Cyber-Physical Systems Opportunities in the
Chemical Industry: A Security and Emergency
Management Example
Richard Squirea and Houbing Songb,c
a
Department of Natural Sciences, West Virginia University - Institute of Technology, Montgomery,
WV 25136; richard.squire@mail.wvu.edu (for correspondence)
b
Department of Electrical and Computer Engineering, West Virginia University – Institute of Technology, Montgomery, WV 25136
c
West Virginia Center of Excellence for Cyber-Physical Systems, West Virginia University – Institute of Technology, Montgomery,
WV 25136
Published online 7 April 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11676
The manuscript defines and discusses the products of a
successful cyber-physical system in the chemical industry
using two examples. The first is the ability to make the cor-
rect decision quickly regarding an unforecasted large sale of
a product. The second is the automatic availability of crit-
ically needed information, accessible anywhere in the world
which provides endless possibilities for the chemical industry.
Concerns and some resolutions are also discussed. V C 2014
American Institute of Chemical Engineers Process Saf Prog 33: 329–
332, 2014
Keywords: safety management; emergency response; secu-
rity; risk assessment
INTRODUCTION
A Cyber-Physical System (CPS) is the physical, informa-
tion and program binding of critical computer elements from
various “stand-alone” computers. Helen Gill (National Sci-
ence Foundation) coined the term “cyber-physical systems”
in 2006 [1]. Emerging CPS will be integrated, distributed, and
connected. The CPS of tomorrow will far exceed the systems
of today in capability, adaptability, resiliency, safety, security,
and usability. It will transform the way people interact with
engineered systems, just as the internet transformed the way
people interact with information. Continued investment in
CPS research will occur because of its scientific and techno-
logical importance and its potential impact on sectors critical
to U.S. security and competitiveness [2]. Building effective
CPSs of the future require multidisciplinary skills. In particu-
lar, the confluence of real-time computing, wireless sensor
networks, control theory, and signal processing is required
to create these new skills.
Cross-discipline collaboration regarding CPS is a challenge
due to differences in terminology, education, goals, leader-
ship, and management. Installation and start-up of a CPS
brings these aspects into direct interaction on a project team
but they can become strong attributes with cross-training and
patience. The cooperation and ultimate integration of these
C 2014 American Institute of Chemical Engineers
V attest that several issues can be addressed successfully using
Process Safety Progress (Vol.33, No.4)
two aspects of a business can result in profound improve-
ments in any number of areas typically measured as opera-
tional and strategic performance. What is new is the
continuous reduction of the cost of control elements and the
connectivity of fixed computers, hand-help devices, and the
computational ability of all these devices. There is an
unprecedented ability to receive, connect, and compute
information almost instantaneously at multiple local or global
locations such a warehouse, manufacturing site, and sales
personnel at a customer. A number of key new issues are
raised by implementation of such a system. Two important
ones are (i) security and (ii) the need to change business
and decision making practices, sometimes radically, to maxi-
mize opportunities brought about by the speed and effec-
tiveness of the new system. Security issues of CPS have been
raised by several groups, including Homeland Security (HS)
[3].
The objectives of this manuscript are to:
1. illustrate the potential of the connectivity of a CPS in
the chemical industry
2. raise awareness of previous errors made in past
implementations
3. focus on the questions raised by security issues, and
4. provide answers to some of these questions.
A basic CPS is described for grounding in A Basic CPS
Section. Economic incentives for using a large-scale CPS are
contained in Incentive and Technique for a Business to Con-
struct a Cyber-Physical Connectivity Section, followed by
improvements for the business component. In Emergency
Management Example Section, an emergency scenario with-
out and with CPS technology illustrates the possibilities. Past
implementation errors are discussed for a general CPS and
solutions are provided in The CPS Approach Section. In
Additional Possible Enhancements Section, additional advan-
tages of extended connectivity are discussed. Issues raised
by the HS workshop entitled “Future Directions in Cyber-
Physical Systems Security” are also explored. Last, we
address recommendations expressed in this workshop and
December 2014 329

Figure 1. Simplified Overview of Connectivity of CPS.
Reference structure of a SCADA system. Reproduced with
permission from Dr. C. Codella, IBM. [Color figure can
be viewed in the online issue, which is available at
wileyonlinelibrary.com.]
current technologies in the chemical industry (“Challenges
and Recommendations” (Section 4.3) of HS’s “Future Direc-
tions in Cyber-Physical Systems Security” Report Section). A
summary and conclusion follow (Summary and Conclusion
Section).
