
First real-world SCADA attack in US



On 11/22/2011 5:59 AM, Brett Frankenberger wrote:
> The typical implementation in a modern controller is to have a 
> separate conflict monitor unit that will detect when conflicting 
> greens (for example) are displayed, and trigger a (also separate) 
> flasher unit that will cause the signal to display a flashing red in 
> all directions (sometimes flashing yellow for one higher volume 
> route). So the controller would output conflicting greens if it failed 
> or was misprogrammed, but the conflict monitor would detect that and 
> restore the signal to a safe (albeit flashing, rather than normal 
> operation) state. -- Brett 

Indeed. All solid-state controllers, microprocessor or not, are required 
to have a completely independent conflict monitor that watches the 
actual HV outputs to the lamps and, in the event of a fault, uses 
electromechanical relays to disconnect the controller and connect the 
reds to a separate flasher circuit.

The people building these things and writing the requirements do 
understand the consequences of failure.

Matthew Kaufman
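The fail-safe architecture described in the exchange above, modelled as an added example. This is not code from the original post or from any real controller or its standard; the approach names (N, S, E, W), the two-phase permissive set and the three fault rules are assumptions chosen for illustration. The point it demonstrates is the one Matthew makes: the monitor judges the lamp outputs as actually measured, not the state the controller believes it commanded, and once it trips it latches into all-red until someone resets it, so a failed or misprogrammed controller cannot talk its way back into a conflicting display.

```python
"""Model of an independent conflict monitor for a traffic signal.

Added example, not code from the original post. Approach names,
the permissive set and the fault rules are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Lamp(Enum):
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"


# Hypothetical two-phase intersection: N with S and E with W may move
# together; any other pair showing green/yellow at once is a conflict.
PERMISSIVE: Set[FrozenSet[str]] = {
    frozenset({"N", "S"}),
    frozenset({"E", "W"}),
}

MOVING = {Lamp.GREEN, Lamp.YELLOW}


@dataclass
class ConflictMonitor:
    """Watches the measured lamp outputs, never the controller's
    commanded state. A fault latches the monitor into flash until a
    human calls reset(), mirroring the separate relay/flasher unit."""

    permissive: Set[FrozenSet[str]]
    latched: bool = False
    fault: Optional[str] = None

    def _find_fault(self, measured: Dict[str, Set[Lamp]]) -> Optional[str]:
        approaches = sorted(measured)
        # Per-approach checks: a dark head, or red lit alongside a
        # green/yellow on the same head, are both faults.
        for a in approaches:
            lamps = measured[a]
            if not lamps:
                return f"{a}: no lamp energized (dark approach)"
            if Lamp.RED in lamps and lamps & MOVING:
                return f"{a}: red and green/yellow energized together"
        # Cross-approach check: two moving approaches must be a
        # permitted pair.
        for i, a in enumerate(approaches):
            if not measured[a] & MOVING:
                continue
            for b in approaches[i + 1:]:
                if measured[b] & MOVING and frozenset({a, b}) not in self.permissive:
                    return f"{a}/{b}: conflicting movements"
        return None

    def observe(self, measured: Dict[str, Set[Lamp]]) -> Dict[str, Set[Lamp]]:
        """Return what the signal actually displays for this frame."""
        if not self.latched:
            fault = self._find_fault(measured)
            if fault is not None:
                self.latched = True
                self.fault = fault
        if self.latched:
            # Relays drop the controller and hand every approach to the
            # separate flasher; modelled here as red on all sides.
            return {a: {Lamp.RED} for a in measured}
        return dict(measured)

    def reset(self) -> None:
        """Manual reset by a technician; the controller gets no say."""
        self.latched = False
        self.fault = None


def run_scenario(
    monitor: ConflictMonitor, frames: List[Dict[str, Set[Lamp]]]
) -> Tuple[List[Dict[str, Set[Lamp]]], Optional[str]]:
    """Feed measured output frames through the monitor; return the
    displayed frames and the fault that tripped it, if any."""
    displayed = [monitor.observe(f) for f in frames]
    return displayed, monitor.fault


if __name__ == "__main__":
    # Constructed frames: a valid phase, then a misprogrammed one that
    # energizes N and E green together, then the valid phase again.
    ok = {"N": {Lamp.GREEN}, "S": {Lamp.GREEN}, "E": {Lamp.RED}, "W": {Lamp.RED}}
    bad = {"N": {Lamp.GREEN}, "S": {Lamp.RED}, "E": {Lamp.GREEN}, "W": {Lamp.RED}}
    shown, why = run_scenario(ConflictMonitor(PERMISSIVE), [ok, bad, ok])
    for frame in shown:
        print({a: sorted(l.value for l in lamps) for a, lamps in frame.items()})
    print("tripped by:", why)
```

Note that the third frame is valid on its own, yet the monitor still displays all-red: recovery is a manual reset, not the controller resuming a sane program. A monitor that trusted the controller's commanded state instead of the measured outputs would pass a misprogrammed or failed controller straight through, which is exactly the independence the post insists on.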