Get the Best Pipeline Integrity Management System for NPOs with airSlate SignNow

How to create outlook signature

uh welcome everybody it is now the appointed time for the webinar and uh it's interesting that uh the subject today on pipelines was um a subject i'd been thinking about before christmas and into the new year because i had been talking to some clients and they were midstream clients and some of the responses i was getting and and some of the opinions caused me to to look at pipelines a bit more closely because there have been as you will see quite a few incidents and it just so happens that um we had the the colonial pipeline issue as well that came up with the cyber security so the um the subject i think is is pretty relevant and it's all about are we really protecting the pipelines properly so as usual before we get into that some of you are new to exeter let me just explain a little bit about the company and give you a little bit of history again the company exeter was formed about 20 years ago and exeter actually stands for excellence in dependable automation and the reason the company was started was to try and help manufacturers understand what this new standard iec 61508 was all about and how to go about the process of certifying products for safety applications well since then the company's grown exponentially we not only do safety product safety certification we also do cyber security certification for products we also do personnel certification some of you i know are cfses or cfsps some are fsps some are csps so the certification of personnel is also very important coupled with that we've provide full life cycle services for the three main disciplines associated with with pro overall process safety which of course is functional safety cyber security and when we talk about cyber security we're talking about the operational technology side of the firewall we're talking about ot industrial automation cyber security and alarm management and helping people with defining their alarm philosophies and helping with rationalization so we can provide the full life cycle services and to complement that we also have a comprehensive suite of software tools to support the life cycles so we have for functional safety we have alarm management and cyber security we are a global company so since starting with two founders originally we are now well over 120 people worldwide we have offices over the globe we are adding offices we just added the irish office in late 2020 despite the pandemic and we are always considering new locations the nice thing about the the three disciplines the functional safety the alarm management cyber security it's it's pretty industry agnostic to a certain degree so anything any process any application where there's the prospect of having some safety issues some functional safety issues we can apply that and of course more recently we're now dealing with the automotive industries and with robotics some of you probably seen these robots in the supermarkets but they're also larger robots that work in warehouses that could could cause significant injury and possible fatality if they were not properly in control and could run over a person so we're doing a lot more in that arena too as well as the course of traditional oil and gas chemicals steel energy etc how we measure our success is that well we've moved away from being just owned by the the initial two founders to being mostly employee owned now we are the leader when it comes to product certification we're also in not just in terms of the safety side but now in the cyber security side as well we have more than 100 global experts we've done more than a thousand certification projects now and modeled well over 500 000 sifs using the excellencia tool and here again i'm sure some of you are probably familiar with the tool and actually use it the other thing we do is publish a lot of reference materials there are books that you can get through the website and now through amazon as well so you can download them from amazon some of them are electronic some of them you can order through amazon and these cover a wide range of of applications so we have functional safety of course we also provide books on cyber security not just from the the end user side but also from the oem side and last year my book on functional safety for managers what managers needs to know was published we have the safe electrical reliability handbooks which are still available but we will be going probably fully electronic with those these have all the failure rates this is what's built into the excellencia tool to provide failure rate information for doing some of the sif design and the sill verification calculations the other thing we have is free material which you can access through the website the exeter.com website does have a lot of information that's that's very useful we also provide the sael the safe automation equipment list which basically will provide you with a list of of certified devices and you can find more or less most of the devices that you would come across in normal application and you can see which manufacturers devices they are you can look at the certificate and if we're allowed to publish it you can look at the assessment report which tells you how the failure rates for the devices were derived these webinars that we do are also free of charge they're recorded they're available through the website you can go to the resources tab you can look at webinars you can go into the archive webinars and you can look under functional safety certification cyber security alarm management so lots of subjects and these are all 45 minutes to an hour max of youtube videos which are recordings from all the previous webinars there are white papers there too so you can