Is Analog the Fix For Cyber Terrorism?

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests." Or maybe you could isolate control systems from the Internet.

obviously BSG was right

[mindpivot]

the terrorists are like cylons and we need to disconnect all networked computers for humanity!!!

sure, no problem

[davester666]

>Or maybe you could isolate control systems from the Internet

said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

Re:sure, no problem

Don't worry, Bill Gates says a robot will take that guy's job soon enough.

Re:sure, no problem

[TWX]

said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

Sounds to me like you need a better A/C system.

Or you need to not consider an HVAC system to be so critical that it can't be on the network. Or, perhaps you need to design the HVAC system to take only the simplest of input from Internet-connected machines through interfaces like RS-422, and to otherwise use its not-connected, internal network for actual major connectivity. And design it to fail-safe, where it doesn't shut off and leave the data center roasting if there's an erroneous input.

And anything that is monitored three-shifts should not be Internet-connected if it's considered critical. After all, if it's monitored three shifts then it shouldn't have to notify anyone offsite.

Re:sure, no problem

[phantomfive]

said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

I can't speak for everyone, but I would rather pay extra for someone to be willing to do that (or do it myself, it shouldn't be a common situation) before I connect important systems to the internet.

Having an air gap isn't a perfect solution, but it makes things a lot harder for attackers.

Re:sure, no problem

[mlts]

As a compromise, one can always do something similar to this:

1: Get two machines with a RS232 port. One will be the source, one the destination.

2: Cut the wire on the serial port cable so the destination machine has no ability to communicate with the source.

3: Have the source machine push data through the port, destination machine constantly monitor it and log it to a file.

4: Have a program on the destination machine parse the log and do the paging, etc. if a parameter goes out of bounds.

This won't work for high data rates, but it will sufficiently isolate the inner subsystem from the Internet while providing a way for data to get out in real time. Definitely not immune to physical attack, but it will go a long ways to stopping remote attacks, since there is no connections that can be made into the source machine's subnet.

Re:sure, no problem

[phantomfive]

The main use case that causes problems with air gaps (AFAIK) is transferring files to the computer that's hooked up to the heavy machinery. People get tired of copying updates over USB, for example, and hook it up. Or they want to be able to reboot their air conditioner remotely.

And that is the use case that caused problems with for Iran with Stuxnet. They had an airgap, but the attackers infected other computers in the area, got their payload on a USB key, and when someone transferred files to the main target, it got infected. That is my understanding of how that situation went down. But once you start thinking along those lines, you start thinking of other attacks that might work.

Re:sure, no problem

Networked does not imply internet connected. In the same way, if you are using electricity, it does not mean you need to be connected to the electric grid.

There is no reason to going analog IF people are not stupid.

Unfortunately, we have plenty of examples that refute your premise. People ARE stupid, including the people who designed the highly vulnerable smart grid that most of the US is now using for power distribution.

Re:sure, no problem

[richlv]

i remember watching 'nikita' episode where they hacked a computer through its power connection and going "um, that's a bit stretching it..."

then, several years later, some proof of concept attack vector like that was demonstrated. assuming that experts in the field can do much more than public knows, it might have been not that much of a stretch after all.

i would also imagine that attacks for analog systems have been polished quitealot, given that they have been around longer. not that they could not be more secure - but thinking that they are immune might be a dangerous trap.

Re:sure, no problem

Networked does not imply internet connected. In the same way, if you are using electricity, it does not mean you need to be connected to the electric grid. There is no reason to going analog IF people are not stupid.

You may want to be careful using words like "stupid". A reasonably intelligent person would recognize that a purely internal network without internet connectivity is still vulnerable. The internet is just one method of ingress. A malware payload could be introduced through physical media for example.

A lack of internet connectivity may make data theft more difficult however in an industrial control application merely getting into internal network and taking control of machinery is all that is necessary.

Re:sure, no problem

[CBravo]

And to make it even more simple: Everyone, including smart people, makes mistakes.

