
Alert modeling on supervisory control and data acquisition system with remote terminal unit


Academic year: 2021



COPYRIGHT AND CITATION CONSIDERATIONS FOR THIS THESIS/DISSERTATION

* Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
* NonCommercial: You may not use the material for commercial purposes.
* ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

How to cite this thesis: Surname, Initial(s). (2012) Title of the thesis or dissertation. PhD. (Chemistry)/ M.Sc. (Physics)/ M.A. (Philosophy)/M.Com. (Finance) etc. [Unpublished]: University of Johannesburg. Retrieved from: https://ujcontent.uj.ac.za/vital/access/manager/Index?site_name=Research%20Output (Accessed: Date)

ALERT MODELING ON SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEM WITH REMOTE TERMINAL UNIT

By A.K. Dey

Thesis submitted to the Electrical & Electronics Engineering Department of the University of Johannesburg for the degree of Master of Engineering in Electrical Engineering, June 2015.

PREFACE

First and foremost, I would like to thank my supervisor, Prof. Bhekisipho Twala, for guiding and supporting me throughout my research. Advice given by him has always been valuable in accomplishing the goal of my research and has helped me stay on an accurate path during the whole time of my research.

ABSTRACT

Supervisory control and data acquisition (SCADA) systems have evolved from standalone, compartmentalized operations into networked architectures that communicate across large distances. In addition, their implementations have migrated from custom hardware and software to standard hardware and software platforms. These changes have reduced development and operational costs, and they provide executive management with real-time information that can be used to support planning, supervision, and decision making. For reasons of efficiency and maintenance, data acquisition and control platforms have migrated from isolated in-plant networks secured by proprietary hardware and software to Remote Terminal Units using standard software, network protocols, and the Internet. Control engineering may be absorbed into, or closely integrated with, the corporate software. Integrating SCADA data collection and alert monitoring with corporate customer data gives management an increased ability to run the organization more efficiently and effectively. This thesis provides a conceptual analysis for the creation of a SCADA network security exploration alert. A framework application using common SCADA network security logic is created as a proof of concept. Development of a viable alert system for identifying SCADA network exploration remotely will help improve critical infrastructure security by improving situational awareness for network managers.

TABLE OF CONTENTS

1. FUNDAMENTAL SUPERVISORY CONTROL & DATA ACQUISITION SYSTEM
   1.1. INTRODUCTION (p. 11)
   1.2. DATA LOGGING (p. 13)
   1.3. DISTRIBUTED DATA ACQUISITION SYSTEM (p. 14)
   1.4. I/O SYSTEM (p. 15)
2. SCADA NETWORK SECURITY
   2.1. INTRODUCTION (p. 25)
   2.2. SCADA NETWORK ATTACKS (p. 25)
   2.2.1. PASSIVE ATTACKS (p. 25)
   2.2.2. ACTIVE ATTACKS (p. 26)
   2.3. SYMMETRIC ENCRYPTION (p. 27)
   2.4. TRAFFIC PADDING (p. 28)
   2.5. MESSAGE AUTHORIZATION (p. 29)
   2.6. SECURITY SERVICE FOR SCADA (p. 30)
   2.7. SCADA NETWORK MANAGEMENT SYSTEM (p. 33)
   2.8. SIMPLE NETWORK MANAGEMENT PROTOCOL (p. 33)
   2.9. VIRTUAL NETWORK (p. 35)
   2.10. SECURITY IMPLEMENTATION (p. 37)
   2.11. EDGE SECURITY (p. 38)
3. REMOTE TERMINAL UNIT BASE CONTROL
   3.1. INTRODUCTION (p. 40)
   3.2. DIGITAL CONTROL SYSTEM (p. 40)
   3.2.1. HARDWARE CONFIGURATION (p. 42)
   3.2.1.1. SINGLE LOOP CONTROLLERS (p. 43)
   3.2.1.2. MULTIPLE-LOOP CONTROLLERS (p. 43)
   3.2.2. SOFTWARE CONFIGURATION (p. 44)
   3.2.2.1. ERROR (p. 45)
   3.2.2.2. PROPORTIONAL MODE (p. 45)
   3.2.2.3. INTEGRAL MODE (p. 47)
   3.2.2.4. DERIVATIVE MODE (p. 47)
   3.2.2.5. PID CONTROL MODE (p. 49)
4. OBJECT LINK EMBEDDING DESIGN
   4.1. OPEN PROCESS CONTROL (p. 51)
   4.2. OPC UNIFIED ARCHITECTURE (p. 54)
   4.3. COMPUTER AIDED TECHNOLOGY (p. 55)
   4.4. WEB SERVICE (p. 56)
   4.5. NETWORK BASE SCADA SYSTEM (p. 59)
   4.6. WEB APPLICATION (p. 60)
   4.7. SQL SERVER (p. 61)
   4.8. WEB BROWSER AND SERVER PROTOCOL (p. 62)
   4.9. FRAMEWORK FOR SOFTWARE DEVELOPMENT (p. 63)
   4.10. TRANSPORT LAYER SECURITY (p. 65)
   4.11. OPC ALERT OPERATION (p. 66)
5. REMOTE TERMINAL UNIT INTERFACE
   5.1. INTRODUCTION (p. 68)
   5.2. RTU ARCHITECTURE (p. 69)
   5.3. RTU PROTOCOL (p. 70)
   5.4. ASCII TRANSMISSION MODE (p. 71)
   5.5. RTU TRANSMISSION MODE (p. 71)
   5.6. PROTOCOL MESSAGE FRAMING (p. 71)
   5.7. RTU FRAMES (p. 72)
   5.8. RTU FUNCTION MODE (p. 73)
   5.9. RTU MODE ADDRESS (p. 74)
   5.10. RTU MODE FUNCTIONS (p. 75)
   5.11. RTU DATA FIELD FUNCTION (p. 75)
   5.12. TRANSMITTER PROTOCOL ERROR CHECKING (p. 76)
   5.13. MODELING PRINCIPLE (p. 76)
   5.14. RTU FRAME FORMAT (p. 78)
   5.14.1. RTU ENCODER MODULE (p. 80)
   5.14.2. RTU DECODER MODULE (p. 82)
   5.15. RTU DESIGN (p. 83)
6. SCADA ALERT MODELING
   6.1. INTRODUCTION (p. 85)
   6.2. SCADA NETWORK SECURE REQUIREMENT (p. 87)
   6.3. OUTLINE OF TRAP DETECTOR (p. 88)
   6.4. HONEYPOT SETUP (p. 90)
   6.5. PLC SIMULATION (p. 93)
   6.6. INDIVIDUAL DEVICE SIMULATION (p. 94)
   6.7. IMPLEMENTATION OF SCADA NETWORK (p. 95)
   6.8. HONEYPOT IMPLEMENTATION (p. 99)
   6.9. SNMP CONFIGURATION (p. 100)
   6.10. EVALUATION LOGGING CONTROL (p. 102)
   6.11. TARGET OF ATTACK (p. 105)
   6.12. OPERATION SYSTEM UPGRADE (p. 106)
   6.13. SIMULATION WITH LOGIC CONTROL (p. 108)
   6.14. LOGS SYSTEM FORMAT (p. 109)
   6.15. VULNERABILITY MODULES (p. 112)
   6.16. ALERT MONITORING (p. 113)
7. REMARKS AND CONCLUSION (p. 115)
8. REFERENCES (p. 118)

FIGURE LIST

1.1. Basic Data Acquisition System (p. 14)
1.2. 256 channel data acquisition with single microprocessor (p. 15)
1.3. A wireless I/O system (p. 16)
1.4. Topology (p. 20)
1.5. Transmitted signal (p. 22)
1.6. Received signal (p. 23)
1.7. (a) Transmitter, (b) Receiver of the FHSS system (p. 24)
2.1. Message authentication using MAC (p. 30)
2.2. SSL protocol stack (p. 31)
3.1. Direct digital control (p. 41)
3.2. Basic microprocessor-based control system (p. 42)
3.3. Smart sensor based single loop controller (p. 44)
3.4. Multiple-loop controllers (p. 46)
3.5. Flow chart for proportional mode (p. 48)
3.6. Exact integral (p. 58)
3.8. Flow chart for derivative mode (p. 50)
4.1. OPC automation interface wrapper link (p. 51)
4.2. OPC overview (p. 54)
4.3. Architecture of OPC-DA and XML-DA transformation (p. 58)
4.4. Network overview (p. 65)
4.5. OPC SNMP structure (p. 67)
5.1. Transmission control protocol frame format (p. 74)
5.2. Basic gateway connections (p. 77)
5.3. Flowchart summarizing the entire solution setup (p. 79)
5.4. RTU encoder flowchart (p. 81)
5.5. RTU decoder flowchart (p. 83)
5.6. RTU node communication architecture (p. 84)
6.1. Logging structure (p. 91)
6.2. Data historian DZM (p. 97)
6.3. Trap set detector link with RTU and logic control device (p. 98)

ABBREVIATIONS

ADSL: Asymmetric Digital Subscriber Line
AJAX: Asynchronous JavaScript and XML
API: Application Programming Interface
CAD: Computer Aided Design
CAM: Computer Aided Manufacturing
COM: Component Object Model
CORBA: Common Object Resource Broker Architecture
DCOM: Distributed Common Object Model
DLL: Dynamic Link Library
ERP: Enterprise Resource Planning
FEP: Front End Processor
GUI: Graphical User Interface
HTML: Hyper Text Markup Language
HTTP: Hyper Text Transfer Protocol
IDL: Interface Definition Language
IRL: Interoperable Replication Logic
ISP: Internet Service Provider
OBR: Object Request Broker
OMA: Object Management Group
OLE: Object Linking and Embedding
OMG: Object Modeling Group
OPC: Object Linking Embedding Process Control
OPC-UA: Object Linking Embedding Process Control Unified Architecture
RPC: Remote Procedure Call
SCADA: Supervisory Control And Data Acquisition
SOA: Service Oriented Architecture
SOAP: Simple Object Access Protocol
SSL: Secure Sockets Layer
STL: Standard Transform Language
TCP: Transmission Control Protocol
TLS: Transport Layer Security
URL: Uniform Resource Locator
XML: Extensible Markup Language
XSL: XML Style Sheet Language
XSS: Cross-site Scripting
WS: Web Service

CHAPTER 1. FUNDAMENTAL SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEM

1.1. INTRODUCTION

A SCADA (Supervisory Control & Data Acquisition) system is a common process automation system used to gather data from sensors and instruments located at remote sites and to transmit that data to a central site for control or monitoring purposes. The collected data is usually viewed on one or more SCADA host computers located at the central or master site. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. The SCADA system includes the following components:

* One or more field data interface devices, usually called Remote Stations, Remote Terminal Units (RTUs), or Programmable Logic Controllers (PLCs), which interface to field sensing devices and local control switchboxes and valve actuators.
* A communications system used to transfer data between field data interface devices and control units and the computers in the SCADA central host. The system can be radio, telephone, cable, satellite, and so on, or any combination of these.
* A central host computer server or servers (sometimes called a SCADA Centre, master station, master terminal unit, or MTU).
* A communications system to support the use of operator workstations that may be geographically remote from the central host computer.
* A collection of standard and/or custom software [sometimes called Human Machine Interface (HMI) software or Man Machine Interface (MMI) software] used to provide the SCADA central host and operator terminal application, support the communications system, and monitor and control remotely located field data interface devices.

The SCADA system is used for monitoring and controlling industrial processes from remote areas. The need to monitor the process and possibly control the operation of industrial systems from virtually anywhere is becoming an important issue. However, with the different types of platforms used in present SCADA systems, incompatibility has become the main obstacle. Other problems include security, accessibility, system integration, data integrity, and consistency. Many organizations are considering SCADA systems to provide access to real-time data display, alarming, trending, and reporting from remote equipment by using different communication media such as the Internet, private leased lines, dial-up connections, satellite, and radio modems [1].

Programmable logic controllers have their origins in the automation industry and therefore are often used in manufacturing and process plant applications. The need for PLCs to connect to communication channels was not great in these applications, as they were often only required to replace traditional relay logic systems or pneumatic controllers. SCADA systems, on the other hand, have their origins in early telemetry applications, where it was only necessary to know basic information from a remote source. The RTUs connected to these systems had no need for control programming because the local control algorithm was held in the relay switching logic.

As PLCs were used more often to replace relay switching logic control systems, telemetry was used more and more with PLCs at the remote sites. It became desirable to influence the program within the PLC through the use of a remote signal. This is in effect the “Supervisory Control” part of the acronym SCADA. Where only a simple local control program was required, it became possible to store this program within the RTU and perform the control within that device [2]. At the same time, traditional PLCs included communications modules that would allow PLCs to report the state of the control program to a computer plugged into the PLC or to a remote computer via a network.

1.2. DATA LOGGING

The data distribution portion of a feedback control system (see Figure 1.1) is the reverse of the data acquisition system. The computer, based on the inputs of the data acquisition system, must close the loop on a process and control it by means of output control functions. These control outputs are in digital form and must therefore be converted into analog form in order to drive the process. The conversion is accomplished by a series of D/A converters. Each D/A converter is coupled to the computer data bus by means of a register, which stores the digital word until the next update. The registers are activated sequentially by a decoder and control circuit, which is under computer control [3]. The D/A converter outputs then drive actuators that directly control the various process parameters such as temperature, pressure, and flow. Thus, the loop is closed on the process and the result is a complete automatic process control system under computer control [5].

[Figure 1.1: Basic Data Acquisition System. Blocks: process; sensors; switches and pulses; signal conditioner module; analog input module; digital input module; timer/counter module; microprocessor + memory; display module; serial interface module; alarm annunciator module.]

1.3. DISTRIBUTED DATA ACQUISITION SYSTEM

SCADA encompasses the transfer of data between a SCADA central host computer and a number of remote sites (Remote Terminal Units or RTUs), and between the central host and the operator terminals. Figure 1.2 shows a generic SCADA system that employs some form of data multiplexing (MUXs) between the central host and the RTUs [4]. These multiplexers serve to route data to and from a number of RTUs on a local network, while using one or very few physical links on a Wide Area Network (WAN) backbone to pass data back to the central host computer.

[Figure 1.2: 256 channel data acquisition with RTU. Blocks: multiplexers Mux 1 to Mux 17, each serving RTUs; ADC; input and output; data bus; address bus; microprocessor; clock driver; address decoder; memory; timer/counter.]

1.4. I/O SYSTEM

In process control systems or plants this adoption covers data transmission from flow, pressure, level and temperature processes, control signals for actuation of the final control elements, alarm signals for annunciation, and much more. Because of high-frequency transmission through a wireless medium, the I/O (terminal) devices have to be modified. The range of frequencies chosen is licence free and the design is done through spread spectrum radio technology so that remote assets are integrated with SCADA. A typical wireless I/O system is shown in Figure 1.3 (one master and one slave). Installing additional I/O slaves with the same master sending the command may increase capacity. In case the communication link between the master and the slave fails, the output of the I/O slave goes to its fail-safe preprogrammed position, which may be on, off or steady [7]. Alarms also make the users aware of the failure.

[Figure 1.3: A wireless I/O system. Blocks: central supervisory control station; wireless I/O master; wireless I/O slave (processor, signal processor); analog input; digital output; control equipment.]

For implementation of a wireless I/O system, the wireless network topology and architecture should be considered with respect to the proper hardware devices. The job starts with a site survey; then the features, data throughput and the rates at which the network needs to be updated are determined. Security is an important consideration. Accuracy of transmission and recovery is a very important consideration, especially with respect to transmission error factors. The essential items in the SCADA system network are:

A. Instrumentation devices with radio, i.e. wireless instrumentation.
B. A gateway or access point receiver that can receive communication from the wireless devices.
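The fail-safe behaviour described above (the slave output held at a preprogrammed position, and an alarm raised, once the master link is lost) can be modelled directly. The following Python is an added illustration, not code from the thesis: the watchdog timeout, the tick interval, the `IOSlave` and `run_trace` names and the master frame timings are all assumptions.

```python
"""Fail-safe behaviour of a wireless I/O slave when the master link is lost.

Added illustration (not from the thesis). The slave applies the master's last
commanded output while master frames keep arriving; once the link has been
silent longer than the watchdog timeout it raises an alarm and, unless the
fail-safe mode is "hold" (steady), forces its output to the preprogrammed
fail-safe position. Timings and names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IOSlave:
    fail_safe: str                      # "on", "off" or "hold" (steady at last value)
    timeout_s: float                    # link is declared failed after this much silence
    output: str = "off"
    last_heartbeat: Optional[float] = None
    link_ok: bool = True
    alarms: List[str] = field(default_factory=list)

    def on_command(self, t: float, value: str) -> None:
        """A master frame arrived: refresh the watchdog and apply the command."""
        if not self.link_ok:
            self.link_ok = True
            self.alarms.append(f"{t:.1f}s link restored")
        self.last_heartbeat = t
        self.output = value

    def tick(self, t: float) -> str:
        """Periodic slave task: enforce the fail-safe position when silent."""
        silent = self.last_heartbeat is None or (t - self.last_heartbeat) > self.timeout_s
        if silent and self.link_ok:
            self.link_ok = False
            self.alarms.append(f"{t:.1f}s link lost; output -> fail-safe ({self.fail_safe})")
        if not self.link_ok and self.fail_safe != "hold":
            self.output = self.fail_safe
        return self.output


def run_trace(fail_safe: str, frames, until: float,
              step: float = 0.5, timeout_s: float = 2.0) -> Tuple[list, List[str]]:
    """Replay constructed (time, command) master frames against a slave and
    return (observed output at each tick, alarms raised)."""
    slave = IOSlave(fail_safe=fail_safe, timeout_s=timeout_s)
    pending = sorted(frames)
    trace = []
    t = 0.0
    while t <= until + 1e-9:
        while pending and pending[0][0] <= t:
            slave.on_command(*pending.pop(0))
        trace.append((round(t, 1), slave.tick(t)))
        t += step
    return trace, slave.alarms


# Constructed master traffic: commands at 0, 1 and 2 s, then the link goes quiet.
FRAMES = [(0.0, "on"), (1.0, "on"), (2.0, "off")]

if __name__ == "__main__":
    for mode in ("off", "on", "hold"):
        trace, alarms = run_trace(mode, FRAMES, until=6.0)
        print(mode, "final output:", trace[-1][1], "| alarms:", alarms)
```

With a 2 s timeout the last frame at 2.0 s keeps the link alive through the 4.0 s tick; at 4.5 s the watchdog fires, the "off" and "on" slaves move to their fail-safe position and the "hold" slave keeps the last commanded value, and every mode records one link-lost alarm.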

The physical characteristics of the site should satisfy the feasibility of implementing the wireless network. Communication protocols are already available in conformity with the emergent wireless and radio standards such as Wi-Fi (IEEE 802.11g), ISA100.11a and Bluetooth (IEEE 802.15.1). A wireless network can be added to an existing process unit, for which the interface to the host system is of prime significance, as this dictates the type of gateway needed [11]. An appropriate system has to be selected on the basis of the requirements of the plant. The requirement depends on:

1. The process area to be covered and the number of control loops
2. The SCADA system to be brought under the scheme
3. The topology of the network

The common topologies are:

a. Point-to-point configuration
b. Expanded form of point-to-point configuration
c. Multipoint configuration
d. Mesh or meshed instrument configuration
e. Mesh node configuration, where the nodes are high-powered repeaters like relay stations.

The configurations are shown in Figure 1.4 (a-e). Figure 1.4-a indicates that one radio at the wireless process transmitter is paired with one gateway radio [8]. Figure 1.4-b is an extension of the system shown in Figure 1.4-a, where multiple I/O points or transmitters transmit and receive through a single radio. Figure 1.4-c indicates the variation in which multiple individual transmitters (I/O points) are connected by a wireless protocol system. Gateway capacity limits the number of I/O points. The type of protocol is also important in this situation. Figure 1.4-d indicates the meshed device topology, where the power and protocol are chosen to allow each transmitter to transmit and receive data with other transmitters until the data are received by the access point (gateway or host). The clock is common and each device is allowed to turn on or off to transmit or receive to and from other devices. This is a self-organizing network in which the protocol provides the following features:

A. The mesh networking is self-configuring.
B. When one device fails or RF interference occurs, the other devices adjust the path for data transmission; the failure is reported to the gateway.
C. Network size is limited by the capacity of the gateway and the communication protocol.

Key to Figure 1.4: PCS: process control system; GW: gateway; TR: transmitter; RAD: radio.

[Figure 1.4 (a): point-to-point configuration. Blocks: PCS, GW, RAD, TR.]

[Figure 1.4 (b): expanded point-to-point configuration. Blocks: PCS, GW, one RAD, several TR.]

[Figure 1.4 (c): multipoint configuration. Blocks: PCS, GW, several RAD and TR pairs.]

[Figure 1.4 (d): meshed instrument configuration. Blocks: PCS, GW, several TR linked to each other.]

[Figure 1.4 (e): mesh node configuration. Blocks: PCS, GW, NODE, TR.]

Figure 1.4 (a-e): Topology.

The meshed-node configuration of Figure 1.4-e is more complex: nodes have been provided which communicate with the I/O devices, with other nodes and with the gateway. Individual instruments are not permitted to do so; they can only report data, and their power requirement is thereby reduced. Nodes are often externally powered, like the host (gateway), to make them high-powered. There may be redundancy in the gateway, and the system then becomes very robust. This is a configuration for a large number of instruments. For bidirectional transport of data, as in loop control and monitoring, the requirements are used to settle the data formats and data exchange rates. Security is an important aspect, and features have to be incorporated to prevent access by unauthorized personnel. Coding is so arranged that such ‘penetration’ is prevented. Data received from the wireless devices must be available for use at present and future times. A wireless measurement and control system requires a host system: a wireless smart gateway, which essentially is a control network node, the network (self-organizing, mesh, Wi-Fi etc.) and the transceiver I/O devices/instruments. The protocols specified also vary: different vendors use Modbus, TCP/IP, OPC or HTML.

Transmission of data makes use of the spread spectrum broadbanding technique, which is a type of modulation and multiplexing technique. It distributes the signal and sidebands over a wide (spread out) bandwidth; it is now very commonly used in LANs and also in wireless I/O. Its main advantage is resistance to narrowband interference. The power density versus frequency plots of the signal to be sent after broadbanding, and of the received signal with adequate filtering, are shown in Figure 1.5 (a-c) and Figure 1.6 (a-b) respectively. The signal is broadbanded as shown in Figure 1.5-b; the area under the plots in Figure 1.5 (a-b) remains the same. The power level is now lower, but there is no loss of data. In Figure 1.5-c additional broadband and narrowband interference are present with the signal. This is received as shown in Figure 1.6-a, where it is despread and converted back into a narrowband signal while the narrowband interference is spread. This is then passed through a band-pass filter, and the actual output is shown in Figure 1.6-b: the signal has high power and can be used to reconstruct the original signal. This technique is extendable to a number of channels, all of which may use the same frequency band, with code division multiplexing (CDM) separating them on the receiving side. Spreading of the narrowband signal is done by using a code; each channel has its own code, and the same code has to be used for recovery. The coding process is considered in the following, but before that it is pertinent to note that there are two types of spread spectrum: (1) direct sequence spread spectrum (DSSS) and (2) frequency hopping spread spectrum (FHSS); DSSS is not well suited to industrial wireless I/O systems.

[Figure 1.5 (a-c): Transmitted signal. Power density dp/df versus frequency f: (a) the narrowband signal, (b) the broadbanded signal, (c) the broadbanded signal together with narrowband interference and broadband interference.]

In FHSS systems the available bandwidth is split into a number of channels of lesser bandwidth, with appropriate guard spaces provided. The technique is similar to frequency division multiplexing (FDM). Each channel of lesser bandwidth is then used in a time division multiplexing (TDM) scheme [9]. Thus a transmitter and the corresponding receiver use one such channel for a specified period of time, at the end of which another channel is ‘hopped’ into. The sequence in which the channels are used by a single transceiver pair is called the ‘hop sequence’, and the period of time a particular channel is used is the ‘dwell time’. Hopping may be slow or fast. The different hopping rates have different interference characteristics. Slow hopping is tolerant in terms of synchronization, but it is less immune to narrowband interference. Fast hopping, on the contrary, is complex and synchronization has to be kept within more stringent limits, but it is more immune to narrowband interference. As it sticks to a frequency for a very short period of time there is no frequency-selective fading. When the hopping is fast it may be expressed in hops/bit; for slow hopping it may be expressed in bits/hop. Figure 1.7 (a-b) indicates the schemes of the transmitter and receiver respectively of the FHSS system.

[Figure 1.6 (a-b): Received signal. Power density dp/df versus frequency f: (a) the despread signal with the broadband and narrowband interference, (b) the filtered output.]

The narrowband signal has two frequencies, $f_0$ for 0 and $f_1$ for 1. The PSN code generator gives the sequence which goes to the frequency synthesizer and generates the carrier $f_c$, so that the spread signal now has $f_c - f_0$ for 0 and $f_c + f_1$ for 1 respectively. The number of FHSS channels may be quite high, as said; without overlapping, the transmission can be made interference free, for which each carrier $f_c$ has to be different. Thus FHSS can be given collision-free access, for which a specific time slot and frequency may be allotted for transmission. This technique can be combined with error detection and automatic repeat requests (ARQ) to increase reliability [10]. Frequency hopping is still proprietary and is, therefore, inherently secure.

[Figure 1.7 (a): Transmitter of the FHSS system. Blocks: data; FSK modulator; frequency synthesizer; F.H. sequence generator; CLK; transmit signal.]

[Figure 1.7 (b): Receiver of the FHSS system. Blocks: RF amplifier; demodulator; frequency synthesizer; F.H. sequence generator; CLK; narrowband demodulator; original data.]
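As an added illustration, not part of the thesis, the following Python models the hop schedule of Figure 1.7: a PN code generator (the PSN code generator of the text; a 7-bit LFSR here, which is an assumption) drives both the transmitter's and the receiver's channel choice, so a receiver holding the same seed follows the hops, a narrowband interferer parked on one channel corrupts only the dwell periods that land on it, and a receiver with a different seed recovers almost nothing. The channel count, LFSR taps, seed and payload are constructed values, and one bit per hop (slow hopping) is assumed.

```python
"""Frequency-hopping schedule driven by a PN (LFSR) code.

Added illustration, not from the thesis. Transmitter and receiver that share
the LFSR seed hop through the same channel sequence; a narrowband interferer
on one channel only corrupts the hops that land there. Channel count, LFSR
polynomial, seed and message are constructed values."""
from typing import List, Optional, Tuple

N_CHANNELS = 16      # the band is split into 16 equal sub-channels (assumed)
LFSR_BITS = 7        # 7-bit Fibonacci LFSR, polynomial x^7 + x^6 + 1 (assumed)


def lfsr_hop_sequence(seed: int, hops: int) -> List[int]:
    """Hop sequence: each hop takes four fresh LFSR output bits as a channel index."""
    if not 0 < seed < (1 << LFSR_BITS):
        raise ValueError("seed must be a non-zero 7-bit value")
    mask = (1 << LFSR_BITS) - 1
    state, seq = seed, []
    for _ in range(hops):
        chan = 0
        for _ in range(4):
            fb = ((state >> 6) ^ (state >> 5)) & 1   # feedback from taps 7 and 6
            state = ((state << 1) | fb) & mask
            chan = (chan << 1) | (state & 1)
        seq.append(chan)                              # 0 .. N_CHANNELS-1
    return seq


def transmit(bits: List[int], seed: int) -> List[Tuple[int, int]]:
    """Slow hopping, one bit per hop: bit i is sent on the i-th channel of the
    sequence. Returns the (channel, bit) symbols as they appear on the air."""
    return list(zip(lfsr_hop_sequence(seed, len(bits)), bits))


def receive(symbols: List[Tuple[int, int]], seed: int,
            jammed_channel: Optional[int] = None) -> List[int]:
    """The receiver tunes to the channel its own LFSR predicts for each hop.
    A bit is recovered only if that prediction matches the channel actually
    used and that channel is not jammed; otherwise it is marked corrupted (-1)."""
    expected = lfsr_hop_sequence(seed, len(symbols))
    out = []
    for (chan, bit), want in zip(symbols, expected):
        out.append(-1 if chan != want or chan == jammed_channel else bit)
    return out


def corrupted_fraction(decoded: List[int]) -> float:
    """Share of hops whose bit could not be recovered."""
    return sum(1 for b in decoded if b == -1) / len(decoded)


MESSAGE = [int(b) for b in "1011001110001011" * 4]   # constructed 64-bit payload
SEED = 0b1010011                                      # constructed shared seed

if __name__ == "__main__":
    air = transmit(MESSAGE, SEED)
    print("same seed, no jammer, recovered:", receive(air, SEED) == MESSAGE)
    print("jammer on channel 3, corrupted fraction:",
          corrupted_fraction(receive(air, SEED, jammed_channel=3)))
    print("wrong seed, corrupted fraction:",
          corrupted_fraction(receive(air, 0b0000001)))
```

The corrupted fraction under a single-channel jammer is exactly the share of hops the schedule spends on that channel (about 1/16 here), which is the narrowband-interference immunity the text describes; combined with ARQ, only those hops would need retransmission.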

CHAPTER 2. SCADA NETWORK SECURITY

2.1. INTRODUCTION

The requirements of information security within a SCADA system have undergone two major changes in the last several decades. Before the widespread use of data processing equipment, the security of information felt to be valuable to a system was provided primarily by physical and administrative means. With the introduction of SCADA networks, the need for automated tools for protecting files and other information stored on the server became evident. This is especially the case for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a data network. The name for the collection of tools designed to protect data and to thwart hackers is SCADA security [12]. Another major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and host and between hosts. Network security measures are needed to protect data during their transmission and to guarantee that the data transmissions are authentic.

2.2. SCADA NETWORK ATTACKS

A useful means of classifying security attacks is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.

2.2.1. PASSIVE ATTACKS

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. A second type of passive attack is traffic analysis. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from it. The common technique for masking contents is encryption. Even with encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place. Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor the receiver is aware that a third party has read the message or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

2.2.2. ACTIVE ATTACKS

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service. A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, an authentication sequence can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges [13]. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. Denial of service prevents or inhibits the normal use or management of communication facilities. This attack may have a specific target. Another form of service denial is the disruption of an entire network or a server, either by disabling the network server or by overloading it with messages so as to degrade performance. Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communications facilities and paths at all times.

2.3. SYMMETRIC ENCRYPTION

The universal technique for providing confidentiality for transmitted data is symmetric encryption. A symmetric encryption scheme has the following ingredients:

* Plaintext: the original message or data that is fed into the algorithm as input.
* Encryption algorithm: the encryption algorithm performs various substitutions and transformations on the plaintext.
* Secret key: the secret key is also input to the encryption algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
* Ciphertext: the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.
* Decryption algorithm: essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext [14].

The most powerful and common approach to countering the threats to SCADA network security is encryption. With link encryption, each vulnerable communication link is equipped on both ends with an encryption device. Thus, all traffic over all communication links is secured. Although this requires a lot of encryption devices in a large network, it provides a high level of security. One disadvantage of this approach is that the message must be decrypted each time it enters a packet switch; this is necessary because the switch must read the address in the packet header to route the packet. Thus, the message is vulnerable at each switch. If this is a public packet-switching network, the user has no control over the security of the nodes. With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data, in encrypted form, are then transmitted unaltered across the network to the destination host. The destination shares a key with the source and so is able to decrypt the data. This approach would seem to secure the transmission against attacks on the network links or switches. When both forms are employed, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key [15]. As the packet traverses the network, each switch decrypts the packet using a link encryption key to read the header and then encrypts the entire packet again for sending it out on the next link. Now the entire packet is secure except for the time that the packet is actually in the memory of a packet switch, at which time the packet header is in the clear.

2.4. TRAFFIC PADDING

With the use of link encryption, packet headers are encrypted, reducing the opportunity for traffic analysis. It is still possible in those circumstances for an attacker to assess the amount of traffic on a SCADA network and to observe the amount of traffic entering and leaving each end system. An effective countermeasure to this attack is traffic padding.
Traffic padding is a function that produces ciphertext output continuously, even in the absence of plaintext. A continuous random data stream is generated.  . 28 | P a g e.

When the plaintext is available, it is encrypted and transmitted. When input plaintext is not present, the random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish between true data flow and noise, and therefore impossible to deduce the amount of traffic [16].

2.5. MESSAGE AUTHENTICATION

Encryption protects against passive attack; a different requirement is to protect against active attack. The protection against such attacks is known as message authentication. Data is said to be authentic when it is genuine and came from its alleged source. Message authentication is a procedure that allows communicating parties to verify that received messages are authentic. The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic. We may also verify a message's timeliness and sequence relative to other messages flowing between two parties. It is possible to perform authentication simply by the use of symmetric encryption. If sender and receiver share a key, then only the genuine sender would be able to successfully encrypt a message for the other participant [17]. If the message includes an error detection code and a sequence number, the receiver is assured that no alterations have been made and that sequencing is proper. If the message also includes a timestamp, the receiver is assured that the message has not been delayed beyond the normally expected SCADA network transit time (see Figure 2.1).

One authentication technique involves the use of a secret key to generate a small block of data, known as a message authentication code (MAC), that is appended to the message. This technique assumes that two communicating parties, say X and Y, share a common key $K_{XY}$. When X has a message M to send to Y, it calculates the message authentication code as a function of the message and the key: $MAC_M = F(K_{XY}, M)$ [18]. The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code.

Figure 2.1. Message authentication using a message authentication code (the sender computes a MAC over the message; the receiver recomputes the MAC over the received message and compares it with the received MAC).

2.6. SECURITY SERVICE FOR SCADA

One of the most widely used security services is the secure sockets layer (SSL) and the follow-on Internet standard known as transport layer security (TLS). SSL is a general-purpose service implemented as a set of protocols that rely on TCP. SSL could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages [19][20].

The SSL record protocol provides a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols. The SSL record protocol provides basic security services to various higher-layer protocols. The Hypertext Transfer Protocol (HTTP), which provides the transfer service for web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the handshake protocol, the change cipher spec protocol and the alert protocol. These SSL-specific protocols are used in the

management of SSL exchanges and are examined later in this section. The protocol stack is shown in Figure 2.2.

Figure 2.2. SSL protocol stack (SSL handshake protocol, SSL alert protocol, SSL change cipher spec protocol and HTTP sit above the SSL record protocol, which runs over TCP and IP).

A connection is a transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session. An SSL session is an association between a client and a server. Sessions are created by the handshake protocol. The SSL record protocol provides services for SSL connections: the handshake protocol defines a shared secret key that is used for symmetric encryption of SSL payloads, and defines a shared secret key that is used to form a message authentication code [21].

Alert protocol: The alert protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted. Each message in this protocol consists of two bytes. The first byte takes the value warning or fatal to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. Other connections on the same session may continue, but no new connections on this session may be established. The second byte contains a code that indicates the specific alert. An example of a fatal alert is an incorrect MAC. An example of a non-fatal alert is the close notify message, which notifies the recipient that the sender will not send any more messages on this connection.

2.7. SCADA NETWORK MANAGEMENT SYSTEM

A SCADA network management system is a collection of tools for network monitoring and control that is integrated in the following senses:

A single operator interface with a powerful but user-friendly set of commands for performing most or all SCADA network management tasks.

A minimal amount of separate equipment. That is, most of the hardware and software required for SCADA network management is incorporated into the existing user equipment.

A SCADA network management system consists of incremental hardware and software additions implemented among existing network components. The software used in accomplishing the network management tasks resides in the hosts and communication routers. A SCADA network management system is designed to view the entire network as a unified architecture, with addresses and labels assigned to each point and the specific attributes of each element and link known to the system. The active elements of the SCADA network provide regular feedback of status information to the network control centre. At least one host in the SCADA network is designated as the network control host, or manager. In addition to the network management entity software, the network control host includes a collection of software called the network management application. The network management application includes an operator interface to allow an authorized user to manage the network. The network management application responds to user commands by displaying information or by issuing commands to network management entities throughout the SCADA network. This communication

is carried out using an application-level network management protocol that employs the communication architecture in the same fashion as any other distributed application [22]. Each other node in the SCADA network that is part of the network management system includes a network management entity and, for purposes of network management, is referred to as an agent. Agents include end systems that support user applications as well as nodes that provide a communication service, such as front-end processors, controllers and routers.

2.8. SIMPLE NETWORK MANAGEMENT PROTOCOL

SNMP was developed for use as a network management tool for networks and internetworks operating TCP/IP. It is actually used to refer to a collection of specifications for network management that include the protocol itself and the definition of a database. The model of SCADA network management that is used for SNMP includes the management station and the agent. The management station is typically a standalone device, but the capability may be implemented on a shared system. The management station serves as the interface for the operator (network manager) into the SCADA network management system. The other active element in the SCADA network management system is the management agent. Key platforms, such as hosts, firewalls and hubs, may be equipped with agent software so that they may be managed from a management station. The agent responds to requests for information from a management station, responds to requests for actions from the management station, and may asynchronously provide the management station with important but unsolicited information.

To manage resources in the network, each resource is represented as an object. An object is, essentially, a data variable that represents one aspect of the managed agent. The collection of objects is referred to as a management information base (MIB) [23]. The MIB functions as a collection of access points at the agent for the management station. These

objects are standardized across systems of a particular class. A management station performs the monitoring function by retrieving the values of MIB objects. A management station can cause an action to take place at an agent, or can change the configuration settings of an agent, by modifying the values of specific variables. The management station and agents are linked by a network management protocol. The protocol used for the management of TCP/IP networks is the simple network management protocol. SNMP is an application-level protocol that is part of the TCP/IP protocol suite. It is intended to operate over the user datagram protocol (UDP). For a standalone management station, a manager process controls access to a central MIB at the management station and provides an interface to the network manager. The manager process achieves network management by using SNMP, which is implemented on top of UDP, IP and the SCADA network-dependent protocols. Each agent must also implement SNMP, UDP and IP; there is an agent process that interprets the SNMP messages and controls the agent's MIB. For an agent device that supports other applications, such as FTP, TCP as well as UDP is required. From a management station, three types of SNMP message are issued on behalf of a management application: GetRequest, GetNextRequest and SetRequest. The first two are two variations of the get function. All three messages are acknowledged by the agent in the form of a GetResponse message, which is passed up to the management application. An agent may issue a Trap message in response to an event that affects the MIB and the underlying managed resources. Management requests are sent to UDP port 161, while the agent sends traps to UDP port 162. Because SNMP relies on UDP, which is a connectionless protocol, SNMP is itself connectionless. No ongoing connections are maintained between a management station and its agents.

Each exchange is a separate transaction between a management station and an agent [24]. It defines a limited, easily implemented

management information base (MIB) of scalar variables and two-dimensional tables, and it defines a streamlined protocol to enable a manager to get and set MIB variables and to enable an agent to issue unsolicited notifications, i.e. traps. This simplicity is the strength of SNMP. SNMP is easily implemented and consumes modest processor and network resources, and the structure of the protocol and the MIB are sufficiently straightforward that it is not difficult to achieve interoperability among management stations and agent software from a mix of vendors.

2.9. VIRTUAL NETWORK

Virtual networks deploy customizable network protocols by leasing the required infrastructure resources from multiple SCADA network infrastructures. Each virtual network is a combination of multiple virtual routers and links. When initiating a service, the virtual network commits to service level agreements with a set of SCADA network infrastructures and receives the requested resources. Each virtual network then instantiates the service on the allocated resources to form a virtual network topology by connecting end users to the network, and can provide its users with a custom set of protocols and security features. Both virtual networks deploy their customized network services on the shared infrastructure components and establish end-to-end connectivity between end users. Once deployed, each virtual network can then operate the control plane security functions on the network infrastructure resources and direct the SCADA network infrastructure to perform the required data packet forwarding. Despite the various advantages, hosting multiple virtual networks on a shared network infrastructure introduces new security challenges unlike those seen in the current SCADA network. The virtual network cannot assume inherent provision of security features by the hosting SCADA network infrastructure and is oblivious to the malicious activities of the infrastructure.

In addition, with the infrastructure resources being shared

among multiple virtual networks, it presents an opportunity for attackers to co-host malicious network services and attack the legitimate virtual networks. For the SCADA network infrastructure, the hosted virtual networks should not launch attacks or access privileged information on the infrastructure [25]. Therefore, to understand the possible security issues in detail, this dissertation focuses on identifying the attacks and vulnerabilities that are unique to the virtualized network infrastructure environment. For a successful adoption of the technology for the future Internet, it is important to address the security issues with effective defence mechanisms. Any honest-but-curious SCADA network infrastructure component can snoop on traffic sent by the virtual networks. Such activities can identify the communicating entities in each packet, what routes are used inside a virtual network, etc. Revealing such information is undesirable since it compromises the privacy and confidentiality of both users and virtual networks. Therefore, we require a technique that avoids such inferences about traffic while allowing the network infrastructure (NI) components to perform the data plane functionalities. This introduces the need to forward packets based on encrypted forwarding address information. A confidential packet forwarding functionality is proposed that protects user privacy when network traffic is forwarded by third-party network infrastructures. In a typical virtualized network, the SCADA infrastructure and the virtual network instance may be managed by different administrative entities that may not trust each other. In such a scenario, the virtual network operator might hesitate to disclose network configuration or control information (e.g., source and destination addresses of network traffic, routing information, etc.) to the SCADA infrastructure provider.

However, the network infrastructure provider does need sufficient information to implement the packet forwarding functionality within the virtual network. Therefore, it is important to develop mechanisms that protect a virtualized network's operational

information, while allowing an efficient implementation on the SCADA network infrastructure [26].

2.10. SECURITY IMPLEMENTATION

Establishment of a security perimeter, layered defence in depth, segmentation, authentication and authorization are essential components of an effective security policy. Industrial control system networks often lend themselves to segmentation by function. The industrial control system network must be segmented to isolate it from other less secure plant or substation networks, the corporate network and other less secure networks, individual control centres, regional control centres and possibly remote stations. Firewalls must be deployed to enforce a mutually untrusting policy at these subnet perimeters. Segmentation using subnets and firewalls helps in limiting the extent of damage caused by any cyber event. In order to protect applications, application-aware network devices such as intrusion detection systems must be deployed. Since each application represents an attack vector, disallowing non-essential applications such as point-to-point, instant messaging and video streaming improves the security posture of the industrial control system network. Such application-level restrictions also require network enforcement elements that are application aware. As applications and protocols become port agnostic, application-aware deep inspection devices augment the firewall's ability to allow only permissible traffic. For example, while a firewall may open a hole for port 502, the inspection device can ensure that all non-MODBUS traffic over that port is stopped. A prerequisite to enforcing an access policy on an industrial control system is to have mechanisms for authentication and authorization. These mechanisms must verify a user's identity, provide access to devices based

on that user's role and privilege level, and log all access attempts in order to audit any infringement [27]. Most control system field devices such as RTUs and PLCs fall short on most of these basic security requirements. Industrial control system protocols such as OPC and MODBUS currently have very weak authentication mechanisms. Further, such systems seldom provide adequate administration capabilities, including granularity with role-based access. A user has access to perform all operations with no restrictions once authenticated. Due to limited memory, most control devices do not keep or maintain logs of cyber events. This lack of logging has prevented actual cyber incidents from being analysed and also keeps electric utilities from meeting several of the NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) logging and event monitoring requirements. The policy must provide methods for secure remote access, and role-based access to assets and operations. An important requirement for incident forensics as well as regulatory compliance is the ability to establish the identity of users who made changes to the control systems.

2.11. EDGE SECURITY

To access control networks from the corporate network or, in some cases, from the Internet, it is essential to create a strong defence perimeter. A perimeter firewall must create at least three security zones: a secure zone for the control system network elements, a demilitarized zone (DMZ) and an insecure zone. Even if all access to the control network is through the corporate network, the perimeter firewall must treat the corporate network as insecure and have a mutually non-trusting policy. The DMZ contains secure access authentication devices, workstations and servers that are accessible from the insecure network. Any device in the secure zone should be accessible only through one of the DMZ devices.

By ensuring that the devices in the DMZ are properly protected and continuously monitored, a control network administrator can significantly

reduce the probability of a network-based attack. It is key that the perimeter device not only provides security zones and flow-based firewalling, but is also aware of the protocols and applications it is protecting. To remotely monitor equipment status, an ISO may need to collect current production data, or a vendor may have to diagnose and fix operational problems. In order to minimize the probability of unintentional misuse or tampering, users should be limited only to the functions for which they are authorized. For example, a vendor logging in to apply a patch must not be able to run any control system commands. If a contractor's system contains spyware or is not up to date, that contractor should not be allowed access to the control system network.

SSL (Secure Sockets Layer) appliances are based on the Instant Virtual Extranet (IVE) platform, which uses SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for client software deployment, changes to internal servers and costly ongoing maintenance and desktop support [29]. Enhanced remote access methods enable the enterprise to provision access by purpose for virtually any resource.
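The message authentication scheme of Section 2.5 (a MAC appended to a message that carries an error detection code, a sequence number and a timestamp), written out as an added example that is not part of the thesis. HMAC-SHA256 stands in for the thesis's generic F(K_XY, M); the frame layout, the key and the telemetry strings are constructed for the example.

```python
"""Authenticated SCADA telemetry frame (added example, not from the thesis):
MAC = F(K_XY, M) where M carries a sequence number, a timestamp and a CRC,
so the receiver can reject tampered, replayed and stale messages."""
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout: seq (u32) | timestamp (u64, seconds) | payload |
# crc32 (u32) | MAC (32 bytes, HMAC-SHA256 over everything before it).
MAC_LEN = 32
HEADER = struct.Struct("!IQ")
CRC = struct.Struct("!I")


def build_frame(key: bytes, seq: int, timestamp: int, payload: bytes) -> bytes:
    """Sender X: append the error detection code, then the MAC."""
    body = HEADER.pack(seq, timestamp) + payload
    body += CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + mac


class Receiver:
    """Receiver Y: recompute the MAC and check CRC, sequence and timeliness."""

    def __init__(self, key: bytes, max_delay: int = 5):
        self.key = key
        self.max_delay = max_delay   # expected SCADA transit time, seconds
        self.last_seq = -1           # highest sequence number accepted so far

    def verify(self, frame: bytes, now: int):
        """Return (accepted, reason, payload)."""
        if len(frame) < HEADER.size + CRC.size + MAC_LEN:
            return False, "too short", None
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(mac, expected):
            return False, "bad MAC", None
        seq, ts = HEADER.unpack_from(body)
        payload = body[HEADER.size:-CRC.size]
        (crc,) = CRC.unpack_from(body, len(body) - CRC.size)
        if zlib.crc32(body[:-CRC.size]) & 0xFFFFFFFF != crc:
            return False, "bad CRC", None
        if seq <= self.last_seq:
            return False, "replayed or out-of-order sequence", None
        if abs(now - ts) > self.max_delay:
            return False, "stale timestamp", None
        self.last_seq = seq
        return True, "ok", payload


if __name__ == "__main__":
    k = b"constructed-shared-key-K_XY"
    rx = Receiver(k)
    frame = build_frame(k, 1, 1000, b"RTU7 pressure=52.1")
    print(rx.verify(frame, 1002))   # accepted
    print(rx.verify(frame, 1002))   # same frame again: replay rejected
```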
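The port 502 case from Section 2.10 (the firewall opens the port; the application-aware inspection device stops everything that is not well-formed MODBUS) as an added example, not code from the thesis. It validates the public MODBUS/TCP MBAP header and then applies a per-source function-code policy of the kind Section 2.11 asks for; the zone addresses and the policy table are constructed assumptions.

```python
"""Application-aware inspection of client->server traffic on TCP port 502
(added example, not from the thesis)."""
import struct

MBAP = struct.Struct("!HHHB")   # transaction id, protocol id, length, unit id

# Constructed policy: which MODBUS function codes each source may send.
READ_ONLY = {1, 2, 3, 4}                    # read coils/inputs/registers
READ_WRITE = READ_ONLY | {5, 6, 15, 16}     # plus write coils/registers
POLICY = {
    "10.1.1.10": READ_WRITE,   # engineering workstation in the DMZ
    "10.1.1.20": READ_ONLY,    # historian: may only poll
}


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, pdu_data) or raise ValueError."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for MODBUS")
    # The length field counts the unit id and the PDU, i.e. everything
    # after the first six bytes; a mismatch means a truncated or foreign frame.
    if length != len(frame) - 6:
        raise ValueError("length field disagrees with frame size")
    if length > 254:   # one unit id byte plus a PDU of at most 253 bytes
        raise ValueError("PDU exceeds MODBUS maximum")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError("exception response seen in client->server direction")
    return unit, fc, frame[8:]


def inspect(src: str, frame: bytes) -> str:
    """Decision for one frame: 'allow' or 'block: <reason>'."""
    try:
        unit, fc, data = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"block: non-MODBUS or malformed ({err})"
    allowed = POLICY.get(src, set())      # unknown sources get nothing
    if fc not in allowed:
        return f"block: function code {fc} not permitted for {src}"
    return "allow"


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """Constructed FC 3 request (what a polling historian sends)."""
    pdu = struct.pack("!BHH", 3, start, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Constructed FC 6 request (a write that only engineering may issue)."""
    pdu = struct.pack("!BHH", 6, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    print(inspect("10.1.1.20", read_holding_registers(1, 1, 0, 10)))
    print(inspect("10.1.1.20", write_single_register(2, 1, 0, 1)))
    print(inspect("10.1.1.10", b"GET / HTTP/1.1\r\n"))   # HTTP smuggled on 502
```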

CHAPTER 3. REMOTE TERMINAL UNIT BASED CONTROL

3.1. INTRODUCTION

Modern control system implementations are carried out using computers, which are digital. The measurement, the final control operations, the strategy for control and the modes of controller action are still the same as those we are already aware of under analog controllers. But the functions of the controller have been taken over by the PLC/RTU control system. The system inputs the measurement data, determines the error, solves the controller mode equations to determine the feedback, and transmits this feedback to the final control element. The technology of networks and network communication has become handy to exchange information between RTU control systems over networks. The widely used networks are local area networks (LAN), wide area networks (WAN) and the worldwide network. This concept has been carried over to control systems in the name of field buses. This has led to the development of supervisory control and data acquisition systems wherein sensors, remote terminal units and final control operation signals are exchanged over a common network or field bus. There are still situations in control systems wherein the control system can provide the needed action. Single variable and multivariable alarms, two-position control etc. are some such examples.

3.2. DIGITAL CONTROL SYSTEM

A processor-based controller is the most important element in modern process control systems. Measurement data from the plant process, like temperature, pressure, flow, level, concentration, density etc., are inputs to the system. The system performs all the calculations for the controller modes. The output from process control is converted into a suitable signal to operate the final control element in the field. Such an application is historically referred to as direct digital control (DDC).

Figure 3.1. Direct digital control (sensors 1 to n feed a serial I/O multiplexer and ADC; the microprocessor, with memory, timer/counter and clock, drives a DAC).

The DDC directly interfaces to the process for data acquisition and control purposes. It has the necessary hardware for directly interfacing (signal conditioner, ADC etc.) and reading the data from the process. It should have memory and arithmetic capability to execute the required P, PI and PID control strategy. At the same time, the interface to the control valve (final control element) should also be part of the DDC. Figure 3.1 shows the various functional blocks of a direct digital control system [30]. The function blocks in combination with the microprocessor are shown. The multiplexer acts like a switch under microprocessor control. It switches and presents at its output the analog signal from a sensor/transmitter. The analog-to-digital converter converts the analog signal to a digital value. The microprocessor performs the following tasks:

1. It reads the various process variables from different transmitters through the multiplexer and ADC.
2. It determines the error for each control loop and executes the control strategy for each loop.
3. It outputs the correction value to the control valve through the DAC.

We will explore the hardware and software configuration of a typical process control system.

3.2.1 HARDWARE CONFIGURATIONS

A simplified microprocessor-based control system with a standard array of devices is indicated in Figure 3.2. The ROM (read-only memory), a non-volatile memory, holds the programs that the processor executes. The RAM (random access memory) is used to hold the transient results of calculations and other results of data processing. The data I/O typically consists of ADCs and DACs as well as digital I/O channels. The network interface card provides for serial communication of the control system over a serial field bus or LAN [29].

Figure 3.2. Basic microprocessor-based control system (the microprocessor is connected by data, address and control buses to ROM, RAM, analog and digital data I/O, and a network interface card).

3.2.1.1. SINGLE LOOP CONTROLLER

A single loop controller basically controls a single variable. It measures the error occurring in one plant variable and attempts to correct it by applying a change to the operating level of one and only one plant control variable. Here a number of single loop controllers are required to control a process. These controllers can be located in the centralized control room and receive analog inputs from the sensors and output the analog output signal to the final control elements in the field. The controller simply does the comparison, solves the control mode requirements and supplies the necessary output for the parameter concerned [31].

Smart sensors: It is also possible to embed the controller processor directly into the sensor to make it a smart sensor. Figure 3.3 indicates one possible implementation of such a system for controlling flow rate through a process pipeline. The sensor and processor are housed directly at the site of the measurement. The feedback signal is delivered to the valve via the standard 4-20 mA current transmission. Operation of the flow control loop is monitored via the serial interface, which is also used to update the set point, the controller mode gains and the operating parameters. It is also possible to eliminate the 4-20 mA connection if the signal conditioning system of the control valve actuator contains a network interface circuit so that it can be connected to the serial bus. In this case the smart sensor sends feedback information to the valve via the serial bus.

3.2.1.2. MULTIPLE-LOOP CONTROLLER

A single PLC/RTU system can be used for controlling a number of process control loops instead of controlling only one loop as in a single loop controller. This helps to take care of interactions between loops in a process. Such multi-loop control is feasible as the computers are fast enough to take care of process variations.

Multiplexers and demultiplexers are used to allow the system to read from various sensors and direct outputs to the right control elements. The network interface

allows the remote terminal unit to communicate with the other remote terminal units so that operating parameters of the plant can be updated. The field buses serially carry information between remote terminal units, sensors and feedback elements [32].

Figure 3.3. Smart sensor based single loop controller (orifice plate and differential pressure sensor on the pipeline; signal conditioner and ADC into the controller; DAC and signal conditioner driving the control valve actuator over 4-20 mA).

3.2.2 SOFTWARE CONFIGURATION

When a PLC/RTU is used as the controller, the system must be able to solve the control equations. The needed software is available as a control package when the system control is implemented on a general-purpose computer. In the case of smart sensors and the other dedicated controllers, the control equations are built into the embedded software. External commands can be used to select the desired mode (P, PI or PID etc.) and the gains for each mode.

3.2.2.1 ERROR

The system accepts an input of the controlled variable from an ADC or over the bus from the sensor, encoded as a binary number. In describing the algorithms we assume the measurement range of the controlled variable is known, $b_{min}$ to $b_{max}$. The error as a percentage of span is reproduced below:

$$e_p = \frac{r - b}{b_{max} - b_{min}} \times 100 \qquad (3.1)$$

where $r$ is the set point (reference) and $b$ the measured value, the DSP and DV of the later equations. For the purposes of algorithm description we will assume the variable has been converted from a binary encoding to its actual value as a floating-point variable (temperature, pressure, etc.) in the control program. In the program the error will be used as a fractional quantity rather than a percent. Furthermore, the variable value and hence the error are only available as samples taken every $\Delta t$ seconds. Thus the error will be expressed as

$$e_n = \frac{r - b_n}{b_{max} - b_{min}} \qquad (3.2)$$

Again, we assume that when the binary number is brought into the unit it is passed to a floating-point processor (i.e. $b_n$ is a base-10, floating-point number). This is typical of a PLC/RTU system. With these assumptions about the input value and expressing the error sample as a fraction of range, let us consider the three modes of control: proportional, integral and derivative. The equations developed will provide a fractional number (0 to 1) representing what fraction of the controlling variable range should be sent to the final control element.

3.2.2.2 PROPORTIONAL MODE

The proportional mode controller action is defined by a term that is directly proportional to the error. The equation for proportional mode is:

$$p = K_p e_p + p_0 \qquad (3.3)$$

where $K_p$ = proportional gain, $e_p$ = error, $p_0$ = controller output with no error, and $p$ = controller output.

Figure 3.4. Multiple-loop controller (operator and display attached to the process controller over the network; data acquisition from the process through a multiplexer and ADC, outputs through a DAC and demultiplexer back to the process).

The unit implements this mode easily in the form of an algorithm that simply calculates the equation for P directly. The proportional mode is provided through the software by an equation. Because the error is expressed as a fraction of range, what is calculated is the fraction of the maximum output:

P = PO + KP * DE        (3.4)
POUT = P * ROUT         (3.5)

where
PO = fraction of output with no error
KP = proportional gain
P = fraction of output with error
ROUT = maximum output
POUT = output
DE = error from equation (3.2) = DSP - DV (set point/reference - input)

Figure 3.5 is a general flow chart for the proportional mode from which software can be developed.

3.2.2.3 INTEGRAL MODE

The integral or reset mode calculates a controller output that depends on the history of the controlled variable error. In a mathematical sense, history is measured by an integral of the error, as shown in equation (3.6).

$$P = K_I \int_0^t e_p \, dt + p(0) \qquad (3.6)$$

To use this mode in system control, we need a way of evaluating the integral of the error. Many algorithms have been developed to do this, all of them only approximate, as only samples of the error in time are available [33]. The integral in equation (3.6) is merely the net area of the $e_p$ curve from 0 to t, as in Figure 3.6:

$$\int_0^t e_p \, dt = \text{net area} = (\text{area of } e_p > 0) - (\text{area of } e_p < 0)$$

3.2.2.4 DERIVATIVE MODE

The derivative controller mode, also called rate, derives a controller output that depends on the instantaneous rate of change of the error [35].

$$P = K_D \frac{de_p}{dt} \qquad (3.7)$$

where $K_D$ = derivative gain and $\frac{de_p}{dt}$ = rate of error change. This expresses the percentage controller output for each percent per second change in error. This mode is implemented in process control by calculating an approximate derivative of the error from the data samples. A derivative is defined as the rate at which a quantity is changing at an instant in time.

Figure 3.5. Flow chart for proportional mode (input DV; DE = DSP - DV; CORR = KP * DE, as in equation (3.4); P = PO + CORR; output P).

Figure 3.6. Exact integral (error $e_p$ plotted against time t from 0 to 10; the integral is the net area under the curve).

We can calculate only the rate at which it is changing over the sample period $\Delta t$, which is therefore only an approximation. In terms of an equation, we can express

$$\frac{de_p}{dt} \approx \frac{e_{pn} - e_{pn-1}}{\Delta t}$$

where $e_{pn}$ = present error sample, $e_{pn-1}$ = previous error sample,

$\Delta t$ = time between samples.

The set of equations for the derivative output can be developed directly from the definitions:

DDE = DE - DEO
DEO = DE
PD = KD * DDE/DT

The flow chart for this mode is in figure 3.8.

3.2.2.5 PID CONTROL MODE

The optimum control mode is a composite of the three modes, proportional (P), integral (I) and derivative (D). With system-based control, a composite mode is developed by simply combining the three mode equations in the computation of the fractional output. According to the principles of PID control, the proportional gain multiplies all three terms. The control equations can be written as below:

DDE = DE - DEO
DEO = DE
SUM = SUM + DE
PI = KP * KI * DT * SUM          (3.8)
PD = KP * KD * DDE/DT            (3.9)
P = KP * DE + PI + PD            (3.10)
POUT = P * ROUT

These equations are then programmed into the control software to determine the required output [34]. An alternative expression for the PID output can be constructed by using the errors to provide corrections to the current output. To develop this, adopt the convention that a subscript denotes a particular sample.

Figure 3.8: Flow chart for derivative mode. Steps: input DV; DE = DSP - DV; DDE = DE - DEO; DEO = DE; PD = KD * DDE/DT; output PD; start delay DT; when the delay has elapsed, repeat.

Thus $DE_i$ is the $i$th error sample and $P_i$ is the functional output for that sample. The output for the $(i+1)$th sample, according to equation (3.10), can be written in the form

$$P_{i+1} = KP \cdot DE_{i+1} + KP \cdot KI \cdot DT \cdot [SUM + DE_{i+1}] + KP \cdot KD \cdot [DE_{i+1} - DE_i]/DT$$

where SUM is the accumulated error up to sample $i$.
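The proportional, integral and derivative approximations of sections 3.2.2.2 to 3.2.2.4 and the composite equations (3.8) to (3.10) above, carried through as working code. This is an added example and not code from the thesis: the gains, the sample period DT, the setpoint and the three measured values are constructed for illustration, and the `pid_sample_form` function is included only to show that the subscripted expression derived from (3.10) produces the same outputs as the step-by-step equations.

```python
"""Discrete PID controller built from the thesis's update equations
(3.8)-(3.10) and the sample-index form that follows them.

Added worked example, not code from the thesis.  Gains, sample period and
the measurement sequence are constructed for illustration.
"""

from dataclasses import dataclass
from typing import List


@dataclass
class PidState:
    """Controller memory carried between samples (DEO and SUM in the flow charts)."""
    deo: float = 0.0   # previous error sample, DE_i
    sum_: float = 0.0  # accumulated error, SUM


def proportional(kp: float, de: float, po: float) -> float:
    """Proportional mode as in figure 3.5: CORR = KP*DE, P = PO + CORR."""
    return po + kp * de


def integral_approx(ki: float, errors: List[float], dt: float, p0: float = 0.0) -> float:
    """Integral (reset) mode, equation (3.6), with the integral taken as the
    net area of rectangles of width dt under the sampled error: samples with
    e_p > 0 add area, samples with e_p < 0 subtract it."""
    net_area = sum(e * dt for e in errors)
    return ki * net_area + p0


def derivative_approx(kd: float, de: float, deo: float, dt: float) -> float:
    """Derivative (rate) mode, equation (3.7), with de_p/dt replaced by the
    sample difference (e_pn - e_p(n-1))/dt."""
    return kd * (de - deo) / dt


def pid_step(kp: float, ki: float, kd: float, dt: float, rout: float,
             de: float, state: PidState) -> float:
    """One pass of the composite mode, equations (3.8)-(3.10) plus POUT = P*ROUT."""
    dde = de - state.deo            # DDE = DE - DEO
    state.deo = de                  # DEO = DE
    state.sum_ += de                # SUM = SUM + DE
    pi = kp * ki * dt * state.sum_  # (3.8)
    pd = kp * kd * dde / dt         # (3.9)
    p = kp * de + pi + pd           # (3.10)
    return p * rout                 # scale to the output range


def run_pid(kp: float, ki: float, kd: float, dt: float, rout: float,
            setpoint: float, measurements: List[float]) -> List[float]:
    """Drive the controller over a sequence of measured values DV."""
    state = PidState()
    outputs = []
    for dv in measurements:
        de = setpoint - dv          # DE = DSP - DV
        outputs.append(pid_step(kp, ki, kd, dt, rout, de, state))
    return outputs


def pid_sample_form(kp: float, ki: float, kd: float, dt: float,
                    errors: List[float]) -> List[float]:
    """The subscripted form derived from (3.10):
    P_{i+1} = KP*DE_{i+1} + KP*KI*DT*[SUM + DE_{i+1}] + KP*KD*[DE_{i+1} - DE_i]/DT
    with SUM the accumulated error up to sample i and DE_0 taken as 0."""
    outputs, running_sum, prev = [], 0.0, 0.0
    for de in errors:
        outputs.append(kp * de
                       + kp * ki * dt * (running_sum + de)
                       + kp * kd * (de - prev) / dt)
        running_sum += de
        prev = de
    return outputs


if __name__ == "__main__":
    # Constructed scenario: setpoint 10.0, three samples of the controlled
    # variable, gains and sample period chosen so the result can be hand checked.
    kp, ki, kd, dt, rout = 2.0, 0.5, 0.1, 0.5, 1.0
    out = run_pid(kp, ki, kd, dt, rout, 10.0, [8.0, 9.0, 9.5])
    same = pid_sample_form(kp, ki, kd, dt, [2.0, 1.0, 0.5])
    print("POUT per sample:", out)
    print("subscript form :", same)
```

Everything this loop needs from outside the RTU, the setpoint DSP, the gains KP, KI, KD and the scale ROUT, is exactly the parameter set the next chapter says is written down from the SCADA level; the example applies no range checks to those values, so whatever the supervisory link delivers is used as-is.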

CHAPTER 4. OBJECT LINKING AND EMBEDDING DESIGN

4.1. OPEN PROCESS CONTROL

OPC (OLE for Process Control, commonly expanded as Open Process Control) is built around the OPC server, a software application that acts as an application programming interface or protocol converter. An OPC server connects to a device such as a PLC, DCS or RTU, or to a data source such as a database or user interface, and translates the data into the standards-based OPC format. OPC-compliant applications such as an HMI, historian or spreadsheet can connect to the OPC server and use it to read and write device data. OPC servers follow a client/server architecture. To access OPC from C/C++ the custom (COM) interface is used, and to use it from a Visual Basic application the automation interface is used [36]. To establish communication between an OPC server and an OPC client programmed in different languages, an OPC automation wrapper is used, as shown in figure 4.1; it is the connecting link between an OPC server programmed in C/C++ and an application written in Visual Basic. SCADA systems support OPC as a standard communication mechanism.

Figure 4.1: OPC automation interface wrapper link (VB application to OPC automation wrapper to OPC interface; C++ application to OPC interface; both reach the remote OPC server).

An OPC interface allows third-party OPC-compliant software to interface with the SCADA system through either the database server or the HMI. This interface is particularly valuable when the logic-model-based design approach is applied: third-party software can be used to create a dynamic real-time model of the industrial process that is to be controlled. The I/O of the model is communicated to the SCADA system database, from which the individual RTU controllers process the data and provide the feedback control signals back to the model. Systems designed to work in this manner must give the RTUs a provision to read and write either the physical I/O or the internal I/O of the SCADA database. This interface is supported by almost all SCADA, visualization and process control systems; visualization through the HMI is the main use of an OPC server.

In SCADA there are two parts to an OPC system. The first is the OPC server. A number of Modbus OPC servers are available, depending on the functionality required; it is the OPC server's responsibility to send data to and receive data from the SCADA system. OPC was mostly created to enable interoperability at the SCADA level. When several PLCs and/or RTUs that use different protocols need to communicate, this can be solved in several ways: one solution is to use gateways to translate between the different protocols, another is to install an OPC server. The gateway solution is usually a larger investment than the OPC server solution. Currently OPC is a widely accepted industrial communication standard that enables the exchange of data without proprietary restrictions between multi-vendor devices and control software (horizontal integration) as well as between different software applications (vertical integration). Any SCADA system can be configured to be the OPC server for the higher levels of the plant.
Advanced control and diagnostic systems: even now the performance of most PLC devices is too small to run advanced control and diagnostic algorithms. In most cases the SCADA level is the higher level of control, while the basic control is executed on a PLC. For example, the PID algorithm runs on the PLC and the PID settings are optimized by the advanced control algorithm at the SCADA level. Sometimes it is not possible to separate a complex control algorithm into two parts and control at the field level is required; in those cases it is necessary to use a dedicated device or a more sophisticated programmable logic controller. PLC devices have two Ethernet interfaces: one can be intended only for communication within the field level, the second for vertical integration with the SCADA level [38]. This is the most common way of separating the levels in small and medium control systems.

There are two types of OPC server: in-process and out-of-process. In-process OPC servers are very rare. They are written in the form of a Dynamic Link Library (DLL) loaded into the OPC client's process space. Only one client can be connected to this kind of server, because each OPC client application manages its own server instance. The communication between the client and the server takes place inside one process, so it is much faster; generally in-process OPC servers do not offer remote OPC connections. Out-of-process OPC servers are those we will meet in most cases; they are separate applications.

The OPC client can request data at a higher rate than was specified by the group refresh time. The server should make a best effort to keep the client informed about data changes, but it should never send data to a client at a rate faster than the client requests. The OPC server also has its own refresh rate; usually this parameter is hidden in the server's configuration. OPC users should be familiar with it: setting the OPC group refresh rate faster than the OPC server refresh rate means that the real OPC group refresh rate will be equal to the server's refresh rate (figure 4.2).
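The refresh-rate interaction described above, as an added example that is not part of the thesis and not code from any OPC server or client product: a discrete-time simulation in which the server re-reads the device into a cache once per server refresh period and a subscribing group checks that cache once per group period, reporting a callback only when the cached value has changed. The cache-and-poll model, the millisecond timings and the device value sequence are assumptions constructed for illustration; the simulation shows that the client never observes changes faster than the slower of the two periods, and that when the group period is the slower one the intermediate changes are simply never delivered.

```python
"""Simulation of the interaction between an OPC group's requested update
rate and the OPC server's own refresh (scan) rate.

Added example, not code from the thesis or from any OPC server or client
library.  The cache-and-poll model, the timings and the device value
sequence are assumptions constructed for illustration.
"""

from typing import List, Optional


def simulate_group_updates(server_period_ms: int, group_period_ms: int,
                           horizon_ms: int, device_values: List[int]) -> List[int]:
    """Return the times (ms) at which the client receives a data-change callback.

    Model (assumed for this example):
      * every server_period_ms the server reads the device and stores the
        value in its cache (device_values is cycled to supply readings);
      * every group_period_ms the group compares the cached value with the
        last value sent to the client and fires a callback only on a change.
    Hence callbacks never arrive faster than the group period, and when the
    group period is shorter than the server period the client still sees a
    change only once per server scan.
    """
    cache: Optional[int] = None
    last_sent: Optional[int] = None
    callbacks: List[int] = []
    scan_index = 0
    for t in range(0, horizon_ms + 1):
        if t % server_period_ms == 0:
            cache = device_values[scan_index % len(device_values)]
            scan_index += 1
        if t % group_period_ms == 0 and cache is not None and cache != last_sent:
            callbacks.append(t)
            last_sent = cache
    return callbacks


def effective_update_period(callback_times: List[int]) -> Optional[int]:
    """Median spacing between callbacks: the update period the client really gets."""
    gaps = sorted(b - a for a, b in zip(callback_times, callback_times[1:]))
    return gaps[len(gaps) // 2] if gaps else None


if __name__ == "__main__":
    changing = [1, 2, 3, 4, 5, 6]          # constructed: value changes on every scan
    # Group asks for 100 ms, server scans at 1000 ms: the real rate is the server's.
    fast_group = simulate_group_updates(1000, 100, 5000, changing)
    print("group 100 ms / server 1000 ms ->", effective_update_period(fast_group), "ms")
    # Group asks for 1000 ms, server scans at 100 ms: the client gets the group
    # rate and silently misses the nine intermediate changes in each second.
    slow_group = simulate_group_updates(100, 1000, 5000, changing)
    print("group 1000 ms / server 100 ms ->", effective_update_period(slow_group), "ms")
```

The practical consequence for alert monitoring is that a client-side rate tells you nothing on its own: an alert that must react to every change of a tag has to be sized to the server's hidden refresh period, and a group set slower than the server scan will not just lag but will drop transitions it never sees.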
OPC servers are included in the hardware deliveries of an ever-increasing number of manufacturers of programmable automation and technology control systems. Similarly, an ever-increasing number of manufacturers of visualization
