Está en la página 1de 168

An Introduction To SCADA For Electrical

Engineers Beginners
http://electrical-engineering-portal.com/an-introduction-to-scada-for-electrical-engineers-
beginners

An Introduction To SCADA (Supervisory Control And Data Acquisition) For Beginners // On
photo Monitor iFIX By ServiTecno via FlickR
Control and Supervision
It is impossible to keep control and supervision on all industrial activities manually. Some
automated tool is required which can control, supervise, collect data, analyses data and generate
reports. A unique solution is introduced to meet all this demand is SCADA system.
SCADA stands for supervisory control and data acquisition. It is an industrial control system
where a computer system monitoring and controlling a process.
Another term is there, Distributed Control System (DCS). Usually there is a confusion between
the concept of these two.
A SCADA system usually refers to a system that coordinates, but does not control processes in real time,
but DCS do that. SCADA systems often have Distributed Control System (DCS) components.

Components of SCADA
1. Human Machine Interface (HMI)
It is an interface which presents process data to a human operator, and through this, the human
operator monitors and controls the process.
2. Supervisory (computer) system
It gathers data on the process and sending commands (or control) to the process.
3. Remote Terminal Units (RTUs)
It connect to sensors in the process, converting sensor signals to digital data and sending digital
data to the supervisory system.
4. Programmable Logic Controller (PLCs)
It is used as field devices because they are more economical, versatile, flexible, and configurable
than special-purpose RTUs.
5. Communication infrastructure
It provides connectivity to the supervisory system to the Remote Terminal Units.

SCADA System Concept
The term SCADA usually refers to centralized systems which monitor and control entire sites, or
complexes of systems spread out over large areas (anything between an industrial plant and a
country).
Most control actions are performed automatically by Remote Terminal Units (RTUs) or by
programmable logic controllers (PLCs).
Host control functions are usually restricted to basic overriding or supervisory level
intervention. For example, a PLC may control the flow of cooling water through part of an
industrial process, but the SCADA system may allow operators to change the set points for the
flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and
recorded.
The feedback control loop passes through the RTU or PLC, while the SCADA system monitors
the overall performance of the loop.

A simple SCADA system with single computer
SCADA/PLC Video Introduction/Example
Waste Water Treatment SCADA System Raising your Plant IQ
https://www.youtube.com/watch?v=ZSFdOjxB-1I&feature=player_embedded
Cant see this video? Click here to watch it on Youtube.
Introducing students to Industrial Programmable Controllers
https://www.youtube.com/watch?v=lCYWuk034NI&feature=player_embedded
Cant see this video? Click here to watch it on Youtube.

Three generations of SCADA system
architectures

Generations
SCADA systems have evolved in parallel with the growth and sophistication of
modern computing technology.
The following sections will provide a description of the following three generations of SCADA
systems:
1. First Generation Monolithic
2. Second Generation Distributed
3. Third Generation Networked
- Waste Water Treatment Plant SCADA (VIDEO)

1. Monolithic SCADA Systems
When SCADA systems were first developed, the concept of computing in general centered on
mainframe systems. Networks were generally non-existent, and each centralized system stood
alone.
As a result, SCADA systems were standalone systems with virtually no connectivity to other
systems.
The Wide Area Networks (WANs) that were implemented to communicate with remote terminal units
(RTUs) were designed with a single purpose in mindthat of communicating with RTUs in the field and
nothing else. In addition, WAN protocols in use today were largely unknown at the time.
The communication protocols in use on SCADA networks were developed by vendors of RTU
equipment and were often proprietary.
In addition, these protocols were generally very lean, supporting virtually no functionality
beyond that required scanning and controlling points within the remote device. Also, it was
generally not feasible to intermingle other types of data traffic with RTU communications on the
network.
Connectivity to the SCADA master station itself was very limited by the system
vendor. Connections to the master typically were done at the bus level via a proprietary adapter
or controller plugged into the Central Processing Unit (CPU) backplane.
Redundancy in these first generation systems was accomplished by the use of two identically
equipped mainframe systems, a primary and a backup, connected at the bus level.

Figure 1 - First Generation SCADA Architecture

The standby systems primary function was to monitor the primary and take over in the event of
a detected failure. This type of standby operation meant that little or no processing was done on
the standby system. Figure 1 shows a typical first generation SCADA architecture.
Go to Content

2. Distributed SCADA Systems
The next generation of SCADA systems took advantage of developments and improvement in
system miniaturization and Local Area Networking (LAN) technology to distribute the
processing across multiple systems.
Multiple stations, each with a specific function, were connected to a LAN and shared
information with each other in real-time.
These stations were typically of the mini-computer class, smaller and less expensive than their first
generation processors.
Some of these distributed stations served as communications processors,
primarily communicating with field devices such as RTUs. Some served as operator
interfaces, providing the human-machine interface (HMI ) for system operators. Still others
served as calculation processors or database servers.

