OT: Traffic Light Control (was Re: First real-world SCADA attack in US)

Brett Frankenberger rbf+nanog at panix.com
Tue Nov 22 20:04:23 UTC 2011


On Tue, Nov 22, 2011 at 02:26:34PM -0500, Jay Ashworth wrote:
>
> Yes, but the complexity of a computerized controller is 3-6 orders of
> magnitude higher, *and none of it is visible*
 
You can't see the electrons in the relays either.

> > Some other things to consider.
> > 
> > Relays are more likely to fail. Yes, the relay architecture was
> > carefully designed such that the most failures would not result in
> > conflicting greens, 
> 
> My understanding was that it was completely impossible.  You could 
> fail dark, but you *could not* fail crossing-green.

If properly wired, maybe.  But probably not.  I'd have to see the
architecture, but, for example, is there any risk of a power surge at
the wrong time welding the green contacts together and resulting in a
permanent green in one direction that doesn't lock the other direction
out?  (Maybe not.  But I'm confident that some failure could be
contrived with a detailed explanation of a real system.)

> >                      but that's not the only risk. When the traffic
> > signal is failing, even if it's failing with dark or red in every
> > direction, the intersection becomes more dangerous. Not as
> > dangerous as conflicting greens,
> 
> By 2 or 3 orders of magnitude, usually; the second thing they teach you
> in driver ed is "a dark traffic signal is a 4-way stop".

Of course, not everyone follows the rules.  People learn "red means
stop" well before driver ed, but sometimes they don't stop, even at a
red.

Traffic Signal Out cases are often a mess, because you have a
relatively complicated or busy intersection, and a collection of
drivers only 95% of which (for example) actually know how to handle the
case, and even many of those 95% are very tentative because they know
that not all the other drivers know the rules.  The upside is that most
of the collisions that result are low speed.

> >                         but more dangerous than a properly operating
> > intersection. If we can eliminate 1000 failures without conflicting
> > greens, at the cost of one failure with a conflicting green, it might
> > be a net win in terms of safety.
> 
> The underlying issue is trust, as it so often is.  People assume (for
> very good reason) that crossing greens is completely impossible.  The
> cost of a crossing-greens accident is *much* higher than might be
> imagined; think "new Coke".

New Coke was imposed on all coke drinkers, though.  A better analogy is
airline plane crashes.  They are exceedingly rare, but when they
happen, almost everyone knows about them.  Yet people still fly.  Even
immediately after the crash.  (And a modern airplane is orders of
magnitude more complicated than a solid state conflict monitor.)

Conflicting greens are also exceedingly rare, and it's not nationwide
or worldwide news when they occur.

If conflicting greens start occurring routinely, yeah, people are going
to lose confidence in the system.  But we could likely withstand a
couple orders of magnitude increase in the number of green-on-green
incidents without any meaningful reduction in confidence in traffic
signals.

Still, obviously, the point isn't to keep increasing the frequency of
conflicting green incidents until people start to lose confidence.  The
point is that there's no evidence of any meaningful increase in risk
with electronic controllers.

> > Modern intersections are often considerably more complicated than a
> > two phase "allow N/S, then allow E/W, then repeat" system. Wiring relays
> > to completely avoid conflict in that case is very complex, and,
> > therefore, more error prone. Even if a properly configured relay
> > solution is more reliable than a properly configured solid-state
> > conflict-monitor solution, if the relay solution is more likely to be
> > misconfigured, then there's not necessarily a net win.
> 
> Sure.  But we have no numbers on either side.

Yeah, and I looked.  There's nothing I could find.  But ... I'd be
shocked to find evidence of a statistically higher risk of conflicting
greens in electronic conflict-monitor implementations over relay-based
systems of comparable intersection complexity.

Vital electronics is a well-established industry.

We all work in a bug-of-the-week industry, where we demand more speed,
more features, and so on, and accept quite a bit of risk associated
with that.  Even the careful networks that nominally place a high value
on stability don't have a reliability comparable to a traffic signal or
an airplane.  But that doesn't mean reliable electronic systems can't
be built.  Just that you have to prioritize that over other things if
that's what you want.  And that's what the vital electronics industry
does.

     -- Brett
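An added illustration of the two ideas the thread turns on, a conflict monitor that forces a safe state when it sees greens that are not permitted together, and a configuration check that catches a misconfigured phase before deployment. This is example code written for this page, not from the post or from any real controller; the intersection, channel names, permissive pairs and signal plans are all constructed.

```python
"""Toy solid-state conflict monitor and signal-plan configuration check."""
from itertools import combinations

# Constructed intersection: through movements and protected left turns.
CHANNELS = ["N_thru", "S_thru", "E_thru", "W_thru",
            "N_left", "S_left", "E_left", "W_left"]

# Permissive pairs: the only channel pairs programmed as allowed to be green
# at the same time. Any other pair of simultaneous greens is a conflict.
PERMISSIVE = {
    frozenset({"N_thru", "S_thru"}), frozenset({"E_thru", "W_thru"}),
    frozenset({"N_left", "S_left"}), frozenset({"E_left", "W_left"}),
    frozenset({"N_thru", "N_left"}), frozenset({"S_thru", "S_left"}),
    frozenset({"E_thru", "E_left"}), frozenset({"W_thru", "W_left"}),
}


def conflicts(greens):
    """Return the set of green channel pairs that are not permitted together."""
    return {frozenset(p) for p in combinations(sorted(greens), 2)
            if frozenset(p) not in PERMISSIVE}


def monitor(greens):
    """Conflict monitor: pass the requested greens through unchanged, or drop
    the intersection to flashing red (no greens at all) on any conflict.
    Failing dark/red is the safe state; crossing greens never leave here."""
    if conflicts(greens):
        return ("FLASH_RED", frozenset())
    return ("RUN", frozenset(greens))


def check_plan(phases):
    """Configuration check run before a signal plan is deployed: every phase
    must be conflict-free. Returns [(phase index, offending pairs), ...]."""
    return [(i, conflicts(p)) for i, p in enumerate(phases) if conflicts(p)]


# Constructed four-phase plans; PLAN_BAD has a miswired third phase that
# runs an eastbound left turn against the opposing westbound through.
PLAN_OK = [{"N_left", "S_left"}, {"N_thru", "S_thru"},
           {"E_left", "W_left"}, {"E_thru", "W_thru"}]
PLAN_BAD = [{"N_left", "S_left"}, {"N_thru", "S_thru"},
            {"E_left", "W_thru"}, {"E_thru", "W_thru"}]

if __name__ == "__main__":
    print("PLAN_OK problems:", check_plan(PLAN_OK))
    print("PLAN_BAD problems:", check_plan(PLAN_BAD))
    print("monitor on bad phase:", monitor(PLAN_BAD[2]))
```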