WHAT, HOW & WHEN
Heading to an international airport to catch a red-eye flight out would otherwise be impossible without the reliable, monitored power distribution system that many airports currently use. Behind the scenes is the Supervisory Control and Data Acquisition system (SCADA): an ever-growing backbone to the technologically advanced civilization we live in today. SCADA systems include a wide variety of trades including power distribution, refinery operations, or even controls for building cars.
SCADA systems began their popularity in the 1960’s as power and control stations required more reliable supervision. Before the implementation of microprocessors and telemetry, organizations were forced to employ personnel to manually operate and oversee critical points of infrastructure. From the birth of SCADA systems and telephone wires being introduced as relay systems and coding schemes to the evolution into implementing programmable logic controllers (PLC) and microprocessors; there has always been a need for the monitoring and control of critical distribution equipment.
SCADA – WHAT IS IT?
All SCADA systems are comprised of a few standard family members. The first member of this family, and first step in which operator personnel are introduced to SCADA systems, are the Human Machine Interfaces (HMI). These interface points are simply the mediums and methods of how a human operator interacts with a machine to be controlled. This may range from localized touch-screen control panels to master “facility-wide” control workstations. Another member of the SCADA family includes the Supervisory (computer) system, or software that an operator may use. This is the control system architecture including the graphical user interface (GUI) and networked data communication between all intelligent devices and the end-user workstation. Many companies are provided with customized GUI’s and specialized tools within these software packages to better suit their organizational needs. Control and supervision may be limited or granted to certain users while providing organized logs of error reports or critical points of failure. Some organizations may also choose, depending on the level of confidentiality, to view and control their equipment remotely via web-browser through security issues intersect in critical ways.
Found at local equipment substations is another family member of the SCADA system: Remote Terminal Units (RTUs). While each member of the SCADA family is crucial, system operators and their equipment require the RTUs or microprocessor-controlled electronic devices that are the point in which a physical installation or machine interfaces with the SCADA system network. These interface inputs and outputs to popular Modbus RTU, Profibus, DNP3, and others. Many of the major manufacturers in the building automation industry now offer “all‐in‐one” solutions for data acquisition, programmable control, and communication transmission. A major concern within this application is the compatibility between manufacturer’s products and their supported protocols as well as the physical differences between manufacturer hardware form factors.
Investigating various manufacturers’ automation controllers, I/O modules, or even security gateway shows the many differences a designer must take into an account. Without a Basis of Design the implementation of a new system may be problematic in standardization. Manufacturers such as General Electric for example offer many solutions for an equipment rack mountable or DIN rail mountable system automation controller such as the RXC3i. This controller includes processing unit(s), power supplies, discrete or analog input and output modules, temperature control, or serial communications modules. These controllers and modules are housed in everything from plastic bodies and mounted to a local equipment rack to hardened solutions for environmentally harsh conditions.
As an example, their RXC3i CPE400 controller offers a fan-less design, dual heat sinks, extended temperature operating range, and various added input slots. Other manufacturers such as SEL offer hardened standard rack mount size automation controllers such as the SEL-3530 real-time automation controller (RTAC). Even within this manufacturer there also exists many different form factors as the two-rack unit RTAC may be downsized to a module and placed on a larger backplane. This back plane offers other modular devices for power coupling, digital I/O, and AC metering.
PROTOCOLS
In addition to varying hardware form factors, many manufactures differ in their protocols accepted. RTU’s are programmed to operate with the SCADA system and other network systems that are all loosely based on the International Standards Organization (ISO) Open Systems Interconnection (OSI) model. This model provides the outline and functionality required of a functional network to ease the use and understanding between human and network. The OSI model includes seven layers: Physical, Data Link, Transport, Session, Presentation, and Application. PLC and RTU protocols exist at the Application level to deliver data from the field to a typical SCADA HMI while the remaining layers are used for establishing or terminating communication, frame relay or even the physical wiring. Matching protocols within a large SCADA system may quickly become a huge problem if a facility did not standardize on field devices. Without it, PLC and RTU communications may be lost in addressing other devices and determining correct actions based on information being received much like our own personal lives, we’ll never find the train station if we don’t speak the local’s language. The contractor awarded a SCADA system upgrade will be required to provide network and PLC interface devices capable of handling the various protocols currently supported.
THE BACK BONE
A robust and capable communication backbone is required for modern SCADA systems to provide redundancy and reliability. Some facilities implement their SCADA network separate from outside or Internet access using typical protocols such as Modbus TCP/IP or Profinet as the system is designed to control and supervise critical equipment and distribution site. However, Ethernet TCP/IP has found its way into SCADA system architecture due to the desire to utilize existing facility networks. The most common architecture for Ethernet/IP networks is a star arrangement where all network edge switches connect more directly to a core network switch without their communications passing through other edge switches and may in some cases be applied to SCADA system architecture. Redundancy may or may not be incorporated by utilizing redundant links in various arrangements within Profinet architecture as well. The question remains on whether or not a facility should incorporate their SCADA system into their existing IP based network or separate it entirely for cyber security reasons.
IP AND CYBER MEASURES
Incorporating a SCADA system into an existing facility IP network yields the ability to remotely monitor the control system through existing network access. This therefore should require further steps in authentication from outside devices and should only be provided to remote users on an as-needed basis. These extra steps in authentication and user access rights requires further network configuration and may cause issues in the long run due to possible inconsistencies in network management. A surefire way of confirming separation of the SCADA system network from the existing facility IP network is the physical separation of these networks. The SCADA system would be outfitted with dedicated network switches and PLC interface devices and would therefore require additional management and configuration from IT personnel. If the physical separation of these networks is not possible, IT personnel may separate the networks at a logical level but would require extensive network configuration and cyber counter-measures.
Many cases include an attempt to utilize virtual local area network (VLAN) to logically separate the SCADA network. This may open unwanted backdoors to your network, as the use of VLAN’s was not initially designed as a security measure. It is primarily a bandwidth-modeling tool for large IP networks. In addition to the SCADA system, a facility may employ a network manager to provide IT personnel with graphical representations of the network status while also providing standard performance and configuration settings. Utilizing a network manager in conjunction with a SCADA system may also discover managed and unmanaged network devices brought on and off the network, automatically discovering and creating a record of devices. Discovering possible points of failure as a device begins its decline into inoperability is crucial to a SCADA system as many are used for critical electrical or other utility distribution.
Look for PART II in one week.