Remote terminal unit (RTU)
The distribution of individual SCADA system functions across multiple systems provided more
processing power for the systemas a wholethan would have been available in a single
processor. The networks that connected these individual systems were generally based on LAN
protocols and were not capable of reaching beyond the limits of the local environment.
Some of the LAN protocols that were used were of a proprietary nature, where the
vendor created its own network protocolor version thereof rather than pulling an existing one
off the shelf. This allowed a vendor to optimize its LAN protocol for real-time traffic, but
it limited (or effectively eliminated) the connection of network from other vendors to
the SCADA LAN.
Figure 2 depicts typical second generation SCADA architecture.

Figure2 - Second Generation SCADA Architecture

Distribution of system functionality across network-connected systems served not only
to increase processing power, but also to improve the redundancy and reliability of the system
as a whole. Rather than the simple primary/standby fail over scheme that was utilized in many
first generation systems, the distributed architecture often kept all stations on the LAN in an
online state all of the time.
For example, if an HMI station were to fail, another HMI station could be used to operate the
system, without waiting for fail over from the primary system to the secondary.
The WAN used to communicate with devices in the field were largely unchanged by
the development of LAN connectivity between local stations at the SCADA master.
These external communications networks were still limited to RTU protocols and were
not available for other types of network traffic.
As was the case with the first generation of systems, the second generation of SCADA systems was also
limited to hardware, software, and peripheral devices that were provided or at least selected by the
vendor.
Go to Content

3. Networked SCADA Systems
The current generation of SCADA master station architecture is closely related to that of the
second generation, with the primary difference being that of an open system architecture rather
than a vendor controlled, proprietary environment.
There are still multiple networked systems, sharing masterstation functions. There are still
RTUs utilizing protocols that are vendor-proprietary.
The major improvement in the third generation is that of opening the system architecture, utilizing
open standards and protocols and making it possible to distribute SCADA functionality across a WAN
and not just a LAN.
Open standards eliminate a number of the limitations of previous generations of
SCADA systems. The utilization of off-the-shelf systems makes it easier for the user to
connect third party peripheral devices (such as monitors, printers, disk drives, tape drives, etc.)
to the system and/or the network.
As they have moved to open or off-the-shelf systems, SCADA vendors have gradually
gotten out of the hardware development business. These vendors have looked to system vendors
such as Compaq, Hewlett-Packard, and Sun Microsystems for their expertise in developing the
basic computer platforms and operating system software.
This allows SCADA vendors to concentrate their development in an area where they can
add specific value to the system that of SCADA master station software.
The major improvement in third generation SCADA systems comes from the use of WAN
protocols such as the I nternet Protocol (I P) for Communication between the master station and
communications equipment. This allows the portion of the master station that is responsible for
communications with the field devices to be separated from the master station proper across a
WAN.
Vendors are now producing RTUs that can communicate with the master station using an
Ethernet connection.
Figure 3 represents a networked SCADA system.

Figure 3 - Third Generation SCADA System

Another advantage brought about by the distribution of SCADA functionality over a WAN is
that of disaster survivability. The distribution of SCADA processing across a LAN in second-
generation systems improves reliability, but in the event of a total loss of the facility housing the
SCADA master, the entire system could be lost as well.
By distributing the processing across physically separate locations, it becomes possible to build a SCADA
system that can survive a total loss of any one location.
For some organizations that see SCADA as a super-critical function, this is a real benefit.
Waste Water Treatment Plant SCADA (VIDEO)
https://www.youtube.com/watch?v=ZSFdOjxB-1I&feature=player_embedded
Cant see this video? Click here to watch it on Youtube.
Resource: Supervisory Control and Data Acquisition (SCADA) Systems Communication
Technologies, Inc.
Advantages Of IEC 61850
IEC 61850 - Advantages and Key Features

