First real-world SCADA attack in US
Matthew Kaufman
matthew at matthew.at
Tue Nov 22 22:59:43 UTC 2011
On 11/22/2011 5:59 AM, Brett Frankenberger wrote:
> The typical implementation in a modern controller is to have a
> separate conflict monitor unit that will detect when conflicting
> greens (for example) are displayed, and trigger a (also separate)
> flasher unit that will cause the signal to display a flashing red in
> all directions (sometimes flashing yellow for one higher volume
> route). So the controller would output conflicting greens if it failed
> or was misprogrammed, but the conflict monitor would detect that and
> restore the signal to a safe (albeit flashing, rather than normal
> operation) state.
>
> -- Brett

Indeed. All solid-state controllers, microprocessor or not, are required
to have a completely independent conflict monitor that watches the
actual HV outputs to the lamps and, in the event of a fault, uses
electromechanical relays to disconnect the controller and connect the
reds to a separate flasher circuit.

The people building these things and writing the requirements do
understand the consequences of failure.

Matthew Kaufman
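
The conflict-monitor behaviour described in this message, sketched as an added example that is not part of the original post and not any vendor's firmware. The four-channel layout, the permitted-pairs table, and the fault latch that holds the flasher relay until a manual reset are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed intersection: one green-sense input per approach (assumption). */
enum { NORTHBOUND, SOUTHBOUND, EASTBOUND, WESTBOUND, NUM_CH };

/* permitted[ch]: channels that may show green at the same time as ch. */
const uint8_t permitted[NUM_CH] = {
    [NORTHBOUND] = 1u << SOUTHBOUND,
    [SOUTHBOUND] = 1u << NORTHBOUND,
    [EASTBOUND]  = 1u << WESTBOUND,
    [WESTBOUND]  = 1u << EASTBOUND,
};

typedef enum { RELAY_CONTROLLER, RELAY_FLASHER } relay_t;
typedef struct { bool fault_latched; } monitor_t;

/* True if any two sensed greens are not a permitted pair. */
bool greens_conflict(uint8_t greens) {
    greens &= (uint8_t)((1u << NUM_CH) - 1u);
    for (int ch = 0; ch < NUM_CH; ch++) {
        if (!(greens & (1u << ch)))
            continue;
        uint8_t others = greens & (uint8_t)~(1u << ch);
        if (others & (uint8_t)~permitted[ch])
            return true;
    }
    return false;
}

/* The monitor sees only the lamp outputs, never the controller's state.
 * Once a conflict is seen the relay stays on the flasher (assumed latch). */
relay_t monitor_sample(monitor_t *m, uint8_t sensed_greens) {
    if (greens_conflict(sensed_greens))
        m->fault_latched = true;
    return m->fault_latched ? RELAY_FLASHER : RELAY_CONTROLLER;
}

int main(void) {
    monitor_t m = { false };
    /* Constructed samples: normal, conflicting, then normal again. */
    uint8_t samples[] = { 0x03, 0x05, 0x0C };
    for (unsigned i = 0; i < sizeof samples; i++)
        printf("greens=0x%02x -> %s\n", (unsigned)samples[i],
               monitor_sample(&m, samples[i]) == RELAY_FLASHER
                   ? "flasher" : "controller");
    return 0;
}
```

The third sample is a valid green pair, but the output stays on the flasher because the fault is latched: the decision to flash does not depend on the controller behaving correctly afterwards.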