Inside This Issue • WIN-911 SMS Messaging Reports • Free SCADA Seminars • Training Classes • SCADA Symposium • Go Navy • Integrator Spotlight • Path Study Shareware Worth a Try
Volume 20, Issue 2 • Fall/Winter 2010 A Publication of Sage Designs, Inc.
150 Shoreline Hwy., Suite #8A • Mill Valley, CA 94941-3634 • 1-888-ASK-SAGE (1-888-275-7243) • 1-888-FAX-SAGE • www.SageDesignsInc.com
SCADA, Security & Automation Newsletter
Control Microsystems has recently been acquired by Schneider Electric, the global specialist in energy management. Under their Automation Portfolio, Schneider Electric serves machine builders, mining, mineral and metals, water/wastewater, oil and gas, and electrical energy markets. Control Microsystems’ product portfolio complements and expands Schneider Electric’s current application fields. Michel Crochon, Executive Vice-President of Schneider Electric’s Industry business, commented in a press release dated April 13th, 2010: “Schneider Electric acquires a global telemetry platform to address the needs of the attractive water, wastewater, and oil and gas industries for which remote monitoring and control are critical to their large and dispersed sites. The combination of technologies, channels, customer knowledge and complementary execution capabilities will put us in an excellent position to capture new opportunities in these fast growing markets.”
Customers can expect a commitment to their core business with integrated solutions designed to provide safe, reliable and efficient energy. Control Microsystems will become the global experts in remote SCADA and telemetry solutions for water/wastewater and oil and gas. As the transition to Schneider Electric occurs, the four leading product lines (Accutech, SCADAPack, Trio, and ClearSCADA) will continue to be sold through the established sales channels. Schneider Electric recognizes that existing Control Microsystems’ representatives are highly skilled, specialized organizations that focus on providing best-in-class solutions to solve customer challenges.
SCADA Communication Security: The “Onion” Perspective
As the profile of security for Supervisory Control and Data Acquisition networks has grown, experts have begun to talk more and more about this issue. It is a sign of the times that one of the first acts of President Obama was to instigate a comprehensive review of cyber security and he singled out SCADA systems as a key part of the review. Why? Because the increase in I.T. networking means that SCADA systems are being connected to the Internet, leaving them more open to attack.
Much literature has a focus on security technology in detail. This does not help those new to the technology. Nor does it help people to understand cyber security in the context of an overall security plan. For that, we need a reasonable model. This is where the “onion” comes in. As Shrek says “Ogres are like onions. Onions have layers.” Well, security is like an onion, too. A good security plan involves many layers. One layer of security won’t provide much of a deterrent, but add another 3 or 4 layers and you’re starting to get somewhere. Different layers of security protect against different kinds of threats and will often complement one another. There are many potential security layers, be they physical, electronic or procedural:
• Keeping SCADA networks isolated from corporate networks.
• Not advertising configurations (e.g. disable SSID on wireless networks).
• Installing field devices (e.g. RTU, PLC) inside locked enclosures.
• Creating audit logs that will reveal evidence of tampering.
• Encryption (hiding data as it moves across networks).
• Authentication (verifying that the person performing a critical operation is authorised).
It is encryption and authentication that will be the focus of this article. It’s important to note that encryption and authentication are not mutually exclusive; they can both be used concurrently on the same system.
Encryption... and Decryption
Encryption is the act of manipulating information until it appears almost meaningless to the casual observer. Decryption is the act of restoring an encrypted message to its previous readable state. In a typical SCADA system, all messages are sent using a given protocol format, such as MODBUS or DNP3. Anyone who can see the messages being transmitted can decode them and see what information is being transferred from device to device. In an encrypted SCADA system, messages are transformed into a seemingly garbled sequence of bytes. Short messages are stuffed with extra random bytes to make it difficult to estimate the size of the messages being transmitted. A casual observer can
Free November SCADA Seminars
As the need for data increases in the modern world of SCADA, it seems natural that protocols for today’s systems must advance to accommodate this thirst. Additionally, utilities managers want to be able to better manage their equipment in the field without ever leaving their office in order to save time and labor. Thankfully, the current trend towards DNP3 makes both of these goals achievable. Not only does DNP3 turn your remotes into data-loggers which don’t miss an event just because it occurs between poll cycles, but the protocol allows for implementations which support the re-configuration of the remotes, version control of programs in them and diagnostics which watch the health of the controllers, their programs and their I/O. If you are interested in these topics, you should attend one of our two upcoming free SCADA seminars. Presentations by experts at Control Microsystems explaining and demonstrating these capabilities which have been implemented in the E-series SCADAPacks and ClearSCADA SCADA host software will leave you with no doubt that the days of simple polled protocols such as Modbus and DF1 are soon to be behind us. See the registration form in this newsletter or go on-line to www.scadawise.com to register.
Get SMS Reports with Win-911
In addition to receiving alarms on any cell phone, users can now request text reports and get the current values of process variables using the 2-Way SMS capability available with all WIN-911/PRO systems. A user can request a report by texting Win-911 with a report number. These reports can contain several variables, each of which will come in as a separate message on your phone. Reports can be requested at any time, whether or not any alarms are active. Win-411 Reports is a valuable tool for field personnel and augments the powerful alarming capability of Win-411 2-way SMS. It supports all major wireless service providers and is included in the Win-911/PRO software package.
With Windows Smart Phones, you can run Mobile-411 which includes enhanced features such as a tabular layout for reports, plus a Refresh button for getting the latest values with a single stroke. Other features include the ability to receive and acknowledge individual alarms and get alarm status reports. Configuring WIN-411 Text Reports is easy using the new 411 report module. Simply add data tags that have been imported into WIN-911 from your SCADA database, then add a short description for each.
Take WIN-911 SMS alarm notification to a whole new level using WIN-411 Text Reports and Mobile-911. Manage data and alarms more effectively and keep informed when it really counts. Call Sage Designs for more information or visit the manufacturer’s website: www.specterinstruments.com

Firetide HotPort® 6000-900 Wireless Mesh Nodes
• Reliable, High-Performance Networks in Challenging Wireless Environments
• Street-Level Connectivity
• Encryption for End-to-End Security
[Diagram labels: Firetide Mesh Node, Firetide Backhaul Wireless Mesh, Utility Company, Smart Utility Meter, Data Collection Unit]

SCADA & Wireless Instrumentation Symposium
San Antonio, TX • October 17-19
Control Microsystems, a Schneider Electric company, is hosting the 2010 SCADA & Wireless Instrumentation Symposium in San Antonio, TX, from October 17-19, 2010. Sage Designs would like to invite you to join us for industry and technical discussions, market updates, and comprehensive hands-on training sessions. Through CMI’s partnership with PDHonline, attendees will receive 1 Continuing Education Unit or 10 Professional Development Hours upon completing the training.
What is offered:
• Separate breakout sessions for W/WW and O&G industries
• A full-day of hands-on technical training
• Continuing Education Units (CEUs) and Professional Development Hours (PDHs)
• Technology and market updates
• Application showcase
• Panel discussion – “The Future of SCADA”
• Full on and off-site meals each day
We hope to see you there!
Registration link can be found at www.controlmicrosystems.com
Free SCADA Seminar: Integrated Water/Wastewater SCADA Solutions
November 3, 2010, 8AM – Noon: Radisson Hotel Newport Beach, 4545 MacArthur Blvd., Newport Beach, CA 92660
November 4, 2010, 8AM – Noon: Embassy Suites Walnut Creek, 1345 Treat Blvd., Walnut Creek, CA, 94597
Water utilities have been using Supervisory Control and Data Acquisition (SCADA) for many years, during which SCADA systems have evolved from simple tone telemetry to web-centric solutions. A SCADA system’s primary function is to monitor and control the conditions of remote assets, such as pumps and lift stations, distribution networks, and treatment plants, while ensuring data integrity, overall system visibility, and security. If you are expanding, upgrading, or developing a new SCADA system, selecting the right hardware and software components can help you cope with ever changing demands in securing your infrastructure and improving data collection and reporting. Join us to learn more about intelligent field controllers that can dramatically improve environmental compliance and reduce cost of deployment for water systems. Understand the benefits of event data logging and time-stamped data in the remote controller and how historical data backfill can help you meet regulatory requirements. Learn about secure and encrypted data transmission and innovative system architectures that can reduce your cost of operation.
Who should attend?
• SCADA Engineers, Managers and Technicians
• Water Systems Managers, Operators and Technicians
• SCADA Solution Providers
Featured Applications
• Pump/lift Station Controllers
• Water Quality Monitoring
• District Meter Zones
• Real-time and Historical Data Gathering
• Wireless Instrumentation & Measurement
Featured Products
• SCADAPack E-Series PLC/RTU
• ClearSCADA Integrated Enterprise Software
• Trio Long-range Industrial Wireless Radios
Featured Technologies
• Integrated Enterprise Software
• Historical Data Backfilling
• Wireless Ethernet Communications
• Data Encryption and SCADA Security
Continental breakfast included
Download the registration form at http://www.sagedesignsinc.com/events
Pre-registration Required
To Register: Email this form to [email protected] or fax to 1-888-329-7243. A confirmation will be emailed to you. The registration form and hotel directions can be found on the Events Page of our website: http://www.sagedesignsinc.com/events. For more information, call 1-888-275-7243.
□ Register me for the free seminar in Newport Beach on Wednesday, November 3, 2010
□ Register me for the free seminar in Walnut Creek on Thursday, November 4, 2010
Name (please print): Title:
Company: Phone:
Address: Fax:
Email:
City/State/Zip: Dietary Restrictions:
* * * Registration Deadline: October 29, 2010 * * *
There is no charge for this event, but we would appreciate notification if you must cancel your reservation.
ClearSCADA Training Course
December 13-16, 2010 - Corte Madera, CA
February 28 - March 3, 2011 - Mill Valley, CA
Day 1 (8AM-4PM): Installing ClearSCADA, Introduction to ClearSCADA, Components, Using ViewX, Using WebX, ClearSCADA Help
Day 2 (8AM-4PM): Configuring using ViewX, Database Organization, Basic Telemetry Configuration, Creating Mimics, Creating Trends
Day 3 (8AM-4PM): Configuring using ViewX, Templates & Instances, Logic Languages, Security, Communications Diagnostics
Day 4 (8AM-4PM): Reports, System Configuration, System Architecture, Questions
Cost: ClearSCADA Training Course $1,800

SCADAPack TelePACE Studio Training Course
November 15-17, 2010 - Mill Valley, CA
February 15-17, 2011 - Mill Valley, CA
An optional SCADAPack 350, SCADAPack 334 or SCADAPack 32 is available at a special price* with the course, an excellent way to get started using Control Microsystems’ Controllers.
Day 1 (8AM-4PM): SCADAPack controller operation, Series 5000 I/O, TelePACE Studio introduction
Day 2 (8AM-4PM): TelePACE Studio advanced programming techniques and advanced functions
Day 3 (8AM-2PM): Controller communications, Modbus Master/Slave protocol, Diagnostics, Modems
Cost: SCADAPack TelePACE Studio Course $1,275
*Optional SCADAPack 350 Training Kit – adds $990
*Optional SCADAPack 334 Training Kit – adds $990
*Optional SCADAPack 32 Training Kit – adds $1,060

Instructors: ClearSCADA & SCADAPack TelePACE classes will be taught by Tony Sannella, Sage Designs, a Control Microsystems’ Factory-Certified Instructor. The ClearSCADA Test Drives will be conducted by Ian Metcalfe, US ClearSCADA Sales, Control Microsystems.
Location: See individual course registration form. Those requiring overnight accommodations should call the hotel directly for reservations.
What should I bring? Laptop computer with minimum of Win2K or XP with 15mb free disk space, CD ROM, mouse with a scroll wheel, working serial, USB or Ethernet port, and necessary permissions to install software on your computer.
What is provided? Lunch and coffee, soft drinks and snacks each day.
*Optional Training Kits at special course pricing (TelePACE class only): Limit one (1) for every two (2) students per organization. Training Kits will be shipped N/C to training facility, provided your registration is received approximately 4 weeks before the first day of the course, or shipped to you after the course when available. Training kits include a SCADAPack 350, SCADAPack 334 or SCADAPack 32 Controller, TelePACE Studio Software, Hardware Manual (on CD-ROM), I/O Simulator board, AC/2 Transformer, & programming cable. Prices do not include applicable California sales taxes.
Training Classes
Download the Registration form at: http://www.sagedesignsinc.com/events/index.htm
Please send me the Registration Form
ClearSCADA:
❑ December 13-16, 2010 - Corte Madera, CA
❑ February 28 - March 3, 2011 - Mill Valley, CA
SCADAPack TelePACE:
❑ November 15-17, 2010 - Mill Valley, CA
❑ February 15-17, 2011 - Mill Valley, CA
Name (please print): Title:
Company: Phone:
Address: Fax:
Email:
City/State/Zip:
* * * Registration Deadline: 2 weeks before 1st day of course * * *
All registrations are subject to cancellation fees. A confirmation notice will be sent to all registrants on or before the deadline date.

Schedule Your Own Free Hands-On Test Drive
Call to Schedule a Test Drive: Call 1-888-ASK-SAGE, email: [email protected]
Sage Advice: Tools of the Trade
Software programs used for path studies are an amazing tool. They allow you to estimate losses you will have in your radio system before you get to the field, so you know what is worth testing and what is not. Although there are programs for this that cost tens of thousands of dollars, there is one piece of freeware that does a pretty good job despite its minor flaws: Radio Mobile. The program allows you to place radios anywhere on the earth and uses elevation data to generate a profile of the terrain between stations, which is how it calculates the path losses. It can use a variety of sources for the data, including the Shuttle Radar Topography Mission (SRTM) data from NASA. You then input details about your radio frequency, sensitivity, antenna gain, cable losses and other information and it will generate details about the path.
Unfortunately, none of the programs for path studies take into account buildings, trees or other man-made obstructions, which can spell disaster for a radio path, and even the most careful practitioner cannot make up for this omission. On the up-side, this will tell you if there is hope for your system. Now anyone can get a picture of what challenges they will face in building a radio network, whether it be for voice, video or data, without committing to an expensive field survey, but buyer beware. It’s not that Radio Mobile doesn’t accurately calculate the losses. I have compared the results to the expensive products and found that the results are pretty much identical. It’s that no matter how well these programs work, they are no substitution for a real survey done in the field. You can download a free copy of Radio Mobile at: www.cplus.org/rmw/english1.html, but please consider sending a donation to help pay the expenses of the programmer.
Integrator Spotlight: Sierra Control Systems
As the decade of the 60’s came to a close, Sierra Control Systems, Inc. founder Allen Wilson recognized a need for accurate measurement of open channel water systems. In 1972, he incorporated Sierra Control Systems in Carson City, Nevada. Initially working from a garage with the help of family, the company developed highly accurate water level instruments, water control systems, and radio telemetry. Employing a soup-to-nuts approach, SCS engineered, designed the circuits and the circuit boards, and machined and fabricated much of the hardware in-house. They developed the programs and installed the finished product. SCS then followed through with support and training.
SCADA was a relatively new, emerging technology. One of the industries to make wide-use of the technology was hydroelectric power generation. Sierra Control Systems was contracted to engineer and provide equipment to monitor and control the critical processes involved at many of the hydropower plants in California. The expertise and reputation of the company grew along with the SCADA industry itself.
In addition to SCS’s work with the power industry, municipal utilities and irrigation districts also wanted to monitor and control their facilities. To this end, the company developed tank top monitors with telemetry for water storage tanks, pump controllers, and gate controllers. These could report to a master telemetry unit in a central location. Again, the product was engineered and built down to the board level at the Sierra Control Systems facility. The company was quickly becoming known as a provider of reliable, quality equipment, much of which is still in service today.
As the 90’s approached, open architecture in SCADA systems became an important consideration, as more vendors vied to provide products for the growing SCADA industry. It became essential that equipment from vendor “A” could integrate with equipment from vendor “B”. Suddenly, everyone was speaking Modbus. Sierra Control Systems quickly embraced the changes. The new Control Microsystems’ VS/3 RTU had been introduced. The convenient, single-board package began appearing in SCS controllers. The Control Microsystems’ TeleSAFE 6000 RTU soon followed. SCS continued to develop products to expand the new controller’s capabilities. These included multiplexers for enhanced I/O count and telemetry interfaces to existing SCS technology, among others. As the choice of OIT devices was limited at this time, Sierra Control Systems designed and built its own. These capabilities helped accelerate the company’s entry into the System Integrator ranks, while setting the company apart.
Today, SCS remains at the forefront of modern SCADA system suppliers. Their Series 900 controller, which is based on a Control Microsystems’ SCADAPack controller, has been deployed in hundreds of measurement and control applications throughout the West. The DNP3 protocol capabilities of these controllers can provide their customers with the latest in open architecture SCADA solutions, without the need to reengineer the products. Control Microsystems’ ClearSCADA SCADA host software nicely ties these systems together, creating a system that can meet the needs of the most demanding of customers.
Sierra Control Systems works closely with engineers at the Irrigation Training and Research Center at California Polytechnic State University, San Luis Obispo. The ITRC has developed a vast knowledge of irrigation system practices and flow studies that it shares with irrigation districts throughout California. ITRC assists the districts with engineering aimed at maximizing the efficient use of valuable water resources through monitoring and automated control. Sierra Control Systems has provided, installed, and tested gate monitoring/control telemetry units for several California and Nevada Irrigation Districts.
Sierra Control Systems is located in a 15,600 sq. ft. facility at 940 Mallory Way in Carson City, Nevada. Currently, SCS is headed by company president Jerry Kelley. Mr. Kelley has been with the company since its inception and is a major influence in the product integrity and engineering practices employed. Day-to-day operations are overseen by general manager Joel McMenamy. SCS provides skilled jobs for 22 local Nevadans. With a full-time staff of 7 engineers and the support of fabrication, manufacturing, test, field, and administrative resources, the company has never been busier.
SCS still uses state-of-the-art products from Control Microsystems in their “Series 900” controllers. Sierra Control Systems is an active Control Microsystems SCADA Partner Plus member and a major user of ClearSCADA. As new products come to market, SCS carefully evaluates their usefulness and reliability. The engineers continually update their knowledge of new software and hardware with manufacturers’ training, including reporting options and advanced HMI development.
Sierra Control Systems enjoys a long reputation for quality, reliability, and service. With decades of experience as a manufacturer of telemetry and control systems, and a pioneer in the field of systems integration of SCADA systems, Sierra Control Systems enters the new century with optimism. Sierra Control Systems, Inc. can be reached at (775) 883-0043 or their website: sierracontrols.com
Navy Seals the Deal with SCADA Partner
North American Industry Tech, Inc. (NAIT), a control systems integrator in Southern California, was given the privilege of replacing an existing potable water treatment plant control system for the Naval Air Facility in El Centro, CA about three years ago. The primary reason we were invited to the site was the Navy’s total dissatisfaction with the existing water treatment plant contract operators. The Navy wanted to replace the contract operators, but was fearful that a new contractor wouldn’t be able to operate the existing system. The existing water treatment plant control system was typical of most older systems, laced with many failing electrical subsystems and individual mechanical hardware components. It also seemed that it was being kept this way, perhaps in an effort to provide job security for the existing contract operators.
Prior to being awarded the project, we had some serious persuading to do. The Navy personnel were under the misguided notion that all of their hardware needed to be changed. They seemed to be focused on replacement of the filter units. After our preliminary survey, we found most of the existing hardware to be acceptable, with the only exception being the control system. The potable water filter units were, actually, the only things that seemed to be working well. All the sub-systems, however, were pretty much in shambles. For the Navy, they simply wanted a potable water treatment plant that was manageable, and worked well. This would allow them to change the contract operators, if they felt necessary, while maintaining a high quality water supply base-wide.
The potable water plant was composed of seven individual pump stations, with some operating on level controls, and some operating on pressure control. Several of these pump stations were part of the filter backwash batch routine, as well as the chemical controls. The plant’s existing primary control, performed by a rotating cam-type actuator with contact blocks, was totally dysfunctional. This resulted in the operators performing manual backwash functions whenever they thought it was needed, which turned out to be about every 2 or 3 days.
During the award process for the project, we assessed the issues at hand:
Problem #1: Political problems between the owner and the operation staff.
Problem #2: Owner’s belief that the whole plant had to be changed.
Problem #3: A high level of skepticism by the client that our proposed solution would solve their problems.
Ultimately, the client did finally commit to letting us help solve their problems.
Due consideration was taken to select the products because of the location of the plant (in the southern California Desert), having high desert temperatures, and exposed to a dusty environment. With its 158°F temperature rating and its resistance to the corrosive environment of salty, moist air found at the base, the Control Microsystems’ SCADAPack controllers were the obvious choice. Further, the high temperature rating allowed us to forgo control panel air conditioners. The model 357 was selected as its I/O count pretty much matched the I/O requirement per site.
For the SCADA management software, Control Microsystems’ ClearSCADA was considered and chosen because of several factors: its open architecture, open industry standard interfaces, such as OPC, ODBC, .NET for integration with business systems; an integrated event-based historian; and an integrated zero-configuration web server, making remote access easy.
As this was NAIT’s first experience working with SCADAPack controllers, it gave us a chance to work with new products and protocols. During program development, we found the SCADAPack programming almost identical to the Modicon series of controllers. The programming software for the controllers was similar enough that using TelePACE was a major plus. In short, we discovered that the price of a SCADAPack 357 was close to that of a Modicon Compact (with limited I/O), but we got (almost) all the I/O we needed for this fairly large project, plus the PLC programming software enabled us to hit the ground running. Additionally (and here’s the real icing on the cake), this controller has the same command set as the most expensive controllers you can buy, and it supports TCP/IP, USB, RS232, and RS485 right out of the box. We ended up using a primary control panel located in the water plant control building next to the Motor Control Center, with one remote terminal unit (RTU) located next to the filter units. The two panels communicate using Modbus over RS485.
Implementing ClearSCADA was an entirely different situation. The learning curve initially seemed steep, since ClearSCADA is dramatically different from the other SCADA software we had been using for the last 20 years. We can actually say though, five implemented systems later, we have found that using ClearSCADA as a SCADA management software saves development time and allows many more options without the laborious necessity of using custom programming, as opposed to configuration. We will never go back to the other HMI packages. The ease of connecting to end devices is one of the most important features of this software over all the others.
The control system implemented for the Navy has now been in operation for about 3 years. After the complete automation upgrade, the plant sits there most of the time making high quality potable water without operator intervention, as designed. It is worth mentioning that, since the upgrade, both filter units are rarely used; the plant almost always runs with only one of the two filters online, and backwashes automatically based on the water column within the filter unit. Our outdoor NEMA 4 RTU panel, which is located in an uncovered metallic enclosure regularly subjected to temperatures in excess of 115 degrees, has not experienced a single failure.
Since this level of automation was established at the plant, the Navy has cycled through three different contract operators until finding one they are happy with. They feel this would not have been possible without the plant running, and continuing to produce high quality potable water, on its own during the changeover and familiarity periods of the new operations staff.
At the conclusion of this project, we teamed with Control Microsystems as an Authorized SCADA Partner, and consider their products to be our frontline hardware and software.
— Kent Surratt, North American Industry Tech (NAIT)
Sage Siting
Control Microsystems is becoming Schneider Electric (continued)
Control Microsystems’ Evolution
Our evolution to Schneider Electric, the global specialist in energy management, re-affirms our commitment to provide you with innovative remote SCADA and telemetry solutions, best-in-class customer service, and exceptional quality in everything we do. We are proud to be your partner, and we are dedicated to helping you make the most of your energy.
About Schneider Electric:
As a global specialist in energy management with operations in more than 100 countries, Schneider Electric offers integrated solutions across multiple market segments, including leadership positions in energy and infrastructure, industrial processes, building automation, and data centres/networks, as well as a broad presence in residential applications. Focused on making energy safe, reliable, and efficient, the company’s 100,000 plus employees achieved sales of 15.8 billion euros in 2009, through an active commitment to help individuals and organizations “Make the most of their energy.” www.schneider-electric.com
determine little more than the fact that a message has been sent from one device to another. Encryption makes spying on and tampering with SCADA networks much more difficult.
The manner in which encryption is achieved is complex and requires the communicating devices to share secret knowledge. In general, this secret knowledge takes the form of a sequence of characters, known as a key. A good key has similar properties to a good internet password. It should be long and have random characters. Anyone who does not have the key cannot determine the meaning of the message without a great deal of effort. How much effort?
Like any form of physical or electronic security, encryption can be defeated, which is done by obtaining the key. There are different ways to obtain a key. A brute force approach involves testing random keys until the right key is found. This often requires a large sample of transaction data and lots of computer processing time. Some types of encryption might require hundreds of years of computer processing time to break in this way. The huge computational cost renders such an approach impractical. It is much easier to obtain a key by tricking operators or infiltrating computer systems and accessing stored keys, or even by breaking into a site and stealing a field device. This is where the onion model comes in. The other layers of security, like physical locks, operating procedures and separate corporate networks, keep the encryption key safe.
There is a price to be paid for the security of encryption. Firstly, encrypting and decrypting involve numerous mathematical calculations. A SCADA device must be powerful enough to perform these calculations while still carrying out its traditional tasks of communication, monitoring and control. Secondly, encrypted communications take up more bandwidth. All encrypted messages have extra header information to help handle routing and encrypting. Short messages must be stuffed with extra random bytes, so that the message type is not made obvious by its size. Lastly, the system’s configuration becomes more complicated, as all devices on an encrypted network must be given security keys. This cost of inconvenience is true of any kind of security, and is not limited to encryption. It can be minimised by having a common key for the entire network, but this will make the network more vulnerable should that single key fall into the wrong hands. At the opposite end of the security spectrum, every single pair of devices could have a security key. While this system would be more complex to set up, a large number of keys would have to be discovered before the system was seriously compromised.
Authentication – Challenge & Response
Authentication is the process of one part of a SCADA system proving its identity to another. Whenever a SCADA device receives commands to perform controls or respond with data, it will challenge the sending device using a special message. The sending device must then provide the challenge response. If the receiving device is satisfied with the challenge response, then it will act on the original command. Think of this like a bouncer demanding to see ID before he lets you into a nightclub: Challenge and Response.
Like encryption, authentication requires two SCADA devices to have a mutually known secret key. Whereas encryption uses its key to transform entire messages into encrypted bytes, challenges and challenge responses are created by using the key to create a special digital signature. The mathematics is similar to that of encryption, but only a small amount of data needs to be manipulated. This means that authentication is computationally far cheaper than encryption. Authentication prevents malicious parties from controlling the SCADA device, but it will not stop them from intercepting and reading messages.
At this point, it may seem like authentication is a stripped down version of encryption, but this is not true. Authentication guarantees that the sender of the control has the authority to perform that control. With encryption, the message could be forwarded from a SCADA device that is encrypting a message on behalf of a sender who does not have the authority to issue such a control. For example, a misconfigured peer device or a malicious user may be the source of the control, but without the authentication key, any such requests will be denied.
Authentication is associated with users. A user can be a device on the SCADA network or an operator using a piece of interface software. There can be a single generic authentication user used by all staff and devices on a network. At the other extreme, there can be an authentication user for each SCADA device and individual who needs to perform protected operations.
Authentication comes with costs similar to that of encryption. The extra processor performance overhead is smaller than that of encryption, but is still present. Extra bandwidth is required for the header information and Challenge/Response messages. Keys must still be managed properly, lest they fall into the wrong hands.
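The challenge and response exchange described above, as an added example (not code from the article or from Control Microsystems): the receiving device holds each control until the sender returns a keyed digest over a fresh challenge, and logs every decision. HMAC-SHA256, the message layout, the user name, the command strings and the keys are assumptions constructed for illustration; this is not the DNP3 wire format.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, challenge_id: int, nonce: bytes, command: bytes) -> bytes:
    """Keyed digest that binds a response to one challenge and one command."""
    msg = challenge_id.to_bytes(4, "big") + nonce + command
    return hmac.new(key, msg, hashlib.sha256).digest()


class Outstation:
    """Receiving device (hypothetical): challenges every control before acting."""

    def __init__(self, user_keys):
        self._user_keys = dict(user_keys)   # authentication user -> shared secret key
        self._pending = {}                  # challenge id -> (user, command, nonce)
        self._next_id = 0
        self.executed = []                  # commands actually acted on
        self.audit_log = []                 # (outcome, user, reason) for later review

    def receive_command(self, user: str, command: bytes):
        """Hold the command and return a fresh challenge instead of acting."""
        # The command itself arrives in the clear: authentication proves who
        # sent it, it does not hide what was sent.
        self._next_id += 1
        nonce = secrets.token_bytes(16)     # unpredictable, never reused
        self._pending[self._next_id] = (user, command, nonce)
        return self._next_id, nonce

    def receive_response(self, challenge_id: int, tag: bytes) -> bool:
        """Act on the held command only if the response proves key possession."""
        pending = self._pending.pop(challenge_id, None)   # a challenge is single use
        if pending is None:
            self.audit_log.append(("rejected", None, "unknown or already used challenge"))
            return False
        user, command, nonce = pending
        key = self._user_keys.get(user)
        if key is None:
            self.audit_log.append(("rejected", user, "no key configured for user"))
            return False
        expected = sign(key, challenge_id, nonce, command)
        if not hmac.compare_digest(expected, tag):        # constant-time comparison
            self.audit_log.append(("rejected", user, "bad challenge response"))
            return False
        self.executed.append(command)
        self.audit_log.append(("accepted", user, "challenge response verified"))
        return True


def demo():
    """Run the exchange for one legitimate sender and four failure cases."""
    operator_key = secrets.token_bytes(32)                # constructed sample key
    rtu = Outstation({"operator": operator_key})
    start = b"PUMP_3 START"                               # constructed sample command
    results = {}

    # Legitimate operator: holds the key, answers the challenge correctly.
    first_id, nonce = rtu.receive_command("operator", start)
    good_tag = sign(operator_key, first_id, nonce, start)
    results["legitimate"] = rtu.receive_response(first_id, good_tag)

    # Misconfigured peer device: same request, but it holds a different key.
    cid, nonce = rtu.receive_command("operator", start)
    wrong_tag = sign(secrets.token_bytes(32), cid, nonce, start)
    results["wrong_key"] = rtu.receive_response(cid, wrong_tag)

    # A previously valid response is useless later: the old challenge is spent,
    # and a new challenge carries a different nonce.
    new_id, _ = rtu.receive_command("operator", start)
    results["reused_old_challenge"] = rtu.receive_response(first_id, good_tag)
    results["reused_on_new_challenge"] = rtu.receive_response(new_id, good_tag)

    # A response computed for one command does not authorise a different one.
    cid, nonce = rtu.receive_command("operator", b"PUMP_3 STOP")
    results["different_command"] = rtu.receive_response(
        cid, sign(operator_key, cid, nonce, start))

    results["executed"] = list(rtu.executed)
    results["rejections_logged"] = sum(1 for e in rtu.audit_log if e[0] == "rejected")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Giving each operator and device its own entry in `user_keys`, rather than one generic user, is what lets the audit log attribute an accepted or rejected control to a specific sender.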
Choosing the layers
The government mandates the deployment of security technology for some SCADA systems, while leaving others free to use it or leave it. We must remember that, even within a security mandate, there is scope for choice about how to implement the security system: authentication or encryption, or both. Remember that encryption hides the messages on your SCADA network. If you have sensitive data being transmitted, you need to hide it. Authentication leaves the messages visible, but verifies the identity of the sender of the message. If you have critical controls, you need to guarantee they are legitimate.
Keys to Security
As previously mentioned, an encryption system can use a single key or a separate key for every communication link in the system, depending on the desired complexity. An authentication system can have a generic user or a user for every operator and SCADA device. More keys mean more security, as well as more overhead in keeping the keys up-to-date and secure. While it is difficult to generalize this decision, a straightforward choice is authentication keys for a few categories of users and encryption keys for several logical subgroups of the SCADA network. Perhaps the wisest approach is to start with a very simple security setup and revise it upwards as the organisation becomes more familiar with a secure SCADA system.
It is beyond the scope of this article to discuss the many other aspects of security, but keep in mind that the other security layers will need to protect the keys of the encryption and authentication layers. Well secured physical sites, good log auditing and disciplined key distribution and update procedures all go a long way towards this end.
The ever expanding digital age means that cyber security issues are with us and are here to stay. It is in everyone’s interest to be informed about SCADA security. Encryption and authentication are the newest layers in a comprehensive plan for a secure SCADA network. Layer upon layer upon layer, just like the onion.
— Metin Ozturk, Senior Engineering Specialist and SCADA Analyst, Control Microsystems, a Schneider Electric Company
WIRELESS
• Spread Spectrum & Licensed Radios
• Broad-band Mesh Networks
• Wireless Transmitters
SCADA
• HMI Software & Controllers
• Out-of-the-Box Pump Controller
• WIN-911 Alarm Notification Software from Specter Instruments
• KYOCERA Solar Arrays & Charge Controllers
SECURITY
• Analog & IP Cameras, Video Surveillance Hardware & Software
• PureActiv Video Analytics & Camera Management
Acknowledgements: SCADAPack™, FlowStation™, and ClearSCADA™ are trademarks of Control Microsystems Inc. Win-911® is a registered trademark of Specter Instruments. HotPort™, HotClient™, and HotView™ are trademarks of Firetide, Inc. Firetide® is a registered trademark of Firetide, Inc.
Calendar of Events
September 9, 2010: CWEA/Tri-Counties September Workshop & Exhibit, San Luis Obispo, CA
September 14, 2010: CWEA/San Diego Section & SDCWWG 3rd Annual Joint Vendor Fair, Poway, CA
September 16, 2010: CWEA Northern Regional Training Conference, Modesto, CA
September 28-29, 2010: Tri-State Seminar on the River, Primm, NV
October 2-6, 2010: WEFTEC ’10 – 83rd Annual Technical Exhibition & Conference, New Orleans, LA
October 5-8, 2010: CA-NV AWWA 2010 Fall Conference, Sacramento, CA
Oct 17-19, 2010: Control Microsystems’ 2010 SCADA & Wireless Instrumentation Symposium*, San Antonio, TX
October 26, 2010: ISA/Orange County Section AutomationOC Expo & Oktoberfest, Huntington Beach, CA
November 3, 2010: Free SCADA Seminar*, Newport Beach, CA
November 4, 2010: Free SCADA Seminar*, Walnut Creek, CA
November 15-17, 2010: SCADAPack TelePACE Studio Training*, Mill Valley, CA
December 13-16, 2010: ClearSCADA Training Course*, Corte Madera, CA
February 1-3, 2011: DistribuTECH 2011 Conference & Exhibition, San Diego, CA
February 15-17, 2011: SCADAPack TelePACE Studio Training*, Mill Valley, CA
February 28 – March 3, 2011: ClearSCADA Training Course*, Mill Valley, CA
April 13-14, 2011: CWEA Annual Conference, Ontario, CA
*Download the registration form from our website or call for more information.