One of the significant challenges that substation engineers face is justifying substation
automation investments. The positive impacts that automation has on operating costs, increased
power quality, and reduced outage response are well known. But little attention is paid to how
the use of a communication standard impacts the cost to build and operate the substation.
Legacy communication protocols were typically developed with the dual objective of providing
the necessary functions required by electric power systems while minimizing the number of
bytes that were used by the protocol because of severe bandwidth limitations that were typical of
the serial link technology available 10-15 years ago when many of these protocols were initially
developed.
Later, as Ethernet and modern networking protocols like TCP/IP became widespread, these
legacy protocols were adapted to run over TCP/IP-Ethernet.
This approach provided the same basic electric power system capabilities as the serial link
version while bringing the advantages of modern networking technologies to the substation. But
this approach has a fundamental flaw: the protocols being used were still designed to minimize
the bytes on the wire and do not take advantage of the vast increase in bandwidth that modern
networking technologies deliver by providing a higher level of functionality that can
significantly reduce the implementation and operational costs of substation automation.
Top
Modern Networking Technologies
IEC 61850 is unique. IEC 61850 is not a former serial link protocol recast onto TCP/IP-Ethernet. IEC 61850
was designed from the ground up to operate over modern networking technologies and delivers an
unprecedented amount of functionality that is simply not available from legacy communications
protocols.
These unique characteristics of IEC 61850 have a direct and positive impact on the cost to
design, build, install, commission, and operate power systems. While legacy protocols on
Ethernet enable the substation engineer to do exactly the same thing that was done 10-15 years
ago using Ethernet, IEC 61850 enables fundamental improvements in the substation automation
process that is simply not possible with a legacy approach, with or without TCP/IP-Ethernet.
To better understand the specific benefits we will first examine some of the key features and
capabilities of IEC 61850 and then explain how these result in significant benefits that cannot be
achieved with the legacy approach.
Top
Key Features
The features and characteristics of IEC 61850 that enable unique advantages are so numerous
that they cannot practically be listed here. Some of these characteristics are seemingly small but
yet can have a tremendous impact on substation automation systems.
For instance, the use of VLANs and priority flags for GOOSE and SMV enable much more
intelligent use of Ethernet switches that in and of itself can deliver significant benefits to users
that arent available with other approaches. For the sake of brevity, we will list here some of the
more key features that provide significant benefits to users:
Use of a Virtualized Model
The virtualized model of logical devices, logical nodes, ACSI, and CDCs enables definition of
the data, services, and behavior of devices to be defined in addition to the protocols that are used
to define how the data is transmitted over the network.
Use of Names for All Data
Every element of IEC 61850 data is named using descriptive strings to describe the data. Legacy
protocols, on the other hand, tend to identify data by storage location and use index numbers,
register numbers and the like to describe data.
All Object Names are Standardized and Defined in a Power System Context
The names of the data in the IEC 61850 device are not dictated by the device vendor or
configured by the user. All names are defined in the standard and provided in a power system
context that enables the engineer to immediately identify the meaning of data without having to
define mappings that relate index numbers and register numbers to power system data like
voltage and current.
Devices are Self-Describing
Client applications that communicate with IEC 61850 devices are able to download the
description of all the data supported by the device from the device without any manual
configuration of data objects or names.
High-Level Services
ACSI supports a wide variety of services that far exceeds what is available in the typical legacy
protocol. GOOSE, GSSE, SMV, and logs are just a few of the unique capabilities of IEC 61850.
Standardized Configuration Language
SCL enables the configuration of a device and its role in the power system to be precisely
defined using XML files.
Top
Major Benefits
The features described above for IEC 61850 deliver substantial benefits to users that understand
and take advantage of them. Rather than simply approaching an IEC 61850 based system in the
same way as any other system, a user that understands and takes advantage of the unique
capabilities will realize significant benefits that are not available using legacy approaches.

Eliminate Procurement Ambiguity
Not only can SCL be used to configure devices and power systems, SCL can also be used to
precisely define user requirement for substations and devices. Using SCL a user can specify
exactly and unambiguously what is expected to be provided in each device that is not subject to
misinterpretation by suppliers.

Lower Installation Cost
IEC 61850 enables devices to quickly exchange data and status using GOOSE and GSSE over
the station LAN without having to wire separate links for each relay. This significantly reduces
wiring costs by more fully utilizing the station LAN bandwidth for these signals and construction
costs by reducing the need for trenching, ducts, conduit, etc.

Lower Transducer Costs
Rather than requiring separate transducers for each device needing a particular signal, a single
merging unit supporting SMV can deliver these signals to many devices using a single transducer
lowering transducer, wiring, calibration, and maintenance costs.

Lower Commissioning Costs
The cost to configure and commission devices is drastically reduced because IEC 61850 devices
dont require as much manual configuration as legacy devices. Client applications no longer need
to manually configured for each point they need to access because they can retrieve the points
list directly from the device or import it via an SCL file.
Many applications require nothing more than setting up a network address in order to establish
communications. Most manual configuration is eliminated drastically reducing errors and
rework.
Advertisement
Lower Equipment Migration Costs
Because IEC 61850 defines more of the externally visible aspects of the devices besides just the
encoding of data on the wire, the cost for equipment migrations is minimized. Behavioral
differences from one brand of device to another is minimized and, in some cases, completely
eliminated.
All devices share the same naming conventions minimizing the reconfiguration of client
applications when those devices are changed.
Lower Extension Costs
Because IEC 61850 devices dont have to be configured to expose data, new extensions are
easily added into the substation without having to reconfigure devices to expose data that was
previously not accessed. Adding devices and applications into an existing IEC 61850 system can
be done with only a minimal impact, if any, on any of the existing equipment.

Lower Integration Costs
By utilizing the same networking technology that is being widely used across the utility
enterprise the cost to integrate substation data into the enterprise is substantially reduced. Rather
than installing costly RTUs that have to be manually configured and maintained for each point of
data needed in control center and engineering office application, IEC 61850 networks are
capable of delivering data without separate communications front-ends or reconfiguring devices.

Implement New Capabilities
The advanced services and unique features of IEC 61850 enables new capabilities that are simply
not possible with most legacy protocols. Wide area protection schemes that would normally be
cost prohibitive become much more feasible.
Because devices are already connected to the substation LAN, the incremental cost for accessing
or sharing more device data becomes insignificant enabling new and innovative applications that
would be too costly to produce otherwise.

Conclusions
IEC 61850 is now released to the industry. Ten parts of the standard are now International
Standards (part 10 is a draft international standard). This standard addresses most of the issues
that migration to the digital world entails, especially, standardization of data names, creation of a
comprehensive set of services, implementation over standard protocols and hardware, and
definition of a process bus.
Multi-vendor interoperability has been demonstrated and compliance certification processes are
being established. Discussions are underway to utilize IEC 61850 as the substation to control
center communication protocol. IEC 61850 will become the protocol of choice as utilities
migrate to network solutions for the substations and beyond.
SOURCE: Ralph Mackiewicz SISCO, Inc. Sterling Heights, MI USA


Do Your Substation Devices Speak IEC
61850? They Should, Its Time.

