First real-world SCADA attack in US
Brett Frankenberger
rbf+nanog at panix.com
Tue Nov 22 15:30:30 UTC 2011
On Tue, Nov 22, 2011 at 10:16:56AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Brett Frankenberger" <rbf+nanog at panix.com>
>
> > The typical implementation in a modern controller is to have a separate
> > conflict monitor unit that will detect when conflicting greens (for
> > example) are displayed, and trigger a (also separate) flasher unit that
> > will cause the signal to display a flashing red in all directions
> > (sometimes flashing yellow for one higher volume route).
> >
> > So the controller would output conflicting greens if it failed or was
> > misprogrammed, but the conflict monitor would detect that and restore
> > the signal to a safe (albeit flashing, rather than normal operation)
> > state.
>
> "... assuming the *conflict monitor* hasn't itself failed."
>
> There, FTFY.
>
> Moron designers.
Yes, but then you're two failures deep -- you need a controller
failure, in a manner that creates an unsafe condition, followed by a
failure of the conflict monitor. Lots of systems are vulnerable to
multiple failure conditions.
Relays can have interesting failure modes also. You can only protect
for so many failures deep.
-- Brett
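The arrangement discussed in this thread (a controller whose outputs are checked by a separate conflict monitor that can force the flasher) can be sketched as a small simulation. This is a constructed illustration added here, not code from the thread or from any real signal controller; the phase names, the conflict table and the `monitor_healthy` flag are assumptions chosen to show the point about needing two independent failures before an unsafe display reaches the street.

```python
"""Toy model of a signal controller, a separate conflict monitor and the flasher.

Constructed example. Phases, conflict table and failure flags are assumptions.
"""
from enum import Enum


class Lamp(Enum):
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"
    FLASH_RED = "flashing red"  # what the flasher unit drives on all heads


# Indications that permit traffic to enter the intersection.
PERMISSIVE = {Lamp.GREEN, Lamp.YELLOW}

# Constructed conflict table: pairs of phases that must never both be permissive.
# A real intersection would have more phases; the check below is general over the table.
CONFLICTING_PAIRS = {("NS", "EW"), ("NS_LEFT", "EW"), ("EW_LEFT", "NS")}


def conflicting(display: dict) -> bool:
    """True if any conflicting pair of phases both show a permissive indication."""
    return any(
        display.get(a) in PERMISSIVE and display.get(b) in PERMISSIVE
        for a, b in CONFLICTING_PAIRS
    )


def controller(failed: bool) -> dict:
    """The main controller. Normal output is NS green, everything else red.

    `failed=True` models a misprogrammed or faulted controller that outputs
    conflicting greens (the failure the thread describes).
    """
    display = {"NS": Lamp.GREEN, "NS_LEFT": Lamp.RED, "EW": Lamp.RED, "EW_LEFT": Lamp.RED}
    if failed:
        display["EW"] = Lamp.GREEN
    return display


def conflict_monitor(display: dict, healthy: bool = True) -> dict:
    """Separate unit that watches the controller output and, on a conflict,
    triggers the flasher so every head shows flashing red.

    `healthy=False` models the second failure raised in the thread: the monitor
    itself has failed, so whatever the controller emits passes straight through.
    """
    if healthy and conflicting(display):
        return {phase: Lamp.FLASH_RED for phase in display}
    return dict(display)


def run_scenarios() -> dict:
    """Run the three cases and report, per scenario, the street display and whether it is safe."""
    cases = {
        "normal": (False, True),
        "controller_failed": (True, True),
        "controller_and_monitor_failed": (True, False),
    }
    results = {}
    for name, (ctrl_failed, mon_healthy) in cases.items():
        on_street = conflict_monitor(controller(ctrl_failed), healthy=mon_healthy)
        results[name] = {"display": on_street, "safe": not conflicting(on_street)}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        heads = ", ".join(f"{p}={l.value}" for p, l in outcome["display"].items())
        print(f"{name:32s} safe={outcome['safe']!s:5s} {heads}")
```

Only the third scenario, with both units failed, lets a conflicting display reach the street; a single failure of either unit alone still ends in a safe state (normal operation or flashing red), which is the "two failures deep" point.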