1,721,099 research outputs found

    A Bayesian-network approach for assessing the probability of success of physical security attacks to offshore Oil&Gas facilities

    No full text
    Offshore Oil&Gas facilities are attractive targets of intentional malicious attacks (security attacks) that may trigger cascading events (e.g., the release and dispersion of hazardous material and/or energy, fires, explosions) with consequences on people, environment, and assets. The severity of these consequences is potentially similar to those arising from major accident scenarios originated by conventional safety-related causes. Current practice in managing the risk of security attacks mostly relies on qualitative or semi-quantitative procedures developed over the years in the offshore Oil&Gas industry. In the present study, a systematic quantitative procedure is developed, based on a Bayesian Network (BN) approach, for calculating the probability of success of physical security attacks, taking into account both preventive and mitigative security intervention strategies. The procedure addresses the specific framework of the offshore Oil&Gas industry. A case study concerning an offshore fixed Oil&Gas platform allowed us to demonstrate the quality of the results that can be achieved and their potential towards the improvement of the security of the installations considered

    Identification of reference scenarios for security attacks to the process industry

    No full text
    The possibility of inducing severe security-related events with damage to people, property, and the environment by deliberate malicious attacks to chemical and process plants handling large quantities of hazardous materials received an increasing attention in recent years. The identification of the credible security scenarios is required by Security Vulnerability/Risk Assessment (SVA/SRA) methodologies. However, the current availability of supporting tools is limited. This may hinder a proper management of the risks, especially in the European context where security threats are only marginally recognized under the Seveso legislation. The present study aims at supporting a harmonized identification of the scenarios triggered by deliberate malicious physical attacks to chemical and process plants. An approach based on Bow-Tie formalism is proposed to identify reference security scenarios. The Bow-Tie diagram is used to link the attack modes (Attack Tree) to the relevant release scenarios (Security Events) and to the physical damage scenarios (Event Tree). Reference Bow-Tie diagrams were defined considering substances commonly present in process plants (e.g. flammable substances and oxidizing solids). The validation of the reference scenarios (both attack scenarios and physical damage scenarios) was provided by the analysis of more than 20 security-related incidents that occurred in chemical and process facilities worldwide in the last 50 years. Application to a case-study proved the effectiveness of the results achieved in supporting SVA/SRA studies and in promoting integration among safety and security management.(c) 2022 Institution of Chemical Engineers. Published by Elsevier Ltd. All rights reserved

    Analysis of system resilience in escalation scenarios involving LH2 bunkering operations

    No full text
    In the context of global energy transition and decarbonization efforts, resilience emerges as a critical factor in ensuring the reliability and adaptability of industrial infrastructure systems. This paper introduces a novel model rooted in Dynamic Bayesian Networks (DBNs) for the quantitative assessment of the resilience of engineered systems in the event of escalation scenarios triggered by domino effect. The model is integrated into a systematic, step-by-step procedure capable of evaluating the ability of complex systems to recover functionality from subsequent disruptions occurring at different times throughout the operational lifecycle. Leveraging DBNs, the methodology captures the dynamic interactions and feedback among subsystems or components, overcoming the limitations associated with conventional methods. The innovative methodology has been applied to a case study involving a liquid hydrogen (LH2) bunkering system, illustrating its effectiveness in assessing resilience amidst evolving accident scenarios. The results demonstrate the significant impact of escalation scenarios on system resilience and underscore the importance of proper implementation and management of safety measures and mitigation strategies. The proposed approach provides a valuable insight into system performance and empowers proactive risk management in the face of escalation scenarios, ensuring the continued operation and success of industrial operations in an uncertain and interconnected reality

    Risk Identification for Cyber-Attacks to the Control System in Chemical and Process Plants

    No full text
    Cyber-attacks are becoming a growing concern for process facilities that highly rely on Operational Technology (OT) systems for the potential severity of the consequences on humans, assets, and the environment that can be generated. The study is based on the development of synergic tools aimed at filling the gap in the availability of specific approaches to support cyber risk identification phase required by Security Vulnerability/Risk Assessment methodologies and the cybersecurity risk assessment proposed by ISA/IEC 62443 series of standards on cybersecurity of Industrial Automation and Control Systems (IACS)

    A Bow-Tie Approach for the Identification of Scenarios Induced by Physical Intentional Attacks to Chemical and Process Plants

    No full text
    The possibility of inducing major accident scenarios by physical intentional attacks (e.g. terrorist attacks) to chemical and process plants processing and storing hazardous substances, has been increasingly recognized in the last decades. The identification of the credible security scenarios (chain from attack scenarios to major accident scenarios) is required by Security Vulnerability/Risk Assessment (SVA/SRA) methodologies, but an evident lack of supporting tools is present in the literature. The present study proposes a Bow-Tie approach for the identification of reference security scenarios to support hazard identification phase in SVA/SRA. The potential use of the results is demonstrated on a test case (industrial atmospheric tank storing a flammable liquid)

