SCADA
Encyclopedia
SCADA generally refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:
s (DCS). Generally speaking, a SCADA system always refers to a system that coordinates, but does not control processes in real time
. The discussion on real-time control is muddied somewhat by newer telecommunications technology, enabling reliable, low latency, high speed communications over wide areas. Most differences between SCADA and DCS are culturally determined and can usually be ignored. As communication infrastructures with higher capacity become available, the difference between SCADA and DCS will fade.
Summary:
Data acquisition
begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian
, often built on a commodity Database Management System
, to allow trending and other analytical auditing.
SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a "soft" point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-timestamp pairs: a value, and the timestamp
when it was recorded or calculated. A series of value-timestamp pairs gives the history of that point. It's also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.
A human–machine interface
or HMI is the apparatus which presents process data to a human operator, and through which the human operator controls the process.
An HMI is usually linked to the SCADA system's database
s and software programs, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides.
The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols.
The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.
An important part of most SCADA implementations is alarm handling. The system monitors whether certain alarm conditions are satisfied, to determine when an alarm event has occurred. Once an alarm event has been detected, one or more actions are taken (such as the activation of one or more alarm indicators, and perhaps the generation of email or text messages so that management or remote SCADA operators are informed). In many cases, a SCADA operator may have to acknowledge the alarm event; this may deactivate some alarm indicators, whereas other indicators remain active until the alarm conditions are cleared. Alarm conditions can be explicit—for example, an alarm point is a digital status point that has either the value NORMAL or ALARM that is calculated by a formula based on the values in other analogue and digital points—or implicit: the SCADA system might automatically monitor whether the value in an analogue point lies outside high and low limit values associated with that point. Examples of alarm indicators include a siren, a pop-up box on a screen, or a coloured or flashing area on a screen (that might act in a similar way to the "fuel tank empty" light in a car); in each case, the role of the alarm indicator is to draw the operator's attention to the part of the system 'in alarm' so that appropriate action can be taken. In designing SCADA systems, care is needed in coping with a cascade of alarm events occurring in a short time, otherwise the underlying cause (which might not be the earliest event detected) may get lost in the noise. Unfortunately, when used as a noun, the word 'alarm' is used rather loosely in the industry; thus, depending on context it might mean an alarm point, an alarm indicator, or an alarm event.
(DCS) components. Use of "smart" RTUs or PLCs
, which are capable of autonomously executing simple logic processes without involving the master computer, is increasing. A standardized control programming language, IEC 61131-3
(a suite of 5 programming languages including Function Block, Ladder, Structured Text, Sequence Function Charts and Instruction List), is frequently used to create programs which run on these RTUs and PLCs. Unlike a procedural language such as the C programming language
or FORTRAN
, IEC 61131-3 has minimal training requirements by virtue of resembling historic physical control arrays. This allows SCADA system engineers to perform both the design and implementation of a program to be executed on an RTU or PLC. A programmable automation controller
(PAC) is a compact controller that combines the features and capabilities of a PC-based control system with that of a typical PLC. PACs are deployed in SCADA systems to provide RTU and PLC functions. In many electrical substation SCADA applications, "distributed RTUs" use information processors or station computers to communicate with digital protective relay
s, PACs, and other devices for I/O, and communicate with the SCADA master in lieu of a traditional RTU.
Since about 1998, virtually all major PLC manufacturers have offered integrated HMI/SCADA systems, many of them using open and non-proprietary communications protocols. Numerous specialized third-party HMI/SCADA packages, offering built-in compatibility with most major PLCs, have also entered the market, allowing mechanical engineers, electrical engineers and technicians to configure HMIs themselves, without the need for a custom-made program written by a software developer.
is also frequently used at large sites such as railways and power stations. The remote management or monitoring function of a SCADA system is often referred to as telemetry
.
This has also come under threat with some customers wanting SCADA data to travel over their pre-established corporate networks or to share the network with other applications. The legacy of the early low-bandwidth protocols remains, though.
SCADA protocols are designed to be very compact and many are designed to send information to the master station only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus
RTU, RP-570
, Profibus
and Conitel. These communication protocols are all SCADA-vendor specific but are widely adopted and used.
