SIS Firewall

I got an interesting email from Eric Byres, CTO of Byres Security Inc, last week about their recent release of a ‘Modbus Read-only Firewall for Safety Systems’. According to Eric this Tofino based ‘Honeywell Modbus Read-only Firewall (HMRF)’ has been tested to work on many major brands of safety integrated systems (SIS).

Now I am not anywhere near technically qualified enough to evaluate the claims that Eric is making for this new security tool. And no one in their right mind would make a purchase of any kind of cybersecurity tool based solely upon my recommendation. So, why am I mentioning this here? Well, it allows me to talk about two things that I have previously only mentioned in passing, first safety integrated systems and second the use safety systems as a security tool.

Safety Integrated Systems

In case anyone has not noticed, chemicals are potentially dangerous. Some of them can kill directly through their toxic effects on the human body. Others will burst into flames with only minor provocation and yet others will explode if not handled properly. These chemical properties make many of them extremely dangerous and potential terrorist targets for release, theft, or sabotage.

What professionals in the chemical process industry don’t talk about too much in public is the fact that the manufacturing processes for a completely different array of frequently innocuous chemicals may pose a threat of a different sort of chemical catastrophe. There are a variety of different ways that mistakes in the chemical manufacturing process can turn the facility into a very large bomb.

Now these are not bombs in the military sense, but rather something that goes wrong in the process that produces a sudden large increase in pressure in a closed system that causes a catastrophic failure in the equipment. While this is not technically an explosion (I prefer the term over-pressure event), the consequences are very similar; a shock wave that can cause extensive damage over a wide area and bits of flying metal that can kill people and damage nearby equipment. Resulting fires may or may not be associated with this type of incident.

For an example of this type of event and its deadly consequences read my blog post describing the December 19th, 2007 T2 Laboratories explosion in Jacksonville, FL or the more detailed report on the causes of that incident by the Chemical Safety Board. That incident killed four employees, injured 28 people in surrounding businesses and threw large pieces of metal over a mile away from the scene.

One of the ways that chemical process professionals prevent this kind of situation is through the use of a Safety Integrated System (SIS). In its purest application, a SIS is essentially a stand-alone industrial control system. It is fully automatic, watching a manufacturing process for certain clearly defined parameters of measured temperature and pressure. When specified limits are exceeded the system automatically takes pre-programmed steps to make the process safe; all of this takes place without (and often in spite of) operator oversight or control.

The sensors it monitors and the controls that it manipulates are completely separate from the ones used by the normal process control system. There are multiple redundancies designed into the system and the components are the typically the most reliable (read expensive), failure free components available.

Now, don’t get me wrong. Chemical processes designers include a number of other controls to prevent such process catastrophes. You design equipment to withstand normal process pressures and temperatures and you provide reasonable pressure relief systems. You have operators and process control systems working hard to keep manufacturing processes within their optimum limits. That’s the only way you can make money in chemical manufacturing.

But, stuff happens. People make mistakes or deliberately try to damage processes, equipment fails, or utilities are disrupted. In the end the SIS stands as the last line of defense to prevent the catastrophic destruction of a chemical manufacturing facility and preventing potential damage to the surrounding community.

But, what happens if the SIS is subverted? What happens if someone changes the parameters that initiate the protective response? What happens if the SIS is re-programmed to ignore the safety critical inputs? What happens if the SIS is re-programmed to cause a safety critical upset? That unauthorized re-programming is what Eric’s firewall is designed to prevent. How well it works; I just don’t know. You need to talk to Eric or his people about that.

Safety as Security

Safety programs and systems are an integral part of modern manufacturing processes. One would like to think that management would view these as a key component of operating a money making concern. Just in case that message has not gotten through, there are a number of federal, State and local safety laws that must be complied with to avoid fines and other sanctions.

For high-risk chemical facilities there are a number of specific chemical safety and process safety rules that may apply to a facility. Many of the systems put into place to comply with these rules should also be considered to be an integral part of the facility security program. OSHA and EPA process safety programs will help to prevent attackers from using chemical processes as weapons. Community right-to-know and hazard communications (HAZCOM) rules will ensure that emergency response personnel will understand the chemical hazards that they might be faced with in the event of a terrorist attack.

In my opinion a facility with an inadequate safety program cannot be a well secured facility. Poor safety programs allow for too many areas where even a well designed security program can be subverted or fail. Protecting your storage tanks from terrorist attack will do little good if a process vessel explodes because of a runaway reaction. Calling on local law enforcement to respond to a potential terrorist intrusion is useless if those responders are inadequately protected from the chemical hazards on-site.

Let’s face it; a terrorist attack on a high-risk chemical facility is a low probability event. In fact, if we just rely on historical extrapolation there is no risk of terrorist attack since there hasn’t been one to date. We do have a well documented history of chemical process accidents causing death and economic disruption. Any reasonable person would be more concerned about the potential for a process accident than a terrorist attack having an effect on the community around a chemical facility.