The preliminary National Transportation Safety Board (NTSB) report on the Pipeline Over-pressure of a Columbia Gas of Massachusetts Low-pressure Natural Gas Distribution System Merrimack Valley, Massachusetts September 13, 2018 was issued October 13, 2018. The explosions killed one-person, injured 28, and damaged 131 structures. This was not a malicious control system cyber event (though it could have been especially with the on-going labor unrest) but a tragic comedy of errors, lack of appropriate process sensor monitoring, lack of SCADA control, and lack of understanding of similar events that have already occurred.
Prior to the over-pressure event, a Columbia Gas-contracted work crew, which included a Columbia Gas inspector, was performing a Columbia Gas-designed and approved pipe-replacement project at a nearby intersection in South Lawrence. The contracted crew was working on a tie-in project of a new plastic distribution main and the abandonment of a cast-iron distribution main. The distribution main that was abandoned still had the regulator sensing lines that were used to detect pressure in the distribution system and provide input to the regulators to control the system pressure. Once the contractor crews disconnected the distribution main that was going to be abandoned, the section containing the sensing lines began losing pressure (similar to the 2005 Taum Salk dam failure with erroneous level readings). As the pressure in the abandoned distribution main dropped, the regulators responded by opening further, increasing pressure in the distribution system. Since the regulators no longer sensed system pressure they fully opened allowing the full flow of high-pressure gas to be released into the distribution system supplying the neighborhood, exceeding the maximum allowable pressure (similar to the 2010 Pacific Gas & Electric San Bruno natural gas pipeline rupture). The work package did not account for the location of the sensing lines or require their relocation to ensure the regulators were sensing actual system pressure (again, similar to the 2010 San Bruno natural gas pipeline rupture). The monitoring center had no control capability to close or open valves; its only capability was to monitor pressures on the distribution system and advise field technicians accordingly (similar to the 1999 Olympic Pipeline Company gasoline pipeline rupture).
This event was not a network monitoring problem, but an engineering and “people” problem. Existing sensor monitoring would not have detected the sensor issues as they were not sensor failures but process anomalies. There is little technical guidance to prevent issues like this from recurring. Consequently, October 26th, I will be presenting at the ISA Process Measurement and Control Division conference in Montreal to process sensor vendors and end-users. October 23rd, I will be giving the keynote at EnergyTech in Cleveland on the need for engineering participation in control system cyber security. October 31st, I will be presenting at the ISA Safety and Security Symposium on the need to address sensors for security and safety.
Joe Weiss