Standard protocols are IEC 60870-5-101 or 104
, IEC 61850 and DNP3
. These communication protocols are standardized and recognized by all major SCADA vendors.
Many of these protocols now contain extensions to operate over TCP/IP. Although some believe it is good security engineering
practice to avoid connecting SCADA systems to the Internet
so the attack surface
is reduced, many industries, such as wastewater collection and water distribution, have used existing cellular networks to monitor their infrastructure along with internet portals for end-user data delivery and modification. This practice has been ongoing for many years with no known data breach incidents to date. Cellular network data is fully encrypted, using sophisticated encryption standards, before transmission and internet data transmission, over an "https" site, is highly secure.
With the move to IP rather than proprietary protocols, and with increasing cyber-security demands (e.g. North American Electric Reliability Corporation (NERC) and critical infrastructure protection
(CIP) in the US) there is increasing use and awareness of satellite-based communications infrastructure. This has the key advantages that the infrastructure can be self contained (no PTT circuits are used), can have built-in AES (Advanced Encryption Standard
) encryption and can be engineered to the availability and reliability required by the SCADA system operator. While earlier experiences using consumer grade VSAT were poor—modern carrier class systems area available that provide the quality of service required for SCADA.
RTUs and other automatic controller devices were being developed before the advent of industry wide standards for interoperability. The result is that developers and their management created a multitude of control protocols. Among the larger vendors, there was also the incentive to create their own protocol to "lock in" their customer base. A list of automation protocols is being compiled here.
Recently, OLE for process control (OPC
) has become a widely accepted solution for intercommunicating different hardware and software, allowing communication even between devices originally not intended to be part of an industrial network.
s. Networks did not exist at the time SCADA was developed. Thus SCADA systems were independent systems with no connectivity to other systems. Wide Area Network
s were later designed by RTU vendors to communicate with the RTU. The communication protocols used were often proprietary at that time. The first-generation SCADA system was redundant since a back-up mainframe system was connected at the bus level and was used in the event of failure of the primary mainframe system.
, the security of a SCADA installation was often badly overestimated, if it was considered at all.
has made them more vulnerable to attacks—see references. Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks.
In particular, security researchers are concerned about:
SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.
There are two distinct threats to a modern SCADA system. First is the threat of unauthorized access to the control software, whether it be human access or changes induced intentionally or accidentally by virus infections and other software threats residing on the control host machine. Second is the threat of packet access to the network segments hosting SCADA devices. In many cases, there is rudimentary or no security on the actual packet control protocol, so anyone who can send packets to the SCADA device can control it. In many cases SCADA users assume that a VPN is sufficient protection and are unaware that physical access to SCADA-related network jacks and switches provides the ability to totally bypass all security on the control software and fully control those SCADA networks. These kinds of physical access attacks bypass firewall and VPN security and are best addressed by endpoint-to-endpoint authentication and authorization such as are commonly provided in the non-SCADA world by in-device SSL or other cryptographic techniques.
The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety. Such an attack has already occurred, carried out on Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a contractor installed a SCADA system there in January 2000 system components began to function erratically. Pumps did not run when needed and alarms were not reported. More critically, sewage flooded a nearby park and contaminated an open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug. Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46 separate instances of malicious outside interference before the culprit was identified. The attacks were made by a disgruntled employee of the company that had installed the SCADA system. The employee was hoping to be hired full time to help solve the problem.
Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by developing lines of specialized industrial firewall
and VPN solutions for TCP/IP-based SCADA networks as well as external SCADA monitoring and recording equipment. Additionally, application whitelisting solutions are being implemented because of their ability to prevent malware and unauthorized application changes without the performance impacts of traditional antivirus scans.
Also, the ISA Security Compliance Institute (ISCI) is emerging to formalize SCADA security testing starting as soon as 2009. ISCI is conceptually similar to private testing and certification that has been performed by vendors since 2007. Eventually, standards being defined by ISA99 WG4 will supersede the initial industry consortia efforts, but probably not before 2011.
The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in commercial SCADA software and more general offensive SCADA techniques presented to the general security community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ authentication and Advanced Encryption Standard
encryption rather than replacing all existing nodes.
