GURU PREMSUKH MEMORIAL COLLEGE OF ENGINEERING

( Affiliated to G.G.S.I.P. University, DELHI ) 245, Budhpur Village, G.T. Karnal Road, Delhi-110036.

SUMMER TRAINING REPORT
Submitted in partial fulfillment for the award of degree of Bachelor of Technology in Mechanical and Automation Engineering

NITISH BHARDWAJ
0871313608, 5th Semester

DYNAMIC INSTITUTE OF AUTOMATION AND CONTROL D-94, Sector-63, Noida, U.P.-201301

ACKNOWLEDGEMENT

I am thankful to the institute "DIAC" for providing necessary facility to carry out my training successfully. It is my duty to record my sincere thanks and gratitude towards the institute staff who helped me in bringing this project to its present form. The valuable guidance and interest taken by them has been a motivator and source of inspiration for me to carry out the necessary proceedings for the project to be completed successfully. Also, I am highly obliged to the head of our training and placement cell "Mr. Welfred Peters" who provided me such a great opportunity to do my summer training in a reputed institute like "Dynamic Institute of Automation and Control".

CONTENTS
•Automation •PLC •Introduction •History •Advantages •Hardware •PLC Operation •Communications •PLC Programming •Ladder Logic •Counters & Timers •PLC application example •SCADA •Introduction •System Concepts •Human Machine Interface •Alarm •Remote Terminal Unit •Communication •Evolution •Security Issues

PREFACE
An industrial PLC and SCADA system is to for the development of automatic control of machinery. PLC and SCADA system are methods to achieve Automation. Automation industry has fast growth potential in a country like India, which has a large industry base. This report focuses on brief concepts of PLC and SCADA system, their development, and also mentions possible applications of these systems. Almost every industry that has some electrical machinery may need Automation Services. Attention is also paid to the security issues which have arisen with time.

NITISH BHARDWAJ 25-11-2010

Automation
Automation is the use of control systems such as computers to control industrial machinery and process, reducing the need for human intervention. In the scope of industrialization, automation is a step beyond mechanization. Whereas mechanization provided human operators with machinery to assist them with physical requirements of work, automation greatly reduces the need for human sensory and mental requirements as well. Processes and systems can also be automated.

Automation impacts
● ●

● ● ● ●

It increases productivity and reduces cost. It gives emphasis on flexibility and convertibility in the manufacturing process. Manufacturers are increasingly demanding the ability to easily switch from product A to manufacturing product B without having to completely rebuild the production lines. Automation is often applied primarily to increase quality in the manufacturing process, where automation can increase quality substantially. Automation reduces power consumption and reduces man power requirement. Automation improves production quality. Automation provides safer working conditions.

Programmable Logic Controller (PLC)
A PROGRAMMABLE LOGIC CONTROLLER (PLC) is an industrial computer control system that continuously monitors the state of input devices and makes decisions based upon a custom program to control the state of output devices. Almost any production line, machine function, or process can be greatly enhanced using this type of control system. However, the biggest benefit in using a PLC is the ability to change and replicate the operation or process while collecting and communicating vital information. Another advantage of a PLC system is that it is modular. That is, you can mix and match the types of input and Output devices to best suit your application.

History of PLCs
● ● ● ● ●

The first Programmable Logic Controllers were designed and developed by Modicon as a relay replacer for GM and Landis. These controllers eliminated the need for rewiring and adding additional hardware for each new configuration of logic. The new system drastically increased the functionality of the controls while reducing the cabinet space that housed the logic. The first PLC, model 084, was invented by Dick Morley in 1969. The first commercial successful PLC, the 184, was introduced in 1973 and was designed by Michael Greenberg.

Advantages of PLCs
PLCs not only are capable of performing the same tasks as hard-wired control, but are also capable of many more complex applications. In addition, the PLC program and electronic communication lines replace much of the interconnecting wires required by hard-wired control. Therefore, hard-wiring, though still required to connect field devices, is less intensive. This also makes correcting errors and modifying the application easier. Some of the additional advantages of PLCs are as follows:
● ● ● ● ● ●

Smaller physical size than hard-wire solutions. Easier and faster to make changes. PLCs have integrated diagnostics and override functions. Diagnostics are centrally available. Applications can be immediately documented. Applications can be duplicated faster and less expensively.

