Water Security: The Role of the SCADA System

With security assessments and implementation of appropriate measures receiving the full attention of the water industry, we have been exploring how technology can contribute to these efforts.  We have consulted extensively with our users, reviewed measures they have put in place over the years and discussed their latest plans.

Many of them have a vision of an ideal monitoring system that is networked throughout their entire operation.  The system would provide constant monitoring of all vulnerable areas.  It would immediately report any security breaches or abnormal operating conditions.  It would eliminate any necessity for regular patrols and drastically reduce the frequency of visits to remote sites.

The system would be tolerant of efforts to defeat it.  It would continue operating if the power were cut off or a communication line severed.  It would be accessible to operations people even if the control room were disabled or evacuated.  It would provide security from hacking.

The system also would be able to automatically react to conditions and perform control actions, which could safely shut down processes or isolate sections of the water distribution system.

You probably realize this is really not a futuristic vision or even a description of an emerging technology.  The fact is the technology for such a system is nothing new.  Many of them are in operation, today, throughout the water industry.  You probably have one, as well.  It's your SCADA system.

A BRIEF OVERVIEW

The acronym tells it all.  "SCADA" stands for "supervisory control and data acquisition."  The SCADA system is essentially a distributed computer system that is used by operations and management for process monitoring and automation. 

As shown in Figure 1, the SCADA communication network is spread throughout the water distribution system.  Workstations, which are typically PC-based and located in a control room at a treatment plant, allow operators to view the entire process and perform control actions.

Within the plant, process controllers or programmable logic controllers (PLCs) supervise unit processes, such as chemical treatment and filters.  A local area network (LAN), such as Ethernet, links the controllers to the workstations as well as to one another.

Remote terminal units (RTUs) are used at remote sites and usually exist in vulnerable areas, such as pump stations, storage tanks, valve vaults and treatment facilities.  Today's RTUs are rugged versions of process controllers and operate in outdoor environments.

The RTUs communicate on a wide area network that is typified by the radio system shown in the figure below.  Traditionally a dial-up or leased telephone line system, the wide area network is now more often being implemented with wireless communication.

Realistically, most SCADA systems do not fit the ideal scenario.  Not all pump stations are equipped with RTUs.  Not all vulnerable areas are covered by the network.

Fortunately, expansion is not the nightmare it once was.  This is even true for proprietary systems.  In the old days, getting an elevated tank or pump station on the network meant contracting for leased telephone lines.  Long runs are very expensive and installation not necessarily very timely.  Today, the only problem is deciding among all the wireless options.

Even if you need a new RTU, today's equipment is cost effective, uses open architectures, and is available through numerous systems suppliers, who can reliably interface it to your existing system.

Leveraging the SCADA System

Utilizing the SCADA system to its fullest is the best way for water companies to leverage existing infrastructure and available resources.  With such capabilities and coverage at your service, the SCADA system should not merely be one aspect of your operation to consider in a security assessment.  Many companies have decided to make it central to their entire security effort.

A major advantage of the SCADA system is that its security measures are coordinated with operations.  Many stand-alone security systems and other recommended measures are not coordinated with operations, and coordinating them requires significant effort.

A SCADA system linked to perimeter monitoring devices can either significantly reduce or eliminate the need for manned patrols.  Unlike patrols, the SCADA system can provide constant monitoring of all locations.

Security systems or equipment, including video cameras, motion detectors, contact switches, keypad entry devices and card readers, can be readily interfaced either directly to the SCADA network or via a nearby remote terminal unit (RTU).

Security breaches are reported to the operations staff in the same manner as process failures—via the alarm system that is built into all SCADA systems.  SCADA systems alert operators via a broad array of visual indications on graphical displays, as well as audible alarms.

Today's SCADA systems further offer alarm management, which prevents operator overload in cases where many alarms occur within a short time.  It can also overcome deliberate attempts to decoy operators.  Alarm management filters alarms by location, logical grouping or priority and keeps operators focused.

Time-stamped alarm records, which are maintained in an audit trail, allow alarms to be correlated with other time-based information, such as video frames.  The audit trail is also extremely important to investigations, after-the-fact.
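
The alarm-management and audit-trail behaviour described in the two paragraphs above, as an added example that is not Bristol Babcock code: the site names, tag names and the burst of alarms are constructed, and the priority scheme (1 = highest) is an assumption.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alarm:
    ts: float       # time stamp in seconds (constructed values below)
    site: str       # location, e.g. a pump station or tank
    tag: str        # point name in the RTU
    priority: int   # 1 = highest (assumed scheme)
    message: str


@dataclass
class AlarmManager:
    # Every alarm received, in time order and never filtered: the audit trail.
    audit_trail: list = field(default_factory=list)

    def ingest(self, alarms):
        self.audit_trail.extend(alarms)
        self.audit_trail.sort(key=lambda a: a.ts)

    def operator_view(self):
        """What the operator sees: one row per (site, tag), highest priority first.

        Repeats of one point (a decoy burst or a chattering contact) collapse to
        a single row with a count, so they cannot bury one high-priority alarm
        from elsewhere in the system.
        """
        rows = {}
        for a in self.audit_trail:
            row = rows.setdefault((a.site, a.tag), {
                "site": a.site, "tag": a.tag, "priority": a.priority,
                "message": a.message, "first_ts": a.ts, "count": 0})
            row["count"] += 1
        return sorted(rows.values(), key=lambda r: (r["priority"], r["first_ts"]))

    def events_between(self, t0, t1):
        """Audit-trail slice for correlating alarms with other time-based data,
        such as video frames from a camera at the same site."""
        return [a for a in self.audit_trail if t0 <= a.ts <= t1]


def build_demo():
    """Constructed burst: 40 door-contact alarms from one pump station (a decoy)
    arriving in the same minute as two tank gate alarms and one chlorinator
    ratio alarm from the treatment plant."""
    burst = [Alarm(1000.0 + i, "PS-3", "DOOR_CONTACT", 3, "Enclosure door open")
             for i in range(40)]
    burst += [Alarm(1005.5, "T-1", "GATE_CONTACT", 2, "Gate open"),
              Alarm(1012.0, "T-1", "GATE_CONTACT", 2, "Gate open"),
              Alarm(1020.0, "WTP", "CL2_RATIO", 1, "Chlorine dose outside ratio band")]
    mgr = AlarmManager()
    mgr.ingest(burst)
    return mgr


if __name__ == "__main__":
    for row in build_demo().operator_view():
        print(f"P{row['priority']} {row['site']:>4} {row['tag']:<13} "
              f"x{row['count']:<3} {row['message']}")
```

The operator display shows three rows with the chlorinator alarm on top, while all 43 alarms remain in the audit trail for later correlation and investigation.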

SCADA systems can also automatically react to conditions and perform control actions, such as emergency shutdowns of processes, starting or stopping pumps, opening/closing valves, etc.  Input for these actions can come from anywhere on the network.

Whether the SCADA system is allowed to take such actions is up to management.  The SCADA system can automatically isolate a portion of your supply system by stopping pumps and closing valves or it can inform operators of the process conditions and let them decide.

Can the SCADA system provide detection of biohazards or chemical contaminants?  Ideally, on-line analyzers would exist for all possible contaminants to the water supply. They would provide standard interfaces, which allow alarms to be immediately reported through the SCADA system.

Today, on-line analyzers are available for a broad array of contaminants.  Many water systems currently use devices such as chromatographs to measure the presence of a variety of chemicals.  Dedicated analyzers measure chlorine content and dissolved oxygen.  Instrumentation is also available for variables such as color/turbidity, conductivity, pH, pressure and temperature.

However, many tests are still "off-line" and provide no interface.  In addition, technology for many contaminants is emerging.  We can only hope that new sensing technology will result in SCADA-compatible instrumentation.  Surely, those of us in the SCADA world are willing to cooperate with anyone developing such vital apparatus.

IMPLEMENTING SITE SECURITY MEASURES

Let's be more specific and show how security measures can be incorporated in an existing SCADA system.  A pump station is an example of a vulnerable area in which an RTU is normally present.  Functions of the RTU are generally limited to pump control, using input from flow or level sensors.

Pump operations can be fairly sophisticated.  The RTU usually alternates pumps, runs them for maximum efficiency, schedules them at off-peak times as much as possible, and keeps records for run time maintenance purposes.  Some systems work in conjunction with modeling software, in which case the RTU will start or stop pumps in anticipation of changes in demand.

The RTU can also report a number of alarms, which keep operators informed of the pump auto/manual status, changes in operation and failures.  If the pump station is working in conjunction with a storage tank, the RTU will also report limit alarms and perhaps rate-of-change alarms for the water level.

Usually, some access control or alarm devices are in place and do interface to the RTU.  For example, contact switches (or "intrusion sensors") for a gate, building door and the RTU enclosure door are wired to discrete inputs and allow the RTU to report an alarm if any is open.

If any contacts open when no water company personnel are known to be in the area, that's cause for alarm.  Until recently, this level of security was considered reasonable.

The figure below shows such an installation augmented with a highly informative surveillance system that is resistant to concerted attempts to overcome security.

Since wired contacts are easy to defeat, this system adds such measures as a keyless entry device and a motion detector.  Both devices interface to discrete inputs on the RTU.  It is not unreasonable to expect an RTU to have at least two spare discrete inputs.  Reprogramming the RTU for the additional alarms is also normally not a difficult task.

Also available are more sophisticated keyless entry devices, which use serial interfaces.  They provide additional information, such as the card code or key code.  The RTU is not in the loop that enables the door to open.  Instead, it records the information in the audit trail and informs the operators of the entry.  The problem for many existing RTUs, however, is that they are far less likely to have spare serial ports than spare discrete inputs.

Also shown is a video camera.  While closed circuit television (CCTV) has traditionally not interfaced with SCADA systems, today's digital cameras are compatible with personal computers and can reside on the network.

IP cameras are, by definition, Internet-compatible but are also reasonably easy to drop into SCADA networks, which use IP (Internet Protocol).  Wireless Ethernet (as shown) and cellular digital packet data (CDPD) are good examples of IP networks typical in the SCADA world.  For non-IP SCADA networks, some digital cameras also provide an RS-232/modem connection.  However, some serious engineering effort could be involved in dropping a camera onto a proprietary network.  Using a separate, wireless IP network may be more effective.

As far as SCADA systems are concerned, IP camera technology is still new.  While cameras are not currently used in most systems, they can be readily accommodated if the SCADA system supports FTP (file transfer protocol) server capability.  The SCADA supplier would have to make this available through a version upgrade.

To accommodate bandwidth limitations in the SCADA network, the resolution, compression and frame rate are configurable in the camera.  In practice, most operators avoid viewing the live video image, which means video is not transmitted over the network, unless an alarm occurs.

In the configuration shown, the IP camera does not even interface with the RTU.  It simply shares the wireless Ethernet and transports video images to the SCADA workstations.  An operator can view the video image as a window on the same screen as other windows, which show a graphical display of the pump station, an alarm list and other information.

Some cameras also offer a limited alarm system, which sends a message when an alarm is detected.  A contact input triggers the alarm in the camera.  Some cameras also set an alarm from an internal motion detector.  A buffer, internal to the camera, keeps a number of images during the timeframe just before and just after the alarm.

For a pump station, use of the camera is debatable.  A small, fenced-in area or pump house is well served by access control measures and, particularly, a motion detector.  Cameras are more appropriate for perimeter monitoring and open areas, in which the video can distinguish intruders from animals and other motion that is no cause for alarm.  However, even for small, vulnerable sites like a pump station, live video provides an operator significant information.  For audits or investigations, a video system also offers the benefit of an image archive.

In another example, chemical storage is typical of an area that lacks SCADA coverage, not to mention, in many cases, security.  Nevertheless, such sites can economically be added to the system.  As shown in the figure above, an RTU is not necessary.  Via Ethernet or a serial port, a remote I/O module can link process I/O and security devices to the SCADA system.

A SECURE SCADA SYSTEM

If you are going to count on your SCADA system for security measures, the question is, how secure is the SCADA system, itself?

One utility manager mentioned that, in his company's security assessment, the SCADA system scored better than any other facet of the operation.

Many practices typical in the SCADA world are, in fact, perfect for security.  SCADA systems very commonly employ measures such as back-up power systems, redundancy, distributed workstations, password security and remote paging.

For instance, you can cut the main power to an RTU.  However, if equipped with a backup battery, the RTU will continue running and immediately report a power failure alarm.  If you disable communication to a vulnerable area, the SCADA system will quickly detect the fact that it cannot communicate with that particular RTU.  This puts the site "in the dark," a cause for immediate attention.

Of course, the communication link could simply be unreliable.  But your SCADA system should be able to distinguish a marginal line from a hard communication failure.  SCADA protocols have provisions for assured delivery, including handshaking, multiple attempts and error detection and can deal with marginal communication.
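
How a SCADA master can tell a marginal link from a site that has gone "in the dark", using the handshaking, retries and error detection the paragraph describes, as an added example rather than any vendor's protocol: the RTU reply, the CRC (zlib.crc32 standing in for the protocol's own), the thresholds and the scripted link behaviour are all constructed for the example.

```python
import zlib
from collections import deque

PAYLOAD = b"PS-3 level=4.2 pump1=RUN"          # constructed RTU reply
GOOD_CRC = zlib.crc32(PAYLOAD) & 0xFFFFFFFF


def frame_ok(payload, crc):
    """Error detection: accept a reply only if its CRC matches."""
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


class LinkMonitor:
    """Per-RTU link health derived from poll outcomes. Thresholds are assumptions."""

    def __init__(self, max_attempts=3, fail_polls=3, window=20, retry_ratio=0.3):
        self.max_attempts = max_attempts    # handshake attempts per poll
        self.fail_polls = fail_polls        # failed polls in a row before "in the dark"
        self.window = window                # recent polls kept for the retry-rate estimate
        self.retry_ratio = retry_ratio      # share of polls needing retries that means marginal
        self.consecutive_failed = {}
        self.attempts = {}                  # rtu -> deque of attempts used per poll

    def poll(self, rtu, transport):
        """transport(rtu, attempt) returns (payload, crc) or None on timeout."""
        used = 0
        for attempt in range(1, self.max_attempts + 1):
            used = attempt
            reply = transport(rtu, attempt)
            if reply is not None and frame_ok(*reply):
                self.consecutive_failed[rtu] = 0
                break
        else:                               # every attempt timed out or failed the CRC
            self.consecutive_failed[rtu] = self.consecutive_failed.get(rtu, 0) + 1
        self.attempts.setdefault(rtu, deque(maxlen=self.window)).append(used)
        return self.status(rtu)

    def status(self, rtu):
        failed = self.consecutive_failed.get(rtu, 0)
        if failed >= self.fail_polls:
            return "COMM_FAIL"   # site is in the dark: alarm for immediate attention
        if failed:
            return "NO_REPLY"    # not yet declared failed; retried next cycle
        hist = self.attempts.get(rtu, ())
        if hist and sum(1 for a in hist if a > 1) / len(hist) > self.retry_ratio:
            return "MARGINAL"    # link works but needs retries: a maintenance item
        return "OK"


def reply_for(outcome):
    """Constructed link behaviour for one attempt: 'ok', 'crc' (frame corrupted
    on the air) or 'timeout' (no reply)."""
    if outcome == "ok":
        return (PAYLOAD, GOOD_CRC)
    if outcome == "crc":
        return (PAYLOAD[:-1] + b"?", GOOD_CRC)
    return None


def run_polls(monitor, rtu, scripted_polls):
    """scripted_polls: one list of per-attempt outcomes for each poll cycle.
    Returns the status reported after every poll."""
    statuses = []
    for outcomes in scripted_polls:
        def transport(_rtu, attempt, outcomes=outcomes):
            return reply_for(outcomes[attempt - 1]) if attempt <= len(outcomes) else None
        statuses.append(monitor.poll(rtu, transport))
    return statuses
```

A link that answers correctly on the second attempt every time is reported as marginal, a site that stops answering altogether is declared failed only after three consecutive failed polls, and a single corrupted frame on an otherwise clean link raises nothing.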

Methods used to increase network reliability also enhance security.  Redundancy is a common technique, especially for plant LANs.  Two live networks are used.  If one is damaged, communication continues on the other.  To further increase reliability, each run in a redundant physical network can use different routing.  However, the additional expense may not be worthwhile because LAN damage is reported as an alarm and can be quickly isolated.

If the network is cut off, the controllers and RTUs simply continue monitoring and controlling their processes.  Once communication is re-established, many RTUs are able to report alarms, events and historical information for the time that the network was out of service.

Remote sites, such as pump stations, can also use redundant networks.  For example, CDPD or dial-up can back up a leased line.  Communication networks that use two different technologies can be difficult to defeat.  An excellent combination is one that uses both hard-wire and wireless communication.  This keeps the site "out of the dark" but you have to decide if it is worth the cost.

In many SCADA systems, the fact that the networks are private provides a great deal of security.  Hackers simply cannot access the network from any off-site location.  Keeping SCADA computers "disconnected" from the outside world, including the Internet, isolates the system from an awful lot of risks.

The only problem, today, is that there are too many benefits in connecting to the outside world.  Numerous information services are available via the Internet.  Equipment suppliers can perform maintenance via the Internet.  You can make operations information available anywhere in the world.  If you want your system "connected," prudent use of firewalls and cyber security measures is mandatory.

Off-site workstations can be extremely valuable in the event that the control room is disabled.  Workstations can be located not only elsewhere in the water system but also at home.  Wherever the workstation is located, password security is employed.  To ensure this is not the weakest link in security, management must establish passwords, other than the defaults, and periodically change them.

It is important that off-site access be limited.  Command sets can be proprietary and restricted.  If system management capabilities such as programming and downloading are available, hackers can potentially do a lot of damage.

Even if off-site workstations are not used, most SCADA systems offer provisions for off-site personnel to stay informed.  Many facilities are unoccupied at least 16 hours a day.  For such situations, many SCADA systems use dial-up or remote paging in response to alarms.  Some systems are being programmed to dial up the local police in case of certain high-priority alarms.  In addition, some users are backing up the SCADA system with independent dial-up units for some sites.

Many users feel secure because of the proprietary nature of their systems.  "Cryptic" command sets, communication protocols and programming tools can be sufficiently discouraging.  But we have seen the results of work by determined terrorists.  Anyone willing to invest the time can figure out proprietary systems.

The question is what terrorists could accomplish by accessing the SCADA system.  By changing process operations, they can, in fact, cause major nuisance problems, damage process equipment and cut off service to your customers.  However, this activity is more in the realm of hackers and disgruntled employees.  The widespread harm sought by terrorists can only be accomplished by introducing outside agents to the water supply.  Therefore, securing vulnerable areas is the priority.

ENHANCED UTILIZATION OF THE SCADA SYSTEM

Since the real risks are not in the SCADA system but in the process, how can you further utilize the SCADA system to reduce process risk?

In its most simple implementation, a SCADA system can still reliably distinguish between normal and abnormal operation.  Even basic monitoring functions include the discrete, limit and rate alarms mentioned earlier.  As in the pump station example, control actions can also be verified and alarms set to indicate failures.

Alarm limits can also dynamically follow the process.  For example, a ratio alarm could be set if the chlorinator feed rate were inappropriate to the water flow rate, even if it were within fixed high and low limits.  If someone tampered with the chlorinator setting, this setup would catch it and report an alarm.  Note that a chlorine analyzer further downstream could also back up this system.
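
The chlorinator ratio alarm from the paragraph above, with the downstream analyzer as its backup, as an added example that is not part of the original article: the units (flow in ML/d, feed in kg/d, so dose in mg/L is feed divided by flow), the limits, and the assumed chlorine demand between chlorinator and analyzer are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class ChlorineRatioAlarm:
    """Dose alarm whose limits follow the flow instead of staying fixed.

    Assumed units: flow in ML/d, chlorinator feed in kg/d, so that
    dose (mg/L) = feed / flow.  All limits below are constructed."""
    feed_lo: float = 2.0          # fixed chlorinator feed limits, kg/d
    feed_hi: float = 40.0
    dose_lo: float = 1.0          # acceptable dose band, mg/L
    dose_hi: float = 3.0
    demand: float = 0.8           # assumed chlorine demand before the analyzer, mg/L
    analyzer_delta: float = 0.5   # tolerated disagreement with the residual, mg/L

    def evaluate(self, flow_ml_d, feed_kg_d, residual_mg_l=None):
        """Return the alarms raised for one scan.

        FEED_LIMIT is the fixed-limit check.  DOSE_RATIO is the dynamic check
        that catches a feed setting which is within the fixed limits but wrong
        for the current flow, e.g. after tampering or a flow change.
        """
        alarms = []
        if not self.feed_lo <= feed_kg_d <= self.feed_hi:
            alarms.append("FEED_LIMIT")
        if flow_ml_d <= 0:
            alarms.append("NO_FLOW")        # no dose can be computed; avoid dividing by zero
            return alarms
        dose = feed_kg_d / flow_ml_d        # kg/d over ML/d is mg/L
        if not self.dose_lo <= dose <= self.dose_hi:
            alarms.append("DOSE_RATIO")
        if residual_mg_l is not None:
            expected = dose - self.demand   # what the downstream analyzer should read
            if abs(residual_mg_l - expected) > self.analyzer_delta:
                alarms.append("ANALYZER_MISMATCH")   # analyzer backs up the ratio check
        return alarms
```

With a flow of 10 ML/d, a feed of 35 kg/d sits inside the fixed 2 to 40 kg/d limits yet gives a 3.5 mg/L dose, so only the ratio alarm catches it; the same 20 kg/d feed that is correct by day becomes a 5 mg/L overdose when night flow drops to 4 ML/d.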

Perhaps the most advanced functions are performed when the SCADA system is used in conjunction with a modeling and simulation system.  If the SCADA system is networked with the modeling and simulation system, it can provide live process information to build a model of your entire distribution system.

The model can be used to establish feed forward controls and run the process with increased efficiency.  It can also provide for back-up alarming.  If a process alarm, e.g. for a pump failure, does not work, the inevitable effect elsewhere in the system can still result in an alarm, which reports the pump failure as the likely cause.

Security issues are making simulation significantly more important than in the past.  Now emerging are techniques that use the model to simulate addition of contaminants at various points in the system and how they move through it.  In an actual event, this information should help verify the point of contamination and determine actions at sites, such as pump stations, to isolate the appropriate section of the distribution system.

SUMMARY

Since SCADA systems exist in most water operations, they allow water companies to leverage existing infrastructure and available resources.

The SCADA system is typically distributed throughout the entire operation.  It should be central to a water company's security and, at the same time, can provide the added benefit of more efficient operation.

The SCADA System can:

·        Coordinate security measures with process operations

·        Reduce or eliminate manned patrols; provide constant monitoring, system-wide

·        Record alarms and events

·        Automatically react to alarms and events by performing emergency shutdowns or other control actions

·        Typically expand rather easily via additional I/O points, RTU devices and network links

Practices typical in SCADA provide security for the system, itself:

·        Backup power systems

·        Redundant networks

·        Distributed operator workstations

·        Alarm system alerts operators to failures of SCADA components

·        Typically private networks that are not accessible to the outside world

·        Password security

·        Dialup and paging

Furthermore, the value of the SCADA system can be enhanced if it incorporates advanced capabilities, such as modeling and simulation.

This article is provided by Bristol Babcock, written by Kevin Finnan, Director of Marketing at Bristol Babcock. Bristol Babcock is a leading supplier of measurement and control instruments and systems with offices throughout the world.  Kevin Finnan has extensive experience with measurement products and SCADA systems.  Over 21 years at Bristol Babcock, he has held positions including systems engineer, instructor, industry manager and product manager.  For more information on Bristol Babcock, please visit their website at http://www.bristolbabcock.com.