Oops, the technician was having some problems one day, so they plugged a wireless device on one bus and another on the other bus so even after pulling the fuse hackers still had control.
Of course, if they are connected by default, it's very likely the hacker could establish control of a device on the secure side of the bus and load up something in NVRAM on it maintaining control even after a disconnect.
Well I didn't add this but I would stipulate that the secure side would have almost no permanent memory at all if possible. I mean, we've been controlling boats without electronics for millenia so if you make it a priority to have no permanent memory, it should be achievable.
It's doable. The biggest issue is that all these engineers are gonna cost $$$$ to design these systems and you will need to do a lot of QA, which also costs $$$$.
It could be doable to transition back to pneumatic PID blocks by some royal decree but it’s definitely not going to be any real government’s solution. PLC’s are here to stay for all complex machines, and these ships are relatively complex.
More interesting to talk about options that could realistically happen, and discuss pros/cons of various government/industry solutions that are actually likely to occur.
I wish I could find a cutaway of a pneumatic PID block though. They’re quite amazing technology that implemented true P-I-D “calculation” logic in a purely physical form by using pressure of air at two inputs (setpoint, current value) to control one output penumatic pressure which in turn would control some valve a distance away. Really amazing engineering we had before electronic control! The air lines had a bad tendency to get clogged up though.
Specifically, either don't plug wireless devices on the trusted network, or have some procedure that makes it damn sure any such device will be unusable when the ship is running.
We have some ways of protecting against malicious firmware, but the kind of consumer hardware that gets those is so complex and flawed that you are better without. If the hacker needs full physical access to the ship before the attack, you are about as good as you can get.
Two small devices should be fine... you're just bridging the bus with something that can communicate with the bus. The 'unsafe' side of the bus will be doing all the heavy lifting for you across your unauthorized bridge. Think more like "IT guy leaves diagnostic connection up on laptop while connected to wireless type event.
Of course, if they are connected by default, it's very likely the hacker could establish control of a device on the secure side of the bus and load up something in NVRAM on it maintaining control even after a disconnect.