Tracking the Blackout Bug 207
Alien54 writes "This earlier Slash story cited a CNN news report on how the August blackout was preventable. But, as seen in this Security Focus article, things are not so simple. 'In the initial stages, nobody really knew what the root cause was,' says Mike Unum, manager of commercial solutions at GE Energy. 'We test exhaustively, we test with third parties, and we had in excess of three million online operational hours in which nothing had ever exercised that bug,' says Unum. 'I'm not sure that more testing would have revealed that. Unfortunately, that's kind of the nature of software... you may never find the problem. I don't think that's unique to control systems or any particular vendor software.' Which leads to a number of other questions."
Software bug was just one part of bigger problem (Score:5, Informative)
Poor vegetation management probably played an even bigger role as overloaded power lines warmed up, expanded and sagged into trees and bushes that were supposed to have been cut back.
Poor communications between utilities played a major role.
This whole section of the transmission system was known to be unstable.
An inadequate regulatory structure lacked teeth to deal with known problems.
Lack of adequate transmission line capacity
If all these other problems hadn't been in place, the software bug might never have surfaced. And certainly, the rpoblems would have been contained within a much smaller area -- maybe just First Energy's service area.
An article [tipmagazine.com] featured on Slashdot last year lays out the underlying complexity of the power grid very well: "The World's Largest Machine"
Re:Software bug was just one part of bigger proble (Score:5, Interesting)
As well refer to the things leading up to WWII as 'one problem'.
This Defines All Catastrophic Failures (Score:2)
In the case of HVAC fire systems, there are probably over 500,000 installations of HVAC systems, and these are tested under real fire conditions several times a year (where the type of feedback seen in this blackout investigation is made, each time).
I think this should support Raindance's pointRe:Software bug was just one part of bigger proble (Score:2, Flamebait)
Realistically none of these problems had to happen and wouldn't have happened if the people in charge were doing their jobs. Maybe they were working on a way to make cold fusion feasible, I don't know but if they were negligent then they need to be removed from their position. If they were just too busy with other aspects of the system then they need to bring more people in so the system can be properly maintained. A power outage is a big
Re:Software bug was just one part of bigger proble (Score:3, Funny)
World's largest machine (Score:5, Interesting)
OK, it's nitpicking, but the largest machine is arguably the telephone system. Among other things, it maintains a synchronized clock (8 kHz base), even across oceans and continents.
Re:World's largest machine (Score:2)
Re:World's largest machine (Score:2)
Re:World's largest machine (Score:2)
When we went more digital, we assigned large optic ring networks (SONET) where pearts were for digital sending of analog and the others were for true digital data. Ever since the switch of ESS back in '87, we've been all using digital phone lines. They just happen to have a D/A hooked to them (thats what leads to our houses).
Re:World's largest machine (Score:3, Insightful)
It's actually plesiochronus, and only synchronized within certain (relatively large) regions. And I don't know where you're getting that 8 kHz figure from.
Basic relativity (not to mention propogation) will tell you that what you're describing is impossible.
de centralised power (Score:2, Insightful)
Re:Software bug was just one part of bigger proble (Score:5, Insightful)
Why don't we point out the real problem that likely caused this to happen. Energy deregulation in the first place.
I know I'll be jumped on by the free market types for daring to suggest this, but I'd rather have a regulated monopoly then a free-market for my life essential services anyday of the week. That article you linked is very interesting reading. Some quotes:
Of course it's the first quote that rings true with me. If deregulation is so friggen great then where is the cheap electric? Why can my Village sell me electric for $0.04/kWh with their regulated municipal power authority (while paying their workers Government rates and with Government benefits) when my girlfriend (who lives a whole two miles away) pays $0.14/kWh for electric supplied by a company that is supposedly part of the free market (a company that pays their employees crap and outsources their call center/billing functions to India). What's the problem with that picture?
