Similar literature (20 results)
1.
Modern industrial control systems face increasingly severe information security problems, so information security measures are being applied ever more widely in industrial control systems. However, whether these information security measures affect the existing functional safety measures, whether potential contradictions and conflicts exist between the two, and how the two can run together effectively are questions for which the industry has no recognized, practically executable solution. To ensure that the safety functions of an industrial control system execute reliably while the system effectively resists increasingly serious information security attacks, a technical scheme applicable to industrial control systems that ensures the mutual compatibility of information security and functional safety measures must be explored. Taking a typical SIL3 and SL3 industrial control system as an example, and starting from its functional safety measures, the information security measures are traversed one by one to identify potential contradictions between the two; a coordinated functional safety and information security solution is derived by combining event tree analysis with risk analysis, and finally an integrated set of functional safety and information security protection measures for industrial control systems is obtained.

2.
In this paper, we show the need for improved Process Control System (PCS) security, and describe some of the promising research areas in PCS security. One implementation of PCS in critical infrastructure and factory automation is a supervisory control and data acquisition (SCADA) system, a real-time industrial process control system which centrally monitors and controls remote and/or local processes utilizing plant, equipment, or devices (such as switches, valves, pumps, relays, etc.) while collecting and logging field data. Current SCADA systems are distributed, networked, and dependent on open Internet protocols, which exposes them to remote cyber terrorism. They are particularly vulnerable to unauthorized access. We give some examples of SCADA processes with natural gas control systems in the USA and the Ubiquitous Sensor Network (USN) in Korea. We also examine a representative vulnerability and the corresponding security measures, and present an example of concrete measures for the security of mass transportation as a critical infrastructure.

3.
In this paper we explore the concept of Transmission Functions and its application to the resolution of the problem posed by the uncertainty in the time to take manual protective actions, due for instance to different operator abilities. This time uncertainty is a very special kind of uncertainty with obvious relevance in Protection Engineering problems. Tackling it involves a large number of simulations of transients associated with sequences of system transitions resulting from those actions, where the only difference from one simulation to another is the time interval between transitions, the evolution laws being always the same. In order to solve such problems, a new formalism is proposed based on the concept of the Transmission Function. We prove that for a large class of Multiple Input–Multiple Output (MIMO) piecewise linear systems, the output may be obtained as additive contributions of each interval of the sequence, each one characterized via a Transmission Function. We then provide efficient methods to compute Transmission Functions of sequences of canonical Single Input–Single Output (SISO) piecewise systems, and to find the locus of protective action times that lead to damage (damage domain).

4.
Introduction: This paper presents the cost benefits of two different onboard safety systems (OSS) installed on trucks as they operated during normal revenue deliveries. Using a formal economic analysis approach, the study quantified the costs and benefits associated with lane departure warning (LDW) systems and roll stability control (RSC) systems. Methods: The study used data collected from participating carriers (many of these crashes were not reported to state or Federal agencies), and the research team also reviewed each crash file to determine if the specific OSS would have mitigated or prevented the crash. The deployment of each OSS was anticipated to increase the safety of all road users, but impact different sectors of society in different ways. Benefits that were inherent in each group (e.g., industry, society) were considered, and different benefit–cost analyses (BCAs) were performed. Results: This paper presents two BCAs: a BCA focused on the costs and benefits in the carrier industry by implementing each OSS, and a BCA that measured the societal benefits of each OSS. In addition, a BCA for a theoretical mandatory deployment option for each OSS is presented. Conclusions: BCA results for LDW and RSC clearly showed their benefits outweighed their costs for the carrier and society. Practical applications: Cost information is a crucial factor in purchasing decisions in carriers; similarly, regulators must consider the cost burden prior to mandating technologies. The results in this study provide carrier decision makers and regulators with information necessary to make an informed decision regarding RSC and LDW.

5.
The application of local area networks provides a good environment for resource sharing, information exchange and distributed processing, but at the same time faces serious security technology problems. Addressing the accessibility of data, the aggregation of information and the difficulty of establishing defences that exist in LANs, and starting from the protection of the confidentiality, integrity and availability of information, the author proposes that appropriate security technologies should be adopted according to a risk evaluation of the LAN, and discusses the related security technology countermeasures. It is also pointed out that technical measures alone are far from sufficient: security supervision and management work must be strengthened and complete emergency response plans established to ensure the security of the LAN.

