Monday, November 15, 2021

Server Crash Due to Building Control Hack

Yesterday’s Baton Rouge refinery shutdown was ultimately due to an attack on a building control system, according to reports this morning by Dragonfire Cyber. The Ravard Refinery was shut down Sunday by three crashing servers supporting the facility control systems. Kate Libby from Dragonfire reports that those servers failed due to overheating when attackers took over control of the server room cooling system.

“Attackers changed the PLC programming for the HVAC system,” Libby told reporters this morning; “They changed room temperature set points and bypassed the temperature reporting process so that only expected temperatures were reported to the facility control room.”

Reportedly, no vulnerabilities in the PLC were involved in the attack. Access to the Robotron GS Building Control System (BCS) provided the necessary authorization to access the PLC and change its programming. “This should require physical access to the GS BCS controls in the server room,” Libby explained; “But someone had set up port forwarding on the system firewall enabling remote access to Port 3671 on the BCS. No authentication is required when accessing the system through that port.”

A technician working with Dragonfire who is not authorized to talk to reporters told me that it looked like an integrator had set up the port forwarding to provide remote access for maintenance support of the building control system. Maintenance of the HVAC system and its associated controls is handled by a local vendor, not the refinery staff.

The Federal Bureau of Inquiry is investigating the attack on the refinery. “There is no indication that this was a terrorist attack,” FBI spokesman Johnathan Quest told reporters; “We are currently looking at the possibility that this was an economic attack.”

The refinery recently switched over their production mix to produce #2 fuel oil. This household heating fuel is shipped to the northeastern United States via pipeline. Heating oil stocks in New England are at historic lows for this time of year and the Ravard Refinery is a prime supplier into that market. It will take at least two weeks for the refinery to restart because of minor equipment damage sustained in the emergency shutdown. This will lead to shortages in heating oil supply as people are trying to fill their tanks for the coming winter season.

CAUTIONARY NOTE: This is a future news story –

Sunday, November 14, 2021

Multiple Server Failures Shut Down Refinery

The Rafael Ravard Refinery outside of Baton Rouge, LA went into an emergency shutdown early this morning. According to Cesar Chavez, spokesperson for the refinery, the shutdown was caused by multiple servers in the process control system crashing at nearly the same time. “Automatic backups did not come online,” Chavez reported; “But local safety systems throughout the plant did allow for a safe shutdown.”

There were local reports of people observing widespread flaring throughout the refinery during the shutdown. “Flaring is a normal occurrence in safety shutdowns,” Chavez explained.

Dragonfire Cyber has a team on site. Kate Libby, a spokesperson for Dragonfire, said: “We are working with the Ravard Refinery to determine the cause of the shutdown. We have no news at this time beyond being able to report that three Robotron servers at the facility all shut down. This was the proximate cause of the facility shutting down.”

A technician working with Dragonfire who is not authorized to talk to reporters told me that the server room had apparently overheated. “This was probably the reason that the three initial servers crashed,” she said; “Two other servers crashed shortly after our team arrived on site.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, November 9, 2021

Semiconductor Designs Compromised

Robotron announced today that it has received reports of attacks on customers using the Robotron RoboHD semiconductor design software. The Robotron press release notes that one customer has reported a chip design compromise as a result of an attack by the AngryHD malware. Robotron is cooperating with national computer security agencies around the world on an ongoing investigation into the attacks.

Gen. Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning that the CI-SOC was working with Robotron on the investigation. “We know of one instance in the US where a chip design was compromised,” Turgidson reported, “The design flaw was found before the chip went into production, so no hardware has been compromised that we know of.”

Kate Libby of Dragonfire Cyber explained on background this morning that the Robotron Kern real-time operating system (RTOS), acquired in the recent buyout of Beratergrafik, has been found to contain a number of vulnerabilities that could be remotely exploited to compromise products like RoboHD. “We have seen similar vulnerabilities in a large number of RTOS in recent years,” she explained; “So the problems in Kern are not unusual, unfortunately.”

A technician working with CI-SOC who is not authorized to talk to reporters told me that the agency has a copy of the AngryHD malware. “This is definitely advanced stuff,” she said, “We are probably looking at a state sponsored attack here, not cyber criminals.”

Dragonfire Cyber has released indicators of compromise that will allow users of RoboHD to determine if their systems have been compromised by the AngryHD malware. Dade Murphy, chief technical officer of Dragonfire, told reporters that they were working with Robotron to develop methods of blocking such attacks while Robotron was continuing to work on an update for the Kern RTOS and RoboHD products.

CAUTIONARY NOTE: This is a future news story –

Monday, November 1, 2021

Holey Condom Attack

This morning Robotron announced that new versions of sixteen different programs released in the last 60 days all have backdoor access due to a recent exploit of a vulnerability in their proprietary compiler. Customers who have received those new program versions via the automatic update process have been contacted. Robotron has provided firewall rules to block that access pending development of new code. Robotron reports that they have not received reports of any exploits of the backdoor vulnerability.

Kate Libby, a security analyst with Dragonfire Cyber, explains that: “This sounds like an exploit of the recently disclosed Trojan Source compiler vulnerability. The crafter of this attack needs access to source code used in program development, but this could be from code libraries used in the modern programming environment.”

Eric Mielke, spokesperson for Robotron, confirmed that the vulnerability arose from using a particular piece of code from a commonly used source. “We are working with the outside developer to determine how their library code had become compromised,” Mielke explained; “We expect that the developer will disclose the vulnerability within the coming week when the corrected code is released.”
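A defensive check for the Trojan Source technique Libby refers to above, added here as an example and not code from Robotron, Dragonfire or the vendor in the story: it scans source text for the Unicode bidirectional control characters that technique relies on to make displayed code differ from what the compiler parses. The sample snippet and function names are constructed for illustration.

```python
"""Scan source text for Unicode bidirectional control characters (Trojan Source)."""
import unicodedata

# Bidi controls that reorder how text is displayed without changing how the
# compiler tokenizes it. U+202A-U+202E are the legacy embeddings/overrides,
# U+2066-U+2069 are the isolates.
BIDI_CONTROLS = (frozenset(chr(c) for c in range(0x202A, 0x202F))
                 | frozenset(chr(c) for c in range(0x2066, 0x206A)))


def find_bidi_controls(source: str):
    """Return (line_no, col_no, unicode_name) for every bidi control found."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col_no, unicodedata.name(ch)))
    return hits


def is_trojan_source_candidate(source: str) -> bool:
    """Any raw bidi control in source code warrants review: code that must
    handle right-to-left text should carry such characters as escape
    sequences, not as raw code points a reviewer cannot see."""
    return bool(find_bidi_controls(source))


# Constructed sample (not from any real project). Rendered, the second line
# looks like a string compare followed by a harmless comment; to the parser,
# the RLO (U+202E) and isolates put the comment text inside the string literal.
SAMPLE_SUSPECT = (
    "def check(access_level):\n"
    "    if access_level != \"user\u202e \u2066# Check if admin\u2069 \u2066\":\n"
    "        return True\n"
)
SAMPLE_CLEAN = (
    "def check(access_level):\n"
    "    if access_level != \"user\":\n"
    "        return True\n"
)

if __name__ == "__main__":
    for line_no, col_no, name in find_bidi_controls(SAMPLE_SUSPECT):
        print(f"line {line_no} col {col_no}: {name}")
    print("clean sample flagged:", is_trojan_source_candidate(SAMPLE_CLEAN))
```

Run against a checkout before merging library code; any hit is a file to inspect by hand, since the scanner reports presence, not intent.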

Libby reported that Dragonfire has determined that the backdoor found in the new Robotron code uses Port 727. “That port is not used for other Robotron processes,” Libby explained; “We have told all of our clients to specifically ensure that that Port is blocked in all of their firewalls protecting Robotron devices.”

Gen. Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that the CI-SOC is aware of the Port 727 backdoor in the Robotron devices. “We have contacted all of our supported organizations about the vulnerability,” Turgidson explained; “We are actively monitoring communications via that Port. We will be able to detect ‘phone home’ communications via that backdoor and will quickly isolate any command-and-control system utilizing this vulnerability.”

A source at CI-SOC who is not authorized to speak to the press confirmed to me that there is a very strong possibility that other software from other vendors could be affected by this particular vulnerability, which CI-SOC is internally tracking as ‘Holey Condom’. “Most compilers using the same source code would establish the same backdoor,” she explained.

CAUTIONARY NOTE: This is a future news story –