look at the white papers you can see that those white papers are downloadable so again i encourage people to utilize as much as possible the the website and the free information that's there a little bit about me i've i've coming up to 45 years in industry now my background is in electronic control system design safety system design i used to design esd fire and gas and adjustable fire systems and then moved into the automation world and came back into safety about nine years ago when i when i joined exeter again i have a varied role in exeter i look after the end user business i have some global business development responsibilities and i also teach our functional safety class as well as i can teach the cyber security class so that's the introduction so let's get to the meat of all of this and are you really protected when it comes to pipelines and it's an interesting question because i was quite surprised when i started looking at the incidents that occur with pipelines and it in looking at this the statistics were that since about 2010 there were around 906 incidents through to 2019 that occurred in pipelines that were installed within the decade so that's that's quite alarming because that's that's almost 91 accidents or why 91 incidents a year and when compared to the same the when looking at the same number of incidents compared it to the previous period before that we found that that stretched for 40 years so why the sudden change and increase in such a shorter time so this was a sort of an interesting conundrum and i suppose one could speculate on a number of reasons why that is there could be time pressures to to get the pipes pipelines installed quickly and operating it could be cost driven so that there are shortcuts taken who knows but the statistics are quite alarming and when you look at the cause it's interesting that the the majority of the cases it was equipment failure that caused this absolute approximately 32 percent was due to equipment failure so this is this is new equipment that's going in so again that's sort of puzzling why why would we have equipment failures of that level and again you could speculate you could say well equipment failures could be due to a number of things it could be due to some configuration issues it could be to the fact that we're using the wrong equipment it could be that we're not considering the application properly could be a number of things and then corrosion failure was the second most common reason about 19 was due to corrosion so here again if these are relatively new pipes then why would we we be getting these sorts of problems and interestingly there is a program to replace some of the old cast iron pipes with plastic pipes but that's an ongoing process of course and and there's there's something like 2.8 million miles of pipe pipeline in the in north america at the moment so that's it's um and some of it is considerably older than the last 10 years so you you you'd expect there'd be problems with the older pipes not with the new newer ones so this is this is another interesting area and of course what's been highlighted recently with colonial is that cyber security should also be considered because major pipeline infrastructure is a potential target infrastructure in general we know that from the utility side they've had to tighten up since there have been a number of instances occur probably 10 years or more ago now and of course waste water and water treatment there was the case last year and again earlier this year so these are potential targets for would-be attackers and this group called darkseid claimed responsibility for the colonial uh pipeline hack so if you look at the statistics it's quite quite alarming really with the different types of pipeline incidents hazardous liquids gas transmission and gas gathering and gathering lines gas distribution and you can see that that something like 140 fatalities have occurred and again major major incidences versus minor incidences the major incidences is where we've obviously had the fatalities and the damages were almost five 5.4 billion dollars so it is quite staggering leakage is also an issue apparently 0.35 percent of the volume of gas lost in transmission is mostly due to unintentional leakage about a tenth of it is due to intentional where it's vented or flared so this means that 0.315 percent of the gas is released unintentionally and it may seem like a very small number but again if you put it into perspective if we just consider the atlantic coast pipeline which is scheduled to transmit about one and a half billion cubic feet of natural gas per day the expected leakage is around 4.7 million cubic feet per day and over a year of course that's about 1.7 billion cubic feet and putting it into perspective that's enough gas to provide to all pennsylvania residential consumers for about 13 days in august from just one pipeline so leakage is is another area that that is obviously of concern and of course leakage can lead to the potential for explosions and and major damage plus fatalities coming back to cyber security now so what colonial did of course was highlight the need to adopt cyber security as part of the overall site process safety now it's interesting that there is the the american petroleum institute standard to cover cyber security for scada systems but again does it go far enough and one of the things that we'll look at is could we be looking at a different a different approach in fact the biden administration will now mandate cyber security regulations for the nation's leading pipeline companies up till now it's mostly been following dot or tsa requirements and of course the the department of homeland security now will require pipeline companies to report cyber instances to federal authorities so it