Re:sure, no problem

[Technician]

A more common control with this type of critical limits is an elevator. The digital controls calls the cars to the floors, opens doors, etc. Between the digital world and electrical/mechanical world is control relays. Limit switches are in pairs. One you are used to. The elevator arrives at a floor and there is a pause while the fine alignment is completed to level with the current floor. The hard limit on the other hand such as exceeding safe space below bottom floor or past the top floor, does interrupt power to the control for the power relays. One drops power to the motor and the other drops the power to the brake pick solonoid. Brakes fail safe in an elevator. Need power to release the brakes.

Yea, it is a pain to reset the elevator at 3 am with someone stuck inside, but that is better than a runaway elevator. And no, there is no software defeat for the hardware limit switches.

Re:sure, no problem

[thegarbz]

This is why security should be a system and not an airgap. The idea that a computer should not be on the internet and patting yourself on the back for the idea and calling it a job well done is almost becoming a slashdot meme.

Never underestimate what bored shift workers do during night shift. We had one group of people figure out how to watch a divx movie on the screen of an ABB Gas Chromatograph.

The problem is more social than technological.

Re:sure, no problem

[CGordy]

There's a lot of misconceptions on slashdot about how these "critical infrastructure" plants actually run. I've spent a lot of time working in chemical plants, and these plants are heavily instrumented, with all parameters recorded. These are accessible in real time to the plant engineers, who typically don't sit in the control room, and often aren't in the same state (there's a very limited pool of people available who are "experts" at some of these processes, and when a serious problem occurs companies want the best person to look at the data ASAP).

The guys who sit in the control room are not engineers. They're plant operators, and their job is to keep the plant running as smoothly as possible, and escalate the issue to an engineer if there's a non-standard problem. Most plants these days are so heavily automated that for normal, stable operation only two operators are required on site per say $100 million of plant (as a guesstimate - more during the day when scheduled maintenance is occurring).

The engineers at these sites are actually classed as management. That's because they have ultimate responsibility for the plant when problems happen, although they don't control the day to day operation of the site. Most of an engineer's day on a chemical plant should be spent looking at whether the plant is configured optimally, and trying to troubleshoot longer term problems which require a more theoretical viewpoint. However, they do have to get out of bed at three in the morning if something's gone wrong. They also have to manage the operators, and have a promotion path to "real" management - refinery managers (for example) are usually engineers.

However, what the article totally missed is that these sites already have two layers of control system - the Distributed Control System (DCS), and the Safety Instrumented System (SIS). The wikipedia contains a lot more detail, but essentially these SIS's are hard wired systems that aren't programmable at all, so they are intrinsically resistant to an internet or software based attack. However, they're very expensive (every trip needs to be built as a dedicated circuit), so these systems are only used to ensure that the plant fails in a safe manner, not continued operation. Priority is given to safety of people in the vicinity over integrity of the plant equipment - these systems wouldn't typically be used a stop a pump or centrifuge (for example) from running too fast, unless that could cause some consequential (human) damage.

Finally, an analog system would be a big step backwards from a safety viewpoint because it wouldn't allow the plants to automatically shut down safely when a problem occurs. Plant shutdowns are typically a multiple step process, and in a refinery (for example), large quantities of high temperature, high pressure flammable gases need to be disposed of, which would simply not be possible to safely "program" in an analog environment. Before digital systems came along, plant trips were "all hands on deck" incidents, with operators frantically adjusting adjusting setpoints on dials to bring the plants down. Of course, the risk of operator error was high, so automated shutdowns were a big step forwards in plant safety.

Re:sure, no problem

[AmiMoJo]

Or, perhaps you need to design the HVAC system to take only the simplest of input from Internet-connected machines through interfaces like RS-422, and to otherwise use its not-connected, internal network for actual major connectivity.

I used to do software for fire alarm systems and heard a story about this. A shopping centre wanted to have a remote monitoring and reset system. All it could do was read the indoor temperature or reset the system. RS-485 link to a dedicated PC, firewalled with just the remote management service exposed to the LAN. Access was by using a VPN connection to the LAN.

One day they noticed that the system was stuck in some kind of reset loop. Seems someone found a way in and caused the machine it was connected to to keep sending reset commands. It must have happened some time in the night, and by the time they figured out what was going on the next day a couple of the motorized vents and one fan had failed due to the motors overheating. Every time the reset command was sent they did a self test where they exercised their motors.

