Firefighters returned to an east Tulsa, OK, chemical business Thursday morning after a blaze that damaged the building Wednesday night reignited.
Fire crews arrived about 2:30 a.m. at Sabre Chem Inc., to put out several hot spots that flared inside the structure, said Tulsa Fire Department spokesman Stan May.
May said it is likely chemicals inside the business that contributed to the continuation of hot spots.
No injuries ended up reported early Thursday, even though the building’s roof collapsed while crews were on the scene, he said.
The owner of the chemical business said Thursday he knows what sparked the blaze.
“I know exactly what caused it,” owner Scott Bever said of the fire that started about 8:20 p.m. Wednesday. “It was a static charge that sparked it.”
Bever said the charge quickly ignited nearby industrial materials and fluids.
“It’s cool, low humidity in there,” he said. “I don’t know why it happened.”
An official cause of the fire, which led to several explosions at the business, is still under investigation, May said.
Bever said he was pouring gasoline into a can when it sparked, creating the fire — a plausible occurrence, May said.
Sabre Chem has been in business for 35 years, 20 of which were at the east Tulsa location that burned.
Bever dealt mostly in lubricating oils for everything from race cars to maintenance chemicals for oil fields.
About 75 firefighters battled the first blaze, fire officials said. Several explosions ended up reported around 8:30 p.m. Wednesday. The fire ended up quickly contained and all employees accounted for.
Officials say one person suffered minor injuries but refused to go to the hospital.
While the evacuation order surrounding a liquefied natural gas plant ended up lifted Tuesday after an explosion Monday morning, the gas tank punctured in the blast continued to leak.
The explosion injured five workers at the Williams Northwest Pipeline facility in Plymouth, WA, Monday, a company spokeswoman said the subsequent fire finally burned itself out 18 hours later.
The blast likely occurred in a pump house at the plant at 8:30 a.m. Monday. Shrapnel punctured a liquefied natural gas tank, which sent out plumes of white vapor. The gas tank was still leaking Tuesday night.
Hundreds of people evacuated within a 2-mile radius of the plant and taken across the Columbia River to Umatilla, OR. Late Tuesday afternoon, authorities had lifted the evacuation orders.
The Benton County Sheriff’s Department said Tuesday the gas was blowing away with the wind. Access to the plant remains restricted as investigators look into what caused the blast.
The fire burned itself out at about 3 a.m. Tuesday, said Williams Partners spokeswoman Michele Swaner.
She said remote devices travelled went into the scene Monday in an attempt to figure out what happened. Investigators at the scene Tuesday morning were working to isolate the damage and assess the level of repairs.
Four of the people hurt in the explosion went to the Hermiston hospital for treatment. The fifth, 61-year-old Mike Yunker of Echo, OR, went to the burn unit at Legacy Emanuel Medical Center in Portland, where he is in good condition.
A large explosion hit a natural gas processing plant on the Washington-Oregon border Monday, injuring five workers, causing about 400 people to evacuate from nearby farms and homes, officials said.
The 8:20 a.m. blast at the Williams Northwest Pipeline facility near the Washington town of Plymouth, WA, along the Columbia River, sparked a fire and punctured one of the facility’s two giant storage tanks for liquefied natural gas.
Benton County Sheriff Steven Keane said a relatively small amount of gas leaked from the tank to the ground in a moat-like containment area. But it then evaporated, blowing away to the northeast, he said.
“I think if one of those huge tanks had exploded, it might have been a different story,” Keane said.
The fire at the facility about 4 miles west of Plymouth was out within a couple of hours.
One of the injured workers went to a Portland, OR, hospital specializing in burns, he said.
Benton Fire District 1 Capt. Jeff Ripley said another four people went to local medical facilities. None of the injuries were life-threatening, he said.
Deputies went door to door to homes and farms within a 2-mile radius, evacuating about 400 residents as a precaution.
By Monday night, the evacuation zone reduced down to a 1-mile radius, the Benton County Emergency Management agency said. Road and river restrictions ended up lifted.
About 75 people checked into a shelter set up in Oregon at the Umatilla County Fairgrounds, but emergency officials said they expected few to stay the night.
The facility provides supplemental gas during times of high demand for a 4,000-mile pipeline stretching from the Canadian border to southern Utah. Its two storage tanks for liquefied natural gas each have a capacity of 1.2 billion cubic feet, Williams spokeswoman Michele Swaner said. The one that punctured was about a third full.
