday, December 27, 2019

Multiple Chemical Company Systems Hacked


The Cybersecurity Agency (CSA) announced today that it had discovered an advanced persistent attack targeted at chemical manufacturing facilities in the United States. Ida Long explained that at least fourteen chemical facilities from three separate companies have had their corporate computer systems and chemical control systems compromised in the last couple of months. The attacks have been accomplished by a new cyber attack group being called ChemStat by the CSA. ChemStat may be associated with the Chinese government, according to Long.

Long reported that the CSA had been monitoring email systems for a large number of chemical facilities for the last six months. The attacks had started as targeted phishing attacks with emails being sent to control systems engineers and technicians at twenty different chemical facilities that CSA had been monitoring. The emails were purportedly from control system suppliers announcing new control system software and upgrades that were available.

Links in the emails took people who clicked on them to look-alike web sites where sophisticated software compromised the systems of those visiting the site. The attackers then used those compromised machines to pivot into both the corporate IT network and the facility’s control system networks.

When asked if the companies involved knew that CSA was monitoring their email systems, Long responded that since the monitoring was not being done from corporate resources, CSA was not required to inform the companies that their systems were under surveillance. CSA was operating these monitoring efforts as part of a congressional mandate to be more proactive in defending critical infrastructure systems from nation-state attacks. Long assured reporters that CSA was not reading all of the emails, just those that appeared to contain phishing attacks.

Long would not confirm what other critical infrastructure sectors were being monitored in the same way.

Immanuel C. Securitage confirmed that ECS-CERT was the lead agency looking at the control system infiltration at the affected plants. He noted that the longest any system had been affected was 30 days and that ECS-CERT had not found any indications that anything beyond data exfiltration had been done on those systems.

Securitage did note that once ECS-CERT had become involved in the process, they immediately notified the affected facilities that they had had their control systems compromised and worked with them to identify the limits of that compromise and restore all systems to their prior condition.

He did explain that his group was not allowed to tell the affected facilities how they had become aware of the control system compromise. ECS-CERT had not become aware until today’s press conference that the IT systems at the companies had also been compromised.

CAUTIONARY NOTE: This is a future news story –