600.436 High-Assurance Systems
Fall 01/Introduction
Threat Models are not Perfect
• 1986: 5ESS: 5 mins downtime in 25 years
  – Including routine maintenance
  – Included backup batteries, power-fail detection, and “scream for help” facilities for unattended (switching bunker) operation.
• Mother’s Day, 1988, Hinsdale, Illinois
  – Switching center fire disrupts service to 35,000 customers
  – This was a triple failure: ambiguous alarm design, simultaneous low-probability alarms (power, fire), and failure of the alarm circuits to reset correctly.
• Threat model was (needless to say) revised…
• SECURITY IS A PROCESS, NOT A SOLUTION!