Before energy deregulation the price of our electric was regulated by the PSC (Public Service Commission) and was fairly stable. The company that had the monopoly in this area made a set amount of profit (it wasn't a bad stock to pick up either -- you knew what you were getting), treated their employees well and charged a fair rate. Nowadays they treat their employees like crap, the stock has tanked because they are eating the price difference from their suppliers (otherwise we'd be paying about $0.20 kWh) and they are being raped by out of state suppliers that bought all of their generation capacity.
In another slightly related story the out of state company that bought one of their power plants sued the local township because they wanted the tax levy on the power plant reduced. They claimed that it wasn't worth what it used to be because they didn't plan on operating it (it was to be backup generation). After a three-year legal battle the township lost (ran out of money to pay the lawyers) and the tax levy was reduced by some 60%. Property and school taxes on
Re:Software bug was just one part of bigger proble (Score:2, Interesting)
I think it is more accurate to say that deregulation enabled, not caused, the problem. Certainly First Energy used deregulation to put in place much of the pieces of the problem. You just don't hear about all the well run deregulated power systems.
Re:Software bug was just one part of bigger proble (Score:2, Insightful)
Yes, we do not hear about them, because they do not exist.
Sure, it was First Energy's lines that failed initially, but if it wasn't First Energy, some other utility would have failed eventually. The engineering and the legal descriptions of the current electrical generation and distriubtion system in North America are at odds with one another.
There's a good technical discussion [tipmagazine.com] on the failings of the power grid that may interest you
Re:Software bug was just one part of bigger proble (Score:2)
So if I enable a problem that wasn't enabled before that means I didn't cause it? Explain that one to me. You just don't hear about all the well run deregulated power systems.
Generally speaking if you don't hear about something then it probably doesn't exist.
Re:Software bug was just one part of bigger proble (Score:2)
Perhaps because the municipal power authorities don't pay any attention to the future, take new lines the the non-municipal paid to install without paying for it, has many more customers per mile, and does minimal maintenance.
At least in my area it is like that. I'm a member of an electric co-op. We have 16 customers per mile of line on average, the nearest investor owned utility has ~45, and the municipal ~115. The municipal takes the high profit lines, and leaves the rest to someone else. Both the
Re:Software bug was just one part of bigger proble (Score:3, Insightful)
I'm going to call bullshit on that. My Village has been running municipal electric since the 1910s. It is self-sustaining (i.e: takes in enough money to operate without using tax dollars) and geared towards the future. They didn't annex any lines or equipment from private companies -- it was built from the ground up. They don't own their own generator plants anymore (last one went offline in the 50s) -- they
Re:Software bug was just one part of bigger proble (Score:3, Interesting)
Bzzzt wrong answer. My municipal power agency has been self-sustaining since 1920. They don't take in any tax dollars -- they run it all on the money they take in. Sure it's a Government run Agency so it can't make a profit (though
Re:Software bug was just one part of bigger proble (Score:2)
Yeah, and don't forget the biggest cause: Canada! We all knew immediately that it was their fault. They probably wrote this software too.
Well if you've got no warning... (Score:2, Insightful)
For the 21st century... (Score:3, Funny)
Re:For the 21st century... (Score:5, Insightful)
Re:For the 21st century... (Score:2)
Many businesses can't function, businesses of all types from banks to some hotels, to retailers, printing presses, the list goes on.
We are very fortunate to have a power grid as stable as it is. For the most part things do just work, although there is no telling how much damage is done every year to electronics because someone turne
Re:For the 21st century... (Score:3, Interesting)
Bug free! (Score:5, Funny)
{
return 0;
}
Because I have shown you bug free software, does that invalidate the rest of your argument?
Matt Fahrenbacher
Re:Bug free! (Score:2)
See you relied on BUGGY software to make a binary of your "perfect program"
Re:For the 21st century... (Score:5, Insightful)
Actually, that's statistically untrue. We have, perhaps, the least reliable power system in all the countries of the first-world. Sure, 3rd-world countries have worse-off power systems, but the comparison isn't valid at all.
Since when does the hardship of others make an unreliable power system a plus? Some places may be worse, but so what? We pay a lot for power, and expect our money is being spent on making sure we DO NOT have many outages.
