[146831] in North American Network Operators' Group
Re: First real-world SCADA attack in US
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Tue Nov 22 21:52:50 2011
In-Reply-To: <20111122232337.GA26405@panix.com>
Date: Tue, 22 Nov 2011 20:51:46 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Brett Frankenberger <rbf+nanog@panix.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Nov 22, 2011 at 5:23 PM, Brett Frankenberger
<rbf+nanog@panix.com> wrote:
> On Tue, Nov 22, 2011 at 06:14:54PM -0500, Jay Ashworth wrote:
> in a manner that removes voltage from the relays). It doesn't protect
> against the case of conflicting output from the controller which the
> conflict monitor fails to detect. (Which is one of the cases you
> seemed to be concerned about before.)
Reliable systems have triple redundancy.
And indeed... hardwired safety is a lot better than relying on software.
But it's not like transistors/capacitors don't fail either, so
whether solid state or not, a measure of added protection is in order
beyond a single monitor.
There should be a "conflict monitor test path" that involves a third circuit intentionally creating a safe "test" conflict at pre-defined sub-millisecond intervals, by generating a conflict in a manner the monitor is supposed to detect but that won't actually produce current through the light, and checking for absence of a test signal on green; if the test fails, the test circuit should intentionally blow a pair of fuses, breaking the test circuit's connections to the controller and conflict monitor.

In addition, the 'test circuit' should generate a pair of clock signals of its own, as a side effect that is only possible with correct test outcomes, and these will be verified by both the conflict monitor and the controller; if the correct clock indicating successful test outcomes is not detected by either the conflict monitor or by the controller, both systems should independently force a fail, using different methods.

So you have 3 circuits, and any one circuit can detect the most severe potential failure of any pair of the other circuits.
> -- Brett
--
-JH