Do Your Substation Devices Speak IEC 61850? They Should, It's Time. (photo by Siemens A..
- Siemens Trkiye)
Overview of IEC 61850
Since being published in 2004, the IEC 61850 communication standard has gained more and
more relevance in the field of substation automation.
It provides an effective response to the needs of the open, deregulated energy market, which
requires both reliable networks and extremely flexible technology flexible enough to adapt to
the substation challenges of the next twenty years.
IEC 61850 has not only taken over the drive of the communication technology of the office networking
sector, but it has also adopted the best possible protocols and configurations for high functionality and
reliable data transmission.
Industrial Ethernet, which has been hardened for substation purposes and provides a speed of
100 Mbit/s, offers bandwidth enough to ensure reliable information exchange between I EDs
(Intelligent Electronic Devices), as well as reliable communication from an IED to a substation
controller.
The definition of an effective process bus offers a standardized way to connect conventional as
well as intelligent CTs and VTs to relays digitally.
More than just a protocol, IEC 61850 also provides benefits in the areas of engineering and
maintenance, especially with respect to combining devices from different vendors.
Key features of IEC 61850
As in an actual project, the standard includes parts describing the requirements needed in
substation communication, as well as parts describing the specification itself.

SIPROTEC 5 - IEC 61850 is more than a substation automation protocol. It comprehensively
analyzes data types, functions, and communication in substation networks.
The specification is structured as follows:
An object-oriented and application-specific data model focused on substation automation.
This model includes object types representing nearly all existing equipment and functions in a
substation circuit breakers, protection functions, current and voltage transformers,
waveform recordings, and many more.
Communication services providing multiple methods for information exchange. These services
cover reporting and logging of events, control of switches and functions, polling of data model
information.
Peer-to-peer communication for fast data exchange between the feeder level devices
(protection devices and bay controller) is supported with GOOSE (Generic Object Oriented
Substation Event).
Support of sampled value exchange.
File transfer for disturbance recordings.
Communication services to connect primary equipment such as instrument transducers to
relays.
Decoupling of data model and communication services from specific communication
technologies.
This technology independence guarantees long-term stability for the data model and opens up
the possibility to switch over to successor communication technologies. Today, the standard
uses Industrial Ethernet with the following significant features:
100 Mbit/s bandwidth
Non-blocking switching technology
Priority tagging for important messages
Time synchronization
A common formal description code, which allows a standardized representation of a systems
data model and its links to communication services.
This code, called SCL (Substation Configuration Description Language), covers all communication
aspects according to IEC 61850. Based on XML, this code is an ideal electronic interchange
format for configuration data.
A standardized conformance test that ensures interoperability between devices. Devices must
pass multiple test cases: positive tests for correctly responding to stimulation telegrams, plus
several negative tests for ignoring incorrect information
IEC 61850 offers a complete set of specifications covering all communication issues inside a
substation
Support of both editions of IEC 61850 and all technical issues.



PLC Application For Speed Control of AC
Motors With Variable Speed (VS) Drive

PLC Application For Speed Control of AC Motors With VSD (on photo: Quadplex panel that
controls four total pumps, two 25HP and two 50HP pumps controlled by corresponding variable
frequency drives with filters. The 460V 3PH 4 wire 300A panel features a PLC based control
system with back up floats and intrinisically safe barriers for level sensors. by D&B Custom
Wiring)
AC Motor Drive Interface
A common PLC application is the speed control of AC motors with variable speed (VS) drives.
The diagram in Figure 1 shows an operator station used to manually control a VS drive.
The programmable controller implementation of this station will provide automatic motor speed
control through an analog interface by varying the analog output voltage (0 to 10 VDC) to the
drive.
The operator station consists of:
1. a speed potentiometer (speed regulator),
2. a forward/reverse direction selector,
3. a run/jog switch, and
4. start and stop push buttons.
The PLC program will contain all of these inputs except the potentiometer, which will be
replaced by an analog output.
The required input field devices (i.e., start push button, stop push button, jog/run, and forward/
reverse) will be added to the application and connected to input modules, rather than using the
operator stations components.
The PLC program will contain the logic to start, stop, and interlock the forward/reverse commands.

Figure 1 - Operator station for a variable speed drive

Table 1 shows the I /O address assignment tablefor this example, while Figure 2 illustrates the
connection diagram from the PLC to the VS drives terminal block (TB-1). The connection
uses a contact output interface to switch the forward/reverse signal, since the common must be
switched.
To activate the drive, terminal TB-1-6 must receive 115 VAC to turn ON the internal relay CR1.
The drive terminal block TB-1-8 supplies power to the PLCs L1 connection to turn the drive
ON. The output of the module (CR1) is connected to terminal TB-1-6. The drives 115 VAC
signal is used to control the motor speed so that the signal is in the same circuit as the
drive, avoiding the possibility of having different commons (L2) in the drive (the start/stop
common is not the same as the controllers common).
In this configuration, the motors overload contacts are wired to terminals TB-1-9 and TB-1-10,
which are the drives power (L1) connection and the output interfaces L1 connection. If an
overload occurs, the drive will turn OFF because the drives CR1 contact will not receive power
from the output module.
This configuration, however, does not provide low-voltage protection, since the drive and motor will
start immediately after the overloads cool off and reclose.
To have low-voltage protection, the auxiliary contact from the drive, CR1 in terminal TB-1-7,
must be used as an input in the PLC, so that it seals the start/stop circuit.