Meanwhile, in California, prices are high, and power was VERY unreliable. "Rolling Blackouts" anyone?
My point is this. If something is broken, we want to fix it. We don't want to sit around saying "Well, it isn't as broke as that one". If we do, pretty soon it will get worse, and worse, and worse, until we have no other countries to point at.
How about our medical system, and water utility? Should we accept thousands of deaths due to malpractice, or contaminated water, by just saying "Well, it's not as bad as country XYZ"? No, I don't think anyone would believe that, but it's really the same thing. Power outages do mean deaths, and do mean losses of lots of money. Businesses can't run, food can't be properly preserved, or even delivered. People die of heat-stroke, or hypothermia due to power loss. Ambulances can't get through dense traffic caused by traffic signals loosing power, etc.
A power outage is a lot more serious than people "whining" about not being able to watch TV... And yet you get moderated up anyhow... Amazing.
Re:For the 21st century... (Score:5, Informative)
NOTE: I AM NOT SAYING BRAZIL IS BETTER THAN THE USA... JUST THAT IT'S NOT WORSE EITHER.
Brazil's electrical power, as of 2001, was about 97% hydroelectric. Because of years of below-average rainfall, this system was threatened, and in 2001, we were told there might be "rolling blackouts" here (except that the Brazilian government, unlike the US government, was honest enough to call it what it was: power rationing). We ended up not getting any "rolling blackouts," and a regression toward the mean in rainfall has left us sufficiently well off that we don't even have to use the new polluting thermo plants that were built around the time of the crisis. Electrical power here is cheap and reliable, especially compared to places like California, where a lot of my friends had to endure "rolling blackouts" because the folks at the deregulated power companies decided to put more money on their bottom line by not investing in infrastructure upgrades and maintenance. So the execs who made those decisions increased profits in the short term, increasing their bonuses and the value of their stock. When the $#!+ hit the fan, guess who had to pay, both in damages from "rolling blackouts" and in higher rates? The consumers, of course!
The only power problems I've had here in São Paulo were a neighborhood issue, not a city-wide, state-wide, or nation-wide problem. Basically, the new condo across the street overloaded the local grid 3 times in a 2-week span. The worst thing is that the new condo has its own generator, so the newcomers would knock out the neighborhood power and then not even notice, because their generator kicked in. Meanwhile, those of us who had already been in the neighborhood were screwed. Even those problems have been resolved, though. With even more people moving into the new condo, it's been about 6 weeks since we had a problem. The power companies here are pretty efficient. Yeah, I'd have liked for somebody to stop people from moving into the new condo until the local power grid was adequately updated, but they responded pretty quickly once the problem did present itself in an inconvenient way.
--Mark
Re:For the 21st century... (Score:2)
I'm sure it's not just Brazil.
In the US, the big thing we have going for us is a lot of competition between companies. That means a lot of choice in products, and low prices. However, there are a lot of exceptions to that, and we are completely screwed when it comes to anything monopolized, or govern
Re:For the 21st century... (Score:2)
Lack of capacity isn't lack of reliability.
Re:For the 21st century... (Score:2)
Yes, it is. In fact, lack of capacity is a CAUSE of the lace of reliability.
If there is not power to your wall, the power system has failed. It doesn't matter how reliable the individual power plants are, we are talking about overall grid reliability.
Re:For the 21st century... (Score:2)
I have two units myself.
Re:For the 21st century... (Score:2)
B Method? (Score:5, Interesting)
Isn't this the type of problem the B Method (and maybe the Z language too) are designed to address? Use proof logic initially - once you have decided on a behavior you want, design the system in such a way that it is provable it executes this design.
That doesn't mean the DESIGN is flawless, of course. But if we start engineering software on as many levels as we can, mightn't things improve? Normal software development and testing would never have found a critical bug with rare trigger conditions and a millisecond window. If you need precision on that level, you need to (for starters) to KNOW your implimentation of your design is sound, and preferably the code you are running exactly impliments the proven logic. Isn't this what the B Method was created for?
