Professional Documents
Culture Documents
Introduction To SCADA Systems
Introduction To SCADA Systems
DATA
Communication
Methods
Directly wired
Power line carrier
Microwave
Radio (spread spectrum)
Fiber optic
Control Center
Provides network status,
enables remote control,
optimizes system
performance, facilitates
emergency operations,
dispatching repair crews and
coordination with other
utilities.
Control Strategy
Control Center
Key Priorities:
1. Safety
2. Protect equipment from damage
3. Reliability
4. Economics
Control Areas
Reliability Overview
Balance generation and demand
Balance reactive power supply and demand
Monitor flows and observe thermal limits
Observe power and voltage stability limits
Operate for unplanned contingencies
Plan, design and maintain a reliable system
Prepare for emergencies
Reliably operate the system you have!
SCADA Functions
Supervisory Control
Data Acquisition
Real Time Database
Graphical Operator Interface
Alarm Processing
Data Historian/Strip Chart Trending
Mapboard Interface
Communications
Analysis
State Estimation/Contingency Analysis
Economic Dispatch
Short Term Load Forecasting
One-Line Diagram
Alarm Processor
Frequency Control
Frequency Control
Actual
Frequency
Scheduled
Frequency
Actual Net
Interchange
Scheduled Net
Interchange
Frequency
Bias
Area Control
Error (ACE)
Frequency Regulation
64
60.05
Governor Response
Equipment Damage
63
60.04
60.03
62
Time Correction
Frequency
61
Governor Response
60
59
Nominal Frequency
58
Contingency Response
Normal Frequency
Deviation and AGC
Corrective Action
Range
Time Correction
Normal Conditions
57
60.01
60.00
59.99
59.98
59.97
59.96
Equipment Damage
56
60.02
Governor Response
59.95
Frequency
Main
Application
Processing
Central
Processing
LAN
Secondary
Server
Inter-site
Gateway
Telemetry
Server 1
Telemetry
Server n
Telemetry
LAN
RTU Comm
Server
Independent
Control
Center A
Leased
Lines
Independent
Control
Center B
RTU Comm
Server
Serial
Links
Modem Bridge
Bridge Modem
Modem
Modem
Modem
Bridge
Modem
RTU
RTU
RTU
x
xx
Redundant
Paths
RTU
RTU
RTU
y
yy
IED
PLC
IED
RTU
RTU
RTU
z
zz
Phone Line
Radio
Fiber Optic
SCADA Trends
Open Protocols
Open industry standard protocols are replacing
vendor-specific proprietary communication protocols
Market Systems
Interconnection into market systems is relatively
new
Some disagree this should be done
Few agree on how it should be done securely
ANSI X3.28
BBC 7200
CDC Types 1 and 2
Conitel
2020/2000/3000
DCP 1
DNP 3.0
Gedac 7020
IBM 3707
Landis & Gyr 8979
Pert
PG&E
QEI Micro II
Redac 70H
Rockwell
SES 91
Tejas 3 and 5
TRW 9550
Vancomm
Protocol Background
International Standards Organization Open System Interconnection Reference Model
ISO OSI Reference Model (protocol stack)
7 Application
Presentation
Data representation
Session
Transport
Network
Data Link
Physical
Device #1
Device #2
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
Physical
REPEATER
BRIDGE
ROUTER
Data Link
Physical
3 Application
Data Link
Physical
BLOCK 1
USER CRC
DATA
BLOCK n
...
USER CRC
DATA
BODY
START
LENGTH
CONTROL
DESTINATION
SOURCE
CRC
USER DATA
Each block following the header has 16 octets of User defined data
FIN FIR
FIN
USER DATA
1 to 249 OCTETS IN LENGTH
SEQUENCE
FIR
SEQUENCE Number between 0 and 63 to ensure frames are being received in sequence
Roosevelt Dam
As reported by the Washington
Post June 27, 2002:
Bureau of Reclamation facility
in Arizona
SCADA system controlling
dam floodgates accessed by a
12-year old hacker in 1998
Hacker had complete
command of the SCADA
system controlling the dams
massive floodgates
Motivation: exploring on a
lark
Queensland, Australia
April 23, 2000: Vitek Boden, 48, caught with stolen
computer, radio transmitter. During his 46th successful
intrusion.
