1
Proposed cyber-physical security
system design for a new LNG plant
USC PTE 519
December 2016
Cyrus Ashayeri
2
OUTLINE
SECTION PAGE
Executive summary …………………………………………. 3
Imaginary cyber-attack scenarios …………………………. 4
Introduction …………………………...…………………….. 8
LNG plant overview ………………………………………… 8
Process control of key units in LNG plants ………………. 14
Security assessment ……………………………………….... 18
Security design ……………………………………………… 23
Lessons learned and defense …………………………….…. 26
References …………………………………………………... 29
3
Executive summary
Although the majority of LNG plants across the world share similar fundamentals, no two plants
are identical. Therefore, every industrial control system is unique in its own right.
Designing a one-size-fits-all cybersecurity system for critical infrastructure is an impossible task,
and any attempt to use this approach is doomed to fail.
In this research, rather than designing a security system for an integrated physical-cyber system, a
methodology is proposed. The approach here is the identification of the main components in the LNG
operation and breaking those down into key processes. In the meantime, based on the available
literature, major categories of cyberattacks on industrial systems are introduced and their
targets are briefly explained. The workflow proposed on page 24 of this report can be used as a
tool to hypothetically impose various magnitudes of cyberattacks on key components of the system
and predict the outcomes.
While a large portion of the report focuses on the LNG plant layout and processes, pages 20 - 22
provide necessary information on industrial scale cyberattacks. This information can be used as
the tool to examine all possible attack consequences in various units of the LNG process.
To help the reader better understand the procedure, this report begins with three imaginary attack
scenarios. This section aims at inspiring the reader to see less obvious aspects of vulnerabilities in
such cases. Finally, the report ends with a brief section on lessons learned from the proposed
scenarios and basic suggestions on defense mechanisms.
Needless to say, a complete cyber-physical security design is beyond the scope of this research, and
the information provided aims at creating basic thinking tools for tackling such projects.
4
Imaginary cyber-attack scenarios
Cyber-physical systems (CPS) are broadly used in critical infrastructures today. They integrate
sensors, controllers, actuators, computers, communication systems, and physical operations.
Technological advancements in the area of sensing and wireless communication have resulted in
large scale utilization of sensor nodes in industrial plants. In the meantime, the ever-growing threat
of cyber-attacks could lead to severe damage to critical infrastructure, financial loss, and above
all, loss of human lives. Needless to say, it is impossible to develop complete immunity against
such potential attacks; however, by identifying them, we can take major steps in the areas of
detection and prevention.
Based on the Confidentiality-Integrity-Availability model, cyberattacks target key components in
a system to compromise one or more of the mentioned categories. In this section, before starting
the introductions, 3 hypothetical cyberattack scenarios are provided to set the background.
Scenario 1. Financial fraud via attack on Measurement System
Iran holds the 2nd largest natural gas reserves in the world and is currently the 3rd largest
producer of natural gas in the world. However, almost all of its natural gas production is
consumed domestically and only negligible amounts are exported. After the removal of
international nuclear-related sanctions, it is planning to bring online multiple development
phases in the South Pars gas field (largest non-associated natural gas field in the world) in the
Persian Gulf. Iran does not have any LNG plant; therefore, it is planning to sign a 20-year
contract with Qatar to utilize Qatar's spare LNG capacity and ship its natural gas to the Asian market.
5
Contractor X, which is in charge of constructing the subsea pipeline and delivering the gas to the
Qatari side, is planning a cyberattack on the LNG plant flow meter systems to manipulate the readings
on received volumes. An error of 1% in measurements can result in a gain of $12 million per year for
the company.
Company X has learned, through a leaked vendors’ list, that the Qatari LNG plant has installed
Honeywell’s Experion® Process Knowledge System (PKS), MeterSuite™. The mentioned system
has integrated wireless remote control capabilities that can access the data collection/storage
system.
Figure 1. Honeywell Experion® Mobile Access
The adversary company X has managed to access default authorization codes for the Experion
portable devices (shown above) to access the measurement system and feed false measurement
data into the system. The attacker is implanting malware to inject falsified information into both
receiving and loading (export) measurement devices to completely hide the measurement error
from the LNG facility control system.
6
Scenario 2. Attack through supply chain through ERP System corruption
This scenario focuses on the possibility of an LNG plant being used as a means to attack a target
which is in the LNG supply chain (in this case a buyer). Detecting such attacks could be extremely
challenging since an LNG buyer and the regasification destination are usually thousands of miles
away.
As part of energy diversification plans, India has constructed a solar power plant in a remote desert
area. This solar power plant is an integrated combined cycle which uses natural gas and provides
500 MW to the national power grid. Based on the remote location and lack of natural gas pipeline,
the plant receives its natural gas in form of mini LNG, purchased from Tipu Sultan LNG plant on
a monthly basis.
A new set of temperature sensors have been recently ordered and installed to detect leaks in the
plant pipeline system. New sensors have an automated diagnostic system which communicates
with the vendor. This connection is established through the LNG plant’s business network.
A political opposition group backed by Pakistani extremists is planning a cyber-attack to shut
down parts of the Indian national power grid. The hacker group has managed to plant its
malware in the sensors, and once the sensors access the business network to transmit a diagnostics
report to the vendor, corruption of the ERP financial network occurs. The national power company
is connected to the LNG plant’s corporate network for monthly payments and restricted access to
purchase history data. The next data batch to be downloaded by the national power grid company.
7
Scenario 3. Compliance with regulation via attack on Flare Stack Valves
Due to oversupply in the global LNG market, an Algerian LNG plant is downsizing. An ex-engineer
who was involved in the design and selection of valves for the new LNG plant has been fired
recently. He is trying to take revenge on the company. This employee had access to the automated
control system in Fisher Emerson flare stack valves.
Figure 2. Fisher™ 8532 High Performance Butterfly Valve
He has reprogrammed the PLC and limited the valve’s opening to 50% during plant startup,
creating a significant pressure differential and therefore causing a supersonic velocity of Mach 1.2.
Due to the manipulation, the operators have not yet been able to detect the source of the vibration,
and the resulting vibration and noise have exceeded the national regulation levels and caused legal
troubles for the company with fines up to $500,000.
The motivation behind this attack was simply revenge; however, the vulnerability exploited in this
scenario could be used to conduct terrorist attacks, since failure to flow gas through the flare system
could result in an over-pressurized system and serious damage.
8
Introduction
It is important to obtain basic familiarity with physical and chemical properties of LNG. This
section provides some information to help better understand different processes in an LNG plant,
and how the physical and chemical properties of LNG can result in an accident.
The composition of LNG depends on the composition of the natural gas from its field of origin.
It consists mostly of methane, with minor fractions of C2 to C4 and trace amounts
of CO2, sulfur, and nitrogen. LNG is colorless, odorless, and noncorrosive. LNG on its own is
nontoxic, but in a confined area can be harmful in many ways which will be discussed in following
sections. LNG has an average boiling point of -260 °F and a density of 430-470 kg/m³ based on its
composition (Mokhatab, 2013), and the cooling process is done by the Joule-Thomson effect. LNG
is a cryogenic liquid that is not flammable in liquid form.
After the arrival of natural gas at the plant, it needs to be purified of water and all other particles
such as mercury. Different adsorption processes are utilized for removal of water and trace
amounts of other particles. Many other heavy HC molecules such as butane and pentane are also
removed by amine filters. The cooling process to such low levels requires extreme amounts of
energy.
LNG plant overview
An LNG plant, like any other chemical plant, consists of thousands of components. In this study a
simplified approach has been used to identify the general key components of the plant and focus
on their performance to design the appropriate security system. The image below depicts a typical
LNG plant with main components highlighted.
9
Figure 3. Typical LNG facility layout
Physical plant specification Infrastructure
Gas Gate Station
LNG Trains
Flare Stack
LNG production
LNG storage tanks
Pipeline systems
Power
Communication systems
Export facilities
Control room
Maintenance building/Workshop
Administrative building
Physical perimeter
Table 1. Major components in a typical LNG plant
10
For better preparation of the defense system it is beneficial to have an overall understanding of
the financial value of each section in the LNG plant. The chart below illustrates the value chain
breakdown in a typical LNG plant.
Figure 4. LNG value chain cost breakdown (from: Lim, 2013, I & EC Research)
As seen above, the liquefaction process is the most important and valuable part of the plant to be
defended against cyber or physical damage.
The core of the LNG plant is the process of cooling and liquefying the natural gas feed. Two of
the common methods globally used for the LNG process are Cascade Liquefaction Process and
Mixed Refrigerant Liquefaction Process. ConocoPhillips Optimized Cascade Process and Air
Products (AP-C3MR) are some famous commercial examples of these two methods.
11
Diagrams below are simplified illustrations of the mentioned processes:
Figure 5. ConocoPhillips Optimized cascade LNG Process
Figure 6. Air Products’ Single Mixed Refrigerant Process
12
Figure 7. AP-C3MR Process
Many large scale LNG plants across the world are operating using the above mentioned methods.
Idku LNG plant in Egypt with 2 trains and 7.2 MTPA capacity, Darwin LNG plant in Australia
with 1 train and 3.7 MTPA capacity, and Malabo LNG plant in Equatorial Guinea with 1 train and
3.7 MTPA capacity are among the examples using the ConocoPhillips Cascade process. There are
several examples of Single Mixed Refrigerant processes, such as AP-SMR, and Propane Precooled
Mixed Refrigerant processes, such as AP-C3MR. Examples of the AP plants are found in Abu Dhabi,
Algeria, Indonesia, and China, utilizing 1 to 6 trains with capacities as high as 12 MTPA.
13
Figure 8. Typical Cascade Liquefaction Process and Important valves
Figure 9. Typical Mixed Refrigerant Liquefaction Process and important valves
14
Process control of key units in LNG plants
Liquefaction system
The liquefaction system is the heart of any LNG plant. Cooling down and condensing the
pretreated natural gas to produce LNG is the main operation here. Heat exchangers have very high
energy consumption, multiple temperature points require constant measurement, turbo-machinery
is used to compress the refrigerants in the system, and many disturbances such as flow rate and
feed gas composition fluctuation can significantly affect the process.
As mentioned earlier, there are several commercial liquefaction process technologies available on
the market, including the APCI mixed refrigerant process (C3MR), the Cascade refrigeration process,
and the Shell DMR process. Diagrams illustrating the flow charts of the first two systems were
provided in the previous section. Key components of the system that have high security and safety
risk, and therefore must be allocated high priority during defense design, are briefly described here.
Control of refrigeration processes
A typical single stage refrigeration process normally consists of a chiller, compressor, condenser,
and surge tank. The diagram below is a simplified illustration of the process.
The main item to be controlled in this unit is the cooled outgoing stream’s temperature. The
temperature itself is maintained by controlling the pressure in the chiller, and this property is
controlled by manipulation of the compressor speed.
15
Figure 10. Control scheme for a typical single-stage refrigeration process. (Mokhatab, 2013)
Control of liquefaction unit
The main objective at this unit is to ensure the condensing of natural gas to form
LNG and the subcooling of LNG. Maintaining the optimal plant capacity is another equally crucial
objective at this unit. The two objectives are achieved by rejecting disturbances such as ambient
temperature and feed composition fluctuations.
For the Mixed Refrigerant processes, the LNG temperature is controlled by the manipulation of
production rate, and the unit capacity is controlled by adjusting the compressor speeds and JT
valve positions (Mandler, 1998).
Compressor and gas turbine control
As discussed above, the capacity control for refrigeration is conducted by this unit. It is either done
by the plant DCS system or by embedded compressor control package available from different
vendors. The second option interacts with the anti-surge control and helps improve the process.
16
Figure 11. Typical compressor-gas turbine string control scheme (Mokhatab, 2013)
Aside from capacity control, several important capabilities are required in a well-designed
compressor-driver, such as anti-surge control, load balancing, loop decoupling, override control,
and load-limiting control.
Anti-surge control systems
This unit is of great importance from both a safety and an operational efficiency point of view.
Compressor operation in the marginal surge region can lead to severe damage, such as flow
reversals. Also, operating the compressor within the acceptable speed range helps avoid
unplanned shutdowns which cause financial loss. The control system must be designed, based on
the physical properties of the system, to ensure flow rates higher than the surge line and to maintain
the designed surge margin as well. The simplified diagram below depicts the required capabilities
in this unit’s control system.
17
Storage and loading
The main objective of the process control system in the storage unit is to maintain the storage tank
pressure at safe levels to prevent any flaring due to over-pressuring of the tank. The vapors from
the tank are fed to the BOG compressor, to be used again in the liquefaction process. The tank
pressure has to be controlled by manipulating the flow of BOG vapors.
LNG storage is either underground or above the ground. Multiple design variations such as single
containment tank, double containment tank, and full containment tank exist based on the plant
specification, and each type has its own safety criteria. Design specification items to look for
here are: maximum design pressure, vacuum design pressure, normal operating pressure,
minimum operating pressure, and maximum operating pressure.
Figure 12. Required control capabilities in an Anti-surge unit (Anti-surge control system: normal Proportional-Integral (PI) control; derivative response; recycle trip response; surge counter reset)
18
Security assessment
Methodology
Digital risk identification and classification for the proposed LNG plant is conducted in the
following steps. First, the key physical processes in the plant are identified. The selection criteria
here are the cost value of the units, their role in the plant operation, and their contribution to
production. Once these top priority components are identified, their function is studied to discover
physical or digital vulnerabilities.
Figure 13. Physical and security design steps (Introduction to major control components; Priority protection layers; Defense strategy; Cost & value analysis)
Cyber-attacks come in various forms and target different sections in an industrial plant. Based on
the attackers’ motivation, different degrees of damage can occur to the control systems, IT
network, physical devices, or computers, and even further damage, such as to human safety, is also
possible. In this research the main forms of cyberattacks have been introduced and some of the most
frequent targets in industrial infrastructure are listed to facilitate the security assessment and
design.
For ICS security risk assessments, it is important to understand the interdependency of physical
and cyber security. The physical impacts of a cyber-attack can result in large scale damage to the
control system itself, the physical components of the facility, and potential human safety and
environmental damages.
19
A security assessment must investigate the possible impacts of cyberattacks on the performance of
digital and physical components of the operation such as sensors, actuators, valves, pumps, etc.
Such damages can lead to short term or long term outage in the plant process.
Business Case for Security
After conducting the security risk assessment at different levels, a business case must be prepared
for the organization which addresses the management concerns. Financial justification of the
security program is a key component in the successful implementation of an integrated cyber-
physical security design. In this research, four stages have been proposed to consider while
presenting a cyber security plan to upper management:
1) In case of LNG plants, based on the long term nature of the contracts and the level of
international competitiveness, it is crucial to include benefits of security systems in the
improvement of reliability and availability of the operation.
2) Damage scenarios in case of information or digital security breach.
3) Overview of the process for assessment, design, implementation, monitoring, maintaining
and updating the security system.
4) Costs and resources imposed on the management to develop the security plan.
A detailed study of the physical, economic, and social impacts of cyberattacks helps evaluate and
define the organization’s risk tolerance.
Cost has a big impact on management decision-making; however, in the case
of LNG infrastructure, investment needs to be considered as insurance
for a 25-year project. The long lifetime of the plant justifies significant
investment in utilization and constant upgrades of security systems.
20
The table below shows various impacts of cyberattacks on industrial control systems (both tables
from Handbook of liquefied natural gas, Mokhatab, 2013).
Incident type: Change in a system, operating system, or application configuration
Potential impact:
• Command and control channels introduced into otherwise secure systems
• Suppression of alarms and reports to hide malicious activity
• Alteration of expected behavior to produce unwanted and unpredictable results

Incident type: Change in programmable logic in PLCs, RTUs, or other controllers
Potential impact:
• Damage to equipment and/or facilities
• Malfunction of the process (shutdown)
• Disabling control over a process

Incident type: Misinformation reported to operators
Potential impact:
• Inappropriate actions taken in response to misinformation that could result in a change to operational parameters
• Hiding or obfuscating malicious activity, including the incident itself or injected code

Incident type: Tampering with safety systems or other controls
Potential impact: Preventing expected operations, fail safes, and other safeguards with potentially damaging consequences

Incident type: Malicious software (malware) infection
Potential impact:
• Initiation of additional incident scenarios
• Production impact resulting from assets taken offline for forensic analysis, cleaning, and/or replacement
• Assets susceptible to further attacks, information theft, alteration, or infection

Incident type: Information theft
Potential impact: Leakage of sensitive information such as a recipe or chemical formula

Incident type: Information alteration
Potential impact: Alteration of sensitive information such as a recipe or chemical formula in order to sabotage or otherwise adversely affect the manufactured product
21
The next table takes a more detailed approach and specifically shows the main targets of
cyberattacks on different control system components and the consequences of each category of
such attacks.
Target: SCADA servers
Attack vectors:
- Non-SCADA client applications
- Application integration communication channels
- Data historian
- Engineering Workstation
- Control network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Remote access via “interactive” accounts
- Installation of malware via removable media
- Exploitation of trusted connections within control network
- Authorization to ICS applications without sufficient access control mechanisms
Possible consequences:
- Plant upset / shutdown
- Delay plant startup
- Mechanical damage / sabotage
- Unauthorized manipulation of operator graphics - inappropriate response to process action
- Unauthorized modification of ICS database(s)
- Unauthorized modification of critical status / alarms
- Unauthorized startup / shutdown of ICS devices

Target: Controller (PLC)
Attack vectors:
- Engineering workstation
- Operator HMI
- Standalone engineering tools
- Rogue device in Control Zone
- USB / removable media
- Controller network
- Controller (device) network
Possible attack methods:
- Engineer / technician misuse
- Network exploitation of industrial protocol - known vulnerability
- Network exploitation of industrial protocol - known functionality
- Network replay attack
- Network DoS via communication buffer overload
- Direct code / malware injection via USB
- Direct access to device via rogue network (local / remote) PC with appropriate tools / software
Possible consequences:
- Manipulation of controlled process(es)
- Controller fault condition
- Manipulation / masking of input / output data to / from controller
- Plant upset / shutdown
- Command-and-control

22
Target: Engineering workstations
Attack vectors:
- Engineering tools and applications
- Non-engineering client applications
- USB / Removable media
- Elevated privileges (engineer / administrator)
- Control network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Installation of malware via removable media
- Installation of malware via keyboard
- Exploitation of trusted connections across security perimeters
- Authorization to ICS applications without sufficient access control mechanisms
Possible consequences:
- Plant upset / shutdown
- Delay plant startup
- Mechanical damage / sabotage
- Unauthorized manipulation of operator graphics - inappropriate response to process action
- Unauthorized modification of ICS database(s)
- Unauthorized modification of critical status / alarms
- Unauthorized distribution of faulty firmware
- Unauthorized startup / shutdown of ICS devices

Target: Fire detection and suppression system
Attack vectors:
- Fire alarm / evaluation
- Fire suppressant system
- Building management network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application (building management system)
- Installation of malware via unvalidated vendor software
- Network access through unprotected access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Unauthorized release of suppressant
- Equipment failure / shutdown

Target: Perimeter protection (firewall/IPS)
Attack vectors:
- Trusted connections (Business-to-Control)
- Local user account database
- Signature / rule updates
Possible attack methods:
- Untested/unverified rules
- Exploitation of unnecessary / excessive openings on perimeter defense (firewall)
- Insecure office and industrial protocols allowed to cross security perimeter
- Reuse of credentials across boundary
Possible consequences:
- Unauthorized access to business network
- Unauthorized access to DMZ network
- Unauthorized access to control network
- Local credential leakage
- Unauthorized modification of rulesets / signatures
- Communication disruption across perimeter / boundary
23
Security design
Security zones
Zoning and segregation are among the most effective defense mechanisms in protecting industrial
networks. In the assessment of the potential zones for an LNG plant, all physical assets (equipment,
devices, computers, etc.), systems (controllers, sensors, logical devices, software), human interface
users, and all other components must be included. It is important to understand that there will be
overlaps between different zones, either in physical form or in the data network. Another issue is
implementing zoning without affecting the efficient functionality of sub-systems.
Considering the different means and protocols of communication among control systems and other
components helps in dividing zones with minimal impact on process flow.
Zone 0: Field process zone
Zone 1: Basic control zone
Zone 2: Supervisory control zone
Zone 3: Plant operational control zone
Zone 4: Corporate and business zone
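An added example, not part of the original report: a flow audit against the five zones listed above. The subnets, ports and conduit allow-list are assumptions made for illustration, and the flow records are constructed; the zone 0 to zone 4 record mirrors the sensor-to-business-network path of Scenario 2.

```python
import ipaddress

# Zone numbers follow the list above; the subnets are hypothetical.
ZONE_SUBNETS = {
    0: "10.0.0.0/24",  # field process (sensors, valves, flow meters)
    1: "10.1.0.0/24",  # basic control (PLCs)
    2: "10.2.0.0/24",  # supervisory control (HMI, SCADA servers)
    3: "10.3.0.0/24",  # plant operational control
    4: "10.4.0.0/24",  # corporate and business
}
NETWORKS = {z: ipaddress.ip_network(n) for z, n in ZONE_SUBNETS.items()}

# Assumed conduit allow-list: (source zone, destination zone, destination port).
ALLOWED_CONDUITS = {
    (1, 0, 502),   # controllers polling field devices
    (2, 1, 502),   # supervisory hosts talking to controllers
    (3, 2, 443),   # plant operations reading supervisory data
    (4, 3, 443),   # business users reading plant operations data
}


def zone_of(ip):
    """Return the zone number an address belongs to, or None if it is unzoned."""
    addr = ipaddress.ip_address(ip)
    for zone, net in NETWORKS.items():
        if addr in net:
            return zone
    return None


def check_flow(src, dst, port):
    """Return None when the flow is permitted, else a (severity, reason) tuple."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return ("high", "endpoint not assigned to any zone")
    if sz == dz or (sz, dz, port) in ALLOWED_CONDUITS:
        return None
    if abs(sz - dz) > 1:
        return ("high", f"zone {sz} -> zone {dz} bypasses intermediate zones")
    return ("medium", f"zone {sz} -> zone {dz} port {port} has no defined conduit")


def audit(flows):
    """Check every (src, dst, port) record and collect the violations."""
    violations = []
    for src, dst, port in flows:
        verdict = check_flow(src, dst, port)
        if verdict is not None:
            violations.append((src, dst, port) + verdict)
    return violations


# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.2.0.5", "10.1.0.7", 502),     # HMI to PLC over a defined conduit
    ("10.0.0.31", "10.4.0.12", 443),   # field sensor reaching the business network
    ("10.4.0.12", "10.3.0.8", 443),    # business user reading plant data
    ("10.3.0.8", "10.2.0.5", 3389),    # adjacent zones, but no conduit for this port
    ("192.0.2.50", "10.1.0.7", 502),   # source address outside every zone
    ("10.1.0.7", "10.1.0.9", 44818),   # traffic inside one zone
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```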
24
WHAT CAN GO WRONG?
Key control functions:
- Control of refrigeration processes
- Control of liquefaction unit
- Compressor and gas turbine control
- Anti-surge control systems
- Storage and loading
Incident types:
- Change in a system, operating system, or application configuration
- Change in programmable logic in PLCs, RTUs, or other controllers
- Misinformation reported to operators
- Malicious software (malware) infection
- Tampering with safety systems or other controls
- Information theft or alteration
25
The design below (diagram created using the free version of Edraw software) shows the segregation of
major field units, control systems, business network, and emergency systems, and their connections.
This is an over-simplification of the LNG plant operation and networks. Numerous types of
architecture in both operation and control process could impact the defense layers and priorities.
However, the detailed design of such a system is not the goal of this research, and the proposed
methodology provides the tools to approach large scale designs.
Figure 14. Plant zoning design
26
Lessons learned from hypothetical attack scenarios
The methodology explained in the previous section could be applied to different sectors of the
LNG plant. By listing the key control functions in each unit’s process, and imposing the impacts
of potential cyber-attacks, the security manager can first predict the failures created in the system
as a result of a cyberattack, and then design defense mechanisms for prevention. Based on the three
different imaginary attack scenarios and the identified vulnerabilities, some basic defense
mechanisms are suggested here:
Scenario 1.
Remote access problem
Remote access to control system devices, if it is provided, should be controlled via specialized
virtual private networks (VPNs) or remote access servers (RAS), and should only allow explicitly
defined, point-to-point connections from known entities, over secure and encrypted channels.
User access problem
For human interaction, such as an operator accessing an HMI to control a process, it is just as
important to define which users should legitimately be communicating with which devices. This
requires a degree of Identity and Access Management (IAM), which defines users, their devices,
and their roles. Role-based access control (RBAC), on the other hand, allows segregating employees
by allocating them to different groups. For example, upon termination of an employee’s contract which
included control system access, the plant is at risk. By placing a human operator in a functional
group with limited devices that he/she should be using, further suspicious activity could be
detected and potentially prevented.
27
In a similar manner, users from a business network endpoint may require access to field data coming
from within a SCADA system. Needless to say, such behavior could expose the integrity and
confidentiality of the system to great danger. Hence, the use of a demilitarized zone (DMZ) is
recommended, as well as utilization of conduits such as one-way communications between field and
business users. An assessment must then be conducted for all users within each security level zone
(or layer).
Scenario 2.
Firewall/Network security problem
At a basic level, some sort of network firewall is required when field systems are connecting to a
network which has access to the internet. Additional security such as Unified Threat Management
(UTM) devices, Network Whitelisting devices, Application Monitors, and Industrial Protocol
Filters can, depending on the specific situation and budget, improve the reliability. The security
level of the zone in which control systems are operating dictates the degree of security that is
required, but in this scenario, the ultimate goal was corrupting the ERP system and eventually
attacking some remote facility. In such cases, limited encryption of communication data helps
prevent unmonitored communication between field devices and the business network.
Embedded corruption in purchased devices
Having a trusted, internationally reputable vendor list eliminates many risks related to installing
pre-corrupted devices in the critical infrastructure. However, usually such risks are unknown to
the vendors as well. Therefore, having a 3rd party partner test control devices prior to large scale
field implementation helps detect some level of anomaly in the system.
28
Scenario 3.
The human (employee) role problem
This scenario shares the human interaction component with the first scenario. The role of human
operators is by far the most important link in the cyberattack chain. A large portion of such attacks
include direct or indirect interference of an insider employee. This could be an intentional act of
sabotage, or in many cases, employees unintentionally cause severe damage to a critical system.
Therefore, constant training and education of the organization is one of the most crucial aspects of
the defense mechanism. The certificates and standards listed below are some of the available means of
improving employee knowledge:
- Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
- Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
- Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist
- Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist
- ISA/IEC 62443 Cybersecurity Expert: Individuals who achieve Certificates 1, 2, 3,
and 4 are designated as ISA/IEC 62443 Cybersecurity Experts.
While such training is extremely helpful, it is not enough and defense must be embedded in various
components of the physical and cyber systems.
Monitoring and detection problem
In the critical operation areas, application-layer session monitoring provides a valuable level of
protection, as it is able to detect low level protocol anomalies and application policy violations
(such as an unauthorized attempt to write a new configuration to a PLC).
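An added example, not part of the original report, of the application-layer check described above: it inspects Modbus/TCP request frames for header anomalies and for write requests from hosts that are not allowed to reconfigure a controller. The choice of Modbus/TCP, the host addresses and the write policy are assumptions; the frames are constructed.

```python
import struct
from dataclasses import dataclass

# Function codes that modify controller state (from the public Modbus specification).
WRITE_FUNCTIONS = {
    0x05: "write single coil",
    0x06: "write single register",
    0x0F: "write multiple coils",
    0x10: "write multiple registers",
}

# Assumed policy: only the engineering workstation may write to controllers.
AUTHORIZED_WRITERS = {"10.2.0.10"}  # hypothetical address


@dataclass(frozen=True)
class Finding:
    src: str
    kind: str    # "protocol-anomaly" or "policy-violation"
    detail: str


def build_frame(tid, func, data, proto=0, length=None):
    """Build a Modbus/TCP request (MBAP header + PDU) for the constructed samples."""
    pdu = bytes([func]) + data
    if length is None:
        length = len(pdu) + 1  # the length field counts the unit id plus the PDU
    return struct.pack(">HHHB", tid, proto, length, 1) + pdu


def inspect_frame(src, frame):
    """Return the findings for one request frame observed from host `src`."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least the function code
        return [Finding(src, "protocol-anomaly", "truncated frame")]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    findings = []
    if proto != 0:
        findings.append(Finding(src, "protocol-anomaly",
                                f"protocol id {proto}, expected 0"))
    if length != len(frame) - 6:
        findings.append(Finding(src, "protocol-anomaly",
                                f"length field {length}, actual {len(frame) - 6}"))
    func = frame[7]
    if func in WRITE_FUNCTIONS and src not in AUTHORIZED_WRITERS:
        addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
        findings.append(Finding(
            src, "policy-violation",
            f"{WRITE_FUNCTIONS[func]} at address {addr} from unauthorized host"))
    return findings


def monitor(session):
    """Inspect every (source, frame) pair of a session and collect the findings."""
    findings = []
    for src, frame in session:
        findings.extend(inspect_frame(src, frame))
    return findings


# Constructed session: (source host, raw request frame).
SAMPLE_SESSION = [
    # HMI reads ten holding registers: normal operation.
    ("10.2.0.20", build_frame(1, 0x03, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes a register: permitted by the assumed policy.
    ("10.2.0.10", build_frame(2, 0x06, struct.pack(">HH", 16, 50))),
    # The same write arriving from a business-network host: not permitted.
    ("10.4.0.23", build_frame(3, 0x06, struct.pack(">HH", 16, 50))),
    # Read request whose MBAP length field does not match the frame.
    ("10.2.0.20", build_frame(4, 0x03, struct.pack(">HH", 0, 10), length=255)),
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_SESSION):
        print(finding)
```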
29
References:
1. Mokhatab, Saeid, et al. Handbook of liquefied natural gas. Gulf Professional Publishing, 2013.
2. Jang, Woosik, Seung Heon Han, and Heedae Park. "A stage-gate integrated risk control system for LNG
plant projects: focusing on the design phase." Journal of Natural Gas Science and Engineering 22 (2015):
437-446.
3. Cleaver, Phil, Mike Johnson, and Ben Ho. "A summary of some experimental data on LNG safety." Journal
of hazardous materials 140.3 (2007): 429-438.
4. Rathnayaka, Samith, Faisal Khan, and Paul Amyotte. "Accident modeling approach for safety assessment in
an LNG processing facility." Journal of Loss Prevention in the Process Industries 25.2 (2012): 414-423.
5. Tanabe, Masayuki, and Atsumi Miyake. "Approach enhancing inherent safety application in onshore LNG
plant design." Journal of Loss Prevention in the Process Industries 25.5 (2012): 809-819.
6. Lim, Wonsub, Kwangho Choi, and Il Moon. "Current status and perspectives of liquefied natural gas (LNG)
plant design." Industrial & engineering chemistry research 52.9 (2013): 3065-3088.
7. SAP Cybersecurity for Oil and Gas, Alexander Polyakov - CTO, ERPScan, Mathieu Geli - Head of SAP
Threat Intelligence, ERPScan
8. Koopman, Ronald P., and Donald L. Ermak. "Lessons learned from LNG safety research." Journal of
Hazardous Materials 140.3 (2007): 412-428.
9. Bernatík, Aleš, P. Senovsky, and Martin Pitt. "LNG as a potential alternative fuel–safety and security of
storage facilities." Journal of Loss Prevention in the Process Industries 24.1 (2011): 19-24.
10. EPA’s Liquefied Natural Gas Regulatory Roadmap, 2016
11. Tanabe, Masayuki, Cesare Turco, and Atsumi Miyake. "Management system for enhancing chances to take
inherently safer design options in LNG plant projects." Journal of Loss Prevention in the Process Industries
(2016).
12. Vinnem, Jan Erik. "Risk analysis and risk acceptance criteria in the planning processes of hazardous
facilities—A case of an LNG plant in an urban area." Reliability Engineering & System Safety 95.6 (2010):
662-670.
30
13. Raj, Phani K., and Theodore Lemoff. "Risk analysis based LNG facility siting standard in NFPA 59A."
Journal of Loss Prevention in the Process Industries 22.6 (2009): 820-829.
14. Tanabe, Masayuki, and Atsumi Miyake. "Risk reduction concept to provide design criteria for Emergency
Systems for onshore LNG plants." Journal of Loss Prevention in the Process Industries 24.4 (2011): 383-
390.
15. CRS Report for Congress, Liquefied Natural Gas (LNG) Infrastructure Security: Issues for Congress,
Updated May, 13, 2008, Paul W. Parfomak.
16. Mokhatab, Saeid, et al. Handbook of liquefied natural gas. Gulf Professional Publishing, 2013.
17. Knapp, Eric D., and Joel Thomas Langill. Industrial Network Security: Securing critical infrastructure
networks for smart grid, SCADA, and other Industrial Control Systems. Syngress, 2014.
18. Pillarella, Mark, et al. "The C3MR liquefaction cycle: versatility for a fast growing, ever changing LNG
industry." Fifteenth International Conference on LNG, Barcelona, Spain. 2007.
19. Mandler, J. A., et al. "New control strategies for the LNG process." Proceedings of the LNG 12 Conference.
1998.
20. Joint Task Force Transformation Initiative. Security and privacy controls for federal information systems and
organizations. 2013.