A BASIC CPS
Below is an overview of a CPS, the synergy of cyber
(computing, communication, control) and physical compo-
nents which goes beyond supervisory control and data
acquisition (SCADA) [4,5]. SCADA systems were a major
improvement in the chemical industry connection to the
“physical world”: pipes, reactors, heat exchangers, distillation
columns, etc.
Many companies use “PLC’s” (Programmable Logic Con-
troller) or “RTU’s” (Remote Telemetry/Terminal Unit) which
are different in size and capability Figure 1. An RTU is larger
and has more local processing power to work with collected
data before it sends alerts to a central console for Human
Manual Interface (HMI) The power to modify data needs to
be carefully monitored and controlled, since it can be an
asset if done properly. If not, it can also lead to erroneous
correlations because of distorted or inaccurate data. In the
CPS world the loops and ration parameters, etc. would be
routinely checked for deviations, caused by either human or
mechanic sources. High “change design” and change man-
agement standards need to be maintained and documented,
especially as concerns process safety data. If the system is
connected to a CPS, a change can be recognized quickly;
manual changes require human analysis and correction.
Assuming manual changes are controlled, the data quality
that is collected across the entire CPS is excellent and the
confidence in the system will grow and it will soon become
part of the functioning culture.
INCENTIVE AND TECHNIQUE FOR A BUSINESS TO CONSTRUCT A CYBER-PHYSICAL
CONNECTIVITY
The integrated system installed was not titled a CPS, but
the “manager/subject matter expert” clearly recognized the
value of the integration all aspects of a global business with
330 December 2014 Published on behalf of the AIChE
a computer system. Contained within this system was con-
nectivity from strategic to operational (top to bottom) and
from suppliers to customers for multiple supply chains. After
mapping of all business activities and information flows, the
entire process was streamlined. It became driven by custom-
ers’ demands which the system “pushed” backward through
the supply chain to generate multiple sets of plans consisting
of materials, acquisition dates; time-value of the expenditures
versus risk factors, etc. Once internal agreement was
reached, the plan was set in motion which allowed custom-
ers to obtain the product they requested in its correct final
state on time in the proper locations, packaged with proper
labels, and instructions for the intended markets. Costs and
times for each were recorded on a unique material indexing
number and communicated to whoever had need of the
data.
The beauty of such a system became evident when a
competitor’s product could not be delivered; “How quickly
could we supply a very large amount of our newly intro-
duced product? A response is needed in 3 days.” The busi-
ness plan was revamped within an hour and the time-
consuming step was the approval to proceed. This rate-
determining step was caused by the lack of discussion and
understanding of the system and its capabilities with decision
makers (See “Challenges and Recommendations” (Section
4.3) of HS’s “Future Directions in Cyber-Physical Systems
Security” Report Section, Challenge 4: “Human in the Loop”).
Many current managers were accustom to receiving inaccu-
rate numbers which turned a decision making process into
an experienced-based guess. Other possible plans were
quickly evaluated by the cyber-system, but the original plan
was executed. We became an agile, highly profitable busi-
ness in a fast changing marketplace. Yet, the reaction to
making such a “quick” decision and the resulting success
was not all positive. Confidence in the accuracy of the num-
bers used had not been completely established in the
middle-level managers who enjoyed the success but were
clearly concerned about their futures.
EMERGENCY MANAGEMENT EXAMPLE
A typical “safety incident” can illustrate the opportunity of
today’s cheap electronics to enhance the computer-physical
integration.
Out-Dated Response
A key to any emergency is rapidly knowing where per-
sonnel are positioned in an incident [2–5]. Radio contact has
been used for this purpose for some time, but it can be a
slow process of establishing the locations of personnel. A
faster method to obtain personnel location and other vital
incident information is clearly needed.
A Typical Incident Scenario [6–9]
First Five Minutes
You are the designated incident commander; set the clock
to zero when the incident begins. Unless there is an auto-
matic alarm (sensor or other device), it can be up to 5 min
before an alarm is sounded. There can be very good reasons
for this: tending to injured personnel injured and/or nearby
personnel in shock. The response time varies because: a
debate about whether the “perceived” event is worthy of an
alarm; attending to the needs of injured personnel first; per-
sonnel close to the event may be unable to turn in an alarm
(alarm location, etc.)
