Process plants as weapons of war

Malware over the Internet has replaced the large gunboat that was despatched in previous times – say 200 years ago – to send a message to the heart of a rival nation, indicating that relationships were becoming a little frosty. Then submarines and ICBMs were introduced, as less vulnerable to counter-attack – and providing hidden strength to be activated when necessary. The same applies to malware, in that once it is in place the weapon can be hidden and dormant until required. However, with any new missile system or weapon, the routing, targeting and performance of the latest versions have to be tested, and often this testing can be observed and monitored.

For any nation or group with an evil intent against another, this gives a major opportunity to cause chaos or damage to the infrastructure or manufacturing operations of a target country. This was seen in 2010 with Stuxnet, the Malware targeted at Siemens controllers in Iranian nuclear centrifuge installations. The source of the virus (officially) was never traced, but it was thought to have been from Israel, possibly with support from the USA. So Iran saw the effectiveness of this approach, and then developed the Shamoon virus, which caused major damage to all networked PCs at Aramco in Saudi Arabia in 2012. A further variant of Shamoon was unleashed in 2016/17, targeting ordinary computer systems around the Persian Gulf, as well as in Saudi Arabia.

Following these events, many cyber-security service businesses and departments appeared, in addition to those which were developing anti-virus systems to protect computers from hacking by fraudsters and criminals. Both of these types of company monitor any new attacks and intrusions, and normally report that state sponsored hacking is known to have originated from Israel, Iran, Russia, USA, and North Korea. Indeed some of the most active hacking has been from a Russian group known as Sandworm, particularly disrupting networks and systems in the Ukraine starting in 2014. Malware called ‘Industroyer’ was used in 2016 to cause a power blackout in Kiev, by modifying the ABB configuration files in the electricity supply grid network systems.

The latest attack

Two such cyber-security service businesses are FireEye and Dragos, based in the USA. In December 2017 they reported on a new attack (actually seen several months before) delivering malware into an un-named petrochemical plant control system in the Middle East. Others have reported this malware was most likely to have been developed in Iran and targeted at a Saudi Arabian installation. The FireEye investigation team from their Mandiant subsidiary found that the plant safety system, a Triconex SIS, had caused an unexpected safety shut-down. Triconex is a company within Schneider Electric, following their acquisition of the Invensys Group: their triple-redundant safety systems protect major hazardous installations such as petrochemical plants. They also are the ultimate shut-down safety system for many nuclear power plants around the World, including most of those in China.

FireEye called the malware they found “Triton” – it is also known as Trisis. The implication of their report was that the Triton attack framework gained remote access to an SIS engineering workstation, sought out the Triconex controllers, and tried to inject new commands into their operations. It seems that the workstation (on site) was in programme mode at this time, hence opening a potential window. There was no indication that the malware used any vulnerability in the Triconex system or its program code. In fact the triple redundant safety system reacted properly: the new single instruction did not pass the built-in validity checks, and so Triconex shut down the plant operations safely, as is the requirement of such a safety system.

FireEye interprets that this attack, which shows persistence, the lack of any clear monetary goal, and the technical resources necessary to create such an attack framework, as suggesting the origin is a well-resourced ‘nation-state’ actor. Either this current attack is reconnaissance development testing of part of what would need to be a significantly expanded multi-point approach to penetrate and control Triconex, or at a minimum it is designed to be economically disruptive to the target plant. Other commentators have suggested that Triton could prevent the Triconex SIS from carrying out its safety function, and drive the plant to destruction. Whilst this is unlikely, and not supported by current knowledge, the malware is undoubtedly aimed at the safety system, and Triconex is the omnipresent safety system used in most of the hazardous plants across all countries, whatever the origin of the plant control system.

A unique ubiquitous target?

Industrial control systems – for petrochemical plants, nuclear and other power stations, water treatment plants, power grids – are standardised across the World, so that they can accept inputs from equipment from many manufacturers: this is good, because there are no monopolies. It is also bad, because anyone can learn how to access these systems. While there are maybe ten major DCS suppliers worldwide, the SIS supplier base is much smaller – there are two or three suppliers. Of these, Triconex is by far the largest supplier, making them a very tempting target for anyone intent on world domination!