6.
Engineering risk management is comprised of managing operational safety risks on the one hand and managing physical security risks on the other. Although some basic management principles are obviously the same for both safety and security, some important conceptual and calculation differences exist, as is explained in this paper. For instance, safety risk is usually calculated based on the scenarios’ consequences and likelihoods, while security needs to be determined by the assessment of vulnerability, the likelihood of attack and potential consequences. Nonetheless, there are also many similarities. Conceptual models, metaphors and principles that have been elaborated in the safety domain during the past century, many of them based on major accidents and their investigation, can easily be translated to the security domain. In the present study, we will explain how physical security should be seen in relation to safety, and what models and principles, derived from safety science, can be employed to manage the security aspects associated with physical threats.

7.
The American National Standards Institute (ANSI)/American Petroleum Institute (API) Standard 780 Security Risk Assessment (SRA) Methodology was published in June 2013 as a U.S. standard for security risk assessments on petroleum and petrochemical facilities. The standard represents a model standard for evaluating all security risks of petroleum and petrochemical infrastructure and operations and assists industries in more thoroughly and consistently conducting SRAs. The 2013 Standard is an update from the previous API/NPRA SRA Methodology (2004) and focuses on expanding functional utility without changing the basic methodology. The methodology can be applied to a wide range of assets even beyond the typical operating facilities of the industry. This includes refining and petrochemical manufacturing operations, pipelines, and transportation operations including truck, marine, and rail, as well as worker and executive security, housing compounds, and remote operational sites. The new standard describes the most efficient and thorough approach for assessing security risks widely applicable to the types of facilities operated by the industry and the security issues they face. It is voluntary but has been adopted by the Kingdom of Saudi Arabia Ministry of Interior High Commission for Industrial Security as the mandatory security risk assessment methodology for industrial facilities. This paper examines the key elements of the ANSI/API SRA process and discusses how forward-thinking organizations may use risk-based performance metrics to systematically analyze facility security postures and identify appropriately scaled and fiscally responsible countermeasures based on current and projected threats. The AcuTech Consulting Group developed the methodology under contract to the API, and the author was the project manager for the project.

8.
As operational and information technologies converge to allow for remote and real-time access to plant operating data and control functions, the process industry could become increasingly susceptible to cyber-attacks. Traditional hazard and risk analysis methods appear inadequate to identify, prevent, and mitigate such attacks. This paper discusses the significance of incorporating cybersecurity vulnerability analysis not just as part of process hazard analysis (PHA), but also in terms of protecting the process control network and implementing adequate safeguards in general against cyber threats. A layer of protection analysis (LOPA) is adapted to evaluate potential weaknesses and ensure safeguards for critical applications would be resistant to cyber-attacks. Integrating cybersecurity into hazard and risk analyses as well as other elements of process safety management (PSM) is demonstrated with examples, making the plant more resilient against both traditional and cyber threats.

9.
Ethylene projects are high-investment, high-risk projects. Characteristics such as complex technology, deeply interleaved work by many disciplines and trades, cramped working space in the construction area, large numbers of construction workers and a long construction period increase the difficulty of construction organization and safety management for ethylene projects. In addition, many factors affect engineering safety: unsafe human behaviour, unsafe conditions of equipment and materials, and inadequate supervision of any link or process in project implementation all directly or indirectly affect on-site safety. Doing HSE management well in ethylene projects is therefore particularly important. Around the safety management objective of "no safety accidents, no casualties, no environmental pollution", the HSE management work of the Fushun Petrochemical 800,000 t/a ethylene plant is introduced. Specifically, this includes building a sound organizational structure, strengthening control of the construction process, adopting scientific HSE management methods, and strengthening communication and coordination with all parties, while continuously improving and innovating HSE management methods in light of the actual project, so as to ensure that construction and production of the Fushun Petrochemical 800,000 t/a ethylene project proceed smoothly and that project safety is kept under control.