Table 1 - I/O address assignment


Figure 2 - Connection diagram from the PLC to the VS drives terminal block.
Figure 3 shows the PLC ladder program that will replace the manual operator station. The
forward and reverse inputs are interlocked, so only one of them can be ON at any given time
(i.e., they are mutually exclusive).
If the jog setting is selected, the motor will run at the speed set by the analog output when the
start push button is depressed. The analog output connection simply allows the output to be
enabled when the drive starts. Register 4000 holds the value in counts for the analog output to
the drive. Internal 1000, which is used in the block transfer, indicates the completion of the
instruction.
Sometimes, a VS drive requires the ability to run under automatic or manual control
(AUTO/MAN). Several additional hardwired connections must be made to implement this dual
control.


Figure 3 - PLC implementation of the VS drive

The simplest and least expensive way to do this is with a selector switch (e.g., a four-pole, single-throw,
single-break selector switch). With this switch, the user can select either the automatic or manual
option. Figure 4 illustrates this connection.
Note that the start, stop, run/jog, potentiometer, and forward/reverse field devices shown are
from the operator station. These devices are connected to the PLC interface under the same
names that are used in the control program (refer to Figure 3).
If the AUTO/MAN switch is set to automatic, the PLC will control the drive; if the switch is set
to manual, the manual station will control the drive.

Figure 4 - VS drive with AUTO/MAN capability
Resource: Introduction-to-PLC-Programming www.globalautomation.info
]
SCADA As Heart Of Distribution
Management System

SCADA The Heart Of Distribution Management System (DMS) - On photo: Fima UAB -
Dedicated control systems and SCADA (Supervisory Control and Data Acquisition) as well as
DMS (Distribution Management System) type of systems are offered for electricity, water and
gas supply companies, as well as telecommunication operators and manufacturing companies.
SCADA System Elements
At a high level, the elements of a distribution automation system can be divided into three
main areas:
1. SCADA application and server(s)
2. DMS applications and server(s)
3. Trouble management applications and server(s)

Distribution SCADA
As was stated in the title, the Supervisory Control And Data Acquisition (SCADA) system is the
heart of Distribution Management System (DMS) architecture.
A SCADA system should have all of the infrastructure elements to support the multifaceted
nature of distribution automation and the higher level applications of a DMS. A Distribution
SCADA systems primary function is in support of distribution operations telemetry, alarming,
event recording, and remote control of field equipment.
Historically, SCADA systems have been notorious for their lack of support for the import, and more
importantly, the export of power system data values.
A modern SCADA system should support the engineering budgeting and planning functions by
providing access to power system data without having to have possession of an operational
workstation.
The main elements of a SCADA system are:
1. Host equipment
2. Communication infrastructure (network and serial communications)
3. Field devices (in sufficient quantity to support operations and telemetry requirements of a
DMS platform)

Figure 1 - DA system architecture
Host Equipment
The essential elements of a distribution SCADA host are:
1. Host servers (redundant servers with backup/failover capability).
2. Communication front-end nodes (network based).
3. Full graphics user interfaces.
4. Relational database server (for archival of historical power system values) and data
server/Web server (for access to near real time values and events).
The elements and components of the typical distribution automation system are illustrated in
Figure 1 above.

Host Computer System
SCADA Servers
As SCADA has proven its value in operation during inclement weather conditions, service
restoration, and daily operations, the dependency on SCADA has created a requirement for
highly available and high performance systems. Redundant server hardware operating in a
live backup/failover mode is required to meet the high availability criteria.
High-performance servers with abundant physical memory, RAID hard disk systems, and
interconnected by 10/100 baseT switched Ethernet are typical of todays SCADA servers.

Communication Front-End (CFE) Processors
The current state of host to field device communications still depends heavily on serial
communications.
This requirement is filled by the CFE. The CFE can come in several forms based on bus
architecture (e.g., VME or PCI) and operating system. Location of the CFE in relation to the
SCADA server can vary based on requirement. In some configurations the CFE is located on
the LAN with the SCADA server. In other cases, existing communications hubs may dictate that
the CFE reside at the communication hub.
The incorporation of the WAN into the architecture requires a more robust CFE application to
compensate for less reliable communications (in comparison to LAN).
I n general the CFE will include three functional devices:
1. A network/CPU board,
2. Serial cards, and
3. Possibly a time code receiver.
Functionality should include the ability to download configuration and scan tables. The CFE
should also support the ability to dead band values (i.e., report only those analog values that
have changed by a user-defined amount).
CFE, network, and SCADA servers should be capable of supporting worst-case conditions (i.e.,
all points changing outside of the dead band limits), which typically occur during severe system
disturbances.