This article was written for and first published in my column in the February 2018 issue of the South African journal of Instrumentation and Control, a magazine from www.technews.co.za

Advertisements

Wireless gas detection total system

Yokogawa has announced that the ProSafe-RS SIL2 Wireless Gas Detection System will be released in September 2017. This will offer a total flammable gas detection system solution, using ISA100 wireless communications, and Yokogawa will include the necessary  consulting and engineering.

The ProSafe-RS SIL2 wireless gas detection system will consist of a newly enhanced version of the Yokogawa ProSafe-RS SIL3 safety instrumented system (R4.03.10), Yokogawa field wireless network devices, annunciator panels, and GasSecure (a subsidiary of Drägerwerk AG) wireless gas detectors GS01 or the GS01-EA (this model is equipped with an extension antenna).

For this system, Yokogawa will establish a total solution that will include both consulting and engineering.

Development Background

In energy and basic materials industries such as oil & gas, petrochemicals and chemicals, a safety instrumented system is employed to safely initiate an emergency plant shutdown when a critical failure is detected, and to initiate the operation of facilities that can extinguish or prevent the spread of a fire.

A field wireless system consists of field devices that are able to communicate wirelessly with a monitoring and control system. Wireless devices have a number of advantages such as allowing installation in difficult-to-access locations and the reduction of installation costs, and they are increasingly seen as essential elements in plant safety solutions. This is a particularly important consideration with gas detection systems, as operation can easily be impacted by factors such as installation location and ambient conditions. And even after system installation, ongoing efforts to optimise its overall configuration may necessitate occasional changes in the location and number of detection devices. The use of wireless technology eliminates the need to worry about wiring and thus greatly facilitates the process of moving and/or installing additional detection devices.

To achieve SIL2 level risk reduction when using wireless gas detectors with a safety instrumented system, communication protocols that comply with the functional safety requirements specified in the IEC 61508 international standard are required. A standard for the functional safety of electrical/electronic/programmable safety-related systems. To meet this need, Yokogawa will provide a SIL2 wireless gas detection system based on a new version of the ProSafe-RS safety instrumented system that will link to field devices using an IEC 61508 compliant communication protocol.

Features of the System

The ProSafe-RS SIL2 wireless gas detection system will consist of a new version of the ProSafe-RS safety instrumented system, R4.03.10, that will be enhanced to add support for an IEC 61508 compliant safety communication technology used in distributed automation; annunciator panels; ISA100 Wireless compliant field wireless devices; and GasSecure GS01 or GS01-EA wireless gas detectors, which are the only devices of this type in the industry that achieve SIL2 risk reduction. The ISA100 Wireless network protocol is based on the ISA100.11a wireless communication standard for industrial automation that was developed by the International Society of Automation (ISA), and the applications necessary for its implementation. This was approved as the IEC 62734 international standard in October 2014.

Total system solution including both consulting and engineering

Through the use of wireless technology, the ProSafe-RS SIL2 wireless gas detection system will allow increased flexibility with the configuration of detection devices, and will be suitable for use as a fire & gas system and emergency shutdown system thanks to its achievement of SIL2 risk reduction. Based on its knowledge of each of this system’s components and its expertise in production control, safety instrumentation, and field wireless engineering and consulting, Yokogawa will be able to offer a total system solution that includes customer support.

Enhanced operating efficiency

On their Yokogawa CENTUM VP integrated production control system screens, operators will be able to easily monitor the operation of the ProSafe-RS SIL2 wireless gas detection system as well as that of any conventional wired gas detection system. Since the GasSecure GS01 or GS01-EA wireless gas detector uses the same faceplate as a wired gas detector, operators will have no trouble identifying any changes in the detector’s status, thus helping to prevent errors that can result from the misinterpretation of information.

