OT: Traffic Light Control (was Re: First real-world SCADA attack in US)

Jay Ashworth jra at baylink.com
Tue Nov 22 13:26:34 CST 2011

> Relay logic has the potential for programming (i.e. wiring) errors
> also.

Yes, but the complexity of a computerized controller is 3-6 orders of
magnitude higher, *and none of it is visible*.

> It's not fair to compare "conflict monitor" to "properly programmed
> relay logic". We either have to include the risk of programming
> failures (which means "improper wiring" in the case of relay logic) in
> both cases, or exclude programming failures in both cases.

See above, and note that there are at least a couple orders of magnitude 
more possible failure modes on a computerized controller as well.

> Some other things to consider.
> Relays are more likely to fail. Yes, the relay architecture was
> carefully designed such that the most failures would not result in
> conflicting greens, 

My understanding was that it was completely impossible.  You could 
fail dark, but you *could not* fail crossing-green.

>                      but that's not the only risk. When the traffic
> signal is failing, even if it's failing with dark or red in every
> direction, the intersection becomes more dangerous. Not as dangerous
> as conflicting greens, 

By 2 or 3 orders of magnitude, usually; the second thing they teach you
in driver ed is "a dark traffic signal is a 4-way stop".

>                         but more dangerous than a properly operating
> intersection. If we can eliminate 1000 failures without conflicting
> greens, at the cost of one failure with a conflicting green, it might
> be a net win in terms of safety.

The underlying issue is trust, as it so often is.  People assume (for
very good reason) that crossing greens is completely impossible.  The
cost of a crossing-greens accident is *much* higher than might be
imagined; think "new Coke".

> Modern intersections are often considerably more complicated than a
> two phase "allow N/S, then allow E/W, then repeat" system. Wiring relays
> to completely avoid conflict in that case is very complex, and,
> therefore, more error prone. Even if a properly configured relay
> solution is more reliable than a properly configured solid-state
> conflict-monitor solution, if the relay solution is more likely to be
> misconfigured, then there's not necessarily a net win.

Sure.  But we have no numbers on either side.

> Cost is an object. If implementing a solid state controller is less
> expensive (on CapEx and OpEx basis) than a relay-based controller, then
> it might be possible to implement traffic signals at four previously
> uncontrolled intersections, instead of just three. That's a pretty big
> safety win.

See above about whether people trust green lights to be safe.

> And, yes, convenience is also an objective. Most people wouldn't want
> to live in a city where the throughput benefit of modern traffic
> signalling weren't available, even if they have to accept a very, very
> small increase in risk.

Assuming they knew they were accepting it.

But if it amounts to "Well, it's going to cost you more if we do it
[right]", well, look out for #OccupyMainStreet.

"We can fake it cause it's cheaper" is pretty close to a dead approach,
I suspect.

-- jra
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

More information about the NANOG mailing list