The following blog is in response to Abhishek Sharma’s January 2023 blog, “The Wisdom of Correct Pressure Measurements.”
On 13 January 2023, Abhishek Sharma wrote the ISA Interchange blog, “The Wisdom of Correct Pressure Measurements.” The blog states:
“Because of faulty installation or variations, remote pressure sensors or local pressure gauges can produce unexpected results. They occasionally perplex the process engineer, such as when downstream pressure exceeds upstream pressure in the flow direction. Here, we will look at all the issues concerning pressure sensors and value discrepancies. This blog will provide knowledge of pressure measurement as well as recommendations.”
I wanted to provide some additional thoughts from my time in nuclear plant instrumentation and control (I&C) and control system cybersecurity that were not addressed in Abhishek’s blog. The cybersecurity issues that affect pressure measurements are common to other process measurements.
Inaccurate pressure sensor measurements have contributed to nuclear plant core melts and other nuclear plant safety issues, explosions in refineries and oil storage tanks, pipeline ruptures, and more. While Abhishek’s blog addresses unintentional issues, it does not address maintenance issues such as miscalibration, nor does it address pressure sensor cybersecurity.
The blog addressed pressure measurements after a pipeline expander (going from a smaller pipe to a larger pipe), but not the restriction of flow (going from a larger pipe to a smaller pipe) such as with a venturi for measuring flow rate. A venturi flow meter is a type of differential pressure flow meter that generates a flow measurement by measuring the pressure difference at two different locations in a pipe. This pressure difference is created by constricting the diameter of the pipe, which causes an increase in flow velocity and a corresponding pressure drop. It is through these changes in the fluid flow that the flow rate can be deduced.
Why is this important? Nuclear power plants are licensed to a maximum thermal power output. Thermal power is calculated based on measured feedwater flow rate. In the late 1980s, while I was at the Electric Power Research Institute (EPRI), I was working on a nuclear plant that was “losing” tens of megawatts a day due to erroneously high feedwater flow measurements. This was because, over time, the venturi would foul, creating erroneously high pressure drops that resulted in erroneously high flow measurements (and therefore erroneously high thermal power calculations).
Consequently, the plant was effectively derated as it reached the maximum licensed thermal power limit because of the erroneously high feedwater flow measurements, even though the actual thermal output was lower, thus losing actual power. To counteract the feedwater fouling issues, the utility switched to strap-on ultrasonic feedwater flow measurements. In non-nuclear power applications that do not have regulatory limits on allowable power, venturi fouling is not an issue.
The blog addressed the plugging of sensing lines. Sensing lines are small diameter lines that enable the pressure transmitter to be located away from the pipeline or vessel being monitored. Sensing line blockages cause errors in process measurements and sluggish responses. Sensing line monitoring is performed using noise analysis. When sensing line plugging starts to occur, the “noise” in the sensor signal increases. However, with Windows human-machine interfaces (HMIs) or digital sensors that filter out the higher frequency noise, the increase in sensor noise from the plugging may not be detected. In one case, a two-unit power plant was automatically shut down when the sensing line plugging caused the pressure sensors to reach their trip setpoint, without any warning that the sensing lines were plugging.
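The filtering problem described above can be shown with a short simulation. This is an added example, not part of the original blog: the signal is constructed, and the noise levels, the 50-sample moving average standing in for HMI or digital-sensor filtering, and the 1.5x alarm factor are all assumptions.

```python
import math
import random
import statistics

def make_signal(n=4000, change_at=2000, seed=7):
    """Constructed data: slow process swing plus high-frequency sensor noise.
    The noise sigma triples at change_at (assumed stand-in for plugging onset)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        slow = 5.0 * math.sin(2 * math.pi * i / 200)  # normal process variation
        sigma = 0.2 if i < change_at else 0.6         # high-frequency noise level
        out.append(1000.0 + slow + rng.gauss(0.0, sigma))
    return out

def moving_average(x, width=50):
    """Low-pass filter standing in for HMI / digital-sensor smoothing."""
    acc = sum(x[:width])
    out = [acc / width]
    for i in range(width, len(x)):
        acc += x[i] - x[i - width]
        out.append(acc / width)
    return out

def hf_noise(x):
    """High-frequency noise estimate: std of sample-to-sample differences."""
    return statistics.pstdev([b - a for a, b in zip(x, x[1:])])

def noise_ratio(x, split):
    """Noise after the split divided by the baseline noise before it."""
    return hf_noise(x[split:]) / hf_noise(x[:split])

def noise_changed(ratio, factor=1.5):
    """Flag a shift in noise level in either direction relative to baseline."""
    return ratio > factor or ratio < 1.0 / factor

def compare():
    """Return the noise ratio seen on the raw signal and on the filtered one."""
    raw = make_signal()
    filt = moving_average(raw)
    # Filter output j covers raw samples j..j+49, so the change appears at 1951.
    return noise_ratio(raw, 2000), noise_ratio(filt, 1951)

if __name__ == "__main__":
    print("raw ratio %.2f, filtered ratio %.2f" % compare())
```

On the raw signal the noise ratio is well above the alarm factor; after filtering it sits near 1.0, so the same check on the filtered data raises nothing.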
The blog doesn’t address pressure measurement drift, nor incorrect sensor settings. Pressure and differential pressure sensors drift over time and need to be periodically recalibrated. However, there is no cybersecurity in the calibration tools (yet they have Internet connectivity).
There have been numerous documented cases where pressure and other process sensors have been rearranged during maintenance. When pressure sensor settings are changed from their correct settings, whether unintentionally or maliciously, process safety is compromised even though the sensor readings may appear correct. Consequently, the maintenance/calibration process has ramifications for reliability, process safety, and cybersecurity.
Analog pressure and differential pressure measurements, along with other process measurements such as temperature, are inputs for control and safety. For operator information, the signals are converted into Ethernet packets as input to the Windows operator displays and operational technology (OT) monitoring systems. The serial-to-Ethernet conversion process can be susceptible to cyberattacks, as in the 2015 Ukrainian grid cyberattack.
Industry 4.0, digital transformation, smart grid, and other emerging families of technology utilize pressure sensor readings. However, these advanced technologies only address the Ethernet packets, assuming the raw pressure sensor data are uncompromised, authenticated, and correct. This may be why the cybersecurity of pressure sensor (and other process sensor) measurements is generally ignored by the information technology (IT) and OT network cybersecurity communities.
The concern with the lack of pressure sensor authentication can be seen from one engineer in Abu Dhabi who wrote to me, “There are no passwords at all in most of the instruments, even by default. You simply plug in your HART communicator (which has no cybersecurity or authentication) and change whatever you want.”
This should be a clarion call to address the process sensor cybersecurity issue.
ISA84.09 conducted an exercise to determine the relative conformance and applicability of the ISA 62443-4-2 standard's individual cybersecurity requirements to legacy process sensors (what is being built today as well as those already installed in the field). A digital safety pressure transmitter and its ecosystem, including the transmitters, host computers, field calibrators, and local sensor networks, was selected to determine what, if any, compensating measures might be necessary. The results were that 69 of the 138 individual requirements, including the fundamental requirements, could not be met. The sensors had hardware backdoors that could not be bypassed.
As previously mentioned, the sensor calibration tools have no security, but also have direct connections to the Internet. Without authentication, one does not know if the pressure sensor data providing direct control of the equipment and information to the operators is coming from the process sensors or from operators in Beijing. Neither network monitoring nor threat hunting can address the pressure sensor issues, though compromised sensor readings can affect OT networks and the conclusions from threat hunting.
The blog doesn’t address counterfeit pressure and differential pressure transmitters that have been found in critical applications. Counterfeit process sensors are an ideal vehicle (Trojan horse) to get malware into OT networks as the sensors are 100% trusted. These are safety and cybersecurity concerns.
The lack of understanding of process sensor cybersecurity also extends to the engineering community. An acknowledged process industry instrumentation cybersecurity expert once said to me, “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”
An article in the November 2022 issue of IEEE Computer, “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors,” addresses many misconceptions about process sensor accuracy and cybersecurity. The article was based on the results of a project performed at a large industrial facility. It addressed the operational and cybersecurity limitations of legacy process sensors (pressure, flow, temperature, motor amperage, vibration, and valve position) and how machine learning was used to work around those limitations. One of the key findings of the plant analysis was that more than half of the process sensors were either inoperable or out of calibration, but the Windows-based operator displays did not identify these issues.
Correct pressure, differential pressure, and other process sensor measurements are necessary for reliability, product quality, maintenance, process safety, and cybersecurity. Yet, the sensor measurements and their maintenance tools are generally not cyber secure. These devices can be incorrect for unintentional or malicious reasons. If you can’t trust pressure, differential pressure, and other process measurements, then you have no cybersecurity, safety, reliability, resilience, or situational awareness.