Midstream Cybersecurity Risks
What happens if a hacker takes control remotely of a pump station and spoofs the pressure indicator, so the logic controller can’t shut-down the booster pump, and then closes a discharge valve – blocking the pump in and over-pressuring the downstream piping?
When you are focused on designing safety requirements for industry, it is very hard to ignore the alarms being raised regarding cybersecurity. Especially in the case of where operators loose of control of a process.
We know this has happened in industrial applications and it has resulted in catastrophic problems. We know that the logic controller in safety integrated systems (SIS) have been attacked. Basically, we can’t trust our safety systems, the hacker can override the operator’s actions, and indications can be spoofed.
This may sound like a worst-case scenario out of a movie, but it is exactly what has already occurred. Recently, the oil industry was shocked to discover that a very good SIS was hacked. [i]
As if hacking the SIS isn’t bad enough, operators of the Ukraine power grid had a surprise one day when they lost complete control of their grid. At one point in the article referenced[ii]discusses the operator watching the mouse cursor start moving on its own and disconnecting a substation while the operator tried to seize control to no avail. We know how that ended.
But, I want to get back to minimizing the risks, so a hack becomes an inconvenient problem and we can recover.
Hazards of Operability Studies (HAZOP) and engineering studies like Layer of Protection Analysis (LOPA) and Quantitative Risk Analysis (QRA), are designed to identify initiating events and potential outcomes associated with operating a process and then calculate the risk to people, environment and assets. By looking at the cybersecurity problem from a process safety perspective, we can reduce the infinite potential outcomes and attack vectors allowing us to focus on significant scenarios and design systems so an attacker with complete control of a process can only mess it up, not blow it up.
Returning to that hacker attack on your pump station… If the plant was designed properly, the result of the attack will be a minor business interruption while the control system is reset, and the pump restarted. If the plant was not designed properly, the result could be rupture of the pump discharge piping, fire, and explosion with attendant potential impacts to personnel in the area, environmental damage due to spilled materials, massive equipment damage, and a prolonged business interruption.