Tuesday, April 5, 2011

Cyber Safety Systems and Storage Tanks

Last week I wrote a posting on cyber security issues for storage tanks that generated an interesting discussion on Twitter® (stuxnet420, tmdheard, and SCADAhacker). That conversation dealt with an issue that I did not address in the earlier blog: the use of cyber safety systems with storage tanks.

Cyber Safety Systems

Generally speaking, a cyber safety system is a computer system that executes pre-defined actions to prevent catastrophic consequences from process upsets. Developed in response to a HAZOP review, the system includes sensors that detect the process upset and controls that are, in turn, operated by the system. Ideally, it is a stand-alone, high-reliability system that uses sensors and controls separate from those of the control system that operates the process. These systems are generally separate from other emergency systems such as fire suppression systems and pressure relief devices.

For example, a HAZOP might determine that when a process reaches a certain temperature, a chemical reaction begins that cannot be stopped and that would be expected to generate temperatures and pressures resulting in a catastrophic failure (ChemEngineering speak for a pressure explosion) of the process vessel. To prevent that from occurring, the safety system would take actions to keep that temperature from being reached. For example, at some pre-set lower temperature the heating to the vessel would automatically be turned off, and at some slightly higher temperature cooling would automatically be started. At a yet higher temperature some chemical might be added to the process to prevent the runaway reaction from proceeding.

Beyond perhaps being turned on at the start of a particular process, a cyber safety system operates independently of human operators. In fact, once the system is turned on, the operator is not typically able to affect the operation of the safety system. Someone in management or engineering may be able to interrupt the system, but there would typically be administrative controls in place to limit that ability.

Storage Tanks

One of the reasons that I didn’t include these safety systems in my discussion of cyber vulnerabilities of storage tanks is that none of the HAZOPs that I participated in during my twelve years in industrial process chemistry determined a need for such a system. Basically, we did not have chemicals stored on site that could cause catastrophic failure of their storage tanks. That explains my blind spot.

In my discussion about cyber attacks manipulating measurement device outputs I mentioned temperature controls and I noted that:

“In some chemicals, however, the temperature is monitored for safety reasons; too high a temperature and chemical reactions start that can lead to uncontrollable chemical reactions that could produce toxic gasses or overpressure situations that could explosively destroy the storage tank.”

In this situation there should be a safety system in place to prevent the contents of the storage tank from reaching that critical temperature. This could be an old-fashioned, hard-wired system that does not require a cyber component, or it could be a cyber safety system.

None of the other attack vectors that I described in that blog post would typically involve a safety system.

Common Platform Problems

The other issue that was covered in the Twitter discussion was the use of the ICS platform for the cyber safety system. I noted that many facilities have taken to using parts of the ICS for the safety system. This could mean using the same computer or software for both the ICS and the safety system, using the same sensors or controls, or all of the above. Typically the reason that this is done is to save money: the cost of the extra equipment or software, or the cost of programming or maintaining that extra system.

Part of the safety justification for combining the two systems is that putting them together allows the programmer to prevent the two systems from working at cross purposes in a critical situation. In other words, the safety programming can override the control system in both the physical and cyber realms. In addition, the increased reliability of modern control systems mitigates the old system-failure argument for a separate system.

Still, from a security perspective, putting both of the systems, control and safety, on the same platform makes it easier for a cyber attacker to successfully cause catastrophic failure of a storage tank or other chemical system. Ideally, a safety system should be totally separate from the control system and air-gapped from every other form of access to the system. This won’t provide a 100% guarantee of preventing an attack, since there is still the possibility of an insider attack, but it will reduce the probability of a successful attack substantially.
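As an added illustration (not the post's own code, nor any real safety-system product): a Python toy model of the layered temperature response described under Cyber Safety Systems, run with the safety logic either on its own sensor and platform or sharing a manipulated control-system reading, as in the common-platform discussion above. All thresholds, the 50 C "normal" spoofed value and the tank dynamics are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed thresholds in deg C; the post gives no numbers. Each layer is a
# pre-defined action taken at a progressively higher temperature.
HEAT_OFF_C = 60.0    # first layer: stop heating the tank
COOL_ON_C = 65.0     # second layer: start cooling
INHIBIT_C = 70.0     # third layer: dose an inhibitor chemical
RUNAWAY_C = 80.0     # HAZOP critical temperature: reaction cannot be stopped

@dataclass
class SafetyCommand:
    heating_permitted: bool = True
    cooling: bool = False
    inhibitor: bool = False

def safety_logic(temp_c: float) -> SafetyCommand:
    """Layered safety function: actions accumulate as temperature rises."""
    cmd = SafetyCommand()
    if temp_c >= HEAT_OFF_C:
        cmd.heating_permitted = False
    if temp_c >= COOL_ON_C:
        cmd.cooling = True
    if temp_c >= INHIBIT_C:
        cmd.inhibitor = True
    return cmd

def simulate(spoofed_control_sensor: bool, shared_platform: bool) -> float:
    """Toy tank model (constructed): the control loop heats +6 C per step
    while its reading is below HEAT_OFF_C; cooling removes 2 C per step.
    A spoofed control sensor always reports a 'normal' 50 C. On a shared
    platform the safety logic sees that same spoofed value; on a separate
    platform it reads its own independent sensor. Returns the peak
    temperature reached, stopping once the runaway point is crossed."""
    temp = 50.0
    peak = temp
    for _ in range(40):
        control_reading = 50.0 if spoofed_control_sensor else temp
        safety_reading = control_reading if shared_platform else temp
        cmd = safety_logic(safety_reading)
        # the safety system overrides the control loop: heat only if both agree
        if cmd.heating_permitted and control_reading < HEAT_OFF_C:
            temp += 6.0
        if cmd.cooling:
            temp -= 2.0
        peak = max(peak, temp)
        if temp >= RUNAWAY_C:
            break
    return peak
```

With an independent sensor the safety layer holds the tank at 62 C even when the control system's reading is spoofed; on a shared platform the same spoof blinds both systems and the model reaches the runaway temperature.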