10.
Introduction: Automobile manufacturers are developing increasingly sophisticated driving automation systems. Currently, the highest level of automation available on the market is SAE Level 2, which provides sustained assistance for both lateral and longitudinal vehicle control. The purpose of this study was to evaluate how drivers’ perceptions of what behaviors secondary to driving are safe while a Level 2 system is operating vary by system name. Methods: A nationally representative telephone survey of 2005 drivers was conducted in 2018 with questions about behaviors respondents perceived as safe while a Level 2 driving automation system is in operation. Each respondent was asked about two out of five system names at random for a balanced study design. Results: The name “Autopilot” was associated with the highest likelihood that drivers believed a behavior was safe while in operation, for every behavior measured. There was less variation observed among the other four SAE Level 2 system names when compared with each other. A limited proportion of drivers had experience with advanced driver assistance systems and fewer of these reported driving a vehicle in which Level 2 systems were available. Drivers reported that they would consult a variety of sources for information on how to use a Level 2 system. Conclusions: The names of SAE Level 2 driving automation systems influence drivers’ perceptions of how to use them, and the name “Autopilot” was associated with the strongest effect. While a name alone cannot properly instruct drivers on how to use a system, it is a piece of information and must be considered so that drivers are not misled about the correct usage of these systems. Practical Applications: Manufacturers, suppliers, and organizations regulating or evaluating SAE Level 2 automated driving systems should ensure that systems are named so as not to mislead drivers about their safe use.

11.
PROBLEM: Federal policy recommends environmental strategies as part of a comprehensive workplace violence program in healthcare and social services. The purpose of this project was to contribute specific, evidence-based guidance to the healthcare and social services employer communities regarding the use of environmental design to prevent violence. METHOD: A retrospective record review was conducted of environmental evaluations performed by an architect in two Participatory Action Research (PAR) projects for workplace violence prevention, the first in 2000 and the second in 2005. Ten facility environmental evaluation reports, along with staff focus group reports from these facilities, were analyzed to categorize environmental risk factors for Type II workplace violence. RESULTS: Findings were grouped according to their impact on access control, the ability to observe patients (natural surveillance), patient and worker safety (territoriality), and activity support. DISCUSSION: The environmental assessment findings reveal design and security issues that, if corrected, would improve the safety and security of staff, patients, and visitors and reduce fear and unpredictability. IMPACT ON INDUSTRY: Healthcare and social assistance employers can improve the effectiveness of violence prevention efforts by including an environmental assessment with complementary hazard controls.

12.
Introduction: Data from the Federal Railroad Administration show high numbers of incidents at the approximately 210,446 highway-railroad grade crossings across the United States. One cause of this unsettling trend is the problem of drivers stopping within the dynamic envelope zone (DEZ) of the train while in queue. This research seeks to study DEZ stopping behavior at highway-railroad grade crossings by evaluating regulatory signage and further analyze variables that may affect this behavior. Method: A comparative safety analysis is undertaken to evaluate the effectiveness of the standard “Do Not Stop on Tracks” (R8-8) sign by using percentage change calculations and chi-squared tests. The study then conducts a market basket analysis (MBA) to extrapolate on these results and to identify underlying factors associated with observed driver behavior using variables influenced by visibility, perception, and maneuverability. Results: Rather low reductions in safety violations resulted from the R8-8 installation, including a 2.2% reduction in DEZ stopping behavior and only a slight 3.7% increase in compliance. The results of the MBA identified associations that affirmed assumptions about driver behavior, while other associations were not as direct but altogether helped broaden the understanding of interactions at grade crossings. Conclusions: This study concluded that the R8-8 had a positive but minimal effect on driver behavior at the grade crossings. The MBA successfully demonstrated its value by providing further insight on the safety analysis and by increasing the number of variables that can be analyzed simultaneously. The methodology offers the scientific community an innovative approach to analyzing driver behavior. Practical Applications: The results identified important variables for developing preventive measures, which will ultimately help reduce safety violations at grade crossings. The MBA can provide practical insight for railroad safety professionals and transportation engineers when determining problematic intersections and can be used to improve education on grade crossing interactions.