Inside A PLC
The Central Processing Unit (CPU), contains an internal program that tells the PLC how to perform the following functions: · Execute the Control Instructions contained in the User's Programs. This program is stored in "nonvolatile" memory, meaning that the program will not be lost if power is removed · Communicate with other devices, which can include I/O Devices, Programming Devices, Networks, and even other PLCs. · Perform Housekeeping activities such as Communications, Internal Diagnostics, etc.

THE CPU
The microprocessor or processor module is the brain of a PLC system. It consists of the microprocessor, memory integrated circuits, and circuits necessary to store and retrieve information from memory. It also includes communications ports to other peripherals, other PLC's or programming terminals. Today's processors vary widely in their capabilities to control real world devices. Some control as few as 6 inputs and outputs (I/O) and others 40,000 or more. One processor can control more than one process or manufacturing line. Processors are often linked together in order to provide continuity throughout the process. The number of inputs and outputs PLCs can control are limited by the overall capacity of the PLC system hardware and memory capabilities. The job of the processor is to monitor status or state of input devices, scan and solve the logic of a user program, and control on or off state of output devices.

RAM
RAM or Random Access Memory is a volatile memory that would lose its information if power were removed. This is why some processor units incorporate a battery back-up. The type of RAM normally used is CMOS or Complementary Metal Oxide Semiconductor. CMOS RAM is used for storage of the user's program (ladder logic diagrams) and storage memory.

ROM
ROM or Read Only Memory is a non-volatile type of memory. This means you don't need an external power source to keep information. In this type of memory, information can be read, but not changed. For this reason the manufacture sometimes calls this firmware. It is placed there for the internal use and operation of processor units.

EEPROM
EEPROM or Electrically Erasable Programmable Read Only Memory is usually an add-on memory module that is used to back up the main program in CMOS RAM of the processor. In many cases, the processor can be programmed to load theEEPOM's program to RAM if RAM is lost or corrupted.

Input Module
There are many types of input modules to choose from. The type of input module used is dependent upon what real world input to the PLC is desired. Some examples of inputs are limit switches, electric eyes, and pushbuttons. DC inputs, such as thumbwheel switches, can be used to enter integer values to be manipulated by the PLC. DC input cards are used for this application. Since most industrial power systems are inherently noisy, electrical isolation is provided between the input and the processor. Electromagnetic interference (EMI) and Radio Frequency Interference (RFI) can cause severe problems in most solid state control systems. The component used most often to provide electrical isolation within I/O cards is called an optical isolator or optocoupler. The wiring of an input is not complex. The object is to get a voltage at a particular point on the card. Typically there are 8 to 32 input points on any one input module. Each point will be assigned a unique address by the processor. Analog input modules are special input cards that use analog to digital conversion (A to D) to sense variables such as temperature, speed, pressure, and position. The external device normally is connected to a controller (transducer) producing an electrical signal the analog input card can interpret. This signal is usually 4 to 20 Ma or a 0 to 10 volt signal.

Output Module
Output modules can be for used for ac or dc devices such as solenoids, relays, contractors, pilot lamps, and LED readouts. Output cards usually have from 6 to 32 output points on a single module. The output device within the card provides the connection from the user power supply to the load. Usually silicon controlled rectifiers (SCR), triac, or dry contact relays are use for this purpose. Individual outputs are rated most often at 2 to 3 amperes. Output cards, like input cards have electrical isolation between the load being connected and the PLC. Analog output cards are a special type of output modules that use digital to analog conversion (D to A). The analog output module can take a value stored in a 12 bit file and convert it to an analog signal. Normally this signal is 0 -10 volts dc or 4 to 20 Ma. This analog signal is often used in equipment such as motor operated valves and pneumatic position control devices.

