[146771] in North American Network Operators' Group
Re: First real-world SCADA attack in US
daemon@ATHENA.MIT.EDU (Brett Frankenberger)
Tue Nov 22 10:31:46 2011
Date: Tue, 22 Nov 2011 09:30:30 -0600
From: Brett Frankenberger <rbf+nanog@panix.com>
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: <20364217.3717.1321975016306.JavaMail.root@benjamin.baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Nov 22, 2011 at 10:16:56AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Brett Frankenberger" <rbf+nanog@panix.com>
>
> > The typical implementation in a modern controller is to have a separate
> > conflict monitor unit that will detect when conflicting greens (for
> > example) are displayed, and trigger a (also separate) flasher unit that
> > will cause the signal to display a flashing red in all directions
> > (sometimes flashing yellow for one higher volume route).
> >
> > So the controller would output conflicting greens if it failed or was
> > misprogrammed, but the conflict monitor would detect that and restore
> > the signal to a safe (albeit flashing, rather than normal operation)
> > state.
>
> "... assuming the *conflict monitor* hasn't itself failed."
>
> There, FTFY.
>
> Moron designers.
Yes, but then you're two failures deep -- you need a controller
failure, in a manner that creates an unsafe condition, followed by a
failure of the conflict monitor. Lots of systems are vulnerable to
multiple failure conditions.
Relays can have interesting failure modes also. You can only protect
for so many failures deep.
-- Brett
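As an added illustration of the architecture Brett describes (not code from the thread or from any real signal controller), the Python model below separates the controller's commanded outputs from an independent conflict monitor that drives an all-red flash when two conflicting approaches both show a go indication. The latching-until-reset behaviour, the four-approach layout and the `healthy` flag that models a failed monitor are all constructed assumptions; the last case shows the "two failures deep" point, where a conflicting output only reaches the street if the monitor has also failed.

```python
from typing import Dict, FrozenSet, Set

# Constructed model: a four-approach intersection (N, S, E, W).
Approach = str
Display = Dict[Approach, str]

# Movements that must never show a go indication at the same time.
# N/S conflict with E/W; N with S (and E with W) are compatible.
CONFLICTING_PAIRS: Set[FrozenSet[Approach]] = {
    frozenset(p) for p in (("N", "E"), ("N", "W"), ("S", "E"), ("S", "W"))
}

GO_INDICATIONS = {"GREEN", "YELLOW"}
FLASH_ALL_RED: Display = {a: "FLASH_RED" for a in ("N", "S", "E", "W")}


def conflicts(display: Display) -> Set[FrozenSet[Approach]]:
    """Return every conflicting pair of approaches that are both showing go."""
    go = {a for a, s in display.items() if s in GO_INDICATIONS}
    return {pair for pair in CONFLICTING_PAIRS if pair <= go}


class ConflictMonitor:
    """Independent unit sitting between the controller and the signal heads.

    It watches the controller's commanded outputs and, on a conflict, drives
    the flasher (all-red flash) instead. It latches until reset (an assumed
    behaviour for this model). healthy=False models the monitor itself having
    failed, in which case it passes the controller outputs straight through.
    """

    def __init__(self, healthy: bool = True) -> None:
        self.healthy = healthy
        self.tripped = False

    def check(self, commanded: Display) -> Display:
        if not self.healthy:
            # Failed monitor: no protection, whatever the controller drives is shown.
            return dict(commanded)
        if conflicts(commanded):
            self.tripped = True
        return dict(FLASH_ALL_RED) if self.tripped else dict(commanded)

    def reset(self) -> None:
        self.tripped = False


def field_display(commanded: Display, monitor: ConflictMonitor) -> Display:
    """What the signal heads actually show: controller output filtered by the monitor."""
    return monitor.check(commanded)


# Constructed controller outputs: one normal phase, one misprogrammed phase.
NORMAL_PHASE: Display = {"N": "GREEN", "S": "GREEN", "E": "RED", "W": "RED"}
MISPROGRAMMED: Display = {"N": "GREEN", "S": "RED", "E": "GREEN", "W": "RED"}


if __name__ == "__main__":
    mon = ConflictMonitor()
    print(field_display(NORMAL_PHASE, mon))    # passes through unchanged
    print(field_display(MISPROGRAMMED, mon))   # monitor trips: all approaches flash red
    broken = ConflictMonitor(healthy=False)
    print(field_display(MISPROGRAMMED, broken))  # second failure: conflicting greens reach the street
```

The monitor deliberately has no knowledge of the controller's timing plan; it only needs the static table of conflicting movements, which is what keeps it independent of the controller's programming and firmware.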