First real-world SCADA attack in US

Jussi Peltola pelzi at pelzi.net
Tue Nov 22 05:11:43 UTC 2011


On Mon, Nov 21, 2011 at 11:16:14PM -0500, Jay Ashworth wrote:
> That implies to me that it is *physically* possible to get opposing greens
> (which we refer to, in technical terms as "traffic fatalities") out of the
> controller box... in exactly the same way that it didn't used to be.
Not necessarily. Microwave ovens have an interlock system that has 3
sequentially timed microswitches. The first two cut power to the oven,
and the third one shorts out the power supply in case the previous two
failed, blowing a fuse. The switches are operated by 2 "fingers" placed
on the door so that if the door is bent enough to not seal properly, the
switches will be activated in the wrong order causing the shorting
switch to operate. This can also happen if you slam the door closed too
hard.

This is all nice in theory; in practice, the microswitches are so flimsy
nowadays that I'd not be too surprised if the shorting switch did not
succeed in blowing a fuse, and the other two will easily weld together
even in normal use (I have seen this happen. Swap the switches and fuse
and the oven works again.)

The traffic lights can also have some kind of fault-detection logic that
sees they are in an illegal state and latches them into a fault mode.

IMHO this is stupid extra complexity when relays are obviously 100%
correct and reliable for this function, but it seems to be all the rage
nowadays to use some kind of "proven correct" software system for safety
critical logic. It is so much sexier than mechanical or
electro-mechanical interlocks.

Anybody who has seen what kind of bizarre malfunctions failed
electrolytics cause in consumer electronics will probably not feel very
comfortable trusting traffic lights whose safety relies on software that
is proven correct. OTOH, the risk is astronomically small compared to
someone just running the red lights.

Jussi Peltola
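The fault-detection logic the post mentions (an independent monitor that watches the controller's outputs, refuses an illegal state such as opposing greens, and latches into a fault mode until someone resets it) can be sketched as a small model. The code below is an added illustration and is not from the NANOG thread, from any real signal controller or from a standard; the four approach names, the compatibility table, the tick-based clearance interval and the sample sequences are all constructed assumptions. The point it shows is the defensive one: the monitor sits outside the controller software, so a bug in that software changes the outputs it sees but not the checks it applies, and a latched fault stays latched even if the next sample looks fine.

```python
"""Toy conflict monitor for a four-approach intersection (constructed example).

Not code from the mailing-list thread or any real controller. Approach names,
conflict table, clearance timing and sample data are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Set

# Constructed intersection: N/S face each other and may be green together,
# as may E/W; any N/S-with-E/W combination is an opposing green.
APPROACHES = ("N", "S", "E", "W")
COMPATIBLE = {frozenset({"N", "S"}), frozenset({"E", "W"})}


def conflicts(a: str, b: str) -> bool:
    """True if approaches a and b must never be green at the same time."""
    return a != b and frozenset({a, b}) not in COMPATIBLE


@dataclass
class ConflictMonitor:
    # Ticks with no green that must separate two conflicting greens (assumed
    # value; a real monitor would measure yellow/all-red clearance in time).
    min_clearance: int = 2
    faulted: bool = False
    fault_reason: Optional[str] = None
    last_green: Dict[str, int] = field(default_factory=dict)  # approach -> tick
    tick: int = 0

    def _trip(self, reason: str) -> bool:
        # Latch: once tripped, every later sample is rejected until reset().
        self.faulted = True
        self.fault_reason = reason
        return False

    def observe(self, greens: Set[str]) -> bool:
        """Check one sample of the controller's green outputs.

        Returns True if the outputs may be passed through to the lamps, False
        if the monitor has latched into fault mode (caller switches to a safe
        fallback such as all-red or flashing).
        """
        self.tick += 1
        if self.faulted:
            return False
        unknown = greens - set(APPROACHES)
        if unknown:
            return self._trip(f"unknown output {sorted(unknown)}")
        # Rule 1: no two conflicting approaches green in the same sample.
        for a, b in combinations(sorted(greens), 2):
            if conflicts(a, b):
                return self._trip(f"simultaneous green {a}/{b}")
        # Rule 2: a green must not follow a conflicting green too soon.
        for g in greens:
            for other, t in self.last_green.items():
                if conflicts(g, other) and self.tick - t <= self.min_clearance:
                    return self._trip(
                        f"{g} green {self.tick - t} tick(s) after conflicting {other}"
                    )
        for g in greens:
            self.last_green[g] = self.tick
        return True

    def reset(self) -> None:
        """Manual reset, the only way out of the latched fault state."""
        self.faulted = False
        self.fault_reason = None
        self.last_green.clear()


def run(monitor: ConflictMonitor, samples: List[Set[str]]) -> List[bool]:
    """Feed a sequence of output samples; one pass/fail result per sample."""
    return [monitor.observe(s) for s in samples]


if __name__ == "__main__":
    # Constructed sequence: normal cycle, then a software glitch that drives
    # N and E green together; the monitor latches and stays latched.
    m = ConflictMonitor()
    seq = [{"N", "S"}, set(), set(), set(), {"E", "W"}, {"N", "E"}, {"N", "S"}]
    for sample, ok in zip(seq, run(m, seq)):
        print(sorted(sample), "PASS" if ok else f"FAULT ({m.fault_reason})")
```

The monitor never decides what the lights should do; it only vetoes. That separation is what makes it a useful backstop for a "proven correct" controller: its rule set is a handful of lines that can be reviewed or implemented in hardware, independent of the controller's complexity.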