PLC OPERATION
There are four basic steps in the operation of all PLCs : which continually take place in a repeating loop. • Input Scan • Program Scan • Output Scan • Housekeeping

• • • •

Input Scan : Detects the state of all input devices that are connected to the PLC Program Scan : Executes the user created program logic. Output Scan : Energizes or de-energize all output devices that are connected to the PLC. Housekeeping : This step includes communications with programming terminals, internal diagnostics etc...

CHECK INPUT STATUS : First the PLC takes a look at each input to determine if it is on or off. In other words, is the sensor connected to the first input on? Then the second input? Then the third and so on…. It records this data into its memory to be used during the next step. EXECUTE PROGRAM : Next the PLC executes your program one instruction at a time. Maybe the program says that if the first input was on then it should turn on the first output. Since it already knows which inputs are on/off from the previous step it will be able to decide whether the first output should be turned on based on the state of the first input. It will store the execution results for use later during the next step. UPDATE OUTPUT STATUS : Finally the PLC updates the status of the outputs. It updates the outputs based on which inputs were on during the first step and the results of executing your program during the second step. Based on the example in step 2 it would now turn on the first output because the first input was on and your program said to turn on the first output when this condition is true.

After the third step the PLC goes back to step one and repeats the steps continuously. One scan time is defined as the time it takes to execute the 3 steps listed above.

COMMUNICATIONS
There are several methods to communicate between a PLC and a programmer or even between two PLCs. Communications between a PLC and a programmer (PC or Hand held) are provided by the makers and you only have to plug in a cable from your PC to the programming port on the PLC. This communication can be RS232; RS485 or TTY. Communications between two PLCs can be carried out by dedicated links supplied/programmed by the makers (RS232 etc) or via outputs from one PLC to the inputs on another PLC. This direct link method of communication can be as simple as, if an output on the first PLC is on then the corresponding input on the second PLC will be on and then this input is used within the program on the second PLC. If a word of input/outputs (16 bits) are used then numerical data can be transferred from one PLC to the other (refer back to the section on numbering systems). There are many other methods of communication between PLCs and also from PLC to PC. Refer to the manuals supplied with the PLC that you are using for full details on communications.

PLC PROGRAMMING
Various languages are used for programming of PLCs :

Ladder diagram (LD)
Ladder diagram is a graphic programming language derived from the circuit diagram of directly wired relay controls. The ladder diagram contains contact rails to the left and the right of the diagram; these contact rails are connected to switching elements (normally open / normally closed contacts) via current paths and coil elements.

Function block diagram (FBD)
In the function block diagram, the functions and function blocks are represented graphically and interconnected into networks. The function block diagram originates from the logic diagram for the design of electronic circuits.

Sequential function chart (SFC)
The sequential function chart is a language resource for the structuring of sequence-oriented control programs. The elements of the sequential function chart are steps, transitions, alternative and parallel branching. Each step represents a processing status of a control program, which is active or inactive. A step consists of actions which, identical to the transitions, are formulated in the IEC 1131-3 languages. Actions themselves can again contain sequence structures. This feature permits the hierarchical structure of a control program. The sequential function chart is therefore an excellent tool for the design and structuring of control programs.

Instruction list (IL)
Statement list is a textual assembler-type language characterised by a simple machine model (processor with only one register). Instruction list is formulated from control instructions consisting of an operator and an operand.

LD Part_TypeA OR Part_TypeB AND Part_present AND Drill_ok ST Sleeve_in
With regard to language philosophy, the ladder diagram, the function block diagram and instruction list have been defined in the way they are used in today’s PLC technology. They are however limited to basic functions as far as their elements are concerned. This separates them essentially from the company dialects used today. The competitiveness of these languages is maintained due to the use of functions and function blocks.

Structured text (ST)
Structured text is high-level language based on Pascal, which consists of expressions and instructions. Instructions can be defined in the main as : Selection instructions such as IF...THEN...ELSE etc., repetition instructions such as FOR, WHILE etc. and function block invocations. Sleeve_in := (Part_TypeA OR Fig. B5.7: Part_TypeB) AND Part_present AND Drill_ok; Structured text enables the formulation of numerous applications, beyond pure function technology, such as algorithmic problems (highorder control algorithms etc.) and data handling (data analysis, processing of complex data structures etc.).