Swaner said the 14 employees working at the time were all safe. At least 18 people work at the facility.
She added it was too early to determine the extent of the damage or the cause of the explosion. The pipeline shut down in the area of the storage facility, but was still carrying gas on other stretches.
Video taken by a Washington State Patrol bomb squad robot was under review.
Emergency crews and Williams personnel entered the hazard area to assess the situation Monday night, the emergency management agency said in a statement.
A pipeline engineer with the Washington Utilities and Transportation Commission will investigate the cause of the explosion and communicate with the western region of the U.S. Department of Transportation Pipeline and Hazardous Materials Safety Administration, the commission said.
Workplace safety investigators from the Washington Department of Labor & Industries will join the investigation, department officials said.
The state Pipeline Safety Program regulates 28 pipeline companies and inspects more than 24,000 miles of natural gas and hazardous-liquid pipelines in Washington.
Williams operates about 15,000 miles of interstate natural gas pipelines, according to its website.
Williams Partners’ subsidiary Northwest Pipeline LLC owns the liquefied natural gas facility.
There was no pipeline rupture, and no customers suffered a lack of service, company officials said.
A failed gasket above ground resulted in cleanup workers containing about 34,000 gallons of leaking crude from a broken oil pipeline in northwestern North Dakota, a state officials said Friday.
The pipeline breach occurred Thursday morning on Hiland Crude LLC’s pipeline about 6 miles northeast of Alexander, said North Dakota Water Quality Director Dennis Fewless. A gasket on the above-ground pipeline appears to have failed near a compressor station, spewing about 800 barrels of crude, Fewless said. A barrel holds 42 gallons.
About half the oil migrated off the site but has been contained and no water sources are in danger, Fewless said. Hiland gave a lower estimate than state inspectors did for how much oil escaped the site, saying in a statement that “approximately 100 barrels of crude left the location, with an undetermined amount contained on location.”
The Enid, OK-based company said the environmental impact “is limited to contaminated soil, which is being removed from the site.”
Fewless said the cleanup likely will continue for a few days. The McKenzie County Sheriff’s Department said a road to the spill site will remain closed until they complete the work.
The spill occurred about 5 a.m. Thursday and Hiland notified North Dakota regulators about six hours later, Fewless said. State health inspectors have been on the scene since Thursday.
Hiland’s statement said its workers “immediately began emergency response activities” after detecting the spill. It said specialized cleanup contractors were at the site before 6:30 a.m. Thursday, and the flow of crude oil was “substantially controlled” at that time.
“They called in all the necessary forces to get it cleaned up,” Fewless said Friday. “They worked all night, got the leak stopped and got it contained. They are in cleanup mode right now.”
Fewless said oil migrated into a dry drainage that has been “diked off, contained and boomed.” But he said if a heavy spring rain hit during cleanup, oil could leach from the site.
“If we were to get a rainstorm, you would have potential for oil to make it to water,” Fewless said.
Hiland Partners LP, which owns Hiland Crude, reported two other incidents to North Dakota regulators in recent months.
In November, the company reported a 500-barrel crude oil spill near Trenton at a rail transfer facility. Last month, an above-ground natural gas pipeline owned by the company caught fire in rural Williams County, touching off explosions that could be felt miles away.
Hiland Crude began courting oil producers this week to reserve space on a new oil pipeline that would run from Dore and Sydney, MT, to an oil storage facility in Guernsey, WY. The company said it expects to transport up to 100,000 barrels per day of crude on the pipeline later this year.
Pipelines continue their spilling, leaking ways this time in a stream and marshy pond in a nature preserve in Colerain Township, Ohio, federal officials said.
Around 10,000 gallons of crude oil ended up discovered spilled from an underground pipeline into the stream and marshy pond Monday night and will be “tricky” to clean up, U.S. Environmental Protection Agency (EPA) officials said Tuesday.
The spill didn’t injure anyone and remained contained to the spill site by Tuesday afternoon, said state and federal EPA officials.
To clean up the spill crews will need to “build a road” to get heavy machinery into the spill area, a part of the Oak Glen Nature Preserve, to vacuum up the oil and dig up contaminated soil. With rain in the forecast, they will have to build a containment structure to capture oil and keep it from reaching the Great Miami River, just 500 feet away, or spreading out on the site, said Heather Lauer, a spokeswoman for the Ohio EPA.