Re:B Method? (Score:5, Interesting)
Ye gods, you've frightened the hell out of me with reference to Z. I'd almost entirely forgotten it, and had hoped its cold corpse would lie in the ground undisturbed, undiscovered and most importantly of all unreferenced until the end of time. Still, "That is not dead which may eternal lie"...
Z is a beautiful way to mathematically prove that you have design bugs at the highest level possible. You can then design your unit tests around those bugs, and confirm that they're valid.
That's it. It provides nothing else that unit testing on its own couldn't do, with the exception of a few salaries and a research grant here and there. Whilst you can mathematically prove implementations of certain designs, the vast majority of designs have more complex interactions. Try using Z for a multithreaded real-time environment for example - my Software Engineering tutor at the time, Iain Sommerville (well known in the field due to his books, oh and 'at the time' would ~1993), basically said that Z just breaks down in those circumstances. I wouldn't know - I personally had no clue how to even make it begin in those circumstances, let alone break down.
Please confine Z to camp-fire ghost stories used to scare new programmers. It always was a living hell, and it really shouldn't be resurrected now.
Cheers,
Ian
Re:B Method? (Score:5, Interesting)
Now admittedly, FirstEnergy's system is a little smaller in territory, but I wonder if their mergers over the recent years (Cleveland Electric and Ohio Edison became FE, and then proceeded to take Toledo Edison and GPU of PA) have outpaced the collection capabilities of their mainframe (which was already at the end of its life and was scheduled to be replaced). That could account for some of the "slowing" that the G.E. testers said they had to do to make the race condition appear.
Re:B Method? (Score:2, Interesting)
Problem is, doing and verifying proofs is just as subject to error as creating and reviewing code. All you've really done is change your symbol set.
Re:B Method? (Score:3, Insightful)
Unfortunately, if you actually come out of the library and the computer labs, software has to be done -- yesterday. Flawless, provable code would cause most software houses to go bankrupt. It's a fact of life...
I don't trust this Mike Unum guy... (Score:2, Funny)
The American jackasses who blamed Canada (Score:5, Interesting)
Canada has a history of bad grid control (Score:3, Informative)
What they didnt know is that the energy was routed through the southern bit of Canada along the lake area, back into the USA in Michigan, to feed all of the communities along the southern shores of th
Re: (Score:2, Insightful)
Re: (Score:2)
Re:The American jackasses who blamed Canada (Score:2)
With their beedy lil' eyes and flapping heads so full of lies!
Xenophobic, yes.
"In the initial stages, nobody really knew what the root cause was,"
But you know, there are freedom canadians! And they put gravy and cheese on their freedom fries, those foreign weirdos...
Re:The American jackasses who blamed Canada (Score:4, Funny)
Testing isn't the answer... (Score:5, Insightful)
The only way to have bug-free software is to write it properly. You have to modularize and simplify everything down to the point that each one is easilly understandable, and it is easy to detect when one is providing a sensless answer (in other words, cross-checking every result). Then, you have to tie them all together in a robust but simple way.
I know it's far easier to say it than do it, but it seems like nobody even tries to do it these days. Even mission-critical systems are commonly built as a single monolithic program, and when you have a lot of things going on within a single program, with no checks of the sanity of the data going into or comming out of each component, there is no way to be 100% certain that the program is theoretically and genuinely perfect. Meanwhile, by modularizing everything, you can PROVE that it is actually perfect.
But this is really just the old Macrokernel vs. Microkernel arguement all over again. A Microkernel can be perfect, while a macrokernel can never be completely bug-free, but people just find the latter to be easier to write, and then spend hundreds times more man-hours finding and removing bugs, rather than spending (less, overall) time doing it correctly in the first place.
Oh yes, almost forgot, IMHO...
