[146821] in North American Network Operators' Group
Re: First real-world SCADA attack in US
daemon@ATHENA.MIT.EDU (Matthew Kaufman)
Tue Nov 22 18:00:47 2011
Date: Tue, 22 Nov 2011 14:59:43 -0800
From: Matthew Kaufman <matthew@matthew.at>
To: Brett Frankenberger <rbf+nanog@panix.com>
In-Reply-To: <20111122135956.GA21368@panix.com>
Cc: NANOG <nanog@nanog.org>
Reply-To: matthew@matthew.at
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 11/22/2011 5:59 AM, Brett Frankenberger wrote:
> The typical implementation in a modern controller is to have a
> separate conflict monitor unit that will detect when conflicting
> greens (for example) are displayed, and trigger a (also separate)
> flasher unit that will cause the signal to display a flashing red in
> all directions (sometimes flashing yellow for one higher volume
> route). So the controller would output conflicting greens if it failed
> or was misprogrammed, but the conflict monitor would detect that and
> restore the signal to a safe (albeit flashing, rather than normal
> operation) state. -- Brett
Indeed. All solid-state controllers, microprocessor or not, are required
to have a completely independent conflict monitor that watches the
actual HV outputs to the lamps and, in the event of a fault, uses
electromechanical relays to disconnect the controller and connect the
reds to a separate flasher circuit.
The people building these things and writing the requirements do
understand the consequences of failure.
Matthew Kaufman
