An alternative analysis of the conclusions of the official investigation into the cause of the Buncefield explosion.
Andrew Coakley
June 2015
Buncefield Aftermath
Buncefield – Accident or Cyber Warfare?
Executive Summary
The official investigation into the Oil
Storage Tank explosion at Buncefield
near Hemel Hempstead on 11th
December 2005 finally concluded with
the release of a report in February
2011 by the Control of Major Accident
Hazards (COMAH) from the Health
and Safety Executive (HSE),
Environment Agency, and Scottish
Environment Protection Agency
(SEPA) titled “Buncefield – Why did it
happen?”
The report summarised the findings of the Major Incident Investigation Board (MIIB), which was set up to investigate the Buncefield explosion, completed its work in 2008 and published its final report, “The final report of the Major Incident Investigation Board”.
The COMAH report also sought to
bring all of this information together
so that everyone in major hazard
industries – not just those involved in
fuel storage – can learn from this
incident, understand what went
wrong, and take away lessons that
are relevant to them.
The reports published and in the public domain seek to attribute the root cause failures that led directly to the explosion. These findings are based upon methodical investigation by the MIIB and have found:
• Management failings;
• Operational failings, including:
  • Inadequate documentation;
  • Confused reporting;
  • Human operator overload;
  • Inadequate maintenance;
and, as the root cause, safety system failure: the failure of the systems meant to eliminate the possibility of storage tank overflow through a combination of manual and automatic shutdown procedures. Specifically, the investigation concluded that the following had failed:
• Automated Tank Gauging system (ATG); and
• Independent High Level Switch (IHLS).
Both of these systems were meant to provide alerts and data to the control room SCADA monitoring and process control system. The investigators' conclusions are based on a mix of hypotheses formulated on previous events, interviews with key personnel, and some data readings from the SCADA and ATG databases.
As we shall see, the investigators based their conclusions on potentially flawed assumptions. If the same events are read against alternative assumptions, could alternative conclusions be drawn that suggest the possibility of a cyber warfare attack on the UK Critical National Infrastructure?
A report published by the US Department of
Homeland Security (DoHS) Control
Systems Security Centre in November
2005, a month before the Buncefield
explosion, provided an analysis of how such
systems are vulnerable to Cyber attack.
None of the officially documented reports
considered or investigated the potential
possibility of a Cyber attack on the control
systems in use at Kingsbury and Buncefield
as detailed in the DoHS study. This paper
considers that possibility.
The Official Buncefield Reports, Evidence,
Assumptions and Conclusions
The official investigation into the
Oil Storage Tank explosion at
Buncefield near Hemel
Hempstead on 11th December
2005 finally concluded with the
release of a report in February
2011 by the Control of Major
Accident Hazards (COMAH) from
the Health and Safety Executive
(HSE), Environment Agency, and
Scottish Environment Protection
Agency (SEPA) titled “Buncefield
– Why did it happen?”
This report by COMAH summarised the findings of the Major Incident Investigation Board (MIIB), which was set up to investigate the Buncefield explosion, completed its work in 2008 and published its final report, “The final report of the Major Incident Investigation Board”.
The COMAH report also sought to
bring other information together so
that everyone in major hazard
industries – not just those involved
in fuel storage – can learn from
this incident, understand what
went wrong, and take away
lessons that are relevant to them.
In addition, the COMAH report detailed the outcomes of the criminal prosecution into the incident and said that when passing sentence on the defendants at St Albans Crown Court on 16 July 2010, the Judge, the Hon Mr Justice Calvert-Smith, commented that cost cutting per se was not put forward as a major feature of the prosecution case, but the failings had more to do with slackness, inefficiency and a more-or-less complacent approach to matters of safety.
He did not specifically mention or
consider any evidence (because
none was put to him) that
extended to the safety of
protecting critical safety systems
from malicious penetration of the
systems that could mean control of
the systems passed to external
enemies or other organisations
intent on inflicting damage to the
UK Critical National Infrastructure.
This can only be because no
evidence or investigation was ever
considered by the investigating
authorities.
HSE Report rr872
In its research report rr872 the HSE
states “The MIIB has officially stated
that the reason the overfill occurred
was because the level measurement
gauge on the tank did not alter in a
three-hour period, despite the fact it
was being continuously fed unleaded
petrol via a pipeline from the Lindsey
Oil Refinery in Lincolnshire.
The third progress report as presented
in The Buncefield Incident 11
December 2005, The Final Report of
the Major Incident Investigation Board,
Volume 2, stated that findings of the
investigation into the instrumentation
and controls confirmed this.
It emphasised that in the three-hour
period prior to the incident, the level
gauge of this tank remained static,
despite there being a continuous
transfer to it.
This loss of containment (LOC) incident
was in part due to shortcomings in the
control and instrumentation, and in
particular the failings of the tank
gauging system in place on the tank
that monitored the level of fuel stored in
that tank.”
The report provides a very comprehensive exposé of the various types of mechanical and electrical systems available for storage tanks in the UK and beyond.
It closes on page 33, at section 6.2.3, with a brief discussion of communication system software, where it states that the most common software used to bring information from tanks to the control room was ENRAF. ENRAF is a Honeywell Inc product prevalent in the market. The report, however, whilst acknowledging complexity, provides no thought or guidance as to its potential vulnerabilities to information corruption or usurpation. The core solution at Buncefield was TAV for the Servo Gauge and Cobham for the High Level Switch (HLS).
Nowhere in the HSE report is system
security considered as a factor for HSE
concern, in spite of the fact that it is the
rules within the system software that
determine whether an alarm is
triggered, and the vulnerabilities of
such systems to malicious penetration
are now well publicised.
3rd Progress Report – Instrumentation and Control Systems.
At section 1.3 of the 3rd Progress Report, titled “Instrumentation and control systems”, a narrative is provided about the control SCADA system in use; it is worth noting what was said:-
“13 Tank 912 was fitted with instrumentation that (among other things) measured and monitored levels and temperatures of the liquid in the tank. The instruments were connected to an automatic tank gauging (ATG) system in common with all the other tanks on the site. Tank levels were normally controlled from a control room using the ATG system.
14 A servo level gauge measured the
liquid level. The temperature of liquid
in Tank 912 was measured using a
temperature sensor.
15 The ATG system enabled the operator to monitor levels, temperatures and tank valve positions, and to initiate the remote operation of valves, all from the control room on the HOSL West site. The ATG system was also able to trend data and had an event logging system, integrated with the alarm system. The ATG contained a large database which recorded levels, temperatures, alarms, valve positions, and other related information indexed against times and dates for a user-configurable period which can be several months.
The records from this database are
providing valuable information for the
investigation.
16 The tank also had an independent
safety switch, which provided the
operator with a visual and audible alarm
in the control room when the level of
liquid in the tank reached its specified
maximum level (the ‘ultimate’ high level).
This alarm also initiated a trip function to
close valves on relevant incoming
pipelines. The ultimate high level safety
switch on the tank sensed when the
liquid reached its specified maximum
level, should all other alarms and
controls fail to prevent this. Its purpose
was to provide an alarm to operators in
the control room and to initiate
automatic shutdown of delivery once the
maximum level was reached. The switch
was intended to alert the control room
operator via a flashing lamp (one for
each tank) and an audible buzzer. In
addition, the ultimate high level safety
switch alarm signal from any overflowing
tank in HOSL West would be sent to
computer control and instrumentation
relating to both the FinaLine and BPA
pipelines.
Of interest here is that the database mentioned in section 15 is never referred to in any of the other documents, except in Mr Justice Steel's summation, where expert evidence was provided by Samuel Sudler of Total and Dr Harri Kytomaa, a mechanical engineering specialist. What that evidence was is not explained.
3rd Progress Report – Instrumentation and Control
Systems Cont.
“19 Examination of the records for Tank
912 from the ATG system suggest an
anomaly. A little after 03.00 on 11
December, the ATG system indicated
that the level remained static at about
two thirds full. This was below the level
at which the ATG system would trigger
alarms.
20 However, the printouts from the BPA
SCADA systems indicate that the T/K
South line was delivering a batch of
8400 m3 of unleaded petrol, starting
around 19.00 the previous evening (10
December). The delivery was being
split between Tank 912 at the HOSL
West site and BPA’s site at Kingsbury,
giving a flow rate to Tank 912 of around
550 m3/hour. These SCADA printouts
further indicate that approximately
seven minutes before the incident, the
Kingsbury line was closed, leading to a
sharp increase in the flow rate to Tank
912 to around 890 m3/hour.
21 At the time of the incident, automatic
shutdown did not take place.
22 Examination of the valve positions
shown by the ATG database confirm
that the inlet valve to Tank 912, which
was connected to the BPA petrol
manifold, was open at the time of the
incident. Based on this evidence, it is
concluded that Tank 912 was still filling
after 03.00.
17 When the BPA site received an
alarm/trip signal from the HOSL
West site, the BPA computer
control system should have closed
the relevant pipeline manifold
valve feeding in product to the
tank(s) on the HOSL West site.
BPA also had a high-level
supervisory control and data
acquisition (SCADA) system,
which had the facility for alarm and
event logging both locally at
Buncefield and remotely at the
BPA control centre at Kingsbury,
Warwickshire.
18 An override keyswitch in the
HOSL West control room could be
used to inhibit the alarm/trip signal
to BPA during testing of the
ultimate high level safety switches.
Putting the keyswitch in the
override position would illuminate
a red lamp on the annunciator
panel.”
This then should have been the
process of control for managing
tanks and associated alarms. The
report in the next section 1.4
discusses the resulting evidence
from those control systems as
follows:-
3rd Progress Report – Instrumentation and Control
Systems Cont.
“23 Temperature records also provide
evidence that the inflowing fuel was
warmer than the tank contents.
Records for Tank 912 show the tank
temperature continuing to rise after
03.00, supporting the above conclusion
that the product was still feeding into
the tank from the pipeline.
24 The evidence to date is consistent
with continued filling of Tank 912 after
03.00, despite the ATG system showing
a static level reading. On the basis of
calculations, Tank 912 would have
been completely full at approximately
05.20, overflowing thereafter. This
timing is entirely consistent with CCTV
evidence and eyewitness accounts
reporting on a dense vapour cloud at
various times between 05.38 and
06.00. The overflow of unleaded petrol
would therefore have been in the order
of over 300 tonnes by 06.00.
25 Simulation of the ultimate high level
tank alarms (from the relevant electrical
substation on site) and tests on the
annunciator panel and the link to BPA
prove that they worked normally. Tests
on the override switch found that it had
no effect on the audible and visual
alarms from the annunciator, but it did,
when switched to override, inhibit the
alarm/trip signals being sent to BPA.
26 Information from the BPA SCADA
system indicates that no ultimate high
level alarm was received from HOSL
West, but it has not been possible to
test the ultimate high level safety switch
or intervening wiring between Tank 912
and the substation, as they have been
damaged in the fire. However, the
switch has very recently been
located, but it has not yet been
possible to recover it. When it is, it
will be subject to forensic
examination.”
No evidence of, or follow-up to, this forensic examination has been found in the reports, so the validity of the assumption regarding the operating condition of the high level switch cannot be determined. The reports indicate that the switch was not padlocked in position following a recent test; however, the forensic examination report does not appear anywhere.
Alternative Assumptions for Consideration
The official investigation of the Buncefield explosion is predicated on the failure of 3 independent electromechanical and IT systems built to Safety Impact Level (SIL) standards. It is by and large built upon the assumptions that:
1. The servo level gauge became stuck and continued to send incorrect data to the TAV ATG system, showing a static level of tank 912 contents; it is assumed the ATG system was immune from attack;
2. The HLS failed to function correctly – however, the forensic analysis of the switch has not been published in the reports, so what if it did work correctly mechanically?
3. The SCADA systems in use at Kingsbury and HOSL were secure and immune from cyber attacks; however, if the Servo Level Gauge and HLS did actually work correctly, one or more of the SCADA systems and/or the ATG data must have been compromised.
But how could this have happened?
In a report published in November 2005
entitled “Common Control System
Vulnerability” the Control Systems
Security Center (CSSC) and National
SCADA Test Bed (NSTB) programs on
behalf of the US Department of
Homeland Security advised they had
discovered a vulnerability common to
control systems in all sectors that
allows an attacker to penetrate most
control systems, spoof the operator,
and gain full control of targeted system
elements. This vulnerability has been
identified on several systems that have
been evaluated at Idaho National
Laboratory, and in each case a 100%
success rate of completing the attack
paths that lead to full system
compromise was observed. Since
these systems are employed in multiple
critical infrastructure sectors, this
vulnerability is deemed common to
control systems in all sectors.
The following information is taken from
the DoHS report.
Usually, such penetration attacks follow
a phased approach including
reconnaissance, traffic analysis,
profiling of vulnerabilities, launching
attacks, escalating privilege,
maintaining access, and covering
evidence.
Once the attacker gains access to the
control network through vulnerabilities
in the business LAN, another phase of
reconnaissance begins with traffic
analysis within the control domain.
Thus, the communications between the
workstations and the field device
controllers can be monitored and
evaluated, allowing an attacker to
capture, analyse, and evaluate the
commands sent among the control
equipment. Through manipulation of
the communication protocols of control
systems an attacker can then map out
the control system processes and
functions. With the detailed knowledge
of how the control data functions, as
well as what computers and devices
communicate using this data,
the attacker can use a well known Man-
in-the-Middle attack to perform
malicious operations virtually
undetected and gain full control of
targeted system elements.
This method was used by INL to gather
enough information about the system to
craft an attack that intercepts and
changes the information flow between
the end devices (controllers) and the
human machine interface (HMI and/or
workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator’s console to give false information of the state of the system (known as “spoofing”).
This clearly has the potential to form the basis of an attack at Kingsbury Central SCADA and hence on Buncefield, whereby the ATG system could have been corrupted and false data inserted into network traffic to spoof the SCADA system into believing the tank 912 contents were less than they really were, suppressing any alarms to the SCADA control systems at Buncefield and hence Kingsbury.
Network Reconnaissance and Data
Gathering
Once access has been obtained on the
control system network, be it via the
business LAN or some other plausible
attack vector (vendor channel, wireless,
dial-in access, etc), network
reconnaissance is used to gather the
information required to develop a plan
of attack. By passively scanning,
listening, and gathering communication
traffic (i.e., protocols), the attacker is
able to obtain an initial inventory
regarding the architecture components
in the control network, as well as direct
insight into the communications used
by the control devices on the network.
After enough information has been
gathered, the attacker can begin
decoding and assessing the system
information flow. This process of
passively listening to network traffic is
often referred to as ‘sniffing’.
In order to communicate with the end-
point field devices, the application
always communicated directly with the
device-specific controllers. This
identified a critical path on the flow of
system information between the
controllers and/or field devices and the
workstation. Decoding the
communications within this flow of
information is the key to understanding
the system and more importantly,
verifying targets on the control network.
In order to break the communication
layer, the control network traffic had to
be monitored and dissected to develop
a greater understanding of how the
components communicate.
Alternative Assumptions for Consideration (cont)
At Buncefield the SCADA system is
connected to each location system by a
point-to-point communications circuit.
Each circuit is implemented as an
analog leased line, with automatic dial-
up fallback. Supplementary dial-up
circuits are also provided. This could
represent a security flaw giving an
attacker potential network access
via a modem dial in.
Reverse Engineering
To reverse engineer a protocol,
communication packets are captured
by the attacker using the compromised
machine on the control network and
dissected to identify the inner working
of the communications. Each packet
contains all the required components to
operate and control the field devices.
The critical aspect of each protocol is to
understand how the packet is put
together and identify which pieces (bits)
within the packet are the commands for
controlling the equipment. These
pieces are identified through reverse
engineering of the protocol, which
allows the attacker the ability to
manipulate each packet as required.
Because control systems were historically “closed”, data sent to and from control devices and to the operator consoles was usually considered valid. Each control system network component could theoretically communicate with any other component without any verification of sender or receiver. Such trust has obvious implications were these systems to be penetrated: new data, with possibly harmful instructions, would be accepted by the target resource and the command would be executed. This is known as a “replay attack”.
The final task of successfully inserting
the modified rogue traffic into the data
stream requires that the information
flow be uninterrupted.
In order to use the information and
insert the modified packets into the
information flow, a Man-in-the-Middle
attack must be carried out.
Man-in-the-Middle Attack
A Man-in-the-Middle attack requires the use of the address resolution protocol (ARP) and an in-depth understanding of the protocol to be manipulated (in the Buncefield case this would be the TAV ATG system protocols, Allen Bradley PLCs and I/Os). The ARP Man-in-the-Middle attack is a popular method used by an attacker to gain access to the network flow of information on a target system. This is done by attacking the network ARP cache tables of the controller and the workstation machines. Using the compromised computer on the control network, the attacker poisons the ARP tables on each host and informs them that they must route all their traffic through a specific internet protocol (IP) and hardware address (i.e., the attacker’s machine). By manipulating the ARP tables, the attacker can insert his machine between the two target machines and/or devices.
The Man-in-the-Middle attack works by
initiating gratuitous ARP commands to
confuse each host (referred to as ARP
poisoning). These ARP commands
cause each of the two target hosts to
use the Media Access Control (MAC)
address of the attacker as the address
for the other target host. When a
successful Man-in-the-Middle attack is
performed, the hosts on each side of
the attack are unaware that their
network data is taking a different route
through the attacker’s computer. The
attacker’s computer then needs to
forward all packets to the intended host
so the connection stays in sync and
does not time out. Figure 1 illustrates a
typical Man-in-the-Middle attack in the
Buncefield scenario.
Figure 1. Man in the Middle
The Man-in-the-Middle attack is
effective against any switched network
because it effectively puts the
attacker’s computer between the two
hosts. This means the hosts send their
data to the attacker’s computer,
thinking it is the host to which they
intended to send the data. After the
ARP tables on both target hosts have
been successfully poisoned, the
program shuttles packets back and
forth between the target hosts.
This ensures that all of the current
applications on the target hosts will
continue to work properly. During the
shuttling process, every packet
destined for either target host is
processed through the attacker’s
machine and can be manipulated
(packet crafting) to send specific
commands to each host. In the case of
Buncefield, this meant that the ATG
system traffic could have been
intercepted and replaced with tank level
data that did not change even though
the actual tank level was rising.
The ATG system in the control room
would show a consistent level measure,
which is in fact what happened.
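The rebinding just described leaves a footprint on the wire that a defender can watch for. The following is an added example, not code from this paper or from the DHS report it quotes: a small ARP-binding monitor that learns (or is seeded with) the IP-to-MAC table of a control segment and raises an alert when a protected host's address moves to a different MAC, or when a single MAC starts answering for more than one protected host, which is exactly what poisoning both the HMI and the controller produces. The addresses and the sequence of ARP replies are constructed sample events, not captured traffic.

```python
"""ARP-binding monitor for a control network segment.

Added example, not from the paper or the DHS report it quotes. The
monitor keeps its own IP-to-MAC table for the segment, learned from the
ARP replies it sees or seeded from an inventory, and alerts on the two
traces that poisoning both ends of an HMI-to-controller link leaves:
a protected host's address moving to another MAC, and one MAC answering
for more than one protected host. Addresses and replies are CONSTRUCTED.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire: 'sender_ip is at sender_mac'."""
    ts: float          # seconds since the capture started
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str          # "mac-changed" or "mac-claims-multiple-protected-ips"
    subject: str       # the IP or MAC the alert is about
    detail: str


class ArpMonitor:
    """Independent IP-to-MAC table with alerts on rebinding of protected hosts."""

    def __init__(self, protected_ips, pinned=None):
        self.protected = set(protected_ips)            # HMI and controller addresses
        # Seed from the engineering inventory when one exists, otherwise learn.
        self.bindings = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            self.ips_by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, reply):
        """Record one ARP reply and return the alerts (possibly none) it raised."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        raised = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac                    # first sighting: learn it
        elif known != mac:
            raised.append(Alert(reply.ts, "mac-changed", ip,
                                f"{ip} was at {known}, now claimed by {mac}"))
        before = len(self.ips_by_mac[mac] & self.protected)
        self.ips_by_mac[mac].add(ip)
        claimed = self.ips_by_mac[mac] & self.protected
        if len(claimed) > 1 and len(claimed) > before:   # alert once per new claim
            raised.append(Alert(reply.ts, "mac-claims-multiple-protected-ips", mac,
                                f"{mac} answers for {sorted(claimed)}"))
        self.alerts.extend(raised)
        return raised


# --- constructed sample events ------------------------------------------------
HMI, PLC = "10.1.0.10", "10.1.0.20"                   # constructed addresses
CONSTRUCTED_REPLIES = [
    ArpReply(0.0, HMI, "aa:aa:aa:aa:aa:10"),          # normal: HMI announces itself
    ArpReply(0.0, PLC, "aa:aa:aa:aa:aa:20"),          # normal: controller does too
    ArpReply(1.0, "10.1.0.99", "cc:cc:cc:cc:cc:99"),  # a third host on the segment
    ArpReply(60.0, PLC, "cc:cc:cc:cc:cc:99"),         # third host now answers for the PLC
    ArpReply(60.1, HMI, "cc:cc:cc:cc:cc:99"),         # ... and for the HMI: both ends rebound
]


def run_demo():
    """Feed the constructed replies through a monitor; return the alerts raised."""
    monitor = ArpMonitor(protected_ips=[HMI, PLC])
    for reply in CONSTRUCTED_REPLIES:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"t={alert.ts:6.1f} {alert.kind}: {alert.detail}")
```

Such a monitor has to see the segment's traffic (a mirror port on the control switch) rather than sit on one host, because the poisoned hosts themselves see nothing wrong. Seeding it with a pinned table from the engineering inventory, and configuring static ARP entries for the HMI and controller on the hosts themselves, is the matching mitigation: a pinned binding does not move, so a rebinding reply is both ineffective on most stacks and immediately visible to the monitor.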
When considering the activities an attacker will perform during a system compromise, one key element is to maintain covert activity and remove evidence of the attack wherever possible. Bearing in mind that cyber-based attacks on control systems are unique in that they are ‘digital’ attacks that manifest themselves in ‘physical’ actions, manipulation of the operator’s information is vital to the success of the attack. Control of the information that is accessible by the operator is required to hide the attack. During the earlier data capture phase of the attack, data reflecting normal operations in the control systems are harvested and can be played back to the operator as required. This ensures that the operator’s console appears normal and the attack goes unobserved in the information presented to the operator via the HMI.
The design of the BPA SCADA system
was undertaken by SC Scicon (a UK
company since acquired by EDS) with
support from BPA staff.
The solution was based on SetPoint Inc
SETCON process control software, a
proprietary product from SetPoint
headquartered in Houston, Texas,
(Since acquired by InfoPlus).
The core SCADA system was located in Kingsbury, with six location systems installed at the major plant sites along the BPA pipeline, one of which was Buncefield.
The SETCON software was hosted on a DEC VAX with the VMS operating system. The interface to SETCON processes was via another SETCON product, SETCON GCS, a graphics-based operator interface running on IBM PCs. In addition to the core pipeline SCADA system, additional BPA pipeline-specific applications were written by SC Scicon in Fortran.
The DEC VAX was hosted on a MicroVAX 3500 as a hot standby pair with 4 IBM PS/2 operator terminals (Kingsbury).
At each location a MicroVAX II was installed running SETCON with an operator terminal and an associated data acquisition system (DAS). The DAS is based on an IBM PC.
The core SCADA supervisory system is
connected to each location system by a
point-to-point communications circuit.
Each circuit is implemented as an
analog leased line, with automatic dial-
up fallback. Supplementary dial-up
circuits are also provided.
BPA SCADA Functions
During normal operation, when the pipeline is controlled by operators at the supervisory system, each location DAS acquires plant data twice a second and passes them to its respective location system, where they are used to update the SETCON database.
The core SCADA supervisory system then receives sets of plant data from all the location systems upwards of every 3 sec to give it a complete picture of the state of the entire pipeline. The SCADA and custom applications software in every computer then acts on the data held in its SETCON database, exchanging data with other computers as required.
Should a location system fail, the local DAS can bypass the location computer and pass the plant data directly to the core SCADA supervisory system, thus enabling the operators to continue to control the pipeline. The only degradation suffered in this case is that the automatic control facilities normally performed by the location system are not available. This could also be a potential safety/security flaw in itself: were, for example, the Buncefield SCADA inoperable, would the Cobham High Level Switch work as designed?
The BPA SCADA Supervision Control System
If for any reason the entire supervisory system is unavailable, fallback operator terminals are provided at Kingsbury for the operators to log on to the location systems via the supplementary dial-up circuits. This enables them to control the location systems directly.
Under these circumstances, the events
and alarms detected by all the locations
systems are logged on a central printer.
The final fallback facility provided for
the operators is the ability to connect
directly to a DAS from a remote
terminal and to examine the plant
inputs and issue either single controls
or to execute predefined sequences of
controls.
This ability to connect directly to a DAS from a remote terminal (one which could potentially be controlled by an external aggressor host) could provide another mechanism to insert corrupt data to send to the local and/or central SCADA system, and to issue spurious control commands. The SCADA interface itself could also be controlled by a remote host to suppress processes such as visual and audio alarms. At Buncefield no alarms were raised because, it is said, the TAV gauge was stuck; an alternative explanation could be that an attacker either changed the data readings of tank levels and/or suppressed the SCADA alarm processes, then covered their tracks.
SC Scicon Provided SCADA
applications.
In addition to the “out of the box” processes provided by SETCON, SC Scicon wrote some custom functions for BPA.
Of particular note is the Parcel Tracking
function.
The parcel-tracking function not only
provides graphical displays and reports
of the positions of parcels within the
pipeline system, but also monitors the
actual progress of the batches against
the schedule. It then warns the operator
of any potential mis-routings and of any
differences between scheduled and
actual movements, thereby reducing
the risk of erroneous movements.
When viewed against the 3rd Progress
Report findings on page 6, paragraph
20 of this paper, should the central
SCADA system have picked up the fact
that a parcel delivery had been vastly
increased in flow rate into tank 912? Or
was this function maliciously
suppressed?
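Paragraphs 20, 22 and 24 of the 3rd Progress Report quoted earlier, and the parcel-tracking question just asked, both come down to one cross-check: the pipeline SCADA's delivered flow and the tank's ATG level are two independent measurements of the same quantity, and a mass balance between them exposes a level that stops changing whether the gauge is stuck or the reading is being spoofed. The following is an added example, not code from this paper or from any of the reports it cites. It runs three checks over constructed sample data: reconciliation of each change in ATG-reported volume against the volume delivered according to the flow records; a schedule-deviation alarm of the kind the parcel-tracking function is described as providing; and a projection of when the tank would reach capacity from the last trusted reading, which is the calculation the investigators made. The flow rates (550 and 890 m3/h), the batch timing and the time at which the level stops changing follow the figures quoted from the report; the tank capacity, the hourly ATG volumes and the scheduled rate are constructed assumptions, since Tank 912's capacity is not given on the page.

```python
"""Plausibility checks for a tank-gauging reading.

Added example, not from the paper or the reports it cites. The pipeline
SCADA's flow records and the tank's ATG level readings are compared with
each other; a static ATG reading fails the comparison whether the servo
gauge is stuck or the reading is being spoofed. All data below are
CONSTRUCTED sample values shaped like the figures quoted from the 3rd
Progress Report; the tank capacity and scheduled rate are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FlowSegment:
    """A period of constant delivery rate into the tank, per pipeline SCADA."""
    start: datetime
    end: datetime
    rate_m3_per_h: float


def delivered_volume(flows, since, until):
    """Volume (m3) the flow records say entered the tank between since and until."""
    total = 0.0
    for seg in flows:
        lo, hi = max(seg.start, since), min(seg.end, until)
        if hi > lo:
            total += seg.rate_m3_per_h * (hi - lo).total_seconds() / 3600.0
    return total


def reconcile_levels(atg_readings, flows, tolerance_m3):
    """Mass balance: compare each change in ATG-reported volume with delivered volume.

    atg_readings is a list of (timestamp, volume_m3) as shown on the console.
    Returns one alert per interval where the two disagree by more than tolerance_m3.
    """
    alerts = []
    for (t0, v0), (t1, v1) in zip(atg_readings, atg_readings[1:]):
        expected = delivered_volume(flows, t0, t1)
        observed = v1 - v0
        if abs(expected - observed) > tolerance_m3:
            alerts.append({"at": t1, "expected_m3": round(expected, 1),
                           "observed_m3": round(observed, 1)})
    return alerts


def rate_deviations(flows, scheduled_rate_m3_per_h, max_fraction):
    """Schedule check: flow segments whose rate departs from the parcel schedule
    by more than max_fraction (0.10 means ten percent)."""
    return [seg for seg in flows
            if abs(seg.rate_m3_per_h - scheduled_rate_m3_per_h)
            / scheduled_rate_m3_per_h > max_fraction]


def projected_full_time(last_trusted_time, last_trusted_volume_m3, capacity_m3, flows):
    """Walk the flow records forward from the last trusted reading and return the
    moment the tank reaches capacity, or None if the recorded flow never fills it."""
    remaining = capacity_m3 - last_trusted_volume_m3
    for seg in sorted(flows, key=lambda s: s.start):
        lo = max(seg.start, last_trusted_time)
        if seg.end <= lo or seg.rate_m3_per_h <= 0:
            continue
        seg_volume = seg.rate_m3_per_h * (seg.end - lo).total_seconds() / 3600.0
        if seg_volume >= remaining:
            return lo + timedelta(hours=remaining / seg.rate_m3_per_h)
        remaining -= seg_volume
    return None


# --- constructed sample data --------------------------------------------------
D10, D11 = datetime(2005, 12, 10), datetime(2005, 12, 11)
CONSTRUCTED_FLOWS = [
    # batch into Tank 912 from about 19:00 on 10 December at ~550 m3/h ...
    FlowSegment(D10.replace(hour=19), D11.replace(hour=5, minute=54), 550.0),
    # ... rising to ~890 m3/h for the last minutes after the Kingsbury line closed
    FlowSegment(D11.replace(hour=5, minute=54), D11.replace(hour=6, minute=1), 890.0),
]
TANK_CAPACITY_M3 = 3850.0  # assumption; the real capacity of Tank 912 is not on the page
CONSTRUCTED_ATG = [        # (time, reported volume m3); constructed, hourly
    (D11.replace(hour=1), 1467.0),
    (D11.replace(hour=2), 2017.0),
    (D11.replace(hour=3), 2567.0),  # about two thirds of the constructed capacity
    (D11.replace(hour=4), 2567.0),  # reading stops changing after 03:00
    (D11.replace(hour=5), 2567.0),
    (D11.replace(hour=6), 2567.0),
]


def run_checks():
    """Run all three checks on the constructed data and return their results."""
    return {
        "level_alerts": reconcile_levels(CONSTRUCTED_ATG, CONSTRUCTED_FLOWS, tolerance_m3=50.0),
        "rate_alerts": rate_deviations(CONSTRUCTED_FLOWS, 550.0, max_fraction=0.10),
        "full_at": projected_full_time(D11.replace(hour=3), 2567.0,
                                       TANK_CAPACITY_M3, CONSTRUCTED_FLOWS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The point of the design is independence of evidence: the reconciliation uses the pipeline operator's flow records, which the tank-side ATG data path never touches, so an attacker who only spoofs the ATG stream (or a gauge that only sticks) produces a growing discrepancy from the first hour of the static reading, and the schedule check flags the late rate increase regardless of what the level reads. The projection is useful the other way round: once the ATG reading is distrusted, it says how much time remains before an overflow, which is the figure an operator needs to act on.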
The system went operational in late 1990, well before the internet age, when security against intruder penetration was less of a consideration in commercial operations than it is today. By 2005 the business LAN and the control system could well have been connected; even if they were not, vulnerabilities in the DEC VAX operating system could have left the system open to attack from the outside using well publicised hacking techniques.
Conclusion:
The Buncefield investigation focused its attention by far on the immediate blast location, and suggested electro-mechanical failure, operator neglect and poor testing procedures. In all probability, the results of the investigation arrived at the correct conclusion. However, should it in fact have focused more effort on the Kingsbury SCADA system and the local SCADA and ATG systems for signs of attack, even if only to discount it? Failure to have done so must leave an element of doubt in the investigation result, even if such an attack was highly improbable.
References:
The Buncefield Incident 11 December 2005: Volume 1; The final report of the Major Incident Investigation Board. ISBN 978 0 7176 6270 8 (2008).
The Buncefield Incident 11 December 2005: Volume 2; The final report of the Major Incident Investigation Board. ISBN 978-0-7176-6318-7 (2008).
The Buncefield Investigation: Third progress report.
COMAH (Control of Major Accident Hazards): Buncefield: Why did it happen? (February 2011).
Identification of instrumented level detection and measurement systems used with Buncefield in-scope substances. Research Report 872, Health and Safety Executive.
http://www.ogj.com/articles/print/volume-90/issue-13/in-this-issue/general-interest/uk-pr : Oil and Gas Journal, 30/03/1992.
Beginners Guide to VAX/VMS Hacking: ENTITY / Corrupt Computing Canada (c) September 1989.
The High Court of Justice, Queen's Bench Division, Commercial Court: Case No: 2007 FOLIO NO 1057; 20/03/2009, Mr Justice David Steel: Colour Quest Limited and Others (Claimants) – and – (1) Total Downstream UK PLC, (2) Total UK Limited, (3) Hertfordshire Oil Storage (Defendants).

Buncefield Explosion

  • 1. An alternative analysis of theAn alternative analysis of the conclusions of the official investigationconclusions of the official investigation in to the cause of the Buncefieldin to the cause of the Buncefield explosion.explosion. Andrew Coakley June 2015 Buncefield Aftermath Buncefield – Accident orCyberWarfare?
  • 2. Executive Summary The official investigation into the Oil Storage Tank explosion at Buncefield near Hemel Hempstead on 11th December 2005 finally concluded with the release of a report in February 2011 by the Control of Major Accident Hazards (COMAH) from the Health and Safety Executive (HSE), Environment Agency, and Scottish Environment Protection Agency (SEPA) titled “Buncefield – Why did it happen?” The report summarised the findings of The Major Incident Investigation Board (MIIB), set up to investigate the Buncefield explosion and whose work was completed in 2008 and published its final report “The final report of the Major Incident Investigation Board” The COMAH report also sought to bring all of this information together so that everyone in major hazard industries – not just those involved in fuel storage – can learn from this incident, understand what went wrong, and take away lessons that are relevant to them. The reports published and in the public domain seek to attribute root cause failures that led directly to the explosion. These findings are based upon methodical investigation by MIB and have found: • Management failings; • Operational failings including; • Inadequate documentation; • Confused reporting; •Human Operator Overload; •Inadequate Maintenance; and as the root cause, safety system failure, of systems meant to eliminate the possibility of Storage Tank Overflow through the combination of manual and automatic shutdown procedures, specifically the investigation concluded the failure of: • Automated Tank Gauging system (ATG) and • Independent High Level Switch (IHLS) Both of these systems were meant to provide alerts and data to the control room SCADA monitoring and process control system. The investigators conclusions are based on a mix of hypothesis formulated on previous events, interviews with key personnel, and some data readings from the SCADA and ATG databases. 
As we shall see, the investigators based their conclusions on potentially flawed assumptions, what if using the events to draw on alternative assumptions, could alternative conclusions be drawn that might suggest the potential of a Cyber warfare attack on the UK Critical National Infrastructure? A report published by the US Department of Homeland Security (DoHS) Control Systems Security Centre in November 2005, a month before the Buncefield explosion, provided an analysis of how such systems are vulnerable to Cyber attack. None of the officially documented reports considered or investigated the potential possibility of a Cyber attack on the control systems in use at Kingsbury and Buncefield as detailed in the DoHS study. This paper considers that possibility.
  • 3. The Official Buncefield Reports, Evidence, Assumptions and Conclusions The official investigation into the Oil Storage Tank explosion at Buncefield near Hemel Hempstead on 11th December 2005 finally concluded with the release of a report in February 2011 by the Control of Major Accident Hazards (COMAH) from the Health and Safety Executive (HSE), Environment Agency, and Scottish Environment Protection Agency (SEPA) titled “Buncefield – Why did it happen?” This report by COMAH summarised the findings of The Major Incident Investigation Board (MIIB), set up to investigate the Buncefield explosion and whose work was completed in 2008 and published its final report “The final report of the Major Incident Investigation Board” The COMAH report also sought to bring other information together so that everyone in major hazard industries – not just those involved in fuel storage – can learn from this incident, understand what went wrong, and take away lessons that are relevant to them. In addition, the COMAH report detailed the outcomes of criminal prosecution into the incident and said that when passing sentence on the defendants at St Albans Crown Court on 16 July 2010, the Judge, the Hon Mr Justice Calvert-Smith, commented that cost cutting per se was not put forward as a major feature of the prosecution case, but the failings had more to do with slackness, inefficiency and a more-or-less complacent approach to matters of safety. He did not specifically mention or consider any evidence (because none was put to him) that extended to the safety of protecting critical safety systems from malicious penetration of the systems that could mean control of the systems passed to external enemies or other organisations intent on inflicting damage to the UK Critical National Infrastructure. This can only be because no evidence or investigation was ever considered by the investigating authorities.
  • 4. HSE Report rr872 In it's research report rr872 the HSE states “The MIIB has officially stated that the reason the overfill occurred was because the level measurement gauge on the tank did not alter in a three-hour period, despite the fact it was being continuously fed unleaded petrol via a pipeline from the Lindsey Oil Refinery in Lincolnshire. The third progress report as presented in The Buncefield Incident 11 December 2005, The Final Report of the Major Incident Investigation Board, Volume 2, stated that findings of the investigation into the instrumentation and controls confirmed this. It emphasised that in the three-hour period prior to the incident, the level gauge of this tank remained static, despite there being a continuous transfer to it. This loss of containment (LOC) incident was in part due to shortcomings in the control and instrumentation, and in particular the failings of the tank gauging system in place on the tank that monitored the level of fuel stored in that tank. “ The report provides a very comprehensive expose on the various types of mechanical and electrical systems available for storage tanks in the UK and beyond. It closes on page 33, at section 6.2.3 where there is a brief discussion on communication system software where it states that the most common software used to bring information from tanks to the control room was ENRAF. ENRAF is a Honeywell Inc product prevalent in the market. The report however whilst acknowledging complexity provides no thought or guidance as to it's potential vulnerabilities to information corruption or usurpation. The core solution at Buncefield was TAV for the Servo Gage and Cobham for the High Level Switch (HLS). Nowhere in the HSE report is system security considered as a factor for HSE concern, in spite of the fact that it is the rules within the system software that determine whether an alarm is triggered, and the vulnerabilities of such systems to malicious penetration are now well publicised.
  • 5. 3rd Progress Report – Instrumentation and Control Systems. At section 1.3 of the 3rd Progress Report titled “Instrumentation and control systems”, a narritive is provided about the control SCADA system in use, it is worth noting what was said:- “13 Tank 912 was fitted with instrumentation that (among other things) measure and monitored levels and temperatures of the liquid in the tank. The instruments were connected to an automatic tank gauging (ATG) system in common with all the other tanks on the site. Tank levels were normally controlled from a control room using the ATG system. 14 A servo level gauge measured the liquid level. The temperature of liquid in Tank 912 was measured using a temperature sensor. 15 The ATG system enabled the operator to monitor levels, temperatures and tank valve positions, and to initiate the remote operation of valves all from the control room on HSOL West site. The ATG system was also able to trend data and had an event logging system, integrated with the alarm system. The ATG contained a large database which recorded levels, temperatures, alarms, valve positions, and other related information indexed against times and dates for a user- configurable period which can be several months. The records from this database are providing valuable information for the investigation. 16 The tank also had an independent safety switch, which provided the operator with a visual and audible alarm in the control room when the level of liquid in the tank reached its specified maximum level (the ‘ultimate’ high level). This alarm also initiated a trip function to close valves on relevant incoming pipelines. The ultimate high level safety switch on the tank sensed when the liquid reached its specified maximum level, should all other alarms and controls fail to prevent this. Its purpose was to provide an alarm to operators in the control room and to initiate automatic shutdown of delivery once the maximum level was reached. 
The switch was intended to alert the control room operator via a flashing lamp (one for each tank) and an audible buzzer. In addition, the ultimate high level safety switch alarm signal from any overflowing tank in HOSL West would be sent to computer control and instrumentation relating to both the FinaLine and BPA pipelines. Of interest here is the database mentioned in section 15 is never referred to in any of the other documents except in Mr Justice Steels sumization where expert evidence was provided by Samuel Sudler of Total and and Dr Harri Kytomaa a mechanical engineering specialist. What the evidence was is not explained.
• 6. 3rd Progress Report – Instrumentation and Control Systems Cont.

“17 When the BPA site received an alarm/trip signal from the HOSL West site, the BPA computer control system should have closed the relevant pipeline manifold valve feeding in product to the tank(s) on the HOSL West site. BPA also had a high-level supervisory control and data acquisition (SCADA) system, which had the facility for alarm and event logging both locally at Buncefield and remotely at the BPA control centre at Kingsbury, Warwickshire.

18 An override keyswitch in the HOSL West control room could be used to inhibit the alarm/trip signal to BPA during testing of the ultimate high level safety switches. Putting the keyswitch in the override position would illuminate a red lamp on the annunciator panel.”

This then should have been the process of control for managing tanks and associated alarms. The report in the next section, 1.4, discusses the resulting evidence from those control systems as follows:-

“19 Examination of the records for Tank 912 from the ATG system suggests an anomaly. A little after 03.00 on 11 December, the ATG system indicated that the level remained static at about two thirds full. This was below the level at which the ATG system would trigger alarms.

20 However, the printouts from the BPA SCADA systems indicate that the T/K South line was delivering a batch of 8400 m3 of unleaded petrol, starting around 19.00 the previous evening (10 December). The delivery was being split between Tank 912 at the HOSL West site and BPA’s site at Kingsbury, giving a flow rate to Tank 912 of around 550 m3/hour. These SCADA printouts further indicate that approximately seven minutes before the incident, the Kingsbury line was closed, leading to a sharp increase in the flow rate to Tank 912 to around 890 m3/hour.

21 At the time of the incident, automatic shutdown did not take place.

22 Examination of the valve positions shown by the ATG database confirms that the inlet valve to Tank 912, which was connected to the BPA petrol manifold, was open at the time of the incident. Based on this evidence, it is concluded that Tank 912 was still filling after 03.00.”
• 7. 3rd Progress Report – Instrumentation and Control Systems Cont.

“23 Temperature records also provide evidence that the inflowing fuel was warmer than the tank contents. Records for Tank 912 show the tank temperature continuing to rise after 03.00, supporting the above conclusion that the product was still feeding into the tank from the pipeline.

24 The evidence to date is consistent with continued filling of Tank 912 after 03.00, despite the ATG system showing a static level reading. On the basis of calculations, Tank 912 would have been completely full at approximately 05.20, overflowing thereafter. This timing is entirely consistent with CCTV evidence and eyewitness accounts reporting on a dense vapour cloud at various times between 05.38 and 06.00. The overflow of unleaded petrol would therefore have been in the order of over 300 tonnes by 06.00.

25 Simulation of the ultimate high level tank alarms (from the relevant electrical substation on site) and tests on the annunciator panel and the link to BPA prove that they worked normally. Tests on the override switch found that it had no effect on the audible and visual alarms from the annunciator, but it did, when switched to override, inhibit the alarm/trip signals being sent to BPA.

26 Information from the BPA SCADA system indicates that no ultimate high level alarm was received from HOSL West, but it has not been possible to test the ultimate high level safety switch or intervening wiring between Tank 912 and the substation, as they have been damaged in the fire. However, the switch has very recently been located, but it has not yet been possible to recover it. When it is, it will be subject to forensic examination.”

No evidence of, or follow-up to, this forensic examination has been found in the reports that could determine the validity of the assumption regarding the operating condition of the high level switch. The reports indicate that it was not padlocked in position following a recent test; however, the forensic examination report does not appear anywhere.
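The anomaly described in paragraphs 19 to 24 is one that an independent cross-check could have flagged in real time: integrate the metered pipeline inflow and compare the result with the level the gauge reports, which catches a frozen reading whether it comes from a stuck gauge or from altered data. The following is an added illustration, not code from the investigation or from any of the systems named above; the tank capacity, sample times, levels and the point at which the flow rate steps up are all constructed for the demonstration, and the projection uses the flow-based estimate rather than any official calculation.

```python
from dataclasses import dataclass

# Hypothetical working capacity used only for the projection below; the
# investigation reports quoted on this page give no capacity figure.
TANK_CAPACITY_M3 = 6000.0


@dataclass(frozen=True)
class Sample:
    minutes: int            # minutes since midnight
    reported_m3: float      # level reported by the tank gauging system
    inflow_m3_per_h: float  # inflow metered independently, e.g. by the pipeline SCADA


def expected_levels(samples):
    """Integrate the metered inflow forward from the first reported level.

    The result is an estimate of the tank contents that does not depend on
    the gauge at all, so a gauge that stops changing (stuck or fed false data)
    diverges from it within one or two sample intervals.
    """
    levels = [samples[0].reported_m3]
    for prev, cur in zip(samples, samples[1:]):
        hours = (cur.minutes - prev.minutes) / 60.0
        levels.append(levels[-1] + prev.inflow_m3_per_h * hours)
    return levels


def reconcile(samples, tolerance_m3=50.0):
    """Return (minutes, expected_m3, reported_m3) for every sample where the
    flow-based estimate and the gauge disagree by more than tolerance_m3."""
    alerts = []
    for sample, expected in zip(samples, expected_levels(samples)):
        if abs(expected - sample.reported_m3) > tolerance_m3:
            alerts.append((sample.minutes, round(expected, 1), sample.reported_m3))
    return alerts


def minutes_until_full(level_m3, inflow_m3_per_h, capacity_m3=TANK_CAPACITY_M3):
    """Project when the flow-based estimate reaches capacity; None if not filling."""
    if inflow_m3_per_h <= 0:
        return None
    return max(0, round((capacity_m3 - level_m3) / inflow_m3_per_h * 60))


# Constructed scenario: the reported level freezes at 03:00 while the pipeline
# meter still shows product arriving at 550 m3/h, later stepping up to 890 m3/h.
SAMPLES = [
    Sample(180, 4000.0, 550.0),  # 03:00
    Sample(210, 4000.0, 550.0),  # 03:30
    Sample(240, 4000.0, 550.0),  # 04:00
    Sample(270, 4000.0, 890.0),  # 04:30, flow rate steps up
    Sample(300, 4000.0, 890.0),  # 05:00
]


if __name__ == "__main__":
    for minutes, expected, reported in reconcile(SAMPLES):
        print(f"{minutes // 60:02d}:{minutes % 60:02d} "
              f"flow-based estimate {expected} m3, gauge reports {reported} m3")
    last_estimate = expected_levels(SAMPLES)[-1]
    print("projected minutes to full:",
          minutes_until_full(last_estimate, SAMPLES[-1].inflow_m3_per_h))
```

The check needs nothing from the gauge vendor's protocol; it only requires that the inflow meter and the level gauge are read through separate paths, which is exactly the independence the quoted report found missing between the ATG reading and the pipeline SCADA printouts.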
• 8. Alternative Assumptions for Consideration

The official investigation of the Buncefield explosion is predicated on the failure of three independent electromechanical and IT systems built to Safety Impact Level (SIL) standards. It is by and large built upon the assumptions that:

1. The servo level gauge became stuck and continued to send incorrect data to the TAV ATG system, showing a static level of tank 912 contents; it is assumed the ATG system was immune from attack.
2. The HLS failed to function correctly; however, the switch forensic analysis has not been published in the reports, so what if it did work correctly mechanically?
3. The SCADA systems in use at Kingsbury and HOSL were secure and immune from cyber attacks. However, if the servo level gauge and HLS did actually work correctly, one or more of the SCADA systems and/or the ATG data must have been compromised.

But how could this have happened? In a report published in November 2005 entitled “Common Control System Vulnerability”, the Control Systems Security Center (CSSC) and National SCADA Test Bed (NSTB) programs, on behalf of the US Department of Homeland Security, advised that they had discovered a vulnerability common to control systems in all sectors that allows an attacker to penetrate most control systems, spoof the operator, and gain full control of targeted system elements. This vulnerability has been identified on several systems that have been evaluated at Idaho National Laboratory, and in each case a 100% success rate of completing the attack paths that lead to full system compromise was observed. Since these systems are employed in multiple critical infrastructure sectors, this vulnerability is deemed common to control systems in all sectors. The following information is taken from the DoHS report.

Usually, such penetration attacks follow a phased approach including reconnaissance, traffic analysis, profiling of vulnerabilities, launching attacks, escalating privilege, maintaining access, and covering evidence. Once the attacker gains access to the control network through vulnerabilities in the business LAN, another phase of reconnaissance begins with traffic analysis within the control domain. Thus, the communications between the workstations and the field device controllers can be monitored and evaluated, allowing an attacker to capture, analyse, and evaluate the commands sent among the control equipment. Through manipulation of the communication protocols of control systems an attacker can then map out the control system processes and functions. With the detailed knowledge of how the control data functions, as well as what computers and devices communicate using this data, the attacker can use a well known Man-in-the-Middle attack to perform malicious operations virtually undetected and gain full control of targeted system elements.

• 9. Alternative Assumptions for Consideration (cont)

This method was used by INL to gather enough information about the system to craft an attack that intercepts and changes the information flow between the end devices (controllers) and the human machine interface (HMI and/or workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator’s console to give false information of the state of the system (known as “spoofing”).

This clearly has the potential to form the basis of an attack at Kingsbury central SCADA and hence on Buncefield, whereby the ATG system could have been corrupted and false data inserted into network traffic to spoof the SCADA system into believing the tank 912 contents were less than they really were, suppressing any alarms to the SCADA control systems at Buncefield and hence at Kingsbury.

Network Reconnaissance and Data Gathering

Once access has been obtained on the control system network, be it via the business LAN or some other plausible attack vector (vendor channel, wireless, dial-in access, etc.), network reconnaissance is used to gather the information required to develop a plan of attack. By passively scanning, listening, and gathering communication traffic (i.e., protocols), the attacker is able to obtain an initial inventory regarding the architecture components in the control network, as well as direct insight into the communications used by the control devices on the network. After enough information has been gathered, the attacker can begin decoding and assessing the system information flow. This process of passively listening to network traffic is often referred to as ‘sniffing’.

In order to communicate with the end-point field devices, the application always communicated directly with the device-specific controllers. This identified a critical path in the flow of system information between the controllers and/or field devices and the workstation. Decoding the communications within this flow of information is the key to understanding the system and, more importantly, verifying targets on the control network. In order to break the communication layer, the control network traffic had to be monitored and dissected to develop a greater understanding of how the components communicate.
• 10. At Buncefield the SCADA system is connected to each location system by a point-to-point communications circuit. Each circuit is implemented as an analog leased line, with automatic dial-up fallback. Supplementary dial-up circuits are also provided. This could represent a security flaw, giving an attacker potential network access via a modem dial-in.

Reverse Engineering

To reverse engineer a protocol, communication packets are captured by the attacker using the compromised machine on the control network and dissected to identify the inner workings of the communications. Each packet contains all the required components to operate and control the field devices. The critical aspect of each protocol is to understand how the packet is put together and identify which pieces (bits) within the packet are the commands for controlling the equipment. These pieces are identified through reverse engineering of the protocol, which gives the attacker the ability to manipulate each packet as required.

Because control systems were historically “closed”, data sent to and from control devices and to the operator consoles was usually considered valid. Each control system network component could theoretically communicate with any other component without any verification of sender or receiver. Such trust has obvious implications were these systems to be penetrated: new data, with possibly harmful instructions, would be accepted by the target resource and the command would be executed. This is known as a “replay attack”.

The final task of successfully inserting the modified rogue traffic into the data stream requires that the information flow be uninterrupted. In order to use the information and insert the modified packets into the information flow, a Man-in-the-Middle attack must be carried out.

Man-in-the-Middle Attack

A Man-in-the-Middle attack requires the use of the address resolution protocol (ARP) and an in-depth understanding of the protocol to be manipulated (in the Buncefield case this would be the TAV ATG system protocols, Allen-Bradley PLCs and I/Os). The ARP Man-in-the-Middle attack is a popular method used by an attacker to gain access to the network flow of information on a target system. This is done by attacking the network ARP cache tables of the controller and the workstation machines. Using the compromised computer on the control network, the attacker poisons the ARP tables on each host and informs them that they must route all their traffic through a specific internet protocol (IP) and hardware address (i.e., the attacker’s machine). By manipulating the ARP tables, the attacker can insert his machine between the two target machines and/or devices.
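The trust model just described, where any well-formed packet is acted upon without verification of the sender, is what allows captured traffic to be re-injected or altered. The following added example (not from the DoHS report or from any product named on this page) contrasts a receiver with no checks against one that authenticates each frame with HMAC-SHA256 over a sequence number and payload and rejects sequence numbers it has already seen; the key, frame layout and telemetry strings are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demonstration only; a real deployment
# would provision per-device keys out of band.
DEMO_KEY = b"constructed-demo-key-not-for-production"

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output


def build_frame(key, seq, payload):
    """Return seq || payload || HMAC-SHA256(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class UnauthenticatedReceiver:
    """The historical trust model: anything that arrives is taken as genuine."""

    def accept(self, frame):
        return True, frame[SEQ_LEN:-TAG_LEN].decode(errors="replace")


class AuthenticatedReceiver:
    """Verifies the tag and insists on a strictly increasing sequence number,
    so a captured frame cannot be re-injected later and a modified frame
    fails the integrity check."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "malformed"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        return True, payload.decode()


def demo():
    """Run the same captured frame past both receivers; returns a result dict."""
    # Constructed telemetry: three level reports with rising contents.
    frames = [build_frame(DEMO_KEY, i, f"tank=912;level_m3={4000 + 275 * i}".encode())
              for i in range(3)]
    legacy = UnauthenticatedReceiver()
    hardened = AuthenticatedReceiver(DEMO_KEY)
    results = {}
    for frame in frames:
        hardened.accept(frame)                          # live traffic is accepted
    results["legacy_replay"] = legacy.accept(frames[0])      # stale reading re-injected
    results["hardened_replay"] = hardened.accept(frames[0])
    # Same sequence number and tag as the last live frame, but the level altered.
    tampered = frames[2][:SEQ_LEN] + b"tank=912;level_m3=4000" + frames[2][-TAG_LEN:]
    results["hardened_tampered"] = hardened.accept(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A strictly increasing counter is enough for a point-to-point link such as the leased-line circuits described on this slide; where frames can legitimately arrive out of order, a sliding replay window would replace the single `last_seq` comparison.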
• 11. The Man-in-the-Middle attack works by initiating gratuitous ARP commands to confuse each host (referred to as ARP poisoning). These ARP commands cause each of the two target hosts to use the Media Access Control (MAC) address of the attacker as the address for the other target host. When a successful Man-in-the-Middle attack is performed, the hosts on each side of the attack are unaware that their network data is taking a different route through the attacker’s computer. The attacker’s computer then needs to forward all packets to the intended host so the connection stays in sync and does not time out. Figure 1 illustrates a typical Man-in-the-Middle attack in the Buncefield scenario.

Figure 1. Man in the Middle

The Man-in-the-Middle attack is effective against any switched network because it effectively puts the attacker’s computer between the two hosts. This means the hosts send their data to the attacker’s computer, thinking it is the host to which they intended to send the data. After the ARP tables on both target hosts have been successfully poisoned, the program shuttles packets back and forth between the target hosts. This ensures that all of the current applications on the target hosts will continue to work properly. During the shuttling process, every packet destined for either target host is processed through the attacker’s machine and can be manipulated (packet crafting) to send specific commands to each host.

In the case of Buncefield, this means that the ATG system traffic could have been intercepted and replaced with tank level data that did not change even though the actual tank level was rising. The ATG system in the control room would show a consistent level measure, which is in fact what happened.

When considering the activities an attacker will perform during a system compromise, one key element is to maintain covert activity and remove evidence of the attack wherever possible. Bearing in mind that cyber-based attacks on control systems are unique in that they are ‘digital’ attacks that manifest themselves in ‘physical’ actions, manipulation of the operator’s information is vital to the success of the attack. Control of the information that is accessible by the operator is required to hide the attack. During the earlier data capture phase of the attack, data reflecting normal operations in the control systems are harvested and can be played back to the operator as required. This will ensure that the operator’s console will appear to be normal and the attack will go unobserved in the information presented to the operator via the HMI.
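From the defender's side, the ARP poisoning described on slides 10 and 11 leaves a recognisable trace on the wire: replies that contradict the known address mapping, and one hardware address answering for more than one host. The following added example, not from the DoHS report or from the author of this paper, checks a capture of ARP replies against a baseline table of the kind a static control network makes easy to maintain; the addresses and the capture are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since the capture started
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # hardware address offered for that IP
    target_ip: str   # host whose ARP cache the reply updates


# Constructed baseline for the demonstration; addresses are documentation
# placeholders, not any real plant's addressing.
BASELINE = {
    "192.0.2.10": "02:00:00:00:00:10",  # operator workstation / HMI
    "192.0.2.20": "02:00:00:00:00:20",  # field controller
}


def detect_arp_poisoning(baseline, replies):
    """Flag ARP replies that contradict the known IP-to-MAC mapping, and any
    single MAC that ends up claiming more than one IP (the signature of one
    machine inserting itself between two hosts). Returns a list of alerts."""
    known = dict(baseline)
    claims = defaultdict(set)  # mac -> IPs it has claimed to own
    alerts = []
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
        expected = known.get(r.sender_ip)
        if expected is None:
            known[r.sender_ip] = r.sender_mac  # first sighting: learn it
        elif expected != r.sender_mac:
            alerts.append(("ip-mac-conflict", r.ts, r.sender_ip,
                           expected, r.sender_mac, r.target_ip))
    for mac, ips in claims.items():
        # Legitimate exceptions exist (e.g. a router answering with proxy ARP),
        # so on a control network treat this as a review item, not proof.
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts


# Constructed capture: two normal exchanges, then a third machine answering
# for both hosts so that each starts sending its traffic to it.
CAPTURE = [
    ArpReply(1, "192.0.2.20", "02:00:00:00:00:20", "192.0.2.10"),
    ArpReply(2, "192.0.2.10", "02:00:00:00:00:10", "192.0.2.20"),
    ArpReply(3, "192.0.2.20", "02:00:00:00:00:99", "192.0.2.10"),
    ArpReply(4, "192.0.2.10", "02:00:00:00:00:99", "192.0.2.20"),
]


if __name__ == "__main__":
    for alert in detect_arp_poisoning(BASELINE, CAPTURE):
        print(alert)
```

On a plant network the baseline is the asset inventory itself; the same check can be fed from a span port or from the switches' own address tables, and static ARP entries on the HMI and controllers close the gap entirely where the hardware allows it.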
• 12. The BPA SCADA Supervision Control System

The design of the BPA SCADA system was undertaken by SC Scicon (a UK company since acquired by EDS) with support from BPA staff. The solution was based on SetPoint Inc SETCON process control software, a proprietary product from SetPoint, headquartered in Houston, Texas (since acquired by InfoPlus). The core SCADA system was located in Kingsbury, with six location systems installed at the major plant sites along the BPA pipeline, one of which was Buncefield. The SETCON software was hosted on a DEC VAX with the VMS operating system. The interface to SETCON processes was via another SETCON product, SETCON GCS, a graphics-based operator interface running on IBM PCs. In addition to the core pipeline SCADA system, additional BPA pipeline-specific applications were written by SC Scicon in Fortran. The DEC VAX was hosted on a MicroVAX 3500 hot standby pair with 4 IBM PS/2 operator terminals (Kingsbury). At each location a MicroVAX II was installed running SETCON with an operator terminal and an associated data acquisition system (DAS). The DAS is based on an IBM PC. The core SCADA supervisory system is connected to each location system by a point-to-point communications circuit. Each circuit is implemented as an analog leased line, with automatic dial-up fallback. Supplementary dial-up circuits are also provided.

BPA SCADA Functions

During normal operation, when the pipeline is controlled by operators at the supervisory system, each location DAS acquires plant data twice a second and passes them to its respective location system, where they are used to update the SETCON database. The core SCADA supervisory system then receives sets of plant data from all the location systems upwards of every 3 sec to give it a complete picture of the state of the entire pipeline. The SCADA and custom applications software in every computer then acts on the data held in its SETCON database, exchanging data with other computers as required.

Should a location system fail, the local DAS can bypass the location computer and pass the plant data directly to the core SCADA supervisory system, thus enabling the operators to continue to control the pipeline. The only degradation suffered in this case is that the automatic control facilities normally performed by the location system are not available. This could also be a potential safety/security flaw in itself: were, for example, the Buncefield SCADA inoperable, would the Cobham high level switch work as designed? If for any reason the entire supervisory system is unavailable, fallback operator terminals are provided at Kingsbury for the operators to log on to the location systems via the supplementary dial-up circuits.
• 13. This enables them to control the location systems directly. Under these circumstances, the events and alarms detected by all the location systems are logged on a central printer. The final fallback facility provided for the operators is the ability to connect directly to a DAS from a remote terminal and to examine the plant inputs and issue either single controls or to execute predefined sequences of controls.

This ability to connect directly to a DAS from a remote terminal (one which could potentially be controlled by an external aggressor host) could provide another mechanism to insert corrupt data to send to the local and/or central SCADA system, and to issue spurious control commands. The SCADA interface itself could also be controlled by a remote host to suppress processes such as visual and audio alarms. At Buncefield no alarms were raised because, it is said, the TVA gauge was stuck; an alternative explanation could be that an attacker either changed data readings of tank levels and/or suppressed the SCADA alarm processes, then covered their tracks.

SC Scicon Provided SCADA Applications

In addition to the “out of the box” processes provided by SETCON, SC Scicon wrote some custom functions for BPA. Of particular note is the Parcel Tracking function. The parcel-tracking function not only provides graphical displays and reports of the positions of parcels within the pipeline system, but also monitors the actual progress of the batches against the schedule. It then warns the operator of any potential mis-routings and of any differences between scheduled and actual movements, thereby reducing the risk of erroneous movements. When viewed against the 3rd Progress Report findings on page 6, paragraph 20 of this paper, should the central SCADA system have picked up the fact that a parcel delivery had been vastly increased in flow rate into tank 912? Or was this function maliciously suppressed?

The system went operational in late 1990, well before the internet age, when security against intruder penetration was less of a consideration in commercial operations than it is today. By 2005 the architecture of the business LAN and control system could well have been connected; even if it was not, vulnerabilities in the DEC VAX operating system could have left the system open to attack from the outside using well publicised hacking techniques.
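The parcel-tracking comparison described on this slide (scheduled against actual movements, with warnings on mis-routing and on deviations from schedule) can be sketched as a check over metered flow, which shows what such a function would have had to notice when the rate into tank 912 jumped. The following is an added example, not SC Scicon's or SETCON's code; the schedule, the flow observations and the 15% rate tolerance are constructed for the demonstration, and the batch volume is deliberately small so that over-delivery shows up as well.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ParcelSchedule:
    parcel_id: str
    volume_m3: float              # total batch volume scheduled
    planned_rate_m3_per_h: float  # expected delivery rate
    destination: str              # scheduled receiving tank / site


@dataclass(frozen=True)
class FlowObservation:
    minutes: int          # minutes since the batch started
    rate_m3_per_h: float  # metered rate at that moment
    destination: str      # where the manifold is actually routing product


def check_parcel(schedule, observations, rate_tolerance=0.15):
    """Compare actual movements with the schedule.

    Returns (warnings, delivered_m3). Each warning is a tuple whose first
    element is one of 'mis-routing', 'rate-deviation' or 'over-delivery'.
    """
    warnings = []
    delivered = 0.0
    prev = None
    for obs in observations:
        if prev is not None:
            # volume moved since the previous observation at the previous rate
            delivered += prev.rate_m3_per_h * (obs.minutes - prev.minutes) / 60.0
        if obs.destination != schedule.destination:
            warnings.append(("mis-routing", obs.minutes, obs.destination))
        deviation = (abs(obs.rate_m3_per_h - schedule.planned_rate_m3_per_h)
                     / schedule.planned_rate_m3_per_h)
        if deviation > rate_tolerance:
            warnings.append(("rate-deviation", obs.minutes, obs.rate_m3_per_h))
        if delivered > schedule.volume_m3:
            warnings.append(("over-delivery", obs.minutes, round(delivered, 1)))
        prev = obs
    return warnings, round(delivered, 1)


# Constructed schedule and observations: the rate steps up well above plan
# and the last reading shows product routed somewhere other than scheduled.
SCHEDULE = ParcelSchedule("constructed-batch-1", 2000.0, 550.0, "HOSL-West-T912")
OBSERVATIONS = [
    FlowObservation(0, 550.0, "HOSL-West-T912"),
    FlowObservation(60, 550.0, "HOSL-West-T912"),
    FlowObservation(120, 550.0, "HOSL-West-T912"),
    FlowObservation(180, 890.0, "HOSL-West-T912"),
    FlowObservation(240, 890.0, "Kingsbury"),
]


if __name__ == "__main__":
    warnings, delivered = check_parcel(SCHEDULE, OBSERVATIONS)
    print(f"delivered {delivered} m3 of {SCHEDULE.volume_m3} m3 scheduled")
    for w in warnings:
        print(w)
```

Because the check runs on the supervisory side from pipeline meter data rather than from the receiving tank's gauge, it is a second, independent witness to the same event; the question the slide raises is whether that witness spoke and, if it did, why nothing was heard.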
• 14. Conclusion

The Buncefield investigation focused its attention predominantly on the immediate blast location, and suggested electro-mechanical failure, operator neglect and poor testing procedures. In all probability, the results of the investigation arrived at the correct conclusion. However, should it in fact have focused more effort on the Kingsbury SCADA system, and on the local SCADA and ATG systems, for signs of attack, even if only to discount it? Failure to have done so must leave an element of doubt in the investigation result, even if such an attack was highly improbable.

References:

The Buncefield Incident 11 December 2005: Volume 1. The final report of the Major Incident Investigation Board. ISBN 978-0-7176-6270-8 (2008).
The Buncefield Incident 11 December 2005: Volume 2. The final report of the Major Incident Investigation Board. ISBN 978-0-7176-6318-7 (2008).
The Buncefield Investigation: Third progress report.
COMAH (Control of Major Accident Hazards): Buncefield: Why did it happen? (February 2011).
Identification of instrumented level detection and measurement systems used with Buncefield in-scope substances. Research Report 872, Health and Safety Executive.
Oil and Gas Journal, 30/03/1992: http://www.ogj.com/articles/print/volume-90/issue-13/in-this-issue/general-interest/uk-pr
Beginners Guide to VAX/VMS Hacking: ENTITY / Corrupt Computing Canada (c) September 1989.
The High Court of Justice, Queen's Bench Division, Commercial Court: Case No: 2007 FOLIO NO 1057; 20/03/2009, Mr Justice David Steel: Colour Quest Limited and Others (Claimants) and (1) Total Downstream UK PLC (2) Total UK Limited (3) Hertfordshire Oil Storage (Defendants).