Re:Testing isn't the answer... (Score:2, Insightful)
You invoke the magic buzzwords of "modular design" as if it were a new thing. It isn't. That concept is older - in practice, even - than the median user on
Magic buzzwords can't prevent defects from occurring. QA can't find them all, no matter the bu
Re:Testing isn't the answer... (Score:2)
Fortunately, that's not true. Unfortunately, nobody seems to even try to write provably bug-free code.
/. story touted the first provably unbreakable encryption method. Now, it's not a method tha
You see, everything dealing with computers in math. Everything that happens can be simplified down to a binary-base math problem. In math (unlike the real world) you CAN prove that something is perfect.
For instance, it was a while back that a
Re:Testing isn't the answer... (Score:3, Insightful)
Umm, no. Modular design is great for theoretical process correctness, i.e. if a certain input is made to the running program, will it provably produce a certain output. The main problem with this, of course, is it assumes that the program is physically running the whole time.
The systems (I assume) are being used here have to deal with more ephemeral and unpredictable conditions: failing hardware, CPUs going offline in the
Reasons for power blackouts (Score:5, Interesting)
This paper [computer.org] (click on the PDF link) has a good summary of the problems in keeping power outages from happening again.
Re:Reasons for power blackouts (Score:2)
No, I'm not ready to give up on an industry that, so far, is so exceptionally reliable that most people are without electricity for maybe 5 hours out of the year. We get excited just for approaching that level of reliab
Re:Reasons for power blackouts (Score:2)
No, I'm not ready to give up on an industry that, so far, is so exceptionally reliable that most people are without electricity for maybe 5 hours out of the year. We get excited just for approaching that level of reliability
Re:Reasons for power blackouts (Score:2)
What
Race conditions are nasty ... (Score:5, Insightful)
Re:Race conditions are nasty ... (Score:2, Informative)
Baloney. It is possible to write programs for which race conditions are undecideable. Such programs are broken. It is possible to write programs for which race condition detection is NP-hard. Such programs are broken if N is large. It is also possible to write programs for which race conditions can be proven to be absent. That's what you want to do.
Actually, it's straightforward to design software to be fre
Re:Race conditions are nasty ... (Score:3, Informative)
hint: NP-hard [wikipedia.org] is a problem that is NP-complete [wikipedia.org], or worse. An NP-hard problem does not have to be solvable. NP [wikipedia.org] in this context stands for nondeterministic polynomial (with reference to time bounds). NP means that a problem can be solved in polynomial time with an infinitely parallel system. NP-complete problems are at least as hard as all other NP problems.
Sorry, it just bugs me whenever people try to talk about theory of CS and use "non-polynomial" or something
Re:Race conditions are nasty ... (Score:2, Insightful)
I doubt PGN was refering to software to test for race conditions; I expect he was alluding to methods for writing code that does not contain them. People have, after all, been thinking about Dining Philosophers [mtu.edu] for quite a while now, yet coders still do amazingly stupid things with threads.
Mutexes and Locks (Score:2)
You need programmers with a good background in real-time and concurrent programming, who understand the hazards and how to avoid them.
Re:Mutexes and Locks (Score:2)
Agreed. Including all the places that look innocent but are capable of encountering such hazards. Including the pathological cases where innocent-looking code can have extremely evil consequences. Including code that looks dangerous but is in fact safe. Including code that looks safe but is in fact dangerous.
Re:Race conditions are nasty ... (Score:2)
Right. Just one step at a time.
Unfortunately, the real world is asynchronous and it doesn't really work to say "Stop the world, I've got some computing to do".
it's also easy -- quite seductively easy -- to try to write excessively complex, multithreaded systems that are too complicated for you or anyone else to understand,
You're right, but methinks you understate the case.
Software ENGINEERING (Score:4, Interesting)
This case seems like a real good argument for having the same requirement for software.
Good engineering practice would probably have prevented this. A simple example of such a system would be a burglar/fire alarm panel. The system is self-checking. If any part of the system isn't working (ie. someone cuts a wire), then that causes an alarm.
I realize that there will be strange undetectable bugs in software but if the system as a whole is properly engineered, the system will fail gracefully and safely.