In June 2010, VirusBlokAda
reported the first detection of malware that attacks SCADA systems (Siemens' WinCC
/PCS7 systems) running on Windows operating systems. The malware is called Stuxnet
and uses four zero-day attacks to install a rootkit which in turn logs in to the SCADA's database and steals design and control files. The malware is also capable of changing the control system and hiding those changes. The malware was found by an anti-virus security company on 14 systems, the majority of which were located in Iran.
- Industrial processIndustrial processIndustrial processes are procedures involving chemical or mechanical steps to aid in the manufacture of an item or items, usually carried out on a very large scale. Industrial processes are the key components of heavy industry....
es include those of manufacturing, production, power generation, fabricationFabrication (metal)Fabrication as an industrial term refers to building metal structures by cutting, bending, and assembling. The cutting part of fabrication is via sawing, shearing, or chiseling ; torching with handheld torches ; and via CNC cutters...
, and refining, and may run in continuous, batch, repetitive, or discrete modes. - InfrastructureInfrastructureInfrastructure is basic physical and organizational structures needed for the operation of a society or enterprise, or the services and facilities necessary for an economy to function...
processes may be public or private, and include water treatmentWater treatmentWater treatment describes those processes used to make water more acceptable for a desired end-use. These can include use as drinking water, industrial processes, medical and many other uses. The goal of all water treatment process is to remove existing contaminants in the water, or reduce the...
and distribution, wastewater collection and treatmentWastewater TreatmentWastewater treatment may refer to:* Sewage treatment* Industrial wastewater treatment...
, oil and gas pipelines, electrical power transmission and distribution, wind farmWind farmA wind farm is a group of wind turbines in the same location used to produce electric power. A large wind farm may consist of several hundred individual wind turbines, and cover an extended area of hundreds of square miles, but the land between the turbines may be used for agricultural or other...
s, civil defense sirenCivil defense sirenA civil defense siren is a mechanical or electronic device for generating sound to...
systems, and large communication systems. - Facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control HVACHVACHVAC refers to technology of indoor or automotive environmental comfort. HVAC system design is a major subdiscipline of mechanical engineering, based on the principles of thermodynamics, fluid mechanics, and heat transfer...
, access, and energy consumption.
Common system components
A SCADA system usually consists of the following subsystems:- A human–machine interfaceUser interfaceThe user interface, in the industrial design field of human–machine interaction, is the space where interaction between humans and machines occurs. The goal of interaction between a human and a machine at the user interface is effective operation and control of the machine, and feedback from the...
or HMI is the apparatus which presents process data to a human operator, and through this, the human operator monitors and controls the process. - A supervisory (computer) system, gathering (acquiring) data on the process and sending commands (control) to the process.
- Remote terminal units (RTUs) connecting to sensors in the process, converting sensor signals to digital dataData acquisitionData acquisition is the process of sampling signals that measure real world physical conditions and converting the resulting samples into digital numeric values that can be manipulated by a computer. Data acquisition systems typically convert analog waveforms into digital values for processing...
and sending digital data to the supervisory system. - Programmable logic controllerProgrammable logic controllerA programmable logic controller or programmable controller is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines...
(PLCs) used as field devices because they are more economical, versatile, flexible, and configurable than special-purpose RTUs. - Communication infrastructure connecting the supervisory system to the remote terminal units.
- Various process and analytical instrumentation
Supervision versus control
There is, in several industries, considerable confusion over the differences between SCADA systems and distributed control systemDistributed control system
A distributed control system refers to a control system usually of a manufacturing system, process or any kind of dynamic system, in which the controller elements are not central in location but are distributed throughout the system with each component sub-system controlled by one or more...
s (DCS). Generally speaking, a SCADA system always refers to a system that coordinates, but does not control processes in real time
Real-time computing
In computer science, real-time computing , or reactive computing, is the study of hardware and software systems that are subject to a "real-time constraint"— e.g. operational deadlines from event to system response. Real-time programs must guarantee response within strict time constraints...
. The discussion on real-time control is muddied somewhat by newer telecommunications technology, enabling reliable, low latency, high speed communications over wide areas. Most differences between SCADA and DCS are culturally determined and can usually be ignored. As communication infrastructures with higher capacity become available, the difference between SCADA and DCS will fade.
