nanog mailing list archives

Re: First real-world SCADA attack in US


From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 22 Nov 2011 20:51:46 -0600

On Tue, Nov 22, 2011 at 5:23 PM, Brett Frankenberger
<rbf+nanog () panix com> wrote:
> On Tue, Nov 22, 2011 at 06:14:54PM -0500, Jay Ashworth wrote:
> in a manner that removes voltage from the relays).  It doesn't protect
> against the case of conflicting output from the controller which the
> conflict monitor fails to detect.  (Which is one of the cases you
> seemed to be concerned about before.)

Reliable systems have triple redundancy.
And indeed... hardwired safety is a lot better than relying on software.
But it's not like transistors/capacitors don't fail either, so whether
solid state or not, a measure of added protection is in order beyond a
single monitor.

There should be a "conflict monitor test path" that involves a third
circuit intentionally creating a safe "test" conflict at pre-defined
sub-millisecond intervals, by generating a conflict in a manner the
monitor is supposed to detect but won't actually produce current through
the light, and checking for absence of a test signal on green; if the
test fails, the test circuit should intentionally blow a pair of fuses,
breaking the test circuit's connections to the controller and conflict
monitor.

In addition, the 'test circuit' should generate a pair of clock signals
of its own, which are a side effect of, and only possible with, correct
test outcomes, and which will be verified by both the conflict monitor
and the controller; if the correct clock indicating successful test
outcomes is not detected by either the conflict monitor or by the
controller, both systems should independently force a fail, using
different methods.


So you have 3 circuits, and any one circuit can detect the most severe
potential failure of any pair of the other circuits.



> -- Brett
--
-JH
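The three-circuit arrangement proposed in the message above (controller, conflict monitor, and a test circuit that exercises the monitor and emits a clock only while its tests pass) is easy to misjudge from prose alone, so here is a small discrete-time model of it. This is an added illustration, not code from the post or from any real traffic-signal product. Everything specific is an assumption: two conflicting phases, an "all-red" fail-safe state, the three named faults, a tick loop standing in for the sub-millisecond test interval, and the assumption that the clock detector inside the controller and inside the monitor keeps working even when that unit's main function has failed. The `with_test_path=False` switch removes the third circuit so the difference it makes can be seen.

```python
"""Model of a controller / conflict-monitor / test-circuit safety arrangement.

Added illustration only; names, faults and the all-red fail state are assumed.
"""
from dataclasses import dataclass
from itertools import combinations

PHASES = ("NS", "EW")                    # two conflicting movements (assumed)
ALL_RED = {p: "red" for p in PHASES}     # assumed fail-safe lamp state
FAULTS = ("controller_conflict", "monitor_blind", "test_dead")


def is_safe(lamps):
    """A lamp state is safe when at most one phase shows green."""
    return sum(1 for c in lamps.values() if c == "green") <= 1


@dataclass
class Controller:
    conflict_fault: bool = False     # fault: drives green on every phase
    forced_fail: bool = False
    tick: int = 0

    def outputs(self):
        self.tick += 1
        if self.conflict_fault:
            return {p: "green" for p in PHASES}
        green = PHASES[self.tick % len(PHASES)]
        return {p: ("green" if p == green else "red") for p in PHASES}

    def check_clock(self, clock_ok):
        # Fail method 1 (assumed): stop cycling and command all-red itself.
        if not clock_ok:
            self.forced_fail = True


@dataclass
class ConflictMonitor:
    blind_fault: bool = False        # fault: comparator no longer sees conflicts
    tripped: bool = False            # a real conflict was seen: lamp supply cut
    forced_fail: bool = False

    def sees_conflict(self, pattern):
        return (not self.blind_fault) and not is_safe(pattern)

    def check_real(self, lamps):
        if self.sees_conflict(lamps):
            self.tripped = True

    def check_test(self, test_pattern):
        """Answer on the test channel only; no lamp current is switched."""
        return self.sees_conflict(test_pattern)

    def check_clock(self, clock_ok):
        # Fail method 2 (assumed): drop the load-switch supply relay.
        if not clock_ok:
            self.forced_fail = True


@dataclass
class TestCircuit:
    dead_fault: bool = False         # fault: the circuit produces nothing at all
    fuses_blown: bool = False

    def exercise(self, monitor):
        """Inject a test conflict; return True only if the clock may run."""
        if self.dead_fault or self.fuses_blown:
            return False
        test_pattern = {p: "green" for p in PHASES}   # safe: test channel only
        if not monitor.check_test(test_pattern):
            self.fuses_blown = True   # monitor missed it: sever our own links
            return False
        return True                   # the clock is a side effect of a pass


def run(faults=(), ticks=8, with_test_path=True):
    """Simulate `ticks` cycles under the given faults; report the outcome."""
    ctl = Controller(conflict_fault="controller_conflict" in faults)
    mon = ConflictMonitor(blind_fault="monitor_blind" in faults)
    tst = TestCircuit(dead_fault="test_dead" in faults)
    lamps = dict(ALL_RED)
    for _ in range(ticks):
        clock_ok = tst.exercise(mon) if with_test_path else True
        mon.check_clock(clock_ok)
        ctl.check_clock(clock_ok)
        requested = ctl.outputs()
        mon.check_real(requested)
        if mon.tripped or mon.forced_fail or ctl.forced_fail:
            lamps = dict(ALL_RED)
        else:
            lamps = requested
    caught = [name for name, flag in (("monitor_trip", mon.tripped),
                                      ("monitor_clock_fail", mon.forced_fail),
                                      ("controller_clock_fail", ctl.forced_fail),
                                      ("test_fuses", tst.fuses_blown)) if flag]
    return {"lamps": lamps, "safe": is_safe(lamps), "caught_by": caught}


def all_pairs_safe():
    """Every single fault and every pair of faults must end in a safe state."""
    return all(run(set(c))["safe"]
               for n in (1, 2) for c in combinations(FAULTS, n))


if __name__ == "__main__":
    for fs in ({"controller_conflict", "monitor_blind"},):
        print(fs, "with test path:", run(fs))
        print(fs, "without:", run(fs, with_test_path=False))
```

The pair worth looking at is `controller_conflict` together with `monitor_blind`: with only two circuits that pair puts green on both phases and nothing notices, while with the test path the monitor's missed test conflict blows the test circuit's fuses, the clock stops, and the controller and monitor each force all-red by their own method. A single `monitor_blind` fault is also caught before any real conflict occurs, which is the point of testing the monitor continuously rather than waiting for it to be needed.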

