net/publication/341384501
Yasar University
All content following this page was uploaded by Tuncay Ercan on 14 May 2020.
Industry 4.0 From The Management Information Systems Perspectives
2. Methods
Computer systems and networking technologies change rapidly, which makes
Information and Communication Technologies (ICT) one of the fastest-developing
sectors. ICT is closely tied to critical information systems in different
industrial sectors. SCADA has therefore become more important in many application
areas (particularly in the energy sector), and its use is required by the national
energy market regulatory organizations. SCADA has a subgroup of Industrial Control
Systems (ICS) and another subgroup of Distributed Control Systems (DCS) in
geographically distributed locations. ICSs can be used in different industries
(electric, water, oil, gas, etc.). DCSs are supervisory and regulatory control
systems, generally used to control production systems within a factory.
2.1. General SCADA Architecture
The SCADA concept was first introduced in the mid-20th century, when production
floors and industrial facilities relied on personnel to manually control and
monitor remote sites, pushing alert buttons and making urgent analogue calls to
the people in charge. The term "SCADA" emerged in the early 1970s, and for
decades the rise of microprocessors and PLCs has increased the ability to monitor
and control the automation processes of enterprises more than ever. The latest
developments in technology have enabled automated SCADA systems tailored to the
company, with maximum efficiency at low cost. SCADA auditing and data collection
systems run behind the scenes in almost every plant or any workplace that sets up
a network (Hayden, 2014).
Advancements in intelligent instrumentation and Remote Terminal Units
(RTUs)/PLCs have made process-control solutions easy to manage and operate
through a SCADA system. SCADA is an industrial computer-based control system
employed to gather and analyze real-time data in order to track, monitor and
control industrial equipment in different types of industries. A PLC is an
automation device used to control processes such as machines or production
departments in factories. Unlike normal computers, a PLC has many inputs and
outputs (I/O). PLCs play a big role in producing more and better-quality products
in a short time and with very low error rates. The general architecture of a
SCADA system is given in Figure 1.
• Multiple master stations should be able to talk at the same time through
separate communication channels.
• It should support the RS-232 and RS-485 physical communication layers and
copper and fiber-optic physical media, and be able to communicate using
multiple protocols.
• It must be easy to expand, configure and maintain.
• It should be able to carry out its own tests, and should be structured so
that faults that occur alert both itself and the SCADA center.
• Redundancy is the most important aspect of keeping production running. The
hardware structure must allow a faulty module to be replaced without cutting
the power.
2.2. ORC SCADA Architecture in Use
The Organic Rankine Cycle (ORC) is currently used in geothermal energy utilities
to generate electrical power (Ozden & Paul, 2011). Operators control energy
generation in ORC using HMIs. A typical ORC site has more than 1000 sensors.
These sensors collect data from all production and re-injection wells, brine
transfer pumps, pentane levels, the volume tank, turbines, the generator and
much other equipment working in a utility. Operators manage all of it with HMIs
in the SCADA UI. The ORC system is shown in Figure 3 (Singh, 2009).
network. It must install NGAV (next-generation anti-virus) and zero-day malware
detection software on industrial PCs (HMIs) to protect against any infection
risk. OS updates are also mandatory to fix vulnerabilities in the OS. These
systems must warn operators and IT admins by e-mail or intranet messaging with
warning and error messages (Kobara, 2016).
Giving every IoT device its own Internet connectivity, such as 6LoWPAN, going
directly to a server is not an efficient choice for security (Hui, Culler,
Chakrabarti, 2009). In our case, we applied a SaaS cloud computing service that
automatically provides load balancing, Dynamic DNS, VPN and hash mechanism
features. These settings enable both an instant data stream and an anonymous
connection to IoT devices. The cloud server provider may take over automatic IP
distribution through a PPPoE (Point-to-Point Protocol over Ethernet) server in
the cloud, and a VPN connection with the cloud can be established. While PPPoE
allocates IPs by authentication, the VPN additionally enforces multi-factor
authentication and confidentiality when communicating with IoT devices
(Condry et al., 2016).
In many cases, the first step in a cyber-attack is target discovery, which
remotely observes the profiles and configurations of destinations, as well as
internal information such as operators and operational roles. Port and
vulnerability scanners have long been popular for searching the Internet for open
ports, services and security vulnerabilities, but other approaches using
dedicated search engines such as (SHODAN, 2017) have become a serious concern,
because they can easily list weaker and more vulnerable targets. IP addresses and
port numbers can be searched, and if the targets do not have publicly disclosed
vulnerabilities, further security vulnerabilities are examined.
Some modern ICS devices or services provide Web interfaces that can be vulnerable
to SQL / OS command injection or cross-site exploits such as cross-site scripting
and cross-site request forgery. They may also have inappropriate remote access
control mechanisms, such as default IDs and passwords for authentication and
access control schemes. There may also be additional bypass mechanisms, written
in manually, to cope with the loss of passwords. Another security measure against
Internet discovery is to put devices and servers behind a firewall. ICS / SCADA
honeypots are useful for understanding discovery activities. They imitate the
behavior of common industrial control protocols and monitor activities related to
them. These honeypots can be created using CONPOT. For Telnet-enabled devices
there is IoTPOT; Telnet is common in some IoT devices (Pa et al. 2015; Kobara,
2016).
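An added example, not part of the original chapter: one way to turn honeypot
connection records into a discovery alert is to flag sources that touch several
distinct ICS service ports within a short window. The log format, addresses,
thresholds and function name are constructed for illustration and are not
CONPOT's own output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ICS service ports that a honeypot may expose.
ICS_PORTS = {102: "S7comm", 502: "Modbus", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet"}

# Constructed honeypot log: timestamp, source IP, destination port.
LOG = """\
2017-04-11T08:00:01 198.51.100.23 502
2017-04-11T08:00:40 198.51.100.23 102
2017-04-11T08:01:55 198.51.100.23 44818
2017-04-11T08:00:10 203.0.113.8 502
2017-04-11T08:02:10 203.0.113.8 502
2017-04-11T08:03:00 203.0.113.8 22
2017-04-11T08:00:00 192.0.2.50 502
2017-04-11T08:30:00 192.0.2.50 102
2017-04-11T09:10:00 192.0.2.50 20000
"""

def discovery_sources(log, min_ports=3, window=timedelta(minutes=5)):
    """Return {source: protocols} for sources probing >= min_ports ICS ports in window."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, port = line.split()
        if int(port) in ICS_PORTS:          # ignore non-ICS services
            events[src].append((datetime.fromisoformat(ts), int(port)))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ICS_PORTS[p] for p in ports)
                break
    return flagged

if __name__ == "__main__":
    print(discovery_sources(LOG))
```

A source that repeats one protocol, or spreads its probes over hours, stays
below the default threshold; widening the window trades noise for coverage of
slow discovery.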
The risk factors of any infrastructure should be identified under the
organization's risk management framework, and short-, medium- and long-term
security measures should be planned. These measures can be examined by analyzing
universal rules, cyber resources, preliminary risk analysis, threat and
preparation levels, and cyber threat tools (Stouffer, Pillitteri, Abrams and
Hahn, 2015).
3. Findings
Any breakdown in the power generation plant requires quick intervention. The
SCADA system we worked with in the plant uses SaaS in Cloud Computing. Security
and management information can be displayed in accordance with the user's
requests. Thousands of sensors connected to the ICS and DCS infrastructure ensure
real-time data simulations within the system. A large amount of data can also be
collected from RTUs. In the selection of SCADA systems for the energy sector,
including more than one plant, the management capability includes several
operating zones together with maintenance, cost and separate installation
criteria. An important criterion in system administration is that SCADA
applications should also be compatible with external applications in the company
and support the Turkish language. Thus, hidden additional costs that would arise
after installation are reduced in advance (Moness, 2016).
Current technologies will have security weaknesses unless they are constantly
updated. To protect against these security weaknesses, it is necessary to educate
employees. In some production sites, unfortunately, SCADA has not been set up
and no automation has been considered (U.S. General Accounting Office, 2011).
An industrial control system is an indispensable capability in the management of
plants. The Turkish Electricity Transmission Company (TEIAS) continuously
communicates with the RTU to read the instantaneous 154 kV output values in the
plant and measure power quality. In order to read the output quality, TUBITAK
(Scientific and Technological Research Council of Turkey) also receives all data
from its servers via the NTP protocol discussed by Alcaraz and Zeadally (2013).
The Internet connection used for this remote access should be symmetric. The DoS
prevention system at the Internet service provider must definitely be activated,
so that the speed of the symmetric connection always stays constant. A layer-7
(OSI application layer) firewall should be installed to read SCADA packets
between the HMI and sensors. All VLANs should be separated from each other and
careful switching rules should be defined on the firewall. Hazardous packets
should be blocked by enabling IPS / IDS. All user devices must be easily
identifiable with the help of an Active Directory server installed internally. It
may be necessary to apply Group Policy settings to restrict the people who will
use SCADA. Using MFA is a good security measure if the system is going to be
accessed from outside over VPN. The human factor in SCADA systems must not be
forgotten. Operators may have inappropriate security clearances or abuse the
system. For this reason, training and supervision are very important.
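An added example, not part of the original chapter: what a layer-7 firewall
does when it "reads SCADA packets" is parse the application header and apply a
per-source policy to the requested operation. The sketch assumes the
HMI-to-sensor traffic is Modbus/TCP, which the chapter does not specify; the
addresses, policy table and function names are hypothetical.

```python
import struct

# Assumption: HMI-to-sensor traffic is Modbus/TCP; the chapter names no protocol.
READ_CODES = {1, 2, 3, 4}       # read coils, discrete inputs, holding/input registers
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils and registers
# Hypothetical policy (constructed addresses): source IP -> permitted function codes.
POLICY = {
    "10.10.1.5": READ_CODES | WRITE_CODES,  # operator HMI
    "10.10.1.9": READ_CODES,                # historian, monitoring only
}

def frame(tid, unit, pdu):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def inspect(src_ip, payload):
    """Return (verdict, reason) for one request seen at the firewall."""
    if src_ip not in POLICY:
        return "DROP", "source not in policy"
    if len(payload) < 8:
        return "DROP", "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        return "DROP", "protocol id is not Modbus"
    if length != len(payload) - 6 or length > 254:
        return "DROP", "length field mismatch"
    func = payload[7]
    if func not in POLICY[src_ip]:
        return "DROP", f"function code {func} not permitted"
    if func in READ_CODES:
        if length != 6:  # unit id + function code + address + quantity
            return "DROP", "malformed read request"
        _addr, qty = struct.unpack(">HH", payload[8:12])
        if not 1 <= qty <= (2000 if func in (1, 2) else 125):
            return "DROP", "quantity out of range"
    return "ALLOW", f"function code {func}"

# Constructed sample requests.
READ_REGS = frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))
WRITE_REG = frame(2, 1, bytes([6]) + struct.pack(">HH", 1, 500))
BAD_QTY = frame(3, 1, bytes([3]) + struct.pack(">HH", 0, 500))

if __name__ == "__main__":
    for src, pkt in [("10.10.1.9", READ_REGS), ("10.10.1.9", WRITE_REG),
                     ("10.10.1.5", WRITE_REG), ("10.10.1.9", BAD_QTY),
                     ("192.0.2.7", READ_REGS), ("10.10.1.5", READ_REGS + b"\x00")]:
        print(src, inspect(src, pkt))
```

A port-based rule would pass every one of these frames; only the parsed
function code and length fields distinguish a monitoring read from a write or
a malformed request.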
The authors state that faults in the system should be examined in two main
categories, internal and external. These faults bring production systems to a
definite standstill. Therefore, the system must have a redundant structure
(Alcaraz and Zeadally, 2013).
Hui J., Culler D., Chakrabarti S., (January 2009). 6LoWPAN: Incorporating IEEE 802.15.4
into the IP architecture. Internet Protocol for Smart Objects (IPSO) Alliance.
ISACA Journal, Volume 1, (2014), “SCADA Cybersecurity Framework”, Accessed 1 May
2017. Retrieved from http://www.isacajournal-digital.org/isacajournal/2014_volume_1?pg=20#pg2
Kobara K., (April 2016). Cyber Physical Security for Industrial Control Systems and IoT.
IEICE Trans. Inf. & Syst., Vol. E99–D, NO.4.
Knapp E., Broad J., (2011) Industrial Network Security (Book). ELSEVIER.
K. Lin et al., Human localization based on inertial sensors and fingerprint in industrial
internet of things, Computer Networks (2015), Accessed 9 May 2017. Retrieved from
http://dx.doi.org/10.1016/j.comnet.2015.11.012
Lojka, T., Bundzel, M., Zolotová, I. (2016). Service-oriented Architecture and Cloud
Manufacturing. ACTA Polytechnica Hungarica Vol. 13, No. 6.
Moness M., Moustafa M., (2016). A Survey of Cyber-Physical Advances and Challenges of
Wind Energy Conversion Systems: Prospects for Internet of Energy. IEEE Internet of Things
Journal, Vol. 3, No. 2.
Ozden H., Paul D., (2011). Organik Rankin Çevrim Teknolojisiyle Düşük Sıcaklıktaki
Kaynaktan Faydalanılarak Elektrik Üretimi. Örnek Çalışma: Sarayköy Jeotermal Santrali.
X. Ulusal Tesisat Muhendisligi Kongresi, 13-16 April 2011 IZMIR.
Pa Y.M.P., Suzuki S., Yoshioka K., and Matsumoto T., IoTPOT: Analysing the Rise of IoT
Compromises. 9TH USENIX Workshop on Offensive Technologies (WOOT 15), August.
2015, WASHINGTON, DC.
PI. (2015). PROFINET – The Solution Platform for Process Automation. PI White Papers.
Singh Sh. A., (2009). Organic Rankine Cycle Power Plant for Renewable Energy Resources,
Maulana Azad National Institute of Technology Bhopal, India, 462051
SHODAN, (2017). Search Engine, Accessed 11 April 2017. Retrieved from
https://www.shodan.io/
Stouffer K., Pillitteri V., Abrams M., Hahn A., (May 2015). Guide to Industrial Control
Systems (ICS) Security. NIST Special Publication, 800-82.
Official Gazette of Turkey, (2012). REGULATION ON SERVICE QUALITY IN
ELECTRICITY DISTRIBUTION AND RETAIL SALE Date and Number: 21/12/2012 – 28504
43th article, Energy Market Regulatory Authority of Turkey.
U.S. Government Accountability Office, (2011). Critical Infrastructure Protection. United
States Government Accountability Office report to Congressional Requesters, GAO-12-92,
WASHINGTON, DC.