A brief Review
M Suresh
Chief Research Engineer
SCADA Terminology
SUPERVISORY CONTROL AND DATA ACQUISITION
An industrial control system: a computer system monitoring and controlling a process. The process can be industrial, infrastructure or facility-based.
Processes run in continuous, batch, repetitive, or discrete modes.
Industrial processes
manufacturing,
production,
power generation,
fabrication,
refining
Infrastructure processes
water treatment and distribution,
sewage collection and treatment,
oil and gas pipelines,
electrical power transmission and distribution
Wind Farms,
Railways,
large communication systems.
Facility processes
Buildings (energy, visitors, parking, infrastructure)
Airports (baggage, flight scheduling, information displays, messaging, security, ...)
Ships (inventory, operations, services, personnel, ...)
Space stations (basic operations, schedule, ...)
Common: they monitor and control HVAC, access, and energy consumption.
Levels in SCADA
Level 1: Field Devices
RTUs / PLCs
Sensors
Level 2: Telemetry
Fiber
Radio
Telephone leased line
Protocols
Level 3: SCADA - MTU
Operator Workstations
Control / Engineering Workstations
Servers
Data logging
Level 4: Enterprise
Corporate LAN/WAN
World Wide Web
Virtual Private Network
Firewall for remote users
Supervisory Station (Master Terminal System)
Computer / servers and software responsible for communicating with field equipment and HMI software.
The master station may be a single PC.
The master station may include multiple servers, distributed software applications, and disaster recovery sites.
Hot-standby dual redundancy is possible at present for continuous control and monitoring.
PLC
Early PLCs were designed to replace relay logic systems.
These PLCs were programmed in ladder logic, which strongly resembles a schematic diagram of relay logic.
[Figure: PLC scan cycle. Input Devices feed the Input Image Table in Processor Memory (addresses I:0/6, I:1/4); the Ladder Program reads the input image and writes the Output Image Table (O:0/7, O:1/5); the Output Module drives the Output Devices. A Programming System is attached to the processor.]
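The image tables in the figure are what make a PLC scan deterministic: inputs are sampled once, every rung is solved against that snapshot, and outputs are written once at the end of the scan. The simulator below is an added example written for this page, not code from the slides; its two rungs (a start/stop seal-in latch on coil O:0/7 and a stopped lamp on O:1/5) and its input sequence are constructed, reusing the figure's I:0/6 and I:1/4 input addresses.

```python
"""PLC scan cycle with input and output image tables.

Added example, not code from the slides. Addresses use the slide's I:slot/bit
and O:slot/bit notation; the ladder program and the input sequence are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Image = Dict[str, bool]
Rung = Callable[[Image, Image], bool]   # (input image, output image) -> coil state


@dataclass
class PLC:
    # A rung is (coil address, logic). Rungs are solved top to bottom each scan.
    rungs: List[Tuple[str, Rung]]
    input_image: Image = field(default_factory=dict)
    output_image: Image = field(default_factory=dict)

    def scan(self, physical_inputs: Image) -> Image:
        """One scan: input scan, program scan, output scan."""
        # 1. Input scan: snapshot the field inputs into the input image table.
        #    The program never reads a live input, so every rung sees one
        #    consistent set of values for the whole scan.
        self.input_image = dict(physical_inputs)
        # 2. Program scan: solve each rung against the image tables. A coil
        #    written by an earlier rung is visible to later rungs in the same scan.
        for coil, logic in self.rungs:
            self.output_image[coil] = bool(logic(self.input_image, self.output_image))
        # 3. Output scan: copy the output image table to the output module.
        return dict(self.output_image)


def start_stop_latch(inputs: Image, outputs: Image) -> bool:
    """Rung 1, coil O:0/7 (motor run): (START I:0/6 OR O:0/7 seal-in) AND NOT STOP I:1/4."""
    start = inputs.get("I:0/6", False)
    stop = inputs.get("I:1/4", False)
    held = outputs.get("O:0/7", False)
    return (start or held) and not stop


def stopped_lamp(inputs: Image, outputs: Image) -> bool:
    """Rung 2, coil O:1/5 (stopped lamp): ON whenever the motor coil is OFF."""
    return not outputs.get("O:0/7", False)


def build_demo_plc() -> PLC:
    return PLC(rungs=[("O:0/7", start_stop_latch), ("O:1/5", stopped_lamp)])


def run_demo() -> List[Image]:
    """Constructed input sequence: press START, release it, press STOP, press both."""
    plc = build_demo_plc()
    sequence = [
        {"I:0/6": True, "I:1/4": False},   # START pressed: motor starts
        {"I:0/6": False, "I:1/4": False},  # START released: seal-in holds the motor
        {"I:0/6": False, "I:1/4": True},   # STOP pressed: motor drops out
        {"I:0/6": True, "I:1/4": True},    # both pressed: STOP wins
    ]
    return [plc.scan(inputs) for inputs in sequence]


if __name__ == "__main__":
    for n, out in enumerate(run_demo(), 1):
        print(f"scan {n}: O:0/7={out['O:0/7']} O:1/5={out['O:1/5']}")
```

Because rung 2 reads O:0/7 from the output image, it reflects the value rung 1 produced in the same scan; swapping the rung order would make the lamp lag one scan behind, which is the kind of ordering detail the image-table model makes visible.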
IEC 61131-3
Defines five programming languages for programmable control systems:
LD: Ladder diagram
IL: Instruction list
FBD: Function block diagram
ST: Structured text
SFC: Sequential function chart (based on IEC 848)
http://www.en.omesim.com
RTU vs PLC
RTUs focus on remote monitoring and control.
RTUs have a high demand for application, communications and protocol flexibility.
PLCs are designed around localized fast control of discrete variables and analog inputs.
RTUs built on an RTOS benefit from faster task processing, reduced memory requirements, and lower risk of failure due to overly complex code.
PLCs have proprietary OS.
RTUs support communication protocols for TCP/IP, mobile/portable two-way radio, analog/digital trunking, broadband (e.g. WLAN), cellular modem (GPRS), etc.
Generally RTUs can handle more PID loops than PLCs for the same cost.
SOE (Sequence of Events recording) is generally lacking in PLCs.
RTUs can log thousands of events, time tagged to 1 ms.
PLCs lack data logging features.
RTUs have high storage capacity (FLASH, DRAM, SRAM) for adding programs, functions and data storage.
HMI operator terminals
Programming software
Configuration tools
Wide variety of ports: speaker, mic, alarm contacts, DIO for external (remote), USB, Ethernet, RS485/232/422, Compact Flash, SD card
HMI mimic
Presents information to operators graphically, in the form of a mimic diagram.
Operators see a schematic representation of the plant being controlled.
Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or of digital photographs of process equipment overlain with animated symbols.
Alarm handling
SCADA monitors whether certain alarm conditions are satisfied to determine the occurrence of alarm events.
Once an alarm event is detected, one or more actions are taken: activation of one or more alarm indicators, generation of email or text messages.
An operator may have to acknowledge the alarm event; this may deactivate some alarm indicators, while other indicators may remain active until the alarm conditions clear.
Explicit alarms: NORMAL or ALARM based on analog and digital points.
Implicit alarms: analog point within or outside limit values.
Data Communication
Twisted-Pair Metallic Cable (STP)
Coaxial Metallic Cable (Co-ax)
Fiber Optic Cable (FOC)
Power Line Carrier (PLCC)
Very Small Aperture Terminal (VSAT: Ku, C)
Leased Telephone Lines (LTN, PSTN)
Very High Frequency Radio (VHF)
Ultra High Frequency Radio (UHF)
Microwave Radio (MW)
IEC 60870-5
IEC 60870-5-1 (1990-02): specifies basic requirements for services to be provided by the data link and physical layers for telecontrol applications.
IEC 60870-5-2 (1992-04): selection of link transmission procedures using a control field and optional address field.
IEC 60870-5-3 (1992-09): specifies rules for structuring application data units in transmission frames of telecontrol systems; general structure of application data and basic rules to specify application data units without specifying details about information fields and their contents.
IEC 60870-5-4 (1993-08): rules for defining information data elements and a common set of information elements, particularly digital and analog process variables that are frequently used in telecontrol applications.
IEC 60870-5-5 (1995-06): defines basic application functions that perform standard procedures for telecontrol systems.
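IEC 60870-5-1 is the part that defines the link-layer frame formats, and the format class used on IEC 60870-5-101 serial links is FT1.2. The parser below is an added example written for this page, not code from the slides or from any protocol stack: it checks an FT1.2 frame's start characters, duplicated length field, checksum and end character before handing the control field, link address and user data upward, so a corrupted or truncated telecontrol command is dropped at the link layer instead of being acted on. A one-octet link address is assumed, and the user-data octets in the demo are constructed.

```python
"""Integrity check of IEC 60870-5-1 FT1.2 link frames.

Added example, not code from the slides. FT1.2 is the frame format class that
IEC 60870-5-1 defines and that IEC 60870-5-101 links use on serial lines:

  variable length : 0x68 L L 0x68 | C A... user data | CS 0x16
  fixed length    : 0x10 | C A... | CS 0x16
  single character: 0xE5

L counts the octets from the control field C to the end of the user data;
CS is the arithmetic sum of those same octets modulo 256. The frames in the
demo are constructed, and a one-octet link address is assumed.
"""
from typing import Dict, Optional

START_VAR, START_FIX, END, SINGLE = 0x68, 0x10, 0x16, 0xE5


def checksum(octets: bytes) -> int:
    return sum(octets) & 0xFF


def build_ft12(control: int, address: int, user_data: bytes = b"", addr_len: int = 1) -> bytes:
    """Assemble a valid fixed-length (no user data) or variable-length FT1.2 frame."""
    body = bytes([control]) + address.to_bytes(addr_len, "little") + user_data
    tail = bytes([checksum(body), END])
    if not user_data:
        return bytes([START_FIX]) + body + tail
    return bytes([START_VAR, len(body), len(body), START_VAR]) + body + tail


def parse_ft12(frame: bytes, addr_len: int = 1) -> Dict[str, Optional[object]]:
    """Validate every framing field and return the link fields.

    Raises ValueError on any inconsistency so the receiver can discard (and
    count) the frame rather than execute a damaged control command.
    """
    if not frame:
        raise ValueError("empty frame")
    if frame[0] == SINGLE:
        if len(frame) != 1:
            raise ValueError("single-character frame must be exactly one octet")
        return {"kind": "single", "control": None, "address": None, "user_data": b""}
    if frame[0] == START_FIX:
        header_len, body_len = 1, 1 + addr_len
    elif frame[0] == START_VAR:
        if len(frame) < 4 or frame[1] != frame[2] or frame[3] != START_VAR:
            raise ValueError("bad variable-length header")
        header_len, body_len = 4, frame[1]
        if body_len < 1 + addr_len:
            raise ValueError("length field too small for control field and address")
    else:
        raise ValueError(f"unknown start character 0x{frame[0]:02x}")
    expected = header_len + body_len + 2          # body + CS + end character
    if len(frame) != expected:
        raise ValueError(f"frame length {len(frame)} != expected {expected}")
    body = frame[header_len:header_len + body_len]
    cs, end = frame[-2], frame[-1]
    if end != END:
        raise ValueError("missing end character")
    if cs != checksum(body):
        raise ValueError("checksum mismatch")
    return {
        "kind": "fixed" if frame[0] == START_FIX else "variable",
        "control": body[0],
        "address": int.from_bytes(body[1:1 + addr_len], "little"),
        "user_data": bytes(body[1 + addr_len:]),
    }


def run_demo() -> Dict[str, object]:
    """Round-trip a constructed frame, then show that a flipped bit is rejected."""
    asdu = bytes.fromhex("64 01 06 00 01 00 14")   # constructed user data, not a real ASDU
    frame = build_ft12(control=0x73, address=0x01, user_data=asdu)  # control octet constructed
    parsed = parse_ft12(frame)
    corrupted = bytearray(frame)
    corrupted[6] ^= 0x01                            # flip one bit in the first user-data octet
    try:
        parse_ft12(bytes(corrupted))
        rejected = False
    except ValueError:
        rejected = True
    return {"frame_hex": frame.hex(), "parsed": parsed, "corruption_rejected": rejected}
```

The duplicated length octet and the fixed end character let the receiver resynchronise on a noisy serial line; the checksum only detects accidental corruption, so any authenticity requirement has to be met above the link layer.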
SCADA Software
MIMIC Display
Alarm Handling
Trending
Access Control
Users organised in groups with a set of allocated privileges
Large number of groups possible
Privileges limit write access to process parameters
Some allow access to graphics and functionality to be limited
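The group-and-privilege model described above can be made concrete in a few dozen lines. The code below is an added example written for this page, not code from the slides or from any SCADA product: group names, privilege names, users, points and display pages are constructed; writes are denied unless a group grants the privilege for that class of parameter, access to a graphics page is gated the same way, and every write decision goes to an audit trail so denied attempts can be reviewed.

```python
"""Group-based privileges that limit write access to process parameters.

Added example, not code from the slides. Group names, privilege names, users,
points and displays are all constructed. Decisions default to deny, and every
write decision is appended to an audit trail for later review.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Privilege required to write each class of process parameter (constructed names).
WRITE_PRIVILEGE: Dict[str, str] = {
    "setpoint": "write_setpoint",
    "alarm_limit": "write_alarm_limit",
    "tuning": "write_tuning",
}

# Groups carry the privileges; users only belong to groups (constructed).
GROUP_PRIVILEGES: Dict[str, Set[str]] = {
    "viewers": {"view_process"},
    "operators": {"view_process", "ack_alarm", "write_setpoint"},
    "engineers": {"view_process", "view_engineering", "ack_alarm",
                  "write_setpoint", "write_alarm_limit", "write_tuning"},
}

# Graphics pages and the privilege needed to open them (constructed).
DISPLAY_PRIVILEGE: Dict[str, str] = {
    "overview": "view_process",
    "pid_tuning": "view_engineering",
}


@dataclass
class Point:
    name: str
    parameter_class: str   # key into WRITE_PRIVILEGE


@dataclass
class AccessControl:
    user_groups: Dict[str, Set[str]]
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)  # user, point, value, result

    def privileges(self, user: str) -> Set[str]:
        """Union of the privileges of every group the user is in; unknown user -> none."""
        privs: Set[str] = set()
        for group in self.user_groups.get(user, set()):
            privs |= GROUP_PRIVILEGES.get(group, set())
        return privs

    def can_open_display(self, user: str, display: str) -> bool:
        needed = DISPLAY_PRIVILEGE.get(display)
        # A page with no configured privilege is shown to nobody (deny by default).
        return needed is not None and needed in self.privileges(user)

    def authorize_write(self, user: str, point: Point, new_value: float) -> bool:
        needed = WRITE_PRIVILEGE.get(point.parameter_class)
        allowed = needed is not None and needed in self.privileges(user)
        self.audit.append((user, point.name, str(new_value), "ALLOW" if allowed else "DENY"))
        return allowed


def run_demo() -> Dict[str, object]:
    ac = AccessControl(user_groups={
        "alice": {"operators"},
        "bob": {"viewers"},
        "carol": {"engineers"},
    })
    sp = Point("FIC101.SP", "setpoint")          # constructed point names
    hi = Point("LI201.HI_LIMIT", "alarm_limit")
    decisions = [
        ac.authorize_write("alice", sp, 55.0),   # operator changes a setpoint: allowed
        ac.authorize_write("alice", hi, 99.0),   # operator raises an alarm limit: denied
        ac.authorize_write("bob", sp, 55.0),     # viewer writes anything: denied
        ac.authorize_write("carol", hi, 92.0),   # engineer raises an alarm limit: allowed
        ac.authorize_write("guest", sp, 0.0),    # account in no group: denied
    ]
    return {
        "decisions": decisions,
        "denied": [entry for entry in ac.audit if entry[3] == "DENY"],
        "alice_sees_tuning": ac.can_open_display("alice", "pid_tuning"),
        "carol_sees_tuning": ac.can_open_display("carol", "pid_tuning"),
    }
```

Separating "may change a setpoint" from "may change an alarm limit" is the point of having many groups: an operator can run the plant without being able to move the limits that would hide a deviation.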
Automation of Process
Actions can be initiated automatically, triggered by an event
Recipes
Sequencing and scripting possibilities
Report Generation
[Figure: SCADA software architecture. Development side: project editor, graphics editor, ASCII file editor, library export/import, recipe management, driver toolkit, commercial development tool. Runtime (MMI): mimic display, trending, alarm display, log display, data processing, report generation. Databases: real-time DB, alarm DB, log DB, archive DB, reference DB, commercial SQL DB, ASCII files. Interfaces: ActiveX controls and container, OPC, ODBC, DDE, API/DLL, data read/write drivers to PLCs (VME), private applications, Excel.]
Development Tools
Project editor
Graphics editor
Configuration through parameter templates
Scripting language
Driver Development Tool Kit
SCADA Clients
ALARMS
SCADA alarms draw the attention of operators to conditions outside of desired normal operation.
Such conditions require some decision or intervention by persons.
Alarms support the operation of industrial plants by alerting operators to a variety of conditions.
Process Alarms
The majority of alarms in a process control system aid operators to keep the manufacturing process running in the intended manner and help achieve the best possible production performance.
Many alarms will warn of deviations that are linked to possible hazards.
Is plant operation happening correctly?
Are process parameters within range?
Are level, flow, pressure, temperature within limits?
Process alarms relate to the efficiency of the process or indicate deviations from intent.
System Alarms (machinery or equipment alarms)
A lot of process equipment and operating devices; the system needs to work correctly 24x7.
The paranoia: everything that can possibly go wrong will, someday!
Our need for accurate information on the health of every element of the system.
Generally: status (e.g. bearing temperature high)
Power supplies: commercial AC power, battery, backup generators, UPS systems, etc.
Building and facility alarms: intrusion, entry, open door, fire, smoke, flooding, etc.
Environmental conditions: temperature, humidity
RTU/communication equipment: switches, routers, fiber optic equipment, microwave radios, modems.
Hazop Alarms
Prevention layers to prevent the occurrence of hazards.
Prevention layers: plant design, process control system, alarm systems, mechanical safety devices, interlocks, shutdown (SIS) systems.
Hazops dictate a large number of add-in alarms as a quick-fix solution to numerous operability problems.
Alarm formats
Detailed alarm descriptions
Alarm sorting and categorizing
Separate Standing Alarm and Change of State (COS) alarm lists
24x7 unmanned remote alarms: pager, SMS, email notification
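The acknowledgement behaviour from the Alarm handling slides (some indicators clear on acknowledge, others stay until the condition clears), the explicit/implicit distinction, and the separate Standing Alarm and Change of State lists above fit in one small handler. The code below is an added example written for this page, not code from the slides or from any SCADA package; point names, limits and the event sequence are constructed. It models an audible indicator silenced by acknowledgement and a visual indicator that stays lit until the alarm is both acknowledged and cleared.

```python
"""Alarm point states, acknowledgement, and the Standing / COS lists.

Added example, not code from the slides. Implicit alarms compare an analog
point with its limits; explicit alarms take a NORMAL/ALARM state from a digital
point. Acknowledgement silences the audible indicator, while the visual
indicator stays on until the alarm is acknowledged AND the condition has
cleared. Point names, limits and the event sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AlarmPoint:
    name: str
    low: Optional[float] = None      # implicit-alarm limits (analog points only)
    high: Optional[float] = None
    in_alarm: bool = False           # condition currently violated
    acknowledged: bool = True        # nothing outstanding while normal

    def visual_indicator(self) -> bool:
        # Lit while the condition persists or while an alarm is still unacknowledged.
        return self.in_alarm or not self.acknowledged


class AlarmHandler:
    def __init__(self, points: List[AlarmPoint]):
        self.points: Dict[str, AlarmPoint] = {p.name: p for p in points}
        self.cos_list: List[Tuple[int, str, str]] = []   # Change of State list: (time, point, event)

    def _transition(self, t: int, p: AlarmPoint, violated: bool) -> None:
        if violated and not p.in_alarm:
            p.in_alarm, p.acknowledged = True, False
            self.cos_list.append((t, p.name, "ALARM"))
        elif not violated and p.in_alarm:
            p.in_alarm = False                      # acknowledged flag is left as it is
            self.cos_list.append((t, p.name, "RETURN_TO_NORMAL"))

    def update_analog(self, t: int, name: str, value: float) -> None:
        """Implicit alarm: the point is in alarm when outside its limit values."""
        p = self.points[name]
        violated = (p.high is not None and value > p.high) or (p.low is not None and value < p.low)
        self._transition(t, p, violated)

    def update_digital(self, t: int, name: str, state: str) -> None:
        """Explicit alarm: the point reports NORMAL or ALARM directly."""
        if state not in ("NORMAL", "ALARM"):
            raise ValueError(f"unexpected digital state {state!r}")
        self._transition(t, self.points[name], state == "ALARM")

    def acknowledge(self, t: int, name: str) -> None:
        p = self.points[name]
        if not p.acknowledged:
            p.acknowledged = True
            self.cos_list.append((t, p.name, "ACK"))

    def standing_alarms(self) -> List[str]:
        """Standing Alarm list: every point whose condition is still violated."""
        return sorted(n for n, p in self.points.items() if p.in_alarm)

    def audible_indicator(self) -> bool:
        """Horn: on while any alarm is unacknowledged, silenced by acknowledgement."""
        return any(not p.acknowledged for p in self.points.values())

    def visual_indicators(self) -> List[str]:
        return sorted(n for n, p in self.points.items() if p.visual_indicator())


def run_demo() -> Dict[str, object]:
    h = AlarmHandler([AlarmPoint("TANK_LEVEL", low=10.0, high=90.0), AlarmPoint("PUMP_FAULT")])
    h.update_analog(1, "TANK_LEVEL", 50.0)       # within limits: nothing happens
    h.update_analog(2, "TANK_LEVEL", 95.0)       # above high limit: implicit ALARM
    h.acknowledge(3, "TANK_LEVEL")               # horn silenced, alarm still standing
    h.update_digital(4, "PUMP_FAULT", "ALARM")   # explicit ALARM, horn sounds again
    h.update_analog(5, "TANK_LEVEL", 60.0)       # back within limits: return to normal
    return {
        "standing": h.standing_alarms(),
        "audible": h.audible_indicator(),
        "visual": h.visual_indicators(),
        "cos": list(h.cos_list),
    }
```

Keeping the Standing and COS lists separate is what lets an operator see at a glance what is still wrong (standing) without losing the history of what happened and when (COS).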
ODBC Architecture
Application -> Driver Manager -> Driver -> Data Source
Application: performs processing and calls ODBC functions to submit SQL statements and retrieve results.
Driver Manager: loads and unloads drivers on behalf of an application; processes ODBC function calls or passes them to a driver.
Driver: processes ODBC function calls, submits SQL requests to a specific data source, and returns results to the application. It can modify an application's request so that it conforms to the syntax supported by the DBMS package.
Data Source: the data that the user wants to access, the DBMS, and the OS and network platform (if any) used to access the DBMS.
ODBC Driver
Primarily intended for reporting, it enables an ODBC-compliant application to access data from the SCADA/DCS database: history, event, point parameter values.
The server database is queried using SQL commands from ODBC client applications.
Custom applications written in Visual Basic or C++ can access the server database.
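A reporting client's path into the server database needs only SELECT on the history, event and point tables. The code below is an added example written for this page, not a vendor's ODBC driver and not code from the slides: SQLite stands in for the server database (the same SQL would travel through an ODBC driver), the history table and its rows are constructed, the connection is opened read-only, and the query binds its parameters, so the reporting path cannot alter process data and a point name taken from a report form is treated as data rather than SQL.

```python
"""Reporting query against a SCADA history table over a read-only connection.

Added example, not code from the slides and not a vendor ODBC driver. An ODBC
reporting client needs only SELECT on the history, event and point tables.
SQLite stands in for the server database (the same SQL would go through an
ODBC driver); the history table and its rows are constructed, the connection
is opened read-only, and the query is parameterised.
"""
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed history rows: (point, ISO timestamp, value).
HISTORY_ROWS = [
    ("TANK_LEVEL", "2024-01-01T10:00:00", 48.2),
    ("TANK_LEVEL", "2024-01-01T10:15:00", 51.7),
    ("TANK_LEVEL", "2024-01-01T10:30:00", 55.0),
    ("TANK_LEVEL", "2024-01-01T11:00:00", 57.3),
    ("PUMP_SPEED", "2024-01-01T10:00:00", 1480.0),
]


def create_history_db(path: str) -> None:
    """Stand-in for the SCADA server's historian database (constructed)."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE history (point TEXT NOT NULL, ts TEXT NOT NULL, value REAL NOT NULL)")
        con.executemany("INSERT INTO history (point, ts, value) VALUES (?, ?, ?)", HISTORY_ROWS)
    con.close()


def open_reporting_connection(path: str) -> sqlite3.Connection:
    """Open the database read-only: any write raises sqlite3.OperationalError."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def query_history(con: sqlite3.Connection, point: str, start: str, end: str) -> List[Tuple[str, float]]:
    """Time-window history query; point name and window are bound parameters, never concatenated."""
    cur = con.execute(
        "SELECT ts, value FROM history WHERE point = ? AND ts BETWEEN ? AND ? ORDER BY ts",
        (point, start, end),
    )
    return cur.fetchall()


def run_demo() -> Dict[str, object]:
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "scada_history.db")
    try:
        create_history_db(path)
        con = open_reporting_connection(path)
        try:
            rows = query_history(con, "TANK_LEVEL", "2024-01-01T10:00:00", "2024-01-01T10:59:59")
            # A point name containing a quote is just a string that matches no point.
            odd_name = query_history(con, "TANK_LEVEL' OR '1'='1",
                                     "2024-01-01T00:00:00", "2024-12-31T23:59:59")
            try:
                con.execute("UPDATE history SET value = 0")   # reporting path must not write
                write_blocked = False
            except sqlite3.OperationalError:
                write_blocked = True
        finally:
            con.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return {"rows": rows, "odd_name_rows": len(odd_name), "write_blocked": write_blocked}
```

With a real ODBC data source the equivalent of `mode=ro` is a database account that holds SELECT only on the reporting tables; the parameter binding is the same whichever driver is underneath.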
OLE for Process Control (OPC)
Why OPC?
Traditionally, any time a package needed access to data from a device, a custom interface, or driver, had to be written.
OPC defines a common interface that is written once and reused by any SCADA, HMI, business or custom software package.
Client-server approach
[Figure: without OPC, each application (Display, Trend, Report) needs its own software driver for every device; with OPC, each application talks to one OPC interface and the software drivers sit behind the OPC server.]
Architecture
[Figure: OPC architecture. An OPC Server (DA/AE/HDA/DX) serves real-time process values to OPC DA clients, alarm/event set points to OPC AE clients, a Historian DB to OPC HDA clients, and DX; beneath it a Protocol Driver and Comm Interface carry the Comm Protocol to a Computer, Controller, Smart Device or DCS Sub-System, each with its own Comm Interface to the process I/O.]
OPC specification parts: Concepts, Security, Address Space, Services; Information Model, Mappings, Profiles; Data Access, Alarms and Conditions, Programs, Historical Access, etc.
http://www.opcfoundation.org
[Figure: Alarm Server and Data Server on Ethernet, each behind a Firewall, connected to the Client over a communication bus.]
Security Issues!!
PLC/SCADA hacking: sending spoofed commands to a PLC.
"So you can have the operator seeing something entirely different than what's happening in the process, causing the pipe to burst and the tank to overflow"
http://www.securityweek.com/black-hat-researchersremotely-hack-scadasystems-oil-rigs
Use of firewalls: Ethernet In and Ethernet Out ports between the SCADA device and the Internet.
SCADA Failures
Iran used Siemens WinCC SCADA to control centrifuges for refining uranium. Weaknesses in WinCC combined with vulnerabilities in Microsoft's Windows OS allowed the Stuxnet worm to disrupt the centrifuges; an act of sabotage (U.S. and Israel).
http://www.infoworld.com/d/security/siemens-industrial-software-targeted-stuxnet-still-full-of-holes206654
Malware, Trojan
Generally affects the Microsoft Windows OS on which SCADA is installed.
Malware spreads via mobile data carriers, USB sticks and networks.
Trojans are activated by viewing the contents of a USB stick.
Also affects PACs and embedded systems.
Other computers affected:
Infrastructure computers (file servers, domain controllers, other servers...)
Computers with and without WinCC installed
Virtual machines (e.g. VMware installations)
Purposes of Attacks
Operational or corporate data for personal gain, to sell to the competition or hold as ransom
Gain information for future attacks or satisfy curiosity
Gain control of the SCADA system to inflict damage on industrial systems, possibly causing environmental impact, and damage corporate identity through public exposure
Cause danger to a facility or company by staging a false alarm shutdown of the plant or facility
Ring of Defences
Defence mechanisms
SCADA firewalls: an additional layer to mediate traffic between the protected network and the external network; protect passwords, IP addresses, files, etc.
SCADA internal network design: own IP segment, smart switches and proper subnet masking.
Operating systems: with proper patches; default NULL NT accounts and administrator accounts to be removed or renamed.
Open technologies
Control system implementation continues to move toward the use of off-the-shelf technologies such as Microsoft Windows operating systems and standard, open Ethernet communications.
These allow the system to be more easily connected to the enterprise or plant LAN to exchange information and allow remote access to improve business performance.
Cyber security
The use of open technologies exposes the control system to the same types of security issues as the plant LANs.
Process control systems have traditionally been built on proprietary technology.
Proprietary systems provide a reasonable level of security from unauthorized access due to their closed nature.
Redundancy Concepts for PLC/SCADA and DCS
Concept of Redundancy: addition of information, resources, or time beyond what is needed for normal system operation.
Hardware redundancy: extra hardware for the purpose of detecting or tolerating faults.
Software redundancy: extra software to detect, and possibly tolerate, faults.
Information redundancy: extra information to implement a given function (e.g. ECC).
Time redundancy: extra time used for fault detection and fault tolerance.
Hardware Redundancy
Passive techniques use the concept of fault masking to achieve fault tolerance without requiring action on the part of the system; they rely on voting mechanisms.
Hybrid techniques combine the attractive features of passive and active approaches.
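A two-out-of-three (2oo3) voter is the voting mechanism passive redundancy relies on: three channels measure the same quantity and a faulty one is masked by the agreeing pair. The voter below is an added example written for this page, not code from the slides; it also reports which channel disagreed, so the masked fault is flagged for maintenance instead of silently tolerated. Readings and tolerance are constructed.

```python
"""Two-out-of-three (2oo3) voting on a triplicated analog input.

Added example, not code from the slides. Passive hardware redundancy masks a
faulty channel by voting; this voter also reports which channel disagreed, so
the fault is masked and flagged for maintenance rather than silently tolerated.
Readings and tolerance are constructed.
"""
from typing import List, NamedTuple, Optional, Sequence


class VoteResult(NamedTuple):
    value: Optional[float]   # voted value; None when no two channels agree
    faulty: List[int]        # channel indices that disagree with the majority
    degraded: bool           # True when the vote no longer rests on three agreeing channels


def vote_2oo3(readings: Sequence[float], tolerance: float) -> VoteResult:
    """Vote three readings; two channels agree when they lie within `tolerance` of each other."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    r = [float(x) for x in readings]
    agreeing = [(i, j) for i, j in ((0, 1), (0, 2), (1, 2)) if abs(r[i] - r[j]) <= tolerance]
    median = sorted(r)[1]
    if len(agreeing) == 3:
        # All channels agree: the median masks small noise, nothing to flag.
        return VoteResult(median, [], False)
    if len(agreeing) == 2:
        # a~b and b~c but a and c differ by more than the tolerance: the channels
        # are drifting apart. The median is still the best value; flag the vote.
        return VoteResult(median, [], True)
    if len(agreeing) == 1:
        # Exactly one pair agrees: the third channel is the odd one out and is masked.
        i, j = agreeing[0]
        odd = 3 - i - j
        return VoteResult((r[i] + r[j]) / 2, [odd], True)
    # No pair agrees: no trustworthy value; the caller must fail safe (trip or hold last good).
    return VoteResult(None, [0, 1, 2], True)


def run_demo() -> List[VoteResult]:
    """Constructed scans of a triplicated temperature input, tolerance 0.5."""
    scans = [
        (20.0, 20.1, 19.9),   # healthy: all three agree
        (20.0, 20.1, 35.0),   # channel 2 failed high: masked and flagged
        (20.0, 25.0, 30.0),   # all three disagree: no valid value
    ]
    return [vote_2oo3(s, tolerance=0.5) for s in scans]
```

With tolerance 0 and 0/1 readings the same function votes a triplicated digital input, which is how the voter is usually drawn for a trip signal.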
Troubleshooting techniques
Instrumentation in PLC/SCADA and DCS
Connectivity/communication issues
Instrumentation loop
Open connections
Loop impedance issues: digital device communication issues
Power supply noise
Calibration / drift issues
Other problems
IO card failure cause identification
Troubleshooting and Diagnostics: Kepner-Tregoe approach