Right now, they estimate the process will take at least a week.
The incident is at least the third time in the last decade that oil has leaked in the Greater Cincinnati and Northern Kentucky region from this pipe, owned by Sunoco Logistics and operated by Mid-Valley Pipeline Co., both subsidiaries of Sunoco. It is the 40th incident since 2006 along the pipeline, which stretches 1,100 miles from Texas to Michigan, according to the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration.
The cause of this most recent leak remains under investigation by the U.S. EPA.
After leaking from the pipeline, the oil ran about half of a mile down a stream into a marshy pond, just west of East Miami River Road.
Even if some of the “sweet crude” – a lighter, thinner oil than sour crude – makes its way into the nearby Great Miami, regional drinking water will not end up threatened because water treatment plants are upstream on the Great Miami in Fairfield and upstream on the Ohio River, said Greater Cincinnati Water Works spokeswoman Michele Ralston.
Communities downstream, including Lawrenceburg and Louisville, also have nothing to worry about at this time, said Jerry Schulte, a manager involved in water protection and emergency response for the Ohio River Valley Water Sanitation Commission.
Federal records show inspectors last checked the pipeline in 2011; the records do not include any current or ongoing inspections.
A system-wide inspection of the 1,119-mile-long pipeline in 2009 resulted in the company paying a $48,700 fine in 2012 for failing to address corrosion problems in the pipeline at the Oregon refinery for three years.
In addition, the operator received three warnings stemming from the 2009 inspection. One of them was for failing to inspect the pipeline crossing under the Ohio River between Addyston and Hebron for more than five years. Pipelines that go beneath bodies of navigable water must get additional scrutiny under federal regulation. The pipeline did not undergo an inspection by running a device through it from May 2004 until August 2009.
In addition, the federal records show Mid-Valley received a warning in 2006 for not having pipeline route markers along a pipeline section in Hebron where people could reach it. And it received a fine of $35,000 in 2006 for a 2002 inspection where the operator received a citation for failing to run a proper program of continuing education reminding people that the pipeline runs through parts of Kentucky and Ohio. The operator had sent calendars to residents living near the pipeline, but didn’t include any public agencies or excavation services in the program.
From 2006 to 2013, leaks and spills from the pipeline caused $7.5 million in property damage, $1.3 million done in 2008 in Burlington. In the previous 39 accidents, workers recovered 88 percent of the oil spilled.
The pipeline starts in Longview, TX (about 125 miles east of Dallas), and ends in Samaria, MI, about 12 miles north of Toledo and about 53 miles southwest of Detroit. Its size varies depending on the location from 8 inches in diameter to 22 inches in diameter. It only carries crude oil, with destinations in Ohio that include a Husky refinery in Lima and a BP refinery in Oregon (suburban Toledo).
Containment booms surrounding a flooded oil well near the confluence of the Missouri and Yellowstone rivers appear to be holding back oil that leaked from a tank from flowing into the rivers, the North Dakota Department of Health said Saturday.
Crews used two boats to deploy about 6,200 feet of absorbent booms Friday evening to contain oil from a well site owned by Zavanna that had breached the dike.
“They believe they got all the oil contained,” said Kris Roberts, environmental response team leader with the Health Department’s Division of Water Quality.
The oil leaked from a tank that had floated and piping attached to the tank broke, causing oil to spill and breach the dike, said Travis Pfaff, production manager for Zavanna. The oil did not reach the actual river channel, Pfaff said.
The tank contained an estimated 33 barrels of oil, or 1,386 gallons, but crews don’t believe that entire amount released, Roberts said. “We’re pretty certain it was a lot less than that,” Roberts said.
Pfaff said the tank still has a volume of oil in it, but they haven’t been able to determine how much. Another tank at that same location tipped over but did not spill, Pfaff said.
Zavanna, with headquarters in Denver, has three cleanup crews working in the area, coordinated by a production supervisor who works in Williston, Pfaff said.
Crews have surrounded three additional wells with absorbent booms as a precaution, and none had released oil past their dikes as of Saturday afternoon, Pfaff said.
One of the flooded wells had booms surrounding it because it still has a workover rig on the location.
