OT: Traffic Light Control (was Re: First real-world SCADA attack in US)

Jay Hennigan jay at west.net
Wed Nov 23 04:29:46 UTC 2011


On 11/22/11 8:16 AM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Owen DeLong" <owen at delong.com>
> 
>> As in all cases, additional flexibility results in additional ability
>> to make mistakes. Simple mechanical lockouts do not scale to the
>> modern world. The benefits of these additional capabilities far
>> outweigh the perceived risks of programming errors.
> 
> The perceived risk in this case is "multiple high-speed traffic fatalities".
> 
> I believe we rank that pretty high; it's entirely possible that a traffic
> light controller is the most potentially dangerous artifact (in terms of 
> number of possible deaths) that the average citizen interacts with on a 
> daily basis.

I'm familiar with this.  The modern Safetran brand of traffic light
controllers are indeed microprocessor based and networked for time sync,
although they can also use local GPS.  Network is typically radio or
twisted pair modem.  McCain, BiTran, etc. are similar.

The master controllers do run IP so the risk is there that they can be
either deliberately or accidentally exposed to the Internet.  Before
this they typically had a dial-up modem and could be accessed by anyone
war-dialing with a VT-100 emulator and some password guessing.  Many are
still this way.

Within each intersection controller is a PC board with a diode matrix
called a "conflict monitor".  It has inputs from all of the green and
yellow phases including pedestrian walk signals, turn arrows, etc.

It's the job of the traffic engineer installing the system to program
the conflict monitor for that intersection.  By default they're
programmed for a simple North-South vs. East-West intersection of
two-way streets with pedestrian controls.  If anything different, the
conflict monitor is reprogrammed in the field to match the intersection.

In the event of a conflict, defined as green, yellow or walk signals
that would cause conflicting traffic being allowed, the conflict monitor
forces the intersection into red flashing in all directions and
disconnects control from the microprocessor until manually reset
on-site.  If networked, it also sends a conflict alarm.  If the
conflict monitor is removed, the intersection goes to flash.

Conflicting green is only possible if the conflict monitor is
mis-programmed or the external connections to the signal heads are
mis-wired.  Even a short-circuit in the external wiring between two
green phases would be detected unless the feed wires of the conflicting
phases are cut to the signal box.

In the real world, "Stuff happens".  Trucks cut corners and turn the
traffic heads to point the wrong way.  Controllers get replaced with a
stock unit after a failure or accident knocking down the signal box
without being properly set up for that intersection.

But, an external cracker even with full access won't be able to cause a
conflict.  Massive traffic jams by messing with the timing, short or
long cycles, etc. but not a conflict.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
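Model of the conflict-monitor behaviour Jay describes above, added to this archive page as an illustration (it is not code from the post, and not Safetran, McCain or BiTran firmware). It assumes a constructed set of phase names and a constructed permissive matrix standing in for the diode matrix; the monitor samples the field-side outputs rather than the controller's intent, so a mis-timed or hijacked controller passes through untouched, while conflicting greens, a short between two green feeds, or a stock default matrix at an intersection with a protected left arrow all trip it to all-red flash. The last case in the demo shows the one failure the post names: a mis-programmed matrix that lets a genuine conflict through.

```python
"""
Conflict-monitor model for the intersection design described in the post.

A permissive matrix (standing in for the diode matrix) lists which phase
pairs may show green/yellow/walk at the same time. Any active pair not in
the matrix is a conflict: the monitor latches, forces all-red flash, logs
an alarm, and stays latched until a manual on-site reset.
Phase names and matrices are constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import combinations

FLASH_RED = "FLASH_RED"   # all-red flash, controller disconnected

# Constructed default matrix: N-S vs. E-W two-way streets with walk signals.
DEFAULT_PERMISSIVES = frozenset({
    frozenset({"NB_thru", "SB_thru"}),
    frozenset({"EB_thru", "WB_thru"}),
    frozenset({"NB_thru", "NS_walk"}), frozenset({"SB_thru", "NS_walk"}),
    frozenset({"EB_thru", "EW_walk"}), frozenset({"WB_thru", "EW_walk"}),
})


@dataclass
class ConflictMonitor:
    """Independent watchdog: any active pair not in `permissives` is a conflict."""
    permissives: frozenset
    tripped: bool = False
    alarms: list = field(default_factory=list)

    def conflicts(self, active):
        """Sorted list of active phase pairs the matrix does not permit."""
        return sorted(
            (a, b) for a, b in combinations(sorted(active), 2)
            if frozenset({a, b}) not in self.permissives
        )

    def apply(self, field_active):
        """Return what the signal heads display: the field state, or FLASH_RED."""
        if self.tripped:
            return FLASH_RED            # latched until manual on-site reset
        found = self.conflicts(field_active)
        if found:
            self.tripped = True
            self.alarms.append(f"conflict {found}")   # the networked alarm
            return FLASH_RED
        return frozenset(field_active)

    def manual_reset(self):
        self.tripped = False


def field_state(commanded, shorts=()):
    """Field-side outputs: the commanded phases plus any phase bridged to an
    active one by a wiring short (given as pairs of phase names)."""
    active = set(commanded)
    changed = True
    while changed:
        changed = False
        for a, b in shorts:
            if (a in active) != (b in active):
                active |= {a, b}
                changed = True
    return frozenset(active)


def run_plan(monitor, plan, shorts=()):
    """Feed a controller timing plan [(phases, seconds), ...] through the
    monitor. Seconds are ignored: timing is invisible to the monitor, which
    is why a hijacked controller can jam traffic but cannot cause a conflict."""
    return [monitor.apply(field_state(step, shorts)) for step, _ in plan]


if __name__ == "__main__":
    m = ConflictMonitor(DEFAULT_PERMISSIVES)
    # Absurd 600 s greens: traffic jam, but every step is permitted.
    print(run_plan(m, [({"NB_thru", "SB_thru"}, 600), ({"EB_thru", "WB_thru"}, 2)]))
    # Conflicting greens trip the monitor and latch it.
    print(m.apply({"NB_thru", "EB_thru"}), m.alarms, m.apply({"NB_thru", "SB_thru"}))
    # A short between the NB and EB green feeds is caught on the field side.
    print(run_plan(ConflictMonitor(DEFAULT_PERMISSIVES),
                   [({"NB_thru", "SB_thru"}, 30)], shorts=[("NB_thru", "EB_thru")]))
    # Mis-programmed matrix (NB_left wrongly permitted with SB_thru): undetected.
    bad = DEFAULT_PERMISSIVES | {frozenset({"NB_left", "SB_thru"})}
    print(ConflictMonitor(bad).apply({"NB_left", "SB_thru"}))
```

The fail-safe direction is worth noting: a stock default matrix dropped into an intersection with a protected left arrow trips on the first legitimate NB_left plus NB_thru display, which is a nuisance flash rather than a collision. Only the matrix that permits too much, the case the post singles out, lets a real conflict reach the street.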