

(Affiliated to G.G.S.I.P. University, Delhi)

245, Budhpur Village, G.T. Karnal Road, Delhi-110036.


Submitted in partial fulfillment for the award of degree of

Bachelor of Technology


Mechanical and Automation Engineering


0871313608, 5th Semester


D-94, Sector-63, Noida, U.P.-201301


I am thankful to the institute "DIAC" for providing the necessary facilities to carry out
my training successfully.

It is my duty to record my sincere thanks and gratitude towards the institute staff
who helped me in bringing this project to its present form. The valuable
guidance and interest taken by them have been a motivator and source of
inspiration for me to carry out the necessary proceedings for the project to be
completed successfully.

Also, I am highly obliged to the head of our training and placement cell,
"Mr. Welfred Peters", who provided me such a great opportunity to do my
summer training in a reputed institute like "Dynamic Institute of Automation and Control".

•PLC Operation
•PLC Programming
•Ladder Logic
•Counters & Timers
•PLC application example
•System Concepts
•Human Machine Interface
•Remote Terminal Unit
•Security Issues
An industrial PLC and SCADA system is used for the development of automatic control of machinery.
PLC and SCADA systems are methods to achieve automation. The automation industry has high growth potential
in a country like India, which has a large industrial base.
This report focuses on the basic concepts of PLC and SCADA systems and their development, and also mentions
possible applications of these systems.
Almost every industry that has some electrical machinery may need automation services.
Attention is also paid to the security issues which have arisen with time.

Automation is the use of control systems such as computers to control industrial machinery and processes,
reducing the need for human intervention. In the scope of industrialization, automation is a step beyond
mechanization. Whereas mechanization provided human operators with machinery to assist them with the
physical requirements of work, automation greatly reduces the need for human sensory and mental effort
as well. Processes and systems can also be automated.

Impacts of automation
● It increases productivity and reduces cost.
● It puts emphasis on flexibility and convertibility in the manufacturing process. Manufacturers are
increasingly demanding the ability to switch easily from manufacturing product A to manufacturing product B
without having to completely rebuild the production lines.
● Automation is often applied primarily to increase quality in the manufacturing process, where it
can raise quality substantially.
● Automation reduces power consumption and reduces manpower requirements.
● Automation improves production quality.
● Automation provides safer working conditions.
Programmable Logic Controller (PLC)
A Programmable Logic Controller (PLC) is an industrial computer control system that continuously
monitors the state of input devices and makes decisions based upon a custom program to control the state
of output devices.
Almost any production line, machine function, or process can be greatly enhanced using this type of control
system. However, the biggest benefit of using a PLC is the ability to change and replicate the operation or
process while collecting and communicating vital information.
Another advantage of a PLC system is that it is modular. That is, you can mix and match the types of input
and output devices to best suit your application.

History of PLCs
● The first Programmable Logic Controllers were designed and developed by Modicon as a relay replacer
for GM and Landis.
● These controllers eliminated the need for rewiring and adding additional hardware for each new
configuration of logic.
● The new system drastically increased the functionality of the controls while reducing the cabinet
space that housed the logic.
● The first PLC, model 084, was invented by Dick Morley in 1969.
● The first commercial successful PLC, the 184, was introduced in 1973 and was designed by Michael

Advantages of PLCs
PLCs are not only capable of performing the same tasks as hard-wired control, but are also capable of many
more complex applications. In addition, the PLC program and electronic communication lines replace much
of the interconnecting wiring required by hard-wired control. Therefore, hard-wiring, though still required to
connect field devices, is less intensive. This also makes correcting errors and modifying the application
Some of the additional advantages of PLCs are as follows:

● Smaller physical size than hard-wired solutions.

● Easier and faster to make changes.
● PLCs have integrated diagnostics and override functions.
● Diagnostics are centrally available.
● Applications can be immediately documented.
● Applications can be duplicated faster and less expensively.
Inside A PLC

The Central Processing Unit (CPU) contains an internal program that tells the PLC how to perform the
following functions:
· Execute the control instructions contained in the user's program. This program is stored in "non-volatile"
memory, meaning that the program will not be lost if power is removed.
· Communicate with other devices, which can include I/O devices, programming devices, networks, and
even other PLCs.
· Perform housekeeping activities such as communications, internal diagnostics, etc.

The microprocessor or processor module is the brain of a PLC system. It consists of the microprocessor,
memory integrated circuits, and the circuits necessary to store and retrieve information from memory. It also
includes communications ports to other peripherals, other PLCs or programming terminals. Today's
processors vary widely in their capabilities to control real-world devices. Some control as few as 6 inputs
and outputs (I/O) and others 40,000 or more. One processor can control more than one process or
manufacturing line. Processors are often linked together in order to provide continuity throughout the
process. The number of inputs and outputs a PLC can control is limited by the overall capacity of the PLC
system hardware and its memory capabilities. The job of the processor is to monitor the status or state of input
devices, scan and solve the logic of the user program, and control the on or off state of output devices.

RAM or Random Access Memory is a volatile memory that would lose its information if power were
removed. This is why some processor units incorporate a battery back-up. The type of RAM normally used is
CMOS or Complementary Metal Oxide Semiconductor. CMOS RAM is used for storage of the user's program
(ladder logic diagrams) and storage memory.

ROM or Read Only Memory is a non-volatile type of memory. This means you don't need an external power
source to keep the information. In this type of memory, information can be read, but not changed. For this
reason the manufacturer sometimes calls this firmware. It is placed there for the internal use and operation
of the processor unit.

EEPROM or Electrically Erasable Programmable Read Only Memory is usually an add-on memory module
that is used to back up the main program held in the CMOS RAM of the processor. In many cases, the processor can
be programmed to load the EEPROM's program into RAM if the RAM contents are lost or corrupted.
Input Module

There are many types of input modules to choose from. The type of input module used is dependent upon
what real world input to the PLC is desired. Some examples of inputs are limit switches, electric eyes, and
pushbuttons. DC inputs, such as thumbwheel switches, can be used to enter integer values to be
manipulated by the PLC. DC input cards are used for this application. Since most industrial power systems
are inherently noisy, electrical isolation is provided between the input and the processor. Electromagnetic
interference (EMI) and Radio Frequency Interference (RFI) can cause severe problems in most solid state
control systems. The component used most often to provide electrical isolation within I/O cards is called an
optical isolator or optocoupler. The wiring of an input is not complex. The object is to get a voltage at a
particular point on the card. Typically there are 8 to 32 input points on any one input module. Each point
will be assigned a unique address by the processor. Analog input modules are special input cards that use
analog to digital conversion (A to D) to sense variables such as temperature, speed, pressure, and position.
The external device is normally connected to a transducer producing an electrical signal that the
analog input card can interpret. This signal is usually a 4 to 20 mA current or a 0 to 10 volt signal.

Output Module

Output modules can be used for AC or DC devices such as solenoids, relays, contactors, pilot lamps, and
LED readouts. Output cards usually have from 6 to 32 output points on a single module. The output device
within the card provides the connection from the user power supply to the load. Usually silicon controlled
rectifiers (SCRs), triacs, or dry contact relays are used for this purpose. Individual outputs are most often rated
at 2 to 3 amperes. Output cards, like input cards, have electrical isolation between the load being connected
and the PLC. Analog output cards are a special type of output module that uses digital to analog conversion
(D to A). The analog output module can take a value stored in a 12-bit register and convert it to an analog signal.
Normally this signal is 0 to 10 volts DC or 4 to 20 mA. This analog signal is often used in equipment such as
motor-operated valves and pneumatic position control devices.

There are four basic steps in the operation of all PLCs, which continually take place in a repeating loop:
• Input Scan
• Program Scan
• Output Scan
• Housekeeping

• Input Scan: detects the state of all input devices that are connected to the PLC.
• Program Scan: executes the user-created program logic.
• Output Scan: energizes or de-energizes all output devices that are connected to the PLC.
• Housekeeping: this step includes communications with programming terminals and internal diagnostics.

CHECK INPUT STATUS : First the PLC looks at each input to determine if it is on or off. In other words, is the sensor
connected to the first input on? Then the second input? Then the third, and so on. It records this data into its memory to
be used during the next step.
EXECUTE PROGRAM : Next the PLC executes your program one instruction at a time. Maybe the program says that if
the first input was on then it should turn on the first output. Since it already knows which inputs are on/off from the
previous step it will be able to decide whether the first output should be turned on based on the state of the first
input. It will store the execution results for use later during the next step.

UPDATE OUTPUT STATUS : Finally the PLC updates the status of the outputs. It updates the outputs based on which
inputs were on during the first step and the results of executing your program during the second step. Based on the
example in step 2 it would now turn on the first output because the first input was on and your program said to turn
on the first output when this condition is true.
After the third step the PLC goes back to step one and repeats the steps continuously. One scan time is
defined as the time it takes to execute the 3 steps listed above.
There are several methods to communicate between a PLC and a programmer, or even between two PLCs.
Communications between a PLC and a programmer (PC or hand-held) are provided by the makers and you
only have to plug a cable from your PC into the programming port on the PLC. This communication can be
RS-232, RS-485 or TTY. Communications between two PLCs can be carried out by dedicated links
supplied/programmed by the makers (RS-232 etc.) or via outputs from one PLC wired to the inputs of another PLC.
This direct link method of communication can be as simple as: if an output on the first PLC is on, then the
corresponding input on the second PLC will be on, and this input is then used within the program on the
second PLC.
If a whole word of inputs/outputs (16 bits) is used, then numerical data can be transferred from one PLC to the
other (refer back to the section on numbering systems).
There are many other methods of communication between PLCs and also from PLC to PC. Refer to the
manuals supplied with the PLC that you are using for full details on communications.

Various languages are used for programming PLCs:

Ladder diagram (LD)

Ladder diagram is a graphic programming language derived from the circuit diagram of directly wired relay
controls. The ladder diagram contains contact rails to the left and the right of the diagram; these contact
rails are connected to switching elements (normally open / normally closed contacts) via current paths and
coil elements.

Function block diagram (FBD)

In the function block diagram, the functions and function blocks are represented graphically and
interconnected into networks. The function block diagram originates from the logic diagram for the design
of electronic circuits.

Sequential function chart (SFC)

The sequential function chart is a language resource for the structuring of sequence-oriented control
programs. The elements of the sequential function chart are steps, transitions, alternative and parallel
branching. Each step represents a processing status of a control program, which is active or inactive. A step
consists of actions which, identical to the transitions, are formulated in the IEC 1131-3 languages. Actions
themselves can again contain sequence structures. This feature permits the hierarchical structure of a
control program. The sequential function chart is therefore an excellent tool for the design and structuring
of control programs.
Instruction list (IL)
Instruction list (also called statement list) is a textual assembler-type language characterised by a simple machine model (a processor
with only one register). An instruction list is formulated from control instructions consisting of an operator and
an operand.

LD Part_TypeA
OR Part_TypeB
AND Part_present
AND Drill_ok
ST Sleeve_in

With regard to language philosophy, the ladder diagram, the function block diagram and instruction list
have been defined in the way they are used in today’s PLC technology. They are however limited to basic
functions as far as their elements are concerned. This separates them
essentially from the company dialects used today. The competitiveness of these languages is maintained
due to the use of functions and function blocks.

Structured text (ST)

Structured text is a high-level language based on Pascal, which consists of expressions and instructions.
Instructions can be broadly classified as: selection instructions such as IF...THEN...ELSE etc., repetition
instructions such as FOR, WHILE etc., and function block invocations.

Sleeve_in := (Part_TypeA OR Part_TypeB) AND Part_present AND Drill_ok;

Structured text enables the formulation of numerous applications beyond pure function technology, such
as algorithmic problems (higher-order control algorithms etc.) and data handling (data analysis, processing of
complex data structures etc.).

Ladder Logic, or the Ladder Diagram, is the most common programming language used to program a PLC.

Ladder logic was one of the first programming approaches used in PLCs because it borrowed heavily from
the relay diagrams that plant electricians already knew.

The symbols used in Relay Ladder Logic consist of a power rail to the left, a second power rail to the right,
and individual circuits that connect the left power rail to the right. The logic of each circuit (or rung) is
solved from left to right. These diagrams look like a ladder, with two side rails and circuits
that resemble the rungs of a ladder.

The picture above has a single circuit or "rung" of ladder.

• If Input1 is ON (or true), power (logic) completes the circuit from the left rail to the right rail, and
Output1 turns ON (or true).
• If Input1 is OFF (or false), then the circuit is not completed and logic does not flow to the right, and
Output1 is OFF.

There are many logic symbols available in Ladder Logic - including Timers, Counters, Math, and Data Moves
- such that any logical condition or control loop can be represented in Ladder Logic. With just a handful of
basic symbols - a Normally Open Contact, Normally Closed Contact, Normally Open Coil, Normally Closed
Coil, Timer, Counter - most logical conditions can be represented.
With just the Normally Open Contact and Normally Open Coil - a surprising array of basic logical conditions
can be represented.

Normally Open Contact. This can be used to represent any input to the control logic: a switch or
sensor, a contact from an output, or an internal output.
When "solved", the referenced input is examined for an ON (logical 1) condition. If it is ON, the contact will
close and allow power (logic) to flow from left to right. If the status is OFF (logical 0), the contact is open and
power (logic) will NOT flow from left to right.

Normally Open Coil. This can be used to represent any discrete output from the control logic.
When "solved", if the logic to the left of the coil is TRUE, the referenced output is ON (logical 1).

Solving a Single Rung

Suppose a switch is wired to Input1, and a light bulb is wired through Output1 in such a way that the light is
OFF when Output1 is OFF, and ON when Output1 is ON.

When Input1 is OFF (logical 0) the contact remains open and power cannot flow from left to right.
Therefore, Output1 remains OFF (logical 0).

When Input1 is ON (logical 1) then the contact closes, power flows from left to right, and Output1 becomes
ON (the light turns ON).
The AND Rung
The AND is a basic fundamental logic condition that is easy to directly represent in Ladder Logic.

Suppose a switch is wired to Switch1, a second switch is wired to Switch2, and a light bulb is wired through
Light1 in such a way that the light is OFF when Light1 is OFF, and ON when Light1 is ON.

In order for Light1 to turn ON, Switch1 must be ON, AND Switch2 must be ON.

If Switch1 is OFF, power (logic) flows from the left rail but stops at Switch1. Light1 will be OFF regardless of
the state of Switch2.

If Switch1 is ON, power makes it to Switch2. If Switch2 is OFF, power cannot flow any further to the right,
and Light1 is OFF.

If Switch1 is ON, AND Switch2 is ON - power flows to Light1 solving its state to ON.
The OR Rung
The OR is a logical condition that is easy to represent in Ladder Logic.

Suppose a switch is wired to Switch1, a second switch is wired to Switch2, and a light bulb is wired through
Light1 in such a way that the light is OFF when Light1 is OFF, and ON when Light1 is ON. In this instance, we
want the light to turn ON if either Switch1 OR Switch2 is ON.

If Switch1 is ON - power flows to Light1 turning it ON.

If Switch2 is ON - power flows through the Switch2 contact, and up the rail to Light1 - turning it ON.

If Switch1 AND Switch2 are ON, Light1 is ON.

The only way Light1 is OFF is if Switch1 AND Switch2 are OFF.

Another set of basic contacts and coils that can be used in Ladder Logic are the Normally Closed Contact
and the Normally Closed Coil. These work just like their normally open counterparts, only in the opposite sense.

Normally Closed Contact. When "solved", the referenced input is examined for an OFF condition. If the status is OFF (logical 0),
power (logic) will flow from left to right. If the status is ON, power will not flow.

Normally Closed Coil. When "solved", if the logic to the left of the coil is a logical 0, power will be turned on to the device. If it is a logical 1, power will
be OFF.

Many times we will want to take action in a control program based on more than the states of discrete
inputs and outputs. Sometimes, we will want to turn something on after a delay, or count the number of
times a switch is hit. To do these simple tasks, we will need Timers & Counters.

Simple Timers (TIM)

A timer is simply a control block that takes an input and changes an output based on time. There are two
basic timer types we will deal with initially (there are other advanced timers, but we will start with the
basics first) - On-Delay Timer and the Off-Delay Timer.

On-Delay Timer - this timer takes an input, waits a specific amount of time, then turns ON an output (or
allows logic to flow after the delay).
Off-Delay Timer - this timer turns ON an output (or allows logic to flow) and keeps that output ON
until the set amount of time has passed, then turns it OFF (hence off-delay).

Simple Counter (CNT)

A counter simply counts the number of events that occur on an input. There are two basic types of counters
- Up counter and a Down counter.

Up Counter - as its name implies, whenever a triggering event occurs, an up counter increments the
Down Counter - whenever a triggering event occurs, a down counter decrements the counter.

First consider a hardwired approach.

The following line diagram illustrates how a normally open and a normally closed pushbutton might be
connected to control a three-phase AC motor. In this example, a motor starter coil (M) is wired in series
with a normally open, momentary Start pushbutton, a normally closed, momentary Stop pushbutton, and
normally closed overload relay (OL) contacts.

Momentarily pressing the Start pushbutton completes the path for current flow and energizes the motor
starter (M). This closes the associated M and Ma (auxiliary contact located in the motor starter) contacts.
When the Start button is released, current continues to flow through the Stop button and the Ma contact,
and the M coil remains energized.
The motor will run until the normally closed Stop button is pressed, unless the overload relay (OL) contacts
open. When the Stop button is pressed, the path for current flow is interrupted, opening the associated
M and Ma contacts, and the motor stops.
Now consider the PLC approach:

This motor control application can also be accomplished with a PLC. In the following example, a normally
open Start pushbutton is wired to the first input (I0.0), a normally closed Stop pushbutton is wired to the
second input (I0.1), and normally closed overload relay contacts (part of the motor starter) are connected
to the third input (I0.2). These inputs are used to control normally open contacts in a line of ladder logic
programmed into the PLC.

Initially, the I0.1 status bit is a logic 1 because the normally closed (NC) Stop pushbutton is closed. The I0.2 status bit
is a logic 1 because the normally closed (NC) overload relay (OL) contacts are closed. The I0.0 status bit is a logic
0, however, because the normally open Start pushbutton has not been pressed. A normally open output Q0.0
contact is also programmed on Network 1 as a sealing contact. With this simple network, energizing output
coil Q0.0 is what turns on the motor.
The Operation

When the Start pushbutton is pressed, the CPU receives a logic 1 from input I0.0. This causes the I0.0
contact to close. All three inputs are now a logic 1. The CPU sends a logic 1 to output Q0.0. The motor
starter is energized and the motor starts.

The output status bit for Q0.0 is now a 1. On the next scan, when the normally open contact Q0.0 is solved, the
contact will close and output Q0.0 will stay on even if the Start pushbutton is released.

When the Stop pushbutton is pressed, input I0.1 turns off, the I0.1 contact opens, output coil Q0.0
de-energizes, and the motor turns off.
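As an added example (not part of the report), the following Python simulates the scan cycle described earlier on the Start/Stop motor rung above: network 1 reads I0.0, I0.1, I0.2 and the Q0.0 sealing contact exactly as the text describes, and two further networks show the on-delay timer and up counter from the timers and counters section. Addresses T1, C1, Q0.1, Q0.2, the 300 ms preset and the 100 ms scan time are assumptions made for this example.

```python
SCAN_TIME_MS = 100  # assumed fixed scan time; advances the on-delay timer


class OnDelayTimer:
    """TON: done bit turns ON once the input has stayed ON for preset_ms."""
    def __init__(self, preset_ms):
        self.preset_ms = preset_ms
        self.acc_ms = 0

    def solve(self, enable, dt_ms):
        if enable:
            self.acc_ms = min(self.acc_ms + dt_ms, self.preset_ms)
        else:
            self.acc_ms = 0  # losing the input resets the accumulated time
        return self.acc_ms >= self.preset_ms


class UpCounter:
    """CTU: counts OFF->ON transitions of its input; done bit at preset."""
    def __init__(self, preset):
        self.preset = preset
        self.count = 0
        self._last = False

    def solve(self, trigger):
        if trigger and not self._last:
            self.count += 1
        self._last = trigger
        return self.count >= self.preset


class PLC:
    """Input image, output image and the repeating input/program/output scan."""
    def __init__(self, program):
        self.program = program
        self.inputs = {}    # input image table, refreshed by the input scan
        self.outputs = {}   # output image table, written by coils
        self.timers = {}
        self.counters = {}

    def contact(self, addr, normally_open=True):
        """Examine a status bit: NO passes power on 1, NC passes power on 0."""
        table = self.inputs if addr.startswith("I") else self.outputs
        bit = table.get(addr, 0) == 1
        return bit if normally_open else not bit

    def coil(self, addr, powered):
        """Write the rung result into the output image."""
        self.outputs[addr] = 1 if powered else 0

    def scan(self, field_inputs):
        # 1. Input scan: snapshot the field devices into the input image.
        self.inputs = dict(field_inputs)
        # 2. Program scan: rungs are solved top to bottom, left to right. An
        #    output bit examined before its coil is solved still holds the
        #    previous scan's value, which is what makes the seal-in work.
        self.program(self)
        # 3. Output scan: the output image is what the output modules receive.
        return dict(self.outputs)


def motor_program(plc):
    """The networks solved on every program scan."""
    # Network 1 (from the report): (I0.0 OR Q0.0) AND I0.1 AND I0.2 -> Q0.0.
    # All three use NO program contacts; the NC Stop button and NC overload
    # contact hold I0.1 and I0.2 at 1 while they are not operated.
    run = ((plc.contact("I0.0") or plc.contact("Q0.0"))
           and plc.contact("I0.1") and plc.contact("I0.2"))
    plc.coil("Q0.0", run)

    # Network 2 (assumed): TON T1 drives Q0.1 300 ms after the motor starts.
    t1 = plc.timers.setdefault("T1", OnDelayTimer(preset_ms=300))
    plc.coil("Q0.1", t1.solve(plc.contact("Q0.0"), SCAN_TIME_MS))

    # Network 3 (assumed): CTU C1 counts motor starts; Q0.2 turns ON at 2.
    c1 = plc.counters.setdefault("C1", UpCounter(preset=2))
    plc.coil("Q0.2", c1.solve(plc.contact("Q0.0")))


def run_sequence(steps):
    """Scan once per step, each step being the (I0.0, I0.1, I0.2) bits:
    Start pressed, Stop not pressed, overload healthy. Returns the
    (Q0.0, Q0.1, Q0.2) output bits after every scan."""
    plc = PLC(motor_program)
    history = []
    for start, stop_closed, ol_closed in steps:
        out = plc.scan({"I0.0": start, "I0.1": stop_closed, "I0.2": ol_closed})
        history.append((out["Q0.0"], out["Q0.1"], out["Q0.2"]))
    return history


# Constructed operator sequence: idle, press Start, release it (seal-in
# holds), wait, press Stop, release Stop, Start again, overload trips.
DEMO_STEPS = [(0, 1, 1), (1, 1, 1), (0, 1, 1), (0, 1, 1),
              (0, 0, 1), (0, 1, 1), (1, 1, 1), (1, 1, 0)]

if __name__ == "__main__":
    for step, bits in zip(DEMO_STEPS, run_sequence(DEMO_STEPS)):
        print(step, "->", bits)
```

Note that Q0.0 stays at 1 on the scan after Start is released (the sealing contact reads the previous scan's output image) and drops to 0 as soon as either I0.1 or I0.2 reads 0.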
SCADA stands for Supervisory Control And Data Acquisition. It refers to an industrial control system: a
computer system monitoring and controlling a process. The process can be industrial, infrastructure or
facility based, as described below:
• Industrial Process: includes manufacturing, production, power generation, fabrication
and refining; the process may run in continuous, batch, repetitive or discrete modes.
• Infrastructure Process: may be public or private, and includes water treatment and distribution,
wastewater collection and treatment, oil and gas pipelines, electrical power transmission and
distribution, and large communication systems.
• Facility Process: occurs in both public and private facilities, including buildings, airports, ships
and space stations. Such systems monitor and control HVAC, access and energy consumption.

A SCADA system usually consists of the following subsystems:

• A Human-Machine Interface (HMI), the apparatus which presents process data to a human operator,
and through which the human operator monitors and controls the process.
• A supervisory (computer) system, gathering (acquiring) data on the process and sending commands
(control) to the process.
• Remote Terminal Units (RTUs) connecting to sensors in the process, converting sensor signals to digital
data and sending the digital data to the supervisory system.
• Programmable Logic Controllers (PLCs) used as field devices because they are more economical, versatile,
flexible, and configurable than special-purpose RTUs.
• Communication infrastructure connecting the supervisory system to the Remote Terminal Units.
System concepts
The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes
of systems spread out over large areas (anything between an industrial plant and a country). Most control
actions are performed automatically by Remote Terminal Units ("RTUs") or by Programmable Logic
Controllers ("PLCs"). Host control functions are usually restricted to basic overriding or supervisory-level intervention.
Example: a PLC may control the flow of cooling water through part of an industrial process, but the SCADA system
may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow
and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or
PLC, while the SCADA system monitors the overall performance of the loop.

Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports
that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a
control room operator using the HMI can make supervisory decisions to adjust or override normal RTU
(PLC) controls. Data may also be fed to a historian, often built on a commodity database management
system, to allow trending and other analytical auditing.
SCADA systems typically implement a distributed database, commonly referred to as a tag database, which
contains data elements called tags or points. A point represents a single input or output value monitored or
controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or
output within the system, while a soft point results from logic and math operations applied to other points.
(Most implementations conceptually remove the distinction by making every property a "soft" point
expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as value-
timestamp pairs: a value, and the Time-Stamp when it was recorded or calculated. A series of value-
timestamp pairs gives the history of that point. It's also common to store additional metadata with tags,
such as the path to a field device or PLC register, design time comments, and alarm information.

Human Machine Interface

A Human Machine Interface or HMI is the apparatus which presents process data to a human operator, and
through which the human operator controls the process.
An HMI is usually linked to the SCADA system's database and software programs, to provide trending,
diagnostic data, and management information such as scheduled maintenance procedures, logistic
information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting.
The HMI system usually presents the information to the operating personnel graphically, in the form of a
mimic diagram. This means that the operator can see a schematic representation of the plant being
controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is
running and how much fluid it is pumping through the pipe at the moment. The operator can then switch
the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic
diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist
of digital photographs of the process equipment overlain with animated symbols.
The HMI package for the SCADA system typically includes a drawing program that the operators or system
maintenance personnel use to change the way these points are represented in the interface. These
representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic
light in the field, or as complex as a multi-projector display representing the position of all of the elevators
in a skyscraper or all of the trains on a railway.
An important part of most SCADA implementations is alarm handling. The system monitors whether certain
alarm conditions are satisfied, to determine when an alarm event has occurred. Once an alarm event has
been detected, one or more actions are taken (such as the activation of one or more alarm indicators, and
perhaps the generation of email or text messages so that management or remote SCADA operators are
informed). In many cases, a SCADA operator may have to acknowledge the alarm event; this may deactivate
some alarm indicators, whereas other indicators remain active until the alarm conditions are cleared. Alarm
conditions can be explicit - for example, an alarm point is a digital status point that has either the value
NORMAL or ALARM that is calculated by a formula based on the values in other analogue and digital points
- or implicit: the SCADA system might automatically monitor whether the value in an analogue point lies
outside high and low limit values associated with that point. Examples of alarm indicators include a siren, a
pop-up box on a screen, or a coloured or flashing area on a screen (that might act in a similar way to the
"fuel tank empty" light in a car); in each case, the role of the alarm indicator is to draw the operator's
attention to the part of the system 'in alarm' so that appropriate action can be taken. In designing SCADA
systems, care is needed in coping with a cascade of alarm events occurring in a short time, otherwise the
underlying cause (which might not be the earliest event detected) may get lost in the noise. Unfortunately,
when used as a noun, the word 'alarm' is used rather loosely in the industry; thus, depending on context it
might mean an alarm point, an alarm indicator, or an alarm event.
Remote Terminal Unit (RTU)
The RTU connects to physical equipment. Typically, an RTU converts the electrical signals from the
equipment to digital values, such as the open/closed status of a switch or a valve, or measurements such
as pressure, flow, voltage or current. By converting and sending electrical signals out to the equipment,
the RTU can also control the equipment, such as opening or closing a switch or a valve or setting the speed of a
Characteristics of Quality SCADA RTUs:
1. Supervisory Station
The term "Supervisory Station" refers to the servers and software responsible for communicating with the
field equipment (RTUs, PLCs, etc.), and then to the HMI software running on workstations in the control
room, or elsewhere. In smaller SCADA systems, the master station may be composed of a single PC. In
larger SCADA systems, the master station may include multiple servers, distributed software applications,
and disaster recovery sites. To increase the integrity of the system the multiple servers will often be
configured in a dual-redundant or hot-standby formation providing continuous control and monitoring in
the event of a server failure.
2. Operational philosophy
For some installations, the costs that would result from the control system failing are extremely high.
Possibly even lives could be lost. Hardware for some SCADA systems is ruggedized to withstand
temperature, vibration, and voltage extremes, but in most critical installations reliability is enhanced by
having redundant hardware and communications channels, up to the point of having multiple fully
equipped control centres. A failing part can be quickly identified and its functionality automatically taken
over by backup hardware. A failed part can often be replaced without interrupting the process. The
reliability of such systems can be calculated statistically and is stated as the mean time to failure, which is a
variant of mean time between failures. The calculated mean time to failure of such high reliability systems
can be on the order of centuries.
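The statistical MTTF calculation mentioned above, as an added Python example that is not part of this report. It assumes a dual-redundant station of two identical units with a constant failure rate lam (failures per year), a constant repair rate mu (repairs per year), one repair crew, and a station that is only down when both units are down; the formula is derived from the three-state Markov model in the comments, and the failure rates and repair times used in `compare` are constructed.

```python
# Added example (constructed assumptions, not from the report).
# Markov model: state 2 = both units up, state 1 = one unit up,
# state 0 = both down (absorbing).  Transition rates: 2 -> 1 at 2*lam,
# 1 -> 0 at lam, 1 -> 2 at mu (repair).  Expected time to absorption:
#   T2 = 1/(2*lam) + T1
#   T1 = 1/(lam + mu) + (mu / (lam + mu)) * T2
# which solves to T1 = (2*lam + mu) / (2*lam**2) and
#   T2 = (3*lam + mu) / (2*lam**2)            <- station MTTF, in years.

HOURS_PER_YEAR = 8760.0


def mttf_single(lam: float) -> float:
    """MTTF of one unit with constant failure rate lam (years)."""
    return 1.0 / lam


def mttf_dual_no_repair(lam: float) -> float:
    """Two units, failed unit never repaired: mu = 0 in the model."""
    return 3.0 / (2.0 * lam)


def mttf_dual_with_repair(lam: float, mu: float) -> float:
    """Two units, hot standby, one repair crew with repair rate mu."""
    if lam <= 0 or mu < 0:
        raise ValueError("lam must be positive and mu non-negative")
    return (3.0 * lam + mu) / (2.0 * lam ** 2)


def compare(lam: float, repair_hours: float) -> dict:
    """MTTF (years) for one unit, two unrepaired units, and two repaired units."""
    mu = HOURS_PER_YEAR / repair_hours   # repairs per year
    return {
        "single": mttf_single(lam),
        "dual_no_repair": mttf_dual_no_repair(lam),
        "dual_with_repair": mttf_dual_with_repair(lam, mu),
    }


if __name__ == "__main__":
    # Constructed figures: each unit fails once in five years on average
    # (lam = 0.2) and a failed unit is swapped within one week (168 h).
    for label, years in compare(0.2, 168.0).items():
        print(f"{label:>18}: {years:10.1f} years")
```

With the constructed figures a single unit gives an MTTF of 5 years, two units without repair 7.5 years, and two units with one-week repair roughly 660 years: the repair term mu dominates, which is why redundant, maintained hardware reaches the multi-century figures the text describes.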
Communication infrastructure and methods
SCADA systems have traditionally used combinations of radio and direct serial or modem connections to
meet communication requirements, although Ethernet and IP over SONET/SDH are also frequently used at
large sites such as railways and power stations. The remote management or monitoring function of a SCADA
system is often referred to as telemetry.
This dedicated infrastructure has also come under threat, with some customers wanting SCADA data to travel
over their pre-established corporate networks or to share the network with other applications. The legacy
of the early low-bandwidth protocols remains, though. SCADA protocols are designed to be very compact, and
many are designed to send information to the master station only when the master station polls the RTU.
Typical legacy SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel. These communication
protocols are all SCADA-vendor specific but are widely adopted and used. Standard protocols are IEC
60870-5-101 or 104, IEC 61850 and DNP3. These communication protocols are standardized and recognized by
all major SCADA vendors. Many of these protocols now contain extensions to operate over TCP/IP. It is good
security engineering practice to avoid connecting SCADA systems to the internet so that the attack surface
is reduced.
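The compact, master-polled framing described above, as an added Python example that is not part of this report: a Modbus RTU frame is a unit address, a function code, the data bytes and a CRC-16 sent low byte first. The example builds a function 3 (read holding registers) poll, parses it as the RTU would, and returns a constructed response. It also shows the security point the report raises later: the frame carries no authentication field, so the CRC check only detects transmission errors and says nothing about who sent the command. The unit number, addresses and register values are constructed.

```python
import struct

# Added example (constructed, not from the report): Modbus RTU framing.
# Frame layout: unit (1 byte) | function (1 byte) | data | CRC-16 (2 bytes,
# little-endian).  Note there is no authentication field anywhere in the frame.


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def parse_frame(frame: bytes) -> dict:
    """Split a frame after checking its CRC; raise ValueError on a bad frame.

    Passing this check proves only that the bytes were not corrupted in
    transit; it does not prove the frame came from the master station.
    """
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc_field = frame[:-2], frame[-2:]
    if struct.unpack("<H", crc_field)[0] != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    return {"unit": body[0], "function": body[1], "data": body[2:]}


def read_holding_registers_request(unit: int, start: int, count: int) -> bytes:
    # Function 3 request: start address and register count, big-endian 16-bit each.
    return build_frame(unit, 0x03, struct.pack(">HH", start, count))


def read_holding_registers_response(unit: int, values: list) -> bytes:
    # Function 3 response: byte count, then each register value big-endian.
    payload = bytes([2 * len(values)]) + b"".join(struct.pack(">H", v) for v in values)
    return build_frame(unit, 0x03, payload)


def decode_registers(data: bytes) -> list:
    byte_count = data[0]
    return list(struct.unpack(">%dH" % (byte_count // 2), data[1:1 + byte_count]))


def poll_example() -> list:
    """Master polls unit 1 for 10 registers from address 0; RTU answers."""
    request = read_holding_registers_request(1, 0, 10)   # 01 03 00 00 00 0A C5 CD
    req = parse_frame(request)                            # RTU side: CRC ok, decode
    start, count = struct.unpack(">HH", req["data"])
    readings = [100 + start + i for i in range(count)]   # constructed register values
    response = read_holding_registers_response(req["unit"], readings)
    resp = parse_frame(response)                          # master side: CRC ok, decode
    return decode_registers(resp["data"])


if __name__ == "__main__":
    print(read_holding_registers_request(1, 0, 10).hex(" "))
    print(poll_example())
```

The request for ten registers fits in eight bytes, which is the compactness the text refers to; the CRC value of the classic `01 03 00 00 00 0A` request (`C5 CD` on the wire) is a convenient check that the CRC routine is right.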
SCADA systems have evolved through three generations, as follows:

First generation: "Monolithic"

In the first generation, computing was done by mainframe computers. Networks did not exist at the time
SCADA was developed. Thus SCADA systems were independent systems with no connectivity to other
systems. WANs were later designed by RTU vendors to communicate with the RTUs. The communication
protocols used were often proprietary at that time. The first-generation SCADA system was redundant since
a back-up mainframe system was connected at the bus level and was used in the event of failure of the
primary mainframe system.

Second generation: "Distributed"

The processing was distributed across multiple stations which were connected through a LAN and which
shared information in real time. Each station was responsible for a particular task, thus making the size
and cost of each station less than that of the one used in the first generation. The network protocols used
were still mostly proprietary, which led to significant security problems for any SCADA system that received
attention from a hacker. Since the protocols were proprietary, very few people beyond the developers and
hackers knew enough to determine how secure a SCADA installation was. Since both parties had vested
interests in keeping security issues quiet, the security of a SCADA installation was often badly
overestimated, if it was considered at all.

Third generation: "Networked"

These are the current generation SCADA systems which use open system architecture rather than a vendor-
controlled proprietary environment. The SCADA system utilizes open standards and protocols, thus
distributing functionality across a WAN rather than a LAN. It is easier to connect third party peripheral
devices like printers, disk drives, and tape drives due to the use of open architecture. WAN protocols such
as Internet Protocol (IP) are used for communication between the master station and communications
equipment. Due to the usage of standard protocols and the fact that many networked SCADA systems are
accessible from the Internet, the systems are potentially vulnerable to remote cyber-attacks. On the other
hand, the usage of standard protocols and security techniques means that standard security improvements
are applicable to the SCADA systems, assuming they receive timely maintenance and updates.
Security Issues
The move from proprietary technologies to more standardized and open solutions, together with the
increased number of connections between SCADA systems and office networks and the Internet, has made
them more vulnerable to attacks (see references). Consequently, the security of SCADA-based systems has
come into question as they are increasingly seen as extremely vulnerable to cyberwarfare/cyberterrorism.
In particular, security researchers are concerned about:
1. The lack of concern about security and authentication in the design, deployment and
operation of existing SCADA networks.
2. The belief that SCADA systems have the benefit of security through obscurity through the use
of specialized protocols and proprietary interfaces.
3. The belief that SCADA networks are secure because they are physically secured.
4. The belief that SCADA networks are secure because they are disconnected from the Internet.

SCADA systems are used to control and monitor physical processes, examples of which are transmission of
electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems
used as the basis of modern society. The security of these SCADA systems is important because compromise
or destruction of these systems would impact multiple areas of society far removed from the original
compromise. For example, a blackout caused by a compromised electrical SCADA system would cause
financial losses to all the customers that received electricity from that source. How security will affect
legacy SCADA and new deployments remains to be seen.

In June 2010, VirusBlokAda reported the first detection of malware that attacks SCADA systems (Siemens'
WinCC/PCS7 systems) running on Windows operating systems. The malware is called Stuxnet and uses four
zero-day attacks to install a rootkit which in turn logs in to the SCADA's database and steals design and
control files. The malware is also capable of changing the control system and hiding those changes. The
malware was found by an anti-virus security company on 14 systems, with the majority in Iran.