The suspicion was that this was a distraction to cover up whatever else they were doing inside the network. Not being close to it I never found out the fully story, but it just shows that even a simple reset command can cause significant damage if abused.

Re:sure, no problem

[LoRdTAW]

Stuxnet proved that air gapping isn't enough.

Air gapping is not a 100% fix. Its part wishful thinking and part buzz phrase which gets thrown around carelessly. If someone guarantees nothing will go wrong because of an air gap or one way serial connection then they are full of shit.

Think about it, how many computers have you ever come across that could function on a 100% "air gap"? What about updates or software fixes? You could write a control program and debug the hell out of it to ensure nothing will go wrong but eventually you know something will break and need fixing. And that fixing requires a PC that most likely has seen the internet.

Dont get me wrong, an air gap will reduce your attack surface. But many PAC's made today are running full blown operating systems. And Many of those run Windows XP embedded or Windows 7 embedded with real time subsystems (like TenAsys INtime or IntervalZero RTX). Then add to that the proliferation of ethernet and even wifi in industrial networks coupled with unsecured protocols and you have a nice time bomb. All you need is one infected USB key plugged into a Windows HMI to fix a small glitch or update a recipie and BAM, your air gapped network is now toast.

Re:sure, no problem

[wagnerrp]

Only because no one thought to put some sort of rate limiter on the reset command. If you're continually needing to reset something, clearly there is a serious issue that should warrant a tech or engineer being called out to investigate.

Re:sure, no problem

[Sockatume]

That's terrible. For research purposes, I'd like to know how he did it.

Re:sure, no problem

[andyring]

Just don't put your HVAC controls on the same network as your credit card payment devices...

Re:sure, no problem

[mlts]

When a local startup went out of business, one of the things the failed startup had at their bankruptcy auction was an electric motor that would spin a crankshaft/flywheel... only for a generator head on the other end to turn the motion back into electricity. I wondered why they had something that inefficient until I found that it was a "power firewall"... i.e. to mitigate attacks via the mains power.

Because no analog system has

ever been compromised :) Physical kill switches, human operated are not simply analog (one might argue they are digital at the switch level). Analog might be the wrong word, since analog systems have been repeatedly compromised (from macrovision, to phreaking boxes, etc, etc). keep it off a communications network, even off local networks if they are uber critical.

Re:Because no analog system has

[phantomfive]

I think his point is that anything that can be accessed remotely by a trusted party can also be accessed remotely by an attacker. The distinction between analog and digital is a red herring.

Maybe that wasn't his point, but it's still a good one. :)

Re:Because no analog system has

[mysidia]

No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire.

Usually the "remote analog" access is through an analog circuit provided by a telecommunications company between two locations called an ISDN circuit.

If the locations are far enough, your so called "dedicated wire" gets muxed, and then transmitted over a digital trunk which may be copper or optical with a bunch of other "dedicared wires"

The communication is subject to possible attack -- interception and insertion of false signals, at any point the line crosses, if compromised physically.

Or theoretically possible by remote attacks, if the Telco becomes compomised.

Re:Because no analog system has

[erice]

No, it is not. If the remote analog access is by a dedicated wire (and that is what you do in analog), then the attacker has to have physical access to that wire

And that dedicated wire could control digital circuitry or even a conventional computer running software. So what is your point?

The only advantage of analog is that control methods are generally so limited that doing something stupid like sending a critical control signal over the Internet is not possible. However, the cost is very very high and it doesn't do anything that following a policy of never sending controls over the Internet would not do. Further, without such a policy, the security advantage is lost the first time someone gets the bright idea of inserting a repeater.

Re:Because no analog system has

[Nethead]

What does the "D" in ISDN stand for? "does."

As in It Still Does Nothing.

Old telecom joke.

Stuxnet

[scorp1us]

"Or maybe you could isolate control systems from the Internet."
Wasn't Stuxnet partially a sneakernet operation? I can't imagine Iran being so stupid to connect secret centrifuges to the internet.

The only way to win is not to play.

Re:Stuxnet

[NixieBunny]

Yes, it was a USB flash drive with a firmware update.

