First real-world SCADA attack in US
Jimmy Hess
mysidia at gmail.com
Wed Nov 23 02:51:46 UTC 2011
On Tue, Nov 22, 2011 at 5:23 PM, Brett Frankenberger
<rbf+nanog at panix.com> wrote:
> On Tue, Nov 22, 2011 at 06:14:54PM -0500, Jay Ashworth wrote:
> in a manner that removes voltage from the relays). It doesn't protect
> against the case of conflicting output from the controller which the
> conflict monitor fails to detect. (Which is one of the cases you
> seemed to be concerned about before.)
Reliable systems have triple redundancy.
And indeed... hardwired safety is a lot better than relying on software.
But it's not like transistors/capacitors don't fail either, so
whether solid state or not, a measure of added protection is in order
beyond a single monitor.
There should be a "conflict monitor test path" that involves a third circuit intentionally creating a safe "test" conflict at pre-defined sub-millisecond intervals, by generating a conflict in a manner the monitor is supposed to detect but won't actually produce current through the light, and checking for absence of a test signal on green; if the test fails, the test circuit should intentionally blow a pair of fuses, breaking the test circuit's connections to the controller and conflict monitor.

In addition, the 'test circuit' should generate a pair of clock signals of its own, that is a side effect and only possible with correct test outcomes and will be verified by both the conflict monitor and the controller; if the correct clock indicating successful test outcomes is not detected by either the conflict monitor or by the controller, both systems should independently force a fail, using different methods.

So you have 3 circuits, and any one circuit can detect the most severe potential failure of any pair of the other circuits.
> -- Brett
--
-JH
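A toy model of the three-circuit arrangement the post above describes (controller, conflict monitor, and a test circuit whose heartbeat clock both of the others verify), added here as an illustration and not code from the thread. The class names, the single simulated test interval and the two "different methods" of forcing a fail (dropping relay voltage versus commanding all-red) are assumptions chosen for the model.

```python
# Constructed model of the three-circuit fail-safe design from the post; the
# names, the single test interval and the fail methods are assumptions.
CONFLICTS = {("NS", "EW")}  # approach pairs that must never be green together

def is_conflict(phases):
    """True if any conflicting pair of approaches is green at the same time."""
    return any(phases.get(a) == "green" and phases.get(b) == "green"
               for a, b in CONFLICTS)

class ConflictMonitor:
    def __init__(self, detects_conflicts=True):
        self.detects_conflicts = detects_conflicts  # False models a failed detector
        self.relays_powered = True                  # dropping it forces flash

    def check(self, sensed_phases):
        # Flag a conflict on the sensed inputs; a failed detector never flags.
        return self.detects_conflicts and is_conflict(sensed_phases)

    def watchdog(self, heartbeat_ok):
        if not heartbeat_ok:
            self.relays_powered = False  # method 1: remove relay voltage

class Controller:
    def __init__(self):
        self.all_red = False

    def watchdog(self, heartbeat_ok):
        if not heartbeat_ok:
            self.all_red = True  # method 2: command every approach to red

class TestCircuit:
    def __init__(self, alive=True):
        self.alive = alive          # False models a dead test circuit (no clock)
        self.fuses_intact = True

    def run_test(self, monitor):
        """Inject a test conflict on the monitor's sense inputs only (no lamp
        current) and return the heartbeat clock level the other circuits expect."""
        if not self.alive or not self.fuses_intact:
            return False
        if monitor.check({"NS": "green", "EW": "green"}):
            return True                  # monitor caught it: emit heartbeat
        self.fuses_intact = False        # monitor missed it: blow fuses, no clock
        return False

def cycle(controller, monitor, test):
    """One test interval: run the test, then let both circuits verify the clock."""
    hb = test.run_test(monitor)
    monitor.watchdog(hb)
    controller.watchdog(hb)
    return {"heartbeat": hb, "relays_powered": monitor.relays_powered,
            "all_red": controller.all_red, "fuses_intact": test.fuses_intact}
```

Running `cycle` with a healthy monitor keeps the heartbeat up and the lamps normal; a monitor that misses the injected conflict blows the test fuses and silences the clock, after which the controller and monitor each force their own fail state independently.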