Crews didn’t have time to remove it because they focused on removing chemicals from the well locations, Pfaff said.
“When the ice jam came in, it flooded the area within a couple of hours,” Pfaff said. “The timing just ran out on us and we couldn’t operate in the middle of the night.”
Zavanna crews began securing wells and taking precautions at 10 p.m. Wednesday, Pfaff said.
Lynn Helms, director of the state Department of Mineral Resources, said his office issued a warning several days earlier to owners of about 50 wells in the area that ice jams downstream were causing flooding. Operators received word to shut down the wells and secure their tanks to prevent them from floating, Helms said.
“They were told well before the 12th that there were problems coming,” Helms said.
A Zavanna crew suffered mechanical issues on their boat and ended up stranded Friday, which hindered some of their efforts, Pfaff said. One of the crew members was there for seven hours, he said.
“It became a safety issue, trying to get our individuals safely out of the area,” Pfaff said.
Roberts said he noticed other wells during his aerial tour Friday that had equipment on site, including a Bobcat and sensitive electronic equipment, that crews didn’t have time to remove.
“Water levels come up very, very quickly. You can’t take your time. Some crews got caught,” Roberts said.
The Missouri River at Williston was at just under 26 feet late Saturday afternoon, which is considered major flood stage, the National Weather Service said.
After Monday, the river was going to start trending down, said meteorologist Bill Abeling with the weather service in Bismarck.
However, ice on the Yellowstone or Missouri rivers could create ice jams and cause fluctuations that are difficult to forecast, Abeling said.
During the aerial tour Friday, state officials counted 38 oil wells that have potential for flooding and nine that ended up inundated with water, the Health Department said.
Savanna crews continue to monitor 12 wells in the area, Pfaff said. As waters recede, they will remove any remaining chemicals or crude oil from the well sites, he said.
As a result of the flooding, Savanna officials are considering shutting down the wells during certain times of year, Pfaff said.
By Gregory Hale
Safety and security work hand in hand in the manufacturing automation arena. As cyber attacks get more sophisticated and costly, there is a growing need to elevate security awareness to the same level as safety – ensuring not only a safe, but also a secure manufacturing environment.
Let’s face it, security awareness today suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding of security best practices.
With reported cyber attacks growing by 600 percent since 2010, according to NSS Labs, security awareness amongst manufacturing organizations needs to grow to the point where best practices end up ingrained in workers’ minds. That only makes sense as safety protects man against machines, while security protects machines against man.
Well-known within security circles, cyber security awareness in the manufacturing enterprise remains nascent and needs to bust out and go mainstream within each organization.
But where does that awareness begin and how can a manufacturer get started on the journey toward security?
A decade ago when most systems and business networks remained isolated from one another security was relatively simple. The enterprise stayed connected to the Internet, but focused on keeping its network up, running and protected, while process control and safety systems remained isolated and really did not have to worry about web connections. However, in the name of progress and efficiency, over time the two networks became interconnected – a true sensor to boardroom communication. By the early 2000s, and especially after September 11, 2001, security professionals saw that safety systems and the control network, previously unguarded from any kind of security measures, needed protection. But getting industry leaders to understand and grasp that concept was akin to rolling a boulder up hill.
Stronger Safety Emphasis
The idea of safety, on the other hand, generated a strong following especially after the disaster in Bhopal, India when a methyl isocyanate gas leak occurred on the night of December 2 and early in the morning December 3, 1984 at the Union Carbide India Limited pesticide plant leaving 3,787 dead and 558,125 injured, according to the India government.
In the years since Bhopal, process safety gained corporate importance and all manufacturers understood and respected all safety initiatives. Yes, manufacturers had to look at cost, but it was imperative that companies targeted safety. “Safety First” initiatives began in full force.
Process safety programs focus on design and engineering of facilities, maintenance of equipment, effective alarms, effective control points, procedures and training. It was, and still remains, a vital area to protect a company, its people and the surrounding area from any kind of potential disaster.