Summary:
- DCS is process oriented, while SCADA is data acquisition oriented.
- DCS is process driven, while SCADA is event driven.
- DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location.
Systems concepts
The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (anything from an industrial plant to a nation). Most control actions are performed automatically by RTUs or by PLCs. Host control functions are usually restricted to basic overriding or supervisory level intervention. For example, a PLC may control the flow of cooling water through part of an industrial process, but the SCADA system may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or PLC, while the SCADA system monitors the overall performance of the loop.Data acquisition
Data acquisition
Data acquisition is the process of sampling signals that measure real world physical conditions and converting the resulting samples into digital numeric values that can be manipulated by a computer. Data acquisition systems typically convert analog waveforms into digital values for processing...
begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian
Operational historian
Operational Historian refers to a software application that logs or historizes data. Operational Historians are like Enterprise Historians but differ in that they are used by engineers on the plant floor rather than by business processes. They are typically cheaper, lighter weight, and easier to...
, often built on a commodity Database Management System
Database management system
A database management system is a software package with computer programs that control the creation, maintenance, and use of a database. It allows organizations to conveniently develop databases for various applications by database administrators and other specialists. A database is an integrated...
, to allow trending and other analytical auditing.
SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a "soft" point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-timestamp pairs: a value, and the timestamp
Timestamp
A timestamp is a sequence of characters, denoting the date or time at which a certain event occurred. A timestamp is the time at which an event is recorded by a computer, not the time of the event itself...
when it was recorded or calculated. A series of value-timestamp pairs gives the history of that point. It's also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.
Human–machine interface
User interface
The user interface, in the industrial design field of human–machine interaction, is the space where interaction between humans and machines occurs. The goal of interaction between a human and a machine at the user interface is effective operation and control of the machine, and feedback from the...
or HMI is the apparatus which presents process data to a human operator, and through which the human operator controls the process.
An HMI is usually linked to the SCADA system's database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
s and software programs, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides.
The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols.
The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.
An important part of most SCADA implementations is alarm handling. The system monitors whether certain alarm conditions are satisfied, to determine when an alarm event has occurred. Once an alarm event has been detected, one or more actions are taken (such as the activation of one or more alarm indicators, and perhaps the generation of email or text messages so that management or remote SCADA operators are informed). In many cases, a SCADA operator may have to acknowledge the alarm event; this may deactivate some alarm indicators, whereas other indicators remain active until the alarm conditions are cleared. Alarm conditions can be explicit—for example, an alarm point is a digital status point that has either the value NORMAL or ALARM that is calculated by a formula based on the values in other analogue and digital points—or implicit: the SCADA system might automatically monitor whether the value in an analogue point lies outside high and low limit values associated with that point. Examples of alarm indicators include a siren, a pop-up box on a screen, or a coloured or flashing area on a screen (that might act in a similar way to the "fuel tank empty" light in a car); in each case, the role of the alarm indicator is to draw the operator's attention to the part of the system 'in alarm' so that appropriate action can be taken. In designing SCADA systems, care is needed in coping with a cascade of alarm events occurring in a short time, otherwise the underlying cause (which might not be the earliest event detected) may get lost in the noise. Unfortunately, when used as a noun, the word 'alarm' is used rather loosely in the industry; thus, depending on context it might mean an alarm point, an alarm indicator, or an alarm event.
Hardware solutions
SCADA solutions often have distributed control systemDistributed control system
A distributed control system refers to a control system usually of a manufacturing system, process or any kind of dynamic system, in which the controller elements are not central in location but are distributed throughout the system with each component sub-system controlled by one or more...
(DCS) components. Use of "smart" RTUs or PLCs
Programmable logic controller
A programmable logic controller or programmable controller is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines...
, which are capable of autonomously executing simple logic processes without involving the master computer, is increasing. A standardized control programming language, IEC 61131-3
IEC 61131-3
IEC 61131-3 is the third part of the open international standard IEC 61131 for programmable logic controllers, and was first published in December 1993 by the IEC...
(a suite of 5 programming languages including Function Block, Ladder, Structured Text, Sequence Function Charts and Instruction List), is frequently used to create programs which run on these RTUs and PLCs. Unlike a procedural language such as the C programming language
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
or FORTRAN
Fortran
Fortran is a general-purpose, procedural, imperative programming language that is especially suited to numeric computation and scientific computing...
