Tuesday, May 30, 2017

Is embedded software safe enough? Or do you program/configure some of your systems using proprietary wireless programming units?

Today the Danish engineering news site ing.dk reported some experiences a Norwegian security researcher has personally had with a pacemaker. Pacemakers are life-saving devices for people with certain heart faults. But they contain embedded software and wireless interfaces unknown to the patient user. Here is a partial translation of the report from ing.dk:

"The Norwegian security researcher Marie Moe recently talked about "Hacking my own heart" at the Copenhagen Cybercrime Conference. Five years ago she passed out due to a heart failure, and was given a pacemaker. As an employee at NorCERT in Norway Ms. Moe soon got an interest in her newly implanted device. At the time she asked many questions of the doctors, including some about the safety of the hardware and software, which then made her heart beat."
"She decided to search for information herself, and found a technical manual on heart hardening using Google. In this she discovered that the pacemaker had two wireless communication options. One was an NFC interface to give programming access to the device, and that one she was aware of. It could be used for diagnosis, and by touching a screen on the programming device a doctor could make the heart go faster or slower or even stop. The second wireless interface could communicate over several meters, and was intended to send telemetric information via a box in the home to a server on the internet. The intended user was the health and pharma industry, but not the patient or her doctor. Ms. Moe remarked that, given the certification process such devices are subject to, the technology providing the internet connectivity would probably be 15 years old."
"At one point while climbing some stairs Ms. Moe suddenly felt like an 80-year-old. She later had the same experience while running for a bus. After several months of pacemaker studies it turned out that there was an error in the pacemaker interface. In the default configuration the pacemaker was set to an upper pulse of 160 beats per minute. So when this was reached the pacemaker would change the pulse to just 80 beats per minute. It turned out that the NFC programming device showed a different max-pulse level than what was actually programmed into the pacemaker."
"Ms. Moe had another bug experience last year on the way to a conference in Amsterdam, when she could suddenly see her chest muscles move. It was probably caused by cosmic radiation, which caused bit flips in the memory of the device, so it could not access memory as intended. Since the different pacemaker manufacturers use different and non-compatible devices for programming, Ms. Moe had to wait for proper equipment to arrive to factory reset her pacemaker. That naturally re-introduced the old bug, which Ms. Moe had discovered earlier."
"So how is software on a pacemaker being updated? Well, a USB-key from the provider is inserted in the programming unit, which then uploads the code to the pacemaker. At the end of the presentation Ms. Moe showed herself in a half marathon, so the pacemaker is working today."
Why is this story relevant for the process safety and control community? Because of the multitude of electronic programmable devices which have entered the process industry during the past twenty years, and which just sit out there in the plants doing their thing, without anyone thinking about bugs.

The question which springs to mind after reading about Ms. Moe's experience with radiation influencing her pacemaker is whether the smart instrumentation in our modern plants can experience similar malfunctions. If or when they do, are we then prepared to deal with them?

Source of original story in Danish here: https://www.version2.dk/artikel/norsk-sikkerhedsforsker-blev-ramt-pacemaker-fejlkonfiguration-paa-vej-ad-trapperne-1077034

Saturday, April 15, 2017

CSB is fighting for its life - fight with it!

The new American president has apparently decided in his proposed budget to remove anything which he doesn't understand, and use the money on the military - at least that is how I read what has been reported in the media (even though the president wants us to believe that we can't trust the media). One of the things the president doesn't understand is the role the Chemical Safety Board (CSB) plays in saving Americans by investigating a few of the many accidents that each year just happen at US chemical and refining facilities.

The CSB has an annual budget of just US$ 11,000,000, which helps protect American workers. By comparison the budget for protecting the American people is US$ 580,300,000,000 - or more than US$ 66,000,000 each hour of the year, or US$ 11,000,000 every 10 minutes. That is six times the CSB budget every hour. Both the US CSB and the US Military help protect Americans, and that is the message which the US president needs to understand.

I am not always pleased with the focus of the investigation reports and case studies issued by the CSB. Those viewpoints were presented at the 2013 International Symposium on Loss Prevention and Safety Promotion in Florence, Italy in a paper titled "How Could CSB Investigation Reports Be Improved?" (a copy can be requested by email to niels.jensen@safepark.dk). However, although there may be things to improve at the CSB, it does contribute to improved process safety for workers and neighbors of chemical facilities. One example of this is the CSB investigation of the explosion on August 28th, 2008 at Bayer Crop Sciences in Institute, West Virginia. This facility used to be owned by Union Carbide, but was, after the 1984 disaster in Bhopal, India involving the release of highly toxic methyl isocyanate, acquired by Dow Chemical in 2001. Later the facility in Institute was acquired by Bayer, and at the time of the incident it was part of Bayer's Crop Sciences Division.

However, even in 2008 methyl isocyanate (MIC) was still used at the facility in Institute, and a tank with MIC barely escaped damage in the 2008 explosion. Today MIC is no longer used at the Institute facility. This in my view can be credited to the CSB investigation report, which was highly critical of the continued use of MIC at the Institute facility. Other companies, such as DuPont, moved quickly after 1984 to eliminate any storage of the intermediate MIC at their facilities worldwide. Dow Chemical and Bayer were slower to do this, but have caught up. Today, thanks in part to the CSB investigation of the 2008 explosion, it is safer to live in Institute, West Virginia than it has been for many years.

Institute is in the Kanawha Valley, which in the late eighties and early nineties became well known in the international safety community for a local group of volunteers, which forced companies in the area to tell their neighbors - and hence the world - about the toxic chemicals at their facilities and the worst case events which they could cause. The result was the creation of Local Emergency Planning Committees, and also, in Sarnia's Chemical Valley, a similar initiative to have companies tell the public about the impact on the community of possible worst case accidents, and the efforts of industry to avoid such events.

The idea that safety pays is not new. Some years ago the European Process Safety Centre had a video on this subject created, which you can view and order here (watching the video online requires Flash 8, so it won't work in Chrome). I am happy that the CSB now - a bit late - also beats the same drum. Read about that here in CSB's own words. Help save the CSB by sharing messages such as this one in the process safety community - and if you are American, maybe also share these messages with your representatives in Congress.

PS: Thanks in part to the European Union, in Europe we have a different approach to process safety than the US. Authorities here don't prescribe solutions; they just tell companies that they are not allowed to kill people or pollute the environment if they want to keep their licence to operate.