I work on a telescope whose Siemens PLC is so old that it has a PROM in a 40 pin DIP package for firmware updates. Not that we've touched the firmware in 20 years. After all, it works. And it ought to work for another 20 years, as long as we replace the dried-out aluminum electrolytic capacitors regularly.

This is very, very old

[gweihir]

It is called self-secure systems. They have limiters, designed-in limitations and regulators in there that do not permit the systems to blow themselves up and there is no bypass for them (except going there in person and starting to get physical). This paradigm is centuries old and taught in every halfway reasonable engineering curriculum. That this even needs to be brought up shows that IT and CS do not qualify as engineering disciplines at this time. My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems. When I asked my EE student class (bachelor level) what they though about that, their immediate response was that this is stupid. Apparently CS types are still ignoring well-established knowledge.

Re:This is very, very old

[DMUTPeregrine]

That's because CS is math, not engineering. Computer Engineering is engineering, Computer Science is the study of the mathematics of computer systems. CE is a lot rarer than CS though, so a lot of people with CS degrees try to be engineers, but aren't trained for it.

Re:This is very, very old

[vux984]

My guess would be that people have been exceedingly stupid, e.g. by putting the limiters in software in SCADA systems.

Or they just did what they were told by management. After all, software solutions to problems tend to be a fraction of the price of dedicated hardware solutions, and can be updated and modified later.

Apparently CS types are still ignoring well-established knowledge.

You can't build a SCADA system with *just* CS types; so apparently all your 'true engineers' were also all asleep at the wheel. What was their excuse?

Seriously, get over yourself. The CS types can and should put limiters and monitors and regulators in the software; there's no good reason for them not to ALSO be in there; so when you run up into them there can be friendly error messages, logs, etc. Problems are caught quicker, and solved easier, when things are generally still working. This is a good thing. Surely you and your EE class can see that.

Of course, there should ALSO be fail safes in hardware too for when the software fails, but that's not the programmers job, now is it? Who was responsible for the hardware? What were they doing? Why aren't those failsafes in place? You can't possibly put that at the feet of "CS types". That was never their job.

analog vs digital isnt the problem

[Osgeld]

analog is actually more suceptable to interference generated by rather simple devices, as there is no error checking on whats being fed to the system

the problem is your reactor is for some fucking reason hooked to the same network as facebook and twitter

Re:analog vs digital isnt the problem

[Tablizer]

the problem is your reactor is for some fucking reason hooked to the same network as facebook and twitter

Rats, I knew I shouldn't have "liked" nuclear meltdown.

Good idea

[Animats]

There's a lot to be said for this. Formal analysis of analog systems is possible.The F-16 flight control system is an elegant analog system.

Full authority digital flight control systems made a lot of people nervous. The Airbus has them, and not only do they have redundant computers, they have a second system cross-checking them which is running on a different kind of CPU, with code written in a different language, written by different people working at a different location. You need that kind of paranoia in life-critical systems.

We're now seeing web-grade programmers writing hardware control systems. That's not good. Hacks have been demonstrated where car "infotainment" systems have been penetrated and used to take over the ABS braking system. Read the papers from the latest Defcon.

If you have to do this stuff, learn how it's done for avionics, railroad signalling, and traffic lights. In good systems, there are special purpose devices checking what the general purpose ones are doing. For example, most traffic light controllers have a hard-wired hardware conflict checker. If it detects two green signals enabled on conflicting routes, the whole controller is forcibly shut down and a dumb "blinking red" device takes over. The conflict checker is programmed by putting jumpers onto a removable PC board. (See p. 14 of that document.) It cannot be altered remotely.

That's the kind of logic needed in life-critical systems.

Re:Good idea

[pipedwho]

It's not that the secondary system is 'cross checking' or comparing results. They are really just monitoring circuits with a particular set of rules embedded in separate circuitry that just makes sure the primary system never breaks those rules. It is effectively the master control and will always 'win' if there is a problem. They are designed to be simple, robust and if possible, completely hardware based.

Some other examples are 'jabber' control hardware lockouts to stop a radio transmitter from crashing and permanently keying active; the watchdog timers in critical systems that will reset the system if it isn't periodically reset; power control systems that shutdown power domains if an overload is detected; etc.

