Is Analog the Fix For Cyber Terrorism?

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) offering support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.

245 comments

  1. obviously BSG was right by mindpivot · · Score: 5, Insightful

    the terrorists are like cylons and we need to disconnect all networked computers for humanity!!!

    1. Re:obviously BSG was right by Anonymous Coward · · Score: 1

      the terrorists are like cylons and we need to disconnect all networked computers for humanity!!!

      Analog solutions to perceived terrorism are only as good as the persons trusted for their implementation — 12 Monkeys.

    2. Re:obviously BSG was right by warpuck · · Score: 0

      Operational amplifiers (analog computer) could easily replace the computer systems that operate the engines and transmissions of automobiles. Problem for the dealer/manufacturer is they can easily be adjusted with a screwdriver, an oscilloscope and a digital voltmeter. After all they cannot supply the puter with data because all the sensors are analog & have to be converted to digital for the computer. Take ____________ out of your car to the dealer for reprogramming and they will gladly exchange yours for a "new" one. You have to fill in the blank because each manufacturer has a different name for the black box that controls the basic functions.

  2. sure, no problem by davester666 · · Score: 4, Informative

    >Or maybe you could isolate control systems from the Internet

    said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

    --
    Sleep your way to a whiter smile...date a dentist!
    1. Re:sure, no problem by Anonymous Coward · · Score: 2, Funny

      Don't worry, Bill Gates says a robot will take that guy's job soon enough.

    2. Re:sure, no problem by Anonymous Coward · · Score: 0

      Job security! No off-shoring to India. Not sure if it can be done by H1B as I hope this should require a security clearance.

    3. Re:sure, no problem by TWX · · Score: 5, Insightful

      said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

      Sounds to me like you need a better A/C system.

      Or you need to not consider an HVAC system to be so critical that it can't be on the network. Or, perhaps you need to design the HVAC system to take only the simplest of input from Internet-connected machines through interfaces like RS-422, and to otherwise use its not-connected, internal network for actual major connectivity. And design it to fail-safe, where it doesn't shut off and leave the data center roasting if there's an erroneous input.

      And anything that is monitored three shifts should not be Internet-connected if it's considered critical. After all, if it's monitored three shifts then it shouldn't have to notify anyone offsite.

      --
      Do not look into laser with remaining eye.
    4. Re:sure, no problem by phantomfive · · Score: 4, Interesting

      said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

      I can't speak for everyone, but I would rather pay extra for someone to be willing to do that (or do it myself, it shouldn't be a common situation) before I connect important systems to the internet.

      Having an air gap isn't a perfect solution, but it makes things a lot harder for attackers.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:sure, no problem by mlts · · Score: 5, Interesting

      As a compromise, one can always do something similar to this:

      1: Get two machines with a RS232 port. One will be the source, one the destination.

      2: Cut the wire on the serial port cable so the destination machine has no ability to communicate with the source.

      3: Have the source machine push data through the port, and have the destination machine constantly monitor it and log it to a file.

      4: Have a program on the destination machine parse the log and do the paging, etc. if a parameter goes out of bounds.

      This won't work for high data rates, but it will sufficiently isolate the inner subsystem from the Internet while providing a way for data to get out in real time. Definitely not immune to physical attack, but it will go a long way toward stopping remote attacks, since there are no connections that can be made into the source machine's subnet.
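The receive side of the serial arrangement above, as an added example that is not part of the post: the destination machine only ever reads, so it cannot ask the source to resend a mangled line, and the parser has to tolerate line noise and count it rather than die on it. The telemetry line format, the parameter bounds and the pager hook are assumptions made for illustration.

```python
"""Destination-side monitor for a one-way (cut TX wire) serial link.
Added example; not the commenter's code. Assumes the source emits one text
line per sample: '<ISO-8601 UTC> NAME=value NAME=value ...'. The line
format, the bounds table and the pager callback are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Acceptable ranges per parameter (constructed sample bounds).
BOUNDS: Dict[str, Tuple[float, float]] = {
    "TEMP_C": (10.0, 35.0),
    "PRESSURE_BAR": (1.0, 6.0),
    "RPM": (0.0, 3000.0),
}

_NUM = r"-?\d+(?:\.\d+)?"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<body>[A-Z_0-9]+={_NUM}(?:\s+[A-Z_0-9]+={_NUM})*)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    kind: str       # OUT_OF_BOUNDS, UNKNOWN_PARAM or GARBLED
    detail: str


def parse_line(line: str) -> Optional[Tuple[str, Dict[str, float]]]:
    """Parse one telemetry line; None if it is garbled. On a one-way link
    there is no retransmit, so bad lines are a normal condition to handle."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    readings: Dict[str, float] = {}
    for kv in m.group("body").split():
        name, value = kv.split("=", 1)
        readings[name] = float(value)
    return m.group("ts"), readings


def check_readings(ts: str, readings: Dict[str, float]) -> List[Alert]:
    """Compare each reading with its bounds; unknown names are flagged too,
    since a parameter the monitor was never told about cannot be checked."""
    alerts: List[Alert] = []
    for name, value in readings.items():
        if name not in BOUNDS:
            alerts.append(Alert(ts, "UNKNOWN_PARAM", f"{name}={value}"))
            continue
        lo, hi = BOUNDS[name]
        if not lo <= value <= hi:
            alerts.append(Alert(ts, "OUT_OF_BOUNDS", f"{name}={value} not in [{lo}, {hi}]"))
    return alerts


def monitor(lines: Iterable[str], page: Callable[[Alert], None],
            max_garbled: int = 3) -> List[Alert]:
    """Walk the log, page on every alert, and also page when several lines
    in a row are unparseable: from this side a cable fault and a silent
    source look the same, and both deserve a human."""
    alerts: List[Alert] = []
    garbled_run = 0
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            garbled_run += 1
            if garbled_run == max_garbled:
                a = Alert("-", "GARBLED", f"{garbled_run} consecutive unparseable lines")
                alerts.append(a)
                page(a)
            continue
        garbled_run = 0
        ts, readings = parsed
        for a in check_readings(ts, readings):
            alerts.append(a)
            page(a)
    return alerts


# Constructed sample of what the destination's log file might contain.
SAMPLE_LOG = [
    "2014-01-10T03:00:00Z TEMP_C=22.5 PRESSURE_BAR=3.9 RPM=1450",
    "2014-01-10T03:00:10Z TEMP_C=41.5 PRESSURE_BAR=3.9 RPM=1450",           # temperature excursion
    "2014-01-10T03:00:20Z TEMP_C=22.6 PRESSURE_BAR=3.9 RPM=1450 FLOW_LPM=12",  # parameter not in BOUNDS
    "\x00\x00~~~~",                                                       # single burst of line noise
    "2014-01-10T03:00:40Z TEMP_C=22.7 PRESSURE_BAR=3.8 RPM=1460",
    "#$%^",                                                               # three bad lines in a row
    "",
    "TEMP_C=",
]


def run_sample() -> List[Alert]:
    """Run the monitor over the constructed log with a print-based pager."""
    return monitor(SAMPLE_LOG, lambda a: print(f"PAGE {a.kind} @ {a.timestamp}: {a.detail}"))


if __name__ == "__main__":
    run_sample()
```

The pager callback is where the real paging or SMS gateway would go; keeping it separate from the parser means the parsing logic can be tested offline against captured log files.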

    6. Re:sure, no problem by phantomfive · · Score: 4, Insightful

      The main use case that causes problems with air gaps (AFAIK) is transferring files to the computer that's hooked up to the heavy machinery. People get tired of copying updates over USB, for example, and hook it up. Or they want to be able to reboot their air conditioner remotely.

      And that is the use case that caused problems for Iran with Stuxnet. They had an airgap, but the attackers infected other computers in the area, got their payload on a USB key, and when someone transferred files to the main target, it got infected. That is my understanding of how that situation went down. But once you start thinking along those lines, you start thinking of other attacks that might work.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:sure, no problem by Anonymous Coward · · Score: 2, Insightful

      Networked does not imply internet connected. In the same way, if you are using electricity, it does not mean you need to be connected to the electric grid.

      There is no reason to go analog IF people are not stupid.

      Unfortunately, we have plenty of examples that refute your premise. People ARE stupid, including the people who designed the highly vulnerable smart grid that most of the US is now using for power distribution.

    8. Re:sure, no problem by richlv · · Score: 2

      i remember watching 'nikita' episode where they hacked a computer through its power connection and going "um, that's a bit stretching it..."

      then, several years later, some proof of concept attack vector like that was demonstrated. assuming that experts in the field can do much more than public knows, it might have been not that much of a stretch after all.

      i would also imagine that attacks for analog systems have been polished quite a lot, given that they have been around longer. not that they could not be more secure - but thinking that they are immune might be a dangerous trap.

      --
      Rich
    9. Re:sure, no problem by dimko · · Score: 1

      And how this solves "digital" issue? :P

    10. Re:sure, no problem by Jeremi · · Score: 1

      That's known as a data diode, and it's a great idea (and can be done at higher speeds than RS232, if necessary; e.g. you can do something similar with an Ethernet cable).

      It does have one big limitation, though -- it won't let you control the system from off-site. If that's okay, then great, but often off-site control is something that you want to have, not just off-site monitoring.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    11. Re:sure, no problem by darkain · · Score: 1

      >Or maybe you could isolate control systems from the Internet

      Oh, you mean like all those systems Stuxnet infected?

      http://en.wikipedia.org/wiki/S...

    12. Re:sure, no problem by Anonymous Coward · · Score: 2, Informative

      Networked does not imply internet connected. In the same way, if you are using electricity, it does not mean you need to be connected to the electric grid. There is no reason to go analog IF people are not stupid.

      You may want to be careful using words like "stupid". A reasonably intelligent person would recognize that a purely internal network without internet connectivity is still vulnerable. The internet is just one method of ingress. A malware payload could be introduced through physical media, for example.

      A lack of internet connectivity may make data theft more difficult; however, in an industrial control application merely getting into the internal network and taking control of machinery is all that is necessary.

    13. Re:sure, no problem by khasim · · Score: 1

      That's part of a larger issue. People will ALWAYS get sloppy and lazy.

      Part of the security system has to include a way to check the systems and to check the people.

      Security is not an item in itself. It is only a reference point. You can have "better security" than you had at time X or you can have "worse security" than you had at time X (or the same).

      Improving security is about reducing the number of people who can EFFECTIVELY attack you.

      Once you've gotten that down to the minimum number then you increase the number of people REQUIRED to attack you.

      If one guy on the other side of the world can crack you, that's pretty bad.

      If that one guy has to be physically at your site, that's better.

      If that one guy has to be physically at your site with two other guys providing overwatch and support, that's even better.

      Iran needs to learn about superglue on USB ports.

    14. Re:sure, no problem by CBravo · · Score: 3, Insightful

      And to make it even more simple: Everyone, including smart people, makes mistakes.

      --
      nosig today
    15. Re:sure, no problem by phantomfive · · Score: 1

      Iran needs to learn about superglue on USB ports.

      How do you suggest they copy files to the computers then? Type them in by hand?

      --
      "First they came for the slanderers and i said nothing."
    16. Re:sure, no problem by nateman1352 · · Score: 1

      Or maybe you could isolate control systems from the Internet

      You know that Stuxnet explicitly targeted a uranium enrichment control system that was NOT Internet connected, right?

    17. Re:sure, no problem by Technician · · Score: 4, Informative

      A more common control with this type of critical limits is an elevator. The digital controls call the cars to the floors, open doors, etc. Between the digital world and the electrical/mechanical world are control relays. Limit switches are in pairs. One you are used to. The elevator arrives at a floor and there is a pause while the fine alignment is completed to level with the current floor. The hard limit on the other hand, such as exceeding safe space below the bottom floor or past the top floor, does interrupt power to the control for the power relays. One drops power to the motor and the other drops the power to the brake pick solenoid. Brakes fail safe in an elevator. Need power to release the brakes.

      Yea, it is a pain to reset the elevator at 3 am with someone stuck inside, but that is better than a runaway elevator. And no, there is no software defeat for the hardware limit switches.

      --
      The truth shall set you free!
    18. Re:sure, no problem by thegarbz · · Score: 4, Interesting

      This is why security should be a system and not an airgap. The idea that a computer should not be on the internet and patting yourself on the back for the idea and calling it a job well done is almost becoming a slashdot meme.

      Never underestimate what bored shift workers do during night shift. We had one group of people figure out how to watch a divx movie on the screen of an ABB Gas Chromatograph.

      The problem is more social than technological.

    19. Re:sure, no problem by AbsGeekNZ · · Score: 1

      Not every system is so simple, but this is great in principle... a machine should not be able to damage itself if something goes wrong, such as a failed limit switch or someone bypassing said limit switch to get the machine to overrun. Human safety is a whole other mess.

    20. Re:sure, no problem by Anonymous Coward · · Score: 0

      It may be funny, but you do have a serious point to it. Putting a person and physical selective switches makes any computer system hard to hack. I've been saying that for years.

    21. Re:sure, no problem by RabidReindeer · · Score: 1

      And to make it even more simple: Everyone, including smart people, makes mistakes.

      Or gets into a Homer Simpson mood and doesn't take the usual amount of care.

    22. Re:sure, no problem by CGordy · · Score: 5, Informative

      There's a lot of misconceptions on slashdot about how these "critical infrastructure" plants actually run. I've spent a lot of time working in chemical plants, and these plants are heavily instrumented, with all parameters recorded. These are accessible in real time to the plant engineers, who typically don't sit in the control room, and often aren't in the same state (there's a very limited pool of people available who are "experts" at some of these processes, and when a serious problem occurs companies want the best person to look at the data ASAP).

      The guys who sit in the control room are not engineers. They're plant operators, and their job is to keep the plant running as smoothly as possible, and escalate the issue to an engineer if there's a non-standard problem. Most plants these days are so heavily automated that for normal, stable operation only two operators are required on site per, say, $100 million of plant (as a guesstimate - more during the day when scheduled maintenance is occurring).

      The engineers at these sites are actually classed as management. That's because they have ultimate responsibility for the plant when problems happen, although they don't control the day to day operation of the site. Most of an engineer's day on a chemical plant should be spent looking at whether the plant is configured optimally, and trying to troubleshoot longer term problems which require a more theoretical viewpoint. However, they do have to get out of bed at three in the morning if something's gone wrong. They also have to manage the operators, and have a promotion path to "real" management - refinery managers (for example) are usually engineers.

      However, what the article totally missed is that these sites already have two layers of control system - the Distributed Control System (DCS), and the Safety Instrumented System (SIS). Wikipedia contains a lot more detail, but essentially these SIS's are hard wired systems that aren't programmable at all, so they are intrinsically resistant to an internet or software based attack. However, they're very expensive (every trip needs to be built as a dedicated circuit), so these systems are only used to ensure that the plant fails in a safe manner, not continued operation. Priority is given to safety of people in the vicinity over integrity of the plant equipment - these systems wouldn't typically be used to stop a pump or centrifuge (for example) from running too fast, unless that could cause some consequential (human) damage.

      Finally, an analog system would be a big step backwards from a safety viewpoint because it wouldn't allow the plants to automatically shut down safely when a problem occurs. Plant shutdowns are typically a multiple step process, and in a refinery (for example), large quantities of high temperature, high pressure flammable gases need to be disposed of, which would simply not be possible to safely "program" in an analog environment. Before digital systems came along, plant trips were "all hands on deck" incidents, with operators frantically adjusting setpoints on dials to bring the plants down. Of course, the risk of operator error was high, so automated shutdowns were a big step forward in plant safety.

    23. Re:sure, no problem by LoRdTAW · · Score: 1

      "said the person volunteering to get up at 3 am to go to the office to reset the a/c system."

      That is not a realistic scenario. I know what you are saying but an a/c system isn't turned on at 3AM to begin with (unless you like wasting electricity). Most likely you will have these systems in a plant that runs 24/7 with 3 shifts and someone will know how to handle minor breakdowns and press a reset button if need be. A major breakdown can be solved in one of two ways: remotely or someone has to come on site. Guess which one is more convenient?

      Case in point: I once designed a small automation system at work for laser welding hermetic connectors to a water meter housing. An employee was assigned to the job and I trained him to handle any problems. After the initial test run and some bug fixes in the first few weeks, there was no need to call me for problems. The only time after that initial break-in period where I was needed was to replace a bad sensor. The idea is to make the system as idiot proof as possible.

    24. Re:sure, no problem by AmiMoJo · · Score: 3, Interesting

      Or, perhaps you need to design the HVAC system to take only the simplest of input from Internet-connected machines through interfaces like RS-422, and to otherwise use its not-connected, internal network for actual major connectivity.

      I used to do software for fire alarm systems and heard a story about this. A shopping centre wanted to have a remote monitoring and reset system. All it could do was read the indoor temperature or reset the system. RS-485 link to a dedicated PC, firewalled with just the remote management service exposed to the LAN. Access was by using a VPN connection to the LAN.

      One day they noticed that the system was stuck in some kind of reset loop. Seems someone found a way in and caused the machine it was connected to to keep sending reset commands. It must have happened some time in the night, and by the time they figured out what was going on the next day a couple of the motorized vents and one fan had failed due to the motors overheating. Every time the reset command was sent they did a self test where they exercised their motors.

      The suspicion was that this was a distraction to cover up whatever else they were doing inside the network. Not being close to it I never found out the full story, but it just shows that even a simple reset command can cause significant damage if abused.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    25. Re:sure, no problem by splutty · · Score: 1

      No. Said the person who should have known that the Stuxnet attack had an attack vector that didn't have anything to do with the internet.

      The actual machines it was aimed against actually weren't connected to the internet at all.

      So the comment is just dumb.

      --
      Coz eternity my friend, is a long *ing time.
    26. Re:sure, no problem by LoRdTAW · · Score: 2

      Stuxnet proved that air gapping isn't enough.

      Air gapping is not a 100% fix. It's part wishful thinking and part buzz phrase which gets thrown around carelessly. If someone guarantees nothing will go wrong because of an air gap or one way serial connection then they are full of shit.

      Think about it, how many computers have you ever come across that could function on a 100% "air gap"? What about updates or software fixes? You could write a control program and debug the hell out of it to ensure nothing will go wrong but eventually you know something will break and need fixing. And that fixing requires a PC that most likely has seen the internet.

      Don't get me wrong, an air gap will reduce your attack surface. But many PACs made today are running full blown operating systems. And many of those run Windows XP Embedded or Windows 7 Embedded with real time subsystems (like TenAsys INtime or IntervalZero RTX). Then add to that the proliferation of ethernet and even wifi in industrial networks coupled with unsecured protocols and you have a nice time bomb. All you need is one infected USB key plugged into a Windows HMI to fix a small glitch or update a recipe and BAM, your air gapped network is now toast.

    27. Re:sure, no problem by wagnerrp · · Score: 3, Insightful

      Only because no one thought to put some sort of rate limiter on the reset command. If you're continually needing to reset something, clearly there is a serious issue that should warrant a tech or engineer being called out to investigate.
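A gate of the kind this comment calls for, written for the fire-alarm reset loop described earlier in the thread, as an added example that is not part of either post. Every forwarded reset runs the motor self-test, so the gate enforces a minimum spacing between forwarded resets and, separately, caps how many reset requests the remote side may send per window before it latches shut and calls someone out; the thresholds, the escalation callback and the on-site clear switch are assumptions for illustration.

```python
"""Rate-limited gate in front of a controller's remote reset command.
Added example, not the commenter's code: the thresholds, the escalation
callback and the local-clear switch are assumptions for illustration."""
from collections import deque
from typing import Callable, Deque, Dict, List


class ResetGate:
    """Sits between the remote management service and the controller.
    Two rules: forwarded resets must be spaced far enough apart for one
    self-test to finish, and more than max_requests reset *requests* per
    window (forwarded or not) is treated as a fault, not maintenance."""

    def __init__(self, escalate: Callable[[str], None],
                 min_interval_s: float = 300.0,
                 max_requests_per_window: int = 5,
                 window_s: float = 3600.0) -> None:
        self.escalate = escalate
        self.min_interval_s = min_interval_s
        self.max_requests = max_requests_per_window
        self.window_s = window_s
        self._requests: Deque[float] = deque()      # timestamps of every request seen
        self._last_forwarded: float = float("-inf")
        self._latched = False
        self.decisions: List[str] = []              # audit trail for the tech who gets called

    def request_reset(self, now: float, source: str) -> bool:
        """Return True if the reset is forwarded to the controller."""
        if self._latched:
            return self._deny(now, source, "latched, needs local clear")
        while self._requests and now - self._requests[0] > self.window_s:
            self._requests.popleft()
        self._requests.append(now)
        if len(self._requests) >= self.max_requests:
            self._latched = True                    # stays shut until cleared on site
            self.escalate(f"{len(self._requests)} reset requests from {source} within "
                          f"{self.window_s:.0f}s; remote resets disabled")
            return self._deny(now, source, "request flood")
        if now - self._last_forwarded < self.min_interval_s:
            return self._deny(now, source, "self-test still running")
        self._last_forwarded = now
        self.decisions.append(f"{now:.0f}s ALLOW from {source}")
        return True

    def _deny(self, now: float, source: str, why: str) -> bool:
        self.decisions.append(f"{now:.0f}s DENY from {source}: {why}")
        return False

    def local_clear(self) -> None:
        """Reachable only from the site (e.g. a keyed switch on the panel),
        never over the remote link, so the latch cannot be undone remotely."""
        self._latched = False
        self._requests.clear()


def simulate_reset_loop() -> Dict[str, int]:
    """Constructed replay of the overnight scenario: something on the LAN
    sends a reset every 30 s for two hours, then a tech clears the latch."""
    escalations: List[str] = []
    gate = ResetGate(escalate=escalations.append)
    forwarded = sum(gate.request_reset(float(t), "remote-mgmt") for t in range(0, 7200, 30))
    gate.local_clear()
    after_clear = gate.request_reset(9000.0, "remote-mgmt")
    return {"forwarded": forwarded, "escalations": len(escalations), "after_clear": int(after_clear)}


if __name__ == "__main__":
    print(simulate_reset_loop())
```

With the defaults, the flood is forwarded exactly once and the gate has paged someone by the fifth request, a couple of minutes in, instead of the vents self-testing until their motors fail.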

    28. Re:sure, no problem by Culture20 · · Score: 1

      Make it a clockwork robot?

    29. Re:sure, no problem by wagnerrp · · Score: 1

      Dataport behind a locked door that only a few select individuals have access to. Industrial systems must be protected against their operators.

    30. Re:sure, no problem by Anonymous Coward · · Score: 0

      And it doesn't get programmed, no? :P And it wouldn't have input devices? :P

    31. Re:sure, no problem by Lord+Lemur · · Score: 1

      I would imagine that other "critical infrastructure" would also be a valid target for similar treatment then. Thus, the discussion and valid rebuke that air gapping doesn't really secure "critical infrastructure" that is networked.

    32. Re:sure, no problem by Anonymous Coward · · Score: 0

      They could use a SATA drive. That way, the USB device can't mimic a keyboard and start "typing" in the background while files are copied.

    33. Re:sure, no problem by Lord+Lemur · · Score: 1

      Please disregard, I thought you were replying to darkain, never slashdot and drive.

    34. Re:sure, no problem by Anonymous Coward · · Score: 1

      The wikipedia contains a lot more detail, but essentially these SIS's are hard wired systems that aren't programmable at all, so they are intrinsically resistant to an internet or software based attack.

      SIS systems (like Triconex) are certainly programmable, they are usually implemented as PLCs after all. Sadly there is also pressure from management to get them on the network just like the DCS systems. So far we have successfully resisted this, especially in light of the recent cyber attacks against refineries in the Middle East.

      The scenario I fear most is that someone installs a rootkit+keylogger+screen scraper on one of the controls engineer's workstations, which are usually capable of accessing both the external Internet and the process network vlan via RDP. The attacker can then passively watch their work until they get a feel for how the plant operates, and then one evening when the laptop is plugged in they can go to town making small changes that no one will notice until it's too late.

      I think the only real solution is going to come from OSHA requiring deliberate control system sabotage as a HAZOP scenario to evaluate, and then the risk reduction factors will drive you to either fully-airgapped SIS (as in you plug a non-networked laptop into a serial port) or analog safety systems.

    35. Re:sure, no problem by Sockatume · · Score: 2

      That's terrible. For research purposes, I'd like to know how he did it.

      --
      No kidding!!! What do you say at this point?
    36. Re:sure, no problem by chicksdaddy · · Score: 1

      really excellent feedback. appreciated.

    37. Re:sure, no problem by andyring · · Score: 2

      Just don't put your HVAC controls on the same network as your credit card payment devices...

    38. Re:sure, no problem by mlts · · Score: 1

      For offsite control, I've wondered about using a humble POTS line and a 28.8 modem that dials back. After the initial handshake and some form of two factor authentication, the hard part after that would be an encryption protocol (PPP then SSH for example) and then run from there. The downside is that bandwidth will be extremely limited, especially with the encryption overhead, but it will be fairly difficult for an attacker to exploit due to being on a different medium (i.e. not just an IP connection away.)

      The problem with what I've seen for data diodes is that they tend to be black boxes. With a serial cable that only has one transmitting wire, it is physically obvious that there is no hanky panky going on. However, when people have information that starts getting past a couple thousand BPS, a data diode is a must because serial just can't keep up, so black box or no, it is a necessary evil at some point.

    39. Re:sure, no problem by mlts · · Score: 1

      I remember in the early 2000s, people playing a MMO via modem on a dedicated POTS line used as a heartbeat monitor between two IBM HA systems.

      Airgaps are one tool in the security toolbox, but nothing is 100%. Iran's centrifuges are a testament to that.

    40. Re:sure, no problem by mlts · · Score: 3, Informative

      When a local startup went out of business, one of the things the failed startup had at their bankruptcy auction was an electric motor that would spin a crankshaft/flywheel... only for a generator head on the other end to turn the motion back into electricity. I wondered why they had something that inefficient until I found that it was a "power firewall"... i.e. to mitigate attacks via the mains power.

    41. Re:sure, no problem by mlts · · Score: 1

      There are eSATA flash drives, and a number of laptops (Dell comes to mind) have ports that are both USB and eSATA (eSATAp.) That might be a wise idea as well.

    42. Re:sure, no problem by Anonymous Coward · · Score: 0

      ...essentially these SIS's are hard wired systems that aren't programmable at all, so they are intrinsically resistant to an internet or software based attack.

      This is inherently false.

      How do you define its behavior? How do you load its first program? You have to program the generic hardware for your application. All of the SIS systems we set up have an engineer's station to edit and modify the SIS program for maintenance or to tweak parameters. Unless you are using physical relays there is programmability. At least with a digital system you can verify the integrity of the whole program and track changes, kinda like version control.

      Air-gapping as much as possible is necessary but it never happens that way. The biz people want to see all the trending of parameters that go through the DCS, but the DCS gets at least a serial link via Ethernet from the SIS for status. Wherever there is a connection there is possible infiltration.

    43. Re:sure, no problem by Anonymous Coward · · Score: 0

      That's known as a data diode, and it's a great idea (and can be done at higher speeds than RS232, if necessary; e.g. you can do something similar with an Ethernet cable).

      It does have one big limitation, though -- it won't let you control the system from off-site. If that's okay, then great, but often off-site control is something that you want to have, not just off-site monitoring.

      If you have off-site control of a programmable computer then no amount of security will make you impervious to attack, as "remote control" is basically the same thing as "security vulnerability".

      The closest you could come is probably to use ASICs communicating via encrypted messages on both ends. That way it's impossible to reprogram either unit (soldering irons don't count), and provided the encryption keys remain secret it should be impractically hard to spoof the commands. Then it won't really matter what communication network you route the traffic over, as the on site controller can only receive commands from the off site unit, and faking those commands will be difficult.

      Now the reason no one does that is because it's cheaper to use commodity hardware and do the customization in software using common methods, than to build your own non-programmable controller and burn the keys into the silicon. Especially once you account for ongoing maintenance and update costs.
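The message-level half of that design, as an added example that is not part of the post: a fixed-function off-site unit and an on-site controller sharing one key, where every frame carries a counter and a MAC, the controller verifies the tag before it trusts anything in the frame, rejects counters it has already seen, and only executes commands from a fixed set. The command set, the frame layout and the constructed key are assumptions; HMAC-SHA256 stands in for whatever the silicon would implement.

```python
"""Authenticated command channel between a fixed-function off-site unit and
an on-site controller. Added example, not the commenter's code: the command
set, frame layout and constructed key are assumptions; the shared key stands
in for one provisioned into both devices at manufacture."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

ALLOWED_COMMANDS = {"STATUS", "RESET", "VENT_OPEN", "VENT_CLOSE"}
TAG_LEN = 32  # HMAC-SHA256 output

# Constructed demo key; never reuse a value like this in a real deployment.
SHARED_KEY = bytes.fromhex("9f3c1a7e5b2d4c6e8a0f1b3d5e7f9a1c2e4d6f8a0b1c3d5e7f9a1b3c5d7e9f0a")


class OffsiteUnit:
    """Builds frames: 8-byte big-endian counter || ASCII command || HMAC tag."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def build(self, command: str) -> bytes:
        self.counter += 1                         # strictly increasing, never reused
        body = struct.pack(">Q", self.counter) + command.encode("ascii")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class OnsiteController:
    """Executes a frame only if the tag verifies, the counter is fresh and
    the command is one of the fixed set it knows how to carry out."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.audit: List[str] = []

    def receive(self, frame: bytes) -> Optional[str]:
        if len(frame) < 8 + 1 + TAG_LEN:
            return self._reject("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison, done before anything in the body is trusted.
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad tag")
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return self._reject(f"replayed counter {counter}")
        self.last_counter = counter               # an authentic frame consumes its counter
        command = body[8:].decode("ascii", errors="replace")
        if command not in ALLOWED_COMMANDS:
            return self._reject(f"unknown command {command!r}")
        self.audit.append(f"executed {command} (#{counter})")
        return command

    def _reject(self, why: str) -> None:
        self.audit.append(f"rejected: {why}")
        return None


def demo() -> Dict[str, Optional[str]]:
    """A legitimate exchange plus the frames a verifier must refuse:
    a replayed frame, a frame altered in transit, and one built without the key."""
    offsite = OffsiteUnit(SHARED_KEY)
    onsite = OnsiteController(SHARED_KEY)
    frame = offsite.build("VENT_CLOSE")
    result: Dict[str, Optional[str]] = {"first": onsite.receive(frame)}
    result["replay"] = onsite.receive(frame)                  # same bytes a second time
    tampered = bytearray(offsite.build("STATUS"))
    tampered[8] ^= 0xFF                                       # flip the first command byte
    result["tampered"] = onsite.receive(bytes(tampered))
    result["wrong_key"] = onsite.receive(OffsiteUnit(b"guess").build("RESET"))
    result["second"] = onsite.receive(offsite.build("STATUS"))  # fresh counter, accepted
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} -> {v}")
```

The counter is the part people forget: without it, a recorded valid frame can be re-sent at any time, which is exactly the reset-loop failure described elsewhere in this thread. Note also that the rejected tampered frame does not advance the controller's counter, so the legitimate unit's next frame is still accepted.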

    44. Re:sure, no problem by AmiMoJo · · Score: 1

      Sure, but my point is that merely trying to limit access is never going to be enough on its own.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    45. Re:sure, no problem by Anonymous Coward · · Score: 0

      That's not necessary, VPNs are secure if the accessing system is secure ... computers are cheap, just give anyone who needs remote access a dedicated computer for it. Locked down both technologically and contractually (i.e. use it for something else and you're fired ... if you have a golden parachute in your contract kiss it goodbye).

    46. Re:sure, no problem by Anonymous Coward · · Score: 0

      Networked does not imply internet connected.

      Correct. However, from context, it was clear that we were talking about internet-connected devices. But that'd require some sort of reading comprehension ability on your part.

    47. Re:sure, no problem by wagnerrp · · Score: 1

      True. If you have any form of useful external control, that control can be abused.

    48. Re: sure, no problem by MrNaz · · Score: 1

      Buying junk like that is probably why they failed.

      --
      I hate printers.
    49. Re:sure, no problem by budgenator · · Score: 1

      My little brother worked at a place that shall remain nameless and when he arrived at work they went into the locker room, undressed, showered and then exited to another room where they dressed in company supplied clothing and went to work; at end of shift the process was reversed. Short of daily cavity searches, that's as air-gapped as you can get.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    50. Re:sure, no problem by phantomfive · · Score: 1

      You clearly made the mistake of running your ABB Gas Chromatograph on Windows. That is a design failure right there, for multiple reasons.

      --
      "First they came for the slanderers and i said nothing."
    51. Re:sure, no problem by budgenator · · Score: 1

      Depends on the situation, military equipment often has a "battle short" switch which overrides all safety interlocks and limit switches, for those times when you have to rock-and-roll until it catches fire or blows up.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    52. Re:sure, no problem by NikeHerc · · Score: 1

      After all, if it's monitored three shifts then it shouldn't have to notify anyone offsite.

      You obviously never worked in the data center where I worked. It could be (and sometimes was) 90 degrees on the raised floor, yet the ops staff couldn't be bothered to open the door and check.

      --
      Circle the wagons and fire inward. Entropy increases without bounds.
    53. Re: sure, no problem by davester666 · · Score: 1

      it also would provide cleaner power, with fewer voltage spikes or brownouts, as a big enough unit for the office would have a good amount of inertia to keep it going.

      --
      Sleep your way to a whiter smile...date a dentist!
    54. Re:sure, no problem by Sir_Eptishous · · Score: 1

      watch a divx movie on the screen of an ABB Gas Chromatograph.

      You mean they watched a movie using the computer connected to the GC...

      If you have your acquisition pc network vlan'd AND have that vlan blocked from going to the internet via firewall rules and/or proxy and/or GPO, then they can't be streaming movies.

      If the pc in question auto logs on, and the logon account isn't administrator (and this isn't XP), and the usb ports are turned off in BIOS, then they couldn't install DIVX viewer or other such software for watching movies.

      But yes, people are ingenious in finding ways to get around rules designed to stop them from having fun.

      --
      We play the game with the bravery of being out of range
    55. Re:sure, no problem by Anonymous Coward · · Score: 0

      Still lacking citation for how one would hack a pc over its power cord, which is still in unicorn territory if you ask me...

    56. Re:sure, no problem by phantomfive · · Score: 1

      And many of those run Windows XP embedded or Windows 7 embedded

      Well, that actually is a problem

      --
      "First they came for the slanderers and i said nothing."
    57. Re:sure, no problem by thegarbz · · Score: 1

      No we had the problem of being given a vendor box and no further choices.

      I have no idea where you get this strange thought that companies have a choice in what OS runs on their equipment.

    58. Re:sure, no problem by Anonymous Coward · · Score: 0

      My little brother worked at a place that shall remain nameless and when he arrived at work they went into the locker room, undressed, showered and then exited to another room where they dressed in company supplied clothing and went to work; at end of shift the process was reversed. Short of daily cavity searches, that's as air-gapped as you can get.

      Did they shower on the way out too? Or was that optional? As I see it, if you arrive in dirty clothes, you wouldn't want to shower at the end of day only to put on dirty clothes. If you arrived in clean clothes, that kind of implies you showered at home, went to work, showered at work, worked, showered at work, and returned in clean clothes??

      I'm thinking the best thing would be to arrive in dirty clothes but bring clean clothes with you. So you start work clean and leave work clean (in clean clothes too).

    59. Re:sure, no problem by phantomfive · · Score: 1

      ok. They clearly made the mistake of running their ABB Gas Chromatograph on Windows lol

      --
      "First they came for the slanderers and i said nothing."
    60. Re:sure, no problem by Anonymous Coward · · Score: 0

      Sounds like paranoid stupidity. All that would do is function as a mechanical lowpass filter, and putting a transformer with some EMI filters between the device and the mains power would accomplish much the same thing. Using a DC feedthrough UPS (ie. not the cutover type with a transfer switch) would be more effective.

      I'm not surprised the startup failed. They sound like a bunch of idiots.

    61. Re:sure, no problem by Anonymous Coward · · Score: 0

      You are sooo 2013...

      It should be a steam driven Steampunk robot!!!

    62. Re:sure, no problem by thegarbz · · Score: 1

      Mistake is an interesting term. You better call up nearly every company out there and let them know what a horrible mistake they are making.

      The only cases where I've seen Unix machines in use are from companies which are slow to migrate, and I'm not sure what I think is necessarily worse, the migration from Solaris to Windows by Schneider or the SCO Unix machine that B&K provided us 6 months after SCO went bankrupt.

      Windows underpins almost every major control system from every major vendor. Over the years I've seen one major control system vendor after the other migrate from Unix to Windows. In the same time all new vendors which have come to the market have done so on the Windows platform. The same goes for creators of small PLC, SCADA systems or even equipment specific control systems like compressor protection systems and turbine governors.

      I'm actually quite ready to declare Unix in the process industry dead.

    63. Re:sure, no problem by phantomfive · · Score: 1

      Actually that's an interesting point. I'm not sure why so many companies did the migration to Windows. It's something that somewhat made sense in 1999, following a speed to market argument that it's easier to write software for Windows. But now that argument is definitely not true, MFC is a real pain.

      Now I'm having trouble thinking of a single good reason to use Windows for those kinds of devices. There are so many other good options. To fit in with the crowd? Because everyone else is doing it?

      --
      "First they came for the slanderers and i said nothing."
    64. Re:sure, no problem by RockDoctor · · Score: 1

      I think the only real solution is going to come from OSHA requiring deliberate control system sabotage as a HAZOP scenario to evaluate

      ... which will then be done with the usual level of bullshit.

      I remember a "security exercise" a few years ago when I was working on an offshore oil production platform - back when we had a real domestic terrorist war going on, before the Americans had their 2001 scare - and it was utter bullshit. Literally a mock bomb which would have looked like a joke in a Disney movie-for-babies, placed where it couldn't have done anything apart from re-arrange the rust flakes. Then I nearly got run off from the installation for deriding the exercise and saying where I'd have planted the same size of bomb to achieve six-months to a year of shutdown of the region.

      But hey - I just happen to have given 30 seconds thought to the subject. And we all know that t'rrists congenitally can't think for more than 28.3 seconds at a time. So that's everyone safe, isn't it?

      The standard of enemy to consider for a real hazard assessment is an attacker who knows your system and equipment as well as you do. Otherwise, you're depending on the correctly-derided security by obscurity.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    65. Re: sure, no problem by Anonymous Coward · · Score: 0

      The failure might also have occurred because of the stock market crash of the 20s.

  3. Because no analog system has by Anonymous Coward · · Score: 2, Insightful

    ever been compromised :) Physical kill switches, human operated are not simply analog (one might argue they are digital at the switch level). Analog might be the wrong word, since analog systems have been repeatedly compromised (from macrovision, to phreaking boxes, etc, etc). keep it off a communications network, even off local networks if they are uber critical.

    1. Re:Because no analog system has by phantomfive · · Score: 4, Insightful

      I think his point is that anything that can be accessed remotely by a trusted party can also be accessed remotely by an attacker. The distinction between analog and digital is a red herring.

      Maybe that wasn't his point, but it's still a good one. :)

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Because no analog system has by gweihir · · Score: 0

      No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire. Come on, does nobody know basic EE anymore? No wonder all this insecurity and stupidity happens...

      What this comment shows nicely is how incompetent CS types are routinely and how far they misunderstand the world.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Because no analog system has by mysidia · · Score: 2

      No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire.

      Usually the "remote analog" access is through an analog circuit provided by a telecommunications company between two locations called an ISDN circuit.

      If the locations are far enough, your so called "dedicated wire" gets muxed, and then transmitted over a digital trunk which may be copper or optical with a bunch of other "dedicated wires"

      The communication is subject to possible attack -- interception and insertion of false signals, at any point the line crosses, if compromised physically.

      Or theoretically possible by remote attacks, if the Telco becomes compromised.

    4. Re:Because no analog system has by erice · · Score: 2

      No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire

      And that dedicated wire could control digital circuitry or even a conventional computer running software. So what is your point?

      The only advantage of analog is that control methods are generally so limited that doing something stupid like sending a critical control signal over the Internet is not possible. However, the cost is very, very high and it doesn't do anything that following a policy of never sending controls over the Internet would not do. Further, without such a policy, the security advantage is lost the first time someone gets the bright idea of inserting a repeater.

    5. Re:Because no analog system has by phantomfive · · Score: 1

      No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire. Come on, does nobody know basic EE anymore? No wonder all this insecurity and stupidity happens...

      It's not clear you even understood the point before replying. Maybe you did, but your comment doesn't make that clear.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Because no analog system has by Jeremi · · Score: 1

      Usually the "remote analog" access is through an analog circuit provided by a telecommunications company between two locations called an ISDN circuit.

      What does the "D" in ISDN stand for?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    7. Re:Because no analog system has by Anonymous Coward · · Score: 0

      No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire.......What this comment shows nicely is how incompetent CS types are routinely and how far they misunderstand the world.

      And what your comment shows is that you need to go and read up about Electromagnetism and maybe learn the basics of the world you live in. You may want to start with Electromagnetic Induction.

    8. Re:Because no analog system has by gweihir · · Score: 0

      Seriously? Come on, all that basic knowledge cannot have gotten lost.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Because no analog system has by gweihir · · Score: 0

      Bullshit. You still need physical access. Or do you think a B-field has unlimited reach?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Because no analog system has by gweihir · · Score: 0

      Well, come to think of it, if you are the same AC as above, you may also believe in fairies.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Because no analog system has by Nethead · · Score: 2

      What does the "D" in ISDN stand for? "does."

      As in It Still Does Nothing.

      Old telecom joke.

      --
      -- I have a private email server in my basement.
    12. Re:Because no analog system has by Charliemopps · · Score: 1

      So, I work for an ISP... most major infrastructure already has a dedicated wire. We install them all the time. They are pretty rare. They control dams, power plants, etc... etc... They usually lead from the facility to a government building in town. Most are very small... 56k or so. The only non-government uses I've seen for them are usually 2 manufacturing plants built close to each other. They run this dedicated line between them.

      Of other note, many power plants forbid ANY copper/metal wire from entering the facility. They only allow fiber. I've asked why that is but have gotten so many different answers from the facility staff that I'm not sure what the true reason is.

    13. Re:Because no analog system has by Anonymous Coward · · Score: 0

      Has nothing to do with the "digital" you're talking about. Seriously. That's just a transport. You could just as easily remote it via a scrambled over the air wireless link and still have an attack face. The remote wire is an attack face. The fact that you have to have access to the physical wire is irrelevant. If I can access it in an insecure manner at a lower cost to me than attacking the system directly, it **WILL** be attacked if it's advantageous to do so. The article author is an idiot that flatly doesn't have the foggiest about what in the hell he's talking about.

      You honestly shouldn't join in on his side.

    14. Re:Because no analog system has by wagnerrp · · Score: 1

      Ground loops can be very hazardous. They don't want any hot wires besides the mains they expect to be hot.

    15. Re:Because no analog system has by Lord+Lemur · · Score: 1

      Well played.

    16. Re:Because no analog system has by Anonymous Coward · · Score: 0

      CS types have no need to understand the kinds of analog systems mentioned in the article. That's all hardware, and it shouldn't be a programmer's job to make sure the hardware stays out of a FUBAR state.

      Simplified example: If I have a device that can rotate 90 degrees, and I send it a 180 degree rotation, then I expect: undefined behavior - no rotation, or rotation to the maximum allowed. What I don't expect: undefined behavior resulting in critical failure. Whether that is implemented digitally or through analog makes no difference. The device should be engineered (by EE, CE, or ME types) to withstand erroneous input, or even good input that will put the device in a bad state. You need people who have a good understanding of the physical materials (ME) to relate the maximum stresses allowed to people who have a good understanding of fail-safe techniques (EEs and CEs) who can create the circuitry/devices necessary to ensure the maximum stresses are not exceeded.

      In the end, the article talks about analog, but the overarching theme is having fail-safes. Any critical device needs to be made fail-safe from just about everything - from outside input all the way through any internal code inside. Whether the fail-safe is done in code (digital), or through some device (analog or mechanical) makes no difference. If the fail safe is done digitally, you need physical access to change the code running (assuming this code isn't accessible/modifiable from a network... which it shouldn't be... it should be ROM). If the fail safe is done through analog, you need physical access and wires have to be changed. If the fail safe is mechanical, you - again - need physical access to modify the fail safe. The result is the same no matter how you approach it. Don't put your fail-safes in an unsafe environment (remote access), and control access to critical equipment.

    17. Re:Because no analog system has by budgenator · · Score: 1

      Good luck getting a dedicated analog line since the phone companies all went digital. Even if you could there would be no guarantee that the line leased to go between two points only goes between those points.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    18. Re:Because no analog system has by kimvette · · Score: 1

      > Usually the "remote analog" access is through an analog circuit provided by a telecommunications company between two locations called an ISDN circuit.

      You're thinking of an alarm loop line, not Integrated Services Digital Network line.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    19. Re:Because no analog system has by mysidia · · Score: 1

      You're thinking of an alarm loop line, not Integrated Services Digital Network line.

      It doesn't matter if you pay the high premium for an alarm loop line of like $1500/Month per hundred miles. Still subject to getting hacked by physical intrusion.

      If the distance is long enough: you still can't be certain if your line is passing through shared infrastructure or not, or landing on a "man in the middle". The trend is definitely towards services being delivered over IP.

      All analog alarm loop really tells you for sure is the telco has arranged for any voltage drop you push out one end to arrive at the other end, etc.

  4. Stuxnet by scorp1us · · Score: 3, Informative

    "Or maybe you could isolate control systems from the Internet."
    Wasn't Stuxnet partially a sneakernet operation? I can't imagine Iran being so stupid to connect secret centrifuges to the internet.

    The only way to win is not to play.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:Stuxnet by NixieBunny · · Score: 3, Informative

      Yes, it was a USB flash drive with a firmware update.

      I work on a telescope whose Siemens PLC is so old that it has a PROM in a 40 pin DIP package for firmware updates. Not that we've touched the firmware in 20 years. After all, it works. And it ought to work for another 20 years, as long as we replace the dried-out aluminum electrolytic capacitors regularly.

      --
      The determined Real Programmer can write Fortran programs in any language.
    2. Re:Stuxnet by Anonymous Coward · · Score: 0

      And it ought to work for another 20 years, as long as we replace the dried-out aluminum electrolytic capacitors regularly.

      Just don't be tempted to use tag tantalum capacitors for the replacements ... being an annoying source of parasitic oscillations n all.

    3. Re:Stuxnet by countach · · Score: 0

      Yeah, the internet isn't the only way to hack something. And Siemens' patch for their CPUs? Who knows if it isn't an NSA effort to hack Iran's nuclear program? You wouldn't know, would you.

    4. Re:Stuxnet by Anonymous Coward · · Score: 0

      Yes, but the rub is, it propagated out past that because of a lack of air-gap procedures. But... the reason why the sneakernet attack worked like it did had nothing to do with being digital and everything to do with being a Windows based SCADA system with all of the vulnerabilities that Windows brings from its ill-advised designs that were ostensibly done for ease of use.

    5. Re:Stuxnet by lowen · · Score: 1

      Make sure you refresh those PROMs if they're EPROM or EEPROM (the absence of a window is no indication that it's a real fusible link PROM; it could be OTP UV EPROM in there). There is a thing called bit rot that occurs with most EPROM/EEPROM/Flash technologies where the isolated gate's charge bleeds off over time; 20 years is fairly normal, but 30 and 40 year old EPROMs (1702, 2708, and 2716 era) are beginning to fail all over. Search through the http://www.vintage-computer.co... forums as well as read the Wikipedia article ( https://en.wikipedia.org/wiki/... ) to learn more.

      Mask ROMs are better, but not perfect. If the package is a 40 pin DIP it's almost sure to be flash, and that will bit-rot over time.

      One more item on the checklist are those old paper caps that need to be replaced by X-class film on the inputs to power supplies. Again, the Vintage Computer forum is a great resource for information on how these things fail.

      Also any batteries for NVRAM, like the ubiquitous Dallas Semiconductor devices, many of which are soldered in place. Or soldered in lithium primary cells. Or like many older PC motherboards that have NiCd or NiMH cells that are both soldered in and leaking electrolyte. We have some Proteon routers (Cisco's competitor back in the day) that have their NVRAM as low-power CMOS static RAM with a large bank of NiMH cells on a Multibus card; they've long since lost any ability to retain charge.

      As electronics age, lots of issues arise, and anyone who maintains such a system needs to see how others are handling the failures in these sorts of systems; again, the Vintage Computer forum is a great resource of talented people who are dealing with equipment of the same age. I know of many systems, particularly scientific instruments, where the controls are things such as a VAXstation 4000/90 connected to a SCSI CAMAC crate with wirewrapped boards, and VME Sun 2 and 3 series workstations controlling the whole lot. Keeping an aging VAXstation with VMS 5.2 or similar vintage running, with those old DEC StorageWorks 2GB and 4GB narrow SCSI drives, is a bit of a challenge, but when you have custom controls for multimillion-dollar equipment with no spares budget or major research instrumentation upgrade grant you have to get creative. (No, you can't just throw a PC in there, since the entire system's calibration depends upon the whole system timing and not just the actual platform). This system is being upgraded (there was even a Slashdot story about the upgrade at http://science.slashdot.org/st... ) but it's expensive to do things to the precision required.

      Also, if the system uses GALs or EEPROM-based FPGAs/CPLDs, this is also something to make sure you have backups of the logic for (JEDEC files, typically). Even fusible link PALs can go south. And be sure to have a stock of replacement chips, since many if not most of those older devices are long out of production.

      Lots of test equipment is in this same boat, with expensive instruments like spectrum analyzers and the like running embedded MS-DOS and Windows on hard drives that are going on 20 years old. And, yes, in many cases they are consumer hard drives (I just looked at a very expensive 'multipath fading simulator' device, and it has a 6.4GB Western Digital Caviar drive in it.... you remember those? And one instrument I haven't looked into in a long time uses a 170MB Micropolis 5.25 full height ESDI drive.....

  5. Challenge accepted by mrmeval · · Score: 1

    Digital, analog, trinary, HIKE! You won't save them without MIKE!

    In other words, children, it's all the humans who're messing up your security chain.

    You need better, faster, stronger, smarter people who have a driving need to make your security better from the floor sweep to the ablative meat.

    Without it you're just asking for an ass raping.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  6. Isolated? by Anonymous Coward · · Score: 0

    Didn't Stuxnet target centrifuge controllers that were (designed/thought to be) isolated from the internet?

    1. Re:Isolated? by Casandro · · Score: 1

      Yes it did. It was transmitted via USB stick.

  7. Iran by Anonymous Coward · · Score: 0

    Iran's centrifuge operation was physically isolated from the Internet. The Americans and/or Israelis broke through via a USB drive. They infected the machines of individuals related to the project and waited until somebody used a USB drive to transfer data. Oops.

    If it's digital and not shut-off, it can be hacked remotely.

  8. This is very, very old by gweihir · · Score: 3, Insightful

    It is called self-secure systems. They have limiters, designed-in limitations and regulators in there that do not permit the systems to blow themselves up and there is no bypass for them (except going there in person and starting to get physical). This paradigm is centuries old and taught in every halfway reasonable engineering curriculum. That this even needs to be brought up shows that IT and CS do not qualify as engineering disciplines at this time. My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems. When I asked my EE student class (bachelor level) what they thought about that, their immediate response was that this is stupid. Apparently CS types are still ignoring well-established knowledge.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:This is very, very old by DMUTPeregrine · · Score: 5, Insightful

      That's because CS is math, not engineering. Computer Engineering is engineering, Computer Science is the study of the mathematics of computer systems. CE is a lot rarer than CS though, so a lot of people with CS degrees try to be engineers, but aren't trained for it.

      --
      Not a sentence!
    2. Re:This is very, very old by phantomfive · · Score: 1

      Heh, nice try, but you can't blame the programmers for this one. The only thing programmers can do is write software for the device once the engineers have built it. If the engineers build a system that is not self-secure, what do you expect the software guys to do? Pull out the soldering iron?

      All blame is on the engineers if they don't build a self-secure system (or management if it's their fault).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:This is very, very old by gweihir · · Score: 0

      Management and CS-types that promise things they cannot deliver. The second thing is quite common, actually.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:This is very, very old by vux984 · · Score: 3, Insightful

      My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems.

      Or they just did what they were told by management. After all, software solutions to problems tend to be a fraction of the price of dedicated hardware solutions, and can be updated and modified later.

      Apparently CS types are still ignoring well-established knowledge.

      You can't build a SCADA system with *just* CS types; so apparently all your 'true engineers' were also all asleep at the wheel. What was their excuse?

      Seriously, get over yourself. The CS types can and should put limiters and monitors and regulators in the software; there's no good reason for them not to ALSO be in there; so when you run up into them there can be friendly error messages, logs, etc. Problems are caught quicker, and solved easier, when things are generally still working. This is a good thing. Surely you and your EE class can see that.

      Of course, there should ALSO be fail safes in hardware too for when the software fails, but that's not the programmer's job, now is it? Who was responsible for the hardware? What were they doing? Why aren't those failsafes in place? You can't possibly put that at the feet of "CS types". That was never their job.

    5. Re:This is very, very old by ratboy666 · · Score: 1

      Way to shunt blame!

      I design code, your "EEs" design electrical hardware. I have been delivered hardware without such safeties. I could simply refuse to deliver code for the platform -- it will simply be offshored.

      Just costs me work.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    6. Re:This is very, very old by phantomfive · · Score: 0

      Management and CS-types that promise things they cannot deliver.

      CS types aren't building the hardware. That's on the engineers.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:This is very, very old by hjf · · Score: 1

      Your "EEs" actually "code" too, but in disguise. PLCs are programmed, just (usually) not in written code, but rather, in Ladder Diagram or Function Blocks. But you know that, right?

      I'm a programmer, but also a hobby electronics guy. And I've worked with PLCs. And I know for sure that "CS" types are never involved in these projects. The programming required is minimal (as usual with "elegant" engineering solutions), so a CS degree isn't required. It's much more about the hardware than software.

      A CS guy usually doesn't even know what SCADA is, and would think LD is for retards.

      And also: come on, EE guy, your kind is moving into "programming"... Seen enough people thinking "since now we have really fast and cheap embedded CPUs like ARM that are 32-bit, run at 80 MHz, and cost cents, we might as well use that instead of a dedicated PWM chip for SMPS". Call me old fashioned, but I really think those things (SMPS control) should always be analog. Even with the annoyance of stabilizing that damn feedback loop that starts oscillating.

    8. Re:This is very, very old by ttucker · · Score: 1

      It is amazing how fast we have forgotten the Therac 25....

    9. Re:This is very, very old by ttucker · · Score: 1

      Hardware fail-safes protect from so-called "never events". They are an added layer of protection beyond the software level, and should never be depended upon by the SCADA system.

    10. Re:This is very, very old by stenvar · · Score: 1

      This paradigm is centuries old and taught in every halfway reasonable engineering curriculum. That this even needs to be brought up shows that IT and CS do not qualify as engineering disciplines at this time

      Any halfway reasonable engineering curriculum also teaches that engineering is all about tradeoffs, and that safety and security are variables like any other. Hardware based safety and security features are expensive, costs that aren't made up for by reductions in risk in many applications.

      Furthermore, software developers usually don't even get to make these calls anyway. Engineers and system designers decide how safety and security is to be handled and software developers then do the best they can under the given constraints. That is, the people responsible for how things get divided between hardware/software are engineers, not software developers, and if they make the wrong calls, don't blame the software developers.

      My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems.

      In many cases, dangerous regimes cannot be excluded by simple limits on individual variables, so hardware limiters are not even an option. Even if they are, they are not automatically safer or more secure.

      When I asked my EE student class (bachelor level) what they thought about that, their immediate response was that this is stupid. Apparently CS types are still ignoring well-established knowledge.

      Sounds like your EE student class is getting some bad instruction by someone who likes simplistic answers and who likes to engage in unproductive blame shifting.

    11. Re:This is very, very old by gweihir · · Score: 0

      Indeed. I did learn about it in the mandatory software engineering lecture that was part of my CS course program, but that was a while ago. Wonder how many more people these idiots that do not know the basics have killed by now.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:This is very, very old by AK+Marc · · Score: 1

      At Texas A&M, the choice was Computer Engineering, or Computer Science Engineering. Both were under the Electrical Engineering department. There was no computer science that wasn't managed by the EE department, and all were proper engineering courses.

    13. Re:This is very, very old by thegarbz · · Score: 1

      Yep, I'll be the first to call you old fashioned. Just like I would also call the article ridiculous. Digital positioners as well as advanced digital electronics in field instrumentation have been one of the best things to come to the process industry. Your old analogue valve may be unhackable, but it will also be unable to report advanced diagnostic data such as torque, stiction, and won't be able to report stroke test results, or alarm on deviations from normal performance parameters.

      So pat yourself on the back, you've prevented blowing up your plant due to cyber criminals. Instead it melted down because of a stuck valve, which if I recall correctly was the root cause of TMI.

    14. Re:This is very, very old by dkf · · Score: 1

      That's because CS is math, not engineering.

      There are rather more disciplines than that. Theoretical CS is definitely towards the math side of things, but that's really at one end of the spectrum. The study of how people and computers interact is definitely part of CS, but isn't either engineering or math; it's closer to psychology. On the other hand, Computer Engineering is definitely an engineering discipline (as you'd expect with anything doing construction of physical objects on a mass scale).

      Software Engineering is unusual though, as the costs of things there are very different to when you're working with the physical. For example, the cost of mass production is functionally zero and it is actually possible to modify things in service, so there's much more of a focus on the production of market-ready prototypes. (That would never work with physical entities, of course.) Applying the same level of control regulation to software systems as in physical systems is possible, but pushes up the cost so much that hardly anyone working that way can turn a profit.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    15. Re:This is very, very old by Anonymous Coward · · Score: 0

      And, I've seen a lot of EE's and CE's desperately try to be CE's and fail MISERABLY at it, not being able to find their *ss with both hands, a map, and a locator beacon. I've worked with that type off and on for the last three decades of being a non-degreed (but highly successful and capable) Computer Engineer. (Even now at the current job...)

      It's a completely differing thing than what most think and your mind has to move in the right ways, regardless of the "training" you get- it has very, very little to do with CS/CE/EE/whatever and everything to do with a mix of the nature and nurture (do they have what it takes and do they get taught the right things however it is.)

      If you think that a sheep's skin in CE is going to magically make you a better software/systems engineer, I've got this bridge to sell you in NYC...

    16. Re:This is very, very old by Kagger007 · · Score: 1

      Pretty much. Computer Science was its own department in the College of Engineering. You could actually do four things:

      Electrical Engineering degree, with one of your depth tracks in Computer Engineering - This gave you advanced hardware without any programming beyond the intro class. Always seemed useless when you could do CE-EE. Taking the class where you programmed Linux drivers for the FPGA device you created seemed like it would require knowledge of both.
      Computer Engineering-Electrical Engineering track - Run out of the Electrical Engineering department. 2/3 EE 1/3 CS
      Computer Engineering-Computer Science Track - Run out of Computer Science department - 2/3 CS 1/3 EE
      Computer Science - Run out of Computer Science department.

    17. Re:This is very, very old by Anonymous Coward · · Score: 0

      I take it you work exclusively in Academia. Otherwise you would know that the people who promise shit no one can deliver are the sales people.

      Management is just the bastard who makes you work weekends, and the developers are typically far more willing to raise flags when something can't actually be done.

      But seriously, PP is correct, you can't blame the developers if the engineers built shitty hardware. Just because you can build something to blow up or do something stupid does not mean you should build it so that it is actually able to do so.

    18. Re:This is very, very old by Anonymous Coward · · Score: 0

      At Tennessee Tech (and many of the schools I looked at when applying) CSC is under the Engineering Department.

      Also, you need to account for the fact that undergrad CS is no longer CS. It's programming.

    19. Re:This is very, very old by Anonymous Coward · · Score: 0

      OP is a moron.

      >> My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems.
      >In many cases, dangerous regimes cannot be excluded by simple limits on individual variables, so hardware limiters are not even an option. Even if they are, they are not automatically safer or more secure.

      You put limits that make the plant BREAK or BLOW UP in hardware. You put operational limits (e.g. does the power stay on?) in software. It's all about cost. Hard limits that the plant can't be made to do without hurting something are in hardware. If you bump into them, you know you need new equipment because you're into a zone of danger. Limits for things that might shut the plant down, but don't result in physical damage (depending on device. COTS cpus are cheap. 55 MW turbines aren't) or safety issues (explosions etc) are in software. These limits need to be changed because they are usually tradeoffs. Like amount of heat one cabinet can produce before we have to turn it off. It's not a hard limit. Run it hotter for more uptime, but risk extra wear and tear on parts. This needs to be adjustable to account for market conditions, fluctuating price of replacement, or just emergency situations. If it was hardware, it couldn't be changed. /DANGER ZONE

    20. Re:This is very, very old by hjf · · Score: 1

      I was talking about lower-level control. The kind of control that happens in the "megahertz" domain, like the feedback loop of a switch mode power supply, which should be done, IMO, in an analog domain.

      It was meant to be an analogy. Using a microcontroller to control a SMPS is the same as using a PC to control industrial processes.

      But what would you know about that? Filthy electrician. Don't you have some wires to splice?

    21. Re:This is very, very old by Lord+Lemur · · Score: 1

      It is much harder to charge for hardware as a service than it is to charge for software updates.

    22. Re:This is very, very old by ChrisC1234 · · Score: 1

      No, "We", have not forgotten. This was the FIRST THING on my mind when I read the post. The problem is the "they" who HAVE forgotten and design all of these other systems that we rely on.

    23. Re:This is very, very old by lowen · · Score: 1

      According to the ACM (you know, the experts in this topic), there are five basic courses of study:
      Computer Engineering (making the hardware)
      Computer Science (designing the algorithms)
      Software Engineering (release processes, patch management, etc)
      Information Systems (translating business processes to code)
      Information Technology (putting all the pieces of the system together and maintaining the whole lot).

      You can read more at the ACM (Association for Computing Machinery) at http://www.acm.org/education/c...

    24. Re:This is very, very old by InvalidError · · Score: 1

      Most computers use digital PWM control for CPU power these days and the reason for that is because the CPU knows how much current and voltage it needs for a given workload and can set its VID to control the PWM directly instead of relying only on slow analog feedback. This allows much faster ramp up/down on load changes because the CPU can tell the PWM about load changes before they happen. You aren't going to see microsecond-scale large transient response with pure-analog like you do with digital since analog feedback bandwidth is limited by the need to scrub noise off the feedback signal, keep the filter's response time fast enough to minimize overshoots yet make it slow enough to retain enough phase margin for stable operation.

      As for computers in process controls, they have been everywhere for a long time already. PLCs may be able to handle immediate control but most complex processes require large-scale monitoring, control, coordination, data recording, trend analysis, etc. to detect and correct overall process variations that fall beyond individual PLCs' ability to monitor and correct. For operators, computers are used all the time to organize thousands of parameters in a handful of computer displays that can be easily re-arranged either to the operator's preferences, overview, operating/troubleshooting themes, subsystems, etc. instead of entire walls and consoles of manual controls, easily duplicate controls and displays for multiple operators, remote troubleshooting, etc.

    25. Re:This is very, very old by ttucker · · Score: 1

      It is distressing how many people the Therac 25 killed before the FDA finally put their foot down.

    26. Re:This is very, very old by gweihir · · Score: 1

      Your world-view is flawed. The ACM is not the authority on what CS is. (Incidentally, I have been a member for 15 years....)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    27. Re:This is very, very old by servant · · Score: 1

      As a grey hair CS type, that has an engineering degree (not software engineering), some of us do understand that 'if it has a wire going to it, it is vulnerable'. This includes power wires, not just digital wires. All wires act as antennas, and even many receivers transmit in 'sympathy' to what they receive. Too many CompSci types live in academic ivory towers, and IT types believe their own hype that THEIR NETWORK is 'secure'. Doing just analog doesn't keep hackers from doing their thing, it just means they need different skill sets. The spook communities were snooping long before everything went digital. Digital has just made their task easier. Being cognisant of shielding, network (and non-network) designs, keeping 'outside media' (USB sticks are horrible security issues) from individual machines as well as networks. Remote controls of any kind, even without 'backdoors' no matter how 'secure' we are told they were, are bad ideas if we really mean secure. Islands of computing still seem like a good thing for secure needs. No connections in or out. Even power should not be directly connected; run it through gen-sets (to convert 'power available' to 'more-secure power', even if UPS's are used 'inside' the gensets). All this does is isolation. Make every computer and computing area Faraday cages. Even at that someone will find a way to spoof or snake their way in. The more secure, the higher the value of information, the more effort the 'bad guys' are willing to spend to acquire it or at least a copy.

      Sucksnet (and similar) was an 'injection' scheme, to put 'bad stuff' on particular devices. This is blackhat hacker kind of things (destructive). Greyhats (white collar crime - even 'exploratory hacking' like many of us did back in the day) are not necessarily physically destructive but they sure take the financial and emotional tolls. All of it is 'bad stuff'.

      Even my broker and father in law wonder why I want paper copies of statements (at least year end). All this discussion says why. Paranoid? Possibly, but just because you are paranoid doesn't mean they are NOT out to get you. :)

      --
      ... "When you pry the source from my cold dead hands."
  9. Replace with a human by Anonymous Coward · · Score: 0

    Yes, sure, disconnect critical systems from a network, no brainer right? They don't because the systems allow one remote operator to control what it took hundreds of employees to do/monitor previously.

    A product is made in America, it costs $5 to make, and they sold it for $10 (or more). China opens up, can make the same product there for $0.05 each, they import it and sell it for $10 (or more) making incredible profits... This works for years (80-90s), anything that can be 'exported' is. Years later, inflation and a dwindling middle-class, the prices come down through 3rd parties bringing in the same products and selling for less than $10 each. China now controls all manufacturing for the products, instead of us setting terms on deadlines, they do, they increase prices... So we have a nation that makes very little, w/o majority of the jobs not actually doing anything but killing time (move vapor around). The rich still get rich tho, so all is fine, go about your business, don't vote for a 3rd party candidate or anything, you're happy, have some bread, enjoy the clowns.

  10. analog vs digital isnt the problem by Osgeld · · Score: 5, Insightful

    analog is actually more susceptible to interference generated by rather simple devices, as there is no error checking on what's being fed to the system

    the problem is your reactor is for some fucking reason hooked to the same network as facebook and twitter

    1. Re:analog vs digital isnt the problem by Anonymous Coward · · Score: 0

      Correct. Anyone who has studied analog control systems knows that they can be inherently unstable and proving otherwise is MUCH harder than in the digital domain.

    2. Re:analog vs digital isnt the problem by Tablizer · · Score: 2

      the problem is your reactor is for some fucking reason hooked to the same network as facebook and twitter

      Rats, I knew I shouldn't have "liked" nuclear meltdown.

    3. Re:analog vs digital isnt the problem by Anonymous Coward · · Score: 0

      the problem is your reactor is for some fucking reason hooked to the same network as facebook and twitter

      That's a point too, but not THE point.

      I studied reactor design in a decade when it looked as if there still was a future in that (it turned out there wasn't, so I ended up working with computers).
      Back in those days, even analog electronics were shunned in reactor design (or better, design of reactor control and safety systems).
      The issue was RELIABILITY.

    4. Re:analog vs digital isnt the problem by Anonymous Coward · · Score: 0

      My emo nuclear reactor keeps on posting suicidal updates on twitter - should I be worried?

  11. Case Study by Tablizer · · Score: 1

    Fred Flintstone never had unexpected brake failures...at least none without a known cause.

  12. Good idea by Animats · · Score: 5, Insightful

    There's a lot to be said for this. Formal analysis of analog systems is possible. The F-16 flight control system is an elegant analog system.

    Full authority digital flight control systems made a lot of people nervous. The Airbus has them, and not only do they have redundant computers, they have a second system cross-checking them which is running on a different kind of CPU, with code written in a different language, written by different people working at a different location. You need that kind of paranoia in life-critical systems.

    We're now seeing web-grade programmers writing hardware control systems. That's not good. Hacks have been demonstrated where car "infotainment" systems have been penetrated and used to take over the ABS braking system. Read the papers from the latest Defcon.

    If you have to do this stuff, learn how it's done for avionics, railroad signalling, and traffic lights. In good systems, there are special purpose devices checking what the general purpose ones are doing. For example, most traffic light controllers have a hard-wired hardware conflict checker. If it detects two green signals enabled on conflicting routes, the whole controller is forcibly shut down and a dumb "blinking red" device takes over. The conflict checker is programmed by putting jumpers onto a removable PC board. (See p. 14 of that document.) It cannot be altered remotely.

    That's the kind of logic needed in life-critical systems.
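The conflict checker described above, modelled as an added example (not code from the post or from any real signal controller): a permissive table standing in for the jumpers on the removable board, a latch that trips to the blinking-red flasher on any non-permitted pair of greens, and a reset that only works locally. The phase numbers and the permissive pairs are constructed for the example.

```python
"""Hardware-style conflict monitor for a traffic signal controller.

Added example, not from the post or any controller firmware. A permissive
table (standing in for the jumpers on the removable board) lists which phase
pairs may be green together; any other pair of simultaneous greens trips the
monitor, which latches into flashing red until someone resets it at the
cabinet. Phase numbers and the permissive table are constructed.
"""
from itertools import combinations

# Constructed permissive table: each pair of phases that may show green at
# the same time (e.g. both directions of one street). In hardware this is
# the set of jumpers installed on the board.
PERMISSIVES = frozenset({
    frozenset({1, 2}),  # north-south through movements
    frozenset({3, 4}),  # east-west through movements
})


class ConflictMonitor:
    """Independent checker that watches the controller's green outputs."""

    def __init__(self, permissives):
        self._permissives = permissives
        self.tripped = False          # latched fault state
        self.output = "controller"    # who drives the lamps: controller or flasher

    def check(self, greens):
        """Inspect one cycle of green outputs; return True if they are safe.

        greens: iterable of phase numbers currently commanded green.
        Once tripped the monitor ignores later inputs, because only a
        local reset clears the latch.
        """
        if self.tripped:
            return False
        for a, b in combinations(sorted(set(greens)), 2):
            if frozenset({a, b}) not in self._permissives:
                self._trip()
                return False
        return True

    def _trip(self):
        self.tripped = True
        self.output = "flasher"       # dumb blinking-red device takes over

    def remote_reset(self):
        """A network-side reset has no effect; returns the unchanged state."""
        return self.tripped

    def local_reset(self):
        """Technician at the cabinet clears the latch."""
        self.tripped = False
        self.output = "controller"


def run_cycles(cycles, permissives=PERMISSIVES):
    """Feed a sequence of green sets through a fresh monitor.

    Returns (results, monitor): results[i] is True if cycle i was accepted.
    """
    mon = ConflictMonitor(permissives)
    results = [mon.check(g) for g in cycles]
    return results, mon


if __name__ == "__main__":
    # Constructed controller output: two normal cycles, then phases 1 and 3
    # green together, then a cycle that would be fine on its own.
    demo = [{1, 2}, {3, 4}, {1, 3}, {1, 2}]
    results, mon = run_cycles(demo)
    print(results, mon.output)  # [True, True, False, False] flasher
```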

    1. Re:Good idea by countach · · Score: 1

      That's interesting they have a different system cross checking. But what happens when they are in disagreement? Who wins? There might not be time for the pilots to figure it out.

    2. Re:Good idea by phantomfive · · Score: 1

      For example, most traffic light controllers have a hard-wired hardware conflict checker. [pdhsite.com] If it detects two green signals enabled on conflicting routes, the whole controller is forcibly shut down and a dumb "blinking red" device takes over.

      That's really cool

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Good idea by pipedwho · · Score: 2

      It's not that the secondary system is 'cross checking' or comparing results. They are really just monitoring circuits with a particular set of rules embedded in separate circuitry that just makes sure the primary system never breaks those rules. It is effectively the master control and will always 'win' if there is a problem. They are designed to be simple, robust and if possible, completely hardware based.

      Some other examples are 'jabber' control hardware lockouts to stop a radio transmitter from crashing and permanently keying active; the watchdog timers in critical systems that will reset the system if it isn't periodically reset; power control systems that shutdown power domains if an overload is detected; etc.

      Something like a nuclear power station should have more complex monitoring systems, but the rules are similar. In modern critical system design, the rules are generally set up to require a sanitising channel between the 'internet' and the control network. That channel may be some simple UART to UART based control logic that allows a subset of general control commands to be issued without the ability to override the primary safety lockouts. If you want to override those, you have to turn up in person.

      This type of security has been standard practice for years by the embedded systems engineers. Once people started shoehorning inappropriate solutions into critical system control, that's where it went belly up. That's where you end up with glorified 'web coders' writing what should be done by someone that understands the pitfalls. Sometimes, it's because 'management' has decided to requisition and install something beyond the design parameters set by the engineers.
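The sanitising channel described above, as an added example (not the post's code or any vendor's product): a gateway that accepts only a tiny fixed command grammar from the outside, rejects everything else before it reaches the control side, and has no verb at all for the safety lockouts, which live on the control side and are cleared only on site. The tag names, limits and session lines are constructed for the example.

```python
"""Sanitising channel between an external link and a control network.

Added example, not from the post or any product. It models the UART-to-UART
gateway the post describes: a fixed, small command grammar is accepted from
the outside, anything else is dropped, and the safety lockouts are enforced
on the control side, where the gateway has no command to touch them.
Command names, limits and tag names are constructed.
"""
import re

# Constructed grammar: exactly these verbs, a tag, and a numeric value for
# SET. There is deliberately no verb for changing limits or lockouts.
_LINE = re.compile(
    r"^(?P<verb>READ|SET) (?P<tag>[A-Z][A-Z0-9_]{0,15})(?: (?P<val>-?\d+(?:\.\d+)?))?$"
)

# Constructed engineering limits per tag; remote SET can only move a
# setpoint inside its band.
SETPOINT_BANDS = {
    "FLOW_SP": (0.0, 80.0),
    "TEMP_SP": (10.0, 60.0),
}


class ControlSide:
    """Stands in for the control network with its own safety lockouts."""

    def __init__(self):
        self.setpoints = {"FLOW_SP": 40.0, "TEMP_SP": 30.0}
        self.lockouts = {"HIGH_PRESSURE": True}   # cleared only on site

    def read(self, tag):
        if tag in self.setpoints:
            return self.setpoints[tag]
        if tag in self.lockouts:
            return self.lockouts[tag]
        raise KeyError(tag)

    def set_setpoint(self, tag, value):
        # Lockouts are enforced here, not in the gateway: while any lockout
        # is active every remote setpoint change is refused.
        if any(self.lockouts.values()):
            return False
        self.setpoints[tag] = value
        return True


def sanitise(line, control):
    """Handle one line from the external link; return a one-line reply.

    Only well-formed READ/SET lines for known tags pass. Oversize or
    non-ASCII lines, unknown verbs, unknown tags and out-of-band values
    are rejected without reaching the control side.
    """
    if len(line) > 64 or not line.isascii():
        return "ERR"
    m = _LINE.match(line)
    if not m:
        return "ERR"
    verb, tag, val = m.group("verb"), m.group("tag"), m.group("val")
    if verb == "READ":
        try:
            return f"OK {tag}={control.read(tag)}"
        except KeyError:
            return "ERR"
    # SET: only known setpoints, only inside their band
    if tag not in SETPOINT_BANDS or val is None:
        return "ERR"
    value = float(val)
    lo, hi = SETPOINT_BANDS[tag]
    if not lo <= value <= hi:
        return "ERR"
    return "OK" if control.set_setpoint(tag, value) else "LOCKED"


def run_session(lines, control=None):
    """Process a constructed session; return (replies, control_side)."""
    control = control if control is not None else ControlSide()
    return [sanitise(line, control) for line in lines], control


if __name__ == "__main__":
    # Constructed session from the external side while a lockout is active.
    replies, ctl = run_session([
        "READ FLOW_SP", "SET FLOW_SP 50", "SET HIGH_PRESSURE 0",
        "CLEAR HIGH_PRESSURE", "SET TEMP_SP 500", "READ HIGH_PRESSURE",
    ])
    print(replies)
```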

    4. Re:Good idea by KingOfBLASH · · Score: 1

      That's interesting they have a different system cross checking. But what happens when they are in disagreement? Who wins? There might not be time for the pilots to figure it out.

      Then the minority report is filed in the brain of the female, who is obviously the smarter one. Duh. Didn't you see the movie?

    5. Re:Good idea by AchilleTalon · · Score: 1

      ...Full authority digital flight control systems made a lot of people nervous. The Airbus has them, and not only do they have redundant computers, they have a second system cross-checking them which is running on a different kind of CPU, with code written in a different language, written by different people working at a different location. You need that kind of paranoia in life-critical systems.

      Code written in a different language is totally helpless here. Unless you believe the avionics is running on an interpreter instead of compiled code. Once compiled, the code is dialect free. And even if it is not my field, I doubt any sane designer will design avionics to run on an interpreter. We are talking about realtime systems here. A different kind of CPU makes sense if you want to isolate the system from bugs in hardware that may be specific to a kind of CPU.

      --
      Achille Talon
      Hop!
    6. Re:Good idea by thegarbz · · Score: 1

      There's a lot to be said for this.

      There's a lot to be said against this as well. Digital process control has opened up a whole world of advanced diagnostics which are used for protecting against critical process excursions. Most industrial accidents had failed instrumentation as a contributing factor. Most instrumentation these days has so much internal redundancy and checking that you're missing out on a whole world of information in the analogue realm. So you've got a pressure reading on the screen: is that number the actual pressure, or is the pipe blocked? A modern digital transmitter can tell the difference. Is that valve that hasn't moved in a year still working, or is it stuck? A modern digital positioner with PST can tell you.

      We're now seeing web-grade programmers writing hardware control systems. That's not good.

      You don't seem to understand how hardware control systems are written. 99% of them have no coding whatsoever. By using really high level function block languages or ladder code that would make any "real programmer's" brain melt from boredom there's very little room for error. The web-grade programmers aren't manually writing PID control loops, they are dragging a PID block onto a screen and drawing the control system together Visio style. No, literally, I mean one of the vendor's systems is built on the MS Visio engine for drawing blocks together. Then it's just a case of tuning the parameters.

      Comparing the programming of control systems in process plants to any other form of programming is disingenuous at best.

    7. Re:Good idea by Viol8 · · Score: 3, Insightful

      "Code written in a different language is totally helpless here"

      No it isn't. Some languages have different pitfalls to others, e.g. C code often has hidden out of bounds memory access issues, Ada doesn't because checking these is built into the runtime. Also different languages make people think in slightly different ways to solve a problem, which means the chances of them coming up with exactly the same algorithm - and hence possibly exactly the same error - are somewhat less.

    8. Re:Good idea by Anonymous Coward · · Score: 0

      Exactly, it is the fact that using a different language makes it almost certain that the teams are working completely separately on the problem and very unlikely to cross-pollinate each others code with the exact same bugs.

    9. Re:Good idea by Alioth · · Score: 1

      Compiled code that's functionally identical will differ depending on the language, though. It'll even differ when the same language is used but you merely change the compiler (or merely even change some options to the same compiler - for example, a latent bug may manifest itself by merely changing the compiler's optimization setting). To see this happen just compile to assembler a simple "Hello world" program using GCC, then do the same with the LLVM compiler. The outputs will look different even though the resulting executables do the same thing.

    10. Re:Good idea by GuB-42 · · Score: 1

      - There may be a third, possibly simplified system to make a 2 vs 1 situation.
      - Ridiculous values (out of bounds, ...) can be checked and the faulty system disabled.
      - When it is not clear who the winner is, the pilot is shown an alert and can manually select the correct system. If you look closely in a cockpit, you'll probably find several "1-N-2" switches for this.
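The three rules above carried through as an added example (not from the post or any avionics system): a bounds check disables an implausible channel, a third channel breaks a 2 vs 1 tie, and when no majority is left the result is an alert plus a manual selection standing in for the "1-N-2" switch. The bounds, tolerance and sample readings are constructed.

```python
"""Channel voting for redundant control computers.

Added example, not from the post or any certified flight-control system.
Rules applied: a channel whose value is out of bounds is disabled; a
majority of agreeing channels (2 vs 1, or 3 of 3) wins; when no majority
remains the result carries an alert and the crew selects a channel by hand.
Bounds, tolerance and readings are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vote:
    value: Optional[float]        # selected command, None when no automatic choice
    disabled: List[int] = field(default_factory=list)  # channels removed by range check
    alert: bool = False           # True when the crew must pick a channel


def vote(readings, bounds, tolerance):
    """Select one command from up to three channel readings.

    readings: per-channel values (None for a channel already known dead)
    bounds: (lo, hi) plausible range; outside it the channel is disabled
    tolerance: how far two channels may differ and still 'agree'
    """
    lo, hi = bounds
    disabled = [i for i, r in enumerate(readings)
                if r is None or not lo <= r <= hi]
    live = [(i, r) for i, r in enumerate(readings) if i not in disabled]

    # For each live channel count how many others agree with it.
    best_r, best_n = None, -1
    for i, r in live:
        n = sum(1 for j, s in live if j != i and abs(r - s) <= tolerance)
        if n > best_n:
            best_r, best_n = r, n

    if best_n >= 1:
        # At least two channels agree: the majority wins. Take the median
        # of the agreeing group so no single unit is favoured.
        group = sorted(s for _, s in live if abs(best_r - s) <= tolerance)
        return Vote(group[len(group) // 2], disabled, False)
    if len(live) == 1:
        # Single survivor: usable, but redundancy is gone, so raise the alert.
        return Vote(live[0][1], disabled, True)
    # Live channels all disagree, or none survived: no automatic winner.
    return Vote(None, disabled, True)


def select_manual(readings, channel):
    """Crew selection from the 1-N-2 switch: trust the named channel."""
    return readings[channel]


if __name__ == "__main__":
    bounds, tol = (0.0, 30.0), 0.5
    print(vote([10.0, 10.2, 14.0], bounds, tol))   # 2 vs 1, no alert
    print(vote([10.0, 10.2, 99.0], bounds, tol))   # channel 2 disabled
    print(vote([10.0, 20.0, 30.0], bounds, tol))   # no majority: alert
```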

    11. Re:Good idea by drinkypoo · · Score: 1

      Hacks have been demonstrated where car "infotainment" systems have been penetrated and used to take over the ABS braking system. Read the papers from the latest Defcon.

      If you can issue commands on the CAN bus you can do pretty much anything you like, if you know the right codes. A lot of the interesting codes will refuse to issue while moving down the road, though; indeed, they won't work unless you're in park (or the P/N switch says so.) The big exception is rebooting the PCM, which most will permit without a password even while running. Taking over the ABS is a lot of work when you can just detect when the car is in a big turn with a lot of power on and then cut the engine.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Good idea by Anonymous Coward · · Score: 0

      I've not seen ladder logic used in many of those spaces in years. They've moved to systems that were "easier" to use (Hello...Stuxnet wouldn't be possible if they were using PLCs with ladder logic programming...).

    13. Re:Good idea by Anonymous Coward · · Score: 0

      I'm sorry John, but you're gonna have to run again.

  13. yes isolate by globaljustin · · Score: 2

    Or maybe you could isolate control systems from the Internet.

    Unknown Lamer has it.

    tl;dr - using analog in security situations would be obvious if "computer security" wasn't so tangled in abstractions

    Sure someone may point out that the "air gap" was overcome by BadBios http://it.slashdot.org/story/1... but that requires multiple computers with speakers and microphones connected to an infected system

    IMHO computer security (and law enforcement/corrections) has been reduced to hitting a "risk assessment" number, which has given us both a false sense of security & a misperception of how our data is vulnerable to attack

    100% of computers connected to the internet are vulnerable...just like 100% of lost laptops with credit card data are vulnerable

    Any system can have a "vulnerability map" illustrating nodes in the system & how they can be compromised. I imagine it like a Physical Network Topology map for IT networking only with more types of nodes.

    This is where the "risk assessment" model becomes reductive...they use statistics & infer causality...the statistics they use are historical data & they use voodoo data analysis to find **correlations** then produce a "risk assessment" number from any number of variables.

    If I'm right, we can map every possible security incursion in a tree/network topology. For each node of possible incursion, we can identify every possible vulnerability. If we can do this, we can have a lot more certainty than an abstract "risk assessment" value.

    Analog comes into play thusly: if you use my theory, using **analog electronics** jumps out as a very secure option against "cyber" intrusions. Should be obvious!

    "computer security"....

    --
    Thank you Dave Raggett
    1. Re:yes isolate by Anonymous Coward · · Score: 0

      hello all, I am 66 years old, and able to type.
      I will say in the 1990s the companies were told the dangers of using the internet connected to the outside world without encryption. So the folks that did not, oh my.
      And oops, if I do not type well, old telecom guy.

  14. besides digital or analog, for safety, use physics by raymorris · · Score: 4, Insightful

    Analog vs. digital, fully connected vs less connected - all can fail in similar ways. If it's really critical, like nuclear power plant critical, use simple, basic physics. The simpler the better.

    You need to protect against excessive pressure rupturing a tank. Do you use a digital pressure sensor or an analog one? Use either, but also add a blowout disc made of metal 1/4th as thick as the rest of the tank. An analog sensor may fail. A digital sensor may fail. A piece of thin, weak material is guaranteed to rupture when the pressure gets too high.

    Monitoring temperature in a life safety application? Pick analog or digital sensors, either one, but you better have something simple like the vials used in fire sprinklers, or a wax piece that melts, something simple as hell based on physics. Ethanol WILL boil and wax WILL melt before it gets to be 300 F. That's guaranteed, every time.

    New nuclear reactor designs do that. If the core gets too hot, something melts and it falls into a big pool of water. Gravity is going to keep working when all of the sophisticated electronics doesn't work because "you're not holding it right".

  15. No, it's education by Casandro · · Score: 5, Insightful

    Such systems are not insecure because they are digital or involve computers or anything. (seriously I doubt the guy even understands what digital and analog means) Such systems are insecure because they are unnecessarily complex.

    Let's take the Stuxnet example. That system was designed to control and monitor the speed at which centrifuges spin. That's not really a complex task. That's something you should be able to solve in much less than a thousand lines of code. However the system they built had a lot of unnecessary features. For example if you inserted a USB stick (why did it have USB support?) it displayed icons for some of the files. And those icons can be in DLLs where the stub code gets executed when you load them. So you insert a USB stick and the system will execute code from it... just like it's advertised in the manual. Other features include remote printing to file, so you can print to a file on a remote computer, or storing configuration files in an SQL database, obviously with a hard coded password.

    Those systems are unfortunately done by people who don't understand what they are doing. They use complex systems, but have no idea how they work. And instead of making their systems simpler, they actually make them more and more complex. Just google for "SCADA in the Cloud" and read all the justifications for it.

    1. Re:No, it's education by Anonymous Coward · · Score: 0

      Why did it have USB support?

      Ease of firmware upgrade. Quite simply put, most PC's no longer have serial ports on them, etc. At this point, you either have to do the upgrade in some manner like this, or have your device act as a USB MSD or an MTP device with limited capabilities and drag-and-drop from a thumb or the like or from the PC to the device.

      The problem wasn't so much that it had USB upgrade capability, it was that it used Windows and you used drag-and-drop from a USB thumb with an OS that automagically runs stuff when it finds an executable on a USB storage device or CD/DVD-ROM. The problem wasn't so much the ease of upgrade, as it was the ease of upgrade without having thought the rest of the things through. First problem is that they used Windows in the first place. Second was that they didn't really do the upgrade scheme right. It should have been a scheme unto which the system doesn't recognize "firmware" and won't run/install anything on the provided storage except that which was provided by the vendor (And it's actually a lot easier to do than most would think on that score...).

      You actually fingered the root cause of the problems. You've got marketing wonks making design decisions on products to "differentiate" the products from competitor's solutions. They don't get that something like Windows is ill-advised...even really on desktops. The people deploying the SCADA systems are looking for "easier" and trust that the vendors "got it" on safety, security, and stability. Never mind that they typically don't put a lot of thought into that themselves as evidenced with using Windows instead of some other embedded or hardenable OS that's more suited to the task.

    2. Re:No, it's education by Anonymous Coward · · Score: 0

      I don't know a lot about centrifuges but I have worked on other industrial systems. The ones I worked on allowed USB drives so they could download firmware updates (frequently needed because of the low quality of the firmware overall) and download new control programs (the objectives of the systems I worked on changed gradually over time, necessitating periodic changes in procedure).

      The Stuxnet centrifuges were designed to be controlled by computers running Windows XP. From the sound of it, they were programmable; I don't know what kind of programs you write for something like that, but maybe there's a series of different spinning speeds that needs to run that varies by the material used. They probably allowed USB drives to download new programs and firmware as needed. The computers were apparently not on the public network (but networked together perhaps?). For some reason, having USB drives there did not seem to be unusual; the Stuxnet authors wrote the software knowing well in advance how to get it to spread to the internal control computers. Given the amount of information they had, they probably either had an inside source or gained access to some data that spelled out procedures informally (like employee emails).

  16. 'every digital system has a vulnerability'? by Anonymous Coward · · Score: 0

There are plenty of secure digital systems. It's not hard to make them, in fact it's quite easy. Trivial non-networked systems are often secure. There is no need to go to analog, simple digital circuits are fine. I don't care how good your leet hacking skills are, I can make a single digital control system that's perfectly secure that sets line C high if lines A and B are high. You can't hack an AND gate. There are plenty of places one can use provably correct digital control systems.

The idea is not that you need to put "analog" in there somewhere, but rather that you should have simple things that are easy to secure, and design such that they are in the critical path for attacking. Ex: the Linux kernel is rather large (~15 million LOC). While it's nice, you don't really want to rely on all that being secure. If you want security, you reduce the surface area exposed to attackers. If you are worried about incoming attacks over the network, air-gap = 0 area to attack. If you still need to allow some input, you can squeeze the threat through something simple which could be some analog mess as implied by the article, but more realistically would be a simple digital system, either hardware, or carefully validated (trivial) software, or both.

If you are willing to expose a bit more and get a real general purpose OS, you can opt for something like genode that's much more practical to design secure software for, and to validate the security of the OS itself.

TFA seems to be advocating using analog control systems to avoid things like cross site scripting attacks. Maybe drop the "site" and "scripting" before dropping the idea of digital control systems. If you don't care about putting your junk on the internet, an air gap will fix most of that crap, and if you do want it on the internet, too bad, IP is a digital protocol, and the analog version won't be able to work with it. Besides, those attacks are client side, so maybe just not exposing important infrastructure controls capable of wrecking everything if messed with to people using web browsers to edit them in a non-secure environment is enough.

    1. Re:'every digital system has a vulnerability'? by AK+Marc · · Score: 1

I can make a single digital control system that's perfectly secure that sets line C high if lines A and B are high. You can't hack an AND gate. There are plenty of places one can use provably correct digital control systems.

      You are assuming physical security. You also didn't mention testing. Did you verify that the gate is an AND, and not an OR?

  17. Recently saw him speak... by Anonymous Coward · · Score: 0

    Just last week, I saw this man speak at the Johns Hopkins University Applied Physics Laboratory. He had given his whole presentation, and at the end someone had asked him if analog systems could be an answer to protecting critical infrastructure. His response was that yes, it would help, but nobody wants "that old shit" (in this case he was paraphrasing what he feels the industry thinks of analog systems). He also asserted that the main reason that digital systems were popular and on the internet was because companies were focused on the cost savings of having remote access to these systems.

  18. Battlestar Galactica by sg_oneill · · Score: 2

Reminds me a bit of one of the tropes from Battlestar Galactica. Adama knew from the previous war that the Cylons were master hackers and could disable battlestars by breaking into networks via wireless and then using them to disable the whole ship, leaving them effectively dead in the water, so he simply ordered that none of his ships ever be networked and that the ship be driven using manual control. Later on they meet the other surviving battleship, the Pegasus, and it turns out that it only survived because its network was offline due to maintenance. It's not actually a novel idea in militaries. I remember in the 90s doing a small contract for a special forces group I can't name, and asked them about their computer network. He said they used "sneaker-net", which is that any info that needed transfer was put on a floppy and walked to its destination, thus creating an air gap between battlefield systems.

    I guess this isn't quite that, but it certainly seems to be a sort of variant of it.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  19. Re:besides digital or analog, for safety, use phys by jrumney · · Score: 1

    In other words, it is nothing to do with analog vs digital, but about having failsafe mechanisms that contain the damage when all your control systems go wrong. Failsafe mechanisms tend to be "analog", as they need to be effective even when the electricity and anything else that can fail has failed.

  20. isolate control systems from the Internet. by manu0601 · · Score: 1

    Editor or submitter said

    isolate control systems from the Internet.

Stuxnet has shown that it is not enough. You can still be infected by a USB key.

  21. What a pathetic uninformed crock of sh artic by Rosco+P.+Coltrane · · Score: 1

    Analog vs digital has nothing to do with "cyberterrorism". Analog refers to systems with an infinite number of states, digital refers to systems with a finite number of states. If properly designed, both are perfectly safe.

    Cyber security has nothing to do with digital or analog, and everything to do with software and networking. Which have nothing whatsoever to do with the analog vs digital design choices.

TFA reads like a science essay from a 3rd grader who writes with technical words to look smart, but doesn't actually understand any of what they're writing about...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  22. Maybe you could by Jeremi · · Score: 1

    >Or maybe you could isolate control systems from the Internet.

    Yes, maybe is the keyword there. Set up everything to be nice and air-gapped, and maybe some joker won't bring in his malware-infected laptop the next day and temporarily hook it up to your "secure network" in order to transfer a file over.

    Or then again, maybe he will. Who knows?

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
  23. This fixes it as a side effect by gman003 · · Score: 2

    The core problem is that "data" and "code" are being sent over the same path - the reporting data is being sent out, and the control "data" is being sent in, but it's over a two-way Internet connection. If you had an analog control system that was openly accessible in some way, you'd have the exact same problems. Or you could have a complete separate, non-public digital control connection that would be secure. But nobody wants to lay two sets of cable to one device, and there's a convenience factor in remote control. So since security doesn't sell products*, but low price and convenience features do, we got into our current situation. It's not "digital"'s fault. It's not "analog"'s fault. It probably would have happened even if all our long-range communication networks were built of hydraulics and springs.

    * For those who are about to point out how much money antivirus software makes, that's fear selling, not security. Fear moves product *very* well.

  24. "Isolate from the Internet" is hard by roca · · Score: 2

    Air-gap alone is not enough. Stuxnet travelled via USB sticks. And if your hardware (or anything connected to it) has a wireless interface on it (Bluetooth, Wifi, etc), you have a problem ... an operator might bring a hacked phone within range, for example.

    Simplifying the hardware down to fixed-function IC or analog reduces the attack surface much more than attempts to isolate the hardware from the Internet.

    1. Re:"Isolate from the Internet" is hard by TubeSteak · · Score: 1

      Air-gap alone is not enough. Stuxnet travelled via USB sticks.

      The Stuxnet attack was (for the Iranians) a failure of operational security.
      The attackers knew exactly what hardware/software was being used and how it was set up.
      If the Iranians had one less centrifuge hooked up, or a different SCADA firmware version, the worm would have never triggered.

      There is such a thing as security through obscurity.
      It's never a complete solution, but it should always be your first line of defense.

      --
      [Fuck Beta]
      o0t!
    2. Re:"Isolate from the Internet" is hard by Anonymous Coward · · Score: 0

      There is such a thing as security through obscurity.

      No.

    3. Re:"Isolate from the Internet" is hard by thegarbz · · Score: 3, Interesting

      Simplifying the hardware down to fixed-function IC or analog reduces the attack surface much more than attempts to isolate the hardware from the Internet.

      It also dramatically reduces the functionality. You've saved yourself from hackers only to get undone by dangerous undetected failure of instrumentation. Anyone who boils a security argument down to stupefying everything has missed a world of advancements which have come from the digital world. Thanks but no thanks. I'm much more likely to blow up my plant due to failed equipment than due to some hacker playing around.

  25. local network by Anonymous Coward · · Score: 0

These reactors would be run in a local environment you'd think. Essentially away from cyberspace /.

  26. Perhaps analog isn't the right term by sjames · · Score: 1

    The key is hard stop rather than analog. For a simple example, imagine 3 machines that draw a great deal of inrush current using typical start/stop controls. Since we're in the digital age, we put them under computer control. The controller can strobe the start or stop lines for the 3 machines.

    Now, they must not all be started at once or they'll blow out everything back to the substation. We know they must be started 10 seconds apart at least. Doing it the "digital way" we program the delay into the controller software and call it good. Then someone hacks the firmware and does a great deal of damage power cycling the units rapidly until kaboom.

    Or we do it the 'analog way'. When a start line is strobed, a PLC with no connectivity of any kind locks out the other two and starts a ten second timer. The firmware can't touch the timer. The attacker annoys but does no real damage due to the hard stop.
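The lockout described in this post, as an added simulation in C that is not part of sjames's comment: an interlock that sees nothing but the start/stop lines enforces the ten-second spacing, and is driven first by firmware that strobes every line as fast as it can and then by a well-behaved staggered start. The rule that one accepted start locks out all start lines (including the same machine) and the millisecond timings are assumptions made for the example.

```c
/* Added example (not from the post): a simulation of the "hard stop"
 * interlock. Three high-inrush machines sit behind an independent lockout
 * whose only connection to the controller is the start/stop lines.
 * Assumptions: an accepted start locks out ALL start lines (the same
 * machine included) for MIN_START_SPACING_MS; stop lines always pass,
 * since stopping is the safe direction. Times are simulated milliseconds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_MACHINES 3
#define MIN_START_SPACING_MS 10000u   /* the post's ten-second timer */

typedef struct {
    bool     any_started;             /* false until the first accepted start */
    uint32_t last_start_ms;           /* time of the most recent accepted start */
    bool     running[NUM_MACHINES];   /* contactor state per machine */
    uint32_t accepted;                /* start strobes passed to contactors */
    uint32_t rejected;                /* start strobes blocked by the timer */
} interlock_t;

void interlock_init(interlock_t *il)
{
    il->any_started = false;
    il->last_start_ms = 0;
    for (int m = 0; m < NUM_MACHINES; m++)
        il->running[m] = false;
    il->accepted = 0;
    il->rejected = 0;
}

/* The controller (trusted or compromised) strobed a start line.
 * Returns true only if the strobe was forwarded to the contactor. */
bool interlock_start(interlock_t *il, int machine, uint32_t now_ms)
{
    if (machine < 0 || machine >= NUM_MACHINES)
        return false;                 /* no such line: ignore */
    if (il->any_started &&
        (uint32_t)(now_ms - il->last_start_ms) < MIN_START_SPACING_MS) {
        il->rejected++;               /* timer still running: hard stop */
        return false;
    }
    il->any_started = true;
    il->last_start_ms = now_ms;
    il->running[machine] = true;
    il->accepted++;
    return true;
}

/* Stop strobes are never delayed: a machine that is off draws no inrush. */
bool interlock_stop(interlock_t *il, int machine)
{
    if (machine < 0 || machine >= NUM_MACHINES)
        return false;
    il->running[machine] = false;
    return true;
}

/* Hostile firmware strobes start then stop on every machine, every
 * period_ms, for duration_ms. Returns how many starts got through. */
uint32_t simulate_hostile_strobe(uint32_t duration_ms, uint32_t period_ms)
{
    interlock_t il;
    if (period_ms == 0)
        return 0;                     /* guard against an endless loop */
    interlock_init(&il);
    for (uint32_t t = 0; t < duration_ms; t += period_ms) {
        for (int m = 0; m < NUM_MACHINES; m++) {
            interlock_start(&il, m, t);
            interlock_stop(&il, m);   /* rapid power-cycling attempt */
        }
    }
    return il.accepted;
}

/* Well-behaved controller: starts machines 0, 1, 2 ten seconds apart.
 * Returns true if every start passed and all three end up running. */
bool simulate_staggered_start(void)
{
    interlock_t il;
    interlock_init(&il);
    bool ok = true;
    for (int m = 0; m < NUM_MACHINES; m++)
        ok = interlock_start(&il, m, (uint32_t)m * MIN_START_SPACING_MS) && ok;
    for (int m = 0; m < NUM_MACHINES; m++)
        ok = ok && il.running[m];
    return ok;
}

int main(void)
{
    printf("hostile strobe (30 s, 100 ms): %u starts passed\n",
           (unsigned)simulate_hostile_strobe(30000, 100));
    printf("staggered start: %s\n",
           simulate_staggered_start() ? "all running" : "blocked");
    return 0;
}
```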

    1. Re:Perhaps analog isn't the right term by Anonymous Coward · · Score: 0

      The key is hard stop rather than analog. For a simple example, imagine 3 machines that draw a great deal of inrush current using typical start/stop controls. Since we're in the digital age, we put them under computer control. The controller can strobe the start or stop lines for the 3 machines.

      Now, they must not all be started at once or they'll blow out everything back to the substation. We know they must be started 10 seconds apart at least. Doing it the "digital way" we program the delay into the controller software and call it good. Then someone hacks the firmware and does a great deal of damage power cycling the units rapidly until kaboom.

      Or we do it the 'analog way'. When a start line is strobed, a PLC with no connectivity of any kind locks out the other two and starts a ten second timer. The firmware can't touch the timer. The attacker annoys but does no real damage due to the hard stop.

That's not really correct usage of "analog" as the PLC is likely a digital system as well. Actually you'd ideally want a non-programmable Application Specific Integrated Circuit, rather than a Programmable Logic Circuit, since the goal is to make it impossible for software to bypass the lockout, but yes the core concept here is design the hardware to be failsafe so that no matter what shenanigans the firmware/software tries to pull the end result will be a safe failure mode.

Really it's just the hardware level application of the old security principle: "Assume that every single person who uses your system is a malicious hacker"

    2. Re:Perhaps analog isn't the right term by sjames · · Score: 1

      Yes, that's why I say analog may not be the right term and I make use of quotes.

      I think the PLC is OK as long as it is not connected to anything but the lines it is locking out. You'd have to get at the physical hardware to reprogram it and at that point, you could disable a physical circuit as well. Even better, some devices have a fuse you can blow to prevent re-programming.

  27. Better design and discipline by WaffleMonster · · Score: 1

    Whether it is a series of mechanical cogs or a digital controller problem in abstract seems not so much selection of technology as it is proliferation of "nice to have" yet possibly unnecessary capabilities.. widgets which may not offer significant value after closer inspection of all risks. Is remote management really a must have or can you live without? Perhaps read-only monitoring (cutting rx lines) is a good enough compromise... perhaps not all systems need network connections, active USB ports..etc

Then we get to process questions.. can a system be designed and isolated in such a way that any manipulation is subject to local safety constraints which cannot be remotely bypassed or influenced/tricked?

    It is problematic control people have not sufficiently cared about security in terms of product development, deployment and operation.

    Also at some level operators must be trusted to not be stupid or evil.... To some extent this means knowing when to ignore the security/bureaucratic guy endlessly pulling what-ifs and CYAs out of their asses and focus on what in the bigger context is actually important.

  28. Obvious solution is obvious by Karmashock · · Score: 2

    The hubris of some thinking that everything can be linked to the internet while maintaining acceptable security is ignorant.

    Some systems need to be air gapped. And some core systems just need to be too simple to hack. I'm not saying analog. Merely so simple that we can actually say with certainty that there is no coding exploit. That means programs short enough that the code can be completely audited and made unhackable.

    Between airgapping and keeping core systems too simple to hack... we'll be safe from complete infiltration.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:Obvious solution is obvious by thegarbz · · Score: 1

      The hubris of some thinking that everything can be linked to the internet while maintaining acceptable security is ignorant.

      Actually I find the entire debate boiling down to one side thinking everything is completely open directly connected to the internet almost as laughable as the other side thinking air gapping is the answer.

I'll meet you in the middle. Air-gapping is not a solution in many cases. You simply can't run many modern plants without the ability to get live data out of the system and whisk it across the world. Does that mean your control system has an ADSL modem attached? Hell no. But there are many ways to network computers together in a secure way. There are also many ways your airgapped simple system can be "hacked", say from a state funded inside job like Stuxnet?

      Speaking of inside job once you're in the gate at a plant, any plant in the world, I pretty much guarantee you can figure out a way to cause damage without ever touching a computer.

    2. Re:Obvious solution is obvious by Karmashock · · Score: 1

      As to modern plants requiring remote control, I would look at that very carefully and do my best to limit it.

      Most plants are manned 24/7. There's no reason those plants couldn't take directions from grid operators and manually throttle the plant up or down. Sure, the standby diesel plants might throttle up and down a lot but most of the large coal, hydro, etc plants tend to hold a given output.

      As to insiders hacking the system, there is no solution to that issue so that's a bullshit counter argument. An inside man can always screw anything up. An inside man could murder anyone in the world. The best protected world leader in the world... dead to a bullet to the brain. So you know what, if the inside man can do that, then I'm not going to worry too much about that because that's clearly just about impossible to solve.

What I am going to worry about is if some jackass in Croatia can remote into my utility and tell the damn thing to play the theme from Star Wars by rapidly throttling the generator up and down.

      Sort of like this...
      http://www.youtube.com/watch?v...

      Only with brown outs.

      The automation and remoting is nice. But it often isn't worth the risk. For major multi billion dollar power facilities they can afford to have ONE person there on staff that manually throttles the system. That doesn't sound unreasonable.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    3. Re:Obvious solution is obvious by tibit · · Score: 1

      That's why I'm always smiling when people smirk at me when I tell them that a lot of firmware that I develop runs on devices with 64kb or less total memory (code + data, since it's Harvard). I'm not using frameworks with tens of thousands of lines of code, I can actually tell exactly how the whole thing works, top-to-bottom, and it can be explained in detail in about 150 pages of prose. A lot of that code is written in functional style (side-effect-free functions) and can be formally proven to agree with the specs. When you've got a lot more than that, it gets very, very costly to have formal proofs of anything, much less even formal specifications (formal not as in bureaucratic, formal as in using the language of mathematics).

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re:Obvious solution is obvious by Karmashock · · Score: 1

      Exactly. That's the only sort of digital system I would trust to run something like a core banking system or a power grid.

      I am familiar with the computers that handle credit transfers at banks. Very very simple machines. Very powerful but very simple. They can process millions of transactions very easily but that is the ONLY thing they do... nothing else. They can't get viruses. Their programming is hardcoded. They can't even get stuxnet. Too simple.

      That is how you do it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:Obvious solution is obvious by thegarbz · · Score: 1

      Most plants are manned 24/7. There's no reason those plants couldn't take directions from grid operators and manually throttle the plant up or down. Sure, the standby diesel plants might throttle up and down a lot but most of the large coal, hydro, etc plants tend to hold a given output.

      Power facilities? Yeah ok maybe. But you know there are far more scary facilities out there than a power plant. Cutting the power to a city for a day may be a bit chaotic, over pressuring a vapour cloud explosion at an oil refinery can quickly kill a lot of people, especially in the USA where residential areas are encroaching on industrial areas.

      Most industrial plants do NOT have the capability to allow people to take orders remotely over the phone, chemical reactions happen far faster than that.

      As to insiders hacking the system, there is no solution to that issue so that's a bullshit counter argument.

      You call it a bullshit counter argument, I call what happened in Iran direct evidence that the meme of airgapping will protect us doesn't do jack shit from a foreign attacker with enough resources.

      The automation and remoting is nice. But it often isn't worth the risk. For major multi billion dollar power facilities they can afford to have ONE person there on staff that manually throttles the system. That doesn't sound unreasonable.

      If you think a local person will protect you from a control system gone AWOL then I would wager that you don't actually work in the industry or have any appreciation for how control systems work. A critical hint is that it's the control system which provides the manual control to the operator. Mechanical interlocks are used about as often as pneumatic control loops, i.e. rarely in any modern plant.

      Oh and in many cases remoting isn't just nice, but necessary. Grid control works very poorly on a local level. That is exactly how cascading faults like the North East Blackout occur. Advanced control schemes which require constant connection to all local control systems can easily manage such a scenario. It works very well in a local refinery setting but for a power grid, water grid, oil well management, gas compression network, ... that requires remote access. Note: requires, not "nice to have".

      Double Oh, most projects go through risk review and determine that it actually is worth the risk. That's the evil profit motive right there for you. The very odd and remote chance of a hacker penetrating into the control network is nothing compared to the profit potential of not having to invest massive capital to increase capacity. Squeezing capacity out of existing equipment, extending maintenance times, and running things ever closer to the limit has been the trend world wide for years now, and advanced control over an entire plant / grid is the metaphorical golden egg in this case.

    6. Re:Obvious solution is obvious by Karmashock · · Score: 1

      Industrial plants are manned. There is no reason they couldn't manage such systems locally.

      Automation and remote administration is fine... you just need to not be a fucking retard about it.

      Case in point... by all means have your remote administration tools set up so that a central control room can monitor and manage the chemical plant. But don't be so foolish as to link those control systems to the internet. Air gap the control room. Yes an inside man can do bad things. But an inside man could do that regardless of your precautions. An inside man could blow up a factory 100 years ago. So again, I'm not worried about that.

      In regards to Iran, well thanks for arguing against yourself. Because my point was to limit automation and complexity such that inserting viruses into control systems simply wouldn't be possible. But you seem to think those systems are essential despite the fact that we've had industrial processes that managed similarly complex tasks for generations that did not make use of such systems.

      But since I'm actually trying to solve a problem rather then come up with bullshit reasons for why it can't be solved... I'm probably wrong. Forgive me for having a functioning nervous system.

      Your attitude has not been productive. "IF" you have any specialized knowledge you've not contributed or used it to enrich this discussion. Rather you've attempted to use it to brow beat me into accepting fallacious arguments or back up counter productive insults.

      You want to link core control systems to the internet accessible by Croatian teenagers or the Chinese cyberwarfare agents.

      What could possibly go wrong?

      You say these systems can't operate without such automation. Well, they didn't have it 40 years ago and they worked then. Possibly less efficiently? Possibly. Though that might also be a factor of other improving technologies or some "convenient" shortcuts that on consideration are not worth the risk.

      In regards to brown outs, those can be managed very easily with better local fail safes. Correct me if I'm wrong here... the two situations you're going to run into will be either too much power or too little. Right? In the case of a major localized power drain that cannot be met in a timely manner... Cut the area off. Yes, they'll have a brown out for a couple seconds. Boo hoo. It happens. Anyone that really can't have power disruptions has uninterruptible power supplies. That includes hospitals. You can rolling blackout hospitals all day and the lights won't even flicker.

      As to having too much power for whatever reason... I should think dumping the power into the ground would be preferable to blowing fuses.

      I can only imagine you're about to come back at me with some arrogant comment about your experience in the power industry, chemical plant industry, and likely something else unlikely.

      Even if any of that is justified, you must admit that your ability to cite it is dubious. If you want ANYONE to take you seriously in this context, you need to demonstrate your expertise... not merely claim it.

      I'm going to assume you're just going to be irrationally angry and combative at this point. So if that is the case... we can end the discussion now since the discussion will be over.

      If you can subsume ego and social ineptitude then we can continue. Forgive my own barbs... I believe in tit for tat as regards these things and that made us even.

      Your move.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  29. Lots of unproven assertions here. by johnnys · · Score: 3, Interesting

    "obvious: that 'every digital system has a vulnerability,' "

    So far, this has been demonstrated (NOT proven) only in the current environment where hardware and software architects, developers and businesses can get away from product liability requirements by crafting toxic EULAs that dump all the responsibility for their crappy designs and code on the end user. If the people who create our digital systems had to face liability as a consequence of their failure to design a secure system, we may find they get off their a**es and do the job properly. Where's Ralph Nader when you need him?

    And as the original poster noted, you CAN isolate the control systems from the Internet! Cut the wire and fire anyone who tries to fix it.

    "analog protection systems have one big advantage over their digital successors: they are immune"

    Nonsense! There were PLENTY of breakins by thieves into banks, runaway trains, industrial accidents and sabotage BEFORE the digital age. There was no "golden age" of analog before digital: That's just bullsh*t.

    --
    Sometimes the "writing on the wall" is blood spatter...
    1. Re:Lots of unproven assertions here. by Anonymous Coward · · Score: 0

      ... were PLENTY of break-ins by thieves into banks ...

Great straw-man: The original point was ... immune against cyber attacks . If there's a way in legally, then there's a way in illegally. Digital systems tend to be online which allows cracking through remote control instead of through explosives and stolen keys. For the most part, physical security is so good that it takes a lot of high-tech equipment to break in before the police arrive. Software security of operating systems and browsers is historically weak and there is little effort to change that predicament.

  30. The key is cost by Nkwe · · Score: 1

It is not an analog or digital issue, it is a cost issue. To be secure from remote attack you have to be willing to pay to have a trusted (human) individual with a sense of what is reasonable (with respect to the process) in the control loop. The problem is of course that trusted humans with a sense of reason are expensive.

    1. Re:The key is cost by fuzzyfuzzyfungus · · Score: 1

      It doesn't necessarily come down to humans (who can't necessarily save you if very fast responses are required or very subtle deviations need to be detected), though they can certainly help; but cost is much of the problem on the software side as well. More than a few important things run at the 'incompetent and overworked IT staff usually apply patches within a few months of release, assuming it isn't one of the systems that the vendor says you shouldn't touch' level and people are unwilling enough to shell out what it would take to bring them up to 'commercial best practice' levels, much less the (stratospheric, if we even have enough suitably qualified humans available) cost of 'all formally proven and whatnot'...

  31. Don't associate your self-deluded angry mind ... by Anonymous Coward · · Score: 0

No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire. Come on, does nobody know basic EE anymore? No wonder all this insecurity and stupidity happens... What this comment shows nicely is how incompetent CS types are routinely and how far they misunderstand the world.

    Please don't associate your self-deluded angry mind with EE, it reflects poorly on the bulk of EE types who are more stable than you. If you understood the world, even a small amount, you might realize that physical access is no placebo. You might even realize that a man in the middle attack predates CS, by millennia. Analog systems have been compromised and will be compromised.

  32. The difference between CS and CE ... by Anonymous Coward · · Score: 0

    That's because CS is math, not engineering. Computer Engineering is engineering, Computer Science is the study of the mathematics of computer systems. CE is a lot rarer than CS though, so a lot of people with CS degrees try to be engineers, but aren't trained for it.

    The difference between CS and CE is usually just the name the department chooses, not their course work. In other words it is usually a cosmetic difference.

    1. Re:The difference between CS and CE ... by ttucker · · Score: 2

      That's because CS is math, not engineering. Computer Engineering is engineering, Computer Science is the study of the mathematics of computer systems. CE is a lot rarer than CS though, so a lot of people with CS degrees try to be engineers, but aren't trained for it.

      The difference between CS and CE is usually just the name the department chooses, not their course work. In other words it is usually a cosmetic difference.

      This is not true, or even approximately true. CE is a discipline of EE. It is created mostly by learning EE, with a few computer architecture classes, lots of Verilog, and a few CS classes. In most universities, the program is offered by the EE college.

    2. Re:The difference between CS and CE ... by Anonymous Coward · · Score: 0

Coursework is really different at the undergraduate level as well. A university CS degree might recommend you to take 180 credits of pure mathematics courses for the basic degree, a computer-related engineering degree might offer you 60 credits of pure mathematics courses and the rest, whatever is necessary, is learned along the degree related courses. A CS degree might not require you to take courses in industrial engineering and production engineering, an engineering degree might. Those are just limited examples.

    3. Re:The difference between CS and CE ... by Anonymous Coward · · Score: 1

      You are correct.

      I happened to get my masters degree in "Computer Science and Engineering" so I got parts from both fields.

      The individual courses definitely had different flavors.

      The computer engineering parts were mostly handled by the electrical engineering departments, while the computer science parts were primarily dealt with by the mathematics departments.

      The program started as a spinoff from pure EE, shifted slightly to CE and added the CS parts. It turned out a good program, in my opinion. Nice mix of subjects.

    4. Re:The difference between CS and CE ... by Anonymous Coward · · Score: 0

      Not even close.
      Computer Engineering is an engineering discipline which means it needs to meet ABET and other things. A CmpE will have to take interdisciplinary courses, circuits, electronics, physical phenomena, etc. A CS does not need any of that.

      Compare http://catalog.tntech.edu/preview_program.php?catoid=11&poid=1094&returnto=1861 (CSC)
      and http://www2.tntech.edu/ece/UGRAD/CmpE/CmpE-curriculum-2013.html (CmpE)

  33. perspective of a controls engineer-- by volvox_voxel · · Score: 4, Insightful

    There are billions of embedded systems out there, and most of them are not connected to the internet. I've designed embedded control systems for most of my career, and can attest to the many advantages a digital control system has over an analog one. Analog still has its place (op-amps are pretty fast & cheap), but it's often quite useful to have a computer do it. Most capacitors have a 20% tolerance or so, have a temperature tolerance, and have values that drift. Your control system can drift over time, and may even become unstable due to the aging of the components in the compensator (e.g. PI, PID, lead/lag). Also a microcontroller wins hands down when it comes to long time constants with any kind of precision (millihertz). It's harder to make very long RC time constants, and trust those times. Microcontrollers/FPGAs are good for a wide range of control loops, including those that are very fast or very very slow. Microcontrollers allow you to do things like adaptive control when your plant can vary over time, like maintaining a precision temperature and ramp time of a blast furnace when the volume inside can change wildly. They also allow you to easily handle things like transport/phase lags, and a lot of corner conditions, system changes -- all without changing any hardware.

    I am happy to see the same trend with software-defined radio, where we try to digitize as much of the radio as possible, as close to the antenna as possible. Analog parts add noise, offsets, drift, cross-talk, exhibit leakage, etc. Microcontrollers allow us to minimize as much of the analog portion as possible.

  34. Fix digital security by Anonymous Coward · · Score: 0

    Analog is a step backwards. We should be moving forward with digital security.

  35. Re:Don't associate your self-deluded angry mind .. by phantomfive · · Score: 0

    physical access is no placebo

    I literally have no idea what this means. I've read it five times and still don't know.

    --
    "First they came for the slanderers and i said nothing."
  36. Computer viruses predated the internet ... by perpenso · · Score: 1

    Computer viruses predated the internet and worked across sneaker nets. Code on a floppy can be infected. A floppy can contain data crafted to overrun buffers and execute code, etc. The internet just simplifies the process, automates it.

  37. Redundant by Anonymous Coward · · Score: 0

    This seems a bit redundant; there are already methods to mathematically prove digital systems from metal to software (although at the metal level, it gets quite time consuming).

    The issue is people have critical infrastructure built on, or controlled by insecure systems (regardless of if it's digital or not).

    As many have stated, isolation is the easiest first step - but you can go further, building on well-defined/restricted ASICs, built on mathematically proven macro kernels which give essential access via MAC (also mathematically provable, via the kernel & MAC manifests) to 'processes' (drivers, software, etc) built on mathematically provable languages.

    A lot of functional languages (typically those who are strict implementations of lambda calculus w/ minor (if any) extensions based on a well known type system - which again in the FP domain is typically a Hindley Milner type system (or super/sub-set of)) can be proven mathematically to meet various constructs/restrictions, which in a strict macro kernel environment, and using drivers under identically strict process environments meet very high levels of security from both intrusion and correctness perspectives.

    Some of this is even 'required' for various military contracts (personally, we use a subset of Java SE for military grade gun mounts & control systems for various national militaries around the world - and have an entire team of mathematicians/CS staff whose sole job is to validate correctness and prove system reliability from various standpoints, who do exactly this - albeit for a Java-like language, not an FP language).

  38. Are the cylons running on analog engine ? by Anonymous Coward · · Score: 0

    If the cylons themselves are based on digital, they have the same vulnerabilities as any other digital lifeforms and are hackable.

    1. Re:Are the cylons running on analog engine ? by NotDrWho · · Score: 1

      In one of the episodes (Flight of the Phoenix, I believe) they did actually turn the virus back against the cylons, and destroyed a huge fleet of them.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
  39. Typo: "requiring physical access" by Anonymous Coward · · Score: 0

    ... then the attacker has to have physical access to that wire ...

    [requiring] physical access is no placebo

    I literally have no idea what this means. I've read it five times and still don't know.

    Sorry, typo, should have been "requiring physical access".

    1. Re:Typo: "requiring physical access" by gweihir · · Score: 0

      Still does not make any sense. You seem to have a disconnect between how great you think you are and the actual rather low level of skill and insight you are currently demonstrating.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  40. analog control != airgap or dedicated line by gl4ss · · Score: 1

    . ..
    so the article speaks of a dedicated line when it speaks of "analog"? I don't think so (without reading the article). it just speaks of analog protection systems, like an analog temp fuse on fire suppression water lines.

    (analog dedicated control line would be only as useful as both ends of the wire are secure.. making it about as useful as a digital line only transmitting a simple protocol handled with good code at both ends)

    real analog control and protection systems aren't programmable and so less vulnerable to someone hacking the max RPM limit on some centrifuges etc, since the attacker would need to physically alter the control mechanisms/analog electronics to alter the rpm. obviously such systems are more demanding to operate too..

    they are more expensive to do and more prone to faults though...

    --
    world was created 5 seconds before this post as it is.
    1. Re:analog control != airgap or dedicated line by gweihir · · Score: 0

      Sure, dedicated analog wires, analog circuits, etc. What you overlook is that basically no "dedicated digital wires" exist anymore. They are all using the Internet in some fashion or other. Of course, any real bare ("analog") wire can be made digital by attaching modems. But that is not the point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:analog control != airgap or dedicated line by RabidReindeer · · Score: 1

      . ..
      so the article speaks of a dedicated line when it speaks of "analog"? I don't think so (without reading the article). it just speaks of analog protection systems, like an analog temp fuse on fire suppression water lines.

      (analog dedicated control line would be only as useful as both ends of the wire are secure.. making it about as useful as a digital line only transmitting a simple protocol handled with good code at both ends)

      real analog control and protection systems aren't programmable and so less vulnerable to someone hacking the max RPM limit on some centrifuges etc, since the attacker would need to physically alter the control mechanisms/analog electronics to alter the rpm. obviously such systems are more demanding to operate too..

      they are more expensive to do and more prone to faults though...

      Consider the dreaded EMP attack. By producing a sufficiently powerful EM impulse sufficiently close, even digital circuits can be pushed into analog domains where they can become deranged or destroyed.

      That's an extreme, but it shows that attacks need not be solely on the wire or through the wire. A more finely-tuned attack might be able to simply strobe some other line in a cable bundle to a degree that its effects leak past whatever shielding might be present and induce a false impression of a control or data analog value.

      To pull off such a stunt obviously requires a good knowledge of your target systems, but so does the equivalent type of operation done in digital code and that happens routinely.

    3. Re:analog control != airgap or dedicated line by Lord+Lemur · · Score: 1

      Consider the dreaded vampire tap, or induction, or wire cutters. Physical access isn't only a vulnerability at the end points. Analog systems are beaten easily.

  41. Re:besides digital or analog, for safety, use phys by ttucker · · Score: 2

    Is a piece of wax melting analog, or something else entirely?

  42. re: wax - name that song. by Anonymous Coward · · Score: 0

    'My time is a piece of wax falling on a termite, who's choking on the splinters'

  43. Tautology by Yoda222 · · Score: 3

    A "cyber-attack" is a digital attack. So if your system is not digital, you can't be cyber-attacked. Great news.

    1. Re:Tautology by Anonymous Coward · · Score: 0

      No.
      A "cyber-attack" is an attack on a "cyber". Whatever the fuck that is.
      You can attack digital or analog things, as long as you have some kind of access in order to perform the attack.

    2. Re:Tautology by TeknoHog · · Score: 2

      No. A "cyber-attack" is an attack on a "cyber". Whatever the fuck that is.

      Cybernetics refers to control and feedback systems, which is traditionally an analogue discipline. Today "cyber", for whatever reasons, refers to doing things over teh intarwebz. So the problem is having old cyber connected to new cyber.

      (BTW, "cyber" has something to do with "android" when you stay within either one of the "old" or "new" namespaces.)

      --
      Escher was the first MC and Giger invented the HR department.
  44. Hmm... by fuzzyfuzzyfungus · · Score: 1

    I think I have a call from 1985 on line one, from some guy called 'Therac-25' who seems very excited about the importance of hardware safeguards and not trusting your software overmuch...

    1. Re:Hmm... by stenvar · · Score: 1

      The Therac-25 problems could have been easily prevented with better software processes and practices; no hardware safeguards were/are needed. If the hardware had been developed like the software was, the hardware would likely have failed too.

  45. The simple fact is this : by Rollgunner · · Score: 1

    My sister-in-law was excitedly showing off her new car to me, and I said that I didn't care for the idea of a remote-start function for cars. "But it's security coded." she said. My response was this:

    If a device can be controlled with an electronic signal, that means that the device can be controlled with an electronic signal.

    Sometimes that signal will come from where you want it to, but there can be no guarantee that it will not come from somewhere else.

    1. Re:The simple fact is this : by Anonymous Coward · · Score: 0

      And if you don't connect your PC to the internet you won't risk a virus getting in from the internet. However you won't be able to play DOTA either.

      If your car can't be controlled from the remote then it can't be hacked remotely. However you won't be able to change the timer on your heater if you decide to go to work an hour later than normally either.

      There are ups and downs to connecting stuff to the internet/remotes; you have to weigh the risk against the benefit. For a car I think it's easily worth the minuscule risk that they might break into my car (it's still an encrypted signal they have to break) vs the convenience of checking if you forgot to lock the car or turning on the diesel heater from my phone.

    2. Re:The simple fact is this : by Anonymous Coward · · Score: 0

      This.

      Open communication means anybody can control it, not just the intended controller.

      Why does the "info"tainment system have any connection to the car other than power and antenna, and maybe a separate wire to the steering wheel-mounted controls?

      Remote start is, IMNSHO, dumb. Remote door locks - marginally so if they work at more than 20-30 feet. And the Tesla update-any-time setup isn't unique - many cars these days have that kind of potential connectivity even if you haven't bought Onstar-like service, as demonstrated in Defcon and other papers.

      -Curmudgeon

  46. Or just do it as it's done in reality? by Anonymous Coward · · Score: 0

    If you have a critical system why not just put a fail-safe system in control of the actuators? I mean, when I have a pump that is controlled over the internet via VPN I know that there is a chance that it can be hacked. But even if they turn it off the pump will still start if the water level reaches catastrophe levels. Sure you won't get any alarms and you won't be able to load balance it with any other pumps and you won't get a counter showing the hours utilized, but it will still work because there will be an electrical system or fail-safe PLC controlling it in the end, overriding any stupid commands from the normal control PLC.
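The override arrangement this post describes, as an added Python example (not code from the post or from any real plant): a network-reachable PLC with ordinary start/stop logic, a stand-in for that same PLC after it has been compromised, and a separate hard-wired float switch that forces the pump on above a fixed level no matter what the PLC commands. The tank constants, setpoints and the one-step-per-tick model are constructed for illustration.

```python
"""Independent fail-safe override beneath a network-exposed controller.

Constructed toy model: a sump pump whose normal PLC is reachable over a
VPN (and so may be compromised), with a separate hard-wired float switch
that owns the final say on the motor contactor. Not code from any real
plant or vendor.
"""
from dataclasses import dataclass

# Constructed plant constants (arbitrary units).
INFLOW_PER_STEP = 1.0        # water entering the sump each tick
PUMP_RATE = 3.0              # water removed per tick while the pump runs
NORMAL_START = 5.0           # normal PLC starts the pump at this level
NORMAL_STOP = 2.0            # ... and stops it at this level
HARD_STOP_LEVEL = 8.0        # independent float switch forces the pump ON
OVERFLOW_LEVEL = 10.0        # physical catastrophe threshold


def normal_plc(level: float, pump_on: bool) -> bool:
    """Hysteresis start/stop logic of the ordinary, network-reachable PLC."""
    if level >= NORMAL_START:
        return True
    if level <= NORMAL_STOP:
        return False
    return pump_on


def compromised_plc(level: float, pump_on: bool) -> bool:
    """Stand-in for a hijacked controller that always commands the pump off."""
    return False


def failsafe_override(level: float, plc_command: bool) -> bool:
    """Hard-wired float switch: above HARD_STOP_LEVEL the contactor is
    energised regardless of what the PLC says; below it the PLC command
    passes through. Nothing on this path reads a network command."""
    if level >= HARD_STOP_LEVEL:
        return True
    return plc_command


@dataclass
class RunResult:
    peak_level: float
    overflowed: bool
    final_level: float


def simulate(controller, steps: int = 60, failsafe: bool = True) -> RunResult:
    """Run the sump/pump loop with the given controller.

    failsafe=False models the design the post argues against: the PLC is
    the only thing driving the motor.
    """
    level, pump_on, peak, overflowed = 0.0, False, 0.0, False
    for _ in range(steps):
        cmd = controller(level, pump_on)
        pump_on = failsafe_override(level, cmd) if failsafe else cmd
        level += INFLOW_PER_STEP
        if pump_on:
            level = max(0.0, level - PUMP_RATE)
        peak = max(peak, level)
        if level >= OVERFLOW_LEVEL:
            overflowed = True
    return RunResult(peak, overflowed, level)


if __name__ == "__main__":
    for name, ctrl, fs in [("normal PLC", normal_plc, True),
                           ("compromised PLC + float switch", compromised_plc, True),
                           ("compromised PLC, no float switch", compromised_plc, False)]:
        print(f"{name}: {simulate(ctrl, failsafe=fs)}")
```

With the float switch in place the compromised PLC only costs efficiency: the level cycles up to the hard-stop setpoint instead of the normal start level, which is the post's "no alarms, no load balancing, no hour counter" outcome. Without it the same controller overflows the sump.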

  47. Re:Don't associate your self-deluded angry mind .. by gweihir · · Score: 0

    You seem to be unaware what "placebo" means. Maybe you have taken too many drugs and mean "panacea"?

    Physical access has one characteristic: You need to be there to attack. That makes it expensive. You also need to know where "there" is.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  48. This is dumb by Anonymous Coward · · Score: 0

    "Or maybe you could isolate control systems from the Internet."

    Or maybe you could not build nuclear power plants in the first place. Fixed.

    Same goes for connecting weapons systems to computer networks or any other number of dumb things we seem to be doing with technology.

  49. digital is great ! by Anonymous Coward · · Score: 0

    when a cyclone/tornado/tsunami - whatever - hit Indonesia recently, it knocked out all the phone towers... hmmm, no-one had ham radio anymore.

  50. Re:What a pathetic uninformed crock of sh ar by Neil+Boekend · · Score: 1

    The problem is that modern digital systems have too many possibilities. You cannot be certain that a security system with in-field reprogramming abilities is safe.
    It may be expensive (in both space and dollars) but critical systems should have safe limits embedded in the hardware. A powerplant should not be able to increase the output voltage without hardware modifications. A nuclear plant must fail safe, even if the software is hacked.

    In essence you are right: It doesn't matter if those securities are in digital (relays for example) or analog (dunno how you'd do that). What matters is that they don't run software. However that is how digital vs analog is used these days. Language is fluid, it changes. What once was wrong now is correct. This has been forever, just analyze the word "regularly".

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  51. Re:besides digital or analog, for safety, use phys by thegarbz · · Score: 1

    Inherently safe design and mechanical safety systems are the final word you are absolutely correct, however in the digital vs analogue debate I would not be so quick to say use either. Digital systems have allowed a world of advanced diagnostics to be reported. Your pressure transmitter can now not only tell you what it thinks the pressure is, but it can also tell you if the tapping / impulse line is plugged. Your valve can report when it's near failure or if torque requirements are increasing, or stiction is occurring.

    You shouldn't have to rely on inherently safe design. Your valve should report that it has a problem before it gets stuck and your rupture disc blows. The name of the game is LAYERS of protection, not just using mechanical protections as the last word.

  52. Analog computers are very useful, reliable. by Anonymous Coward · · Score: 0

    And very very fast.

    But they are NOT secure.

    Analog computers are only as good as the mathematical model they implement - just as digital computers are.

    They are subject to input failures in the same way.

    They ALSO have a calibration failure that is worse than digital. As parts age, the calibration drifts...

    Digital circuits just quit. Analog gives the wrong answer.

  53. Re:besides digital or analog, for safety, use phys by CGordy · · Score: 3, Funny

    It's digital. It's either melted, or it's not.

  54. Perhaps. by nospam007 · · Score: 1

    "the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks."

    Unfortunately they are not immune to idiotic engineers as we learned the hard way.

  55. Yeah, but that means by Anonymous Coward · · Score: 0
    you'll have to hire competent analog engineers. Unfortunately, this costs money to educate them, because unlike digital bit-shovelers, analog electron-pushers need real equipment in real labs. This costs universities more money than just a room with a neckbeard mumbling arcane programming stuff into his beard.

    Then companies will need to pay these engineers too.

    In other words, except for military stuff, this will never, ever happen. The golden age of electrical engineering is safe in the past.

  56. slashdot needs... by apcullen · · Score: 1

    Slashdot needs an official galacticawasntnetworked tag.

  57. When I worked on dangerous equipment by Anonymous Coward · · Score: 0

    in our case ion implanters with high voltage, boiling oil, great whirling blades and poisonous gasses, one rule of thumb was you needed two completely non-computerized layers of safety beyond what the control system provided. Relays were ok. Always seemed like a good rule to me.

  58. My comments to Langler by frisc · · Score: 1

    I suggested to Ralph that while replacing the analog protective relays at a critical missile defense power plant I discovered that the replacement digital relays made by General Electric were not cyber secure. I included cyber security precautions in the Operation & Maintenance Manuals and recommended periodic checks to verify that the relays were not connected to the internet. The Office of the Director of National Intelligence retained me to visit the site and report on the status. The Air Force refused permission for me to visit the site. The FBI and US congressional delegation's efforts to intervene were rebuffed by USAF General Fraser. Upgrading controls from old technology hardware implementations to software/hardware based devices is fraught with issues. NOT ONLY DIGITAL DEVICES BUT ALSO BUREAUCRATIC REFUSALS TO LISTEN AND FOLLOW PROCEDURES ARE BOTH EQUALLY DANGEROUS. A description of the project is in the minutes of the Spokane Western Protective Relay Conference. Signed Theodore G. Creedon, P.E.

  59. Ralph Langner is NOT a cyber terrorism expert by Anonymous Coward · · Score: 0

    I take umbrage to the OP calling Langner a 'cyber terrorism expert'. He is no such thing. Mr. Langner was an ICS engineer who stumbled onto Stuxnet and eventually became an authority on this specific piece of malware because of his tenacity in researching it. While impressive in what he's done with it, he is by no means anything towards a cyber terrorism expert. Stuxnet was not a cyber terrorist weapon either; it was developed by at least one nation state. Two, if we believe the NYT (the US and Israel). Neither of these nations are considered terrorist organizations by the Western world. So the article couldn't be more wrong, really.

  60. Slashdot by wisnoskij · · Score: 1

    You think we could at least get summaries written by people who understand basic tech terms.

    --
    Troll is not a replacement for I disagree.
  61. Is Analog the fix... by rossdee · · Score: 1

    I dunno, I haven't read a recent issue. Their science (fact) articles used to be pretty good though.

    The trouble with SF magazines is you have to wait a month for the next installment of a story. (though for short stories they are OK)

    And the Kindle subscription is apparently more costly than the paper magazine.

  62. leased lines by Anonymous Coward · · Score: 0

    Has no one ever heard of (or remembered) leased lines for remote access command and control? There was remote networking before the net was publicly available.

  63. Embrace the power of AND by TheCarp · · Score: 1

    > Or maybe you could isolate control systems from the Internet.

    Actually I am thinking... AND you could isolate control systems from the internet.

    Take a simple steam tank (yes, it's an old house) like I have in my basement. Damned thing is basically a bomb in my basement (as is the water heater). You can hook up the whole system to a new control unit, which I have considered, and perhaps come up with a more intelligent means of control than the simple thermostat on/off/.... you can even go hog wild and add pressure sensors and all....

    but under no circumstances would I replace the safety valves with a computer control. If I added some water level monitor to the digital control, I would still leave in the float valve emergency shut off.

    Just because you have a control system doesn't mean it is ok to skimp out on safety equipment.

    --
    "I opened my eyes, and everything went dark again"
  64. @ CGordy - Re:sure, no problem by nukenerd · · Score: 4, Interesting

    I am a nuclear power station engineer, in fact I am in line of signing off everything that might affect plant safety. I recognise most of what you say, such as the plant not relying on any one safety system, but on two or even three (depending on potential severity) independent and differently designed control systems (not counting the human watchkeepers) - the jargon being "redundancy and diversity". An earlier poster implied that a digital system would save people being called out of bed at 3 am for a plant event, but on my nuclear plants this would happen anyway. The station manager would certainly be called up for a plant trip (at the very least because he would want to know about it), as would several other personnel, even though safe shut-down would not depend on their presence as it would be done automatically anyway.

    However, the plant operators are engineers (this is the UK) and the senior ones and fast-track juniors have degrees (though a degree does not mean so much these days), even though the Operating Department is separate from the Engineering Department. Personnel do move from one to the other, and it is expected that even senior management will have had at least a few months experience "on the desk" (ie in the Control room).

    There is no way whatsoever, no-how, any-which-way-but-loose (how else can I say it?) that these systems would have any connection to the outside world or even within the plant itself to other than to the essential control panels.

    There is however a problem with modern "smart" devices such as thermocouple local amplifiers/transmitters with microchips in them. This is that we don't always know how they are programmed. I am not talking about malware, but simply the programmer making errors (or well-meaning assumptions) such as buffer overflow after a certain future date. For this reason we prefer the old-fashioned analog versions of devices at this level.

    1. Re: @ CGordy - Re:sure, no problem by CGordy · · Score: 1

      Without disagreeing with you, the point I was trying to make was that SIS or safety systems are hard wired and so are not physically capable of being connected to the internet, but (at least on the plants I've worked on) DCS data is available remotely via the company VPN. It is always possible to do financial damage by entering incorrect DCS setpoints, but it shouldn't be possible to compromise the plant safety (in a perfect world, anyway).

      Obviously, my experience is in refining and chemicals, not nuclear, so the way control rooms are managed is probably different. I also suspect there is a difference in terminology, as I wouldn't class someone without a four year degree an engineer, but that's another discussion entirely.

  65. It may be of interest to consider.... by Anonymous Coward · · Score: 0

    ... an analog computer in this context.

    When younger, I was one of a team supporting the installation of the first copy of Babbage's Difference Engine in the Science Museum (London). An interesting, but little appreciated feature is that, once set in operation, any repositioning of the counting gear mechanism causes the whole machine to lock up.

    This was initially seen as a design fault, but later we considered it to be an intended feature. The machine is operated by rotating handles a number of times, and this work would usually be designated to a servant. If the servant found that he could reposition the counting mechanism to make it look as if he had rotated the handles several thousand times when he had not done so, it is likely that this would be used as a method of avoiding work, with consequent error in the calculation.

    Important computer security tip from the 1820s - human maliciousness and laziness has not changed, and physical analog systems are just as prone to attack as digital electronic ones; only the vector will be different...

  66. If they ever heard of the idea... by whitroth · · Score: 1

    Several years ago, here in DC, I went to a forum about security and the Internet. On the panel were staffers from then-Sen. Kerry, and from a House committee. After it was over, I went up and spoke to each, individually, and neither had ever *heard* of the concept of an air gap between controls and the 'Net... and we were speaking of nuclear power plants, etc.

    Ignorance and "cost savings" make *great* insecurity vectors.

    mark

  67. Nice by Anonymous Coward · · Score: 0

    For on-call pay and two hour's minimum for getting a call? Hell yes.

  68. Why analog? by Khashishi · · Score: 1

    The author seems to be assuming that since all digital systems have vulnerabilities, analog systems should be used. But analog systems have vulnerabilities, too.

  69. Re:What a pathetic uninformed crock of sh ar by Anonymous Coward · · Score: 0

    Analog refers to systems with an infinite number of states

    a 3rd grader who write[sic] with technical words to look smart

    uh huh

  70. Re:besides digital or analog, for safety, use phys by budgenator · · Score: 1

    Is a piece of wax melting analog, or something else entirely?

    Analog, to be digital the wax would have to be eutectic, some waxes do come close.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  71. Because Phreaking Did Not Exist by Anonymous Coward · · Score: 0

    Really?

  72. Triconex SIS by iMactheKnife · · Score: 1

    I'm the original VP R&D of Triconex and developer of the triplicated fault-tolerant industrial control system.

    These systems have NO single points of failure, not even the power supplies, and each independent CPU is "educated" from the other verified good boards. There is no commercial operating system in these computers. They run a combination of Relay Ladder Logic and Analog Control System usually downloaded from a Wonderware or XCell application in a PC and run-tested on the actual plant machinery.

    The vulnerability would be in the PC end, if those PCs are running unprotected interfaces to the Web. The PC control systems must not be connected to the Web, and the actual control application in the control computers should be programmed with automatic safety shutoffs and overrides which do not depend on the PC connections. The applications I oversaw were set up that way.
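A minimal model of the 2-out-of-3 voting and board "education" this post describes, added here as a Python example; it is not Triconex code or any vendor's design, and the channel state, the trip setpoint and the sample readings are constructed for illustration.

```python
"""Triplicated safety logic: per-leg evaluation, 2oo3 vote, board education.

Constructed model of the arrangement the post above describes. The
Channel state, TRIP_PRESSURE and the readings in demo() are invented for
illustration; this is not Triconex code or any vendor's design.
"""
from dataclasses import dataclass, field
from typing import List

TRIP_PRESSURE = 100.0   # constructed high-pressure trip setpoint


@dataclass
class Channel:
    """One independent leg: its own sensor input, CPU and internal state."""
    name: str
    scans: int = 0   # state a live board accumulates and a fresh board lacks

    def evaluate(self, pressure: float) -> bool:
        """Trip demand computed from this leg's own reading only."""
        self.scans += 1
        return pressure >= TRIP_PRESSURE


@dataclass
class VoteResult:
    trip: bool
    votes: List[bool]
    outvoted: List[str] = field(default_factory=list)


def vote_2oo3(channels: List[Channel], readings: List[float]) -> VoteResult:
    """Trip only when at least two legs demand it, and name any leg that
    disagreed with the majority so maintenance can look at its sensor."""
    votes = [ch.evaluate(r) for ch, r in zip(channels, readings)]
    trip = sum(votes) >= 2
    outvoted = [ch.name for ch, v in zip(channels, votes) if v != trip]
    return VoteResult(trip, votes, outvoted)


class TmrSystem:
    """Three legs plus the voter; keeps the decision history for inspection."""

    def __init__(self) -> None:
        self.channels = [Channel("A"), Channel("B"), Channel("C")]
        self.history: List[VoteResult] = []

    def scan(self, readings: List[float]) -> VoteResult:
        result = vote_2oo3(self.channels, readings)
        self.history.append(result)
        return result

    def replace_channel(self, name: str) -> None:
        """Hot-swap one leg for a fresh board; its state starts empty."""
        self.channels = [Channel(name) if ch.name == name else ch
                         for ch in self.channels]

    def educate(self, name: str) -> None:
        """Bring a replaced leg up to date from the two verified-good legs.
        Refuses when those two disagree, since there is then no trusted
        state to copy."""
        good = [ch for ch in self.channels if ch.name != name]
        if good[0].scans != good[1].scans:
            raise RuntimeError("verified-good legs disagree; cannot educate")
        for ch in self.channels:
            if ch.name == name:
                ch.scans = good[0].scans

    def channel(self, name: str) -> Channel:
        return next(ch for ch in self.channels if ch.name == name)


def demo() -> TmrSystem:
    """Three scans: all healthy, one sensor stuck high, one sensor stuck low."""
    tmr = TmrSystem()
    tmr.scan([80.0, 80.0, 80.0])     # quiet plant: no trip, all legs agree
    tmr.scan([80.0, 150.0, 80.0])    # B reads falsely high: outvoted, no spurious trip
    tmr.scan([120.0, 120.0, 50.0])   # C stuck low during a real event: outvoted, trip
    return tmr


if __name__ == "__main__":
    system = demo()
    for result in system.history:
        print(result)
    system.replace_channel("B")
    system.educate("B")
    print("B after education:", system.channel("B"))
```

The two failure scans show the property the post relies on: a single bad leg can neither force a spurious trip nor block a real one, and the voter names the odd leg out instead of silently absorbing the fault. The education step copies state only when the two remaining legs agree, which is the "verified good" condition the post mentions.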