, IEC 61131-3 has minimal training requirements by virtue of resembling historic physical control arrays. This allows SCADA system engineers to perform both the design and implementation of a program to be executed on an RTU or PLC. A programmable automation controller
Programmable automation controller
A programmable automation controller ' is a compact controller that combines the features and capabilities of a PC-based control system with that of a typical programmable logic controller . PACs are most often used in industrial settings for process control, data acquisition, remote equipment...
(PAC) is a compact controller that combines the features and capabilities of a PC-based control system with that of a typical PLC. PACs are deployed in SCADA systems to provide RTU and PLC functions. In many electrical substation SCADA applications, "distributed RTUs" use information processors or station computers to communicate with digital protective relay
Digital protective relay
In electrical engineering of power systems, a digital protective relay uses a microcontroller with software-based protection algorithms for the detection of electrical faults...
s, PACs, and other devices for I/O, and communicate with the SCADA master in lieu of a traditional RTU.
Since about 1998, virtually all major PLC manufacturers have offered integrated HMI/SCADA systems, many of them using open and non-proprietary communications protocols. Numerous specialized third-party HMI/SCADA packages, offering built-in compatibility with most major PLCs, have also entered the market, allowing mechanical engineers, electrical engineers and technicians to configure HMIs themselves, without the need for a custom-made program written by a software developer.
Remote terminal unit
The RTU connects to physical equipment. Typically, an RTU converts the electrical signals from the equipment to digital values such as the open/closed status from a switch or a valve, or measurements such as pressure, flow, voltage or current. By converting and sending these electrical signals out to equipment the RTU can control equipment, such as opening or closing a switch or a valve, or setting the speed of a pump. It can also control the flow of a liquid.Supervisory station
The term supervisory station refers to the servers and software responsible for communicating with the field equipment (RTUs, PLCs, etc.), and then to the HMI software running on workstations in the control room, or elsewhere. In smaller SCADA systems, the master station may be composed of a single PC. In larger SCADA systems, the master station may include multiple servers, distributed software applications, and disaster recovery sites. To increase the integrity of the system the multiple servers will often be configured in a dual-redundant or hot-standby formation providing continuous control and monitoring in the event of a server failure.Operational philosophy
For some installations, the costs that would result from the control system failing are extremely high. Possibly even lives could be lost. Hardware for some SCADA systems is ruggedized to withstand temperature, vibration, and voltage extremes, but in most critical installations reliability is enhanced by having redundant hardware and communications channels, up to the point of having multiple fully equipped control centres. A failing part can be quickly identified and its functionality automatically taken over by backup hardware. A failed part can often be replaced without interrupting the process. The reliability of such systems can be calculated statistically and is stated as the mean time to failure, which is a variant of mean time between failures. The calculated mean time to failure of such high reliability systems can be on the order of centuries.Communication infrastructure and methods
SCADA systems have traditionally used combinations of radio and direct serial or modem connections to meet communication requirements, although SONET / SDHSynchronous optical networking
Synchronous Optical Networking and Synchronous Digital Hierarchy are standardized multiplexing protocols that transfer multiple digital bit streams over optical fiber using lasers or highly coherent light from light-emitting diodes . At low transmission rates data can also be transferred via an...
is also frequently used at large sites such as railways and power stations. The remote management or monitoring function of a SCADA system is often referred to as telemetry
Telemetry
Telemetry is a technology that allows measurements to be made at a distance, usually via radio wave transmission and reception of the information. The word is derived from Greek roots: tele = remote, and metron = measure...
.
This has also come under threat with some customers wanting SCADA data to travel over their pre-established corporate networks or to share the network with other applications. The legacy of the early low-bandwidth protocols remains, though.
SCADA protocols are designed to be very compact and many are designed to send information to the master station only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus
Modbus
Modbus is a serial communications protocol published by Modicon in 1979 for use with its programmable logic controllers . Simple and robust, it has since become one of the de facto standard communications protocols in the industry, and it is now amongst the most commonly available means of...