Until then, utility managers didnt know why the system
was leaking hundreds of thousands of gallons of sewage
into parks, rivers, and the Hyatt Regency hotel grounds.
Attack method: software on his laptop identified itself as
pumping station 4. He then suppressed alarms, and
became the central control system with unlimited
command of 300 SCADA nodes.
Disgruntled former employee convicted and sentenced
to two years in prison.
Bellingham, Washington
June 10, 1999: 237,000 gallons of gasoline leak from 16
pipeline, ignited 1.5 hours later. Three deaths, 8 injuries,
extensive property damage.
Immediately prior to and during the incident, the SCADA
system exhibited poor performance that inhibited the
pipeline controllers from seeing and reacting to the
development of an abnormal pipeline operation.
Warning issued to other pipeline
operators by the Office of Pipeline
Safety July 1999
NTSB report issued October 2002
Key recommendation:
Utilize an off-line development system
for implementing and testing changes
to the SCADA database
Location
Load Interrupted
November 9, 1965
Northeast
20,000 MW
New York
6,000 MW
West Coast
California
7,500 MW
Wyoming, Idaho
9,336 MW
July 2, 1996
Wyoming, Idaho
11,743 MW
Western Interconnection
30,489 MW
Midwest
Northeast
12,350 MW
950 MW
61,800 MW
Investigation Process
Joint U.S. - Canada Power System Outage Task Force
Electric System Working Group
Investigate the
cascading electrical
failure.
Review performance
of plants and assess
possibility of damage.
Determine if failures
were caused with
malicious intent.
Phase I
Investigate the outage to determine
its causes and why it was not contained
Interim report released 11/19/03
Phase II
Develop recommendations to reduce
the possibility of future outages and
minimize the scope of any that occur
Final report released 4/5/04
Report available at:
http://electricity.doe.gov (Blackout link)
Steering Group
Investigation
Team Lead
Project Planning and
Support
MAAC/ECAR/NPCC
Coordinating Group
Sequence of Events
Restoration
Operations - Tools,
SCADA/EMS
Communications Op
Planning
Frequency/ACE
System Planning,
Design, & Studies
MAAC
ECAR
NPCC
MEN Study
Group
Investigation
Process Review
Vegetation/ROW
Management
Transmission System
Performance,
Protection, Control
Maintenance & Damage
Generator Performance,
Protection, Controls
Maintenance & Damage
Substation instrumentation
Digital fault recorders, digital protective relays,
synchronized phasor measurement units
Some instrument clocks were not
synchronized to an established time standard
Data format issues
Established at NERC
Dedicated server on a segmented network
Accessible by all members of the blackout investigation team
VPN access enabled for off-site members of the investigation team
Vulnerability Assessment
Background
DOE Program Initiated in 1997
Voluntary Assessments
Energy Infrastructures
Post-September 11 Activities
Top 50 Energy Assets Identified
(subsequently grew to 100+ assets)
Quick assessment surveys initiated
on priority ranking, encompassing
a range of assessment options
Electric power
Oil
Outreach Activities
Natural Gas
Structured adversaries
Terrorists, hactivists
Organized crime
Foreign nations
Insiders
Witting
Unwitting
Half-witting
Anecdotes
2003 CSI/FBI Computer Crime and Security
Survey
Overall financial losses from 530 survey respondents totaled
$201,797,340. This is down significantly from 503 respondents
reporting $455,848,000 last year. (75 percent of organizations
acknowledged financial loss, though only 47% could quantify
them.)
The overall number of significant incidents remained roughly
the same as last year, despite the drop in financial losses.
Losses reported for financial fraud were drastically lower, at
$9,171,400. This compares to nearly $116 million reported last
year.