13.
Objective: To evaluate the effects of lane departure warning (LDW) on single-vehicle, sideswipe, and head-on crashes. Method: Police-reported data for the relevant crash types were obtained from 25 U.S. states for the years 2009–2015. Observed counts of crashes with fatalities, injuries, and of all severities for vehicles with LDW were compared with expected counts based on crash involvement rates for the same passenger vehicles without LDW, with exposure by vehicle series, model year, and lighting system standardized between groups. For relevant crashes of all severities and those with injuries, Poisson regression was used to estimate the benefits of LDW while also controlling for demographic variables; fatal crashes were too infrequent to be modeled. Results: Without accounting for driver demographics, vehicles with LDW had significantly lower involvement rates in crashes of all severities (18%), in those with injuries (24%), and in those with fatalities (86%). Adding controls for driver demographics in the Poisson regression reduced the estimated benefit of LDW only modestly in crashes of all severities (11%, p < 0.05) and in crashes with injuries (21%, p < 0.07). Conclusions: Lane departure warning is preventing the crash types it is designed to address, even after controlling for driver demographics. Results suggest that thousands of lives each year could be saved if every passenger vehicle in the United States were equipped with a lane departure warning system that performed like the study systems. Practical applications: Purchase of LDW should be encouraged, and, because drivers do not always keep the systems turned on, future efforts should focus on designing systems to encourage greater use and educating consumers about the benefits of using the systems.

14.
Introduction: Traffic engineers require robust tools to assist with their day-to-day decision making, and there is no better example of this than traffic signal warrants. North American traffic signal warrant systems are lacking in how they incorporate motor-vehicle collisions from both a severity and prediction perspective. The objective of this study was to produce reliable collision costs for the development of improved traffic signal warrants that account for the variations in severity that practitioners should expect based on the characteristics of the intersection being studied. Method: The primary data used for this analysis were from the National Automotive Sampling System (NASS) Crashworthiness Data System, with adjustments from the NASS General Estimates System and Fatality Accident Reporting System. Generalized ordered logit models were used to identify the most significant intersection characteristics, which were then used to segregate the data to determine the expected collision severity profiles and average costs of both casualty and total collisions at intersections. Results: The average collision at a signalized intersection was found to have a lower severity than the average collision at a stop-controlled intersection. A combination of posted speed limit, urban/rural, and divided/undivided were identified as the most significant intersection characteristics in most cases and were used to delineate the data for developing collision cost estimates. Conclusions: Posted speed limit, rural/urban land use, and the presence of divided approaches are intersection characteristics that traffic engineers can readily determine and/or control for, and that have significant effects on intersection collision severity. Practical applications: The collision costs produced through this process give traffic engineers a reliable estimate that can provide a more substantial foundation for justifying a proposed change in intersection traffic control.

15.
Introduction: Teens beginning to drive independently are at significantly increased risk of motor-vehicle crashes relative to their other life stages. There is, however, little guidance for parents as to how best to supervise learning to drive. Method: This study sought to undertake an informed approach to the development and implementation of a Parent Guide. We included a multi-stage development process, using theory, findings from a Delphi study of young driver traffic-safety experts, and parent focus groups. This process informed the development of a Guide that was then evaluated for feasibility and acceptability, comparing a group that received the Guide with a control group of parent and teen dyads. Both members of the dyads were surveyed at baseline, again at the approximate time teens would be licensed to drive independently (post-test), and again three months later. Results: We found no difference in the proportion of teens who became licensed between those given the new Guide and control teens (who received the state-developed booklet); that is, the Guide did not appear to promote or delay licensure. Teens in the Guide group reported that their parents were more likely to use the provided resource compared with control teens. Responses indicated that the Parent Guide was favorably viewed, that it was easy to use, and that the logging of hours was a useful inclusion. Parents noted that the Guide helped them manage their stress, provided strategies to keep calm, and helped with planning practice. In contrast, control parents noted that their booklet helped explain rules. Among licensed teens there was no significant difference in self-reported risky driving at the three-month follow-up. We discuss the challenges in providing motivation for parents to move beyond a set number of practice hours to provide diversity of driving practice.

