Let’s be clear: the natural gas explosions that rocked the Merrimack Valley north of Boston in September weren’t the result of a cyber attack. Unfortunately: well known vulnerabilities affecting the security of remote sensors and industrial control system software mean they easily could have been. (Note: this article first appeared on RSA.com’s web site. You can read it in its entirety there.)
On the afternoon of September 13, just after 4 PM, 9-1-1 emergency response lines lit up in three communities north of Boston. Seemingly out of nowhere, residents in the towns of Lawrence, Andover and North Andover reported a strong gas odor, homes on fire and even strong explosions in their homes and neighborhoods.
In a matter of minutes, chaos erupted as dozens of structures burst into flames over a 2 square mile area, overwhelming the local fire response. In all, 131 structures were damaged by gas leaks and fires. Five homes were destroyed in natural gas explosions and 28 people were hospitalized. One man died, when a chimney from a burning building collapsed on the parked car he was sitting in.
I bring up the Lawrence gas explosions of 2018 not because they are examples of a cyber-physical attack, but because they easily could have been. Increasingly, critical infrastructure like the Columbia Gas network is monitored and controlled by wireless, digital sensors, regulators, actuators and other devices. These interface with industrial control system (ICS) software using (often) proprietary or ICS-specific protocols and regulate discrete parts of vast networks. Throughout the U.S., wireless sensors today provide real-time data to SCADA and ICS systems on variables like temperature, pressure, flow, vibrations and more.