GE Renewable Energy
Technical Documentation
Wind Turbine Generator Systems
All Turbine Types - Onshore
Technical Description
WindSCADA Compact and WindSCADA
Secure Edition 2.1
imagination at work
© 2022 General Electric Company. All rights reserved.
- Original Document -
GE Renewable Energy
Visit us at
www.gerenewableenergy.com
All technical data is subject to change in line with ongoing technical development!
All documents are copyrighted within the meaning of the Copyright Act. We reserve all rights for the exercise of
commercial patent rights.
This document is public. GE and the GE Monogram are trademarks and service marks of
General Electric Company.
Other company or product names mentioned in this document may be trademarks or registered trademarks of
their respective companies.
WindSCADA_Secure Edition_2.1_WIND Kxxx CFA01 _ EDB001_EN_Doc-0089060_r01.
Table of Contents
Document Revision Table
Abbreviation List
1 Introduction
2 WindSCADA System Offerings for New Windfarms
2.1 WindSCADA Secure Edition 2.1
2.2 WindSCADA Compact
2.3 More than 200 WTGs
2.4 Summary of System Functions
3 Network Topology Description
3.1 Overview
4 Environmental Requirements
4.1 WindSCADA Secure Edition 2.1
4.2 WindSCADA Compact
5 Cybersecurity Features
5.1 Anti-Malware Endpoint Protection
5.2 Segmented Network
5.3 SCADA Firewall
5.4 Wind farm Firewall (Optional)
5.5 Switch Hardening
5.6 Turbine Secure Mode
5.7 Access Control System - Microsoft® Active Directory®
5.8 Domain Controller
5.9 Backup Domain Controller
5.10 Certificate Authority
5.11 Security Information and Event Management (SIEM)
5.12 Backup and Recovery
5.13 Regulatory and Standards alignment
5.14 WindSCADA Services
6 Wind Plant Fiber Optic Network
6.1 Customer Scope
6.2 Customer’s Fiber Optic Contractor Scope
6.3 GE Scope
6.4 Single Mode Fiber Optic Cable Specification
6.5 Wind Farm Cable Distance Design Requirements
6.6 Windfarm Network Fiber Loops
6.7 Windfarm Network standard IP Scheme for WindSCADA Secure Edition 2.1
7 System Interfaces
7.1 Local System Interface Support
7.2 Modbus TCP/IP Client Interfaces to Customer Supplied Met Mast Dataloggers
7.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation
7.4 Customer Integrated IO
8 WindSCADA Remote System Integration (RSI)
8.1 ODBC Connection
8.2 OPC Connections
8.3 Data licensing
8.4 RSI Technical Specifications
8.5 OPC Tags for Basic Monitoring
Abbreviation List
AAA Authentication, Authorization and Accounting
AO Analog Output
CA Certificate Authority
DC Domain Controller
DO Digital Output
IO Input / Output
PC Personal Computer
VM Virtual Machine
1 Introduction
The GE Renewable Energy wind plant Supervisory Control and Data Acquisition (WindSCADA) system is a
supervisory control and operational data management system for a wind plant (wind farm) consisting of GE
wind turbines. WindSCADA is a fully integrated and easy-to-use system that improves productivity and
profitability of a wind plant. The solution integrates high reliability, superior data integrity, open system access,
and advanced data management into a single platform. This system also includes fully integrated, web-based
operator screens that are powerful and flexible. In addition, a web-based wind plant level reporting system
allows operators, owners, and other stakeholders to monitor and analyze historical wind plant operation and
performance. This all-encompassing tool set can support a wind plant which consists of up to 200 wind turbine
generators (WTG), depending upon the system configuration.
WindSCADA features a full range of unified and integrated modules to meet individual wind plant site
requirements. These functions allow information to be shared between wind plant assets and enterprise
applications, helping organizations improve operational efficiencies. Unified modules are focused on specific
applications such as real time data collection, historical data collection, archiving, alarm management, and
enterprise interfaces. These can be implemented individually or as part of an overall solution. The open
architecture of the GE Renewable Energy WindSCADA system allows wind plant operators to start with a basic
monitoring, control and reporting system, while maintaining the ability to expand to meet the evolving
requirements of wind plant operations.
The WindSCADA system offerings are available in flexible packages based on wind farm needs. The most
advanced GE WindSCADA system, WindSCADA Secure Edition 2.1, provides significant cybersecurity
capabilities to elevate the security level of a windfarm. These capabilities align to international cybersecurity
standards including ISA/IEC 62443 and NERC CIP.
The system provides several preconfigured database scripts and jobs to facilitate ODBC (open database
connectivity) interactions with the historical data. The WindSCADA Secure Edition 2.1 supports up to 200
WTGs.
The system provides the same features and functionality as WindSCADA Secure Edition 2.1 with the following
restrictions and limitations:
The WindSCADA Compact enclosure includes a network switch for network connectivity. The optional product
components that can be installed within the enclosure while maintaining certification compliance are:
1. GE managed WAN (wide area network) router for remote monitoring service
2. Extra industrial PC for e.g. meteorological mast or substation interface
3. CMS (Condition Monitoring System) server instance as virtual appliance
4. Compact server for security package
5. GPS time server
Any additional devices would require re-evaluating certification compliance.
The primary HMI at the turbine level is implemented through a web-based interface. WindSCADA also provides
a web-based HMI for supervisory control at the wind farm level and for remote access. The system supports
connectivity to GE meteorological mast (metmast) interfaces, but no additional devices (e.g. dataloggers) can
be installed in the WindSCADA Compact enclosure due to space limitations.
Cybersecurity features are available through an optional cybersecurity package. Please refer to Section 5 for
additional details on options.
1 GPS Time Server can be removed from the BoM. If removed then Customer must provide time synchronization option.
2 For SMS notification it requires customer to provide an approved CDMA or GSM cellular modem.
3 For mail notification it requires customer to provide necessary infrastructure (e.g. Mail Gateway).
4 Can be quoted separately as requested
5 Requires managed switches
The schematics below portray the most advanced WindSCADA system offering: WindSCADA Secure Edition 2.1.
The network topology connects the WindSCADA, WindCONTROL, and turbines on the wind farm network
utilizing the Purdue Model or IEC 62443 zones and conduits approach to segment the network:
Figure 1: Wind Farm Network System Topology for WindSCADA Secure Edition 2.1 demonstrating segmentation
NOTICE
Not all components or systems are included in a standard project.
Figure 3 shows the network topology for WindSCADA Compact, which is the SCADA solution intended for
windfarms with 20 or fewer turbines.
Wind Plant Local Area Network (SCADA LAN) is an Ethernet fiber optic-based system that
connects all GE WTGs within the wind plant to the WindSCADA rack. The LAN also connects
optional components such as the WindCONTROL plant-level control system, Substation Interface
Device and other approved/validated customer-supplied devices which interface with the
WindSCADA system.
WindSCADA real-time system is the collection of services and applications which gather data from
the WTGs and auxiliary systems (WindCONTROL, substation, metmasts) and present them in real-
time to the client interfaces. It resides primarily on the servers in the SCADA rack but includes
applications running on the substation and metmast interface devices.
The WindSCADA historical system includes a relational database of plant operational data, which
collects the historical (10-minute, alarms and events, commands) records from the WTG controllers
and auxiliary systems. Additionally, the historical system includes the reporting service for
querying and running reports on this data.
4 Environmental Requirements
4.1 WindSCADA Secure Edition 2.1
For WindSCADA Secure Edition 2.1, the SCADA server rack is typically located in the substation control room or
in an adjacent O&M building. The equipment must be in an environmentally controlled location (operating
temperature +20°C +/-25%, protected against rain, dust, moisture, etc.). Cable entry can be routed from either
the top or bottom of the rack for network connectivity and power. The rack weight is approximately 500 kg and
it is 1.85 m tall. For width and depth see pictures further below.
• One circuit of 230 VAC (L-N), 15 A (standard for GE turbine auxiliary power supply)
Maximum footprint dimensions and clearances to allow for access and the operation of the cabinet doors:
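[Figure: rack footprint and clearance drawing. Labelled dimensions: 1.2 m, 0.6 m, 0.625 m; clearances ≥ 1 m; door opening angles ≥120° and ≤120°.]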
5 Cybersecurity Features
WindSCADA Secure Edition 2.1 provides a comprehensive cybersecurity solution. An in-depth approach to
cyber solutions is integrated into the wind farm's industrial control system via:
As part of the Wind Farm Health Management (WFHM) subscription service, antivirus threat signatures are
validated in a secure simulated SCADA environment prior to being available to customers for auto-update
through the GE update-server. Threat signature validation is currently only available for McAfee. GE regularly
verifies that the updates occurred successfully as part of the Wind Farm Health Management Program.
Wind Farm and SCADA dataflows are segmented based on the following functions:
• Infrastructure Management
• Windfarm Operations
• Industrial DMZ
• Physical Separation for IT Networks
• Services and Farm Level Function
The WindSCADA Secure Edition 2.1 utilizes a default private IP scheme. Modifications to the default IP scheme
will require GE to provide a custom engineered solution. See Section 6.7 for further details on the default IP
scheme.
The firewall is pre-configured to support the operations of the wind farm. The customer is responsible for making
additional configurations on the firewall to enable external access, such as customer network and/or
third party access.
This platform domain provides a role-based access control system to manage access to resources and
applications based on the identity and privileges assigned to the user by the administrator. This role-based
concept grants users minimum rights and privileges to perform their role. Limiting the privileges to the
minimum required reduces user impact on the system. Proper assignment of user privileges limits the ability of
a user to cause harm to a system through either malicious intent or inadvertent action (e.g. inadvertently
triggered malware).
Human-machine Interfaces (HMIs) and other computers are also registered within the directory service. Policy
servers enforce access controls across users and computers in the domain. Additionally, access to network
devices is managed using the AAA model (Authentication, Authorization and Accounting).
The access management system is redundant between the primary directory server and the backup directory
server. An audit trail is created for access to the system and is available through the Security Information and
Event Management (SIEM) application.
Non-domain based elements (such as network switches) access Active Directory® user authentication rights
through RADIUS servers running on the Domain Controllers. The RADIUS servers allow non-domain based
elements to leverage security permissions assigned to domain users to either allow or disallow access to
the device.
The combination of Active Directory, Domain Controller and Certificate Authority provides key identity
management capabilities that are at the heart of securing access to the turbine controllers, the network
switches and WindSCADA.
The Splunk® application receives and collates events received from various sources, including:
The Splunk® application also records events sent from the sources listed above. Examples of data in the
database include:
Security features as shown in Section 2.4 align to NERC CIP and IEC 62443 as shown below:

| Security feature | NERC CIP | IEC 62443 |
|---|---|---|
| Network Segmentation | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection |
| Windfarm Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.2 customer zone boundary protection |
| Anti-Malware | CIP-007 R3 - Malicious Code Prevention | IEC 62443-3-3 SR 3.2 Malicious Code Protection |
| Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| SCADA Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection |
| Backup and Recovery | CIP-009 R1 - Recovery Plans | IEC 62443-3-3 SR 7.3 Control system backup |
| Password Policy Enforcement | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Switch Hardening* | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 7.7 Least functionality |
| Turbine "Secure Mode" feature | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 3.1 Communication Integrity |
| Backup Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Active Directory | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Certificate Authority | | IEC 62443-3-3 FR1 Identification and authentication control |
| Log File Management | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.3 Security Functionality Verification |
| Security Information Event Manager (SIEM) | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.2 RE2 Central management and reporting for malicious code protection, SR 6.1 Audit log accessibility, SR 6.2 Continuous monitoring, SR 2.8 Auditable events |

*Note: As shown in Section 3.4, some features are not included in all WindSCADA systems.
The GE standard wind plant fiber optic design utilizes single mode 9/125 fiber cable. Any deviation from the
fiber optic specification in this section is considered a deviation from the standard and must be agreed upon
with GE.
The Send and Receive fibers must be crossed once per connection to a fiber optic switch to ensure
upstream and downstream communication.
Met mast fiber optics switch and cable from met mast to SCADA server.
6.3 GE Scope
GE utilizes single-mode fiber within the ring architecture for the windfarm LAN by default.
Provide the fiber optic switches for the GE wind farm network, patch panels and patch cables for
every turbine controller, and in the WindSCADA rack and WindCONTROL cabinet.
Provide the fiber optic cable inserts that are pre-installed inside the patch panels.
If the Site Fiber Optic Network Design option is selected, GE performs the fiber optic network loop
design and provides the fiber optic communication drawings. These drawings must show the path
of the fiber optic connections throughout the wind farm, the connections to turbine patch panels
and connections to network switches based on the customer supplied wind farm collection
system drawing. The collection system drawing must be provided to GE 70 days prior to the start
of commissioning. The Site Fiber Optic Network Design option does not include fiber laying,
splicing, terminating or patching.
Every loop must have a dedicated fiber optic cable backbone and a dedicated fiber optic switch. No more than
one fiber optic loop can be accommodated within a single fiber optic backbone. Splitters must not be utilized on
a fiber optic backbone to create multiple loops.
6.7 Windfarm Network standard IP Scheme for WindSCADA Secure Edition 2.1
The WindSCADA Secure Edition 2.1 utilizes a default private IP scheme, 10.16.X.X, incrementing the 2nd octet
by 1 for each turbine loop. Modifications to the default IP scheme will require GE to provide a custom
engineered solution.
7 System Interfaces
7.1 Local System Interface Support
The standard WindSCADA platform includes Local System Interfaces (LSI) for integration of auxiliary
on-premise data-generating devices. Detailed specifications for these interfaces are shown in the table below.
More information is provided in the following sections.
Table: Local System Interfaces (LSI); columns: WindSCADA Compact, WindSCADA Secure Edition 2.1
The data from the met mast(s) is collected by the WindSCADA system for real-time operator displays. In
addition, the data is archived within the system database for historical reporting purposes.
Customer input is required in a comma-separated file format with the following information:
7.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation
Substation device interfaces can be supported as an option. GE presently supports interfaces to GE D20, GE
D25, SEL 2030, SEL 2032, SEL 3332, SEL 3551, and Orion 5R. Other devices are capable of support, dependent
upon system validation by GE.
GE scope includes the configuration of an interface of up to 200 data points and development of one
WindSCADA system user interface screen to display this data. Typically, up to ten control outputs (i.e. Open
Breaker) are supported. GE does not support Close Breaker controls due to the lack of Select-Check-Before
Operate functionality within the WindSCADA system.
Customer input is required in a comma-separated file format with the following information:
• Data Point Type (16 bit = Single and 32 bit = Double Word)
• Data Point Signed or Unsigned
• Data Point Multiplier or Scaling/Conversion Factor
• Data Point Normal Position or Active State of the Data Point
• Data Point Precision
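A pre-commissioning check for the customer-supplied data point file, added here as an example (it is not GE's code or file format): it enforces the 200-point and ten-control limits stated above, rejects Close Breaker controls, and scales raw Modbus registers by type, sign, multiplier and precision. The column names, the `control` column values and the high-word-first order for 32-bit points are assumptions.

```python
import csv
import io

MAX_POINTS = 200    # page: interface of up to 200 data points
MAX_CONTROLS = 10   # page: typically up to ten control outputs

# Constructed sample file. Column names and "control" values are assumptions.
SAMPLE_CSV = """\
name,address,type,signed,multiplier,precision,control
Bus_Voltage_kV,100,16,unsigned,0.01,2,
Active_Power_MW,101,32,signed,0.001,3,
Breaker_52A_Open,200,16,unsigned,1,0,open
Breaker_52A_Close,201,16,unsigned,1,0,close
"""


def load_points(text):
    """Parse the comma-separated data point list into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _control(point):
    """Normalised control action for a point, or '' for a read-only point."""
    return (point.get("control") or "").strip().lower()


def validate(points):
    """Return (point name, problem) findings; an empty list means the file passes."""
    findings = []
    if len(points) > MAX_POINTS:
        findings.append(("*", f"{len(points)} data points exceed the limit of {MAX_POINTS}"))
    controls = [p for p in points if _control(p)]
    if len(controls) > MAX_CONTROLS:
        findings.append(("*", f"{len(controls)} control outputs exceed the limit of {MAX_CONTROLS}"))
    for p in points:
        name = p.get("name") or "<unnamed>"
        if p.get("type") not in ("16", "32"):
            findings.append((name, "type must be 16 (single) or 32 (double word)"))
        if p.get("signed") not in ("signed", "unsigned"):
            findings.append((name, "signed column must be 'signed' or 'unsigned'"))
        try:
            float(p.get("multiplier"))
            int(p.get("precision"))
        except (TypeError, ValueError):
            findings.append((name, "multiplier and precision must be numeric"))
        if _control(p) == "close":
            # The page states Close Breaker is unsupported: no Select-Check-Before-Operate.
            findings.append((name, "Close Breaker control is not supported"))
    return findings


def decode(point, registers):
    """Convert raw 16-bit Modbus registers into the scaled engineering value."""
    width = int(point["type"])
    if len(registers) != width // 16:
        raise ValueError(f"expected {width // 16} register(s), got {len(registers)}")
    raw = 0
    for reg in registers:
        if not 0 <= reg <= 0xFFFF:
            raise ValueError("register value outside the 16-bit range")
        raw = (raw << 16) | reg          # assumption: high word is sent first
    if point["signed"] == "signed" and raw >= 1 << (width - 1):
        raw -= 1 << width                # two's complement to negative value
    return round(raw * float(point["multiplier"]), int(point["precision"]))


if __name__ == "__main__":
    pts = load_points(SAMPLE_CSV)
    for name, problem in validate(pts):
        print(f"REJECT {name}: {problem}")
    print("Active_Power_MW =", decode(pts[1], [0xFFFF, 0xFC18]))
```
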
Up to two sets of additional IOs are supported per turbine, one set down-tower and one set up-tower. A cabinet
needs to be provided and installed for every IO set. Each IO cabinet contains up to 16 non-standard IO points,
but each turbine only accommodates a maximum of 16 non-standard IOs.
Both digital and analog inputs and outputs are supported. Additionally, control commands that set an AO or a
DO are supported. The IO data is connected via Modbus TCP to the SCADA system. The IO data is not available
to the turbine controller.
Data access and use of certain classifications of data or data acquisition methods may be subject to additional
terms and conditions. Licensing and pricing are available upon request to support the following WindSCADA
features.
There are technical resource limitations for each WindSCADA platform as described in the “RSI Technical
Specifications” table below. Purchase of the OPC Server License option (OPC DA or OPC UA) includes access to
approximately 50 fixed tags for Basic Monitoring in section 8.5. Please contact your GE Sales Representative for
information on expanded data licensing.
1 GE recommends using an OPC tunneler when using OPC-DA
200,000 tags
5,000 tags.
max.
OPC DA or UA interfaces (Concurrent interfaces not supported, must choose 1):

| Parameter | WindSCADA Compact | WindSCADA Secure Edition 2.1 |
|---|---|---|
| Maximum number of clients for optimal performance | 3 | 3 |
| Maximum number of clients | 5 | 5 |
| Maximum number of turbines | 20 | 200 |
| Maximum number of OPC groups for optimal performance | 50 | 50 |
| Maximum number of OPC Items per OPC Group | 1,000 | 1,000 |
| Minimum update rate | 1 s | 1 s |

OPC Tags: Refer to Technical Description: WindSCADA System Real Time Data Packages for information on the
available data package options.