LADDER LOGIC
Ladder Logic, or Ladder Diagrams is the most common programming language used to program a PLC.

Ladder logic was one of the first programming approaches used in PLCs because it borrowed heavily from the Relay Diagrams that plant electricians already knew. The symbols used in Relay Ladder Logic consists of a power rail to the left, a second power rail to the right, and individual circuits that connect the left power rail to the right. The logic of each circuit (or rung) is solved from left to right. The symbols of these diagrams look like a ladder - with two side rails and circuits that resemble rungs on a ladder. The picture above has a single circuit or "rung" of ladder.
• •

If Input1 is ON (or true) - power (logic) completes the circuit from the left rail to the right rail - and Output1 turns ON (or true). If Output1 is OFF (or false) - then the circuit is not completed and logic does not flow to the right - and Output 1 is OFF.

There are many logic symbols available in Ladder Logic - including Timers, Counters, Math, and Data Moves - such that any logical condition or control loop can be represented in Ladder Logic. With just a handful of basic symbols - a Normally Open Contact, Normally Closed Contact, Normally Open Coil, Normally Closed Coil, Timer, Counter - most logical conditions can be represented.

CONTACTS AND COILS
With just the Normally Open Contact and Normally Open Coil - a surprising array of basic logical conditions can be represented.

Normally Open Contact. This can be used to represent any input to the control logic - a switch or sensor, a contact from an output, or an internal output. When "solved" the referenced input is examined for an ON (logical 1) condition. If it is ON, the contact will close and allow power (logic) to flow from left to right. If the status is OFF (logical 0), the contact is Open, power (logic) will NOT flow from left to right.

Normally Open Coil. This can be used to represent any discrete output from the control logic. When "solved" if the logic to the left of the coil is TRUE, the refrenced output is ON (logical 1). Solving a Single Rung

Suppose a switch is wired to Input1, and a light bulb is wired through Output1 in such a way that the light is OFF when Output1 is OFF, and ON when Output1 is ON. When Input1 is OFF (logical 0) the contact remains open and power cannot flow from left to right. Therefore, Output1 remains OFF (logical 0). When Input1 is ON (logical 1) then the contact closes, power flows from left to right, and Output1 becomes ON (the light turns ON).

The AND Rung The AND is a basic fundamental logic condition that is easy to directly represent in Ladder Logic.

Suppose a switch is wired to Switch1, a second switch is wired to Switch2, and a light bulb is wired through Light1 in such a way that the light is OFF when Light1 is OFF, and ON when Light1 is ON. In order for Light1 to turn ON, Switch1 must be ON, AND Switch2 must be ON. If Switch1 is OFF, power (logic) flow from the left rail, but stops at Switch1. Light1 will be OFF regardless of the state of Switch2. If Switch1 is ON, power makes it to Switch2. If Switch2 is OFF, power cannot flow any further to the right, and Light1 is OFF. If Switch1 is ON, AND Switch2 is ON - power flows to Light1 solving its state to ON.

The OR Rung The OR is a logical condition that is easy to represent in Ladder Logic.

Suppose a switch is wired to Switch1, a second switch is wired to Switch2, and a light bulb is wired through Light1 in such a way that the light is OFF when Light1 is OFF, and ON when Light1 is ON. In this instance, we want to the light to turn ON if either Switch1 OR Switch2 is ON. If Switch1 is ON - power flows to Light1 turning it ON. If Switch2 is ON - power flows through the Switch2 contact, and up the rail to Light1 - turning it ON. If Switch1 AND Switch 2 are ON - Light1 is ON. The only way Light1 is OFF is if Switch1 AND Switch2 are OFF.

* Another set of basic contacts and coils that can be used in Ladder Logic are the Normally Closed Contact and the Normally Closed Coil. These work just like their normally open counterparts - only in the opposite.

When "solved" the referenced input is examined for an OFF condition. If the status is OFF (logical 0) power (logic) will flow from left to right. If the status is ON, power will not flow.

When "solved" if the coil is a logical 0, power will be turned on to the device. If logical 1, power will be OFF.

