Data Reliability and Data Security Considerations for SCADA Systems
Dan Ehrenreich, Motorola Inc.
Presented at ENTELEC 2004, www.entelec.org, April 14-16, 2004, San Antonio, Texas
Overview

Supervisory Control and Data Acquisition (SCADA) solutions provide a base for improved monitoring and management of oil and gas installations such as pipelines, production sites, valve installations, compressor stations and other remote sites. Customers have learned over the years that SCADA plays an important part in upgrading operating productivity, reducing maintenance costs, minimizing the number of outages, helping to avoid difficult problems and leading to safer operation of the entire infrastructure. To achieve these goals one must implement a solution that is based on reliable communications and utilizes a suitable data protocol. Among the popular communication media used in these systems are fiber-optic links, telephone and leased lines, VHF/UHF conventional radio including 800 MHz trunked radio, analog and digital wireless networks, UHF Multiple Address Systems (MAS), spread spectrum communication, microwave, satellite, etc. In a complex system one may have to utilize a combination of several media types, carefully selected for each segment of the SCADA network. When designing the wireless communications between field-installed Remote Terminal Units (RTU) and the Master Control Center (MCC) computer, the system integrator must pay great attention to the issues particular to the selected media. This paper focuses on three aspects of SCADA communication technology: a network-capable protocol, data reliability and network-wide data communication security, all of which are very important subjects for the SCADA industry.
Seven-Layer Protocol

As one cannot be an expert in all aspects of SCADA solutions, it may be difficult for a non-communication engineer to select the right communication architecture and to distinguish between the available data protocols. These decisions may have to take into consideration the actual application as well as the system characteristics. Occasionally one must select a suitable data protocol for wireless communication and another protocol for connection to intelligent sensors, low-hierarchy Programmable Logic Controllers (PLC), etc. Figure 1 below briefly outlines the key features of the seven-layer Open System Interconnection / International Organization for Standardization (OSI/ISO) protocol concept. The key advantages of this method are that each layer has its dedicated function and that changes in a specific layer have no effect on functions specified in another layer.
• The lowest level is the Physical Layer, and it handles the physical/electrical network interface definitions and the channel access mechanism. This layer is configured according to the utilized media (radio, fiber-optic lines, satellite, etc.), and in the implementation described here it also participates in the error handling process, using the Cyclic Redundancy Check (CRC) code packed with each data frame. (Strictly, in the OSI model the CRC check belongs to the Data Link Layer; the Physical Layer only delivers the raw bits.)
• The layer above the Physical Layer is the Data Link Layer, and its role is to establish and confirm the integrity of the transmitted frames between two entities (or sites).
• The Network Layer provides truly important benefits to the system operation, as it allows seamless routing of the data frames across the network, directly from point to point as well as via multiple communication nodes.
• The Transport Layer handles fragmentation and de-fragmentation of the messages (into frames) and provides means for connection management. It is also utilized to provide end-to-end confirmation to the source site that an error-free message was received at the destination site. In addition, this layer may handle data security functions as well.
• The Session Layer enables conducting multiple simultaneous sessions/dialogues in the network between two entities. In practice this feature helps to boost the overall data communication efficiency and to achieve better results within a given bandwidth.
• The Presentation Layer is next to the top of the protocol stack. Here the data is packed or unpacked, ready for use by the running application. Functions such as protocol conversion, encryption/decryption and graphics expansion may take place here.
• The top-level Application Layer actually allows implementing the "real thing" related to the RTU operation, such as file transfer, data access and management, diagnostics, programming and configuration, document and message interchange, job transfer, etc.
Figure 1. Description of the ISO/OSI Protocol Stack (diagram not reproduced; the layer descriptions it carried are listed here, top to bottom)

End user application process
• Application Layer: includes all transactions related to SCADA system operation
• Presentation Layer: provides means for protocol conversion, encryption/decryption
• Session Layer: provides means for multiple entities to exchange data simultaneously
• Transport Layer: handles data fragmenting and confirming end-to-end data integrity
• Network Layer: provides redundancies and routing of messages via network links
• Link Layer: provides means to establish, maintain and terminate connections
• Physical Layer: defines the physical and electrical interface to the network
Data communication network
Networked Communications

Operation of wide area SCADA systems often requires use of both a wireless and a physical-link communication network. Here the Network Layer allows each RTU to act as a digital Store and Forward (S&F) repeater (linking sites over the same wireless channel) as well as allowing routing of the data via communication nodes (linking remote sites that use different media). Some RTUs installed at the larger SCADA sites may communicate via an Ethernet connection, a fiber-optic link or other quality wireless media, enabling high-speed Internet Protocol (IP) connectivity using a Serial Line IP (SLIP) connection or the Point-to-Point Protocol (PPP). As shown in Figure 2 below, some of the RTUs are configured to serve as a data communication node, routing the monitored data and commands to and from other RTUs that have neither a physical link nor a direct wireless link to the MCC. Most three-layer protocols, including IEC 60870-5-101 and DNP 3.0, do not have a Network Layer, and therefore RTUs running them cannot be utilized as a communication node. Using the seven-layer protocol, these RTUs examine each received frame to determine whether it was directed to their own site or is to be resent to another RTU or to the Front End Processor (FEP). RTUs acting as an S&F repeater or as a communication node forward each received frame to its final destination (or to the next intermediate node). This transmission may also include frames that belong to different, unrelated simultaneous sessions. Once the data transaction among the sites is done and a complete message reaches its final destination (RTU site), the destination RTU sends an "end-to-end" acknowledgement to the source RTU (or FEP, or vice versa) via the Transport Layer, confirming the message integrity. Occasionally, if part of the network or a specific RTU (serving as a communication node) fails and cannot communicate with the designated site, the transmission is not confirmed at the Transport Layer level. Prior to canceling that message, the Network Layer may reroute the related frames via a backup link, as illustrated in Figure 2 below. Having such an option embedded in the communication process provides an even higher level of data reliability, as messages may reach their destination in spite of a temporary or permanent malfunction of a link.

Figure 2. Network Communications in a SCADA System (diagram not reproduced; it shows a Primary MCC and a Secondary MCC on a local Ethernet with an IP gateway, a printer and the main ToolBox; RTUs serving as data communication nodes linked over wireline, line-based IP, SLIP and radio (S&F) links, each with a prime link and a backup link; and a remote ToolBox on a remote Ethernet)
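The rerouting described above, worked through as an added example in Python (this is not code from the paper and not Motorola's protocol implementation). The topology, the link costs (prime links 1, backup links 5), the failed node and the rule that an unacknowledged hop is marked down are all constructed for illustration; the point it shows is that a Transport-Layer message whose end-to-end acknowledgement never arrives is retried by the Network Layer over the backup link instead of being cancelled.

```python
# Added example (not part of the original paper and not Motorola/MOSCAD code):
# a minimal network-layer router with store-and-forward hops, a backup link and
# an end-to-end acknowledgement. Topology, link costs and the failure are constructed.
import heapq

# Constructed topology in the spirit of Figure 2: the FEP reaches RTU-3 only via
# intermediate RTUs. Prime links cost 1, backup links cost 5, so the prime path is
# preferred while every node is up. Links are bidirectional.
LINKS = {
    ("FEP", "RTU-1"): 1,
    ("RTU-1", "RTU-2"): 1,   # prime path to RTU-3 runs through RTU-2
    ("RTU-2", "RTU-3"): 1,
    ("RTU-1", "RTU-4"): 5,   # backup path runs through RTU-4
    ("RTU-4", "RTU-3"): 5,
}


def neighbours(node, known_down):
    """Yield (next_hop, cost) for links out of node, skipping nodes known to be down."""
    for (a, b), cost in LINKS.items():
        if a == node and b not in known_down:
            yield b, cost
        if b == node and a not in known_down:
            yield a, cost


def find_route(src, dst, known_down=frozenset()):
    """Lowest-cost path from src to dst (Dijkstra), or None if dst is unreachable."""
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return path
        if cost > best[node]:
            continue          # stale heap entry
        for nxt, c in neighbours(node, known_down):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None


def store_and_forward(path, actually_down):
    """Walk the frame hop by hop. Each intermediate RTU checks whether the frame is
    for itself and otherwise resends it. Returns (hops reached, node that failed or None)."""
    reached = []
    for node in path[1:]:
        if node in actually_down:
            return reached, node      # link-layer retries to this hop time out
        reached.append(node)
    return reached, None


def send_message(src, dst, actually_down=frozenset(), max_routes=3):
    """Transport-layer view of one message: route it, wait for the end-to-end ack,
    and let the network layer reroute around a node that did not respond."""
    known_down, routes = set(), []
    for _ in range(max_routes):
        path = find_route(src, dst, known_down)
        if path is None:
            break
        routes.append(path)
        reached, failed = store_and_forward(path, actually_down)
        if failed is None:
            # Destination got the complete message; the ack travels the reverse path.
            return {"delivered": True, "routes": routes, "ack_path": path[::-1]}
        known_down.add(failed)    # no ack: mark the silent hop and try a backup link
    return {"delivered": False, "routes": routes, "ack_path": None}


if __name__ == "__main__":
    for down in (set(), {"RTU-2"}, {"RTU-2", "RTU-4"}):
        print(sorted(down), "->", send_message("FEP", "RTU-3", down))
```

With RTU-2 down the first route (FEP, RTU-1, RTU-2, RTU-3) produces no acknowledgement, RTU-2 is marked down and the message is delivered over (FEP, RTU-1, RTU-4, RTU-3); with both RTU-2 and RTU-4 down no route remains and the message is reported as undelivered rather than silently lost.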
Data Reliability Considerations

Use of efficient error handling is especially important for wireless SCADA systems that operate in "Report-by-Event" rather than "Polling" mode, since here more than one RTU may detect the same problem at the same time. Should this occur, several RTUs may send an unsolicited message to the FEP, and as a result some of these frames might "collide" over the network and get damaged. The selected SCADA protocol must include a reliable error handling mechanism, specifically optimized for the type of communication media used by the customer. When dealing with wireless networks the following error handling mechanisms are typically implemented:

a) Forward Error Correction (FEC) is widely used for non-critical mobile wireless communications. Here the error correction code is packed along with the data, and it adds quite a large overhead to the message. Upon receiving the message, the device at the destination is capable of detecting as well as correcting a limited number of bit errors. This principle works well subject to two conditions: first, the initial Bit Error Rate (BER) is very low, and second, a failure to correct the bit string must not lead to a critical/dangerous event. An FEC code can only correct up to a fixed number of errors per block; if more bits are damaged, including bits of the check symbols themselves, the block may be mis-corrected rather than rejected. Consequently, one may consider using this method for wireless fax, paging, voice and image communication, but not for SCADA communications.

b) Error handling by a Frame Retry Mechanism (in data communication terms, a selective-repeat ARQ) is a more reliable process compared to the FEC method. Here, all frames sent from one RTU (or data node) to another RTU (or data node), or from an RTU to the FEP, or vice versa, are checked for errors at the Link Layer level. This process can provide a single confirmation message that refers to all healthy frames, regardless of whether they belong to the same message or to different simultaneous sessions transmitted among the related nodes or sites. Upon receipt of a "partial confirmation", the sending site resends only the faulty frames, and the receiving site again tests the integrity of the resent frames and reconfirms receipt of the healthy ones.
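The frame retry mechanism in (b), worked through as an added example in Python; it is not code from the paper or from Motorola's protocol. Assumed for illustration: a CRC-16/CCITT frame check, a frame layout of one sequence byte, the payload and a 2-byte CRC, a partial confirmation expressed as the set of healthy sequence numbers, and a constructed channel that damages specific frames in specific rounds. A damaged frame is discarded on the CRC check and only that frame is resent.

```python
# Added example (not from the paper and not Motorola/MOSCAD code): a link-layer
# CRC check with a selective frame retry ("partial confirmation"). The CRC-16/CCITT
# parameters, the frame layout seq(1) | payload | crc(2) and the noisy channel
# are assumptions made for illustration.


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE: check value for b'123456789' is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(seq: int, payload: bytes) -> bytes:
    body = bytes([seq]) + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def check_frame(frame: bytes):
    """Return (seq, payload) when the CRC matches, otherwise None (frame discarded)."""
    if len(frame) < 3:
        return None
    body, crc = frame[:-2], int.from_bytes(frame[-2:], "big")
    if crc16_ccitt(body) != crc:
        return None
    return body[0], body[1:]


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Damage one bit, standing in for a collision on the radio channel."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def receive_batch(frames):
    """Receiver: test every frame and return {seq: payload} of the healthy ones.
    The keys of this dict are the 'partial confirmation' sent back to the sender."""
    healthy = {}
    for frame in frames:
        result = check_frame(frame)
        if result is not None:
            healthy[result[0]] = result[1]
    return healthy


def send_with_retry(message: bytes, chunk: int, channel, max_rounds: int = 4):
    """Sender: fragment into frames, transmit, then resend only unconfirmed frames.
    channel(round_no, frame) models the medium. Returns (reassembled message, rounds)."""
    chunks = [message[i:i + chunk] for i in range(0, len(message), chunk)]
    pending = {seq: build_frame(seq, c) for seq, c in enumerate(chunks)}
    received, rounds = {}, 0
    while pending and rounds < max_rounds:
        rounds += 1
        confirmed = receive_batch(channel(rounds, f) for f in pending.values())
        received.update(confirmed)
        for seq in confirmed:          # only the faulty frames stay pending
            pending.pop(seq, None)
    if pending:
        raise RuntimeError(f"frames {sorted(pending)} not confirmed after {rounds} rounds")
    return b"".join(received[s] for s in sorted(received)), rounds


# Constructed channel: frame 1 and frame 3 collide in round 1, frame 3 again in round 2.
DAMAGED = {(1, 1), (1, 3), (2, 3)}


def noisy_channel(round_no: int, frame: bytes) -> bytes:
    return flip_bit(frame, 13) if (round_no, frame[0]) in DAMAGED else frame


def demo():
    """Run a constructed report-by-event message through the noisy channel."""
    return send_with_retry(b"PRESSURE=612kPa;VALVE=OPEN", 8, noisy_channel)


if __name__ == "__main__":
    print(demo())
```

The 26-byte message becomes four frames; two are damaged in the first round and one of them again in the second, so the message is complete after three rounds and only three frames were ever retransmitted. The bounded retry count matters on a radio channel: a frame that never gets through must surface as an error at the Transport Layer rather than loop forever.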
Data Security Considerations

Today, more than ever before, utilities and operators are concerned about the secure operation of their systems, and data communications therefore plays an important role in modern SCADA systems. As mentioned above, the data networking and data reliability features of the selected protocol are extremely important for making the system work properly. However, one must not downplay the importance of communication security, as SCADA is considered part of the critical infrastructure. This is especially true for oil and gas SCADA systems and pipelines, as control of these systems requires wireless communication over a wide geographical area. When discussing this subject there are two major concerns to be considered: illegal monitoring of the SCADA system operation, and intrusion into the SCADA system. Three possible security protection measures help to reduce these risks:

a) Password Protection is the most basic protection level, and it helps to avoid unintended cross-communication via RTUs between two unrelated SCADA systems. Here each message carries a Password Code, which eliminates such communication even if the involved RTUs use the same channel and even if, for whatever reason, they use the same system address. Note that a password code carried in every frame is itself visible to anyone who monitors the channel; it separates systems that share a channel, but it does not by itself keep out a deliberate intruder.

Note: While dealing with data security at the MCC level, there are usually three password levels: operator level, administrator level and programmer level. This relates to a completely different issue, not covered in this paper.

b) Data Encryption is the next level of SCADA system protection, and its purpose is to minimize the possibility that someone may "listen" to the communication channel and monitor the system operation (i.e. the transmitted data and commands). SCADA systems typically utilize the Tiny Encryption Algorithm (TEA), which operates on 64-bit (8-byte) blocks with a 128-bit key made of four 32-bit words; a key of only 8 or 16 bits could be searched exhaustively in moments and must not be used. Here the encryption is applied to the "frame", which is the smallest component in the data protocol. The seven-layer protocol concept is especially suitable for implementing encryption, and this process can be implemented either in the Transport or the Presentation Layer of the seven-layer data protocol (see Fig. 1 above). Correct receipt and processing of the received message requires use of the particular "key" stored in the RTU, which in a highly critical system is periodically replaced. Note that encryption alone provides confidentiality, not integrity: a listener who cannot read a frame may still be able to record and replay it, which is why the measure below is needed in addition.

c) Authentication is a higher security measure implemented for SCADA system protection. Its purpose, as used in this paper, is to limit the time validity of a transmitted message to a few seconds from its first transmission, so that a recorded message cannot be reused later. Implementation of Data Authentication of course requires that the utilized data protocol support transmission of time-stamped messages as well as network-wide synchronization of the clocks embedded in the field RTUs. Furthermore, it is noted here that the Authentication process for the "Data" is performed at the Link Layer level, while authentication of the "Time Stamp" synchronization is performed at the Physical Layer level. A practitioner should note that this time-stamp check defends against replay; proving that a message came from a particular sender additionally requires a keyed integrity check (a message authentication code) computed with a key that only the legitimate RTUs hold, which is outside the scope of this paper.

Note: The widely used data protocols DNP 3.0 and IEC 60870-5-101 did not support authentication at the time of writing (2004). The MODBUS protocol is even weaker from this point of view, as it does not support transmission of time-stamped messages.
Figure 3 below outlines a secured SCADA system, including both network elements and RTUs, which are linked to the unauthenticated as well as the authenticated (red frame) part of the network. As shown, the Synchronizing Server (SS) RTU provides a precise time reference to the RTUs marked as Synchronized Client (SC). Some RTUs in the system perform both SS and SC functions, as they provide the interface to the non-secured part of the network. Transmission of authenticated messages via the network makes it impractical for anyone to intrude into the SCADA system and cause a problem by retransmitting a message that was earlier illegally captured and recorded, since such a message is rejected once its time validity has expired.
Encryption and Authentication are different processes that address different threats: encryption keeps a listener from reading the traffic, while authentication (as described above) keeps a recorded message from being reused. Both methods can be combined in the same SCADA system. They may operate simultaneously without interfering with each other, thus further boosting the SCADA system security level.
Figure 3. Authenticated Data System (diagram not reproduced; it shows the SCADA Central connected over an IP network and an IP gateway to an authenticated sub-network of RTUs, with a legend distinguishing SC (Synchronized Client), SS (Synchronizing Server) and SC/SS (Client/Server) RTUs, authenticated links over RS-232, RS-485 and radio (RF), and unauthenticated links over IP (Line 1) and dial-up PSTN)
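The combination of encryption (b) and time-stamp authentication (c) described above, as an added example in Python; this is not code from the paper or from Motorola. It assumes TEA in ECB mode over 8-byte blocks with a 128-bit key, a clear-frame layout of a 4-byte seconds counter, a 1-byte payload length, the payload and zero padding, a 5-second validity window, and a receiver that remembers the frames it accepted so that a duplicate inside the window is rejected as well; the key, clock values and payload are constructed. The same receiver rejects the same captured frame once as a duplicate and once as stale.

```python
# Added example (not from the paper and not Motorola/MOSCAD code): TEA encryption
# of a frame with a 128-bit key, combined with the time-validity check described
# under Authentication. Assumptions: TEA runs in ECB mode over 8-byte blocks, the
# clear frame layout is ts(4) | len(1) | payload | zero padding, and the receiver
# remembers accepted frames within the window so that a duplicate is rejected.
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, k, rounds=32):
    """Standard TEA: 64-bit block (v0, v1), key k = four 32-bit words (128 bits)."""
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) + k[0]) & MASK) ^ ((v1 + s) & MASK) ^ (((v1 >> 5) + k[1]) & MASK))) & MASK
        v1 = (v1 + ((((v0 << 4) + k[2]) & MASK) ^ ((v0 + s) & MASK) ^ (((v0 >> 5) + k[3]) & MASK))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) + k[2]) & MASK) ^ ((v0 + s) & MASK) ^ (((v0 >> 5) + k[3]) & MASK))) & MASK
        v0 = (v0 - ((((v1 << 4) + k[0]) & MASK) ^ ((v1 + s) & MASK) ^ (((v1 >> 5) + k[1]) & MASK))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def key_words(key: bytes):
    """TEA takes exactly 128 bits; a shorter key (e.g. 8 or 16 bits) is refused."""
    if len(key) != 16:
        raise ValueError("TEA requires a 16-byte (128-bit) key")
    return struct.unpack(">4I", key)


def tea_ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    k = key_words(key)
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack(">2I", *fn(*struct.unpack(">2I", data[i:i + 8]), k))
    return bytes(out)


def seal_frame(payload: bytes, ts: int, key: bytes) -> bytes:
    """Sender: prepend the RTU clock (seconds) and payload length, pad, encrypt."""
    if len(payload) > 255:
        raise ValueError("payload too long for the 1-byte length field")
    clear = struct.pack(">IB", ts, len(payload)) + payload
    clear += b"\x00" * (-len(clear) % 8)
    return tea_ecb(clear, key, True)


class Receiver:
    """Receiver: decrypt, then enforce the time-validity window and reject replays."""

    def __init__(self, key: bytes, window_s: int = 5):
        self.key, self.window, self.seen = key, window_s, set()

    def accept(self, frame: bytes, now: int):
        if len(frame) % 8:
            return None, "bad length"
        clear = tea_ecb(frame, self.key, False)
        ts, n = struct.unpack(">IB", clear[:5])
        payload = clear[5:5 + n]
        if abs(now - ts) > self.window:
            return None, "stale"            # recorded earlier, replayed too late
        if (ts, payload) in self.seen:
            return None, "replay"           # replayed inside the window
        self.seen.add((ts, payload))
        return payload, "ok"


def demo():
    """Legitimate frame, the same frame replayed at once, and again a minute later."""
    key = bytes(range(16))                  # constructed key; rotate it in real deployments
    frame = seal_frame(b"CLOSE VALVE 7", 1_000_000, key)
    rx = Receiver(key)
    return [rx.accept(frame, 1_000_002)[1], rx.accept(frame, 1_000_003)[1], rx.accept(frame, 1_000_060)[1]]


if __name__ == "__main__":
    print(demo())
```

Two limits of this scheme are worth keeping in mind. The window only works if the RTU clocks are synchronized to within a fraction of it, which is why the paper requires network-wide time synchronization. And ECB leaks repetition: two frames whose second and later 8-byte blocks carry the same bytes produce identical ciphertext for those blocks, so a short fixed command set is recognisable on the channel even when it cannot be read; a mode that chains blocks, and a keyed integrity check, would close that gap but are not part of what the paper describes.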
Summary and Conclusions

Communications reliability and data networking play a major role in SCADA systems that utilize wireless communication. The advanced features achieved by using the ISO/OSI-compatible seven-layer protocol produce enhanced data reliability, networked communications and data security. These subjects were specifically highlighted in this paper since SCADA engineers who lack expertise in data communications might overlook the importance of selecting the optimal communication media and data protocol. Experience shows that implementation of an error handling method based on a Frame Retry Mechanism minimizes the probability of a faulty message passing through the SCADA network and reaching its destination without being detected and properly handled. Furthermore, each of the layers validates the data integrity, hence providing enhanced system operation reliability. Another major advantage of this concept is that occasional modifications in the communication network structure will neither affect the application program nor risk the functioning of the SCADA application. Furthermore, this method allows convenient implementation of additional functions such as system diagnostics, remote calibration, smart RTU decisions based on data imported from other RTUs, update of programs via the network, download and upload of new operating parameters, etc. While some three-layer protocols such as DNP 3.0 or IEC 60870-5-101 may achieve similar SCADA system processes through application-layer programming, in seven-layer ISO/OSI protocols these functions are "built in" within the Link, Network and Transport Layers. In addition, a seven-layer protocol that carries a password code, an encrypted payload and a time stamp in each frame offers protection that a protocol such as MODBUS, which has no such fields, cannot provide. Consequently, the integration of advanced seven-layer communication protocols optimized for wireless communication generates major operating and cost benefits to the customer and more than justifies the additional investment.

Note: Transmission of encrypted data messages (even in private data systems) is in some countries subject to government regulation, and operators must obtain permission prior to investing in the implementation of such a system.
About the Author

Dan Ehrenreich is the Marketing Manager for SCADA business development at Motorola. Dan's tasks include development of MOSCAD-based solutions for electricity and oil and gas automation systems, establishment of alliances with business partners, market studies, and development of new applications. Dan has a Bachelor's degree in Electronics Engineering from Ben-Gurion University in Israel, and during the last 20 years he has been involved in marketing and customer support for SCADA and data communications. He has been with Motorola since 1991, and he also provides sales support for Motorola SCADA solutions to customers based in Central and Latin America. Dan can be contacted via email:
[email protected]