16.
Safety and availability analysis of a dual-machine hot-standby computer interlocking control system
Starting from actual field conditions, the authors studied the safety and availability indices of dual-machine hot-standby computer interlocking control systems. The failure modes of such systems in practical application were analysed, and the results show that the probability of a fault that directly causes complete system failure is very small. A fault-availability coefficient for the system is therefore introduced, and the influence of this coefficient on the reliability, safety and availability of the system is investigated. Analysis and simulation of the safety and availability of dual-machine hot-standby computer interlocking control systems show that, after introducing the fault-availability coefficient, the system's safety is unchanged while its reliability and availability are significantly improved.

17.
The purpose of this article is to present the concept of risk typology and its use in the management of process control deployment at a fab-wide level. This research provides a comprehensive method based on Failure Mode, Effects and Criticality Analysis to control the failures that matter throughout an organization. The method employed in this research uses a model of risk analysis and typology to carry out a demonstration and to infer management practices. Two results follow from this model: (1) the demonstration of equalities among some typologies and (2) a practical way to use it to manage the deployment of controls and feedbacks throughout an entire manufacturing system. A four-year observation of process control deployment underlines the potential of this method to remove silo effects among risk analyses. To conclude, the concept of typology can sustain process control management and especially the deployment of controls and feedbacks. An industrial observation evaluates its potential for development.

18.
Introduction: This paper investigates whether motor-vehicle driver behavior changes when there are more bicycles on the road. Method: Data on trips on a rapidly expanding public bike share scheme in Chicago are combined with speed violations captured by a network of 79 cameras. Using weekly data from July 2014 to December 2016, violations at 26 sites where there was a considerable increase in bicycle traffic are compared with a control group of 53 locations where rental bicycles are not available. Results: An increase in rental bicycle usage is statistically related to a reduction in the number of speeding violations, with an estimated elasticity of −0.04. Conclusion: The increased presence of bicyclists makes at least some motorists drive more cautiously. Practical Application: This research provides some insight into the mechanism behind the observed reduction in crash rates as bicyclists become more numerous. Some motorists moderate their speeds, allowing more time to avoid collisions and a reduction in the severity of the vehicle-bicyclist collisions that still occur.

19.
The paper proposes an imprecise Fault Tree Analysis in order to characterize systems affected by a lack of reliability data. Unlike other research works, the paper introduces a classification of basic events into two categories, namely Initiators and Enablers. In real industrial systems some events refer to component failures or process parameter deviations from normal operating conditions (Initiators), whereas others refer to the functioning of safety barriers to be activated on demand (Enablers). As a consequence, the output parameter of interest is not the classical probability of occurrence of the top event, but its Rate of OCcurrence (ROCOF) over a stated period of time. In order to characterize the basic events, interval-valued information supplied by experts is properly aggregated and propagated to the top. To this purpose, the Dempster–Shafer Theory of evidence is proposed as a more appropriate mathematical framework than the classical probabilistic one. The proposed methodology, applied to a real industrial scenario, can be considered a helpful tool to support risk managers working in industrial plants.

20.
Chemical process industries such as oil refineries, fertiliser plants, petrochemical plants, etc., which handle hazardous chemicals, are potential targets for deliberate actions by terrorists, criminals and disgruntled employees. Security risks arising out of these threats are real and must be assessed to determine whether the security measures employed within the facility are adequate or need enhancement. The essential steps involved are threat analysis, vulnerability analysis, security countermeasures, and emergency response. Threat analysis involves the study of identifying sources, types of threats, and their likelihood. Vulnerability analysis identifies the weaknesses in a system that adversaries can exploit. Depending on the threat likelihood and vulnerabilities, various security countermeasures are suggested to improve the plant security. Appropriate emergency response measures that could mitigate the consequences of a successful attack and concepts of inherently safer processes in the light of process security are also discussed in the paper. It is recognised that serious terrorist threats exist to the transport system of hazardous chemicals (by road, rail cars, ships, pipelines, etc.). However, that is not a part of this study, which concentrates on process plants and hazardous materials within immovable boundaries. A case study of a fertiliser plant is used to show the application of ideas presented.