TIMERS AND COUNTERS
Many times we will want to take action in a control program based on more than the states of discrete inputs and outputs. Sometimes, we will want to turn something on after a delay, or count the number of times a switch is hit. To do these simple tasks, we will need Timers & Counters.

Simple Timers (TIM)
A timer is simply a control block that takes an input and changes an output based on time. There are two basic timer types we will deal with initially (there are other advanced timers, but we will start with the basics first) - On-Delay Timer and the Off-Delay Timer. On-Delay Timer - this timer takes an input, waits a specific amount of time, then turns ON an output (or allows logic to flow after the delay). Off-Delay Timer - this timer takes turns ON an output (or allows logic to flow) and keeps that output ON until the set amount of time has passed, then turns it OFF (hence off-delay)

Simple Counter (CNT)
A counter simply counts the number of events that occur on an input. There are two basic types of counters - Up counter and a Down counter. Up Counter - as its name implies, whenever a triggering event occurs, an up counter increments the counter. Down Counter - whenever a triggering event occurs, a down counter decrements the counter.

MOTOR STARTER EXAMPLE :
First consider a hardwired approach. The following line diagram illustrates how a normally open and a normally closed pushbutton might be connected to control a three-phase AC motor. In this example, a motor starter coil (M) is wired in series with a normally open, momentary Start pushbutton, a normally closed, momentary Stop pushbutton, and normally closed overload relay (OL) contacts.

Momentarily pressing the Start pushbutton completes the pathfor current flow and energizes the motor starter (M). This closes the associated M and Ma (auxiliary contact located in the motor starter) contacts. When the Start button is released, current continues to flow through the Stop button and the Ma contact, and the M coil remains energized. The motor will run until the normally closed Stop button is pressed, unless the overload relay (OL) contacts open. When the Stop button is pressed, the path for current flow is interrupted, opening the associated M and Ma contacts, and the motor stops.

Now consider PLC approach :
This motor control application can also be accomplished with a PLC. In the following example, a normally open Start pushbutton is wired to the first input (I0.0), a normally closed Stop pushbutton is wired to the second input (I0.1), and normally closed overload relay contacts (part of the motor starter) are connected to the third input (I0.2). These inputs are used to control normally open contacts in a line of ladder logic programmed into the PLC.

Initially, I0.1 status bit is a logic 1 because the normally closed (NC) Stop Pushbutton is closed. I0.2 status bit is a logic 1 because the normally closed (NC) overload relay (OL) contacts are closed. I0.0 status bit is a logic 0, however, because the normally open Start pushbutton has not been pressed. Normally open output Q0.0 contact is also programmed on Network 1 as a sealing contact. With this simple network, energizing output coil Q0.0 is required to turn on the motor.

The Operation
When the Start pushbutton is pressed, the CPU receives a logic 1 from input I0.0. This causes the I0.0 contact to close. All three inputs are now a logic 1. The CPU sends a logic 1 to output Q0.0. The motor starter is energized and the motor starts.

The output status bit for Q0.0 is now a 1. On the next scan, when normally open contact Q0.0 is solved, the contact will close & output Q0.0 will stay on even if the Start pushbutton is released.

. When the Stop pushbutton is pressed, input I0.1 turns off, the I0.1 contact opens, output coil Q0.0 deenergizes, and the motor turns off.

SCADA
SCADA stands for Supervisory Control And Data Acquisition. Ir refers to an industrial control system : a computer system monitoring and controlling a process. The process can be industrial, infrastructure or facility based as described below : • Industrial Process : it includes those of manufacturing, production, power generation, fabrication and refining and process may be in continuous, batch, repetitive or discrete modes. • Infrastructure Process : it may be public or private, and water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, and large communication systems. • Facility Process : it occur both in public facilities and private ones, including buildings, airports, ships and space stations. They monitor and control HVAC, access and energy consumption.