When it comes to safety, in order to contain a complex process (such as an oil/gas operation, refinery, chemical plant, steel plant, and automobile manufacturing to name a few), a manufacturer must design and implement management systems to:
• Understand the risk, which involves predicting problems, including predicting the risk of possible accident/loss scenarios, establish the appropriate design and the right layers of protection to control risk to a tolerable level
• Control risk factors every day, which involves controlling the original design by maintaining the established layers of protection and managing changes to the design using integrated management systems
• Analyze actual problems and determine weaknesses in the system, which involves identifying weaknesses in design and management systems and weaknesses in risk understanding through root cause analysis of actual problems (losses and near-losses)
Lagging Security Adoption
At a basic level, security follows those same set of guidelines. Why, then, are more organizations not implementing security into their daily mindset as they are safety? Some of the top internal reasons are: People, training, no real corporate mandate, and no business return on investment.
With security being the new kid on the block for process control, getting people to embrace how to integrate security into their everyday work life is an ongoing education process. Teaching workers to not plug a thumb drive into a computer before checking to make sure it is free of any virus is just one example.
In essence, the lack of ongoing training is also a culprit of not having automation professionals think of security on an every day basis. In safety, manufacturers have ongoing training and standard operating procedures, but in security, there is not enough emphasis placed on total security worker education.
To talk security, there must be a solid business proposition behind why a manufacturer would decide to make the investment. Bringing the idea up to the executive suite that security is more of a business enabler that keeps the network and system up and running and productive and not just an insurance policy is important to generate awareness and send a strong message out to the company. After all, security is going to be an ongoing expenditure, not a one time expense. Initially, there needs to be a risk analysis; what do you need to protect, what is the cost, what is the risk? Then there needs to be a way to quantify those numbers to assess the true benefit.
One of the advantages safety has that is not as prevalent in security is the concept of levels. With safety you have a very clear definition of a safety integrity levels. A system must meet SIL 1 which there is safety, but at a basic level, through SIL 2, SIL 3 and SIL 4, which would be the most dependable. While with security, there is the security assurance levels (SL) but it is not as prevalent and not commonly used throughout the industry. Manufacturers are not yet demanding a security protection that guarantees a SL 3.
Essentially, SL 1 would protect against a casual or coincidental attack and SL 4 would protect against an intentional attack using sophisticated means and extended resources. There are several values of SL within a solution. There is a targeted SL, which is where the user wants to be. Then there is an actual SL which is the user’s current status based on the existing implementation. There is a maximum attained, which is the maximum attainable SL with your current technology. The ideal situation is your targeted SL and your actual SL end up equal. SL levels are a part of the ISA99 security standard specification, which the international industrial control committee defined and accepted.
The problem is a SL is harder to determine than a SIL because of the ever changing threat scenario. The idea of a SL could be a positive in that it can make a security program much simpler. SL remains relatively new, however, and there will need to be some time for industry to let it marinate have it become part of its imbedded culture.
Technology will not fix a problem unless the right processes and the right best practices are in place. Technology will help enable people to make the right decision. But the security culture has to be on a par with the safety culture in order to protect against a cyber attack. Even with multiple technology protective layers, users need to enforce a strong security culture that reaches every level – and it has to start at the top.
That is evolving. In the early 2000s, people were starting to become aware of the entire idea of security and by around the 2005 timeframe, people talked about devices like firewalls that could protect them. But from that timeframe until now, there has been an increase in awareness. The thought process is changing about installing applications and users are starting to think more about security. Within the rank and file, you are starting to hear more about security. But is that happening quick enough?
It is easy to understand that manufacturers’ mindset is one of “we were never hit with a security breach before, so why should I install this complicated solution?” That mindset, while still common today, is starting to change the idea of security being complicated and confusing is evolving into users knowing they need to learn the basics to protect themselves without breaking the bank.
One of the basic areas of uncertainty is manufacturers not understanding what they need to protect. While safety is very specific in what needs protecting, security has vast areas to safeguard. Attackers today are not necessarily looking for destruction. In quite a few cases, they were working in stealth mode in an effort to steal a company’s intellectual property.
Take “Night Dragon.” For well over two years, hackers were surreptitiously able to access oil companies’ systems and steal information including financial documents related to oil and gas field exploration and bid negotiations, in addition to operational details on oil and gas field production Supervisory Control and Data Acquisition (SCADA) systems. That attack emphasized security needed to be strong from the field all the way through the enterprise.
In Night Dragon, attackers compromised the perimeter security through SQL injection attacks on extranet web servers; targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts. Several major oil companies were exploited by Night Dragon.
