There are dozens of ways to overpressure a distillation column…

You can increase the heat input, drop out the cooling, flood the column with liquid, and on and on.  Yet well-designed distillation columns are almost never equipped with any safety instrumented functions that protect against overpressure, and are almost never over-pressured.  Given the ubiquitous use of distillation columns in the process industries and the plethora of causes of overpressure, one would expect more accidents to have occurred on these unit operations, and for them to be a higher-profile attack target.

There is a very simple reason why distillation columns have such a great safety record and are virtually impervious to cyber attack – mechanical safeguards.  Each distillation column, as per the ASME Boiler and Pressure Vessel Code, must be equipped with mechanical relief valves that are capable of venting any conceivable cause of overpressure – from blocked outlets to excessive heat input.  These safeguards are entirely mechanical in nature.  In their most basic design a spring holds down a disc.  When the force of the pressure in the vessel overcomes the force of the spring, the disc pops open, venting the contents of the vessel to a safe location.  This simple, reliable system is completely impervious to cyber attack.  As far as I know, no virus, worm, or Trojan horse application is capable of changing the physical properties of a spring…

Relief valves are only one example of a mechanical safeguard.  Others include mechanical overspeed trips on turbines and mechanical minimum stops on valves.  These safeguards cannot be compromised through cyber attack, and as such form an important tool in safeguarding a facility against cyber attack.  Of course, in order to apply this type of logic in the selection of safeguards and countermeasures, your cyber-security team must include members who are familiar with the processes and equipment under control of the ICS, which is extremely rare among the companies that provide consulting and design services for cyber security.

Consider using this best practice at your facility to enhance cyber-security.  After a PHA is performed at your facility, consider all of the high-consequence scenarios.  These scenarios are usually separated out for separate LOPA analysis.  Go through each scenario and determine whether the initiating event, or cause, of the scenario can be generated by a failure of the automatic control system (and could therefore be maliciously generated).  For each of these scenarios, review all of the safeguards (also called “independent protection layers (IPL)”) in the LOPA analysis.  For each scenario, at least one of the safeguards should be mechanical in nature, and not subject to cyber attack.  If no mechanical safeguard is present, consider recommending the addition of a mechanical safeguard or of other risk reduction measures (e.g., secondary containment) that can prevent or mitigate the hazard.
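The screening procedure above can be applied systematically to a LOPA scenario table. The following is an added example, not part of the original post and not a tool from any real PHA/LOPA software: it takes a list of scenarios, keeps only those whose initiating event could be produced by the control system, and flags any scenario whose IPLs are all cyber-exposed (BPCS logic, SIS functions, alarms, software interlocks) with no mechanical layer. The safeguard categories, scenario IDs and sample scenarios are constructed for illustration.

```python
"""Screen LOPA scenarios for at least one mechanical (cyber-immune) IPL.

Hypothetical example: the safeguard categories and the scenario table below
are constructed for illustration, not taken from any real facility's PHA/LOPA.
"""
from dataclasses import dataclass
from typing import List, Tuple

# IPL categories that run on, or are actuated through, the control system
# and are therefore within reach of a cyber attack (assumed categories).
CYBER_EXPOSED = {"bpcs_control", "sis_function", "operator_alarm", "software_interlock"}

# IPL categories that are purely mechanical: no software, no network path.
MECHANICAL = {"relief_valve", "rupture_disc", "mechanical_overspeed_trip",
              "mechanical_minimum_stop", "secondary_containment"}


@dataclass
class Safeguard:
    name: str
    kind: str  # must be a member of CYBER_EXPOSED or MECHANICAL


@dataclass
class Scenario:
    scenario_id: str
    description: str
    initiating_event: str
    ics_can_cause: bool  # True if a control-system failure could produce the initiating event
    safeguards: List[Safeguard]


def is_mechanical(sg: Safeguard) -> bool:
    """Classify one IPL; refuse to guess about kinds not in either category."""
    if sg.kind in MECHANICAL:
        return True
    if sg.kind in CYBER_EXPOSED:
        return False
    raise ValueError(f"unclassified safeguard kind: {sg.kind!r}")


def assess(scenario: Scenario) -> Tuple[bool, str]:
    """Return (gap, explanation). gap is True when the scenario can be initiated
    through the control system and no mechanical IPL protects against it."""
    if not scenario.ics_can_cause:
        return False, "initiating event cannot be produced by the control system"
    mechanical = [sg.name for sg in scenario.safeguards if is_mechanical(sg)]
    if mechanical:
        return False, "mechanical IPL present: " + ", ".join(mechanical)
    return True, ("all IPLs are cyber-exposed; recommend a mechanical safeguard "
                  "or another risk-reduction measure")


def screen(scenarios: List[Scenario]) -> List[Tuple[str, str]]:
    """Return (scenario_id, explanation) for every scenario that has a gap."""
    findings = []
    for s in scenarios:
        gap, why = assess(s)
        if gap:
            findings.append((s.scenario_id, why))
    return findings


# Constructed sample LOPA scenarios (illustrative values only).
SAMPLE_SCENARIOS = [
    Scenario("S-01", "Distillation column overpressure", "excess reboiler heat input",
             True, [Safeguard("High-pressure SIF", "sis_function"),
                    Safeguard("PSV-101 relief valve", "relief_valve")]),
    Scenario("S-02", "Turbine overspeed", "governor setpoint driven high",
             True, [Safeguard("Electronic overspeed trip", "sis_function"),
                    Safeguard("Overspeed alarm", "operator_alarm")]),
    Scenario("S-03", "Exchanger tube rupture", "mechanical failure of tube bundle",
             False, [Safeguard("PSV-205 relief valve", "relief_valve")]),
]

if __name__ == "__main__":
    for sid, why in screen(SAMPLE_SCENARIOS):
        print(f"{sid}: {why}")
```

In the sample table only S-02 is reported: its initiating event is reachable through the control system and both of its IPLs depend on electronics, so the recommendation is a mechanical overspeed trip or an equivalent non-cyber layer. S-01 passes because of the relief valve, and S-03 is excluded because its cause is not something the ICS can produce.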