hasn't really been a mandatory thing to to do that but now they're going to push to have this done and the white house has also launched a new strategy to tackle the growing threat to the critical infrastructure beyond what's been done before because critical infrastructure is an obvious target for external potential nation-state attacks and for example with the dark side it's suspected that they are a based in russia although it so far to my knowledge anyway it hasn't been proved that but i mean it all points i think the um i think the federal government is convinced that's where it's coming from so what are the consequences of this attack well they they mandated that within 30 days and then this was from i believe the end of april they were to take steps to do an assessment as to how current practices line up against the current pipeline guidelines and now companies have to identify gaps and establish a timeline for red for remedying these potential gaps up till now it's been basically voluntary to do that but now they're going to enforce it and the tsa has committed to conducting 52 pipeline assessments in this fiscal year last report they'd done about 23 so they are definitely digging in and looking at this so what are the relevant standards that that are applying and mostly it's the american petroleum institute range of standards api issued two standards in 2020 one was the recommended practice 1182 which was the construction operation maintenance of large diameter rural gas gathering lines and then the second edition of rp-80 which is the definition of onshore gas gathering lights so the purpose of these two were to enhance safety and operational efficiency to meet state and federal rules for ensuring safe operation of these pipelines api 1160 is the overall standard to cover all pipeline integrity so there's a range of of standards that we'll we will see that cover certain parts of it but the overall is 1160 and then you have api 2350 that covers storage facilities and automated overflow protection systems so all of this is is great but the thing about these these api standards this yes they do they talk about addressing risk but they really work on a plan do check act process and this really comes down to culture and of course the leadership and management commitment to do this right however even though they talk about risk and and it is it is a form of ragged gap recognized and generally accepted good engineering practice there are things that that you could do or could be done better if we took a more risk-based approach yes they address risk but not to the levels of for example the way iec 61511 does or iec 62443 for the functional safety and the cyber security as well as the alarm management so api 1130 looks at design and implementation of leak detection systems api 11409 is the theoretical calculation of possible leak detection performance 1164 is pipeline addresses the pipeline scada security and 1165 is testing verification of scada hmi displays and designs and 1175 is the standard for the selection operation maintenance continuous improvement of leak detection systems so all of these cover various aspects of of the requirements but it's interesting because and as i said one of the reasons why i i started thinking about this and decided to do a webinar on this was from some of the conversations that i've been having and most midstream operators will say yes we have protection pressure protection we do valve misalignment protection systems we have leak detection systems we have vibration detection systems for pumps and compressors we have fire and gas detection we have seal leak detection so why do we need to to think about a iec 61511 and putting in safety instrumented systems well the thing is that all of these are in the bpcs and the basic process control system is not required to have the level of rigor applied to it that you would with a safety instrumented system yet most of these systems are there to help provide safety pressure protection if we have an over pro over pressure situation we need to know that our pressure protection is going to work reliably so this is really where there's a false sense of security the same with with pipeline monitoring systems that are looking at the thickness the philadelphia energy service explosion in 2000 i think it was to january 2020 they found that the the point where the fracture occurred which caused the the massive leak and an ultimate explosion the pipe thickness was less than that of the credit card and yet they had a pipeline monitoring system the problem was that it didn't cover that particular section of pipe so again these things can sort of lull you into a false sense of security and as you saw the the majority of incidents were equipment failure so if we're getting a large amount of equipment failure then maybe we should be looking at how we specify the equipment and maybe we should take a more risk-based approach and utilize the approach defined in ie 615-11 to take a life cycle approach rather than just the the the normal approach of plan do check and act so when it comes to looking at 1511 for example and pipeline safety so if we've got a high integrity pressure protection system that's employed then typically this will be considered as as part of a or or will be considered for a safety instrumented system requirement so ragged get techniques are required for risk reduction mitigation this means that we should be carrying out hazard and risk assessments and doing layer protection analysis to make sure that we've got sufficient protection or if we haven't that we define the additional protection and if those if that additional protection requires a safety instrumented system with safety instrumented functions for given sill targets then that's what we