RTU, RP-570
RP-570
RP-570 is a communications protocol used in industrial environments to communicate between a front-end computer and the substation to be controlled.It is a SCADA legacy protocol and is based on the low-level protocol IEC TC57, format class 1.2....
, Profibus
Profibus
PROFIBUS is a standard for field bus communication in automation technology and was first promoted in 1989 by BMBF...
and Conitel. These communication protocols are all SCADA-vendor specific but are widely adopted and used.
Standard protocols are IEC 60870-5-101 or 104
IEC 60870-5
In electrical engineering and power system automation, the International Electrotechnical Commission 60870 standards define systems used for telecontrol . Such systems are used for controlling electric power transmission grids and other geographically widespread control systems...
, IEC 61850 and DNP3
DNP3
DNP3 is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common. It was developed for communications between various types of data acquisition and control...
. These communication protocols are standardized and recognized by all major SCADA vendors.
Many of these protocols now contain extensions to operate over TCP/IP. Although some believe it is good security engineering
Security engineering
Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts...
practice to avoid connecting SCADA systems to the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
so the attack surface
Attack surface
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services....
is reduced, many industries, such as wastewater collection and water distribution, have used existing cellular networks to monitor their infrastructure along with internet portals for end-user data delivery and modification. This practice has been ongoing for many years with no known data breach incidents to date. Cellular network data is fully encrypted, using sophisticated encryption standards, before transmission and internet data transmission, over an "https" site, is highly secure.
With the move to IP rather than proprietary protocols, and with increasing cyber-security demands (e.g. North American Electric Reliability Corporation (NERC) and critical infrastructure protection
Critical Infrastructure Protection
Critical infrastructure protection is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation....
(CIP) in the US) there is increasing use and awareness of satellite-based communications infrastructure. This has the key advantages that the infrastructure can be self contained (no PTT circuits are used), can have built-in AES (Advanced Encryption Standard
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
) encryption and can be engineered to the availability and reliability required by the SCADA system operator. While earlier experiences using consumer grade VSAT were poor—modern carrier class systems area available that provide the quality of service required for SCADA.
RTUs and other automatic controller devices were being developed before the advent of industry wide standards for interoperability. The result is that developers and their management created a multitude of control protocols. Among the larger vendors, there was also the incentive to create their own protocol to "lock in" their customer base. A list of automation protocols is being compiled here.
Recently, OLE for process control (OPC
OLE for process control
OLE for Process Control , which stands for Object Linking and Embedding for Process Control, is the original name for a standards specification developed in 1996 by an industrial automation industry task force...
) has become a widely accepted solution for intercommunicating different hardware and software, allowing communication even between devices originally not intended to be part of an industrial network.
SCADA architectures
SCADA systems have evolved through 3 generations as follows:First generation: "Monolithic"
In the first generation, computing was done by mainframe computerMainframe computer
Mainframes are powerful computers used primarily by corporate and governmental organizations for critical applications, bulk data processing such as census, industry and consumer statistics, enterprise resource planning, and financial transaction processing.The term originally referred to the...
s. Networks did not exist at the time SCADA was developed. Thus SCADA systems were independent systems with no connectivity to other systems. Wide Area Network
Wide area network
A wide area network is a telecommunication network that covers a broad area . Business and government entities utilize WANs to relay data among employees, clients, buyers, and suppliers from various geographical locations...
s were later designed by RTU vendors to communicate with the RTU. The communication protocols used were often proprietary at that time. The first-generation SCADA system was redundant since a back-up mainframe system was connected at the bus level and was used in the event of failure of the primary mainframe system.
Second generation: "Distributed"
The processing was distributed across multiple stations which were connected through a LAN and they shared information in real time. Each station was responsible for a particular task thus making the size and cost of each station less than the one used in First Generation. The network protocols used were still mostly proprietary, which led to significant security problems for any SCADA system that received attention from a hacker. Since the protocols were proprietary, very few people beyond the developers and hackers knew enough to determine how secure a SCADA installation was. Since both parties had vested interests in keeping security issues quietSecurity through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...
, the security of a SCADA installation was often badly overestimated, if it was considered at all.