Alarm Sounds After Five Minutes
An incident alarm provides very little information. The ini-
tial alarm may be a surprise to the local Central Control
DOI 10.1002/prs Process Safety Progress (Vol.33, No.4)
Room (CCR) operator. Confusion usually reigns in this sce-
nario, and usually there is a near complete lack of any “real”
information for 5 or 10 min more.
Fifteen Minutes from the Start
Head count information comes pouring in from all areas.
There may be mobile work groups spread across the entire
site, creating more confusion. Pertinent incident information
finally begins to arrive; “we have injuries and need an
ambulance.” Are there other flammables involved? Has the
fire brigades been fully assembled; where is their location? A
plan is quickly needed.
THE CPS APPROACH
Benefit of New Technology
In today’s world a head count is antiquated; the individ-
ual person and their location will be continuously monitored
by carrying a device that will provide a three-dimensional
grid location on all personnel. Suppose two specific people
are on a roof and do not know they are trapped; they may
not know they are in need of assistance. A check of the
building blueprint electronic file is used to expedite their res-
cue by the fire brigade commander who has the ladder
truck. The locator system can provide instant information
about all personnel. The personnel locator could also be
equipped with a personal alarm; if an employee was injured
or in a threatening situation (security issue), they could trip
the device with “two pushes of a button” or some other
signal.
Artificial Intelligence Opportunities
Practice drills, especially “live” drills as opposed to “table
drills” can help improve the emergency plan and its execu-
tion, especially if they are directed toward an incident
involving “highest probability incidents” with a “highly haz-
ardous chemical.” If there are “worst case” or “more
probable” scenarios that may have been used as a drill, these
can be quickly reviewed as guides to gain a better under-
standing of the actual incident.
Inputting the data from a drill–listing times for each func-
tion such as how long it took an alarm to sound to how fast
an Material safety data Sheet (MSDS) sheet, In-Depth Process
Hazards Review (IDPHR), building blueprints, piping blue-
prints, operating directions, shutdown information, etc. The
shutdown information could be displayed to show fast it
took to empty vessels in a facility so this information can
become a useful metric that can be incorporated into the
emergency response. This can provide “institutionalism” of a
well-established process not only for emergency response,
but of overall training in other functions. This process can
help build trust in the system.
ADDITIONAL POSSIBLE ENHANCEMENTS
One is limited by one’s imagination and experience as to
what crucial information from the various process areas is
needed at the command center (which may be mobile). This
information has been identified for some time in the chemi-
cal industry’s comprehensive safety reviews called In-Depth
Hazard Reviews (IDPHR), required by law to be performed
periodically. Key parameters that are actively discussed and
the reasons for all crucial control limits are documented
along with corrective action. A plant could have an instanta-
neous report generated which listed all crucial parameters
out of control, in control, etc. (perhaps another “Challenges
and Recommendations” (Section 4.3) of HS’s “Future Direc-
tions in Cyber-Physical Systems Security” Report Section:
Challenge 4 issue). In an emergency the machine controlling
the process could report the out of control information so if
Process Safety Progress (Vol.33, No.4) Published on behalf of the AIChE
there is a fire, spill, etc. the incident commander instantane-
ously knows whether to send resources into the area or iso-
late it.
Plant drawings are also electronically stored, they can be
accessed to “remind” emergency personnel about building
access and egress, location of tanks internal and external to
a building, etc. The MSDS sheets are also stored electroni-
cally; they list what decontamination procedures need to be
readied for the fastest and safest treatment.
“CHALLENGES AND RECOMMENDATIONS” (SECTION 4.3) OF HS’S “FUTURE
DIRECTIONS IN CYBER-PHYSICAL SYSTEMS SECURITY” REPORT
Recommendations 1 and 3 (Challenge 1. Risk Assessment)
are closely related. The first suggests a “comprehensive risk
assessment” tool is needed suitable for the entire facility; this
tool is in place since the probability of risk for the entire
chemical facility is essentially the sum of the risks for each
individual operation since most are separated by some dis-
tance. The notion that a separate assessment is needed for
antiterrorism is redundant; the major difference between the
two is the probability of the event taking place. Safety and
security are inextricably linked.
Challenge 2: Design and evaluation of ICS security meas-
ures contains two items that we believe are covered by
today’s practices: (1) the environment impact of a release to
the air, soil, and water or any combination of these. The
IDPHR “most probable” events discussed above certainly
contain the basis for this assessment as the quantities of
material likely to be discharged are the basis. An air release
can be well described by commercially available computer
models with input from monitors around the facility. Most
IDPHR’s review the individual materials and their various
combinations for reactivity (a reactivity matrix). This is done
to avoid a chemical reaction taking place in a common vent
or waste tank, etc. “Highly hazardous materials” equipment
is periodically tested to insure that it meet specifications.