    Identification of cyber-risks for the control and safety instrumented systems: a synergic framework for the process industry

    No full text
    Malicious interferences to Industrial Automation and Control Systems (IACS) such as the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) of chemical and process facilities may initiate events with severe consequences such as major accident scenarios (e.g., loss of containment of hazardous substances) and production outages. Existing security vulnerability and risk assessment (SVA/SRA) methodologies, as well as the cyber-risk assessment approach proposed by ISA/IEC 62443 series of standards, do not provide any practical method or guideline supporting cyber-risk identification. Moreover, an evident lack of procedures addressing the concrete connection between malicious manipulations of the BPCS and SIS and the impacts on the physical process system that can be initiated, is present in the scientific literature. Given the outlined gap, in the present study, a synergic framework of tools is described and applied to a case study (offshore Oil&Gas platform for gas compression), supporting the systematic identification of the risks that can originate as a result of a malicious interference to the BPCS and SIS. The framework consists of a past incident analysis (PIA) and of two rigorous methodologies, PHAROS, focused on major accident hazards, and POROS, addressing also operability issues. The concept of cyber-attack credibility is here introduced to identify the most credible sets of manipulations based on the score of the plant knowledge level required by the attacker and that of the cyber complexity of the attack pattern, allowing to provide valuable information on how to effectively allocate resources for a more secure network architecture

    Cyber Threats Affecting the Process Industry and Similar Sectors

    No full text
    Cyber threats are becoming a growing concern for industrial facilities characterized by a high degree of automation, especially those that highly rely on Operational Technology (OT) systems such as process facilities. Fixed installations where chemical and petroleum products are manufactured and stored (e.g. Seveso sites in EU) are of primary concern since attackers may exploit their inherent hazardous conditions and trigger events with severe consequences on workers, population, the environment, and the company itself (e.g. major accidents). The study is based on the development of a database of 82 cybersecurity-related incidents (CSIs) and its analysis using Exploratory Data Analysis (EDA). Time-trend (from 1975 to 2020), geographical distribution, distribution among the industrial sectors, impacts of the incidents, and type of attackers (intentional external / intentional internal / accidental) were investigated, evidencing important findings. The attacks resulted to be able to affect not only the company Information Technology (IT) system, which is a threat common to several business sectors, but also to manipulate the control and safety systems (OT). Finally, the analysis of a sub-set of incidents with more detailed information allowed to identify the general phases of a cyber-attack to IT-OT systems of a process facility. The information obtained can be used to support the application of the techniques commonly used to handle security-risks in process facilities, such as Security Vulnerability Assessment (SVA) methodologies

    Process hazard and operability analysis of BPCS and SIS malicious manipulations by POROS 2.0

    No full text
    The increasing interconnectivity with external networks and the higher reliance on digital systems make the facilities of the chemical, process, and Oil&Gas industry more vulnerable to cyber-attacks. These attacks have the potential of causing events with severe consequences on property, people, and the surrounding environment such as major event scenarios. The application of the currently available methodologies for cyber risk identification to complex plants with a large number of units may be demanding and cumbersome. The present study proposes an updated methodology, named POROS 2.0, that allows reducing time and effort in application by limiting the scope of the analysis to relevant cybersecurity scenarios. The latter are identified by investigating the potential escalation of consequences propagating among process and/or utility nodes of the manipulations of BPCS and SIS, similar to what is done in the HazOp technique in the safety domain. POROS 2.0 was demonstrated by the application to a case study addressing a fixed offshore platform for gas exploitation

    Critical Cybersecurity Scenarios in Drinking Water Treatment Plants

    No full text
    The increasing interconnectivity with external networks and the higher reliance on digital systems make chemical and process industries, including waste and drinking water treatment plants, more vulnerable to cyberattacks. Historical evidence shows that these attacks have the potential to cause events with severe consequences on property, people, and the surrounding environment, posing a serious threat. While the risks deriving from the malicious manipulation of the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) in chemical and Oil&Gas facilities have been systematically analysed in the available literature, including previous works of the Authors, the analysis of the consequences of cyber-attacks to drinking water treatment plants has not been conducted to date. To fill this gap, in the present study the methodology POROS 2.0 (Process Operability Analysis of Remote manipulations through the cOntrol System) developed by the Authors was applied to a drinking water treatment plant, providing valuable insights on possible critical scenarios originated by cyber-attacks in these facilities
    corecore