Sensor-y Overload: Cyber Risk and the Merrimack Valley Gas Explosions

Let’s be clear: the natural gas explosions that rocked the Merrimack Valley north of Boston in September weren’t the result of a cyber attack. Unfortunately, well-known vulnerabilities affecting the security of remote sensors and industrial control system software mean they easily could have been. (Note: this article first appeared on RSA.com’s web site. You can read it in its entirety there.)

On the afternoon of September 13, just after 4 PM, 9-1-1 emergency response lines lit up in three communities north of Boston. Seemingly out of nowhere, residents in the towns of Lawrence, Andover and North Andover reported a strong gas odor, homes on fire and even strong explosions in their homes and neighborhoods.

In a matter of minutes, chaos erupted as dozens of structures burst into flames over a 2-square-mile area, overwhelming the local fire response. In all, 131 structures were damaged by gas leaks and fires. Five homes were destroyed in natural gas explosions and 28 people were hospitalized. One man died when a chimney from a burning building collapsed on the parked car he was sitting in.

Gas explosions rocked Lawrence, Massachusetts in September, 2018.

Cyberattack? Thankfully, no. A preliminary analysis by the National Transportation Safety Board, released in October, pointed to human error by a work crew hired by Columbia Gas – the local provider. Specifically, a crew replacing a cast iron natural gas distribution main in South Lawrence disconnected a pressure sensor designed to monitor gas pressure in the distribution main, but forgot to disable the sensor first. The disconnected sensor, monitoring gas pressure in a disconnected section of gas main, prompted system regulators to open, pushing high-pressure gas into a low-pressure distribution system that served the affected neighborhoods. The result was a deadly conflagration that has left scores of residents homeless for months.

I bring up the Lawrence gas explosions of 2018 not because they are examples of a cyber-physical attack, but because they easily could have been. Increasingly, critical infrastructure like the Columbia Gas network is monitored and controlled by wireless, digital sensors, regulators, actuators and other devices. These interface with industrial control system (ICS) software, often using proprietary or ICS-specific protocols, and regulate discrete parts of vast networks. Throughout the U.S., wireless sensors today provide real-time data to SCADA and ICS systems on variables like temperature, pressure, flow, vibrations and more.
