Re: First real-world SCADA attack in US

[Brett Frankenberger <rbf+nanog () panix com>]

On Tue, Nov 22, 2011 at 10:16:56AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Brett Frankenberger" <rbf+nanog () panix com>
>
> > The typical implementation in a modern controller is to have a separate
> > conflict monitor unit that will detect when conflicting greens (for
> > example) are displayed, and trigger a (also separate) flasher unit that
> > will cause the signal to display a flashing red in all directions
> > (sometimes flashing yellow for one higher volume route).
> >
> > So the controller would output conflicting greens if it failed or was
> > misprogrammed, but the conflict monitor would detect that and restore
> > the signal to a safe (albeit flashing, rather than normal operation)
> > state.
>
> "... assuming the *conflict monitor* hasn't itself failed."
>
> There, FTFY.
>
> Moron designers.

Yes, but then you're two failures deep -- you need a controller
failure, in a manner that creates an unsafe condition, followed by a
failure of the conflict monitor.  Lots of systems are vulnerable to
multiple failure conditions.

Relays can have interesting failure modes also.  You can only protect
for so many failures deep.

     -- Brett