Something like a nuclear power station should have more complex monitoring systems, but the rules are similar. In modern critical system design, the rules are generally set up to require a sanitising channel between the 'internet' and the control network. That channel may be some simple UART to UART based control logic that allows the a subset of general control commands to be issued without the ability to override the primary safety lockouts. If you want to override those, you have to turn up in person.

This type of security has been standard practice for years by the embedded systems engineers. Once people started shoehorning inappropriate solutions into critical system control, that's where it went belly up. That's where you end up with glorified 'web coders' writing what should be done by someone that understands the pitfalls. Sometimes, it's because 'management' has decided to requisition and install something beyond the design parameters set by the engineers.

Re:Good idea

[Viol8]

"Code written in a different language is totally helpless here"

No it isn't. Some languages have different pitfalls to others eg, C code often has hidden out of bounds memory access issues , Ada doesn't because checking these is built into the runtime. Also different languages make people think in slightly different ways to solve a problem which means the chances of them coming up with exactly the same algorithm - and hence possibly exactly the same error - is somewhat less.

yes isolate

[globaljustin]

Or maybe you could isolate control systems from the Internet.

Unkown Lamer has it.

tl;dr - using analog in security situations would be obvious if "computer security" wasn't so tangled in abstractions

Sure someone may point out that the "air gap" was overcome by BadBios http://it.slashdot.org/story/1... but that requires multiple computers with speakers and microphones connected to an infected system

IMHO computer security (and law enforcement/corrections) has been reduced to hitting a "risk assessment" number, which has given us both a false sense of security & a misperception of how our data is vulnerable to attack

100% of computers connected to the internet are vulnerable...just like 100% of lost laptops with credit card data are vulnerable

Any system can have a "vulnerability map" illustrating nodes in the system & how they can be comprimised. I imagine it like a Physical Network Topology map for IT networking only with more types of nodes.

This is where the "risk assessment" model becomes reductive...they use statistics & infer causality...the statistics they use are historical data & they use voodoo data analysis to find **correlations** then produce a "risk assessment" number from any number of variables.

If I'm right, we can map every possible security incursion in a tree/network topology. For each node of possible incursion, we can identify every possible vulnerability. If we can do this, we can have alot more certainty than an abstract "risk assessment" value.

Analog comes into play thusly: if you use my theory, using **analog electronics** jumps out as a very secure option against "cyber" intrusions. Should be obvious!

"computer security"....

besides digital or analog, for safety, use physics

[raymorris]

Analog vs. digital, fully connected vs less connected - all can fail in similar ways. If it's really critical, like nuclear power plant critical, use simple, basic physics. The simpler the better.

You need to protect against excessive pressure rupturing a tank. Do you use a digital pressure sensor or an analog one? Use either, but how also add a blowout disc made of metal 1/4th as thick as the rest of the tank. An analog sensor may fail. A digital sensor may fail. A piece of thin, weak material is guaranteed to rupture when the pressure gets to high.

Monitoring temperature in a life safety application? Pick analog or digital sensors, ei ther one, but you better have something simple like the vials used in fire sprinklers, or a wax piece that melts, something simple as hell based on physics. Ethanol WILL boil and wax WILL melt before it gets to be 300 F. That's guaranteed, everytime.

New nuclear reactor designs do that. If the core gets to hot, something melts and it falls into a big pool of water. Gravity is going to keep working when all of the sophisticated electronics doesn't work because "you're not holding it right".

No, it's education

[Casandro]

Such systems are not insecure because they are digital or involve computers or anything. (seriously I doubt the guy even understands what digital and analog means) Such systems are insecure because they are unnecessarily complex.

Let's take the Stuxnet example. That system designed to control and monitor the speed at which centrifuges spin. That's not really a complex task. That's something you should be able to solve in much less than a thousand lines of code. However the system they built had a lot of unnecessary features. For example if you inserted an USB stick (why did it have USB support) it displayed icons for some of the files. And those icons can be in DLLs where the stub code gets executed when you load them. So you insert an USB stick and the system will execute code from it... just like it's advertised in the manual. Other features include remote printing to file, so you can print to a file on a remote computer, or storing configuration files in an SQL database, obviously with a hard coded password.

