This is a repost that was originally posted on :
ICS Cross-Industry Learning: Cyber-Attacks on a Solution Polymer Chemical Process
Authored by robertmlee
Industrial Control System (ICS) is a generic term. Various types of individual systems that impact the process fit into this category, such as HMIs, PLCs, SCADA, DCS, RTUs, SIS, and more. But entire systems of systems also fit into this categorization, such as those automation systems for power transportation, chemical processing, oil drilling, and so forth. I often see in SANS classes, conferences, and elsewhere that folks who identify themselves as ICS community members may have decades of experience but only in their industries such as oil, gas, power, water, etc. Yet there are so many lessons to be learned from other industries, whether it is in the nature of operations itself or in security. Thus the inspiration behind this new series of blogs: “ICS Cross-Industry Learning”. I have reached out to a number of friends and peers in the community and asked them to write about their industry. The hope is to educate on the ICS itself, the security and networks of those industries, or any other aspect of the industry that might be useful as cross-industry knowledge for the wider community. That also includes understanding where these systems can be attacked. It is in this understanding that they may also be better defended.
I’m very happy to introduce the series with a piece written by Patrick Coyle (@pjcoyle) who has worked in the chemical process industry for twenty years. You can also check out his blog here. The following was written by Patrick:
Cyber-Attacks on a Solution Polymer Chemical Process
A couple of weeks ago I was asked to do a blog post on a ‘typical chemical facility’, describing its operation so that cybersecurity experts could have an idea about some of the typical problems that they should be looking for when they come in to consult on a control system security program. I agreed and set to work, designing a typical facility for one type of chemical manufacturing. And then I stopped; I realized that I was setting out to write a book, not a blog post.
The problem is that there is no such thing as a typical chemical facility. Every facility is unique and changes over time as product lines are expanded and changed, as new process control ideas are instituted, and as new rules and regulations are promulgated. And even if an individual plant design was somehow static, no two chemical facilities, even two making exactly the same products (even by the same company), would be close to the same due to process equipment changes, process lessons learned, and changes in the regulatory environment.
Instead of a chemical plant I am going to look at a single chemical manufacturing process, in a single vessel, and ignore all the equipment on the other ends of the pipes that move things into and out of the vessel in question. This will be a simple solution polymerization process with three raw materials: an organic solvent, a vinyl monomer, and an organic peroxide initiator. The vessel in which the reaction takes place will be a stainless steel vessel with internal coils for heating and cooling (same coils for both) equipped with a reflux condenser, a digital pressure sensor, two resistance temperature detector (RTD) measurement devices, and a set of load cells. The vessel is pressure rated to 70 psi and it is equipped with a pressure release valve (PRV) set to 40 psi. The control system will be a distributed control system (DCS) with limited automation, with most of the controls being input by the operator through a dedicated human machine interface (HMI) for that vessel.
A solution polymer is, by definition, a polymer dissolved in a solvent. The solvent is needed because the length of the polymer chains produced would be so long that they would be a solid at room temperature (rubber or hard plastic) or so viscous (think maple syrup on a cold day) that they would be too hard to handle. A free-radical polymerization process is used. Without going into all of the gory details (that people like me build a career upon) there are two important things to note. First the reaction is exothermic; it produces heat in large quantities. Second once the reaction is started it will go to completion – essentially all of the monomer will be converted to polymer and there is no practical way to control the rate of reaction.
First the monomer and solvent are added to the vessel. Typically the operator tares the vessel load cells and inputs the weight to be charged into the DCS. The DCS then opens the appropriate valves and monitors the load cell output until it reaches the designated weight. It then closes the valves and the operation is repeated for the second item.
Since oxygen is an inhibitor of free-radical polymerization, it must be removed from the system. This is typically done by pulling a vacuum on the sealed vessel and then breaking the vacuum with a nitrogen sparge; displacing the dissolved oxygen. The vessel temperature is then adjusted by the operator using steam or chilled water to the initial reaction temperature.
The initiator is then weighed up in a suitable container by the operator and vacuumed into the vessel. The reaction proceeds to completion and the contents are tested by lab personnel to ensure product quality; in most cases there are two key qualities, product viscosity and product activity (the amount of polymer in the product), but average molecular weight (MW) is also a common specification. The product is then cooled and removed from the vessel.
NOTE: Depending on the specific product being manufactured, the specific type of monomer or blend of monomers being used there may be additional steps taken before and after the polymerization process, but this is the basic free-radical solution-polymer process.
There are four process variables that affect product quality:
Solvent:monomer weight ratio (SMw);
Initiator:monomer weight ratio (IMw);
Oxygen content during polymerization; and
Temperature at the initiation of polymerization
There are three process variables that could adversely affect process safety:
Solvent:monomer weight ratio;
Total monomer weight; and
Temperature at the initiation of polymerization
If the monomer weight is correct, but the solvent weight is off, the resulting problem can usually be corrected by post additions of solvent or distillation of solvent. The former results in a minor increase in processing time and costs. The latter is somewhat more time consuming and thus costly, especially if the amount of excess solvent is large.
If the monomer weight is high the chain length will be larger than normal which results in increased viscosity. The simple way to fix this is to add additional solvent, but this may drive the product activity low out-of-spec (OOS). Blending the batch off in subsequent batches may be an option as long as molecular weight (MW — a measure of chain length) is not a specification. If the monomer weight is low the average chain length will be shorter resulting in lower viscosity. Distilling off solvent may be used to correct this but could result in high OOS product activity. If there is a MW spec this cannot be corrected except by blend-off.
The initiator:monomer ratio will also have an effect on MW. Since the operator weighs up the initiator off-line (and never makes mistakes for the purpose of this discussion) the control system effect will be seen when there is a change to the amount of monomer added to the system. The result would be to exacerbate the SMw problems described above. Less monomer will mean shorter polymer chains and lower MW. Excess monomer will mean longer polymer chains and higher MW.
Excess oxygen left in the system or introduced to the system during polymerization will result in decreased chain length and lower MW. This variable will become more important as the MW variability tolerance decreases. In those instances samples will be obtained from the vessel before the reaction is initiated and the dissolved oxygen content will be measured off-line.
Higher initial temperature for the start of polymerization will increase the maximum temperature reached in the process. A significantly higher temperature (10 to 20 °C) can lead to increased rates of side reactions including:
Polymer branching (increase viscosity and potentially change the performance characteristics of the polymer);
Autopolymerization (increase in the number and decrease in the length of polymer chains), decreasing viscosity; and
Potential reactions with the solvent (product contamination and lower MW)
There are three basic process safety concerns with this type of process:
Spill due to overfilling vessel;
Flash fire in vessel; and
The typical organic solvents used in this type of reaction are flammable or combustible liquids. Almost all vinyl monomers have some level of toxicity associated with them. This means that as a general rule, bulk spills of these materials are safety issues. Vessels are typically vented to a scrubber system during charging (loading). Those scrubber systems are typically intended to handle vapors not liquids so the overfill will move quickly through these systems and onto the ground somewhere. If the flow rate for charging exceeds the maximum liquid flow rate for the scrubber system (very typical) there could be a pressure buildup in the vessel resulting in a release through the PRV. The operation of a PRV is typically considered an internally reportable safety incident in most organizations. Reporting of spills may be required to the Federal (EPA), State and local governments depending on the material and quantity involved.
Most organic solvents used in these processes are flammable or combustible liquids and will typically be at or above their flash points at some point during the polymerization process. Fortunately, we try to run these reactions in an oxygen free environment and the vessel is typically purged with nitrogen before the solvents are charged so flash fires are extremely rare. There is, however, typically an airline plumbed to the vessel to use to control a polymerization reaction that is running too hot. Opening this valve could potentially result in a sufficiently oxygen rich atmosphere to allow for a flash fire due to static discharge (moving air or falling organic liquids from condenser). These are typically self-extinguishing as the oxygen is consumed quickly but may result in the operation of the PRV to release excess pressure caused by the combustion gasses.
Over-pressurization events are the worst case events associated with solution polymerization reactions. They can be caused by a loss of cooling leading to excess heat produced by polymerization raising the solvent vapor pressure in the vessel above the pressure rating of the vessel. The result can be a catastrophic failure of the vessel; non-technical people would call the result an explosion even though a fire may not be involved. Slightly less severe over-pressurization events can also damage other piping and equipment attached to the vessel.
The amount of heat generated by the polymerization reaction is a known value. The maximum temperature rise (without applied cooling) that would result in the process vessel can be calculated (usually ignoring heat transfer to the environment). From that temperature the maximum possible pressure in the vessel can be calculated. If that pressure exceeds either the PRV setting or the maximum pressure rating of the vessel, then safety measures will (SHOULD) be put in place to prevent that uncontrolled temperature rise. More safety measures would be required if the maximum possible pressure were greater than the pressure rating of the vessel.
Preventive measures include the use of a reflux condenser to return some of the vapor to the liquid phase (both lowering the temperature and pressure) and of course using internal cooling coils to remove some of the heat. An air sparge can also be used to reduce the presence of free radicals in the vessel, limiting the progress of the reaction. Some companies will take the inherently safer route and increase the amount of solvent in the system to avoid this potential problem. This will increase the heat sink (lowering the maximum temperature and pressure) and effectively decrease the amount of monomer in the system.
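The worst-case calculation described above, carried through as an added example (not part of the original post): adiabatic temperature rise, then solvent vapor pressure, compared with the 40 psi PRV setting and 70 psi vessel rating. The heat of polymerization, heat capacity, charge weights, toluene-like Antoine coefficients and the reading of "psi" as gauge pressure are all assumptions made for illustration.

```python
# Constructed values for illustration; a real study uses measured process data.
HEAT_OF_POLYMERIZATION_KJ_PER_KG = 700.0   # assumed, per kg of monomer
CP_KJ_PER_KG_K = 2.0                       # assumed heat capacity of the charge
ANTOINE = (6.95464, 1344.8, 219.482)       # assumed toluene-like solvent, mmHg / deg C
PRV_PSIG, VESSEL_RATING_PSIG = 40.0, 70.0  # vessel described in the post (gauge assumed)
ATM_PSIA = 14.696

def max_temperature_c(monomer_kg, solvent_kg, start_c):
    """Adiabatic end temperature: all monomer reacts, no cooling, no heat loss."""
    rise = monomer_kg * HEAT_OF_POLYMERIZATION_KJ_PER_KG / (
        (monomer_kg + solvent_kg) * CP_KJ_PER_KG_K)
    return start_c + rise

def max_pressure_psig(temp_c):
    """Solvent vapor pressure at temp_c as gauge pressure (nitrogen pad ignored).

    Antoine fits are only valid over a limited range, so values far above the
    solvent's normal boiling point are a rough extrapolation.
    """
    a, b, c = ANTOINE
    mmhg = 10 ** (a - b / (temp_c + c))
    return mmhg * ATM_PSIA / 760.0 - ATM_PSIA

def screen(monomer_kg, solvent_kg, start_c):
    """Classify the worst case against the PRV set point and the vessel rating."""
    p = max_pressure_psig(max_temperature_c(monomer_kg, solvent_kg, start_c))
    if p > VESSEL_RATING_PSIG:
        verdict = "exceeds vessel rating"
    elif p > PRV_PSIG:
        verdict = "exceeds PRV setting"
    else:
        verdict = "below PRV setting"
    return round(p, 1), verdict

# Constructed scenarios: (monomer kg, solvent kg, initial temperature in deg C).
SCENARIOS = {
    "design charge": (2500, 7500, 60),
    "extra solvent (inherently safer)": (2500, 10000, 60),
    "start 20 C hot": (2500, 7500, 80),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, screen(*args))
```

With these assumed numbers, the extra solvent lowers the worst-case pressure well below the design case, while a start temperature 20 °C high is enough to push the uncooled worst case past the PRV setting.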
From the above discussion it would seem obvious to me that there are two points at which this process is vulnerable to control system attacks that would have serious quality impacts on the company owning the facility. The same points would be attacked to try to effect a catastrophic attack on the process, but the success of that attack would depend in large part on how well the facility safety systems were designed and installed.
The two attack points would be the solvent:monomer weight ratio and the initial polymerization temperature. Both attacks would be most effective if executed as a man-in-the-middle attack between the HMI and the relevant measuring devices (load cells for the weight ratio and the RTDs for the temperature).
An increase in the amount charged for either (or both) the solvent or the monomer, if it was larger than the process headspace (empty space above the liquid level in the vessel), could result in a vessel overfill with a subsequent spill. The result of this attack would be immediately identified and would require an in-house investigation.
A more circumspect attack would increase the monomer charge and decrease the solvent charge by an equal weight amount. A small overcharge (2 to 5%) done repeatedly would have long term effect on product quality and profitability as monomer costs increased. A somewhat larger monomer overcharge (5 to 10%) would certainly result in an off-spec batch that would have cost effects on the company.
A larger overcharge (>15%) would increase the possibility of having a minor overpressure event (PRV release) in addition to making off-spec material that probably could not be salvaged. Expensive vessel cleanout could also be required. Determining how much excess monomer would be needed for a catastrophic overpressure event (or if such an event was even possible) would require some fairly detailed process knowledge and the ability to overcome safety systems.
For a process that included a pressure relief system designed to handle a worst case pressure increase a sufficiently high SMw could result in a release of a significant portion of the solvent through the pressure relief system. This would result in the formation of a polymer in the vessel that if allowed to cool would become a solid. Most facilities would not have systems in place to safely handle the high-temperature liquid polymer before it cooled to the point that it would not flow out of the vessel. It is very likely that this would result in a situation where the vessel would have to be removed from the facility due to the high cost of removing the solid polymer.
A man-in-the-middle attack on the RTD outputs reported to the DCS would allow the higher temperature set-point to be applied to the vessel during heat up. Maintaining the reporting at a fixed percentage below the actual temperature throughout the polymerization process would ensure that the operator would not take any action to correct the problem.
To prevent any process personnel from suspecting a control system attack, the attacker would need to control what information was reported to the Data Historian (DH) for the DCS, as it will be this data that is checked first during an incident investigation. On the weight ratio attack, reporting the actual weight charged to the DH will make it look like an operator error that caused the mischarge making a detailed look at the control system unlikely. This is necessary because there are independent checks of charge weights that could identify a charging discrepancy.
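One way to run the independent charge-weight check mentioned above so that it also catches small, repeated mischarges, shown as an added example that is not part of the original post. The batch records, the tolerances and the second measurement (`independent_kg`, for instance a supply-tank inventory drop) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (batch, material, setpoint_kg, historian_kg, independent_kg).
# independent_kg is an assumed second measurement, e.g. supply-tank inventory drop.
CHARGES = [
    ("B001", "monomer", 2500, 2500, 2502),
    ("B001", "solvent", 7500, 7500, 7495),
    ("B002", "monomer", 2500, 2575, 2574),
    ("B002", "solvent", 7500, 7425, 7427),
    ("B003", "monomer", 2500, 2575, 2576),
    ("B003", "solvent", 7500, 7425, 7424),
    ("B004", "monomer", 2500, 2575, 2575),
    ("B004", "solvent", 7500, 7425, 7426),
    ("B005", "monomer", 2500, 2500, 2577),
    ("B005", "solvent", 7500, 7500, 7424),
]

def reconcile(charges, gross_tol=0.05, match_tol=0.005, slack=0.01, drift_limit=0.05):
    """Return (batch, material, finding) tuples for charges that need review."""
    findings = []
    high = defaultdict(float)   # one-sided CUSUM of overcharge, per material
    low = defaultdict(float)    # one-sided CUSUM of undercharge, per material
    for batch, material, setpoint, historian, independent in charges:
        dev = (independent - setpoint) / setpoint
        # A historian value that disagrees with the independent check points at
        # the data path rather than at the operator.
        if abs(historian - independent) / setpoint > match_tol:
            findings.append((batch, material, "historian_mismatch"))
        if abs(dev) > gross_tol:
            findings.append((batch, material, "gross_deviation"))
        # CUSUM accumulates same-direction errors that each stay under gross_tol.
        high[material] = max(0.0, high[material] + dev - slack)
        low[material] = max(0.0, low[material] - dev - slack)
        if high[material] > drift_limit or low[material] > drift_limit:
            findings.append((batch, material, "persistent_drift"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(CHARGES):
        print(finding)
```

In the sample data no single batch exceeds the 5% gross tolerance, yet the 3% monomer overcharge is escalated after its third repetition, and the batch whose historian shows the setpoint weight is flagged as a data-path discrepancy.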
In the temperature probe attack reporting the same temperature to both the DH and DCS would make it almost impossible to identify the root cause of the incident as a cyber-attack as long as both of the vessel RTD readings were in sync. If a temperature measurement error was suspected the maintenance folks would look at the RTD calibration not the DCS.
From this quick look at a very simple process we can see that there are multiple points of attack upon a control system that could have effects on the quality and efficiency of the output of a chemical facility. The ability to initiate an attack with catastrophic consequences is complicated by the fact that the facility management is already required to address catastrophic process failures and have multiple layers of protections in place to prevent their occurrence. This would require a much more complex attack and a more detailed understanding of both the process and the safety systems involved.
Bio: Patrick Coyle is a fifteen year veteran of the US Army and has worked for 20 years in the chemical process industry; twelve years as a process chemist and four as a QA Manager. He has taught industrial safety and been a freelance writer since 2006. For the last 8 years he has used this unique background to write a chemical security blog; the Chemical Facility Security News.