This blog post is a response to a recently published article that implied a link between the June 8th explosion at the Freeport LNG plant and Russian threat actors. The author attempted to connect non-existent dots between Triton malware, which has been associated with the Russia-linked APT group “XENOTIME”, and the Freeport incident.
What was the Freeport Explosion?
I’ve researched the available information about the Freeport explosion, and based on the current evidence, the incident appears to have been most likely caused by operator error and not the elite Russia-linked APT group. The reality is that 90% of incidents discovered in the Industrial Control System (ICS) environment are related to human error.
What caused the Freeport Explosion?
The timing of this particular event is a key clue in this case. The company was less than two months out of a turnaround in which Liquefaction Train 1 was under scheduled maintenance and the remaining Trains 2 and 3 were both tripped by a power interruption while operating. Prior to the post-turnaround start-up, the system is required to be pressurized and vented for purging. According to the industry guideline, the American Gas Association’s Purging Principles and Practice, “The safe procedure is to pressurize the system with nitrogen or carbon dioxide to a pressure that will assure achievement of the end-point and then allow the system to stand for a while to assure mixing before blowing the system down.”
If this safety procedure is skipped or otherwise not completed, it is possible for operations to pressure up a line that hasn’t been fully purged and cause a detonation by internal auto-ignition of a gas-air mixture. There is good reason to think that this is what happened at Freeport and caused the explosion. Here is an excerpt from Freeport LNG’s official news release:
"The incident occurred in pipe racks that support the transfer of LNG from the facility’s LNG storage tank area to the terminal’s dock facilities located on the intracoastal (i.e., north) side of Freeport LNG’s dock basin. None of the liquefaction trains, LNG storage tanks, dock facilities, or LNG process areas were impacted. In coordination with local, state and federal officials, Freeport LNG’s investigation into the cause of the incident, and what steps are necessary to safely resume liquefaction operations, is underway. Preliminary observations suggest that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud. Additional investigation is underway to determine the underlying precipitating events that enabled the overpressure conditions in the LNG piping."
An additional piece of evidence is this recent job posting on Freeport’s website.
Had the incident been a cyber attack on their ICS systems, I believe the job postings for a Reliability Engineer and weeks later for a Sr. Process Engineer would have been quite different. This leads me to believe that this was operator error and not a shadow group bent on causing chaos in the OT systems of the LNG industry in North America.
How to Prevent Incidents Like the Freeport Explosion Using SCADAfence
I have worked at many facilities, plants, and refineries in my career, and I have been present for numerous security and operational incidents. One memorable one happened during the startup of a sulfur plant post-turnaround. The operations staff were having issues pumping liquid sulfur to the blocking plant. They heated up the beds to roughly 600°F (315°C) and started to pump sulfur through the pipe. However, because the sulfur line had been improperly purged and because of the chemistry of sulfur when it cools, a giant blockage formed in the line. This caused the line to pop holes throughout the system, streaming molten hot sulfur into the forest. Once sulfur hits air it rapidly cools and hardens, which in this case created a dangerous yellow winter wonderland in the woods.
For the many companies promising protection from cyber attacks and breaches by threat actors, it is easy to engage in this sort of “ambulance chasing” in the hope that creating fear, uncertainty, and doubt will ultimately drive product sales. I am of the opinion that a company selling OT security assessment products would do better to stand behind experience, knowledge, and research to show the value of their tools.
Organizations in critical infrastructure, manufacturing, and other industrial sectors that are heavily OT-dependent absolutely must be concerned about OT cyber security, but this concern must be coupled with process optimization, engineering excellence, and well-trained personnel to ensure true safety.
To learn more about how the SCADAfence Platform can protect your OT network, request a demo today.