 Improved maintenance

With CENTUM VP, operators will have on-screen access to information on the status of all network devices, the charge remaining on the gas detector batteries, and the status of wireless communications, and thus will be able to quickly detect and respond to any abnormality. Thanks to this functionality, more efficient maintenance plans can be drawn up that, for example, will require fewer periodic checks.

yokogawa

About ProSafe-RS

Released in February 2005, the ProSafe-RS safety instrumented system helps prevent accidents by detecting abnormal conditions in plant operations and initiating emergency actions such as a plant shutdown. An independent certification body has certified that ProSafe-RS can be used in SIL3 applications. Unlike conventional safety instrumented systems and distributed control systems, which are regarded as having different roles and functions and operate separately, the operation of ProSafe-RS and the CENTUM integrated control system can be fully integrated. ProSafe-RS is highly regarded by users and has been installed in more than 2,100 projects worldwide (as of June 2017).

Yokogawa’s Commitment to the Field Wireless Business

Yokogawa developed wireless communication technologies for continuous processes that necessitate advanced control and released the world’s first ISA100 Wireless system devices in July 2010, thereby offering its customers a wider range of products to choose from. Currently, Yokogawa offers its customers in the oil & gas, and other industries a wide range of field wireless management stations, field wireless access points, wireless field devices, and wireless adapters for conventional wired devices.

Major Target Markets and Applications

For use in fire and gas systems (FGS) and emergency shutdown systems (ESD) in process industries such as oil, natural gas, petrochemicals, chemicals, pharmaceuticals, electric power, and iron and steel.

Dräger GasSecure

GasSecure AS is a subsidiary of Dräger, and has been a long term partner with Yokogawa in developing the market for wireless gas detectors using ISA100. GasSecure developed, markets and sells the world’s first truly wireless optical gas detector for demanding industrial applications. Representing an evolution in gas detection, the detector is based on innovative ultra-low power MEMS optical technology and has introduced a new level of reliability and flexibility for the detection of gas leaks. The totally wireless detectors increase safety and dramatically reduce costs for the oil & gas, petrochemical, marine, and other process industries. For more information, please visit www.gassecure.com.

False alarms from safety sensors?

So I do know about sensors and control systems, from the supplier point of view. But maybe like many suppliers I’ve only been on site to troubleshoot a sensor that is reported to be giving incorrect data. So someone else made the decision to question the validity of the sensor outputs.

These days, the nearest I get to regular sensor monitoring is at home, typically with smoke alarms, a CO monitor, and a flammable gas alarm. Plus the plant manager, my wife, is always demanding an immediate solution to any alarm system going off, to continue production.

The problem

A flammable gas alarm was positioned above the gas hob: perhaps in retrospect not the best place, as the instructions said humidity and steam should be avoided. But very quickly we realised that the detector was not very tolerant of any wine added to dishes being cooked on the hob. Then, surprisingly, it alarmed whenever we had bread dough baking in the (electric) oven. Since the detector was said to be set to alarm at 25% of the LEL this was surprising.

DSCN6511

The instruction came down – ‘Get me a switch in that alarm circuit, so I can switch the piercing noise of the alarm off!’ So, there was my solution, and a task, so that was done. I did not think it through any further.

Time passes

This system worked well for maybe 3 years. The alarm switch changed power from the alarm to a lamp over the worktop, so we knew to switch it back on after a problem event. But such sensors must have a life, and so when the alarm started going off when the kettle boiled and steam drifted up past the detector, I thought the unit was failing. There were then several late evening alarms, for no apparent reason, and we could not smell any gas (it is difficult to detect these days), nor see anything untoward. Like every engineer I guess, I felt the sensor, to find it very hot. This seemed to confirm the problem, that the sensor was failing, so take the thing out – ‘it was not that hot before!’ Something had changed.

Six months later, this Summer, we had a new gas meter – a Smart unit – installed on the domestic gas supply. Ultrasonic measurement of the flow, wifi connection to the indoor display, and mobile network reporting usage figures to the supplier. That would all be great, except the fitter refused to reconnect the gas to the house, because of a slight leak detected indoors. We had to call out a plumber to deal with our in-house problems. Good job it was Summer, as that took over a week.