Standards Set the Tone
While it did take a long time to finalize them, safety often relies upon adhering to a company’s standards or industry standards like IEC’s 61508 and 61511. What is interesting to note and something most manufacturers should keep a vigilant eye on is just about 66 percent of safety instrumented systems in use today predate these standards. The same is true about security, as most control systems on the plant floor today were in existence long before cyber security became an issue.
While the U.S. implementation of IEC 61511 includes a “grandfather clause” for older systems, its insistence that operating companies ensure safety systems end up “designed, maintained, inspected, tested, and operating in a safe manner” leaves no room for less-than-rigorous safety system discipline. The same needs to be true for cyber security.
Even though the IEC Safety Instrumented Systems (SIS) standards are not legal requirements, their growing acceptance as descriptors of industry best practices means that non-compliance may have very real liability implications in the event of an incident. And in some regions and industries, compliance already carries the force of law.
Purposely non-prescriptive in nature, the IEC safety standards outline a holistic methodology for managing every stage of a safety systems’ lifecycle from risk analysis and design engineering through operations, management of change and decommissioning.
Elements relevant to safety systems performance assessment include adherence to accepted risk evaluation and mitigation methodologies such as process hazards analysis (PHA), hazards and operability (HAZOP) analysis, and layers of protection analysis (LOPA).
Industry and government absolutely mandate safety. Practitioners have to adopt safety under penalties or potential fines if they don’t. In addition, in most cases standards are international, so in a global manufacturing environment manufacturers have to adhere to them. In theory, that means solid safety practices should be the same in the U.S. as they are in Europe, Asia, Australia, South America and Africa. Everyone understands the standards and everyone ends up measured against the same standards and there are penalties if they don’t meet those standards.
These types of standards for cyber security could help drive awareness and implementation. Security standards are a big deal. In a world where attacks are fluid and changing, standards give a level of consistency. They are something you can measure against, especially if they undergo an external verification and end up certified.
In the security environment, there are a number of evolving standards with some more prevalent than others like IEC 62443 (ISA99) and the WIB standard. The IEC 62443 (ISA99) series of standards has been in development for over 10 years and some parts are final. But there are other parts that are still a work in progress. The WIB standard, approved in 2010 is a standard that outlines a set of specific requirements focusing on cyber security best practices for suppliers of industrial automation and control systems.
Unlike safety, penalties for not adhering to security standards are non-existent, nor are there rewards for following them. Right now, with the exception of the North American Electric Reliability Corporation (NERC) in the power industry, there is no real reporting requirement for security as there is for safety. NERC requires companies to follow their standards and if not, there can be significant financial penalties for noncompliance.
An overall movement toward reporting requirements could be coming in the form of the Executive Order 13636—Improving Critical Infrastructure Cybersecurity signed by President Barack Obama in February 2013. The Executive Order calls for the government to develop a voluntary framework to reduce cyber risks, recognizing U.S. national and economic security depends on the reliable functioning of critical infrastructure.
The National Institute of Standards and Technology (NIST) is in the process of drafting the framework and collecting comments to incorporate into the final draft to come out in February 2014.
In the end, just how can the government end up helping ensure the critical infrastructure remains secure?
Other than the framework, legislation has failed in the past. As a matter of fact, the Executive Order was in response to failed legislation. Government does have some options like not renewing operating permits until companies meet the requirements.
One fear from all ends of the manufacturing automation industry is there has to be some major incident, much like what happened in Bhopal, which will force companies to focus on and ensure their systems remain secure.
There have been quite a few incidents since 2010 – Stuxnet, which brought down an Iranian nuclear facility; Night Dragon; Flame, which was a cyber espionage malware program targeting Middle East countries; Duqu, a computer worm discovered in September 2011 and related to Stuxnet, and Shamoon, a virus that wiped out 40,000 hard drives at one oil company last August – that have come in and knocked off various networks and inflicted damage. While those incidents are just a few that raised awareness, the level of urgency to get manufacturers thinking about security on the same level as safety is lacking.
Security Best Practices
• Assess Existing Systems: Understand what you have and your exposure
• Document Policies and Procedures: Know what you have to do and when you have to do it
• Train Personnel and Contractors: Everyone has to be on the same page
• Segment the Control System Network: Zones and conduits
• Control Access to the System: Allow certain access privileges
• Harden the Components: Lock down functionality of components
• Monitor, Maintain System Security: Remain vigilant
Security protection is still in its infancy. But that does not mean the industry gets a free pass to ignore or hold off on securing their systems. The list of attacks and potential exposure goes on. Corporate data losses hit the highest levels this year since 2008 as companies need to improve data security strategies against a greater variety of more sophisticated IT attacks, according to one KPMG report.