should be doing because here again at some of the some of the the counter arguments i've had when talking to some midstream companies is that well we don't we don't need to put safety instrumented systems in we don't have any we don't need the cost yet when you talk to them about okay how many shutdowns do you have how many failures are you getting and and there are significant number of trips failures due to to equipment so here again the short-sightedness is that it's going to cost me a lot of money if i do this but actually if you do this yes all right there might be an initial expense to do it but over the longer term you'll get the gains of having less trips or less failures less problems less likely to have incidents because you know dear old trevor kletz he used to say if you think safety is expensive try an accident and if they do have a major pipeline incident that with an explosion and fatalities then yes it's going to be extremely expensive so why not consider taking a risk-based approach around a life cycle to ensure because again these systems that get put in how well are they maintained do they are they regularly tested do they do some form of proof testing or not how often do they look at the useful life of the devices and either refurbish or replace them before they fail rather than have a run to fail policy all of these things can be considered so safety instrumented systems with safety instrumented functions would give them that level of risk reduction and of course if we follow the life cycle then we will make sure that we continue to achieve the level of performance that's desired same thing when it comes to the security api 1164 covers the pipeline scada security but we could apply iec 62443 because again following the life cycle approach this is where we would do our risk assessments we'd look at our critical infrastructure the critical equipment what happens if that equipment is compromised or if it can be disabled as a result of a cyber incident then we can look and see okay what counter measures do we currently have what can we do to improve that what security level requirements are there so again taking a risk-based approach using a performance based standard means that we can utilize technology we don't we're not hamstrung by a prescriptive approach that says you have to do this this and this and we can we can utilize the latest techniques however being a risk-based approach we would have to have key performance indicators to be identified for tracking that's not a big deal we could do that so this again would ensure that it's not a once and done and the problem is a lot of people think that okay i've got the system in i'm protected well that might be fine from day one but over time that's going to change as we all know so the life cycle approach means that we continually ensure by tracking monitoring the data monitoring incidents looking at failures and alarms trips etc we can monitor that we can improve it if we're finding we're getting a lot of these occurring so this brings us back to the good old question of why do companies have to manage risk because the simple answer is there's a legal a moral and a financial obligation to do that now with pipelines these those can be running through the suburbs through fairly densely populated areas so there is definitely a moral obligation to make sure that we limit the risk posed by this so of course if you look at it in each each one in its own merits when it comes to moral we should make it as safe as possible irregardless of any cost if it comes to regulations in the legal side of it we have to comply with regulations as written regardless of cost to actual level of risk and here again when i talk to some of these these mid-stream companies they say well we follow dot and tsa requirements so we don't need to worry about anything else so again this could be lulling them into a false sense of security because meeting a standard doesn't necessarily mean meeting your objectives and here again from a financial point of view of course you want to build it as cheaply as possible and run it as cheaply as possible so clearly these this would be in conflict with the other two so we have to find a balance and that's where the three overlap so this is the important thing so where's the current focus then right now we know that the most companies that are in the process industry the typical refineries etc those would be looking at complying with the raga gap requirements because here again a lot of the midstream guys say well we don't come under the osha psm requirements but yes if you're storing and and certain size facilities might actually come under that but in general yes they they don't necessarily meet need to meet the osha requirements however api is also ragged gap and so you need to do the recognized and generally accepted good engineering practice 1511 of course is recognized as raga gap and with the changes that came in 2016 now we have to consider cyber security and even there in discussions with clients we found that not everybody is embracing this a lot of people still have this well we've never had a problem before why should we worry about it now type approach but it only takes one if you get because you haven't got sufficient protection and somehow somebody introduces accidentally malware it doesn't have to be a nation-state attack could just be a simple mistake made by an employee who's using an infected device could be because they were doing some social media posting or whatever downloading and there was something in there and inadvertently they've now provided the opportunity for exploitation especially if it's ransomware and then that can cost you millions if depending on the size of course and what it is you're doing so here again adopting