The Columbia Gas natural gas pipeline ruptures were process sensor-related and there is still little understanding

Oct. 14, 2018
The September 13, 2018 Columbia Gas Low-pressure Natural Gas Distribution System pipeline explosions killed one-person, injured 28, and damaged 131 structures. This was not a malicious control system cyber event (though it could have been) but a tragic comedy of errors, lack of appropriate process sensor monitoring, lack of SCADA control, and lack of understanding of similar events that have already occurred.

The preliminary National Transportation Safety Board (NTSB) report on the Pipeline Over-pressure of a Columbia Gas of Massachusetts Low-pressure Natural Gas Distribution System Merrimack Valley, Massachusetts September 13, 2018 was issued October 13, 2018. The explosions killed one-person, injured 28, and damaged 131 structures. This was not a malicious control system cyber event (though it could have been especially with the on-going labor unrest) but a tragic comedy of errors, lack of appropriate process sensor monitoring, lack of SCADA control, and lack of understanding of similar events that have already occurred.

Prior to the over-pressure event, a Columbia Gas-contracted work crew, which included a Columbia Gas inspector, was performing a Columbia Gas-designed and approved pipe-replacement project at a nearby intersection in South Lawrence. The contracted crew was working on a tie-in project of a new plastic distribution main and the abandonment of a cast-iron distribution main. The distribution main that was abandoned still had the regulator sensing lines that were used to detect pressure in the distribution system and provide input to the regulators to control the system pressure. Once the contractor crews disconnected the distribution main that was going to be abandoned, the section containing the sensing lines began losing pressure (similar to the 2005 Taum Salk dam failure with erroneous level readings).  As the pressure in the abandoned distribution main dropped, the regulators responded by opening further, increasing pressure in the distribution system. Since the regulators no longer sensed system pressure they fully opened allowing the full flow of high-pressure gas to be released into the distribution system supplying the neighborhood, exceeding the maximum allowable pressure (similar to the 2010 Pacific Gas & Electric San Bruno natural gas pipeline rupture). The work package did not account for the location of the sensing lines or require their relocation to ensure the regulators were sensing actual system pressure (again, similar to the 2010 San Bruno natural gas pipeline rupture). The monitoring center had no control capability to close or open valves; its only capability was to monitor pressures on the distribution system and advise field technicians accordingly (similar to the 1999 Olympic Pipeline Company gasoline pipeline rupture).

This event was not a network monitoring problem, but an engineering and “people” problem. Existing sensor monitoring would not have detected the sensor issues as they were not sensor failures but process anomalies. There is little technical guidance to prevent issues like this from recurring. Consequently, October 26th, I will be presenting at the ISA Process Measurement and Control Division conference in Montreal to process sensor vendors and end-users. October 23rd, I will be giving the keynote at EnergyTech in Cleveland on the need for engineering participation in control system cyber security. October 31st, I will be presenting at the ISA Safety and Security Symposium on the need to address sensors for security and safety.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.