Former Homeland Security Department Director Michael Chertoff told oil and gas industry executives in Houston this fall the top threat their businesses face is from cyber attacks. Most companies, he said, experienced some type of cyber security event whether they know it or not. Energy companies are clearly in the cross hairs of cyber criminals as more than 40 percent of all reported malicious cyber attacks in 2012 ended up directed at them.
The risk is there for everyone, but by following a guide of best practices, mandatory personnel training and starting the task of undergoing risk assessments, manufacturers big and small can ward off intruders to keep their systems up and running so they can remain a profitable enterprise.
The basic need for security is to:
• Increase plant safety
• Reduce downtime
• Reduce environmental and financial risk
• Meet regulatory compliance
• Connect the plant to the enterprise
In the end, manufacturers’ main goal is to make product and not deal with anything that throws them off track. That is why they have to demand security in the products they buy. They have to make those demands to force vendors to certify the products in an accepted standard, but be willing to pay extra for a more secure solution. After all, if a vendor invests in security for their products and no one will pay for it, then it will be a slow roll out. In safety, it is clear manufacturers will invest in higher safety compliant systems that have a SIL certified rating.
Security, like safety was, is a culture change. Technology must include security and people have to embrace it. Security must start at vendors and work its way through the product lifecycle and it has to continue once it gets up and running at the manufacturer. It is a huge job and the industry is moving in a positive direction, but there is a long way to go.
As Mike Baldi, chief cyber security architect at Honeywell Process Solutions said, “Safety requires investing in resources to achieve it. Security is exactly the same. Security takes money and people to manage it, to implement it and to verify it is working. It is an accepted practice for safety. It is becoming an accepted practice for security.”
Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (ISSSource.com)
It wasn’t that long ago on a cold January night when a chemical spilled into West Virginia’s Elk River and contaminated the drinking water for 300,000 residents.
There is now a movement to unravel the fundamental chemical and health properties of the chemical that contaminated the drinking water for the residents of West Virginia.
The researcher team from Virginia Tech will work to understand the properties of a chemical mixture called crude 4-methylcyclohexane methanol (MCHM), said study leader Andrea Dietrich, a professor of civil and environmental engineering. A $50,000 National Science Foundation Rapid Research grant is helping to fund the study.
The research team is determining the long-term fate of the chemicals in the drinking water distribution system and the environment.
This industrial chemical mixture mainly sees use during the separation and cleaning of coal products. On January 9, more than 10,000 gallons of 4-methylcyclohexane methanol leaked into Charleston’s water supply from a Freedom Industries storage tank. The drinking water of more than 300,000 West Virginians ended up contaminated.
Water restrictions began lifted on Jan. 13 but residents are still detecting the telltale odors of MCHM.
“Residents were alerted by a strong licorice odor that led many people to think at first that the air was polluted,” Dietrich said. “In that respect, consumers are important sentinels for exposure to low levels of MCHM. As is typical of chemicals that were grandfathered under the Toxic Substances Control Act, not a lot of data exists about the product.”
Dietrich said knowledge gaps exist about the short- and long-term fate of the chemical in water systems. The research will provide fundamental chemical properties that can end up used to estimate human exposure through drinking water and indoor air pollution.
Other parameters will evaluate if MCHM interacts with plastic pipe and epoxy liners in water tanks. This research will help determine long-term remediation measures for the water distribution system.
Graduate students in Dietrich’s Civil and Environmental Engineering Techniques for Environmental Analysis class developed analytical chemical techniques that isolated the six major components in the crude mixture and identified their chemical structures.
After identifying the chemicals, they scoured government and industrial databases and realized what little they know about the properties of the compounds. This forced them to master modeling techniques to estimate toxicity and interaction with drinking water pipes and plumbing.
“This is one of the largest human-made environmental disasters in this century. In instances such as this, where the situation is still developing and public health is involved, timing is everything,” said William Cooper, a program director in NSF’s division of Chemical, Bioengineering, Environmental and Transport Systems.