this approach taking this life cycle approach taking a performance based approach will give you that opportunity to define what you need to do based upon how much risk you're willing to accept and as long as that risk is within societal norms of what is expected that's fine same with alarm management alarm management is not always considered when even when implementing 1511 but it is required in api 1165. so having properly rationalized alarms so that your operators are trained and understand and know what to do and will see the alarms coming in their priority order and we'll have time to deal with them and it that in itself because there have been incidents as we shall see in a moment with alarms or the way that the alarms were treated causing a problem so we need to consider all three life cycles if we're going to properly contain and mitigate the risk so if we look at this from an operating landscape point of view of course what surrounds all of this is culture the culture meaning that what is the culture of the company what is the management culture is it to make sure we can do as much as we can to protect and safeguard not just our employees the public at large and obviously protect our shareholders so this requires that we have properly trained people who are competent to be able to do the work it also means that we need to be careful about the equipment we use to make sure that we have reliable equipment and it also can be robust against any potential cyber security threats so if we look at these together the consequences of inaction or deviation if the if the operator cannot see the wood for the trees because he's getting flooded with all this information and he can't pick out the key alarms he has to deal with that can use up vital minutes and could lead to a very poor decision or worse still could lead to the ultimate consequence which is an explosion then there's the consequences of failure on demand so here again if the equipment if we have protection systems in place but they're not designed to provide the level of risk reduction we need the performance we need if they fail on demand that's another problem and of course consequences of compromise whereby both a safety instrumented system and a basic process control system or scada system is compromised and disabled through cyber a cyber malware incident then of course we've got another potential major problem there are independencies between these and these are indicated by the little house symbols if you like between the circles so we have the standards themselves 1508 and 62443 for the equipment the certification side would be cfse or cac for safety and cyber and alarm management and then we would have the 62682 for the alarm side also covered under isa 18 2 you have 15 11 for the consequences of failure on demand for the safety instrumented system 62443 would cover the consequences of compromise from the cyber security and of course these interceding points is where we can use policies and procedures and tools to help us so taking a systematic approach towards it using a performance-based life cycle approach will yield benefits in the longer term yes short term it may cost a bit more because we have to we have to spend more on the equipment and on training and on these other things but in the longer term it will save us money so from a practical point of view successful implementation obviously requires a thoughtful approach you've got to think of it carefully just complying with a a standard doesn't necessarily mean we're going to reach a goal so we need to understand the structure tailor the processes to meet the needs of the sites and the capabilities required so this requires us to understand what is the competency of the people we have what equipment do we have in place what do we need to have in place and what are the metrics that we have to have in place to be able to measure some of you been on my webinars before and and heard me teach and i'm always going on about this point you've got to have the right culture otherwise it's going to be very difficult for the people that are trying to implement this because it'll be like pushing on a rope with management pushing back every time you need to spend money and do things to ensure that we're meeting the requirements having an open and learning culture is very important because the whole point of this is that we want to learn from the the operational side of things so if we are getting a large number of incidents or equipment failures we need to understand why we need to take steps to fix that if we see that operational processes are being short cut or procedures are not being followed properly then people should be able to speak up and say that without fear of any retribution which can happen so doing things right and doing the right thing should be the mantra so we make sure that the o m people are properly trained follow procedures we're doing the mechanical integrity we do inspections we do the testing correctly we use metrics to help us with this and we document everything whether we use software tools to help with the documentation or not we need to do that if it's done right as i've said it will save time and money and it is a long-term investment with some short-term gains that can be got so if you look at all three life cycles as i've said you've got the functional safety side the cyber security and the alarm management they all have the same three phases which is that you need to do some form of assessment to look at the risk identify what needs to be done design your mitigation and then put it into operation and maintain it and of course this is governed by having the right policies procedures in place and a plan to deal with it i mentioned earlier that we'd look at an incident here's an incident