As in prior years, theft of proprietary information caused the
greatest financial loss ($70,195,900 was lost, with the average
reported loss being approximately $2.7 million).
In a shift from previous years, the second-most expensive
computer crime among survey respondents was denial of
service, with a cost of $65,643,300--up 250 percent from last
year's losses of $18,370,500.
Anecdotes (Contd)
Carnegie-Mellon CERT
120000
Incidents
100000
80000
60000
40000
20000
03
20
02
20
01
20
00
20
99
19
98
97
19
96
19
95
19
94
19
93
19
92
19
91
19
90
19
89
19
19
19
88
0
*Q1-Q3
Vulnerability Concerns
Confidentiality
Protecting information from unauthorized access
Important for deregulation, competitive
intelligence
Integrity
Assuring valid data and control actions
Most critical for real-time control applications
Availability
Continuity of operations
Important for real-time control applications
Historically addressed with redundancy
Vulnerable Points
SCADA
IED
Modem
Remote Access
Remote Control
Network
Interface
IED
Local Control
Remote Access
Substation
Controller
LAN 1
Network
Interface
Modem
Router to WAN
Remote Monitoring
Remote Access
Sources of Vulnerabilities
Exploits at the application, platform, or network level
Remote trusted access by
Other enterprise elements (e.g., front office, support
functions, etc.)
Vendors, customers, business partners
Security coordinators, neighboring control areas, etc.
Vulnerability Trends
Much more interconnectivity
Internal and external networks merging
Functional, organization interconnection
Increased standardization
Open protocols, common operating systems and platforms
Industry in transition
Deregulation, mergers, new systems and procedures
Driven to do more with less
Small organizations
Organizations experiencing major culture or mission changes
Restoration
Time
Grid Collapse
---No Physical Damage
Hours
No Physical Damage
-----No Blackout
Minutes
Low
High
Unfair profiting
Erosion of investor confidence
Disruption of capital investments
Inadequate supply and bottlenecks within the power
grid
Microwave
Channel
Modem
SCADA Master
Substation
RTU
TEST
SET
Connected to Network
as Node 10
Modem
Intruder
Spare
Node
2
Node
3
PLC
Node
10
Spare
Node
4
PLC
Node
5
Power Power
Meter Meter
Node
6
Protective Relay
Node
7
Protective Relay
Operator Interface
Field Device
Scenarios
Denial of service
Operator spoofing
Direct manipulation
of field devices
Combinations of above
Protocol Analyzer
(Intruder)
Repeating easily
decipherable format
Captured by the
ASE Protocol Analyzer
Countermeasures to enhance
security of SCADA systems
Jeff Dagle, PE
Pacific Northwest National Laboratory
Grainger Lecture Series for the
University of Illinois at Urbana-Champaign
September 15, 2005
Presidential Homeland
Security Documents
National Strategy for
Homeland Security
July 2002
Lead Agency
Agriculture, Food
Department of Agriculture
Water
Public Health
Environmental Protection
Agency
Health and Human Services
Energy
Department of Energy
Department of Treasury
Department of Interior
Department of Defense
National Infrastructure
Protection Plan
Information
Technology
Multi-State
Public Transit
Research and
Education Network
Surface Transportation
Telecommunications
Water
http://www.esisac.com
Operations
Policy
ESISAC
Subcommittee
Security Planning
Subcommittee
Outreach WG
Reporting Technologies WG
Indications, Analysis, Warnings WG
Grid Monitoring System TF
IDS Pilot TF
Mitigation Strategies
Security through obscurity
Poor defense against structured adversary
Isolated network
Unrealistic given todays business demands
Communication encryption
Concerns over latency, reliability, interoperability
Vendors waiting for customer demand
Signal authentication
May provide good defense without the concerns
associated with full signal encryption
Other Issues
Early detection is critical
Infrastructure Analysis
System-Level Security
Fault-tolerant architecture
Defense in depth security strategy
Inherent redundancy, resiliency
Cyber Security
Risk Management