Re:Software ENGINEERING (Score:4, Interesting)
Now imagine if you have a layer in between; you want to monitor the fire status of a complex of warehouses from a single room several miles away. Analog/Digial the signals to all of the individual buildings, transport the data to a common computer, and view the data there. Figure you have several hundred buildings you're watching at once, and now you're getting closer in scale to how the grid dispatchers get their data.
Now imagine that the computer's software back at the main station reads all these meters, and if a line's open (say you're tracking window openings for security), it writes an alarm to a text log on the screen; on a good day, you don't get any alarms. Now suppose the driver that writes the alarms to the screen hangs; since you werent expecting any alarms, you're not that concerned that you aren't seeing anything. That's pretty much what caught FirstEnergy for those 3 hours that afternoon, while the system was failing and they didn't realize they needed to act.
Re:Software ENGINEERING (Score:3, Insightful)
A mission-critical system, by definition, cannot fail "safely", since it must not fail at all.
Re:Software ENGINEERING (Score:4, Interesting)
At first glance, that can seem like a good idea, but are you prepared to pay for that signoff from each engineer whenever you install a piece of software?
A PE signs off on each particular instance of a design taking intended use, site and other construction into account. If you then build elsewhere, you need a new signoff. If you make any significant change (including adding other structural elements to the design (that is, installing more software), you'll need a new signoff. Add a new network driver, another signoff. Upgrade the CPU? You guessed it!
Some software is poorly designed and crash prone. Other software is well designed but cannot be signed off on because it might be installed on nearly anything that pretends to be a compatible platform.
The one justification for that sort of signoff is in situations where a bug will kill someone. Even then, the system should be divided into critical and auxillary parts to limit what must be signed off on.
Autopilots work that way. You have a small and reletivly simple part that assures safe conditions, is extensively tested, and rarely changed. Another portion is more frequently updated, attempts to optimize the flight and provides a nicer interface. The latter can fail completely and the plane will continue to fly (possibly with poor fuel economy and the pilot navigating manually, but it won't fall out of the sky).
There are many tradeoffs. In some sense, many small distributed systems are more robust than centralized control. However, it's a lot easier to create a chaotic system that way. If you do, you won't know until the system falls into a weird state without warning.
Re:Software ENGINEERING (Score:3, Informative)
The system is full of inductors, whose voltage drop is determined by the change in current through them. If you disconnect a transmission line, suddenly you're trying to change the current to 0, which puts all of the inductors at whatever
Additional Information (Score:4, Interesting)
"DiNicola said Thursday that the company, working with GE and energy consultants from Kema Inc., had pinned the trouble on a software glitch by late October and completed its fix by Nov. 19..."
"With the software not functioning properly at that point, data that should have been deleted were instead retained, slowing performance, he said. Similar troubles affected the backup systems. " This dovetails well with why the testers had to "slow" their testing to make the race condition appear.
342 years of online operational hours? (Score:3, Insightful)
Now then, 3 million hours divided by 8760 hours per year equals approximately 342 years, modulo 4070 hours (i.e. approximately 169 days...).
Now then... how the hell do they get the idea that they've been up-and-running for 342 years? Are they counting things in parallel? Even if they were counting end-user operational hours, the number should at least be a couple orders-of-magnitude higher, no?
3M online operational hours sounds like fuddy-duddy accounting to me... although, obviously I haven't looked over the books. I would be interested to see how they came up with this number.
Re:342 years of online operational hours? (Score:4, Interesting)
x = "how many reactors they have in operation"
Testing vs RTFS. Proprietary vs open. (Score:5, Insightful)
if(int(rand()*1e20)==31337){
blow_up();
} else {
do_your_work();
}
Now I can't imagine amount of testing in proprietary software that could reveal this example of malicious code. In open source one look at the code will reveal it. Of course not all cases are so obvious, but always reading the code should be used together with "testing the software". How do you know lots of proprietary software that IS close-source isn't i.e. a gatweway for terrorists? How do you know biggest companies' stuff isn't all trojans? It wouldn't be hard to hide it. Say your software is kind of server. It does its job okay unless it receives TCP packets starting with certain string. Then it just executes commands contained after that string. Boom. No amount of -testing- will reveal this.