Cyber components and the assembled systems undergo a
“functional check” of the inputs and expected outputs on a
routine basis.
Challenge 3: Cyber intrusions as well as physical process
area intrusion are important security and safety issues. An
external physical intrusion is usually avoided by a fence with
visual detected by cameras and periodic patrols. Cyber incur-
sion can be treated similarly, that is, with a physical barrier.
A CPS can be interrogated by an external source if they meet
the security checks. No external command inputs to the ICS
or DCS should be allowed. A standard chemical practice to
positively avoid backflow in a pipe such as cooling water is
to provide a “physical disconnect,” that is, the water drops
out the end of a pipe into a storage tank where it is then
pumped to wherever it is needed; a “check-value” is clearly
not adequate. This concept can be useful in a physical-cyber
system for protection from external sources as there are sev-
eral ways to implement this idea.
Challenge 4: The Human in the Loop. This is the most
challenging issue in this report. The issue is broader than
listed in the HS report, ranging from substance abuse to
mental illness to disgruntle employee to poorly trained or
inexperienced operators and/or mechanics. The current
safety statistics suggest that most injuries are the result of
serious violent incidents in the workplace.
SUMMARY AND CONCLUSIONS
A simplified approach to the integration of the physical
world and computers (CPS) has been presented. There are
obvious lapses such as the recent Texas ammonium nitrate
explosion. If the materials and their properties are unknown,
employees, first responders, and others in the community
are at high risk. But a cyber-system at the manufacturing site,
DOI 10.1002/prs December 2014 331
and the shipping site would provide important location
information if they were connected. Hopefully small quanti-
ties need registered buyers whose names and addresses
could be uploaded, especially when a pickup truck can carry
a dangerous quantity. Then, a connected CPS could list the
contents and quantities of a location for first responders.
One last comment seems appropriate: the chemical indus-
try has experienced chemical process operation evolving
from manuals controls, though electronic and pneumatic
stages to microprocessor control to primitive DCS controls to
full sophisticated DCS process control and so on. That being
said, one could not help but think about the conclusion of
one contributing factor in a recent airplane crash. The pilots
had relied so heavily on their automated system, that when
some instruments provided false information, they could not
analyze which readings were inaccurate and respond in the
5 min they had. Learning from this experience could a CPS
have sorted out the error to suggest a crash prevention strat-
egy? The airline stated that their pilots would spend more
time on a manual simulator, but perhaps a combination of
human and CPS would have corrected the situation.
LITERATURE CITED
1. H. Gill, “NSF perspective and status on cyber-physical
systems,” National Workshop on Cyber-physical Systems,
Austin, TX, October 16–17, 2006.
332 December 2014 Published on behalf of the AIChE
2. President’s Council of Advisors on Science and Technol-
ogy, Designing a Digital Future: Federally Funded
Research and Development in Networking and Informa-
tion Technology, Washington, DC, December 2010.
3. N. Adam, Workshop on Future Directions in Cyber-
Physical Systems Security, Final Report, Infrastructure and
Geophysical Division Science and Technology Director-
ate, January 2010.
4. National Meeting on Beyond SCADA: Networked Embed-
ded Control for Cyber Physical Systems, Pittsburg, PA,
November 8–9, 2006.
5. H. Gill, Cyber-Physical Systems: Beyond Embedding Sys-
tems: Sensor Networks, and SCADA, SEI TCES Workshop,
Pittsburgh, PA November 9–10, 2010.
6. R.H. Squire, “Safety of large ammonia storage tanks,”
Ammonia Plant Safety, Vol. 30, American Institute of
Chemical Engineers, New York, New York, 1990, p. 89.
7. J.R. Tilton, R.H. Squire, C.S. Saffle, and C.R. Atkins,
“Ammonia storage tank safety study, Part II,” Ammonia
Plant Safety, Vol. 32, American Institute of Chemical Engi-
neers, 1992, p. 63.
8. R.H. Squire, “Zero period safety process,” Ammonia
Safety Symposium Series, Vol. 41, American Institute of
Chemical Engineers, 2001.
9. R.H. Squire, Zero period process–A description of a
process to zero injuries, Process Saf Prog 20 (2001), 17–
28.
DOI 10.1002/prs Process Safety Progress (Vol.33, No.4)