undefined | Better HN

0 pointsWalterBright5y ago0 comments

I also wonder why nobody who has secure computing issues demands physical write-enable switches for ROM, rather than using software switches that are inevitably corrupted.

0 comments

5 comments · 1 top-level

rckoepke5y ago· 4 in thread

Generally it's been the opinion that the control systems need to be modifiable. For example if you add a single valve in a facility which has 4,000 valves already, it would be nice to just add add a controller for that valve to the current SCADA system.

However, a write-only ROM system is possible as long as the ROM chips were reasonably affordable and a company could provide reasonable turnaround times for small modifications. That would move the target of vulnerability up the supply chain.

Some of the things which matter though are necessarily run-time variables like "is the valve commanded open or closed?" and "what are the tuning parameters for this PID control loop?". It's always theoretically possible for a buffer overflow/rowhammer/etc to flip the bit responsible for the valve's open/closed command. Even with an OS/Application stack burned into ROM. You still need RAM.

At least power cycling a readonly-storage device would remove any malicious RAM changes.

WalterBrightOP5y ago

Thanks for your many informative posts here. It's a pleasure reading from someone who knows what they're talking about :-)

I did say ROMs, but you can also use EEPROMs, which are erasable in-circuit, and you certainly put a physical write-enable in that circuit. Ideally, it would be a momentary push-button that has to be pushed in person on-site.

Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.

WalterBrightOP5y ago

Another thing that can be done is to divide the pipeline into several sections, not just one long one. So if one section gets compromised, it doesn't propagate to the next.

PeterisP5y ago

Do you propose that each section gets their own control/monitoring facility staffed 24/7 ? If not, the shared control/monitoring facility is the most likely place of compromise anyway, and it by design can control all the pipeline hardware.

ineedasername5y ago

I'm not sure how that would work-- each section would still need to send its petroleum products to the next section, making it effectively still one pipeline. Unless I misunderstand your statement?

1 more reply

j / k navigate · click thread line to collapse

0 comments

5 comments · 1 top-level

rckoepke5y ago· 4 in thread

At least power cycling a readonly-storage device would remove any malicious RAM changes.

WalterBrightOP5y ago

Thanks for your many informative posts here. It's a pleasure reading from someone who knows what they're talking about :-)

Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.

WalterBrightOP5y ago

Another thing that can be done is to divide the pipeline into several sections, not just one long one. So if one section gets compromised, it doesn't propagate to the next.

PeterisP5y ago

ineedasername5y ago

I'm not sure how that would work-- each section would still need to send its petroleum products to the next section, making it effectively still one pipeline. Unless I misunderstand your statement?

1 more reply

j / k navigate · click thread line to collapse