A SCADA System usually consists of the following SubSystems:

A Human-Machine Interface (HMI) is the apparatus which presents process data to a human operator, and through this, the human operator monitors and controls the process. A supervisory (computer) system, gathering (acquiring) data on the process and sending commands (control) to the process. Remote Terminal Units (RTU) connecting to sensors in the process, converting sensor signals to digital data and sending digital data to the supervisory system. Programmable Logic Controller (PLC) used as field devices because they are more economical, versatile, flexible, and configurable than special-purpose RTUs. Communication infrastructure connecting the supervisory system to the Remote Terminal Units.

Systems concepts
The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (anything between an industrial plant and a country). Most control actions are performed automatically by Remote Terminal Units ("RTUs") or by Programmable Logic Controllers ("PLCs"). Host control functions are usually restricted to basic overriding or supervisory level intervention. Ex: A PLC may control the flow of cooling water through part of an industrial process, but the SCADA system may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or PLC, while the SCADA system monitors the overall performance of the loop.

Data Acquisiton begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required. Data is then compiled and formatted in such a way that a control room operator using the HMI can make supervisory decisions to adjust or override normal RTU (PLC) controls. Data may also be fed to a Historian, often built on a commodity Database Management System, to allow trending and other analytical auditing.

TAGS (POINTS)
SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point represents an actual input or output within the system, while a soft point results from logic and math operations applied to other points. (Most implementations conceptually remove the distinction by making every property a "soft" point expression, which may, in the simplest case, equal a single hard point.) Points are normally stored as valuetimestamp pairs: a value, and the Time-Stamp when it was recorded or calculated. A series of valuetimestamp pairs gives the history of that point. It's also common to store additional metadata with tags, such as the path to a field device or PLC register, design time comments, and alarm information.

Human Machine Interface
A Human Machine Interface or HMI is the apparatus which presents process data to a human operator, and through which the human operator controls the process. An HMI is usually linked to the SCADA system's Database and software programs, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides. The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols. The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.

ALARM
An important part of most SCADA implementations is alarm handling. The system monitors whether certain alarm conditions are satisfied, to determine when an alarm event has occurred. Once an alarm event has been detected, one or more actions are taken (such as the activation of one or more alarm indicators, and perhaps the generation of email or text messages so that management or remote SCADA operators are informed). In many cases, a SCADA operator may have to acknowledge the alarm event; this may deactivate some alarm indicators, whereas other indicators remain active until the alarm conditions are cleared. Alarm conditions can be explicit - for example, an alarm point is a digital status point that has either the value NORMAL or ALARM that is calculated by a formula based on the values in other analogue and digital points - or implicit: the SCADA system might automatically monitor whether the value in an analogue point lies outside high and low limit values associated with that point. Examples of alarm indicators include a siren, a pop-up box on a screen, or a coloured or flashing area on a screen (that might act in a similar way to the "fuel tank empty" light in a car); in each case, the role of the alarm indicator is to draw the operator's attention to the part of the system 'in alarm' so that appropriate action can be taken. In designing SCADA systems, care is needed in coping with a cascade of alarm events occurring in a short time, otherwise the underlying cause (which might not be the earliest event detected) may get lost in the noise. Unfortunately, when used as a noun, the word 'alarm' is used rather loosely in the industry; thus, depending on context it might mean an alarm point, an alarm indicator, or an alarm event.

Remote Terminal Unit (RTU)
The RTU connects to physical equipment. Typically, an RTU converts the electrical signals from the equipment to digital values such as the open/closed status from a Switch or a valve, or measurements such as pressure, flow, voltage or current. By converting and sending these electrical signals out to equipment the RTU can control equipment, such as opening or closing a switch or a valve or setting the speed of a pump. Characteristics of Quality SCADA RTUs : 1. Supervisory Station The term "Supervisory Station" refers to the servers and software responsible for communicating with the field equipment (RTUs, PLCs, etc.), and then to the HMI software running on workstations in the control room, or elsewhere. In smaller SCADA systems, the master station may be composed of a single PC. In larger SCADA systems, the master station may include multiple servers, distributed software applications, and disaster recovery sites. To increase the integrity of the system the multiple servers will often be configured in a dual-redundant or hot-standby formation providing continuous control and monitoring in the event of a server failure. 2. Operational philosophy For some installations, the costs that would result from the control system failing are extremely high. Possibly even lives could be lost. Hardware for some SCADA systems is ruggedized to withstand temperature, vibration, and voltage extremes, but in most critical installations reliability is enhanced by having redundant hardware and communications channels, up to the point of having multiple fully equipped control centres. A failing part can be quickly identified and its functionality automatically taken over by backup hardware. A failed part can often be replaced without interrupting the process. The reliability of such systems can be calculated statistically and is stated as the mean time to failure, which is a variant of mean time between failures. The calculated mean time to failure of such high reliability systems can be on the order of centuries.