Finding the gas leak

The leak was located as somewhere in the piping to the gas hob. The plumber tightened up the connections under the hob, and repeated the pressure loss checks. Still a slight leak, but within allowable tolerances. OK, so he checks once more, to be sure, and starts his paperwork. A last twist of the 90 degree bend directly on the hob (supplied by the Chinese supplier) produced an interesting result: the threaded part of this connector sheared off, almost in two half-round pieces. It looks like steel, but low grade steel, and showed a brittle type fracture all around the fitting.

Presumably the crack that had been there before, allowing a slow leak, had led to the fracture on tightening the connection. That was installed 10 years before, and no-one had done any checks of that or the system post installation. OK, I had never had the systems tested for gas leaks.

What had happened?

The conclusion at this point was that the slow leak presumably collected gas in the lower cupboards, and when this escaped it combined with the wine vapours to trip the alarm. Possibly the steam from the kettle just accelerated the rise of the gas past the detector. The detector was presumably a Pellistor, and got hot because it was burning the gas off. The dough rising in the oven? I don’t know much about bread and dough – but the leak was directly above the oven, so maybe the gas and air, warmed from the sides of the oven, helped the gas rise up past the detector. If that fitting had actually failed totally one night, there would have been a major blast, as I had removed the gas detector.

We now have installed a new detector, further from the cooking (3 metres). Plus the old one is re-installed, as a back-up unit: it is working OK still, next to the boiler. The bad news: the new alarm went off last weekend, when simmering a Paella laced with white wine….

Yesterday the plant manager produced a batch of dough and made bread. Both flammable gas alarms went off, first the unit 3 metres away then the old reserve unit, now even further away in the utility room, with the boiler.

Legislation

In any rented accommodation the landlord has to have a gas system safety check once a year. Because we own our own house there is no such requirement, and the boiler service man, who checks the gas boiler and heating system once a year, is not required to, and does not include, a system gas leak test in his inspection.

Product or system failure?

The gas hob was made by Proline, and installed around 8 years ago by a registered installer. It was a Chinese manufactured unit supplied by Comet as a low-cost own-brand hob to many retail outlets in the UK. The 90 degree bend that failed was supplied as a part of the hob, the gas inlet port. It is not steel, it could be an aluminium or zinc alloy. It appears the design was such that this port could be stressed during installation or tightening, as the bend itself would not rotate to suit the angle of the delivery pipework. It seems the break was on the hob side of the fitting. A combination of a poor quality fitting and a poor design.

The flammable gas alarm seems to work OK in detecting natural gas, but is even more sensitive to alcohol vapours, bread and dough making, and using any window cleaning spray that has any hydrocarbons in the fluid. So beware of using them in a brewery, distillery, bakery, bread shop, pub, restaurant and so on!

There was undoubtedly a small gas leak, around the hob, which has now stopped. Possibly this was from the 90 degree bend fitting, which then completely broke apart on tightening the joint. It remains possible that this failure was an accident waiting to happen.

The domestic plant manager is none too pleased at the moment. So do I leave the sensors installed, take both or one of them away, or fit switches to suppress the noise and turn off the alarm(s)?

Postscript

The supplier of the unit is surprised and upset. He considers these sensors do not give false alarms, when exposed to wine fumes from simmering a paella, or from baking bread in the oven. He has asked me to return the newest one to allow him to test it.

This has been done so we will see what results!

UV keeps bottled water safe

Hanovia UV has supplied Cott Beverages UK, based in Derby, with a PureLine intelligent UV system to keep its production process water pure.

PureLine range

In an increasingly regulated and safety-conscious market, legislation such as the EU Directive for Bottled Water 98/88/EC (1998) drives the beverage industry to meet ever more stringent standards of quality. Microbial growth due to contaminated water or ingredients can cause discolouration, off flavours and shortened shelf-life. The threat of contamination is further increased as manufacturers respond to demands for less chemical additives and preservatives. Effective microbial disinfection of the whole process is therefore essential.

To meet this requirement, Cott Beverages has been using Hanovia UV disinfection technology to treat process water used in the production process. The company decided to use UV technology to ensure final product security prior to mixing and bottling and has been very satisfied with the performance of the UV systems.

“The Hanovia UV systems have been easy to integrate, maintain and operate,” said Chris Prentice, site service engineer at Cott Beverages. “They provide us with absolute insurance before bottling by making sure that we are producing and maintaining a high-quality product, which is essential for our brand.”