for around the columbia gas pipeline rupture and this is specifically around alarms because what happened here was that the the again because of the fact that corrosion had reduced the thickness to 0.078 inches it caused the the rupture and the explosion there was a delay in turning off the gas so the gas was feeding this for almost an hour and of course the impact on this was homes that were lost to fire there was damage to a highway the pipeline repairs were about 2.9 million updating the inline inspection system cost around five and a half million and of course the the loss of the gas itself was about 285 000. so this was a significant incident there was no automatic shutoff valves or remote control valves they had not been installed the alarm screen itself had been divided into three sections for alarms alerts and communication outages and there were numerous pressure deviations alerts being generated the delta the delta pressure was about plus or minus 10 psig and the problem was that the controller didn't recognize what it indicated he couldn't figure it out so why didn't he take the right action well first and foremost there was incorrect diagnosis he didn't realize that the rapture had taken place until after being called by another controller there was no documentation or training on the expected response to alerts there was a lack of situation awareness as well the alerts weren't configured to provide specific meaning and of course time scale for response the alert display showed the value of the change the delta p but didn't indicate whether it was increasing or decreasing nor the actual value of the pressure so what is the difference then in this cognitive load on the operator so to reduce the frequency of nuisance alarms what they did was they defined the scada system with alarms and alerts and only the alarms were counted in the kpis so for example two per hour now if they're outside of safety related parameters but the alerts were 95 per hour outside of operator defined controlling parameters so again per the 18-2 standard you should have no more than six to twelve alarms per hour this is considered manageable in other words no more than than really one or two well one alarm every 10 minutes for example so these alarms were seemingly recategorized as alerts simply to meet performance requirements so there was a a playing if you like with how the alarms were defined which caused the problems because they weren't properly defined and they because they were nuisance alarms they were just recategorized as alerts without really looking at why are we getting there so clearly we need to be able to measure performance if we're going to take this approach which to me seems to be a sensible approach to take by implementing performance-based standards that are not prescriptive defining what the the risk is assessing that risk implementing the correct mitigation steps to reduce that risk to tolerable levels so we need to be able to measure the performance of these when applied to either the safety instrument system the bpcs and any scada applications so we've got to have these metrics in place and we could use leading and lagging indicators of course but there are other metrics that can be used the point is we should be measuring so this means we should be following this life cycle approach in my my estimation i believe that if we do this we can we could help reduce pipeline incidents by taking a more performance-based risk-based holistic approach to understand what the hazardous risks are and the associated consequences and then what we can do to mitigate that in a cost-effective manner that meets the company's requirements and also provides a safe operating environment we know cyber security is a real threat to infrastructure it can't be ignored and of course now it's not going to be ignored it's going to be pushed from the federal point of view so cyber security coupled with proper alarm management and functional safety processes procedures will definitely help us improve our performance and if we have the learning environment where we can utilize the results from the metrics we can help improve how we manage risk and maintain it throughout the lifetime of the systems pipeline equipment failures therefore could can be managed and reduced by following safety life cycles as defined within 15 11. so again where we need to identify safety critical applications then we should be considering the use of a safely instrumented system and the iec 61511 approach and i know a lot of the midstream guys say well that's just process and that doesn't apply to us but it could be applied and it could be applied intelligently and it could reap benefits if it's done properly because proper mechanical inspection maintenance and monitoring systems can help with reducing the impact of leaks mechanical inspection is you know visual inspections looking for signs of corrosion yes you can have the the pipeline monitoring systems but again those should be maintained and we should make sure that that we're applying it correctly understanding these interdependencies between the three helps us make sure or will help us to ensure overall pipeline safety and risks are managed and maintained within those acceptable levels and nurturing the right culture is very very important it's vital to the successful implementation of any of this having right matrix as we've said to be able to measure and assess performance is also very important and how often we choose to do that is important too if we're having quite a few incidents then we should be doing this more often than if we're not and then making sure that our employees are properly assessed that we have a competency assessment program and a training program in place to keep them up to speed we should be