Iran Oil Industry Fires, Blasts Raise Suspicions of Hacking
Iran officially insists the six known blazes over the span of three months weren't the result of a cyberattack. However, the government acknowledgment of supposedly protected facilities being infected points to the possibility of a concerted effort to target Iranian infrastructure in the years after the Stuxnet virus disrupted thousands of centrifuges at a uranium enrichment facility.
Among the worst of the fires was a massive, days-long inferno in July at the Bou Ali Sina Petrochemical Complex in Iran's southwestern province of Khuzestan. Insurance officials later estimated the damage at some $67 million. Authorities preliminarily blamed the blaze on a leak of paraxylene, a flammable hydrocarbon, without elaborating.
Other recent blazes include:
-- A July 29 fire at a storage tank at the Bistoon Petrochemical Complex in Iran's western province of Kermanshah that authorities blamed on an electrical fault;
-- An Aug. 6 gas pipeline explosion in the port city of Genaveh that killed one person and injured three;
-- An Aug. 7 fire at a storage area of the Bandar Imam Khomeini Petrochemical Complex that burned for two days;
-- An Aug. 30 inferno that erupted in a sewage unit at Iran's South Pars gas field; and
-- A Sept. 14 gas leak and fire at the Mobin Petrochemical Factory that services the South Pars gas field that injured four workers.
Initially, Brig. Gen. Gholam Reza Jalali, who heads an Iranian military unit in charge of combatting cybersabotage, dismissed any notion that the fires could have been caused by hacking. Iran's aging oil pipelines and plants, hit hard by years of Western sanctions, have seen a rapid push to increase production this year to take advantage of the nuclear deal with world powers. Iran also faces occasional separatist attacks on its pipelines.
But on Aug. 27, Jalali acknowledged Iran's petrochemical industry had been the target of cyberattacks. He put the blame on imported and installed components at the facilities.
"The viruses had contaminated petrochemical complexes," he said, according to a report by the state-run IRNA news agency. "Irregular commands by a virus may cause danger."
But despite the infections, Jalali said cyberattacks had no hand in the fires and explosions. He also said "defensive measures are underway," without elaborating.
Beyond Jalali's vague comments, what actually infected the plants remains unclear.
It's unknown if Iran, which has boosted its own cyberwarfare and defense capabilities in recent years, has sought outside assistance in its investigation. The Russian antivirus firm Kaspersky Lab, whose analysts were among the first to investigate Stuxnet, said it wasn't involved in investigating this outbreak and declined to comment.
However, Jalali's comments that the viruses spread through imported parts suggests a concerted effort by a foreign power. Iran likely relied on black-market parts while the country faced international sanctions, said Robin Mills, a Dubai-based oil industry analyst and CEO of Qamar Energy.
"Maybe they couldn't always get the high-quality parts coming from countries who are sanctioning it and had to get second-hand parts or parts not of the right specifications and put these pieces together without a lot of international expertise," Mill said. "In that case, of course, accidents can happen."
But the number of fires in row has raised suspicions of Iran being targeted.
Such an attack "requires a lot of resources" that individual hackers would not have, said Idan Udi Edry, a former Israeli air force captain who now is the CEO of Nation-E, a cybersecurity firm specializing in protecting industrial systems.
Asked if the Iranian blazes were the result of hacking, Edry said he was "100-percent" sure, based on his own company's experience and surveillance.
"No company, organization or nation in the world would like to admit they've been hacked," he said. "This specific attack was exact the same one (like Stuxnet), only on a different critical infrastructure area."
However, Ralph Langner, another industry expert who studied the Stuxnet virus, said it seemed "unlikely" the fires were caused by cyberattacks, though his firm hasn't investigated.
Stuxnet, widely believed to be an American and Israeli creation, infected thousands of centrifuges at the Natanz uranium enrichment plant at the height of Western fears over Iran's nuclear program. The virus targeted the machines through the industrial control systems that set their speeds, causing them to spin out of control and destroy themselves.
Such control devices, used for years in fields ranging from utility companies to the oil industry, are especially susceptible to hackers. That's because they weren't initially envisioned to be connected to the internet and that most security attention focuses on consumer products such as email and laptops.
While the Stuxnet virus was the most famous hack to exploit them, there have been others that caused real-world destruction. German authorities say a steel mill sustained massive damage to its blast furnace in 2014 after hackers took control of its industrial control systems, though details on the incident remain few.
Iranian hackers also allegedly penetrated the controls of a small dam less than 30 kilometers (20 miles) away from New York City. That dam's system, however, was connected directly to the internet, while the Iranian oil industry is believed to be "air-gapped" -- or not connected directly to the web.
Meanwhile, hackers of all kinds appear to be increasingly targeting industrial control systems. In the U.S. alone, a Homeland Security center tasked with handling such attacks reported it responded to 295 incidents in 2015, up from 245 the year before.
"Cyberattacks are no longer how to steal information," Edry said. "These are attacks that are meant to shut down a country."