An ICS/SCADA Primer

[ NOTE: This thing is not anywhere close to being done. It’s a giant soup sandwich. Still working on it. ]

SCADA and ICS are fascinating areas of study, with tons of terms, concepts, and protocols to learn. This short primer will attempt to cover the basics.

People outside the space tend to conflate ICS and SCADA. They are not the same.

ICS stands for Industrial Control System, and it generally refers to the control systems for Industrial Automation. SCADA stands for Supervisory Control and Data Acquisition, and it is a type of Industrial Control System that traditionally covered long distances, such as gas, power, and water distribution.

Example systems

SCADA controls many infrastructure services, such as:

  • Transmission of electricity

  • Transmission of gas

  • Transmission of oil

  • Water distribution

  • Traffic lights

  • Other infrastructure

Pre micro-controller terminology

Before the invention of the micro-controller, there were highly specialized components that did one thing well.

Post micro-controller terminology

When the micro-controller became the dominant building block, vendors started consolidating many of these functions into the same hardware.

  • Industrial Control System (ICS): Computer-based systems that monitor and control industrial processes that exist in the real world

  • Supervisory Control and Data Acquisition (SCADA): a system for remote monitoring and control that operates with coded signals over communication channels (often using one communication channel per remote station). May be combined with data acquisition (hence the name) to update the status of the remote equipment. SCADA is now used to describe many different types of control system, but traditionally referred only to multi-site and wide area (long distance) implementations. Examples often included the distribution of energy (such as oil, gas, and electricity) over long distances

  • Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes

  • Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems

  • Facility processes occur in both public and private facilities, including buildings, airports, ships, and space stations. They monitor and control heating, ventilation, and air conditioning (HVAC), access, and energy consumption

  • Remote Terminal Units (RTUs): field devices that connect to sensors and actuators and convert sensor signals to digital data. They exchange digital signals with the supervisory system, and often have basic logic capabilities built in.

  • Programmable Logic Controllers (PLCs): like RTUs, PLCs are field devices that connect to sensors and convert their signals to digital data. PLCs, however, have more sophisticated embedded control capabilities (typically one or more IEC 61131-3 programming languages) than RTUs. PLCs do not have telemetry hardware built in, although it is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.

  • Telemetry Systems are typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.

  • Data Acquisition Servers are software services that use industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. They allow clients to access data from these field devices using standard protocols.

  • Human-Machine Interface (HMI): the human interface to the SCADA system. The HMI client requests data from a data acquisition server and other external devices, creates reports, handles alerting and notifications, etc., and presents the processed data to a human operator for monitoring and interaction with the process. Mimic diagrams are often used within the HMI to display the structure of the system to the operator as a schematic, e.g., which pumps feed which pipes. This allows the operator to adjust specific components visually, and the readings (increased or decreased pressure, etc.) reflect the change immediately afterwards.

  • Historian: a software service which collects data from a Data Acquisition Server, such as time-stamped values, boolean events, and boolean alarms, into a database which can be queried or used to populate trend graphics and other useful displays in the HMI.

  • Alarm Handling: a critical component of SCADA implementations. The system monitors for conditions that trigger an alarm, then fires off notifications and/or takes additional actions. In some cases the operator must acknowledge and clear the alarm manually. Alarm outputs include sirens, pop-up boxes, or colored or flashing lights on a screen. Industry terminology includes alarm point, alarm indicator, and alarm event.

  • IEC 61131-3: a standard defining five PLC programming languages (Function Block Diagram, Ladder Diagram, Structured Text, Sequential Function Chart, and Instruction List; Instruction List was deprecated in the 2013 third edition of the standard). It is frequently used to write the programs that run on RTUs and PLCs. The graphical languages look like physical control wiring, and are not as hard to learn as modern procedural programming languages.

  • Programmable Automation Controllers (PACs): are a combination of PC-based controller and typical PLC. PACs are deployed to provide functionality that you’d normally get from an RTU or PLC.

  • Supervisory Station (also called the master station or MTU): the hardware and software responsible for communicating with the field equipment (RTUs, PLCs, and sensors) and passing the data to the HMI software running in the control room. In small installations the master station can be a single PC. In larger systems it can include multiple servers, distributed software, and DR sites.

  • Mean Time Between Failures (MTBF): often used as a metric for the dependability of equipment.

  • Telemetry: is the term for remote monitoring and/or management of a SCADA system. Much of traditional SCADA communication took place over a combination of wired and wireless connections.

  • SCADA usually refers to centralized monitoring and control systems, not the local RTUs or PLCs. SCADA intervenes when an override or supervisory intervention is required. As an example, a PLC may control the flow of cooling water through a process, but the SCADA system is what sends the PLC its parameters for operation, enables alarm conditions such as loss of flow and high temperature, etc. The feedback control loop passes through the RTU or PLC, and the SCADA system monitors the overall performance of the loop.

  • Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to the SCADA system as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian, often built on a commodity Database Management System, to allow trending and other analytical auditing.

  • SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either “hard” or “soft”. A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a “soft” point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-timestamp pairs: a value, and the timestamp when it was recorded or calculated. A series of value-timestamp pairs gives the history of that point. It is also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.

  • SCADA systems, especially in highly critical environments, are equipped with multiple, redundant, and varied communications channels, and are implemented to be able to handle multiple types of environment and weather conditions. An example might be the use of one wireless protocol, a health check for connectivity, and then the automatic enabling of a second wireless medium if the first were to fail.

  • Since 1998 many PLC manufacturers have been bundling HMI and SCADA systems with their offerings.

  • SONET/SDH is often used for large systems such as railways and power stations.

  • SCADA protocols are designed to be quite compact. Many only send data when the master station polls the RTU. Legacy protocols include Modbus RTU, RP-570, Profibus, and Conitel. These each originated with a single vendor but are widely adopted throughout the industry.

  • Standard protocols include IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and DNP3. These are recognized across SCADA vendors as standards. IEC 60870-5-104 is the TCP/IP transport of the -101 application layer, DNP3 has a TCP/IP profile, and IEC 61850 runs over Ethernet. None of them authenticate the master in their base form; authentication was added later by separate specifications (DNP3 Secure Authentication, IEC 62351).

  • Process Control Network (PCN): a large, multi-LAN network used by large SCADA systems for communications

  • Satellite communication is also used for SCADA communications

  • Industrial Processes (Continuous)

  • Industrial Processes (Batch)

  • Industrial Processes (Repetitive)

  • Industrial Processes (Discrete)

  • Industrial Automation (IA)

  • Manufacturing and Control Systems (M&CS) [DEPRECATED]

  • Industrial Automation and Control Systems (IACS) [ISA-99]

  • PID

  • PLC-5

  • PLC

  • Process Control (Refineries)

  • Discrete Control (Automotive)

  • SCADA (Wide Area Control) (Pipelines)

  • Master Terminal Unit (MTU) / Remote Terminal Unit (RTU)

  • Distributed Control System (DCS)
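
The tag database described under the "tags or points" bullet above, as an added example that is not part of the original page: a single-process version with hard points (carrying a path to a field register), soft points (a function over the current values of other tags), value-timestamp history, and an alarm limit stored as tag metadata. The tag names, the plc1:HR4000x register paths and the alarm limit are invented for illustration; real products distribute the database across servers and use their own expression language rather than Python callables.

```python
"""A minimal, single-process SCADA tag database. Added example: tag names,
register paths and alarm limits are invented and come from no real product."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Tag:
    name: str
    # A hard point carries the path to a field register; a soft point carries
    # a function evaluated over the current values of other tags.
    path: Optional[str] = None
    expression: Optional[Callable[[Dict[str, float]], float]] = None
    alarm_high: Optional[float] = None      # alarm metadata stored with the tag
    comment: str = ""                       # design-time comment
    history: List[Tuple[float, int]] = field(default_factory=list)  # (value, timestamp)

    @property
    def value(self) -> Optional[float]:
        return self.history[-1][0] if self.history else None


class TagDatabase:
    def __init__(self) -> None:
        self.tags: Dict[str, Tag] = {}

    def add(self, tag: Tag) -> None:
        self.tags[tag.name] = tag

    def update(self, name: str, value: float, timestamp: int) -> None:
        """Record a field reading for a hard point, then recompute soft points.

        Soft points are never written directly: a write to a computed tag is
        either a configuration error or an attempt to spoof a derived value."""
        tag = self.tags[name]
        if tag.expression is not None:
            raise ValueError(f"{name} is a soft point and cannot be written")
        tag.history.append((value, timestamp))
        self._recompute(timestamp)

    def _recompute(self, timestamp: int) -> None:
        # Soft points are evaluated in insertion order, so define a derived
        # point after the points it depends on.
        env = {n: t.value for n, t in self.tags.items() if t.value is not None}
        for tag in self.tags.values():
            if tag.expression is None:
                continue
            try:
                derived = tag.expression(env)
            except KeyError:
                continue  # a dependency has not been sampled yet
            tag.history.append((derived, timestamp))
            env[tag.name] = derived

    def active_alarms(self) -> List[str]:
        """Tags whose latest value exceeds their configured high limit."""
        return sorted(
            n for n, t in self.tags.items()
            if t.alarm_high is not None and t.value is not None and t.value > t.alarm_high
        )

    def trend(self, name: str) -> List[Tuple[float, int]]:
        """The value-timestamp series a historian or HMI trend would plot."""
        return list(self.tags[name].history)


def build_demo_db() -> TagDatabase:
    """Two hard points from a hypothetical PLC and one soft point derived from them."""
    db = TagDatabase()
    db.add(Tag("flow_in", path="plc1:HR40001", comment="inlet flow meter"))
    db.add(Tag("flow_out", path="plc1:HR40002", comment="outlet flow meter"))
    db.add(Tag("leak", expression=lambda v: v["flow_in"] - v["flow_out"],
               alarm_high=5.0, comment="inlet minus outlet; alarm above 5"))
    return db


def run_demo() -> Tuple[List[Tuple[float, int]], List[str]]:
    db = build_demo_db()
    db.update("flow_in", 100.0, timestamp=1)   # leak cannot be computed yet
    db.update("flow_out", 90.0, timestamp=2)   # leak = 10 -> alarm active
    alarms_at_2 = db.active_alarms()
    db.update("flow_out", 98.0, timestamp=3)   # leak = 2 -> alarm clears
    return db.trend("leak"), alarms_at_2


if __name__ == "__main__":
    print(run_demo())
```

The soft point leak only gets a history entry once both of its inputs have been sampled, and a direct write to it is rejected. That rejection is the check an HMI or API write path needs so that a client cannot push a fabricated derived value past the alarm logic.
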

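Modbus is the simplest of the protocols listed above, and shows what "compact" means in practice. The following is an added example written from the public Modbus application-protocol specification, not code from this page or from any vendor library: it builds and parses Modbus/TCP frames (MBAP header plus PDU) and Modbus RTU serial frames with their CRC-16, for the master-polls-outstation read described above. The transaction id, unit id and register values are constructed. Note what is absent from every frame: there is no field for a credential of any kind, so the is_write helper at the end is the most a passive monitor can derive from the wire.

```python
"""Modbus/TCP and Modbus RTU framing, written from the public Modbus
application-protocol specification. Added example, not from the page or any
vendor library; the ids and register values below are constructed."""
import struct

# Function codes from the Modbus application protocol specification
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
# Public function codes that change coils or registers on the device
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def read_holding_registers_pdu(start: int, count: int) -> bytes:
    """FC 3 request PDU: function code, start address, quantity (big-endian)."""
    return struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)


def write_single_register_pdu(address: int, value: int) -> bytes:
    """FC 6 request PDU: function code, register address, value."""
    return struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)


def mbap_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus/TCP: 7-byte MBAP header (transaction id, protocol id 0, length of
    unit id + PDU, unit id) followed by the PDU. There is no authentication field."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field disagrees with frame length")
    return tid, unit, pdu


def parse_read_registers_response(pdu: bytes) -> list:
    """FC 3 response PDU: function code, byte count, then 16-bit registers.
    A function code with the high bit set is an exception response."""
    if pdu[0] & 0x80:
        raise ValueError(f"exception response, exception code {pdu[1]:#x}")
    if pdu[0] != READ_HOLDING_REGISTERS:
        raise ValueError("not a read holding registers response")
    byte_count = pdu[1]
    if byte_count % 2 or byte_count != len(pdu) - 2:
        raise ValueError("byte count disagrees with PDU length")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(slave_address: int, pdu: bytes) -> bytes:
    """Modbus RTU (serial): slave address + PDU + CRC, CRC low byte first."""
    body = bytes([slave_address]) + pdu
    return body + struct.pack("<H", modbus_crc(body))


def rtu_parse(frame: bytes):
    """Return (slave address, PDU) if the CRC verifies, else None.
    The CRC catches line noise; it does nothing against a deliberate sender."""
    if len(frame) < 4:
        return None
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if modbus_crc(body) != crc:
        return None
    return body[0], body[1:]


def is_write(pdu: bytes) -> bool:
    """What a passive monitor can check: the function code says whether the
    request changes state, but nothing in the frame says who is allowed to."""
    return pdu[0] in WRITE_FUNCTION_CODES


# Constructed exchange: the master polls ten holding registers from unit 1,
# and the outstation answers with ten constructed values.
POLL = mbap_frame(transaction_id=1, unit_id=1,
                  pdu=read_holding_registers_pdu(start=0, count=10))
RESPONSE = mbap_frame(1, 1, bytes([READ_HOLDING_REGISTERS, 20])
                      + struct.pack(">10H", *range(100, 110)))

if __name__ == "__main__":
    print("poll     ", POLL.hex())
    _, _, pdu = parse_mbap(RESPONSE)
    print("registers", parse_read_registers_response(pdu))
    print("rtu poll ", rtu_frame(1, read_holding_registers_pdu(0, 10)).hex())
    print("write?   ", is_write(write_single_register_pdu(40, 500)))
```

The whole poll is twelve bytes on TCP and eight on a serial line, which is why these protocols fit on leased lines and low-rate radio. It also means that anything that can reach TCP port 502 or the serial bus can issue the FC 6 write the last line constructs; the parse functions reject malformed frames, but a well-formed write from the wrong host looks identical to one from the master.
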
SCADA Evolutions

SCADA architectures have gone through a number of generations:

  1. Monolithic: computing was done by large minicomputers, communication protocols were proprietary, and redundancy was achieved with a back-up mainframe system

  2. Distributed: command processing distributed across multiple systems connected through a LAN, information shared in realtime, stations can be specialized which can save money, communication protocols still not standardized, security usually overlooked

  3. Networked: systems can be spread over more than one LAN network called a Process Control Network (PCN) that is separated geographically

  4. Internet of Things: uses cloud technologies and reports state in near real time. The horizontal scale of the cloud allows more complex algorithms than older PLCs could handle, and TLS can be used to protect the transport. Data modeling borrowed from object-oriented programming lets data stay decentralized rather than all flowing back to one central location for display on a single HMI; virtual representations of the devices, including metadata about them, are constructed in the SCADA software

Security

  • SCADA systems have relied on security through obscurity for decades: proprietary protocols, serial links, and physical isolation stood in for real access control, and the protocols listed in this primer were designed without it. Modbus has no authentication at all, and DNP3 and IEC 60870-5-104 only gained it through later additions (DNP3 Secure Authentication, IEC 62351), so unless the device itself filters by source address, a PLC that accepts Modbus writes from the master accepts them from any host that can reach it. Security experts fear what will happen as these systems are exposed to larger, more conventional networks such as the Internet and the Internet of Things

Security incidents

  • Ukraine, December 2015: spear-phishing delivered BlackEnergy malware into the IT networks of Ukrainian distribution utilities; the attackers, attributed to Russia, then used the operators’ own HMI sessions to open breakers and cut power to roughly 225,000 customers

  • Stuxnet (discovered 2010): malware that targeted the Siemens Step 7/WinCC environment and the S7 PLCs controlling uranium-enrichment centrifuges at Natanz, Iran, modifying the PLC logic while replaying normal readings to the operators

  • Maroochy Shire, Queensland, Australia (2000): an insider who had worked on the sewage control system used a radio and control equipment he had taken to issue commands to pumping stations, releasing raw sewage into local waterways

Process Automation Protocols

  • AS-i – Actuator-sensor interface, a low level 2-wire bus establishing power and communications to basic digital and analog devices

  • BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.

  • CC-Link Industrial Networks – Supported by the CLPA

  • CIP (Common Industrial Protocol) – can be treated as application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP

  • Controller Area Network utilised in many network implementations, including CANopen and DeviceNet

  • ControlNet – an implementation of CIP, originally by Allen-Bradley

  • DeviceNet – an implementation of CIP, originally by Allen-Bradley

  • DF-1 – used by Allen-Bradley PLC-5, SLC-500, and MicroLogix class devices

  • DirectNet – Koyo / AutomationDirect proprietary, yet documented, PLC interface

  • EtherCAT

  • Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)

  • EtherNet/IP – IP stands for “Industrial Protocol”. An implementation of CIP, originally created by Rockwell Automation

  • Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG).

  • FINS, Omron’s protocol for communication over several networks, including ethernet.

  • FOUNDATION fieldbus – H1 & HSE

  • HART Protocol

  • HostLink Protocol, Omron’s protocol for communication over serial links.

  • Interbus, Phoenix Contact’s protocol for communication over serial links, now part of PROFINET IO

  • MACRO Fieldbus – “Motion and Control Ring Optical” developed by Delta Tau Data Systems.

  • MECHATROLINK – open protocol originally developed by Yaskawa, supported by the MMA

  • MelsecNet, supported by Mitsubishi Electric.

  • Modbus PEMEX

  • Modbus Plus

  • Modbus RTU or ASCII or TCP

  • OSGP – The Open Smart Grid Protocol, a widely used protocol for smart grid devices built on ISO/IEC 14908.1

  • Optomux – Serial (RS-422/485) network protocol originally developed by Opto 22 in 1982. The protocol was openly documented and over time used for industrial automation applications.

  • PieP – An Open Fieldbus Protocol

  • Profibus – by PROFIBUS International.

  • PROFINET IO

  • RAPIEnet – Real-time Automation Protocols for Industrial Ethernet

  • Honeywell SDS – Smart Distributed System – Originally developed by Honeywell. Currently supported by Holjeron.

  • SERCOS III, Ethernet-based version of SERCOS real-time interface standard

  • SERCOS interface, Open Protocol for hard real-time control of motion and I/O

  • SSCNET, Servo System Controller Network by Mitsubishi Electric for control of motion and I/O

  • GE SRTP – GE Fanuc PLCs

  • Sinec H1 – Siemens

  • SynqNet – Danaher

  • TTEthernet – TTTech

  • MPI – Multi Point Interface

ICS Protocols

  • MTConnect

  • OPC

  • OPC UA

  • Woopsa

Building Automation Protocols

  • Smart-BUS (SBUS)

  • ELAN-Net – Main Protocol for Elan Home Automation System

  • 1-Wire – from Dallas/Maxim

  • BACnet – for building automation, designed by committee ASHRAE.

  • C-Bus Clipsal Integrated Systems Main Proprietary Protocol

  • CC-Link Industrial Networks, supported by Mitsubishi Electric

  • DALI

  • DSI

  • EnOcean – Low power wireless protocol for energy-harvesting and very low power devices.

  • KNX – World standard for building control. Previously EIB/EHS/BATIBus

  • LonTalk – protocol for LonWorks technology by Echelon Corporation

  • Modbus RTU or ASCII or TCP

  • oBIX

  • HDL-Bus- main protocol for HDL home automation system.

  • TIS-BUS main protocol for Texas Intelligent Systems Home and Hotel Automation and GRMS system.

  • VSCP

  • xAP – Open protocol

  • X10 – Open industry standard

  • Z-Wave – Wireless RF Protocol

  • ZigBee – Open protocol for Mesh Networks

  • Dynet – Philips Dynalite Proprietary Protocol

  • UPB – Universal Powerline Bus, a power-line communication protocol from Powerline Control Systems (PCS)

  • INSTEON – SmartLabs’ two-way home automation protocol that uses both power-line and RF signalling

Power system automation protocols

  • IEC 60870-5-101 – telecontrol over serial links

  • IEC 60870-5-104 – the IEC 60870-5-101 application layer carried over TCP/IP

  • IEC 61850 – substation automation over Ethernet

  • DNP3 – Distributed Network Protocol, used over serial links and TCP/IP, mainly in North American utilities

Automatic meter reading protocols

  • ANSI C12.18

  • DLMS/IEC 62056

  • IEC 61107

  • M-Bus

  • ZigBee Smart Energy 2.0

  • Modbus

  • ANSI C12.21

  • ANSI C12.22

Automotive Protocols

  • Controller Area Network (CAN) – an inexpensive low-speed serial bus for interconnecting automotive components

  • DC-BUS – automotive power-line communication multiplexed network

  • FlexRay – a general purpose high-speed protocol with safety-critical features

  • IDB-1394

  • IEBus

  • J1708 – RS-485 based SAE specification used in commercial vehicles, agriculture, and heavy equipment.

  • J1939 and ISO11783 – an adaptation of CAN for agricultural and commercial vehicles

  • Keyword Protocol 2000 (KWP2000) – a protocol for automotive diagnostic devices (runs either on a serial line or over CAN)

  • Local Interconnect Network (LIN) – a very low cost in-vehicle sub-network

  • Media Oriented Systems Transport (MOST) – a high-speed multimedia interface

  • SMARTwireX

  • Vehicle Area Network (VAN)

Notes

  1. Some of these sections are copied and rewritten from other sources, such as Wikipedia and other open, free guides. It’s not necessarily just raw copy and paste, but usually involves some cleanup, summarization, and/or elaboration.

  2. Source: https://www.tofinosecurity.com/blog/scada-security-basics-scada-vs-ics-terminology

  3. Source: https://en.wikipedia.org/wiki/SCADA