Freeport said its preliminary determination of the June 8, 2022 explosion was that one of the facility's LNG transfer lines was over pressurized and ruptured, which caused a "rapid flashing of LNG and the release and ignition of the natural gas vapor cloud." The description of the accident, attributed in part to “overpressure,” offers similarities to an earlier incident at the site. In August 2019, Freeport personnel were opening the first production line, or “train.” According to EENews, the Pipeline and Hazardous Materials Safety Administration (PHMSA) officials say a pipe failed because the supercooled liquid was being forced, at 917 pounds per square inch, through a pipe designed to handle no more than 90 pounds per square inch. Further investigation revealed the pipe was flawed and possibly not fit to handle the cryogenic temperatures of LNG. In an enforcement report, agency officials said there were hundreds of feet of such pipe in the facility. That was one of two incidents that month.
June 21, 2022, Tom Rogan of the Washington Examiner wrote an article: “Did Russian hackers blow up a Texas LNG pipeline on June 8?” He described the Russian cyberattack of the Triconix safety systems in Saudi Arabia (Triton). It is not known what safety systems were used at the Freeport LNG facility though it would not be surprising if they also used Triconix as it is one of the most common safety systems. However, this is neither just a Freeport LNG or Triconix issue. Previously, a “sensor system malfunction” caused a shutdown of a different LNG terminal. Furthermore, I attended the Triton presentation at the April 2018 ICSJWG meeting in Albuquerque. Coincidently, I was scheduled to give a presentation on the lack of cyber insecurity of the sensors and added to my prepared presentation how compromising the sensors could have avoided the issues that caused the Russian Triton cyberattack to be unsuccessful.
As the final chapter has not been written on the Freeport LNG explosion, this blog is written as a detective story. That is, presenting motive, means, and opportunity for this to have been done maliciously.
There are several cyber-related issues that could have led to the Freeport LNG overpressure event (and interfered with its safe relief). They include:
- Process sensor (pressure transmitter) issues – incorrect readings or safety setpoints
- Controller issues – controllers didn’t actuate safety systems
- Final element (valve) issues – Valves didn’t open in a timely manner
Such failures could have been either accidental or the result of sabotage.
Motive
In mid-February 2022, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc. The attacks targeted companies involved with the production of LNG and were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity Inc., which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine on February 24th, when energy markets were already roiled by tight supplies. (https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine)
The Freeport LNG plant on Quintana Island, Texas can produce around 2 billion cubic feet per day of LNG. That comprises more than 15% of U.S. LNG export capacity. Freeport LNG said it doesn’t expect to be fully operational again until “late 2022” following the June 8 explosion, worsening the outlook for European buyers seeking to replace Russian energy imports.
Means
The Russians have a long history of cyberattacks against critical infrastructure in multiple countries including the US. In 2011, the Russians attempted to take over a small US water plant damaging a motor in the process. In 2013, Russia unleashed Havex (Havex is a Russian-made remote access trojan used in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors primarily in the United States and Europe). In 2014, Russia unleashed Black Energy2 in the US electric grid (BlackEnergy 2 is malware targeting GE Cimplicity HMI, Siemens WinCC and Advantech/Broadwin deployments). Additionally, the Russians did a process sensor hacking demonstration (a project known as Corsair) at the 2016 ICS Cyber Security Conference. In 2017, the Russians attempted to take control of the Triconex safety systems in a petrochemical plant in Saudi Arabia to cause it to blow up (the Triton/Trisys incident). And between 2020 and 2022, Russian ransomware has run rampant affecting industrial operations as well as IT systems.
Learning from another overpressure event
Stuxnet, the disabling cyberattack against Iranian uranium refinement centrifuges, discovered in 2010, was not a Russian operation. But it held lessons for those who might wish to attack critical infrastructure. Stuxnet compromised pressure sensor data to cause the overpressure event and prevent pressure relief to damage the centrifuges. According to Ralph Langner’s “To Kill a Centrifuge”, legitimate code executed but received fake input values, and any output (actuator) manipulations of legitimate control logic would no longer have any effect. The malicious process caused pressure to rise continuously. Pressure sensors errors are corrected by calibration. If the calibration is overwritten by malicious code on the controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as normal pressure no matter how high or low their analog values are. The pressure controller acted accordingly even though the pressure kept rising. Other sensors were compromised because they would have shown critical high or low pressure readings, automatically closing valves and triggering alarms. It can be assumed that the Russians are aware of Stuxnet.
Opportunity:
In 2017, the International Society of Automation (ISA) formed a special working group in ISA99 (Industrial Automation and Control System Cyber Security) to determine if legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusions were that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the ISA 62443-4-2 component specification’s individual security requirements to legacy (what is being built today as well those already installed in the field) process sensors. Consequently, in early 2021, the ISA84.09 working group selected as the use case was a state-of-the-art digital safety pressure transmitters in an LNG facility. The study found that 69 of the 138 individual cyber security requirements in ISA 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer.
December 2021, Ankit Suthar noted: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument. (HART - Highway Addressable Remote Transducer- is a hybrid analog and digital industrial automation open protocol. Wired HART communicates over legacy 4–20 mA analog instrumentation current loops using 1200 Baud modems. These controls lacked basic network protection features. There were no passwords, for these systems even by default. You simply plug in your HART communicator and change whatever you want.” https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/
Process sensor and actuator device calibrations or other maintenance activities utilize maintenance devices with no cyber security, yet these devices have direct connections to the Internet. These and other unsecured access points can be entry points into the control and safety equipment used in the Freeport LNG facility. Unfortunately, there is little cyber forensics at this level.
Conclusions
The Freeport LNG explosion could have simply been the result of unintentional system or personnel problems. Freeport LNG did not have a stellar safety record. But this wasn’t the only LNG facility to have a control system-related event. The explosion could have also been the result of malicious cyber-related issues as sophisticated attackers can make cyberattacks look like equipment malfunctions. Stuxnet did just that.
All too often, chemical plant (and other plant) piping failures are investigated by people who are expert in piping failures, but not with people who are experts in instrumentation, control systems, automation, or control system cyber security.
CISA and DOE continue sending out warnings about potential Russian cyberattacks on critical infrastructure. Maybe the Russians are already here – with the June Freeport LNG explosion, the February 21, 2022, Marathon refinery explosion (the same day the US imposed sanctions on Russia), 34 food process plant fires since 4/30/21, and loss of view or control for more than 30 minutes of 150 control center SCADA systems since 2018. DOE and CISA - you can’t find what you’re not looking for.
Joe Weiss