And there are bugs that can be triggered once in several billion cases. Only looking at the code could fix them and explaining "we did a lot of tests" is bullshit.
I put a lot of iron, gum, different materials, C4, glass and some more together and it goes, I call it "a car" and I rode 1000's of kilometers okay. Now no amount of testing in all road conditions will reveal it contains the C4 explosives. Looking under the hood will reveal it really fast.
"We test exhaustively..." (Score:4, Insightful)
I'm not saying it's always feasible to test exhaustively, but don't say you did when you clearly didn't.
Also: "we had in excess of three million online operational hours in which nothing had ever exercised that bug"
Taken with the "exhaustively" statement, I'm thinking that whoever said these things doesn't understand QA very well. It's easy to write code that works well when everything's good, and it's often just as easy to test that. It's another thing entirely to write code that works well (or fails gracefully) when everything's wrong. And again, it's harder to test that.
Statistics (Score:2)
Re:Statistics (Score:2, Informative)
Exhaustive \Ex*haust"ive\, a.
Serving or tending to exhaust; exhibiting all the facts or arguments; as, an exhaustive method. Ex*haust"ive*ly, adv.
Basically, it should mean you've tested everything (which is of course impossible in most cases).
The term usually used (and rightfully so) is extensive testing.
Re:Statistics (Score:3, Funny)
A perfect example (Score:2)
Someone said "always go with package installs" and that person had more seniority.
Unum. 'I'm not sure that more testing would have revealed that. Unfortunately, that's kind of the nature of software... you may never find the problem. I don't think that's unique to control systems or any particular vendor software.'
bugs are not inevitable (Score:4, Insightful)
For an obscure race condition, this is undoubtedly true.
Unfortunately, that's kind of the nature of software... you may never find the problem.
This is sorta true, sorta false, and definitely misleading.
I don't think that's unique to control systems or any particular vendor software.
No, it's not unique; bugs that may never be found are rampant in most varieties of software. What's false -- tragically, crushingly false -- is the presumption that these unfindable bugs are therefore inevitable. They are not.
If there's a class of bugs that's hard to test for -- and of course there are many such classes -- the prudent thing to do is to find development methodologies that skirt those bugs entirely. If you don't put in so many bugs in the first place, you obviously don't have to work so hard trying to find and fix them.
Why isn't this Open Source? (Score:2)
Re:The problem with SCADA systems (Score:5, Interesting)
You bring up a great point about failure states. I work for several large hotels and the fire control systems are the ones that alert whenever there is any problem of any kind largely because any problem of any kind needs to be addressed immediately so it makes sense.
I would think power systems would think along the same lines since the odds are, ANY failure whatsoever needs immediate attention of engineers that maintain the system. This is not a requirement for all software but when it comes to such critical services why doesn't everybody do the same practice? It seems so blatently obvious that alarms should have been raised.Also, in situation's where you don't work on a live environment you can always create a test environment that is for all intensive purposes "live" For web development work I do I have a testing domain which is used to test sites to ensure that because they work here in my lab they will work when I hand them off to the client. Its 100% accurate, I've seen it done with countless other systems, so why wasn't it done here?
Permanent Alarms (Score:2)
Re:Permanent Alarms (Score:2)
Re:The problem with SCADA systems (Score:5, Insightful)
Mostly because web systems are still toys compared to real systems.
These systems get real and very intensive testing in labs as close to live as they can get. Even once they knew the conditions and affected subsystems it took the dev and testing teams months to recreate this bug in the lab. The lab is never just like real life, it cannot be - because even real life now is not always the real life of 10 seconds ago.
