The need for correct, authenticated pressure measurements for reliability, safety, and cyber security
On January 13, 2023, Abhishek Sharma published the ISA blog “The wisdom of correct pressure measurements” (https://blog.isa.org/the-wisdom-of-correct-pressure-measurements). The blog states: “Because of faulty installation or variations, remote pressure sensors or local pressure gauges can produce unexpected results. They occasionally perplex the process engineer, such as when downstream pressure exceeds upstream pressure in the flow direction. Here, we will look at all the issues concerning pressure sensors and value discrepancies. This blog will provide knowledge of pressure measurement as well as recommendations.” It is a good blog but doesn’t address “all of the issues.” Consequently, I wanted to provide some additional thoughts from my time in nuclear plant Instrumentation and Control (I&C) and control system cyber security that were not addressed in Abhishek’s ISA blog. The cyber security issues that affect pressure measurements are common to other process measurements.
Pressure sensor measurements
Inaccurate pressure sensor measurements have contributed to a nuclear plant core melt and other nuclear plant safety issues, explosions in refineries and oil storage tanks, pipeline ruptures, and more. The ISA blog addresses unintentional issues. It doesn’t address maintenance issues such as miscalibration or pressure sensor cyber security.
The blog addressed pressure measurements after a pipeline expander (going from a smaller pipe to a larger pipe) but not the restriction of flow (going from a larger pipe to a smaller pipe), such as with a venturi for measuring flow rate. A venturi flow meter is a type of differential pressure (dp) flow meter that generates a flow measurement by measuring the pressure difference at two different locations in a pipe. This pressure difference is created by constricting the diameter of the pipe, which causes an increase in flow velocity and a corresponding pressure drop. It is through these changes in the fluid flow that the flow rate can be deduced.
Why is this important? Nuclear power plants are licensed to a maximum thermal power output. Thermal power is calculated based on measured feedwater flow rate. In the late 1980s, while at EPRI, I was working on a nuclear plant that was “losing” tens of megawatts a day due to erroneously high feedwater flow measurements. This was because, over time, the venturi would foul, creating erroneously high pressure drops, which resulted in erroneously high flow measurements and, in turn, erroneously high thermal power calculations. Consequently, the plant was effectively derated: it reached the maximum licensed thermal power limit because of the erroneously high feedwater flow measurements even though the actual thermal output was lower, thus losing actual power. To counteract the feedwater fouling issues, the utility switched to strap-on ultrasonic feedwater flow measurements. In non-nuclear power applications that do not have regulatory limits on allowable power, venturi fouling is not an issue.
The blog addressed plugging of sensing lines. Sensing lines are small diameter lines that enable the pressure transmitter to be located away from the pipeline or vessel being monitored. Sensing line blockages cause errors in process measurements and sluggish response. Sensing line monitoring is performed using noise analysis. When sensing line plugging starts to occur, the “noise” in the sensor signal increases. However, with Windows HMIs or digital sensors that filter out the higher frequency noise, the increase in sensor noise from the plugging may not be detected. In one case, a two-unit power plant was automatically shut down when the sensing line plugging caused the pressure sensors to reach their trip setpoint without any warning that the sensing lines were plugging.
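The masking effect described above, as an added example that is not part of the original post: a constructed pressure trace whose high-frequency noise rises fivefold is scored once on the raw samples and once on a damped, slowly polled view such as an HMI would show. The signal shape, noise levels, block size and alarm threshold are all assumptions chosen for illustration.

```python
import math
import random
import statistics


def simulate(n, noise_sigma, rng, period=200):
    """Constructed trace: slow process swing around 1000 plus Gaussian sensor noise."""
    return [1000 + 5 * math.sin(2 * math.pi * i / period) + rng.gauss(0, noise_sigma)
            for i in range(n)]


def hmi_view(samples, block=20):
    """Damping plus slow polling, modelled as the mean of each block of samples."""
    return [statistics.fmean(samples[i:i + block])
            for i in range(0, len(samples) - block + 1, block)]


def noise_level(samples):
    """Std-dev of sample-to-sample change: suppresses the slow trend, keeps the noise."""
    steps = [b - a for a, b in zip(samples, samples[1:])]
    return statistics.pstdev(steps)


def noise_ratio(baseline, current):
    """How many times noisier the current trace is than the baseline trace."""
    return noise_level(current) / noise_level(baseline)


def compare(seed=1, n=2000, threshold=2.0):
    """Score the same two traces on the raw signal and on the filtered view."""
    rng = random.Random(seed)          # fixed seed so the result is repeatable
    healthy = simulate(n, 0.2, rng)    # assumed normal noise level
    plugging = simulate(n, 1.0, rng)   # assumed noise level as the line plugs
    raw = noise_ratio(healthy, plugging)
    hmi = noise_ratio(hmi_view(healthy), hmi_view(plugging))
    return {"raw_ratio": raw, "raw_alarm": raw > threshold,
            "hmi_ratio": hmi, "hmi_alarm": hmi > threshold}


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

The raw trace crosses the alarm threshold, while the filtered view stays close to a ratio of 1 because averaging removes the added noise and leaves only the slow process swing.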
Pressure sensor maintenance
The blog doesn’t address pressure measurement drift or incorrect sensor settings. Pressure and dp sensors drift over time and need to be periodically recalibrated. However, the calibration tools have no cyber security, yet they have Internet connectivity. There have been numerous documented cases where pressure and other process sensors have been reranged during maintenance. When pressure sensor settings are changed from their correct settings, whether unintentionally or maliciously, process safety is compromised even though the sensor readings may appear correct. Consequently, the maintenance/calibration process has ramifications for reliability, process safety, and cyber security.
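One way to catch a reranged transmitter, as an added example that is not from the original post: compare each device's as-found range against the approved calibration record, and compute what the control system indicates when the two disagree. It assumes a 4-20 mA loop; the tag names, ranges and trip setpoint are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    lrv: float  # lower range value: pressure that produces 4 mA
    urv: float  # upper range value: pressure that produces 20 mA


def to_milliamps(pressure, rng):
    """Transmitter side: pressure to loop current, using the range stored in the device."""
    return 4.0 + 16.0 * (pressure - rng.lrv) / (rng.urv - rng.lrv)


def to_pressure(milliamps, rng):
    """Control-system side: loop current to pressure, using the range the system expects."""
    return rng.lrv + (milliamps - 4.0) / 16.0 * (rng.urv - rng.lrv)


def indicated(true_pressure, device_rng, system_rng):
    """Value the operator sees when device and system ranges may differ."""
    return to_pressure(to_milliamps(true_pressure, device_rng), system_rng)


def audit(approved, as_found, tol=1e-6):
    """Return tags that are missing or whose as-found range differs from the record."""
    findings = []
    for tag, want in approved.items():
        got = as_found.get(tag)
        if got is None or abs(got.lrv - want.lrv) > tol or abs(got.urv - want.urv) > tol:
            findings.append(tag)
    return sorted(findings)


# Constructed sample data: hypothetical tags, ranges in psig.
APPROVED = {"PT-101": Range(0.0, 2000.0), "PT-102": Range(0.0, 500.0)}
AS_FOUND = {"PT-101": Range(0.0, 3000.0), "PT-102": Range(0.0, 500.0)}
TRIP_SETPOINT = 1400.0  # constructed high-pressure trip, psig

if __name__ == "__main__":
    shown = indicated(1500.0, AS_FOUND["PT-101"], APPROVED["PT-101"])
    print("range mismatches:", audit(APPROVED, AS_FOUND))
    print("true 1500 psig is indicated as", shown, "trip reached:", shown >= TRIP_SETPOINT)
```

With these constructed values the loop current is a valid 12 mA and the display shows a plausible 1000 psig, so only the comparison against the approved record reveals the problem.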
Pressure sensor cyber security
The analog pressure and dp measurements, along with other process measurements such as temperature, are inputs for control and safety. For operator information, the signals are converted into Ethernet packets as input to the Windows operator displays and Operational Technology (OT) monitoring systems. The serial-to-Ethernet conversion process can be susceptible to cyberattacks like the 2015 Ukrainian grid cyberattack. Industry 4.0, digital transformation, Smart Grid, and other emerging families of technology utilize pressure sensor readings. However, these advanced technologies only address the Ethernet packets, assuming the raw pressure sensor data are uncompromised, authenticated, and correct. This may be why the cyber security of pressure sensor (and other process sensor) measurements is generally ignored by the IT and OT network cyber security communities.
The concern with lack of pressure sensor authentication can be seen from an engineer in Abu Dhabi who wrote: “there are no passwords at all in most of the instruments, even by default. You simply plug in your HART communicator (which has no cyber security or authentication) and change whatever you want.” This should be a clarion call to address the process sensor cyber security issue. In addition, ISA84.09 conducted an exercise to determine the relative conformance and applicability of the ISA 62443-4-2 Component Cyber Security Specification’s individual cyber security requirements to legacy (what is being built today as well as those already installed in the field) process sensors. A digital safety pressure transmitter and its ecosystem, including the transmitters, host computers, field calibrators, and local sensor networks, was selected to determine what, if any, compensating measures might be necessary. The results were that 69 of the 138 individual requirements, including the fundamental requirements, could not be met. The sensors had hardware backdoors that could not be bypassed. As previously mentioned, the sensor calibration tools have no security but also have direct connections to the Internet. Without authentication, you don’t know if the pressure sensor data providing direct control of the equipment and information to the operators is coming from the process sensors or from operators in Beijing. Neither network monitoring nor threat hunting can address the pressure sensor issues, though compromised sensor readings can affect OT networks and the conclusions from threat hunting.
The blog doesn’t address counterfeit pressure and dp transmitters that have been found in critical applications. Counterfeit process sensors are an ideal vehicle (Trojan horse) to get malware into OT networks as the sensors are 100% trusted. These are safety and cyber security concerns.
The lack of understanding of process sensor cyber security also extends to the engineering community. An acknowledged process industry instrumentation cyber security expert stated: “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”
The article in the November issue of IEEE Computer: “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors” (https://www.computer.org/csdl/magazine/co/2022/11/09928204/1HJuIVVEBWM) addresses many misconceptions about process sensor accuracy and cyber security. The paper was based on the results of a project performed at a large industrial facility. It addressed the operational and cybersecurity limitations of legacy process sensors (pressure, flow, temperature, motor amperage, vibration, and valve position) and how machine learning was used to work around those limitations. One of the key findings of the plant analysis was that more than half of the process sensors were either inoperable or out of calibration, but the Windows-based Operator displays did not identify these issues.
Summary
Correct pressure, dp, and other process sensor measurements are necessary for reliability, product quality, maintenance, process safety, and cyber security, yet the sensor measurements and their maintenance tools are generally not cyber secure. These devices can be incorrect for unintentional or malicious reasons. If you can’t trust pressure, dp, and other process measurements, you have no cyber security, safety, reliability, resilience, or situational awareness.
Joe Weiss