Lecture Notes for
EE-647 Cyber Security of Industrial Control Systems
Ghulam Mustafa
Professor, Department of Electrical Engineering
Pakistan Institute of Engineering & Applied Sciences
Email: gm@pieas.edu.pk, Homepage: faculty.pieas.edu.pk/gm
Lecture-4: ICS Architectures
Supervisory Control and Data Acquisition (SCADA) System
Field Components
Communication System
Control Centre
SCADA System
SCADA systems are widely used in utility industries such as electric power transmission and distribution, water distribution, liquid and gas pipelines and now, in recent years, industries such as environmental monitoring and cell phone tower monitoring.
Figure 2-2. SCADA System General Layout
The NIST SP 800-82 text reproduced around this figure reads: "... a remote access capability to allow operators to perform remote diagnostics and repairs usually over a separate dial up modem or WAN connection. Standard and proprietary communication protocols running over serial and network communications are used to transport information between the control center and field sites using telemetry techniques such as telephone line, cable, fiber, and radio frequency such as broadcast, microwave and satellite. SCADA communication topologies vary among implementations. The various topologies used, including point-to-point, series, series-star, and multi-drop [5], are shown in Figure 2-3. Point-to-point is functionally the simplest type; however, it is expensive because of the individual channels needed for each connection. In a series configuration, the number of channels used is reduced; however, channel sharing has an impact on the efficiency and complexity of SCADA operations. Similarly, series-star and multi-drop configurations' use of one channel per device results in decreased efficiency and increased system complexity."
A typical SCADA system is a combination of three subsystems:
▶ A field-located remote measurement and control equipment such as Remote
Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs)
▶ A wide-area communication system (telephonic, Internet, satellite, or radio) to
connect all this equipment
▶ A Control Centre that houses SCADA software to provide users with access to the
system and to perform various operations
Core functionalities of a SCADA system are as follows:
1. Acquisition of data from field instrument devices via RTU.
2. Processing the field data to detect alarms and other significant process changes.
3. Providing a consistent database of process information about the facility.
4. Presenting the data via an easy-to-understand graphical user interface, alarms,
trends, and reports.
5. Performing remote control of field devices.
6. Performing system monitoring and diagnosis and taking appropriate actions.
7. Historical archiving of data for recent and long-term historical storage and
analysis.
8. Transferring real-time engineering data directly to and from a modelling system
such as a pipeline application system.
9. Providing system data to Management Information Systems (MIS) and supply
chain management.
10. Providing integration with geographical information system (GIS) facilities.
Field Components
▶ Collect measurements from the system
▶ Convert them to digital signals, if necessary
▶ Send data to Control Server or Master Terminal Unit (MTU)
▶ Receive control, settings, resets from the Control Server or MTU
Remote Terminal Unit (RTU)
An RTU is a microprocessor-controlled electronic device that interfaces objects in the
physical world to a DCS or SCADA system by transmitting telemetry data to a master
system, and by using messages from the master supervisory system to control
connected objects.
An example of a modern day RTU (Figure 7.9)
RTU Architecture
An RTU monitors the field digital and analog parameters and transmits data to a
SCADA Control Server.
▶ Power Supply
All RTUs include a form of power supply for operation from the AC mains for
various CPU, status wetting voltages and other interface cards. RTUs may include
a battery and charger circuitry to continue operation in event of AC power failure
for critical applications where a station battery is not available.
▶ Digital Inputs
Most RTUs incorporate an input section or input status cards to acquire digital
inputs from devices. Examples of devices with digital inputs include electrical
breakers, liquid valve positions, alarm conditions, and mechanical positions of
devices.
▶ Analog Inputs
An RTU can monitor analog inputs of different types including 0–1 mA, 4–20 mA
current loop, 0–10 V, ±2.5 V, ±5.0 V etc. Many RTU inputs buffer larger
quantities via transducers to convert and isolate real-world quantities from
sensitive RTU input levels. An RTU can also receive analog data via a
communication system from a master or IED (intelligent electronic device)
sending data values to it.
▶ Digital Outputs
RTUs may drive high-current-capacity relays from a digital output to switch power
on and off to devices in the field: the output applies voltage to the relay coil,
which closes the high-current contacts, which completes the power circuit to the device.
▶ Analog Outputs
An RTU may include analog outputs to control devices that require varying
quantities such as graphic recording instruments.
▶ Software and Control Logic
Modern RTUs are usually capable of executing simple programs autonomously
without involving the host computers of the DCS or SCADA system to simplify
deployment and to provide redundancy for safety reasons.
▶ Communication
An RTU may be interfaced to multiple master stations and IEDs (Intelligent
Electronic Devices) with different communication protocols (usually serial (RS232,
RS485, RS422) or Ethernet). An RTU may support standard protocols (Modbus,
IEC 60870-5-101/103/104, DNP3, IEC 60870-6-ICCP, IEC 61850 etc.) to
interface with any third-party software.
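An added example, written for these notes rather than taken from any RTU vendor or protocol library: building and parsing the Modbus/TCP frames an RTU exchanges with its master station. The field layout is the standard MBAP header (transaction id, protocol id, length, unit id) followed by the PDU; the function names and the sample request/response bytes are constructed for this illustration. The checks applied when parsing (protocol id, length consistency, byte count, exception format) are the ones a defender's traffic monitor or protocol-aware firewall applies to discard malformed frames before trusting their contents.

```python
import struct

# Modbus/TCP application data unit (ADU) = MBAP header + PDU.
# MBAP: transaction id (2 bytes), protocol id (2 bytes, always 0),
#       length (2 bytes: unit id + PDU length), unit id (1 byte).
MBAP_LEN = 7
READ_HOLDING_REGISTERS = 0x03


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Build a Read Holding Registers (FC 03) request ADU."""
    if not 1 <= quantity <= 125:           # upper bound fixed by the Modbus specification
        raise ValueError("quantity must be 1..125")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Split an ADU into its fields, rejecting malformed frames.
    Returns a dict; 'exception' is set when the PDU is an exception response."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:           # length counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    result = {"transaction_id": tid, "unit_id": unit, "function": fc & 0x7F,
              "exception": None, "data": pdu[1:]}
    if fc & 0x80:                          # exception response: one code byte follows
        if len(pdu) != 2:
            raise ValueError("exception response must carry exactly one code byte")
        result["exception"] = pdu[1]
    return result


def parse_read_holding_registers_response(frame):
    """Decode the 16-bit register values carried by an FC 03 response."""
    adu = parse_adu(frame)
    if adu["function"] != READ_HOLDING_REGISTERS:
        raise ValueError("not an FC 03 response")
    if adu["exception"] is not None:
        raise ValueError(f"device returned exception code {adu['exception']}")
    data = adu["data"]
    byte_count = data[0]
    if byte_count != len(data) - 1 or byte_count % 2:
        raise ValueError("byte count does not match register payload")
    return list(struct.unpack(f">{byte_count // 2}H", data[1:]))


# Constructed sample exchange (not a capture from a real device):
# master asks unit 1 for two holding registers starting at address 0,
# and the RTU answers with the values 100 and 200.
REQUEST = build_read_holding_registers(0x0001, 1, 0x0000, 2)
RESPONSE = bytes.fromhex("000100000007010304006400c8")

if __name__ == "__main__":
    print(REQUEST.hex())
    print(parse_adu(REQUEST))
    print(parse_read_holding_registers_response(RESPONSE))
```

Note that nothing in the frame authenticates the master: any host that can reach the RTU's TCP port can issue the same request, which is why the notes stress isolating the communication system and control centre rather than relying on the protocol itself.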
IP-Ready RTUs (Figure 7.15)
Intelligent Electronic Device (IED)
An IED is a term used in the electric power industry to describe microprocessor-based
controllers of power system equipment, such as circuit breakers, transformers and
capacitor banks.
An example relay IED
▶ Similar to an RTU, communication is based on an open protocol or a proprietary protocol
▶ Acquires data from electrical devices, e.g. relay or circuit breaker status, switch
position.
▶ Reads meter data such as V, A, MW, MVAR. Some modern meters have IED
capabilities and can communicate their readings to an RTU or MTU.
▶ Can issue control commands, such as tripping circuit breakers if they sense
voltage, current, or frequency anomalies, or raise/lower voltage levels in order to
maintain the desired level.
▶ IEDs can support horizontal communication
Communication System
▶ Telephone
▶ Leased Radio
▶ Wifi and WiMAX
▶ Cellular
▶ Digital Networking Technologies (IP-Modbus, IP-Distributed Network Protocol 3
(DNP3.0), Inter-control Centre Communication Protocol (ICCP), Utility
Communication Architecture 2 (UCA2.0))
▶ The Internet
▶ Star
▶ Ring
▶ Mesh
▶ Tree
▶ Bus
Control Centre
▶ Provides for real-time process/plant management
▶ SCADA Server; also known as the master terminal unit (MTU)
▶ HMI for visualisation and human interaction
▶ Programming/Engineering workstations
▶ Data historian, a database storage for operational activities
▶ Communication routers
Supervisory Control Applications
The software in a SCADA system can be classified into layers:
▶ Software that owns the computer and its resources and makes them available to
application programs. That is the operating system layer.
▶ Software that performs basic SCADA system functions – including RTU polling
and communications, basic display generation, alarming and reporting, and other
fundamental SCADA capabilities.
▶ Software that consists of the advanced supervisory application programs that
make use of the collected information to perform more advanced calculations and
potentially send control commands back down to the RTUs in the field.
Human-Machine Interface
Once a SCADA system is installed, commissioned, and placed into continuous
operation, it is primarily the system operators who interact with the system and use
the system to monitor and control the target process and field equipment.
Standard System Displays
All SCADA systems collect real-time and historical information and then provide a
wide range of modes in which this information can be displayed and accessed. Most
SCADA systems offer process-related (operational) displays and system-related
(diagnostic) displays.
Diagnostic Displays
Diagnostic displays help verify that the SCADA system is functioning properly or make
adjustments or modifications as needed. A very common SCADA diagnostic display is
an RTU polling channel status display.
An example RTU polling and communications diagnostic and configuration display
(Figure 7.22: Typical RTU polling and communications diagnostics display)
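An added example, not part of the lecture notes, of the bookkeeping behind such a polling channel status display. Each RTU channel keeps poll, good and failed counters plus a consecutive-failure count, and is declared offline after a configurable number of straight timeouts; the threshold of three, the RTU names and the poll outcomes are all assumed values constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class ChannelStatus:
    """Per-RTU polling counters of the kind a diagnostics display summarises."""
    rtu: str
    polls: int = 0
    good: int = 0
    failed: int = 0
    consecutive_failures: int = 0
    online: bool = True
    fail_threshold: int = 3      # assumed: declare the RTU offline after 3 straight timeouts

    def record(self, ok: bool) -> None:
        """Account for one poll cycle: ok=True means the RTU answered in time."""
        self.polls += 1
        if ok:
            self.good += 1
            self.consecutive_failures = 0
            self.online = True       # a single good reply restores the channel
        else:
            self.failed += 1
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_threshold:
                self.online = False

    def success_rate(self) -> float:
        return self.good / self.polls if self.polls else 0.0


def run_poll_cycles(outcomes):
    """outcomes: {rtu_name: [True/False per poll cycle]} -> {rtu_name: ChannelStatus}"""
    channels = {name: ChannelStatus(name) for name in outcomes}
    for name, results in outcomes.items():
        for ok in results:
            channels[name].record(ok)
    return channels


def render_status(channels):
    """Render the table an operator would see on the channel status page."""
    lines = [f"{'RTU':<8}{'POLLS':>6}{'GOOD':>6}{'FAIL':>6}{'RATE':>7}  STATE"]
    for ch in channels.values():
        state = "ONLINE" if ch.online else "OFFLINE"
        lines.append(f"{ch.rtu:<8}{ch.polls:>6}{ch.good:>6}{ch.failed:>6}"
                     f"{ch.success_rate():>7.0%}  {state}")
    return "\n".join(lines)


# Constructed poll outcomes for three RTUs over eight cycles (not real data):
# RTU-01 is healthy, RTU-02 drops the odd poll, RTU-03 stops answering after cycle 2.
SAMPLE = {
    "RTU-01": [True] * 8,
    "RTU-02": [True, False, True, True, False, True, True, True],
    "RTU-03": [True, True, False, False, False, False, False, False],
}

if __name__ == "__main__":
    print(render_status(run_poll_cycles(SAMPLE)))
```

From a security operations standpoint the same counters are a cheap anomaly signal: a channel whose failure count climbs while the RTU itself is physically healthy is worth correlating with events on the communication network rather than being written off as a radio or line fault.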
Site/Industry-Specific Displays
Most modern SCADA systems (since the 1990s) have used semigraphical and now fully
graphical custom-developed displays as the primary way of presenting information to
the system operators. Depending on the industry and application, these user-defined
display pages may be in the form of process-flow diagrams, map displays, or plant
layout displays.
Graphical Displays
Most SCADA systems make extensive use of graphical data presentation technologies.
Graphical data presentation – particularly when there is a physical, geographic, or
process-flow relationship – is the clearest and least ambiguous way to deliver
information to operational personnel.
An operator might watch a high-level overview display that is geographic in nature and then zoom in to a more detailed process-flow graphic that shows the specifics of the selected substation, pipeline pump station, or water-pumping/storage facility.
An example process flow operational graphic display (Figure 7.25: Process flow operational graphical display)
Alarms and Indicators
SCADA systems deal with large volumes of constantly changing data (2,000–70,000
tags, depending on the application), making it infeasible, and far too time-consuming,
for a human operator to constantly cycle through all of the data looking for problems.
Detecting alarm and abnormal conditions – and bringing these to the attention of the
operators – is a primary function of SCADA systems.
Figure 7.27. Alarm limit checking on a typical analog input point
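An added example (not from the notes) that covers two of the points above in one piece of code: scaling a 4–20 mA analog input to engineering units, as described under the RTU Analog Inputs bullet, and the alarm-limit checking with a deadband that Figure 7.27 depicts. The point configuration (field names, the 0–10 bar range, the LOLO/LO/HI/HIHI limits and the deadband) and the sequence of readings are constructed for the illustration; the 3.6 mA and 21 mA fault bands follow the NAMUR NE43 recommendation for signalling a failed transmitter or broken loop.

```python
from dataclasses import dataclass


@dataclass
class AnalogPoint:
    """Configuration of one analog input point (assumed field names and values)."""
    tag: str
    lo_ma: float = 4.0       # 4-20 mA current loop: 4 mA = bottom of range
    hi_ma: float = 20.0      # 20 mA = top of range
    eu_lo: float = 0.0       # engineering-unit range, here 0..10 bar
    eu_hi: float = 10.0
    lolo: float = 1.0        # alarm limits in engineering units
    lo: float = 2.0
    hi: float = 8.0
    hihi: float = 9.0
    deadband: float = 0.2    # hysteresis so a value hovering at a limit does not chatter


def loop_to_eu(point, milliamps):
    """Scale a 4-20 mA reading to engineering units.
    Below 3.6 mA or above 21 mA (NAMUR NE43 fault bands) the loop is treated as
    failed and None is returned instead of a misleading low or high value."""
    if milliamps < 3.6 or milliamps > 21.0:
        return None
    frac = (milliamps - point.lo_ma) / (point.hi_ma - point.lo_ma)
    return point.eu_lo + frac * (point.eu_hi - point.eu_lo)


def check_alarm(point, value, previous):
    """Return the new alarm state for `value` given the previous state.
    States: 'BAD' (loop fault), 'LOLO', 'LO', 'NORMAL', 'HI', 'HIHI'.
    An alarm is entered exactly at its limit but is only left once the value
    has moved back past the limit by `deadband`; that hysteresis is what the
    limit-checking diagram shows around each threshold."""
    if value is None:
        return "BAD"
    db = point.deadband
    if value >= point.hihi or (previous == "HIHI" and value > point.hihi - db):
        return "HIHI"
    if value >= point.hi or (previous == "HI" and value > point.hi - db):
        return "HI"
    if value <= point.lolo or (previous == "LOLO" and value < point.lolo + db):
        return "LOLO"
    if value <= point.lo or (previous == "LO" and value < point.lo + db):
        return "LO"
    return "NORMAL"


def run_scan(point, samples_ma):
    """Feed a sequence of loop readings through scaling and alarm checking,
    returning (mA, engineering value, alarm state) per scan."""
    state = "NORMAL"
    trace = []
    for ma in samples_ma:
        eu = loop_to_eu(point, ma)
        state = check_alarm(point, eu, state)
        trace.append((ma, eu, state))
    return trace


# Constructed readings (mA) for a 0-10 bar pressure point: normal, into HI alarm,
# hovering just under the limit (held by the deadband), back to normal, then a loop break.
PRESSURE = AnalogPoint("PT-101")
SAMPLES = [12.0, 17.0, 16.6, 16.0, 2.0]

if __name__ == "__main__":
    for ma, eu, state in run_scan(PRESSURE, SAMPLES):
        print(f"{ma:5.1f} mA -> {eu if eu is None else round(eu, 3)} -> {state}")
```

Returning a distinct BAD state for an out-of-band loop current matters for both safety and security analysis: a broken or tampered loop otherwise reads as 0 mA, which the scaling alone would present as a plausible LOLO value rather than as a loss of measurement.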
Data Historian
▶ A specialized software system that collects point values, alarm events, batch
records, and other information from industrial devices and systems and stores
them in a purpose-built database.
▶ Most ICS vendors including ABB, Areva, Emerson, GE, Honeywell, Invensys,
Rockwell, Schneider, Siemens, and others provide their own proprietary data
historian systems.
▶ There are also third-party industrial data historian vendors, such as Aspen
Technologies (www.aspentech.com), Canary Labs (www.canarylabs.com), Modius
(www.modius.com), and OSIsoft (www.osisoft.com).
▶ These interoperate with ICS assets and even integrate with proprietary ICS
historians in order to provide a common, centralized platform for data
historization, analysis, and presentation.
▶ Properly isolating and securing data historian components that connect with
assets in less trusted networks, by placing them within a semi-trusted DMZ
▶ Component-level cyber security testing of assets, so that they do not introduce
into the ICS vulnerabilities that are uncommon in the traditional public
disclosure realm (e.g. Microsoft monthly security bulletins)
SCADA Implementation Example
▶ Direct Connection
▶ Connection with slave.