OT: Traffic Light Control (was Re: First real-world SCADA attack in US)

Brett Frankenberger rbf+nanog at panix.com
Tue Nov 22 19:13:04 UTC 2011


On Tue, Nov 22, 2011 at 11:16:54AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Owen DeLong" <owen at delong.com>
> 
> > As in all cases, additional flexibility results in additional
> > ability to make mistakes. Simple mechanical lockouts do not scale
> > to the modern world.  The benefits of these additional capabilities
> > far outweigh the perceived risks of programming errors.

Relay logic has the potential for programming (i.e. wiring) errors
also.

It's not fair to compare "conflict monitor" to "properly programmed
relay logic".  We either have to include the risk of programming
failures (which means "improper wiring" in the case of relay logic) in
both cases, or exclude programming failures in both cases.

> The perceived risk in this case is "multiple high-speed traffic fatalities".

Some of the benefits of the newer systems are safety related also.
 
> I believe we rank that pretty high; it's entirely possible that a traffic
> light controller is the most potentially dangerous artifact (in terms of 
> number of possible deaths) that the average citizen interacts with on a 
> daily basis.

Some other things to consider.

Relays are more likely to fail.  Yes, the relay architecture was
carefully designed such that the most failures would not result in
conflicting greens, but that's not the only risk.  When the traffic
signal is failing, even if it's failing with dark or red in every
direction, the intersection becomes more dangerous.  Not as dangerous
as conflicting greens, but more dangerous than a properly operating
intersection.  If we can eliminate 1000 failures without conflicting
greens, at the cost of one failure with a conflicting green, it might
be a net win in terms of safety.

Modern intersections are often considerably more complicated than a two
phase "allow N/S, then allow E/W, then repeat" system.  Wiring relays
to completely avoid conflict in that case is very complex, and,
therefore, more error prone.  Even if a properly configured relay
solution is more reliable than a properly configured solid-state
conflict-monitor solution, if the relay solution is more likely to be
misconfigured, then there's not necessarily a net win.

Cost is an object.  If implementing a solid state controller is less
expensive (on CapEx and OpEx basis) than a relay-based controller, then
it might be possible to implement traffic signals at four previously
uncontrolled intersections, instead of just three.  That's a pretty big
safety win.

And, yes, convenience is also an objective.  Most people wouldn't want
to live in a city where the throughput benefit of modern traffic
signalling weren't available, even if they have to accept a very, very
small increase in risk.
  
     -- Brett
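The conflict monitor that Brett contrasts with relay wiring, modelled as an added Python example (this is not code from the thread or from any real controller; the movement names, the compatibility table and the two "controller programs" are constructed for illustration). The point it shows is the one made in the message: the monitor is an independent check on the controller's outputs, so a programming error in the phase table is caught at run time and forced to flash, and the same compatibility table can also be used to validate a program before it is deployed, which is the analogue of inspecting relay wiring.

```python
"""Toy conflict monitor for a signalised intersection.

Added illustration, not code from the NANOG thread. A controller program
sequences phases; an independent monitor checks which movements are green
at the same time against a permissive (compatibility) table and forces
all-red flash, latched until reset, if two conflicting movements are ever
green together. Movement names and the table are constructed examples.
"""
from itertools import combinations

# Constructed example: four through movements plus two protected left turns.
# Each entry is a pair of movements that may safely be green at the same time.
# Anything not listed here is treated as a conflict.
COMPATIBLE = {
    frozenset({"NB_THRU", "SB_THRU"}),
    frozenset({"EB_THRU", "WB_THRU"}),
    frozenset({"NB_THRU", "NB_LEFT"}),   # leading left alongside its own through
    frozenset({"SB_THRU", "SB_LEFT"}),
    frozenset({"NB_LEFT", "SB_LEFT"}),   # opposing protected lefts
}


def conflicting_pairs(greens):
    """Return every pair of simultaneously green movements that is not permitted.

    Result is sorted so callers get a deterministic list regardless of set order.
    """
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(greens, 2)
        if frozenset(pair) not in COMPATIBLE
    )


class ConflictMonitor:
    """Independent check on the controller's outputs.

    Once tripped it stays in FLASH until reset(), mirroring the way a real
    monitor latches rather than trusting the controller to recover on its own.
    """

    def __init__(self):
        self.tripped = None   # conflicting pairs that caused the trip, or None

    def check(self, greens):
        """Inspect one output state; return "RUN" or "FLASH"."""
        if self.tripped is not None:
            return "FLASH"
        conflicts = conflicting_pairs(greens)
        if conflicts:
            self.tripped = conflicts
            return "FLASH"
        return "RUN"

    def reset(self):
        self.tripped = None


# Controller "programs": an ordered list of phases, each the set of movements
# held green during that phase. Constructed examples.
GOOD_PROGRAM = [
    {"NB_LEFT", "SB_LEFT"},
    {"NB_THRU", "SB_THRU"},
    {"EB_THRU", "WB_THRU"},
]

# Same program with a single programming error in the first phase:
# SB_THRU typed where SB_LEFT was intended, so a northbound left turn
# would run against southbound through traffic.
BAD_PROGRAM = [
    {"NB_LEFT", "SB_THRU"},
    {"NB_THRU", "SB_THRU"},
    {"EB_THRU", "WB_THRU"},
]


def validate_program(program):
    """Offline check of a program against the table, before deployment.

    Returns a list of (phase_index, conflicting_pairs) for every bad phase.
    """
    return [
        (i, conflicting_pairs(phase))
        for i, phase in enumerate(program)
        if conflicting_pairs(phase)
    ]


def run_cycle(program, monitor=None):
    """Step a monitor through one cycle; return its verdict after each phase."""
    monitor = monitor or ConflictMonitor()
    return [monitor.check(phase) for phase in program]


if __name__ == "__main__":
    print("good program, offline check:", validate_program(GOOD_PROGRAM))
    print("good program, monitor:      ", run_cycle(GOOD_PROGRAM))
    print("bad program, offline check: ", validate_program(BAD_PROGRAM))
    print("bad program, monitor:       ", run_cycle(BAD_PROGRAM))
```

Note that the monitor only knows the compatibility table, not the controller's phase sequence, so a mistake in the program is caught by a component that does not share the mistake; with relay logic the wiring is both the sequence and the interlock, so the same error in one place defeats both.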