Re:The problem with SCADA systems (Score:2, Informative)
Re:The problem with SCADA systems (Score:3, Interesting)
Re:The problem with SCADA systems (Score:3, Interesting)
Even if you could create a model to test with that is identical to the live system you cannot test every possible situation which can occur in the real world. Integration testing can only test those things which can be envisioned by th
Re:The problem with SCADA systems (Score:2, Interesting)
Testing is all fine and good, but there are always going to be instances where something will remain undetectable for years until circumstances are just right (wrong?)
I am a technician at a plant that makes batteries and we see this all the time.
I remember one time where an operator was cleaning a conveyor with a cloth soaked in Methanol (standard procedure) but forgot about the rag he had left on the underside of the running conveyor. Once the Meth had all
Re:The problem with SCADA systems (Score:2)
Re:The problem with SCADA systems (Score:2)
Re:The problem with SCADA systems (Score:2)
You can't simulate the real world (Score:2)
I'm not sure why that is even remotely hard to understand.
Re:You can't simulate the real world (Score:3, Insightful)
Now, for an example. I stress tested a database I am in the process of building for Mercedes, I made the machine come to crawl. I did it to a dual cpu server, a quad cpu server, and a 16 cpu server. Guess what? They all behaved exactly the same as the system grew. Now scale it up to the DB/2 cluster that it will actually be working on. I do the same thing and guess what? Yep, the exact same result.
If testing fails to produce an outcome that brings a
Testing cannot guarantee systems (Score:3, Insightful)
The first thing they teach you in a software testing course is that testing cannot guarantee the absence of bugs. The only way you can guarantee, through testing alone, that your program is error-free is to exhaustively test every possible "input" (combination of external inputs and internal state) and check
Fixing with words what needs engineering. (Score:2)
From the Slashdot story: "Unfortunately, that's kind of the nature of software... you may never find the problem."
What the parent poster said sounds right. The GE spokesperson is just trying to fix with bullshit what should be fixed with engineering.
Clocks (Score:3, Interesting)
I'm also a big fan of watchdog timers. The process that periodically resets the timer can make all sorts of health and sanity checks.
Re:Clocks (Score:2, Interesting)
Not having the display system give a visual indication of stale data was also a deficiency.
There also seems to have been a problem in that the data collection and monitoring portion of the system was held up by a malfunctioning alarm system.
Re:The problem with SCADA systems (Score:2)
As for the updates and how that works, etc, the XA/21 system uses RTU's in the field which are basically 1200 baud modems with some instrumentation and a simple controller. They call back i
Re:The problem with SCADA systems (Score:3, Interesting)
And perhaps the software in question also tries to do that. However, there are any number of reasons it could still fail.
Consider the following scenario: one software component (a proccess, if you will) is responsible for synchronizing the data between the remote testing station and the local data st
Re:The problem with SCADA systems (Score:2, Interesting)
Re:The problem with SCADA systems (Score:2, Interesting)
For example, I once worked at a place with many many Window web servers. Every time a server failed, an alarm would sound. But the reason we used Window servers is that they were dirt cheap so we could buy enough to compensate for the expected frequent failures. The r
Blame Game (Score:2)
If you want to know the truth, ask former White House Cyberterrorism expert Richard Clarke. He'll tell you that he had been warning both the Clinton and Bush administrations about this, and although Clinton's team had approved a plan to deal with the menace (but never actually got around to implementing it), none of Bush's senior aides listened to him, and instead wanted to do a pre-emptive strike on Kazaa to elimnate Weapons of Mass Distribution. It
Re:The real problem (Score:3, Informative)
From the reports I have seen, other than FE, the various companies did take appropriate action and shed load where necessary, it's just that the situation developed too quickly (from their perspective) and was too large to save by the time they could see it.
The problem was that the grid was running too close to capacity in general. Since the electricity is traveling as fast as any control signal could, it is necessary for the system to be able to tolerate whatever condition may exist long enough for syst
Re:two words: formal methods (Score:2)
The problem is that while you can get a rigorous proof (Wasn't the parallel postulate "proved" in the 13th centery or so?) of the formal description, you have nothing remotely like a proof, formal or otherwise, that the formal description actually matches reality.