Full Graphics User Interface
The current trend in the user interface (UI ) is toward a full graphics (FG) user interface. While
character graphics consoles are still in use by many utilities today, SCADA vendors are
aggressively moving their platforms to a full graphics UI.
Quite often the SCADA vendors have implemented their new full graphics user interface on low-
cost NT workstations using third-party applications to emulate the X11 window system.

SCADA - Full graphic display using Video Wall

Full graphic displays provide the ability to display power system data along with the electric
distribution facilities in a geographical (or semigeographical) perspective.
The advantage of using a full graphics interface becomes evident (particularly for distribution
utilities) as SCADA is deployed beyond the substation fence where feeder diagrams become
critical to distribution operations.

Relational Databases, Data Servers, and Web Servers
The traditional SCADA systems were poor providers of data to anyone not connected to the
SCADA system by an operational console.
This occurred due to the proprietary nature of the performance (in memory) database and its
design optimization for putting scanned data in and pushing display values out. Power system
quantities such as: bank and feeder loading (MW, MWH, MQH, and ampere loading), and bus
volts provide valuable information to the distribution planning engineer.
The availability of event (log) data is important in postmortem analysis. The use of relational databases,
data servers, and Web servers by the corporate and engineering functions provides access to power
system information and data while isolating the SCADA server from nonoperations personnel.

Host to Field Communications
Serial communications to field devices can occur over several mediums: copper wire, fiber,
radio, and even satellite. Telephone circuits, fiber, and satellites have a relatively high cost. New
radio technologies offer good communications value.
One such technology is the Multiple Address Radio System (MAS).
The MAS operates in the 900 MHz range and is omnidirectional, providing radio coverage in an
area with radius up to 2025 miles depending on terrain. A single MAS master radio can
communicate with many remote sites. Protocol and bandwidth limit the number of remote
terminal units that can be communicated with by a master radio. The protocol limit is simply the
address range supported by the protocol.
Bandwidth limitations can be offset by the use of efficient protocols, or slowing down the scan
rate to include more remote units. Spread-spectrum and point-to-point radio (in combination with
MAS) offers an opportunity to address specific communication problems.
At the present time MAS radio is preferred to packet radio (another new radio technology);
MAS radio communications tend to be more deterministic providing for smaller timeout values
on communication noresponses and controls.

Field Devices
Distribution Automation (DA) field devices are multi-featured installations meeting a broad
range of control, operations, planning, and system performance issues for the utility personnel.
Each device provides specific functionality, supports system operations, includes fault detection,
captures planning data and records power quality information. These devices are found in the
distribution substation and at selected locations along the distribution line. The multi-featured
capability of the DA device increases its ability to be integrated into the electric distribution
system.
The functionality and operations capabilities complement each other with regard to the control and
operation of the electric distribution system.
The fault detection feature is the eyes and ears for the operating personnel. The fault detection
capability becomes increasingly more useful with the penetration of DA devices on the
distribution line.
The real-time data collected by the SCADA system is provided to the planning engineers for
inclusion in the radial distribution line studies. As the distribution system continues to grow, the
utility makes annual investments to improve the electric distribution system to maintain adequate
facilities to meet the increasing load requirements.
The use of the real-time data permits the planning engineers to optimize the annual capital
expenditures required to meet the growing needs of the electric distribution system.
The power quality information includes capturing harmonic content to the 15th harmonic and
recording Percent Total Harmonic Distortion (%THD). This information is used to monitor the
performance of the distribution electric system.

Modern RTU
Todays modern RTU is modular in construction with advanced capabilities to support functions
that heretofore were not included in the RTU design.
The modular design supports installation configurations ranging from the small point count
required for the distribution line pole-mounted units to the very large point count required for
large bulk-power substations and power plant switchyard installations.

Modern RTU Scada

The modern RTU modules include analog units with 9 points, control units with 4 control pair
points, status units with 16 points, and communication units with power supply.
The RTU installation requirements are met by accumulating the necessary number of modern
RTU modules to support the analog, control, status, and communication requirements for the site
to be automated. Packaging of the minimum point count RTUs is available for the distribution
line requirement.
The substation automation requirement has the option of installing the traditional RTU in one cabinet
with connections to the substation devices or distributing the RTU modules at the devices within the
substation with fiberoptic communications between the modules.
The distributed RTU modules are connected to a data concentrating unit which in turn
communicates with the host SCADA computer system.
The modern RTU accepts direct AC inputs from a variety of measurement devices including
line-post sensors, current transformers, potential transformers, station service transformers, and
transducers. Direct AC inputs with the processing capability in the modern RTU supports fault
current detection and harmonic content measurements. The modern RTU has the capability to
report the magnitude, direction, and duration of fault current with time tagging of the fault event
to 1-millisecond resolution. Monitoring and reporting of harmonic content in the distribution
electric circuit are capabilities that are included in the modern RTU.
The digital signal processing capability of the modern RTU supports the necessary calculations
to report %THD for each voltage and current measurement at the automated distribution line or
substation site.
The modern RTU includes logic capability to support the creation of algorithms to meet specific
operating needs.
Automatic transfer schemes have been built using automated switches and modern RTUs with the logic
capability. This capability provides another option to the distribution line engineer when developing the
method of service and addressing critical load concerns.
The logic capability in the modern RTU has been used to create the algorithm to control
distribution line switched capacitors for operation on a per phase basis. The capacitors are
switched on at zero voltage crossing and switched off at zero current crossing.
The algorithm can be designed to switch the capacitors for various system parameters, such as
voltage, reactive load, time, etc. The remote control capability of the modern RTU then allows
the system operator to take control of the capacitors to meet system reactive load needs.
The modern RTU has become a dynamic device with increased capabilities. The new logic and
input capabilities are being exploited to expand the uses and applications of the modern RTU.