recording all the maintenance activities accurately and faithfully and we can then use this information during the hazard and risk assessment revalidation because clearly statistics are showing that there is not enough being done to prevent pipeline incidents even though there are all these api standards it's still not enough okay so that's the end i see that there are some questions popping up let me see what all right so do you have any experience with pipelines where flowing blend of natural gas and hydrogen if yes which additional requirements should be taken well as i've said throughout i think again if you're going to do this properly then it should be following a a performance-based standard so you should do a risk analysis you should look at what are the risks associated with this and again rank the consequences and the likelihoods and look at the worst case the most severe consequence and likelihoods and address those first so i would suggest that's the approach that should be taken because as i said the api does talk about managing risk but really and truthfully if you want to do this properly my suggestion would be to follow the 1511 standard to do this because it's a methodical life cycle based approach where we properly assess the hazards and the risks associated with that the consequences the current layers of protection we have in place and what we need to do further to address that to mitigate the risk to within acceptable levels so of course this means that the the company has to have some form of defined overall risk tolerance any other questions okay have you come across cic ci2 and h2 pipeline incidents me personally no but again if you want to you can go to the femsa website this is the the pipeline and hazardous materials safety you can have a look at that website the femsa website is a good source they they've done a very good job of listing particular incidents against particular applications and they don't they don't just look at the pipelines they look at rail they look at air they look at road they're looking at all of these potential incidents so i i would point you there to go and have a look any other questions okay well again if you do have questions that you think of afterwards feel free to to drop us a line you've got my email address um again follow us on the usual social media we're always looking to get feedback and you can email me at skandy at exeter.com if you have any further questions that you think about it looks like somebody does can you share some information on what happened to the colonial pipeline what type of attacks well it was a ransomware attack um there aren't that at least i've not seen too many further details on that i'm sure that eventually it will come out and this is part the problem is when when companies get compromised they don't necessarily want to share that they don't necessarily want to wash their dirty laundry in public and to a certain degree i i don't blame them but the thing is unless we know how these incidents occur when it comes to cyber security and how people are compromised how does ransomware get in there how did they exploit a weakness and one of the things that we talk about when we we do the cyber security training is to highlight the fact that of the incidents that occur most of the time about 80 of the time it's because of what we call the stumbling fumbling and bumbling if you like it's the basic awareness cyber hygiene because people don't think about certain things you know social media people you've only got to go any anywhere these days and and people are on their phones they're they're texting they're doing social media they're posting whatever they're doing so there's an awful lot that goes on through social media and a lot of these hacks can come through social media they can embed ransomware or they can embed malware they can target certain companies that way and if the employees are not up to up to speed on this the same thing with phishing emails you know i've i had a couple myself this week where it looked like microsoft was sending me a no all through my office 365 it was sending me a note to say oh i needed to update my password and i needed to click this link to do that and i i thought why would i need to do that and so when you look carefully at the email address you can see it's not coming from where you expect it to come so of course delete it immediately don't don't click on any links because otherwise this is how people inadvertently get and of course from a company point of view if you don't have the proper procedures or the training in place to alert employees about things they should and shouldn't do for example if they're if they need to change their or to charge their phone they they plug it into their laptop to charge it that's not a good move either because again if there's any any malware that's been managed to get in the phone through social media for example then it can easily be transferred into the to the laptop or the machine that you're using and once it's in there it could start to to infiltrate depending upon how good your firewalls are and and everything else so a lot of the times it's through awareness making sure employees are properly trained and aware of the do's and the don'ts if you do that you can probably protect yourself quite well initially and then of course you need to look at the the infrastructure of the network and when i talk about the network i'm talking about the industrial controls network or the process control network is sometimes called the pcn okay i think that's it i don't see any more questions i thank you all for attending and i hope you will attend future presentations with that i shall bid you farewell and enjoy the rest of your day or evening or wherever you are in the world thanks