First real-world SCADA attack in US

Brett Frankenberger rbf+nanog at panix.com
Tue Nov 22 15:30:30 UTC 2011


On Tue, Nov 22, 2011 at 10:16:56AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Brett Frankenberger" <rbf+nanog at panix.com>
> 
> > The typical implementation in a modern controller is to have a separate
> > conflict monitor unit that will detect when conflicting greens (for
> > example) are displayed, and trigger a (also separate) flasher unit that
> > will cause the signal to display a flashing red in all directions
> > (sometimes flashing yellow for one higher volume route).
> > 
> > So the controller would output conflicting greens if it failed or was
> > misprogrammed, but the conflict monitor would detect that and restore
> > the signal to a safe (albeit flashing, rather than normal operation)
> > state.
> 
> "... assuming the *conflict monitor* hasn't itself failed."
> 
> There, FTFY.
> 
> Moron designers.

Yes, but then you're two failures deep -- you need a controller
failure, in a manner that creates an unsafe condition, followed by a
failure of the conflict monitor.  Lots of systems are vulnerable to
multiple failure conditions.

Relays can have interesting failure modes also.  You can only protect
for so many failures deep.

     -- Brett
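To make the "two failures deep" argument concrete, here is an added example (not code from the thread or from any real signal controller) that simulates the arrangement Brett describes: a controller drives the signal heads, a separate conflict monitor watches the outputs for greens that are not allowed together, and on detection the intersection is handed to a flasher. The intersection layout, the phase table, and the fault names are constructed for illustration.

```python
"""Toy model of a signal controller plus an independent conflict monitor.

A controller fault alone is caught by the monitor and the intersection
falls back to all-red flash; only a controller fault combined with a
monitor fault leaves an unsafe display on the street.
"""
from itertools import combinations

# Constructed four-approach intersection. Only the approach pairs listed
# in PERMISSIVE may show green at the same time; any other pair conflicts.
APPROACHES = ("north", "south", "east", "west")
PERMISSIVE = {frozenset(("north", "south")), frozenset(("east", "west"))}
PHASES = {"ns": ("north", "south"), "ew": ("east", "west")}


def has_conflict(display):
    """True if any two greens that are not a permissive pair are lit at once."""
    greens = [a for a, colour in display.items() if colour == "green"]
    return any(frozenset(pair) not in PERMISSIVE
               for pair in combinations(greens, 2))


def controller_outputs(phase, fault=None):
    """What the controller drives for a phase.

    fault="stuck_green_east" models a failed or misprogrammed controller
    that drives the east head green regardless of phase (constructed fault).
    """
    display = {a: "red" for a in APPROACHES}
    for approach in PHASES[phase]:
        display[approach] = "green"
    if fault == "stuck_green_east":
        display["east"] = "green"
    return display


def conflict_monitor_trips(display, healthy=True):
    """Independent check of the controller outputs.

    Returns True when the monitor detects a conflict and should hand the
    intersection to the flasher. healthy=False models the second failure
    in the thread: the monitor itself has failed and never trips.
    """
    if not healthy:
        return False
    return has_conflict(display)


def flasher():
    """Separate flasher unit: flashing red in all directions."""
    return {a: "flashing red" for a in APPROACHES}


def intersection_display(phase, controller_fault=None, monitor_healthy=True):
    """Resolve what the street actually sees for a given fault combination."""
    outputs = controller_outputs(phase, controller_fault)
    if conflict_monitor_trips(outputs, monitor_healthy):
        return flasher()
    return outputs


def is_unsafe(display):
    """Unsafe means conflicting greens reached the signal heads."""
    return has_conflict(display)


if __name__ == "__main__":
    scenarios = [
        ("normal operation", {}),
        ("controller fault only", {"controller_fault": "stuck_green_east"}),
        ("controller fault + monitor fault",
         {"controller_fault": "stuck_green_east", "monitor_healthy": False}),
    ]
    for name, kwargs in scenarios:
        shown = intersection_display("ns", **kwargs)
        print(f"{name:35} unsafe={is_unsafe(shown)} display={shown}")
```

Running it shows the normal case and the single-fault case both end in a safe display (the latter as all-red flash), while the double-fault case is the only one where conflicting greens reach the heads. That is the property a safety interlock should be checked against: the protection must be a separate unit that fails independently of the thing it guards, and its own health needs monitoring, since a silently failed monitor reduces the design to a single point of failure.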