Utility Horizons - Second Quarter 2013 - (Page 38)

The BLeading Edge...
By Jake Brodsky, PE | Process Controls Specialist | Washington Suburban Sanitary Commission

Bullet-proofing Your SCADA System Against the Evil-doers

Let’s suppose these evildoers find a remote pumping station. The region has grown, but the pipelines have not. Perhaps you had oversized the pumps, and the line velocities are high. This is a perfect opportunity for them to cause significant damage – or is it? Our nemesis in his mother’s basement knows that by sending start and stop commands to a pump in 20-second cycles, something is likely to break. Perhaps it will shear the bolts in a coupling, or maybe even break a water main – yet nothing happens. Why not?

Thwarting Assaults with Resiliency

The secret is a restart timer. Once the pump shuts off, it sets a timer that must count all the way down before allowing a start command to go through. The timer should be set so that pressure waves in the discharge pipeline settle down. The intervals between pump starts and stops are also inhibited by timers. Basically, the commands from the hackers will be ignored until those local timers time out. Ideally, such timers should be implemented with hardwired equipment, but an isolated micro-PLC would work too.

How about those valves? Decades ago, someone may have specified a large ball valve somewhere. Ball valves have a Cv (valve flow coefficient) profile that doesn’t do much to the flow until it reaches the last 15% of travel. Closing that valve at normal speed may introduce a vacuum and then a returning pressure wave as the flow is suddenly pinched off. For better resiliency, one could replace the trim of the valve so that it doesn’t pinch off the flow so suddenly. Or, perhaps consider replacing the actuator with something that automatically slows down over the last 20 percent of travel. One could also install bypass swing check valves and surge tanks to handle the sloshing of pressure on the pipelines.
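The restart timer and the minimum-run inhibit described above, modelled in Python as an added example (not code from the article or from WSSC; the 300-second restart delay, 120-second minimum run time and the 20-minute start/stop barrage are assumed values). In the field this logic would live in a hardwired timer or an isolated micro-PLC, as the author recommends; the model shows how few of the 20-second toggles actually reach the motor.

```python
from dataclasses import dataclass, field

@dataclass
class PumpInterlock:
    """Local restart/minimum-run interlock modelled on the article's restart
    timer. It runs on the remote's own clock, so early commands are ignored."""
    restart_delay_s: float = 300.0   # assumed: lets discharge pressure waves settle
    min_run_s: float = 120.0         # assumed: minimum run before a stop is honoured
    running: bool = False
    last_stop_t: float = float("-inf")
    last_start_t: float = float("-inf")
    log: list = field(default_factory=list)

    def command(self, t: float, start: bool) -> bool:
        """Apply a supervisory start (True) or stop (False) at time t.
        Returns True only if the pump actually changed state."""
        if start and not self.running:
            if t - self.last_stop_t < self.restart_delay_s:
                self.log.append((t, "start ignored: restart timer running"))
                return False
            self.running, self.last_start_t = True, t
            self.log.append((t, "started"))
            return True
        if not start and self.running:
            if t - self.last_start_t < self.min_run_s:
                self.log.append((t, "stop ignored: minimum run timer running"))
                return False
            self.running, self.last_stop_t = False, t
            self.log.append((t, "stopped"))
            return True
        return False   # command matches the current state; nothing to do

def hammer_pump(period_s=20.0, duration_s=1200.0,
                restart_delay_s=300.0, min_run_s=120.0) -> int:
    """Constructed attack traffic: alternate start/stop every period_s seconds
    for duration_s seconds and count how many state changes get through."""
    lock = PumpInterlock(restart_delay_s=restart_delay_s, min_run_s=min_run_s)
    changes, start, t = 0, True, 0.0
    while t < duration_s:
        if lock.command(t, start):
            changes += 1
        start, t = not start, t + period_s
    return changes
```

With the timers in place the 60 toggles in 20 minutes produce 6 state changes; with both timers set to zero all 60 go through.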
YOU’VE BEEN HACKED!

So it has come to this: You’ve been hacked. Someone posted your entire SCADA I/O list to pastebin, the keys to your VPNs have been leaked, and the SCADA system is being attacked by people who know exactly what they’re hitting. Is the game over? No, not necessarily. There is still another layer of defense that most people haven’t even considered: Resilient remotes and I/O.

Selecting the Right Point of Automation

Ultimately, this comes back to what the first letter of the acronym SCADA stands for: Supervisory Control And Data Acquisition. Those who use a SCADA system to turn things on and off directly are missing an important point: A good SCADA system uses mode commands and setpoints, and leaves the details of the command to the remote equipment. An even better SCADA system might send an entire operating schedule to the remote for the next several hours.

In a good SCADA system you will see scripts in the RTU that do something reasonable in the event they haven’t heard from the Operations Control Center in some time. Note that this is the Control Center, not the master station. A good SCADA system has a heartbeat that goes end-to-end to each RTU. Why do this? Because if the control center is hacked, you can safely amputate it and have hope that the stations will do something reasonable while control and view are not available. This method only has to keep things running long enough to get crews to these stations. With a table of setpoints and a time of day, one can even program what the stations will do and when to expect them to do it. (Note: GPS time clocks are pretty inexpensive, and PLC gear can be made to synchronize with them fairly easily.)

Where You Store Your Data Matters

Another form of resilient I/O is where valuable data is totaled in the RTU and reported to the master site when queried. That way, if the historian or HMI gear is brought down, you can still gather events and totalizers from the field when you come back up. Totaling things in the control room is not reasonably resilient behavior because the totaling stops if the communications fail.

Selecting the Right Protocol

This brings me to another thing that anyone in the water business should look at very carefully: Modbus is ubiquitous across the water industry, and it’s a great protocol for DCS process control nodes and PLCs – but it was not designed for SCADA. Modbus is strictly a real-time protocol, when what we really need for SCADA is an event-oriented protocol that
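The end-to-end heartbeat, the time-of-day setpoint table the RTU falls back to, and the totalizer kept in the RTU rather than the control room, together as one added Python model (not the article’s or WSSC’s code; the 60-second heartbeat timeout, the three-entry schedule, the 10-minute scan interval and the flow figures are assumed values):

```python
from bisect import bisect_right

class ResilientRtu:
    """Model of an RTU with a heartbeat watchdog, a time-of-day setpoint
    table and a local totalizer; all names and values here are assumed."""
    def __init__(self, heartbeat_timeout_s, schedule):
        self.heartbeat_timeout_s = heartbeat_timeout_s
        self.schedule = sorted(schedule)   # (seconds since midnight, setpoint)
        self.last_heartbeat_t = None
        self.remote_setpoint = None
        self.total = 0.0                   # totalizer kept in the RTU
        self.events = []                   # mode changes, kept until queried

    def heartbeat(self, t, setpoint):
        """End-to-end heartbeat from the Operations Control Center."""
        self.last_heartbeat_t = t
        self.remote_setpoint = setpoint

    def control_center_alive(self, t):
        return (self.last_heartbeat_t is not None
                and t - self.last_heartbeat_t <= self.heartbeat_timeout_s)

    def active_setpoint(self, t):
        """Remote setpoint while the heartbeat is fresh, else the scheduled one."""
        if self.control_center_alive(t):
            return self.remote_setpoint
        tod = t % 86400
        i = bisect_right([start for start, _ in self.schedule], tod)
        return self.schedule[i - 1][1]     # i == 0 wraps to the day's last entry

    def scan(self, t, flow_rate, dt):
        """One scan: accumulate the totalizer, log mode changes, return setpoint."""
        self.total += flow_rate * dt
        mode = "remote" if self.control_center_alive(t) else "local"
        if not self.events or self.events[-1][1] != mode:
            self.events.append((t, mode))
        return self.active_setpoint(t)

def demo():
    """Constructed scenario: heartbeats arrive until 02:00, then the control
    center is amputated; the RTU falls back to its schedule and keeps totalizing."""
    rtu = ResilientRtu(heartbeat_timeout_s=60.0,
                       schedule=[(0, 40.0), (6 * 3600, 55.0), (22 * 3600, 40.0)])
    setpoints = {}
    for t in range(0, 7 * 3600, 600):          # one scan every 10 minutes
        if t < 2 * 3600:
            rtu.heartbeat(t, 50.0)
        setpoints[t] = rtu.scan(t, flow_rate=0.5, dt=600)
    return setpoints, rtu
```

After the heartbeat stops, the station holds the scheduled 40.0 until the 06:00 entry raises it to 55.0, and the totalizer and the mode-change events are still in the RTU to be queried once the control room is back.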
