In his testimony Friday July 23, 2010 , Michael Williams, the chief electronics technician aboard the Transocean-owned Deepwater Horizon, said that the rig's safety alarm had been habitually switched to a bypass mode to avoid waking up the crew with middle-of-the-night warnings. Williams also said that five weeks before the April 20 explosion, he had been called to check a computer system that monitored and controlled drilling. The machine had been locking up for months, Williams said, producing what he and others on the crew called a "blue screen of death." "It would just turn blue. You'd have no data coming through," Williams said today, according to the New York Times' story. With the computer frozen, the driller would not have access to crucial data about what was going on in the well.
I have added BP to my August 25, 2009 blog and you can see how BP is similar to the Bellingham, WA gasoline pipeline rupture, the DC Metro Train crash, and the Air France crash:
In the control systems community, the primary focus is on safety and reliability while the most frequent cyber risks are unintentional. As Walt Boyes phrases it, the control systems community needs to focus on functional security. Functional security addresses the ability of systems to perform their functions in the face of intentional or unintentional cyber threats while assuring fail-safe operation. Functional security requires not just control systems domain expertise, but looking at system design and policies from a different perspective. The lack of functional security has led to control system cyber incidents in electric, water, oil/gas, chemicals, and transportation including several with fatalities. Air France (aircraft) and the Washington DC Metro (rail rapid transit) apparently involved cyber control system failures; the Olympic Pipeline Company – Bellingham (gasoline pipeline) did suffer from cyber control system failures; and now the Deepwater Horizon oil platform suffered from known computer failures affecting the control systems.
Common issues in Air France, DC Metro, Olympic, and BP Deepwater Horizon were:
- Reliance on remote (automated) system control
- Previous failures with control systems and components
- Logic that did not provide for “fail-safe” conditions
- Operator confusion due to “inaccurate” operator displays
- Violation of the NIST Confidentiality/Integrity/Availability criteria
Modern communications and control system technologies are making systems more productive, but are reducing robustness. Many control system cyber incidents did not violate IT security policies as they were control system design or operation issues. And, yes, they could have been intentionally caused. The Smart Grid will further blur the lines between IT and control systems making functional security even more important. However, control system domain expertise is lacking. It’s time to address functional security of control systems before more people die.
Details on these incidents are provided in my book, Protecting Industrial Control Systems from Electronic Threats and will be discussed at the September 21-23 Applied Control Solutions Control System Cyber Security Conference in Rockville, MD.
Joe Weiss