Buncefield Explosion
1. An alternative analysis of the
conclusions of the official investigation
into the cause of the Buncefield
explosion.
Andrew Coakley
June 2015
Buncefield Aftermath
Buncefield
– Accident or Cyber Warfare?
2. Executive Summary
The official investigation into the Oil
Storage Tank explosion at Buncefield
near Hemel Hempstead on 11th
December 2005 finally concluded with
the release of a report in February
2011 by the Control of Major Accident
Hazards (COMAH) from the Health
and Safety Executive (HSE),
Environment Agency, and Scottish
Environment Protection Agency
(SEPA) titled “Buncefield – Why did it
happen?”
The report summarised the findings
of the Major Incident Investigation
Board (MIIB), which was set up to
investigate the Buncefield explosion,
completed its work in 2008 and
published its final report, “The final
report of the Major Incident
Investigation Board”.
The COMAH report also sought to
bring all of this information together
so that everyone in major hazard
industries – not just those involved in
fuel storage – can learn from this
incident, understand what went
wrong, and take away lessons that
are relevant to them.
The reports published and in the
public domain seek to attribute the root
cause failures that led directly to the
explosion. These findings are based
upon methodical investigation by the
MIIB and have found:
• Management failings;
• Operational failings, including:
• Inadequate documentation;
• Confused reporting;
• Human operator overload;
• Inadequate maintenance;
and, as the root cause, failure of the
safety systems meant to eliminate the
possibility of storage tank overflow
through the combination of manual and
automatic shutdown procedures.
Specifically, the investigation concluded
that the following had failed:
• Automated Tank Gauging system (ATG)
and
• Independent High Level Switch (IHLS)
Both of these systems were meant to
provide alerts and data to the control room
SCADA monitoring and process control
system. The investigators’ conclusions are
based on a mix of hypothesis formulated on
previous events, interviews with key
personnel, and some data readings from
the SCADA and ATG databases.
As we shall see, the investigators based
their conclusions on potentially flawed
assumptions. If the same events are read
with alternative assumptions, could
alternative conclusions be drawn that might
suggest the potential of a Cyber warfare
attack on the UK Critical National
Infrastructure?
A report published by the US Department of
Homeland Security (DoHS) Control
Systems Security Centre in November
2005, a month before the Buncefield
explosion, provided an analysis of how such
systems are vulnerable to Cyber attack.
None of the officially documented reports
considered or investigated the potential
possibility of a Cyber attack on the control
systems in use at Kingsbury and Buncefield
as detailed in the DoHS study. This paper
considers that possibility.
3. The Official Buncefield Reports, Evidence,
Assumptions and Conclusions
The official investigation into the
Oil Storage Tank explosion at
Buncefield near Hemel
Hempstead on 11th December
2005 finally concluded with the
release of a report in February
2011 by the Control of Major
Accident Hazards (COMAH) from
the Health and Safety Executive
(HSE), Environment Agency, and
Scottish Environment Protection
Agency (SEPA) titled “Buncefield
– Why did it happen?”
This report by COMAH
summarised the findings of the
Major Incident Investigation Board
(MIIB), which was set up to investigate
the Buncefield explosion, completed its
work in 2008 and published its final
report, “The final report of the Major
Incident Investigation Board”.
The COMAH report also sought to
bring other information together so
that everyone in major hazard
industries – not just those involved
in fuel storage – can learn from
this incident, understand what
went wrong, and take away
lessons that are relevant to them.
In addition, the COMAH report
detailed the outcomes of criminal
prosecution into the incident and
said that when passing sentence
on the
defendants at St Albans Crown
Court on 16 July 2010, the Judge,
the Hon Mr Justice Calvert-Smith,
commented that cost cutting per
se was not put forward as a major
feature of the prosecution case,
but the failings had more to do
with slackness, inefficiency and a
more-or-less complacent approach
to matters of safety.
He did not specifically mention or
consider any evidence (because
none was put to him) that
extended to the safety of
protecting critical safety systems
from malicious penetration of the
systems that could mean control of
the systems passed to external
enemies or other organisations
intent on inflicting damage to the
UK Critical National Infrastructure.
This can only be because no
evidence or investigation was ever
considered by the investigating
authorities.
4. HSE Report rr872
In its research report rr872 the HSE
states “The MIIB has officially stated
that the reason the overfill occurred
was because the level measurement
gauge on the tank did not alter in a
three-hour period, despite the fact it
was being continuously fed unleaded
petrol via a pipeline from the Lindsey
Oil Refinery in Lincolnshire.
The third progress report as presented
in The Buncefield Incident 11
December 2005, The Final Report of
the Major Incident Investigation Board,
Volume 2, stated that findings of the
investigation into the instrumentation
and controls confirmed this.
It emphasised that in the three-hour
period prior to the incident, the level
gauge of this tank remained static,
despite there being a continuous
transfer to it.
This loss of containment (LOC) incident
was in part due to shortcomings in the
control and instrumentation, and in
particular the failings of the tank
gauging system in place on the tank
that monitored the level of fuel stored in
that tank.”
The report provides a very
comprehensive expose on the various
types of mechanical and electrical
systems available for storage tanks in
the UK and beyond.
It closes on page 33, at section 6.2.3
where there is a brief discussion on
communication system software where
it states that the most common
software used to bring information from
tanks to the control room was ENRAF.
ENRAF is a Honeywell Inc product
prevalent in the market. The report,
however, whilst acknowledging
complexity, provides no thought or
guidance as to its potential
vulnerabilities to information corruption
or usurpation. The core solution at
Buncefield was TAV for the Servo Gauge
and Cobham for the High Level Switch
(HLS).
Nowhere in the HSE report is system
security considered as a factor for HSE
concern, in spite of the fact that it is the
rules within the system software that
determine whether an alarm is
triggered, and the vulnerabilities of
such systems to malicious penetration
are now well publicised.
5. 3rd Progress Report – Instrumentation and
Control Systems.
At section 1.3 of the 3rd Progress
Report, titled “Instrumentation and
control systems”, a narrative is
provided about the control SCADA
system in use. It is worth noting what
was said:
“13 Tank 912 was fitted with
instrumentation that (among other
things) measured and monitored levels
and temperatures of the liquid in the
tank. The instruments were connected
to an automatic tank gauging (ATG)
system in common with all the other
tanks on the site. Tank levels were
normally controlled from a control
room using the ATG system.
14 A servo level gauge measured the
liquid level. The temperature of liquid
in Tank 912 was measured using a
temperature sensor.
15 The ATG system enabled the
operator to monitor levels,
temperatures and tank valve
positions, and to initiate the remote
operation of valves all from the control
room on HOSL West site. The ATG
system was also able to trend data
and had an event logging system,
integrated with the alarm system. The
ATG contained a large database
which recorded levels, temperatures,
alarms, valve positions, and other
related information indexed against
times and dates for a user-
configurable period which can be
several months.
The records from this database are
providing valuable information for the
investigation.
16 The tank also had an independent
safety switch, which provided the
operator with a visual and audible alarm
in the control room when the level of
liquid in the tank reached its specified
maximum level (the ‘ultimate’ high level).
This alarm also initiated a trip function to
close valves on relevant incoming
pipelines. The ultimate high level safety
switch on the tank sensed when the
liquid reached its specified maximum
level, should all other alarms and
controls fail to prevent this. Its purpose
was to provide an alarm to operators in
the control room and to initiate
automatic shutdown of delivery once the
maximum level was reached. The switch
was intended to alert the control room
operator via a flashing lamp (one for
each tank) and an audible buzzer. In
addition, the ultimate high level safety
switch alarm signal from any overflowing
tank in HOSL West would be sent to
computer control and instrumentation
relating to both the FinaLine and BPA
pipelines.”
Of interest here is that the database
mentioned in section 15 is never
referred to in any of the other
documents except in Mr Justice Steel’s
summarisation, where expert evidence was
provided by Samuel Sudler of Total and
Dr Harri Kytomaa, a mechanical
engineering specialist. What the
evidence was is not explained.
6. 3rd Progress Report – Instrumentation and Control
Systems Cont.
“19 Examination of the records for Tank
912 from the ATG system suggest an
anomaly. A little after 03.00 on 11
December, the ATG system indicated
that the level remained static at about
two thirds full. This was below the level
at which the ATG system would trigger
alarms.
20 However, the printouts from the BPA
SCADA systems indicate that the T/K
South line was delivering a batch of
8400 m3 of unleaded petrol, starting
around 19.00 the previous evening (10
December). The delivery was being
split between Tank 912 at the HOSL
West site and BPA’s site at Kingsbury,
giving a flow rate to Tank 912 of around
550 m3/hour. These SCADA printouts
further indicate that approximately
seven minutes before the incident, the
Kingsbury line was closed, leading to a
sharp increase in the flow rate to Tank
912 to around 890 m3/hour.
21 At the time of the incident, automatic
shutdown did not take place.
22 Examination of the valve positions
shown by the ATG database confirm
that the inlet valve to Tank 912, which
was connected to the BPA petrol
manifold, was open at the time of the
incident. Based on this evidence, it is
concluded that Tank 912 was still filling
after 03.00.
17 When the BPA site received an
alarm/trip signal from the HOSL
West site, the BPA computer
control system should have closed
the relevant pipeline manifold
valve feeding in product to the
tank(s) on the HOSL West site.
BPA also had a high-level
supervisory control and data
acquisition (SCADA) system,
which had the facility for alarm and
event logging both locally at
Buncefield and remotely at the
BPA control centre at Kingsbury,
Warwickshire.
18 An override keyswitch in the
HOSL West control room could be
used to inhibit the alarm/trip signal
to BPA during testing of the
ultimate high level safety switches.
Putting the keyswitch in the
override position would illuminate
a red lamp on the annunciator
panel.”
This then should have been the
process of control for managing
tanks and associated alarms. The
report in the next section 1.4
discusses the resulting evidence
from those control systems as
follows:-
7. 3rd Progress Report – Instrumentation and Control
Systems Cont.
“23 Temperature records also provide
evidence that the inflowing fuel was
warmer than the tank contents.
Records for Tank 912 show the tank
temperature continuing to rise after
03.00, supporting the above conclusion
that the product was still feeding into
the tank from the pipeline.
24 The evidence to date is consistent
with continued filling of Tank 912 after
03.00, despite the ATG system showing
a static level reading. On the basis of
calculations, Tank 912 would have
been completely full at approximately
05.20, overflowing thereafter. This
timing is entirely consistent with CCTV
evidence and eyewitness accounts
reporting on a dense vapour cloud at
various times between 05.38 and
06.00. The overflow of unleaded petrol
would therefore have been in the order
of over 300 tonnes by 06.00.
25 Simulation of the ultimate high level
tank alarms (from the relevant electrical
substation on site) and tests on the
annunciator panel and the link to BPA
prove that they worked normally. Tests
on the override switch found that it had
no effect on the audible and visual
alarms from the annunciator, but it did,
when switched to override, inhibit the
alarm/trip signals being sent to BPA.
26 Information from the BPA SCADA
system indicates that no ultimate high
level alarm was received from HOSL
West, but it has not been possible to
test the ultimate high level safety switch
or intervening wiring between Tank 912
and the substation, as they have been
damaged in the fire. However, the
switch has very recently been
located, but it has not yet been
possible to recover it. When it is, it
will be subject to forensic
examination.”
No evidence of, or follow-up to, this
forensic examination has been found in
the reports that could determine the
validity of the assumption regarding the
high level switch operating condition.
The reports indicate that it was not
padlocked in position following a
recent test; however, the forensic
examination report does not appear
anywhere.
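The discrepancy described in paragraphs 19 to 24, a static ATG level during a metered transfer with the inlet valve open, is one that an independent reconciliation check would flag whether the cause is a stuck gauge or falsified data. The sketch below is an added example, not code from the reports or from any system at Buncefield; the sample layout, the 30-minute window, the 50 m3 tolerance and the 3000 m3 starting inventory are assumptions, and the data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    t: datetime
    atg_volume_m3: float   # inventory reported by the tank gauging system
    flow_m3_per_h: float   # inflow metered independently by pipeline SCADA
    inlet_open: bool       # inlet valve position from the valve record


def metered_inflow(samples):
    """Trapezoidal integral of metered flow over the samples, in m3.
    Intervals where the inlet valve is closed at either end count as zero."""
    total = 0.0
    for a, b in zip(samples, samples[1:]):
        if a.inlet_open and b.inlet_open:
            hours = (b.t - a.t).total_seconds() / 3600.0
            total += 0.5 * (a.flow_m3_per_h + b.flow_m3_per_h) * hours
    return total


def reconcile(samples, window=timedelta(minutes=30), tolerance_m3=50.0):
    """Compare the gauge-reported gain with metered inflow over a sliding
    window. Returns (time, metered_m3, reported_m3) for every window in
    which the gauge accounts for less product than the meter delivered."""
    alerts = []
    for i, cur in enumerate(samples):
        win = [s for s in samples[: i + 1] if s.t >= cur.t - window]
        if len(win) < 2 or win[-1].t - win[0].t < window:
            continue  # not enough history for a full window yet
        metered = metered_inflow(win)
        reported = cur.atg_volume_m3 - win[0].atg_volume_m3
        if metered - reported > tolerance_m3:
            alerts.append((cur.t, round(metered, 1), round(reported, 1)))
    return alerts


def independent_estimate(samples, trusted_until):
    """Inventory estimate that ignores the gauge after `trusted_until`:
    last trusted gauge value plus metered inflow since then."""
    base = [s for s in samples if s.t <= trusted_until][-1]
    later = [s for s in samples if s.t >= base.t]
    return base.atg_volume_m3 + metered_inflow(later)


def constructed_samples():
    """Constructed data: 10-minute samples from 02:00 to 04:00 at 550 m3/h,
    with the gauge tracking until 03:00 and static afterwards. The 3000 m3
    starting inventory is illustrative and does not come from the reports."""
    start = datetime(2005, 12, 11, 2, 0)
    freeze = datetime(2005, 12, 11, 3, 0)
    out = []
    for k in range(13):
        t = start + timedelta(minutes=10 * k)
        seen = min(t, freeze)  # the gauge stops following the level at 03:00
        volume = 3000.0 + 550.0 * (seen - start).total_seconds() / 3600.0
        out.append(Sample(t, volume, 550.0, True))
    return out


if __name__ == "__main__":
    data = constructed_samples()
    for when, metered, reported in reconcile(data):
        print(f"{when:%H:%M} metered {metered} m3, gauge shows {reported} m3")
    estimate = independent_estimate(data, datetime(2005, 12, 11, 3, 0))
    print(f"gauge at 04:00: {data[-1].atg_volume_m3:.0f} m3, "
          f"metered estimate: {estimate:.0f} m3")
```

Because the check uses the pipeline meter rather than the tank gauge as its reference, it only adds assurance if the two values reach the comparison by separate paths.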
8. Alternative Assumptions for Consideration
The official investigation of the
Buncefield explosion is predicated on
the failure of 3 independent
electromechanical and IT systems built
to Safety Integrity Level (SIL) standards.
It is by and large built upon
assumptions that:
1. The servo level gauge became
stuck and continued to send
incorrect data to the TAV ATG
system showing a static level of
tank 912 contents; it is assumed
the ATG system was immune
from attack.
2. The HLS failed to function correctly.
However, the switch forensic
analysis has not been published
in the reports, so what if it
did work correctly mechanically?
3. The SCADA systems in use at
Kingsbury and HOSL were
secure and immune from Cyber
attacks. However, if the Servo
Level Gauge and HLS did
actually work correctly, one or
more of the SCADA systems
and/or the ATG data must have
been compromised.
But how could this have happened?
In a report published in November 2005
entitled “Common Control System
Vulnerability” the Control Systems
Security Center (CSSC) and National
SCADA Test Bed (NSTB) programs on
behalf of the US Department of
Homeland Security advised they had
discovered a vulnerability common to
control systems in all sectors that
allows an attacker to penetrate most
control systems, spoof the operator,
and gain full control of targeted system
elements. This vulnerability has been
identified on several systems that have
been evaluated at Idaho National
Laboratory, and in each case a 100%
success rate of completing the attack
paths that lead to full system
compromise was observed. Since
these systems are employed in multiple
critical infrastructure sectors, this
vulnerability is deemed common to
control systems in all sectors.
The following information is taken from
the DoHS report.
Usually, such penetration attacks follow
a phased approach including
reconnaissance, traffic analysis,
profiling of vulnerabilities, launching
attacks, escalating privilege,
maintaining access, and covering
evidence.
Once the attacker gains access to the
control network through vulnerabilities
in the business LAN, another phase of
reconnaissance begins with traffic
analysis within the control domain.
Thus, the communications between the
workstations and the field device
controllers can be monitored and
evaluated, allowing an attacker to
capture, analyse, and evaluate the
commands sent among the control
equipment. Through manipulation of
the communication protocols of control
systems an attacker can then map out
the control system processes and
functions. With the detailed knowledge
of how the control data functions, as
well as what computers and devices
communicate using this data,
the attacker can use a well-known Man-
in-the-Middle attack to perform
malicious operations virtually
undetected and gain full control of
targeted system elements.
9. This method was used by INL to gather
enough information about the system to
craft an attack that intercepts and
changes the information flow between
the end devices (controllers) and the
human machine interface (HMI and/or
workstation). Using this attack, the
cyber assessment team has been able
to demonstrate complete manipulation
of devices in control systems while
simultaneously modifying the data
flowing back to the operator’s console
to give false information of the state of
the system (known as “spoofing”).
This clearly has the potential to form
the basis of an attack at Kingsbury
Central SCADA and hence on
Buncefield, whereby the ATG system
could have been corrupted and false
data inserted into network traffic
to spoof the SCADA system into
believing the tank 912 contents were
less than they really were,
suppressing any alarms to the
SCADA control systems at both
Buncefield and hence Kingsbury.
Network Reconnaissance and Data
Gathering
Once access has been obtained on the
control system network, be it via the
business LAN or some other plausible
attack vector (vendor channel, wireless,
dial-in access, etc), network
reconnaissance is used to gather the
information required to develop a plan
of attack. By passively scanning,
listening, and gathering communication
traffic (i.e., protocols), the attacker is
able to obtain an initial inventory
regarding the architecture components
in the control network, as well as direct
insight into the communications used
by the control devices on the network.
After enough information has been
gathered, the attacker can begin
decoding and assessing the system
information flow. This process of
passively listening to network traffic is
often referred to as ‘sniffing’.
In order to communicate with the end-
point field devices, the application
always communicated directly with the
device-specific controllers. This
identified a critical path on the flow of
system information between the
controllers and/or field devices and the
workstation. Decoding the
communications within this flow of
information is the key to understanding
the system and more importantly,
verifying targets on the control network.
In order to break the communication
layer, the control network traffic had to
be monitored and dissected to develop
a greater understanding of how the
components communicate.
Alternative Assumptions for Consideration (cont)
10. At Buncefield the SCADA system is
connected to each location system by a
point-to-point communications circuit.
Each circuit is implemented as an
analog leased line, with automatic dial-
up fallback. Supplementary dial-up
circuits are also provided. This could
represent a security flaw giving an
attacker potential network access
via a modem dial in.
Reverse Engineering
To reverse engineer a protocol,
communication packets are captured
by the attacker using the compromised
machine on the control network and
dissected to identify the inner working
of the communications. Each packet
contains all the required components to
operate and control the field devices.
The critical aspect of each protocol is to
understand how the packet is put
together and identify which pieces (bits)
within the packet are the commands for
controlling the equipment. These
pieces are identified through reverse
engineering of the protocol, which
allows the attacker the ability to
manipulate each packet as required.
Because Control Systems were
historically “closed”, data sent to and
from control devices and to the
operator consoles was usually
considered valid. Each control system
network component could theoretically
communicate with any other
component without any verification of
sender or receiver. Such trust has
obvious implications: were these
systems to be penetrated, new data,
with possibly harmful instructions,
would be
accepted by the target resource and the
command would be executed. This is
known as a “replay attack”.
The final task of successfully inserting
the modified rogue traffic into the data
stream requires that the information
flow be uninterrupted.
In order to use the information and
insert the modified packets into the
information flow, a Man-in-the-Middle
attack must be carried out.
Man-in-the-Middle Attack
A Man-in-the-Middle attack requires the
use of the address resolution protocol
(ARP) and an in-depth understanding
of the protocol to be manipulated. (In
the Buncefield case this would be the
TAV ATG system protocols, Allen
Bradley PLCs and I/Os.) The ARP
Man-in-the-Middle attack is a popular
method used by an attacker to gain
access to the network flow of
information on a target system. This is
done by attacking the network ARP
cache tables of the controller and the
workstation machines. Using the
compromised computer on the control
network, the attacker poisons the ARP
tables on each host and informs them
that they must route all their traffic
through a specific internet protocol (IP)
and hardware address (i.e., the
attacker’s machine). By manipulating
the ARP tables, the attacker can insert
his machine between the two target
machines and/or devices.
11. The Man-in-the-Middle attack works by
initiating gratuitous ARP commands to
confuse each host (referred to as ARP
poisoning). These ARP commands
cause each of the two target hosts to
use the Media Access Control (MAC)
address of the attacker as the address
for the other target host. When a
successful Man-in-the-Middle attack is
performed, the hosts on each side of
the attack are unaware that their
network data is taking a different route
through the attacker’s computer. The
attacker’s computer then needs to
forward all packets to the intended host
so the connection stays in sync and
does not time out. Figure 1 illustrates a
typical Man-in-the-Middle attack in the
Buncefield scenario.
Figure 1. Man in the Middle
The Man-in-the-Middle attack is
effective against any switched network
because it effectively puts the
attacker’s computer between the two
hosts. This means the hosts send their
data to the attacker’s computer,
thinking it is the host to which they
intended to send the data. After the
ARP tables on both target hosts have
been successfully poisoned, the
program shuttles packets back and
forth between the target hosts.
This ensures that all of the current
applications on the target hosts will
continue to work properly. During the
shuttling process, every packet
destined for either target host is
processed through the attacker’s
machine and can be manipulated
(packet crafting) to send specific
commands to each host. In the case of
Buncefield, this meant that the ATG
system traffic could have been
intercepted and replaced with tank level
data that did not change even though
the actual tank level was rising.
The ATG system in the control room
would show a consistent level measure,
which is in fact what happened.
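The ARP poisoning described above leaves three observable traces on the control network: replies nobody asked for, an IP address moving to a different MAC, and one MAC claiming the addresses of both the workstation and the controller. The detector below is an added example, not code from the DoHS report or from any system in this paper; the log format, addresses and MACs are constructed, and it assumes monitoring starts from a known-good state so that the first binding seen for each IP is trusted.

```python
from collections import defaultdict, namedtuple

ArpEvent = namedtuple("ArpEvent", "time op sender_ip sender_mac target_ip")

# Constructed observations, not captured traffic. The one-line-per-frame
# format (time, opcode, sender IP, sender MAC, target IP) is an assumption.
# 192.0.2.10 stands for the operator workstation, 192.0.2.20 for a controller.
SAMPLE_LOG = """\
03:00:01 request 192.0.2.10 02:00:00:00:00:10 192.0.2.20
03:00:01 reply   192.0.2.20 02:00:00:00:00:20 192.0.2.10
03:00:02 request 192.0.2.20 02:00:00:00:00:20 192.0.2.10
03:00:02 reply   192.0.2.10 02:00:00:00:00:10 192.0.2.20
03:05:00 reply   192.0.2.20 02:00:00:00:00:66 192.0.2.10
03:05:00 reply   192.0.2.10 02:00:00:00:00:66 192.0.2.20
03:05:30 reply   192.0.2.20 02:00:00:00:00:66 192.0.2.10
"""


def parse(log_text):
    """Yield ArpEvent records, skipping lines that do not match the format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[1] in ("request", "reply"):
            yield ArpEvent(*fields)


def detect(events):
    """Return findings as (time, kind, mac, detail) tuples.

    kinds:
      unsolicited-reply  reply with no matching request outstanding
      binding-changed    IP claimed by a MAC other than the first one seen
      mac-claims-many    one MAC asserting ownership of several IPs
    """
    baseline = {}                # ip -> first MAC seen (assumed known-good)
    claimed = defaultdict(set)   # mac -> IPs it has claimed
    pending = set()              # (asker_ip, asked_ip) awaiting a reply
    findings = []
    for ev in events:
        if ev.op == "request":
            pending.add((ev.sender_ip, ev.target_ip))
        elif (ev.target_ip, ev.sender_ip) in pending:
            pending.discard((ev.target_ip, ev.sender_ip))
        else:
            findings.append((ev.time, "unsolicited-reply", ev.sender_mac,
                             f"{ev.sender_ip} is-at {ev.sender_mac}"))
        # Requests and replies both carry the sender's IP-to-MAC binding.
        known = baseline.setdefault(ev.sender_ip, ev.sender_mac)
        if known != ev.sender_mac:
            findings.append((ev.time, "binding-changed", ev.sender_mac,
                             f"{ev.sender_ip}: {known} -> {ev.sender_mac}"))
        before = len(claimed[ev.sender_mac])
        claimed[ev.sender_mac].add(ev.sender_ip)
        if len(claimed[ev.sender_mac]) > max(before, 1):
            findings.append((ev.time, "mac-claims-many", ev.sender_mac,
                             ", ".join(sorted(claimed[ev.sender_mac]))))
    return findings


def suspected_interposers(findings):
    """MACs that claim more than one IP: the signature of a host placing
    itself between two endpoints."""
    return sorted({mac for _, kind, mac, _ in findings
                   if kind == "mac-claims-many"})


if __name__ == "__main__":
    results = detect(parse(SAMPLE_LOG))
    for time, kind, mac, detail in results:
        print(f"{time} {kind:18} {detail}")
    print("suspected interposers:", suspected_interposers(results))
```

On a control network with static addressing a changed binding is rare enough to alert on directly; a single hardware swap or failover will also trip it and has to be ruled out against change records.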
When considering the activities an
attacker will perform during a system
compromise, one key element is to
maintain covert activity and remove
evidence of the attack wherever
possible. Bearing in mind that cyber-
based attacks on control systems are
unique in that they are ‘digital’ attacks
that manifest themselves in ‘physical’
actions, manipulation of the operator’s
information is vital to the success of the
attack. Control of the information that is
accessible by the operator is required
to hide the attack. During the earlier
data capture phase of the attack, data
reflecting normal operations in the
control systems are harvested and can
be played back to the operator as
required. This will ensure that the
operator’s console will appear to be
normal and the attack will go
unobserved as the information
presented to the operator via the HMI.
12. The design of the BPA SCADA system
was undertaken by SC Scicon (a UK
company since acquired by EDS) with
support from BPA staff.
The solution was based on SetPoint Inc
SETCON process control software, a
proprietary product from SetPoint
headquartered in Houston, Texas,
(Since acquired by InfoPlus).
The core SCADA system was located
in Kingsbury, with six location systems
installed at the major plant sites along
the BPA pipeline, one of which was
Buncefield.
The SETCON software was hosted on
a DEC VAX with VMS operating
system. The interface to SETCON
processes was via another SETCON
product, SETCON GCS, a graphics-
based operator interface running on
IBM PCs. In addition to the core
pipeline SCADA system, additional BPA
pipeline specific applications were
written by SC Scicon in Fortran.
The DEC VAX was hosted on MicroVax
3500 as a hot standby pair with 4 IBM
PS/2 operator terminals. (Kingsbury)
At each location a MicroVaxII was
installed running SETCON with an
operator terminal and an associated
data acquisition system (DAS). The
DAS is based on an IBM PC.
The core SCADA supervisory system is
connected to each location system by a
point-to-point communications circuit.
Each circuit is implemented as an
analog leased line, with automatic dial-
up fallback. Supplementary dial-up
circuits are also provided.
BPA SCADA Functions
During normal operation, when the
pipeline is controlled by operators at the
supervisory system, each location DAS
acquires plant data twice a second and
passes them to its respective location
system, where it is used to update the
SETCON data base.
The core SCADA supervisory system
then receives sets of plant data from all
the location systems upwards of every 3
sec to give it a complete picture of the
state of the entire pipeline. The SCADA
and custom applications software in
every computer then acts on the data
held in its SETCON data base,
exchanging data with other computers
as required.
Should a location system fail, the local
DAS can bypass the location computer
and pass the plant data directly to the
core SCADA supervisory system, thus
enabling the operators to continue to
control the pipeline. The only
degradation suffered in this case is that
the automatic control facilities normally
performed by the location system are
not available. This could also be a
potential safety/security flaw in itself:
were, for example, the Buncefield SCADA
inoperable, would the Cobham High Level
Switch work as designed?
If for any reason the entire supervisory
system is unavailable, fallback operator
terminals are provided at Kingsbury for
the operators to log on to the location
systems via the supplementary dial-up
circuits.
The BPA SCADA Supervision Control System
13. This enables them to control the
location systems directly.
Under these circumstances, the events
and alarms detected by all the locations
systems are logged on a central printer.
The final fallback facility provided for
the operators is the ability to connect
directly to a DAS from a remote
terminal and to examine the plant
inputs and issue either single controls
or to execute predefined sequences of
controls.
This ability to connect directly to a DAS
from a remote terminal (one which
could potentially be controlled by an
external aggressor host) could provide
another mechanism to insert corrupt
data to send to the local and/or central
SCADA system, and issue spurious
control commands. The SCADA
interface itself could also be controlled
by a remote host to suppress
processes such as visual and audio
alarms. At Buncefield no alarms
were raised because, it is said, the TAV
gauge was stuck. An alternative
explanation could be that an attacker
either changed data readings of tank
levels and/or suppressed the SCADA
alarm processes, then covered their
tracks.
SC Scicon Provided SCADA
applications.
In addition to the “out of the box”
processes provided by SETCON, SC
Scicon wrote some custom functions for
BPA.
Of particular note is the Parcel Tracking
function.
The parcel-tracking function not only
provides graphical displays and reports
of the positions of parcels within the
pipeline system, but also monitors the
actual progress of the batches against
the schedule. It then warns the operator
of any potential mis-routings and of any
differences between scheduled and
actual movements, thereby reducing
the risk of erroneous movements.
When viewed against the 3rd Progress
Report findings on page 6, paragraph
20 of this paper, should the central
SCADA system have picked up the fact
that a parcel delivery had been vastly
increased in flow rate into tank 912? Or
was this function maliciously
suppressed?
The system went operational in late 1990,
well before the internet age, when
security against intruder penetration
was less of a consideration in
commercial operations than it is today.
By 2005 the business LAN and the control
system could well have been connected,
although even if they were not,
vulnerabilities in the DEC VAX
operating system could have left the
system open to attack from the outside
using well publicised hacking
techniques.
14. Conclusion:
The Buncefield investigation focused its attention overwhelmingly on the immediate blast
location, and suggested electro-mechanical failure, operator neglect and poor
testing procedures. In all probability, the investigation arrived at the
correct conclusion. However, should it in fact have focused more effort on examining the
Kingsbury SCADA system, local SCADA and ATG systems for signs of attack,
even if only to discount it? Failure to have done so must leave an element of
doubt in the investigation result, even if such an attack was highly improbable.
References:
The Buncefield Incident 11 December 2005: Volume 1; The final report of the Major
Incident Investigation Board ISBN 978 0 7176 6270 8 (2008)
The Buncefield Incident 11 December 2005 The final report of the Major Incident
Investigation Board Volume 2 ISBN 978-0-7176-6318-7 (2008)
The Buncefield Investigation: Third progress report
COMAH Control of Major Accident Hazards: Buncefield: Why did it happen?
(February 2011)
Identification of instrumented level detection and measurement systems used with
Buncefield in-scope substances Research Report 872 Health and Safety
Executive.
http://www.ogj.com/articles/print/volume-90/issue-13/in-this-issue/general-interest/uk-pr
: Oil and Gas Journal 30/03/1992
Beginners Guide to VAX/VMS Hacking: ENTITY / Corrupt Computing Canada (c)
September 1989
The High Court Of Justice Queen's Bench Division Commercial Court: Case No:
2007 FOLIO NO 1057 ; 20/03/2009 Mr Justice David Steel : Colour Quest Limited
And Others( Claimants)
- And -
(1) Total Downstream UK PLC
(2) Total Uk Limited
(3) Hertfordshire Oil Storage (Defendants)