PLCs and IEDs
Programmable Logic Controller (PLC) and Intelligent Electronic Device (IED) are components
of the distribution automation system, which meet specific operating and data gathering
requirements.

PLC SCADA Panel

While there is some overlap in capability with the modern RTU, the authors are familiar with the
use of PLCs for automatic isolation of the faulted power transformer in a two-bank substation
and automatic transfer of load to the unfaulted power transformer to maintain an increased
degree of reliability.
The PLC communicates with the modern RTU in the substation to facilitate the remote
operation of the substation facility.
The typical PLC can support serial communications to a SCADA server. The modern RTU has the
capability to communicate via an RS-232 interface with the PLC.
I EDs include electronic meters, electronic relays, and controls on specific substation
equipment, such as breakers, regulators, LTC on power transformers, etc.
The IEDs also have the capability to support serial communications to a SCADA server.
However, the authors experience indicates that the IEDs are typically reporting to the modern
RTU via an RS-232 interfaceor via status output contact points.
As its communicating capability improves and achieves equal status with the functionality
capability, the IED has the potential to become an equal player in the automation communication
environment.
However, in the opinion of the authors, the limited processing capability for supporting the
communication requirement, in addition to its functional requirements (i.e., relays, meters, etc.),
hampers the widespread use of the IEDs in the distribution automation system.
Resource: Power System Operation and Control - George L. Clark and Simon W. Bowen

Basic Mechanical Terms used in Drives
Applications
Index
Terms below are the basic mechanical terms associated with the mechanics of DC drive
operation. Many of these terms are familiar to us in some other context.
1. Force
2. Net Force
3. Torque
4. Speed
5. Linear Speed
6. Angular (Rotational) Speed
7. Acceleration
8. Law of Inertia
9. Friction
10. Work
11. Power
12. Horsepower
Force
In simple terms, a force is a push or a pull. Force may be caused by electromagnetism, gravity,
or a combination of physical means. The English unit of measurement for force is pounds (lb).
Go to back to Index

Net Force
Net force is the vector sum of all forces that act on an object, including friction and gravity.
When forces are applied in the same direction they are added. For example, if two 10 lb forces
were applied in the same direction the net force would be 20 lb.


If 10 lb of force were applied in one direction and 5 lb of force applied in the opposite direction,
the net force would be 5 lb and the object would move in the direction of the greater force.


If 10 lb of force were applied equally in both directions, the net force would be zero and the
object would not move.

Go to back to Index

Torque
Torque is a twisting or turning forcethat tends to cause an object to rotate. A force applied to
the end of a lever, for example, causes a turning effect or torque at the pivot point.
Torque (tau) is the product of force and radius (lever distance).
Torque (tau) = Force x Radius
In the English system torque is measured in pound-feet (lb-ft) or pound-inches (lb-in). If 10 lbs
of force were applied to a lever 1 foot long, for example, there would be 10 lb-ft of torque.

An increase in force or radius would result in a corresponding increase in torque. Increasing the
radius to 2 feet, for example, results in 20 lb-ft of torque.

Go to back to Index

Speed
An object in motion travels a given distance in a given time. Speed is the ratio of the distance
traveled to the time it takes to travel the distance.
Speed = Distance / Time

Linear Speed
The linear speed of an object is a measure of how long it takes the object to get from point A to
point B. Linear speed is usually given in a form such as feet per second (f/s).
For example, if the distance between point A and point B were 10 feet, and it took 2 seconds to
travel the distance, the speed would be 5 f/s.

Go to back to Index

Angular (Rotational) Speed
The angular speed of a rotating object is a measurement of how long it takes a given point on the
object to make one complete revolution from its starting point. Angular speed is generally given
in revolutions per minute (RPM).
An object that makes ten complete revolutions in one minute, for example, has a speed of 10
RPM.

Go to back to Index

Acceleration
An object can change speed. An increase in speed is called acceleration. Acceleration occurs
when there is a change in the force acting upon the object. An object can also change from a
higher to a lower speed.
This is known as deceleration (negative acceleration).
A rotating object, for example, can accelerate from 10 RPM to 20 RPM, or decelerate from 20
RPM to 10 RPM.

Go to back to Index

Law of Inertia
Mechanical systems are subject to the law of inertia. The law of inertia states that an object will
tend to remain in its current state of rest or motion unless acted upon by an external force. This
property of resistance to acceleration /deceleration is referred to as the moment of inertia.
The English system of measurement is pound-feet squared (Ib-ft
2
).
If we look at a continuous roll of paper, as it unwinds, we know that when the roll is stopped, it
would take a certain amount of force to overcome the inertia of the roll to get it rolling. The force
required to overcome this inertia can come from a source of energy such as a motor.
Once rolling, the paper will continue unwinding until another force acts on it to bring it to a stop.

