
GE Renewable Energy

Technical Documentation
Wind Turbine Generator Systems
All Turbine Types - Onshore

Technical Description
WindSCADA Compact and WindSCADA
Secure Edition 2.1

RDS-PP: WIND = Kxxx CFA01 & EDB001

Rev. 01 - Doc-0089060 - EN 2022-03-04

imagination at work
© 2022 General Electric Company. All rights reserved.

GE Renewable Energy
Visit us at
www.gerenewableenergy.com

All technical data is subject to change in line with ongoing technical development!

Copyright and patent rights

All documents are copyrighted within the meaning of the Copyright Act. We reserve all rights for the exercise of
commercial patent rights.

© 2022 General Electric Company. All rights reserved.

This document is public. GE and the GE Monogram are trademarks and service marks of
General Electric Company.

Other company or product names mentioned in this document may be trademarks or registered trademarks of
their respective companies.

WindSCADA_Secure Edition_2.1_WIND Kxxx CFA01 _ EDB001_EN_Doc-0089060_r01.
GE Renewable Energy Technical Description

Table of Contents
Document Revision Table ... 6
Abbreviation List ... 5
1 Introduction ... 7
2 WindSCADA System Offerings for New Windfarms ... 8
2.1 WindSCADA Secure Edition 2.1 ... 8
2.2 WindSCADA Compact ... 8
2.3 More than 200 WTGs ... 10
2.4 Summary of System Functions ... 10
3 Network Topology Description ... 11
3.1 Overview ... 11
4 Environmental Requirements ... 14
4.1 WindSCADA Secure Edition 2.1 ... 14
4.2 WindSCADA Compact ... 14
5 Cybersecurity Features ... 16
5.1 Anti-Malware Endpoint Protection ... 16
5.2 Segmented Network ... 17
5.3 SCADA Firewall ... 17
5.4 Wind farm Firewall (Optional) ... 17
5.5 Switch Hardening ... 18
5.6 Turbine Secure Mode ... 18
5.7 Access Control System - Microsoft® Active Directory® ... 18
5.8 Domain Controller ... 19
5.9 Backup Domain Controller ... 19
5.10 Certificate Authority ... 19
5.11 Security Information and Event Management (SIEM) ... 19
5.12 Backup and Recovery ... 20
5.13 Regulatory and Standards alignment ... 21
5.14 WindSCADA Services ... 21
6 Wind Plant Fiber Optic Network ... 22
6.1 Customer Scope ... 22
6.2 Customer’s Fiber Optic Contractor Scope ... 22
6.3 GE Scope ... 23
6.4 Single Mode Fiber Optic Cable Specification ... 23
6.5 Wind Farm Cable Distance Design Requirements ... 24
6.6 Windfarm Network Fiber Loops ... 24
6.7 Windfarm Network standard IP Scheme for WindSCADA Secure Edition 2.1 ... 24
7 System Interfaces ... 24
7.1 Local System Interface Support ... 24
7.2 Modbus TCP/IP Client Interfaces to Customer Supplied Met Mast Dataloggers ... 25
7.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation ... 25
7.4 Customer Integrated IO ... 26
8 WindSCADA Remote System Integration (RSI) ... 27
8.1 ODBC Connection ... 27
8.2 OPC Connections ... 27
8.3 Data licensing ... 27
8.4 RSI Technical Specifications ... 28
8.5 OPC Tags for Basic Monitoring ... 28

PUBLIC – May be distributed external to GE on an as need basis.


UNCONTROLLED when printed or transmitted electronically.
© 2022 General Electric Company and/or its affiliates. All rights reserved.

Document Revision Table


Rev. | Date (YYYY/MM/DD) | Affected Pages | Change Description
01   | 2022/03/04        | -              | Create new document, initial release


Abbreviation List
AAA Authentication, Authorization and Accounting

AO Analog Output

BDC Backup Domain Controller

CA Certificate Authority

CMS Condition Monitoring System

DC Domain Controls

DO Digital Output

GPS Global Positioning System

GPO Group Policy Objects

HMI Human Machine Interface

IDS Intrusion Detection System

IO Input / Output

LAN Local Area Network

LSI Local System Interfaces

ODBC Open Data Base Connectivity


OPC, OPC-DA, OPC-UA Open Platform Communications (formerly “OLE for Process Control”); DA (Data Access), UA (Unified Architecture)

O&M Operations and Maintenance

PC Personal Computer

PDH Plant Data Highway

PLC Programmable Logic Controller

RADIUS Remote Authentication Dial-In User Service

RSI Remote System Integration

RTU Remote Terminal Unit

SCADA Supervisory Control and Data Acquisition

SQL Structured Query Language

SSI Substation Interface

SSL Secure Sockets Layer

TCP/IP Transmission Control Protocol/Internet Protocol


UPS Uninterruptible Power Supply

UDH Unit Data Highway

UTM Unified Threat Management

VM Virtual Machine

WAN Wide Area Network

WTG Wind Turbine Generator


1 Introduction
The GE Renewable Energy wind plant Supervisory Control and Data Acquisition (WindSCADA) system is a
supervisory control and operational data management system for a wind plant (wind farm) consisting of GE
wind turbines. WindSCADA is a fully integrated and easy-to-use system that improves productivity and
profitability of a wind plant. The solution integrates high reliability, superior data integrity, open system access,
and advanced data management into a single platform. This system also includes fully integrated, web-based
operator screens that are powerful and flexible. In addition, a web-based wind plant level reporting system
allows operators, owners, and other stakeholders to monitor and analyze historical wind plant operation and
performance. This all-encompassing tool set can support a wind plant which consists of up to 200 wind turbine
generators (WTG), depending upon the system configuration.

WindSCADA features a full range of unified and integrated modules to meet individual wind plant site
requirements. These functions allow information to be shared between wind plant assets and enterprise
applications, helping organizations improve operational efficiencies. Unified modules are focused on specific
applications such as real time data collection, historical data collection, archiving, alarm management, and
enterprise interfaces. These can be implemented individually or as part of an overall solution. The open
architecture of the GE Renewable Energy WindSCADA system allows wind plant operators to start with a basic
monitoring, control and reporting system, while maintaining the ability to expand to meet the evolving
requirements of wind plant operations.

The WindSCADA system offerings are available in flexible packages based on wind farm needs. The most
advanced GE WindSCADA system, WindSCADA Secure Edition 2.1, provides significant cybersecurity
capabilities to elevate the security level of a windfarm. These capabilities align to international cybersecurity
standards including ISA/IEC 62443 and NERC CIP.


2 WindSCADA System Offerings for New Windfarms


GE WindSCADA is available in WindSCADA Secure Edition 2.1 or WindSCADA Compact to fit the needs of a new
windfarm installation:

2.1 WindSCADA Secure Edition 2.1


The WindSCADA Secure Edition 2.1 is the most robust GE WindSCADA platform available for all new windfarm
installations. Customers will have the benefits of a system with comprehensive plant-level and unit-level user
interface screens, advanced data manipulation and alarming functions, connectivity, and interoperability with
other systems, as well as an integrated relational database that enables comprehensive reporting on plant and
unit metrics. The system database stores three years of detailed ten-minute records.

The system provides several preconfigured database scripts and jobs to facilitate ODBC (open database
connectivity) interactions with the historical data. The WindSCADA Secure Edition 2.1 supports up to 200
WTGs.

The WindSCADA Secure Edition 2.1 includes the following items:

• Global Positioning System (GPS) Time Synchronization server with antenna
• UPS backup time up to 60 minutes
• System interface: one Modbus TCP/IP (Transmission Control Protocol/Internet Protocol) interface to a 3rd party system, such as a substation RTU (remote terminal unit); pre-qualification required by GE

The WindSCADA Secure Edition 2.1 is also the most security-enabled WindSCADA platform with a segmented
network architecture and cybersecurity features as described in Section 5.

2.2 WindSCADA Compact


WindSCADA Compact is specifically designed for small wind plants that do not have a substation or control
room for the full-size WindSCADA rack. The WindSCADA Compact hardware is installed inside a compact
enclosure that is mounted inside the WTG tower or small control room.

The system provides the same features and functionality as WindSCADA Secure Edition 2.1 with the following
restrictions and limitations:

• Limited to wind farms of 20 or fewer onshore wind turbines
• Only one fiber optic loop available
• UPS backup time of ten minutes
• Historical data is limited to 1 year of wind plant operational and alarm data records. No additional backup is provided. Customers should schedule periodic backups
• No network segmentation
• No CD or DVD writer for backup purposes. Customers can utilize standard portable USB devices (DVD, external hard drive, etc.) for backup
• Five simultaneous SiteWebHMI connection sessions are included; five additional SiteWebHMI connections can be added

The WindSCADA Compact enclosure includes a network switch for network connectivity. The optional product
components that can be installed within the enclosure while maintaining certification compliance are:

1. GE managed WAN (wide area network) router for remote monitoring service
2. Extra industrial PC for e.g. meteorological mast or substation interface
3. CMS (Condition Monitoring System) server instance as virtual appliance
4. Compact server for security package
5. GPS time server
Any additional devices would require re-evaluating certification compliance.

The primary HMI at the turbine level is implemented through a web-based interface. WindSCADA also provides
a web-based HMI for supervisory control at the wind farm level and for remote access. The system supports
connectivity to GE meteorological mast (metmast) interfaces, but no additional devices (e.g. dataloggers) can
be installed in the WindSCADA Compact enclosure due to space limitations.

Cybersecurity features are available through an optional cybersecurity package. Please refer to Section 5 for
additional details on options.


2.3 More than 200 WTGs


Wind Farms that have between 200 and 500 wind turbines require a custom engineered SCADA from GE to
provide a suitable system. GE provides detailed system configuration and specification as part of the custom
engineered solution.

2.4 Summary of System Functions


Function | WindSCADA Compact | WindSCADA Secure Edition 2.1

Main Functions
Number of Wind Turbines supported | 20 | 200
Web based HMI and Reporting for PC | Included | Included
Local Data Storage (10-min historical record) | 1-yr | 3-yr
UPS backup | 10 min | 60 min
GPS time synchronization system | Included (1) | Included
SCADA Park PC for user interface | Optional | Optional
SCADA Service laptop for user interface | Optional | Optional
Rack mounted keyboard and monitor | No | Included
Multi-language support (English, French, Spanish, German, and Chinese) | Included | Included
Remote Alarm Notification (2)(3) | Optional | Optional

Cybersecurity Functions
Network Segmentation | No | Yes
Windfarm Firewall | Recommended | Recommended
Anti-Malware (McAfee) | Yes | Yes
Backup Domain Controller | No | Yes
SCADA Firewall | No | Yes
Backup and Recovery | No | Yes
Password Policy Enforcement through Active Directory | | Yes
Switch Hardening (5) | | Yes
Turbine "Secure Mode" feature | Optional | Yes
Domain Controller Security | | Yes
Active Directory Package (4) | | Yes
Certificate Authority | | Yes
Log File Management | | Yes
Security Information Event Manager (SIEM) | No | Yes

(1) GPS Time Server can be removed from the BoM. If removed, the Customer must provide a time synchronization option.
(2) SMS notification requires the customer to provide an approved CDMA or GSM cellular modem.
(3) Mail notification requires the customer to provide the necessary infrastructure (e.g. Mail Gateway).
(4) Can be quoted separately as requested.
(5) Requires managed switches.


3 Network Topology Description


3.1 Overview
The GE Renewable Energy WindSCADA system is designed with a flexible architecture to support the broad
requirements of different applications and to address the various functions of wind plant monitoring, control,
visualization, and reporting. The system can expand to support the addition of incremental wind farm assets,
such as additional GE WTGs, the GE WindCONTROL wind park management system, meteorological
dataloggers, and substation/utility interfaces. Customer-supplied device interfaces require validation by GE.

The schematics below portray the most advanced WindSCADA system offering: WindSCADA Secure Edition 2.1.
The network topology connects the WindSCADA, WindCONTROL, and turbines on the wind farm network
utilizing the Purdue Model or IEC 62443 zones and conduits approach to segment the network:

Figure 1: Wind Farm Network System Topology for WindSCADA Secure Edition 2.1 demonstrating segmentation


Figure 2: WindSCADA Secure Edition 2.1 options and scope view

NOTICE
Not all components or systems are included in a standard project.


Figure 3 shows the network topology for WindSCADA Compact, the SCADA solution intended for windfarms with 20 or fewer turbines.

Figure 3: WindSCADA Compact System

The WindSCADA system consists of the following primary subsystems:

• Wind Plant Local Area Network (SCADA LAN) is an Ethernet fiber optic-based system that connects all GE WTGs within the wind plant to the WindSCADA rack. The LAN also connects optional components such as the WindCONTROL plant-level control system, Substation Interface Device and other approved/validated customer-supplied devices which interface with the WindSCADA system.
• WindSCADA real-time system is the collection of services and applications which gather data from the WTGs and auxiliary systems (WindCONTROL, substation, metmasts) and present them in real time to the client interfaces. It resides primarily on the servers in the SCADA rack but includes applications running on the substation and metmast interface devices.
• The WindSCADA historical system includes a relational database of plant operational data, which collects the historical (10-minute, alarms and events, commands) records from the WTG controllers and auxiliary systems. Additionally, the historical system includes the reporting service for querying and running reports on this data.


4 Environmental Requirements
4.1 WindSCADA Secure Edition 2.1
For WindSCADA Secure Edition 2.1, the SCADA server rack is typically located in the substation control room or
in an adjacent O&M building. The equipment must be in an environmentally controlled location (operating
temperature +20°C +/-25%, protected against rain, dust, moisture, etc.). Cable entry can be routed from either
the top or bottom of the rack for network connectivity and power. The rack weight is approximately 500 kg and
it is 1.85 m tall. For width and depth see the pictures further below.

Power requirements are typically:

• Power consumption: 1500 W

• Heat dissipation: 5465 BTU/h

GE recommends the following breakers:

• Europe and 50 Hz regions: one circuit 230 VAC (L-N) / 50 Hz / 16 A

• 60 Hz regions: one circuit of 120 VAC (L-N) / 60 Hz / 30 A / NEMA L5-30R Outlet

4.2 WindSCADA Compact


For the WindSCADA Compact configuration the SCADA hardware is designed to be installed inside a
WindSCADA Compact enclosure located within the WTG and/or substation. When deploying WindSCADA
Compact enclosure within the WTG, GE provides all power connections. Equipment supplied for this
deployment will be environmentally compatible with other control equipment. The Universal Cabinet which
houses WindSCADA Compact weighs about 300 kg and it is 2.1 m tall. For width and depth see pictures further
below.

Power requirements are typically:

• Power consumption (without heater and A/C unit): 910 W

• Power consumption of heater: 550 W

• Power consumption of A/C unit: 1334 W

• Heat dissipation: 4500 BTU/h

GE recommends the following breaker for 50 and 60 Hz regions:

• One circuit of 230 VAC (L-N), 15 A (standard for GE turbine auxiliary power supply)


Maximum footprint dimensions and clearances to allow for access and the operation of the cabinet doors:

[Figure: footprint drawings of the Compact cabinet and the SCADA rack (REAR/FRONT orientation marked). Dimensions shown: 1.2 m, 0.6 m and 0.625 m; clearances of ≥ 1 m on each access side; door swing ≥120° (Compact cabinet) and ≤120° (SCADA rack).]


5 Cybersecurity Features
WindSCADA Secure Edition 2.1 provides a comprehensive cybersecurity solution. An in-depth approach to
cyber solutions is integrated into the wind farm's industrial control system via:

• Anti-virus Endpoint Protection
• A segmented network architecture
• Firewalls at conduits that separate zones within the network
• A recommended, optional, Windfarm Firewall, with GE pre-configurations at the point of external data connection to enable secure windfarm connectivity for customers
• Hardening of the infrastructure equipment
• Secure and encrypted communication for management traffic and data replication
• Identity Management Services (Certificate Authority, Directory and Policy Services)
• Security Information and Event Management (SIEM)
• Industrial Protocol Inspection
• Integrated Backup and Recovery System
• Windfarm Health Management Services to provide long-term support in keeping pace with new vulnerability and security updates from 3rd party SW providers (optional)

5.1 Anti-Malware Endpoint Protection


WindSCADA Compact and Secure Edition 2.1 ship with McAfee™ as the standard unified End Point Protection
application, which provides antivirus and anti-malware protection. The system is continuously monitored
for viruses, spyware, rootkits, Trojans, and adware. When detected, offending files are blocked, and the data is
consolidated to the SIEM for logging and management. The system is initially provided with a 1-year license;
renewing it and keeping the End Point Protection capability current is the customer's responsibility.

As part of the Wind Farm Health Management (WFHM) subscription service, antivirus threat signatures are
validated in a secure simulated SCADA environment prior to being available to customers for auto-update
through the GE update-server. Threat signature validation is currently only available for McAfee. GE regularly
verifies that the updates occurred successfully as part of the Wind Farm Health Management Program.


5.2 Segmented Network


With the WindSCADA Secure Edition 2.1, the wind farm network is designed using a segmentation and zoning
strategy by grouping and separating assets at various secure points. This segmentation helps to prevent any
malicious actor or infection from accessing or moving from one segmented area to another.

Wind Farm and SCADA dataflows are segmented based on the following functions:

• Infrastructure Management
• Windfarm Operations
• Industrial DMZ
• Physical Separation for IT Networks
• Services and Farm Level Function

The WindSCADA Secure Edition 2.1 utilizes a default private IP scheme. Modifications to the default IP scheme
will require GE to provide a custom engineered solution. See Section 6.7 for further details on the default IP
scheme.

5.3 SCADA Firewall


To secure the communications in and out of the SCADA environment, a next generation firewall is deployed
on the wind farm for WindSCADA Secure Edition 2.1. The firewall is configured with a zero-trust model,
meaning that all traffic is denied from traversing the environment by default. Individual rules must be
configured using the 5-tuple model (source address, destination address, protocol, source port, destination
port). This security appliance sits in line at each conduit, inspecting and authorizing traffic across the SCADA
network. Both routed and transparent firewall deployments are used at these specific locations. Other
functions have been enabled on the firewall, such as reporting, security posture assessments and a one-arm
sniffer to inspect industrial protocols out of line (IDS).

The firewall is pre-configured to support the operations of the wind farm. The customer is responsible for
making any additional firewall configuration needed to enable external access, such as customer network
and/or third party access.
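The deny-by-default, 5-tuple rule behaviour described for the SCADA firewall, and the zone separation of Section 5.2 that it enforces, can be modelled in a few dozen lines. The following is an added illustration, not GE code and not the product's configuration: the zone addresses, rule names and service ports (Modbus TCP 502, OPC UA 4840) are constructed assumptions, and the real default IP scheme is the one in Section 6.7.

```python
"""Zero-trust 5-tuple conduit policy evaluator (added example, not GE code).

Every flow is matched against an explicit permit list keyed on the 5-tuple
(source address, destination address, protocol, source port, destination
port).  Anything that matches no rule is denied, which is the "deny by
default" posture the SCADA firewall description calls zero trust.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: str
    dport: int
    sport_min: int = 1024   # clients are expected to use ephemeral source ports
    sport_max: int = 65535

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and f.proto == self.proto
                and f.dport == self.dport
                and self.sport_min <= f.sport <= self.sport_max)


# Constructed example zones (assumption; not the product's default IP scheme).
SCADA_ZONE = "10.0.1.0/24"     # WindSCADA servers
TURBINE_ZONE = "10.0.2.0/24"   # WTG controllers
DMZ_ZONE = "10.0.3.0/24"       # industrial DMZ

# Permit list for the conduits between zones.  Note that turbines never get a
# rule that lets them initiate towards the SCADA zone, and the DMZ never talks
# to turbines directly: those paths simply fall through to the default deny.
RULES: List[Rule] = [
    Rule("scada-to-turbine-modbus", SCADA_ZONE, TURBINE_ZONE, "tcp", 502),
    Rule("scada-to-turbine-https", SCADA_ZONE, TURBINE_ZONE, "tcp", 443),
    Rule("dmz-to-scada-opc-ua", DMZ_ZONE, SCADA_ZONE, "tcp", 4840),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """First matching permit wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(flow):
            return ("permit", rule.name)
    return ("deny", None)


def denied_flows(flows: List[Flow], rules: List[Rule] = RULES) -> List[Flow]:
    """Flows the policy drops: the records a SIEM would want forwarded."""
    return [f for f in flows if evaluate(f, rules)[0] == "deny"]


# Constructed sample traffic, one flow per case worth checking.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.25", "tcp", 51000, 502),   # SCADA polls a turbine: permitted
    Flow("10.0.2.25", "10.0.1.10", "tcp", 40000, 502),   # turbine initiates to SCADA: denied
    Flow("10.0.3.5", "10.0.2.25", "tcp", 40001, 502),    # DMZ straight to a turbine: denied
    Flow("10.0.3.5", "10.0.1.10", "tcp", 40002, 4840),   # DMZ to SCADA OPC UA: permitted
    Flow("10.0.1.10", "10.0.2.25", "tcp", 80, 502),      # privileged source port: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
```

The rules are deliberately directional: a conduit that permits SCADA-to-turbine polling does not permit the reverse, so a compromised controller cannot reuse the same path to reach the servers. Adding "permit any" catch-all rules would silently defeat the model, which is why the customer-side changes the text mentions should also be written as specific 5-tuples.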

5.4 Wind farm Firewall (Optional)


External connectivity is required for remote management and data acquisition of the Wind Farm. It is therefore
imperative that this ingress point utilize a wind farm firewall. This firewall provides the customer with control
over the separation point between the Wind Farm network and any other third party (including GE). The
administration of this firewall is in the customer's scope of responsibilities. A standard firewall configuration
and policy is pre-installed on the device. The customer can choose to enable the pre-installed configuration or
create a customized configuration to meet their needs. To support remote site access for GE personnel, the
firewall configuration requirements can be found in the "Technical Description Wide Area Network Connectivity
Requirements" document.

PUBLIC – May be distributed external to GE on an as need basis.


UNCONTROLLED when printed or transmitted electronically.
© 2022 General Electric Company and/or its affiliates. All rights reserved.
WindSCADA_Secure Edition_2.1_WIND Kxxx CFA01 _ EDB001_EN_Doc-0089060_r01 17/28

5.5 Switch Hardening


Network switches within the SCADA environment are hardened to protect the network and wind farm from
unauthorized access and attacks. This configuration is accomplished using several techniques from limiting
access to host facing ports to authorizing devices attached to the network. Network status changes,
configuration updates and access to these devices are logged for auditing purposes and compliance.
Furthermore, the logical segmentation is augmented using specialized technology which prevents advanced
techniques for circumventing layer 2 boundaries.

5.6 Turbine Secure Mode


WindSCADA Secure Edition 2.1 provides identity management capabilities that enable the wind turbine
controllers to operate in a "Secure Mode". Turbine controllers in secure mode provide several important
cybersecurity benefits. For example, in secure mode unencrypted protocols such as telnet, FTP and other
nonessential ports are disabled or closed to and from the controller. Furthermore, access to the controller is
augmented using a public key infrastructure to verify the identity and role of an individual user. This feature
helps to ensure that users are segmented and using the least privilege model when administering the wind
turbines. Moreover, secure mode also activates an application whitelist to ensure only authorized programs can
run on the device.

5.7 Access Control System - Microsoft® Active Directory®


The WindSCADA Secure Edition 2.1 uses the Microsoft® Active Directory® infrastructure for access and account
management. Privileged access to network devices is managed using Remote Authentication Dial-In User
Service (RADIUS) authentication. Authorized administrators can add and delete users per site policy, as well as
perform role-based user assignments to groups. Domain password policy can be configured in the Active
Directory.

This platform domain provides a role-based access control system to manage access to resources and
applications based on the identity and privileges assigned to the user by the administrator. This role-based
concept grants users minimum rights and privileges to perform their role. Limiting the privileges to the
minimum required reduces user impact on the system. Proper assignment of user privileges limits the ability of
a user to cause harm to a system through either malicious intent or inadvertent action (e.g. inadvertently
triggered malware).

Role Based Concepts include:

 Each user has an individual identifiable account
 Each user account grants the rights and privileges needed to do the job (and no more)
 Users can have more than one account if they perform more than one role
 Event logs can trace actions back to the (unique, identifiable) user who initiated the action

Human-machine Interfaces (HMIs) and other computers are also registered within the directory service. Policy
servers enforce access controls across users and computers in the domain. Additionally, access to network
devices is managed using the AAA model (Authentication, Authorization and Accounting).

The access management system is redundant between the primary directory server and the backup directory
server. An audit trail is created for access to the system and is available through the Security Information and
Event Management (SIEM) application.

5.8 Domain Controller


The Domain Controller (DC) runs the Windows Server operating system and has Active Directory Domain
Services installed. Microsoft® Active Directory® is used to create a domain for all computers and users in the
system. Active Directory® holds the list of users, rights and privileges granted to each user, the Group Policy
Objects (GPOs), and the assignments of the GPOs. Active Directory® runs on the Domain Controllers, and its
database is queried by all computers in the domain.

Non-domain based elements (such as network switches) access Active Directory® user authentication rights
through RADIUS servers running on the Domain Controllers. The RADIUS servers allow non-domain based
elements to leverage security permissions assigned to domain users to either allow or disallow access to
device.

5.9 Backup Domain Controller


The Backup Domain Controller (BDC) provides customers with a degree of redundancy. If the primary domain
controller has an issue, the Backup Domain Controller will continue to provide user authentication services. To
accomplish this, the domain controllers replicate information between each other to keep them up-to-date.
When a domain controller is started, it attempts to contact an existing running domain controller to
resynchronize.

5.10 Certificate Authority


The Microsoft® Active Directory® Certificate Services is used as the Certificate Authority (CA). The CA issues
and revokes digital certificates between users and services operating in the context of the Domain. The
certificate authority issues digital certificates that certify the ownership of a public key by the named subject of
the certificate. The CA provides a trusted third party, trusted both by the owner of the certificate and the
consumer of the certificate, to have valid credentials. The CA enables encryption technologies such as SSL and
HTTPS.

The combination of Active Directory, Domain Controller and Certificate Authority provide key identity
management capabilities that are at the heart of securing access to the turbine controllers, the network
switches and WindSCADA.

5.11 Security Information and Event Management (SIEM)


The SIEM provides the Splunk® application that has a browser-based interface to security-related log and event
information. The Splunk® application presents this information in dashboards that users can review for further
analysis. Users can also extend the predefined queries through building custom queries and reports. Typically,
up to three years of data is available for review.

The Splunk® application receives and collates events received from various sources, including:

1. Microsoft Windows® Active Directory®
2. Microsoft Windows® Event Manager
3. Cisco® IOS® switches and routers
4. Fortinet® Unified Threat Management (UTM) and related devices
5. Devices that can generate Syslog Protocol RFC 5424
6. Mark VIe controller

The Splunk® application also records events sent from the sources listed above. Examples of data in the
database include:

 Account changes from Active Directory®
 Configuration changes reported by the Mark VIe controller
 Failed login attempts reported by Active Directory® and network switches
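The kind of collation the SIEM performs over the sources listed above, as an added example that is not GE's or Splunk's code: a minimal RFC 5424 parser fed with constructed log lines (an Active Directory failed logon forwarded as Windows event 4625, and Cisco IOS login failures from a loop switch), counting failures per source address across both sources. The message field layouts, host names and addresses are constructed; only the RFC 5424 header format, Windows event ID 4625 and the Cisco %SEC_LOGIN-4-LOGIN_FAILED mnemonic are real.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app: str
    msgid: str
    msg: str


def parse_syslog(line):
    """Parse one RFC 5424 line; returns None for lines that do not follow the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return SyslogEvent(pri // 8, pri % 8, m.group("timestamp"), m.group("hostname"),
                       m.group("app"), m.group("msgid"), m.group("msg") or "")


# Markers of a failed logon in two of the page's sources: a Windows security event (ID 4625,
# "An account failed to log on") and a Cisco IOS login failure. The fields after the marker are constructed.
FAILED_LOGIN_PATTERNS = [re.compile(r"\bEventID=4625\b"), re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED")]
USER_RE = re.compile(r"(?:TargetUserName=|\[user: )(?P<user>[^\]\s]+)")
SOURCE_RE = re.compile(r"(?:IpAddress=|\[Source: )(?P<src>\d+\.\d+\.\d+\.\d+)")


def failed_logins(lines):
    """Collate failed logons per source address across all sources.

    Returns (count per source, account names seen per source, number of unparseable lines)."""
    counts, users, unparsed = Counter(), defaultdict(set), 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_syslog(line)
        if event is None:
            unparsed += 1  # a SIEM keeps these in a raw index rather than silently dropping them
            continue
        if not any(p.search(event.msg) for p in FAILED_LOGIN_PATTERNS):
            continue
        src = SOURCE_RE.search(event.msg)
        key = src.group("src") if src else event.hostname  # fall back to the reporting host
        counts[key] += 1
        user = USER_RE.search(event.msg)
        if user:
            users[key].add(user.group("user"))
    return counts, users, unparsed


def alerts(lines, threshold=5):
    """Sources with at least `threshold` failed logons, with the accounts they tried."""
    counts, users, _ = failed_logins(lines)
    return [(src, n, sorted(users[src])) for src, n in counts.items() if n >= threshold]


# Constructed sample: one address fails against the domain controller, then against a loop switch.
SAMPLE_LOG = """\
<86>1 2022-03-04T10:00:01Z dc01 Microsoft-Windows-Security-Auditing 1234 4625 - EventID=4625 TargetUserName=svc_hmi IpAddress=10.16.1.20 Status=0xC000006D
<86>1 2022-03-04T10:00:03Z dc01 Microsoft-Windows-Security-Auditing 1234 4625 - EventID=4625 TargetUserName=svc_hmi IpAddress=10.16.1.20 Status=0xC000006D
<86>1 2022-03-04T10:00:05Z dc01 Microsoft-Windows-Security-Auditing 1234 4625 - EventID=4625 TargetUserName=svc_hmi IpAddress=10.16.1.20 Status=0xC000006D
<86>1 2022-03-04T10:00:09Z dc01 Microsoft-Windows-Security-Auditing 1234 4624 - EventID=4624 TargetUserName=operator1 IpAddress=10.16.0.15
<165>1 2022-03-04T10:01:00Z loop1-sw01 ios - - - %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.16.1.20] [localport: 22] [Reason: Login Authentication Failed]
<165>1 2022-03-04T10:01:02Z loop1-sw01 ios - - - %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.16.1.20] [localport: 22] [Reason: Login Authentication Failed]
not a syslog line at all
"""

if __name__ == "__main__":
    for src, n, names in alerts(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} failed logons against accounts {names}")
```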

5.12 Backup and Recovery


The WindSCADA Secure Edition 2.1 is provided with the Acronis® Backup & Recovery® application for the backup
and recovery of computers on the domain. The system is sized to include the security package and the number
of HMIs in the original site configuration. Additional capacity can be added to include other computers added to
the domain. The Acronis® Backup & Recovery® Management Console is used as a centralized backup
management point. It provides dashboard information on backup status, including errors or warnings related to
backup or recovery tasks. Each HMI under security management has an Acronis® Backup Agent installed to
report status to the console.


5.13 Regulatory and Standards alignment


Certain WindSCADA platforms align to industry accepted Industrial Automation and Control System
cybersecurity standards such as IEC 62443, NERC CIP, and NIST 800-82 to provide security for wind farms.

Security features, as shown in Section 2.4, align to NERC CIP and IEC 62443 as shown below:

Security Feature | NERC CIP alignment* | IEC 62443 alignment*
--- | --- | ---
Network Segmentation | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection
Windfarm Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.2 customer zone boundary protection
Anti-Malware | CIP-007 R3 - Malicious Code Prevention | IEC 62443-3-3 SR 3.2 Malicious Code Protection
Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control
SCADA Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection
Backup and Recovery | CIP-009 R1 - Recovery Plans | IEC 62443-3-3 SR 7.3 Control system backup
Password Policy Enforcement | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control
Switch Hardening* | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 7.7 Least functionality
Turbine "Secure Mode" feature | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 3.1 Communication Integrity
Backup Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control
Active Directory | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control
Certificate Authority | (none listed) | IEC 62443-3-3 FR1 Identification and authentication control
Log File Management | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.3 Security Functionality Verification
Security Information Event Manager (SIEM) | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.2 RE2 Central management and reporting for malicious code protection, SR 6.1 Audit log accessibility, SR 6.2 Continuous monitoring, SR 2.8 Auditable events

*Note: As shown in Section 3.4, some features are not included in all WindSCADA systems.

5.14 WindSCADA Services


To ensure the continued compliance and security posture of a wind farm, the WindSCADA systems should be
monitored for system health, maintained with the latest security patches, and verified for proper operation on a
regular basis. GE Renewable Energy has a suite of services provided in the Wind Farm Health Management
program to maintain the WindSCADA system. These can be purchased as an additional annual subscription.


6 Wind Plant Fiber Optic Network


The following defines GE requirements for the fiber optic cable within the wind plant network and details the
scope of work split between GE, the Customer, and the Customer’s fiber optic contractor. It is the customer’s
responsibility to ensure proper installation, termination, labeling, and testing of the fiber optic cable network.

The GE standard wind plant fiber optic design utilizes single mode 9/125 fiber cable. Any deviation from the
fiber optic specification in this section is considered a deviation from the standard and must be agreed upon
with GE.

6.1 Customer Scope


 Procure single mode fiber optic cable per the specification defined within this document.
 Lay out the fiber optic cable network according to the GE recommendation, with a minimum
service loop of 9 meters at the point where the cable termination is to take place (turbine,
meteorological interface, WindSCADA rack and WindCONTROL cabinet).
 Provide the communication drawings to GE showing the path of the fiber optic connections
throughout the wind farm, connections to turbine patch panels and connections to network
switches 60 days prior to commissioning start.

6.2 Customer’s Fiber Optic Contractor Scope


 Pull the fiber optic cable through the grommets placed at the bottom of the various enclosures.
 Provide the fan-out kit with a total of twelve pigtails for every twelve-strand cable end. Typically,
two cable ends are pulled inside the turbine controller (in/out), which requires two fan-out kits
with 24 pigtails (unless the turbine is at the end of the array). If met tower input arrives at a
turbine then three cables run into the unit and three fan out kits with 36 pigtails are required. If a
wind turbine generator is at a branch point within the fiber optic network, 36 pigtails are required
in a 3-Way. A maximum of four twelve-strand fiber optic cables is supported. The usage of four
way WTGs must be limited to not exceed one per site and must not follow or precede other
branch points within a fiber optic loop.
 Splice all the fiber optic strands using the fan-out kit of pigtails at the turbine controller, met
tower, substation, and O&M building.
 Connector type LC is universally used.
 Provide all the extra hardware that is not provided by GE (extra patch panels, inserts, fiber optic
connectors, etc.), if changes are made during project construction that are in variance from the
design provided to GE.
 Perform testing on all fiber optic terminations including splices by use of a qualified measurement
system at 1310 nm. Mark and inform the GE representative of any broken fibers.
 After the cable testing is complete, install all the fiber optic connectors at every turbine.
 Connect fiber strands within the fiber optic cable to the rear of wind farm equipment patch panels.
 Use patch cables provided with GE equipment to patch turbines, WindSCADA, WindCONTROL and
other wind farm equipment to the local network. Patch cables must be installed running from the
front of the patch panel to the fiber optic switch included with the wind farm equipment.

 The Send and Receive fibers must be crossed once per connection to a fiber optic switch to ensure
upstream and downstream communication.
 Met mast fiber optics switch and cable from met mast to SCADA server.

6.3 GE Scope
 GE utilizes single-mode fiber within the ring architecture for the windfarm LAN by default.
 Provide the fiber optic switches for the GE wind farm network, patch panels and patch cables for
every turbine controller, and in the WindSCADA rack and WindCONTROL cabinet.
 Provide the fiber optic cable inserts that are pre-installed inside the patch panels.
 If the Site Fiber Optic Network Design option is selected, GE performs the fiber optic network loop
design and provides the fiber optic communication drawings. These drawings must show the path
of the fiber optic connections throughout the wind farm, the connections to turbine patch panels
and connections to network switches based on the customer supplied wind farm collection
system drawing. The collection system drawing must be provided to GE 70 days prior to the start
of commissioning. The Site Fiber Optic Network Design option does not include fiber laying,
splicing, terminating or patching.

6.4 Single Mode Fiber Optic Cable Specification


 The cable must feature standard 9/125 single-mode fiber.
 The core tube must include twelve strands of fiber at a minimum. It must feature a high bandwidth
and must be designed for outside plant applications, underground duct or direct burial.
 Fiber optic cable that includes a steel core, which typically is used in overhead runs, cannot be
installed inside a WTG. Fiber optic cable used inside the WTG must not contain any metallic
materials due to the requirement for isolation of voltage transients.
 The fiber optic cable must at a minimum comply with the characteristics in the table below:

Fiber Optic Type: Single Mode
Fiber quantity: 12
Fiber diameter: 9/125 Microns
Maximum attenuation: 0.4 dB/km @ 1310 nm; 0.3 dB/km @ 1550 nm


6.5 Wind Farm Cable Distance Design Requirements


 Single mode E9/125μm fiber optic cables are used for distances up to 20 km (12.4 miles) between
the transmitter and the receiver. Special equipment is required, if the distance is greater than 20
km (12.4 miles) with no intermediate splices and is not included in the standard scope of supply.
 The customer is responsible for informing GE if the distances exceed 20 km (12.4 miles), so that
the appropriate hardware can be provided at an additional cost to the customer.

6.6 Windfarm Network Fiber Loops


The GE standard network switch configuration at the WindSCADA rack supports up to sixteen independent
fiber optic loops (loop-head switches) of up to 20 WTGs per loop. If there are more than sixteen loops (loop-
head switches), and/or more than 200 turbines total, a GE custom engineered solution is required, which may
include an additional cabinet or rack. WindSCADA Compact only supports one loop.

Every loop must have a dedicated fiber optic cable backbone and a dedicated fiber optic switch. No more than
one fiber optic loop can be accommodated within a single fiber optic backbone. Splitters must not be utilized on
a fiber optic backbone to create multiple loops.

6.7 Windfarm Network standard IP Scheme for WindSCADA Secure Edition 2.1
The WindSCADA Secure Edition 2.1 utilizes a default private IP scheme, 10.16.X.X, incrementing the 2nd octet
by 1 for each turbine loop. Modifications to the default IP scheme will require GE to provide a custom
engineered solution.
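The loop limits of Section 6.6 and the default scheme just described, as an added example that is not GE code: it derives each loop's network, maps an address back to its loop, and checks a proposed layout against the standard scope. It assumes loops are numbered from 1 and that each loop owns one /16 (10.16.0.0/16 for loop 1), which the page does not state.

```python
import ipaddress

# Limits of the GE standard switch configuration (section 6.6)
MAX_LOOPS = 16
MAX_WTG_PER_LOOP = 20
MAX_WTG_TOTAL = 200
# Default scheme (section 6.7): 10.16.X.X, second octet incremented by one per loop.
# Assumption (not stated on the page): loops are numbered from 1 and each loop owns one /16.
FIRST_LOOP_SECOND_OCTET = 16


def loop_network(loop_no):
    """Default /16 for a loop number: loop 1 -> 10.16.0.0/16, loop 16 -> 10.31.0.0/16."""
    if not 1 <= loop_no <= MAX_LOOPS:
        raise ValueError(f"loop {loop_no} outside the standard range 1..{MAX_LOOPS}")
    return ipaddress.ip_network(f"10.{FIRST_LOOP_SECOND_OCTET + loop_no - 1}.0.0/16")


def loop_for_address(addr):
    """Map an address back to its loop number, or None if it lies outside the default scheme."""
    ip = ipaddress.ip_address(addr)
    for loop_no in range(1, MAX_LOOPS + 1):
        if ip in loop_network(loop_no):
            return loop_no
    return None


def check_layout(wtgs_per_loop, platform="secure"):
    """Reasons a loop layout needs a custom engineered solution (empty list = standard scope).

    wtgs_per_loop: turbines on each loop, one entry per loop-head switch.
    platform: "secure" (WindSCADA Secure Edition 2.1) or "compact" (WindSCADA Compact, one loop only).
    """
    issues = []
    n_loops = len(wtgs_per_loop)
    if platform == "compact" and n_loops > 1:
        issues.append(f"WindSCADA Compact supports one loop, layout has {n_loops}")
    if n_loops > MAX_LOOPS:
        issues.append(f"{n_loops} loops exceeds {MAX_LOOPS} loop-head switches")
    for loop_no, count in enumerate(wtgs_per_loop, start=1):
        if count > MAX_WTG_PER_LOOP:
            issues.append(f"loop {loop_no} has {count} WTGs, exceeds {MAX_WTG_PER_LOOP} per loop")
    total = sum(wtgs_per_loop)
    if total > MAX_WTG_TOTAL:
        issues.append(f"{total} turbines total exceeds {MAX_WTG_TOTAL}")
    return issues


def address_plan(wtgs_per_loop, platform="secure"):
    """Assign each loop its default network; refuses layouts outside the standard scope."""
    issues = check_layout(wtgs_per_loop, platform)
    if issues:
        raise ValueError("; ".join(issues))
    return {loop_no: loop_network(loop_no) for loop_no in range(1, len(wtgs_per_loop) + 1)}


if __name__ == "__main__":
    for loop_no, net in address_plan([20, 20, 15]).items():
        print(f"loop {loop_no}: {net}")
```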

7 System Interfaces
7.1 Local System Interface Support
The standard WindSCADA platform includes Local System Interfaces (LSI) for integration of auxiliary on-
premise data generating devices. Detailed specifications for these interfaces are shown in the table below.
More information is provided in the following sections.

Local System Interfaces (LSI) | WindSCADA Compact | WindSCADA Secure Edition 2.1
--- | --- | ---
Auxiliary Devices (Met mast dataloggers, RTUs) | 2 Devices, 50 Data Points/Device | 12 Devices, 50 Data Points/Device
WindSCADA Met-Mast Interface (Modbus TCP) | Optional | Optional
WindSCADA Substation Interface (Modbus TCP) | Optional | Included
Custom Integrated Turbine IO Support | No | 16 non-standard IOs per turbine
Customer Server (for use by the customer running terminal services and other applications) | No | Included
Note | Max of 2 Interfaces: 1st on SCADA Master VM, 2nd on extra industrial PC | Max of 4 Interfaces: each on a dedicated Application Interface VM


7.2 Modbus TCP/IP Client Interfaces to Customer Supplied Met Mast Dataloggers

GE presently supports an interface to Campbell Scientific CR1000 and CR3000 met mast dataloggers with the
capability to support other devices dependent upon datalogger communication capability and system
validation by GE. The customer is responsible for datalogger and fiber-optic cabling between the SCADA system
entry point and the met mast, as well as the fiber optic switch.

The data from the met mast(s) is collected by the WindSCADA system for real-time operator displays. In
addition, the data is archived within the system database for historical reporting purposes.

Customer input is required in a comma-separated file format with the following information:

 Met Customer Input per point
 Met Device Modbus Slave Address
 Met Device IP Address
 Modbus Register Address
 Data Point Description
 Data point units
 Data Point Type (16 bit = Single and 32 bit = Double Word)
 Data Point Signed or Unsigned. Data point Multiplier or Scaling/Conversion Factor
 Data point Normal Position or Active State of the Data Point
 Data Point Precision

7.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation

Substation device interfaces can be supported as an option. GE presently supports interfaces to GE D20, GE
D25, SEL 2030, SEL 2032, SEL 3332, SEL 3551, and Orion 5R. Other devices are capable of support, dependent
upon system validation by GE.

GE scope includes the configuration of an interface of up to 200 data points and development of one
WindSCADA system user interface screen to display this data. Typically, up to ten control outputs (i.e. Open
Breaker) are supported. GE does not support Close Breaker controls due to the lack of Select-Check-Before
Operate functionality within the WindSCADA system.

Customer input is required in a comma-separated file format with the following information:

 SSI Customer Input Per point
 Substation Device Modbus Slave Address
 Substation Device IP Address
 Modbus Register Address
 Data Point Description
 Data point units
 Data Point Type (16 bit = Single and 32 bit = Double Word)
 Data Point Signed or Unsigned. Data point Multiplier or Scaling/Conversion Factor
 Data point Normal Position or Active State of the Data Point
 Data Point Precision

7.4 Customer Integrated IO


Customer Integrated IO enables customers to add external sensors and systems at the wind turbine level. IOs
can be located both up-tower and down-tower. WindSCADA supports all current data types to configure digital
and analog IOs. The web-based HMI displays real-time values and reports for non-standard inputs.

Up to two sets of additional IOs are supported per turbine, one set down-tower and one set up-tower. A cabinet
needs to be provided and installed for every IO set. Each IO cabinet contains up to 16 non-standard IO points,
but each turbine only accommodates a maximum of 16 non-standard IOs.

Both digital and analog inputs and outputs are supported. Additionally, control commands that set an AO or a
DO are supported. The IO data is connected via Modbus TCP to the SCADA system. The IO data is not available
to the turbine controller.


8 WindSCADA Remote System Integration (RSI)


The optional WindSCADA Remote System Integration (RSI) module provides the necessary protocols, data and
software services to securely integrate the farm level SCADA system with the Customer's enterprise
infrastructure. Several service product packages are available to increase access and transparency to turbine
data with the protocols necessary to enhance remote Monitoring, Operations, and/or Data Collection.

Data access and use of certain classifications of data or data acquisition methods may be subject to additional
terms and conditions. Licensing and pricing are available upon request to support the following WindSCADA
features.

8.1 ODBC Connection


The ODBC Connection enables enterprise integration via the ODBC protocol to programmatically access data
within the WindSCADA Historical Database. Customers can run custom queries against the local WindSCADA
database from remote/enterprise systems to generate new reports and datasets across their fleet. ODBC
connections also enable mirroring and batch data transfer from local to enterprise systems. Information
accessible remotely via ODBC Connectivity includes Historical Events and 10 min historical records.

8.2 OPC Connections


GE WindSCADA provides an external data interface via the Open Platform Communications (OPC) Data Access
(DA) [1] or Unified Architecture (UA) specifications. OPC supports real-time data only and can be used to send 1-
second resolution data to external data receivers such as the customer’s enterprise historian database or a
third-party such as an Independent System Operator.

There are technical resource limitations for each WindSCADA platform as described in the “RSI Technical
Specifications” table below. Purchase of the OPC Server License option (OPC DA or OPC UA) includes access to
approximately 50 fixed tags for Basic Monitoring in section 8.5. Please contact your GE Sales Representative for
information on expanded data licensing.

8.3 Data licensing


WindSCADA Remote System Interfaces are configured according to the purchased data services and licenses.

[1] GE recommends using an OPC tunneler when using OPC-DA.


8.4 RSI Technical Specifications


Remote System Integration | WindSCADA Compact | WindSCADA Secure Edition 2.1
--- | --- | ---
ODBC Interface: Database connection configuration | Optional | Optional
OPC DA or UA interfaces (concurrent interfaces not supported, must choose one) | | 
Maximum number of OPC Items | Option. Approximately 51 Level 1: Monitoring Tags/WTG included with OPC Server; expandable to 5,000 tags max. | Option. Approximately 51 Level 1: Monitoring Tags/WTG included with OPC Server; expandable up to 200,000 tags.
Maximum number of clients for optimal performance | 3 | 3
Maximum number of clients | 5 | 5
Maximum number of turbines | 20 | 200
Maximum number of OPC groups for optimal performance | 50 | 50
Maximum number of OPC Items per OPC Group | 1,000 | 1,000
Minimum update rate | 1 s | 1 s
Notes | Adding more OPC Clients than mentioned above may impact performance. | Adding more OPC Clients than mentioned above may impact performance.

8.5 OPC Tags for Basic Monitoring

OPC Tags: refer to the Technical Description "WindSCADA System Real Time Data Packages" for information on
the available data package options.
