Thursday, August 19, 2010
Thanks to the folks at Putnam.net I was able to download a copy of a Honeywell white paper on implementing control system recommendations from the Buncefield investigation. That investigation was conducted by UK safety authorities in the wake of the massive fuel-air explosion in 2005 at the Buncefield fuel storage facility. The vapor cloud that formed the source of the explosion resulted from overfilling a storage tank. There were two interesting things in this white paper. First there is a brief discussion about a number of similar incidents that belies the claims of the fuel industry that these tank farms are not potential terrorist targets (or more accurately shouldn’t be regulated as potential terrorist targets) because of the difficulty in forming the requisite vapor cloud. Second there is a lengthy discussion of the requirements for designing a safety system that would prevent the accidental overfilling of these storage tanks. History of Vapor Cloud Explosions The white paper states that: “Records show that overfilled or leaking petroleum tanks have been cited as the cause of an industrial accident almost every five years since the early 1960s.” (pg 4) It then goes on to list seven vapor cloud explosions in that period (and it doesn’t include the more recent incident in Puerto Rico). To be fair there are a number of factors that are a pre-requisite to the formation of a gasoline vapor cloud. There has to be some measure of ‘congestion’ which serves to prevent natural dispersion of the vapor cloud. There must be low to no wind at the site that would disperse the vapor cloud. There must, of course, be a very large leak of fuel that provides a large enough surface area to provide the vapor cloud. And finally there must be a source of ignition. Any reasonable assessment of the risk of potential terrorist attack would see that only the first of these pre-requisites is an inherent factor at a given fuel facility. The others are factors that are either potentially at the control of terrorists or form a timing issue for a particular attack. Requiring fuel facilities to submit a Top Screen and having DHS evaluate the ‘congestion’ at the site and then evaluating the potential effects of a potential vapor cloud explosion would allow for a reasonable determination of whether or not a particular fuel depot was at high-risk of terrorist attack. Preventing the Overfilling of Fuel Storage Tanks As one would expect, the bulk of the Honeywell white paper looks at the control system requirements for the prevention of overfilling fuel tanks. There is an extensive discussion about the separation of safety systems from control systems and the importance of redundant detection methods to assure the reliability of the safety systems. As far at that goes this looks to be a very reasonable and useful discussion. I do have to take objection to the fact that there is no discussion about protecting either control systems or more importantly safety systems from attack. There is a nice description of the importance of PLCs in automated safety systems, but there is no mention of the recently released warning about the vulnerability of a popular PLC programming language. Since there is not a date on this white paper, I assume that it predates the warning. Even so, the reliability of safety systems is of even greater importance than the reliability of industrial control systems. After all, the safety systems backstop the control system and should prevent a control system compromise from initiating a catastrophic event. In today’s cyber security environment the failure to even mention the need to isolate safety systems from any outside communications is extremely negligent and does a severe disservice to the control system community. Major control system vendors need to be leaders in the field of cyber security. They have a major responsibility to educate their customers about the emerging threats to control systems and advocate for the routine application of security measures to those systems. I understand that the security add-ons take money to develop. Companies cannot afford to undertake those added costs unless the customers are willing to pay the price. But, no one, certainly not customers, should know more about cyber security issues than the developers and vendors. There needs to be a routine, clear and continuous communication from the control system suppliers about the threats to control systems and the ways to mitigate the resultant risks.