Third generation: "Networked"
Due to the usage of standard protocols and the fact that many networked SCADA systems are accessible from the Internet, the systems are potentially vulnerable to remote cyber-attacks. On the other hand, the usage of standard protocols and security techniques means that standard security improvements are applicable to the SCADA systems, assuming they receive timely maintenance and updates.Security issues
The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the InternetInternet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
has made them more vulnerable to attacks—see references. Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks.
In particular, security researchers are concerned about:
- the lack of concern about security and authentication in the design, deployment and operation of some existing SCADA networks
- the belief that SCADA systems have the benefit of security through obscuritySecurity through obscuritySecurity through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...
through the use of specialized protocols and proprietary interfaces - the belief that SCADA networks are secure because they are physically secured
- the belief that SCADA networks are secure because they are disconnected from the Internet.
SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.
There are two distinct threats to a modern SCADA system. First is the threat of unauthorized access to the control software, whether it be human access or changes induced intentionally or accidentally by virus infections and other software threats residing on the control host machine. Second is the threat of packet access to the network segments hosting SCADA devices. In many cases, there is rudimentary or no security on the actual packet control protocol, so anyone who can send packets to the SCADA device can control it. In many cases SCADA users assume that a VPN is sufficient protection and are unaware that physical access to SCADA-related network jacks and switches provides the ability to totally bypass all security on the control software and fully control those SCADA networks. These kinds of physical access attacks bypass firewall and VPN security and are best addressed by endpoint-to-endpoint authentication and authorization such as are commonly provided in the non-SCADA world by in-device SSL or other cryptographic techniques.
The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety. Such an attack has already occurred, carried out on Maroochy Shire Council's sewage control system in Queensland, Australia. Shortly after a contractor installed a SCADA system there in January 2000 system components began to function erratically. Pumps did not run when needed and alarms were not reported. More critically, sewage flooded a nearby park and contaminated an open surface-water drainage ditch and flowed 500 meters to a tidal canal. The SCADA system was directing sewage valves to open when the design protocol should have kept them closed. Initially this was believed to be a system bug. Monitoring of the system logs revealed the malfunctions were the result of cyber attacks. Investigators reported 46 separate instances of malicious outside interference before the culprit was identified. The attacks were made by a disgruntled employee of the company that had installed the SCADA system. The employee was hoping to be hired full time to help solve the problem.
Many vendors of SCADA and control products have begun to address the risks posed by unauthorized access by developing lines of specialized industrial firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
and VPN solutions for TCP/IP-based SCADA networks as well as external SCADA monitoring and recording equipment. Additionally, application whitelisting solutions are being implemented because of their ability to prevent malware and unauthorized application changes without the performance impacts of traditional antivirus scans.
Also, the ISA Security Compliance Institute (ISCI) is emerging to formalize SCADA security testing starting as soon as 2009. ISCI is conceptually similar to private testing and certification that has been performed by vendors since 2007. Eventually, standards being defined by ISA99 WG4 will supersede the initial industry consortia efforts, but probably not before 2011.
The increased interest in SCADA vulnerabilities has resulted in vulnerability researchers discovering vulnerabilities in commercial SCADA software and more general offensive SCADA techniques presented to the general security community. In electric and gas utility SCADA systems, the vulnerability of the large installed base of wired and wireless serial communications links is addressed in some cases by applying bump-in-the-wire devices that employ authentication and Advanced Encryption Standard
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
encryption rather than replacing all existing nodes.
In June 2010, VirusBlokAda
VirusBlokAda
VirusBlokAda is an antivirus software vendor established in 1997 in Belarus. In 2010 it discovered Stuxnet, the first malware that attacks supervisory control and data acquisition systems....
reported the first detection of malware that attacks SCADA systems (Siemens' WinCC
WinCC
SIMATIC WinCC is a supervisory control and data acquisition and human-machine interface system from Siemens. It can be used in combination with Siemens PCS 7 and Teleperm control systems. WinCC is written for Microsoft Windows operating system...
/PCS7 systems) running on Windows operating systems. The malware is called Stuxnet
Stuxnet
Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment...
and uses four zero-day attacks to install a rootkit which in turn logs in to the SCADA's database and steals design and control files. The malware is also capable of changing the control system and hiding those changes. The malware was found by an anti-virus security company on 14 systems, the majority of which were located in Iran.