PureLine UV from Hanovia is an intelligent system that is optimised for the beverage industry to simplify the treatment of water, sugar syrup, brine and even reducing chlorine and ozone. Critically, there are no microorganisms known to be resistant to UV – this includes pathogenic bacteria such as listeria, legionella and cryptosporidium (and its spores, which are resistant to chlorination). Unlike chemical treatment, UV does not introduce toxins or residues into process water and does not alter the chemical composition, taste, odour or pH of the fluid being disinfected.

UV is used for both primary disinfection or as a back-up for other purification methods such as carbon filtration, reverse osmosis or pasteurisation. Because UV has no residual effect, the best position for a treatment system is immediately prior to the point of use. This ensures incoming microbiological contaminants are destroyed and there is a minimal chance of post-treatment contamination.

UV disinfection systems are easy to install, with minimum disruption to the plant. They need very little maintenance, the only requirement being the replacement of the UV lamps every 9-12 months, depending on use. This is a simple operation that takes only a few minutes and can be carried out by trained general maintenance staff. The Hanovia UVCare training programme supports businesses like Cott Beverages to make sure servicing is carried out by certified engineers at all UK production sites.

Yokogawa EPMS and SCADA for the UK’s BPAL pipeline system

Yokogawa has received an order from the British Pipeline Agency Limited (BPAL) to supply a management and control system for one of the UK’s major multi-product fuel pipeline systems, to replace the current BPAL pipeline management and SCADA systems.

The BPAL UK pipeline system consists of three integrated multi-product fuel pipelines that link two, refineries, one at Ellesmere port on the Mersey near Liverpool and the other on the Thames in Essex, to inland distribution terminals. These pipelines, operational since 1969, meet over 50% of the jet fuel needs at London’s Heathrow and Gatwick airports, and are altogether some 650 km in length. BPAL, jointly owned by Shell and BP, are the operators of these pipeline systems (known as UKOP and WLWG), which are owned by a consortium of partners.

This order is for Yokogawa’s Enterprise Pipeline Management Solution (EPMS), which will manage functions such as delivery scheduling and oil storage, and their Fast-Tools SCADA software, to monitor and control the oil pipelines and related equipment such as compressors. The EPMS uses specific gas and liquid applications that enable a pipeline operator to manage delivery contracts in a time and energy efficient manner. With the SCADA system covering monitoring and control, the EPMS will integrate the management of the SCADA data. Delivery of these systems will be completed by March 2018.

Further order for UAE Power and Desalination Station

Yokogawa also recently received its first ever DCS order for a power and desalination plant in the UAE. The company is to supply the Sharjah Electricity & Water Authority (SEWA) with control and safety systems, plus field equipment, for Units 7 and 8 at the Layyah Power and Desalination Station.

Each unit comprises a 75 MW oil and gas-fired thermal power plant and a 27,000 m3 per day multi-stage flash (MSF) desalination plant: a technology that involves the heating and evaporation of seawater in multiple vacuum distillation tanks to produce steam, which is then condensed to produce fresh water. Such systems are energy-efficient because they use the heat from the steam that is created in the vacuum distillation tanks.

Yokogawa Middle East & Africa will deliver the CentumVP integrated production control system for the boiler, turbine governor, turbine protection system and the desalination plant at each of these units, as well as the ProSafe-RS safety instrumented system for burner management and boiler protection. The field instruments will include Yokogawa products such as the DPharp EJA series differential pressure and pressure transmitters, continuous emission monitoring systems (CEMS), and steam and water analysis systems (SWAS). In addition to being responsible for engineering, the company will provide support for the installation and commissioning of these systems, with all work scheduled for completion by September 2017.

Demand for electricity and water is soaring throughout the Middle East due to their rapid economic growth. Power and desalination plants that rely on the region’s abundant oil and gas resources make up an important part of this region’s infrastructure.

Regular educational reading?

The regular eNewsletter from the UK journal HazardEx should be compulsory reading for any process engineer: it always restores your faith in the incompetence of the human race when doing any project, and confirms that if anything will go wrong, it will do! There must have been someone’s law that said that.