Those systems are unfortunately done by people who don't understand what they are doing. They use complex systems, but have no idea how they work. And instead of making their systems simpler, they actually make them more and more complex. Just google for "SCADA in the Cloud" and read all the justifications for it.

Battlestar Galactica

[sg_oneill]

Reminds me a bit of one of the tropes from battlestar galactica. Adama knew from the previous war that the cylons where master hackers and could disable battlestars by breaking into networks via wireless and then using them to disable the whole ship, leaving them effectively dead in the water, so he simply ordered that none of his ship ever be networked and that the ship be driven using manual control. Later on they meet the other surviving battleship, the pegasus, and it turns out that only survived because its network was offline due to maintainance. Its not actually a novel idea in militaries. I remember in the 90s doing a small contract for a special forces group I can't name, and asked them about their computer network. He said they used "Sneaker-net", which is that any info that needed transfer was put on a floppy and walked to its destination, thus creating an air gap between battlefield systems.

I guess this isn't quite that, but it certainly seems to be a sort of variant of it.

This fixes it as a side effect

[gman003]

The core problem is that "data" and "code" are being sent over the same path - the reporting data is being sent out, and the control "data" is being sent in, but it's over a two-way Internet connection. If you had an analog control system that was openly accessible in some way, you'd have the exact same problems. Or you could have a complete separate, non-public digital control connection that would be secure. But nobody wants to lay two sets of cable to one device, and there's a convenience factor in remote control. So since security doesn't sell products*, but low price and convenience features do, we got into our current situation. It's not "digital"'s fault. It's not "analog"'s fault. It probably would have happened even if all our long-range communication networks were built of hydraulics and springs.

* For those who are about to point out how much money antivirus software makes, that's fear selling, not security. Fear moves product *very* well.

"Isolate from the Internet" is hard

[roca]

Air-gap alone is not enough. Stuxnet travelled via USB sticks. And if your hardware (or anything connected to it) has a wireless interface on it (Bluetooth, Wifi, etc), you have a problem ... an operator might bring a hacked phone within range, for example.

Simplifying the hardware down to fixed-function IC or analog reduces the attack surface much more than attempts to isolate the hardware from the Internet.

Re:"Isolate from the Internet" is hard

[thegarbz]

Simplifying the hardware down to fixed-function IC or analog reduces the attack surface much more than attempts to isolate the hardware from the Internet.

It also dramatically reduces the functionality. You've saved yourself from hackers only to get undone by dangerous undetected failure of instrumentation. Anyone who boils a security argument down to stupefying everything has missed a world of advancements which have come from the digital world. Thanks but no thanks. I'm much more likely to blow up my plant due to failed equipment than due to some hacker playing around.

Obvious solution is obvious

[Karmashock]

The hubris of some thinking that everything can be linked to the internet while maintaining acceptable security is ignorant.

Some systems need to be air gapped. And some core systems just need to be too simple to hack. I'm not saying analog. Merely so simple that we can actually say with certainty that there is no coding exploit. That means programs short enough that the code can be completely audited and made unhackable.

Between airgapping and keeping core systems too simple to hack... we'll be safe from complete infiltration.

Lots of unproven assertions here.

[johnnys]

"obvious: that 'every digital system has a vulnerability,' "

So far, this has been demonstrated (NOT proven) only in the current environment where hardware and software architects, developers and businesses can get away from product liability requirements by crafting toxic EULAs that dump all the responsibility for their crappy designs and code on the end user. If the people who create our digital systems had to face liability as a consequence of their failure to design a secure system, we may find they get off their a**es and do the job properly. Where's Ralph Nader when you need him?

And as the original poster noted, you CAN isolate the control systems from the Internet! Cut the wire and fire anyone who tries to fix it.

