Re: First real-world SCADA attack in US

[Brett Frankenberger <rbf+nanog () panix com>]

On Tue, Nov 22, 2011 at 06:14:54PM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Matthew Kaufman" <matthew () matthew at>
>
> > Indeed. All solid-state controllers, microprocessor or not, are required
> > to have a completely independent conflict monitor that watches the
> > actual HV outputs to the lamps and, in the event of a fault, uses
> > electromechanical relays to disconnect the controller and connect the
> > reds to a separate flasher circuit.
> >
> > The people building these things and writing the requirements do
> > understand the consequences of failure.
>
> If you mean "an independent conflict monitor which, *in the event
> there is NO discernable fault*, *connects* the controller to the lamp
> outputs... so that in the event the monitor itself fails, gravity or
> springs will return those outputs to the flasher circuit", than I'll
> accept that latter assertion.

That protects against a conflicting output from the controller at the
same time the conflict monitor completely dies (assuming its death is
in a manner that removes voltage from the relays).  It doesn't protect
against the case of conflicting output from the controller which the
conflict monitor fails to detect.  (Which is one of the cases you
seemed to be concerned about before.)

     -- Brett