Communication infrastructure and methods
SCADA systems have traditionally used combinations of radio and direct serial or modem connections to meet communication requirements, although Ethernet and IP over SONET / SDH is also frequently used at large sites such as railways and power stations. The remote management or monitoring function of a SCADA system is often referred to as telemetry. This has also come under threat with some customers wanting SCADA data to travel over their preestablished corporate networks or to share the network with other applications. The legacy of the early low-bandwidth protocols remains, though. SCADA protocols are designed to be very compact and many are designed to send information to the master station only when the master station polls the RTU. Typical legacy SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel. These communication protocols are all SCADA-vendor specific but are widely adopted and used. Standard protocols are IEC 60870-5-101 or 104, IEC 61850 and DNP3. These communication protocols are standardized and recognized by all major SCADA vendors. Many of these protocols now contain extensions to operate over TCP / IP. It is good security engineering practice to avoid connecting SCADA systems to the internet so the attack surface is reduced.

EVOLUTION
SCADA systems have evolved through 3 generations as follows : First generation: "Monolithic" In the first generation, computing was done by mainframe computers. Networks did not exist at the time SCADA was developed. Thus SCADA systems were independent systems with no connectivity to other systems. WAN were later designed by RTU vendors to communicate with the RTU. The communication protocols used were often proprietary at that time. The first-generation SCADA system was redundant since a back-up mainframe system was connected at the bus level and was used in the event of failure of the primary mainframe system. Second generation: "Distributed" The processing was distributed across multiple stations which were connected through a LAN and they shared information in real time. Each station was responsible for a particular task thus making the size and cost of each station less than the one used in First Generation. The network protocols used were still mostly proprietary, which led to significant security problems for any SCADA system that received attention from a hacker. Since the protocols were proprietary, very few people beyond the developers and hackers knew enough to determine how secure a SCADA installation was. Since both parties had invested interests in keeping security issues tight, the security of a SCADA installation was often badly overestimated, if it was considered at all. Third generation: "Networked" These are the current generation SCADA systems which use open system architecture rather than a vendorcontrolled proprietary environment. The SCADA system utilizes open standards and protocols, thus distributing functionality across a WAN rather than a LAN. It is easier to connect third party peripheral devices like printers, disk drives, and tape drives due to the use of open architecture. WAN protocols such as Internet Protocol (IP) are used for communication between the master station and communications equipment. Due to the usage of standard protocols and the fact that many networked SCADA systems are accessible from the Internet, the systems are potentially vulnerable to remote cyber-attacks. On the other hand, the usage of standard protocols and security techniques means that standard security improvements are applicable to the SCADA systems, assuming they receive timely maintenance and updates.

Security Issues
The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks - see references. Consequently, the security of SCADA-based systems has come into question as they are increasingly seen as extremely vulnerable to cyberwarfare/cyberterrorism attacks. In particular, security researchers are concerned about: 1. The lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks. 2. The belief that SCADA systems have the benefit of security through obscurtiy through the use of specialized protocols and proprietary interfaces. 3. The belief that SCADA networks are secure because they are physically secured. 4. The belief that SCADA networks are secure because they are disconnected from the Internet. SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen. In June 2010, Virus BlokAda reported the first detection of malware that attacks SCADA systems (Siemens' WinCC/PCS7 systems) running on Windows operating systems. The malware is called stuxnet and uses four zero-day attacksto install a rootkit which in turn logs in to the SCADA's database and steals design and control files. The malware is also capable of changing the control system and hiding those changes. The malware was found by an anti-virus security company on 14 systems with the majority in Iran.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.