"analog protection systems have one big advantage over their digital successors: they are immune"

Nonsense! There were PLENTY of breakins by thieves into banks, runaway trains, industrial accidents and sabotage BEFORE the digital age. There was no "golden age" of analog before digital: That's just bullsh*t.

perspective of a controls engineer--

[volvox_voxel]

There are billions of embedded systems out there, and most of them are not connected to the internet. I've designed embedded control systems for most of my career, and can attest to the many advantages a digital control system has over an analog one. Analog still has it's place (op-amps are pretty fast & cheap), but it's often quite useful to have a computer do it. Most capacitors have a 20% tolerance or so, have a temperature tolerance, and have values that drift. Your control system can drift over time, and may even become unstable due to the aging of the components in the compensator (e.g. PI, PID,lead/lag) .. Also a microcontroller wins hands down when it comes to long time constants with any kind of precision (millihertz). It's harder to make very long RC time constants, and trust those times. Microcontrollers/FPGA's are good for a wide control loops including those that are very fast or very very slow. Microcontrollers allow you to do things like adaptive control when you plant can vary over time like maintaining a precision temperature and ramp time of a blast-furnace when the volume inside can change wildly.. They also allow you to easily handle things like transport/phase lags, and a lot of corner conditions, system changes -- all without changing any hardware..

I am happy to see the same trend with software-defined radio, where we try to digitize as much of the radio as possible, as close to the antenna as possible.. Analog parts add noise, offsets, drift, cross-talk exhibit leakag,etc.. Microcontrollers allow us to minimize as much of the analog portion as possible.

Re:The difference between CS and CE ...

[ttucker]

That's because CS is math, not engineering. Computer Engineering is engineering, Computer Science is the study of the mathematics of computer systems. CE is a lot rarer than CS though, so a lot of people with CS degrees try to be engineers, but aren't trained for it.

The difference between CS and CE is usually just the name the department chooses, not their course work. In other words it is usually a cosmetic difference.

This is not true, or even approximately true. CE is a discipline of EE. It is created mostly by learning EE, with a few computer architecture classes, lots of Verilog, and a few CS classes. In most universities, the program is offered by the EE college.

Re:besides digital or analog, for safety, use phys

[ttucker]

Is a piece of wax melting analog, or something else entirely?

Tautology

[Yoda222]

A "cyber-attack" is a digital attack. So if your system is not digital, you can't be cyber-attacked. Great news.

Re:Tautology

[TeknoHog]

No. A "cyber-attack" is an attack on a "cyber". Whatever the fuck that is.

Cybernetics refers to control and feedback systems, which is traditionally an analogue discipline. Today "cyber", for whatever reasons, refers to doing things over teh intarwebz. So the problem is having old cyber connected to new cyber.

(BTW, "cyber" has something to do with "android" when you stay within either one of the "old" or "new" namespaces.)

Re:besides digital or analog, for safety, use phys

[CGordy]

It's digital. It's either melted, or it's not.

@ CGordy - Re:sure, no problem

[nukenerd]

I am a nuclear power station engineer, in fact I am in line of signing off everything that might affect plant safety. I recognise most of what you say, such as the plant not relying on any one safety system, but on two or even three (depending on potential severity) independent and differently designed control systems (not counting the human watchkeepers) - the jargon being "redundancy and diversity". An earlier poster implied that a digital system would save people being called out of bed at 3 am for a plant event, but on my nuclear plants this would happen anyway. The station manager would certainly be called up for a plant trip (at the very least because he would want to know about it), as would several other personnel, even though safe shut-down would not depend on their presence as it would be done automatically anyway.

However, the plant operators are engineers (this is the UK) and the senior ones and fast-track juniors have degrees (though a degree does not mean so much these days), even though the Operating Department is separate from the Engineering Department. Personnel do move from one to the other, and it is expected that even senior management will have had at least a few months experience "on the desk" (ie in the Control room).

There is no way whatsoever, no-how, any-which-way-but-loose (how else can I say it?) that these sysems would have any connection to the outside world or even within the plant itself to other than to the essential control panels.

There is however a problem with modern "smart" devices such as thermocouple local amplifiers/transmitters with microchips in them. This is that we don't always know how they are programmed. I am not talking about malware, but simply the programmer making errors (or well-meaning assumptions) such as buffer overflow after a certain future date. For this reason we prefer the old-fashioned analog versions of devices at this level.