Choose a relevant report to your industry from the fascinating selection in the current January 2017 issue, available from www.hazardexonthenet.net:

  1. A Tesoro Logistics oil pipeline spilled 20,600 barrels of oil back in 2013, at a site near Tioga, North Dakota. Four years later the clean-up is still continuing, and it is likely to go on throughout 2017. Another spill of shale oil was discovered on December 5th by a landowner near Bellfield, North Dakota. There’s a lot of space in North America, but this bit seems to have collected 4200 barrels of oil, apparently from a pipeline owned by Belle Fourche, part of True Companies of Wyoming. The relevant Administration has issued a corrective notice, lets hope that will be completed inside five years!
  2. In Shaanxi province, China, a public toilet in Yulin City exploded on January 1st, killing one person and injuring seven others. Presumably someone lit a cigarette, and ignited an explosive build-up of sewer gas present in the building, which collapsed following the explosion.
  3. An explosion at the Airgas plant near Pensacola, Florida last August unfortunately killed one worker: the explosion destroyed two tankers and a large tank storing nitrous oxide. The unexpected consequence was a country-wide shortage of canned whipped cream and other popular toppings over the Christmas break – obviously much more important to the US public! (These cans use N2O as a propellant and preservative)
  4. The explosion at the GlaxoSmithKline Irvine plant in Scotland in July 2013 injured two employees: SmithKline Beecham Ltd pleaded guilty to H&S failings and was fined £55,000 in court in December 2016.

P+F buys ecom to complete hazardous area capability with mobile devices

Ecom instruments from Assamstadt in Germany was established 30 years ago, and has specialised in portable equipment suitable for use in the most hazardous areas of a plant, ie Zone 1 rated explosion hazard areas on a petrochemical plant, etc. This extends from a torch, through to a mobile phone, PDA, laptop etc, as well as measuring instruments and calibration equipment. They recently developed into providing similar barcode scanner systems, plus intelligent software and applications.

At the end of October it was announced that Pepperl + Fuchs of Mannheim, also in Germany, a family-owned company well known for industrial sensor systems and explosion protection in general, had acquired the whole business of ecom instruments GmbH. In this way P+F adds to their existing (static) explosion protection portfolio and know-how offering by including mobile devices and solutions.

Dr Gunther Kegel, CEO of P+F, commented “In ecom instruments we found an industry pioneer with 15% growth rate lately who, for decades, proved and strengthened his technology leadership in mobile explosion protection and now complements our offering with a competitive portfolio reaching far into the future”.

“Besides the expanded product portfolio we can see new opportunities arising along the entire value added chain. With this we can not only strengthen our offering in the field of explosion protection, but we can achieve a much better market position – with a partner from our region – and consequently generate new solutions around the complex of Industrie 4.0”.

Rolf Neid, the Founder and Managing Partner of ecom Instruments, commented: “The expertise in explosion protection and the wide-spread international sales force of Pepperl+Fuchs made them our favourite partner from the very beginning. Our innovative devices do not only fill a gap in their portfolio, but allow ecom instruments and Pepperl+Fuchs to develop future business models and solutions at the Center of Competence at Assamstadt to gain access to the enormous growth potential of the ongoing digitalization of industry”.

P+F hazardous area business

The P+F Process Automation Division is world-market leader in the field of explosion protection in hazardous areas using intrinsic safety. Furthermore, the Division offers large varieties of application-oriented system solutions for process industries. The portfolio consists of analogue isolation barriers, fieldbus topology systems, remote I/O systems, HART interfaces, level control sensors, purge systems, HMI devices, as well as power supplies and signalling devices.

The P+F UK factory in Wednesbury, in the Midlands, produces Exd and Exe junction boxes, cabinets and control panels and switching systems for hazardous area use, plus accessories such as light fittings, floodlights and beacons for hazardous areas. The factory, originally known as Walsall Ltd, was acquired by P+F in 2009, and a visit to see the expanded operation in 2012 was reported on Processingtalk.info – see the story “P+F invests in factory for Exd, Exe housings