Go to back to Index

Friction
A large amount of force is applied to overcome the inertia of the system at rest to start it moving.
Because friction removes energy from a mechanical system, a continual force must be applied to
keep an object in motion. The law of inertia is still valid, however, since the force applied is
needed only to compensate for the energy lost.
Once the system is in motion, only the energy required to compensate for various losses need be
applied to keep it in motion.
I n the previous illustration, for example: these losses include:
Friction within motor and driven equipment bearings
Windage losses in the motor and driven equipment
Friction between material on winder and rollers
Go to back to Index

Work
Whenever a force of any kind causes motion, work is accomplished. For example, work is
accomplished when an object on a conveyor is moved from one point to another.


Work is defined by the product of the net force (F) applied and the distance (d) moved. If twice
the force is applied, twice the work is done. If an object moves twice the distance, twice the work
is done.
W = F x d
Go to back to Index

Power
Power is the rate of doing work, or work divided by time.
Power = (Force x Distance) / Time
Power = Work / Time
In other words, power is the amount of work it takes to move the package from one point to
another point, divided by the time.

Go to back to Index

Horsepower
Power can be expressed in foot-pounds per second, but is often expressed in horsepower (HP).
This unit was defined in the 18th century by J ames Watt. Watt sold steam engines and was asked
how many horses one steam engine would replace.
He had horses walk around a wheel that would lift a weight. He found that each horse would
average about 550 foot-pounds of work per second.
One horsepower is equivalent to 500 foot-pounds per second or 33,000 foot-pounds per
minute.

The following formula can be used to calculate horsepower when torque (lb-ft) and speed (RPM)
are known.
It can be seen from the formula that an increase of torque, speed, or both will cause a
corresponding increase in horsepower.
HP = (Torque x RPM) / 5250
Power in an electrical circuit is measured in watts (W) or kilowatts (kW).
Variable speed drives and motors manufactured in the United States are generally rated in
horsepower (HP); however, it is becoming common practice to rate equipment using the
I nternational System of Units (SI units) of watts and kilowatts.
Go to back to Index
Resource: Basics of DC Drives SIEMENS

Few Words About Frequency Converters

Introduction
Since the late 1960s, frequency converters have undergone extremely rapid changes, largely as a
result of the development of microprocessor and semi-conductor technologies and their reduction
in prices. However, the basic principles of frequency converters remains the same.
Frequency converters can be divided into four main components:

Figure 1 - Simplified frequency converter
1. Rectifier
The rectifier, which is connected to a single/three-phase AC mains supply and generates a
pulsating DC voltage. There are two basic types of rectifiers controlled and uncontrolled.

2. Intermediate circuit
The intermediate circuit. There are three types:
1. One, which converts the rectifier voltage into a direct current.
2. One, which stabilises or smoothes the pulsating DC voltage and places it at the disposal of the
inverter.
3. One, which converts the constant DC voltage of the rectifier to a variable AC voltage.

3. Inverter
The inverter which generates the frequency of the motor voltage. Alternatively, some inverters
may also convert the constant DC voltage into a variable AC voltage.

Control circuit
The control circuit electronics, which transmit signals to- and receive signals from the rectifier,
the intermediate circuit and the inverter. The parts that are controlled in detail depends on the
design of the individual frequency converter (see Figure 2).
What all frequency converters have in common is that the control circuit uses signals to switch the
inverter semi-conductors on or off. Frequency converters are divided according to the switching pattern
that controls the supply voltage to the motor.
I n figure 2, which shows the different design /control principles:
1. Is a controlled rectifier,
2. Is an uncontrolled rectifier,
3. Is a variable DC intermediate circuit,
4. Is a constant DC voltage intermediate circuit,
5. Is a variable DC intermediate circuit,
6. Is a PAM inverter and
7. PWM inverter.

Figure 2 - Different design / control principles of frequency converter

Current Source I nverter: CSI
(1 + 3 + 6)
Pulse-amplitude-modulated converter: PAM
(1 + 4 + 7) (2 + 5 + 7)
Pulse-width-modulated converter: PWM/VVC
plus

(2 + 4 + 7)
Direct converters, which do not have an intermediate circuit should also be briefly mentioned for
completeness. These converters are used in the Mega-watt power range to generate alow-
frequency supply directly from the 50 Hz mains and their maximum output frequency is about
30 Hz.
Resource: Fact Worth Knowing About Frequency Converters Danfoss

How to Select Right Frequency Converter for
Variable Speed Drive (VSD)?

Application: Brackish water - 3 APP 2,2 equiped with Danfoss inverters for flexible use at
universety. Place of installation: UK

Selecting of a frequency converter for variable speed drives requires a lot of experience. If the
experience is not available, it is often useful to visit either a reference plant with similar
applications, or exhibitions or trade shows.

Checklist
The following is a brief checklist of points that should be considered:
1. Details of the machine to be controlled
2. Environmental details
3. Mains
4. Maintenance, operation, personnel
5. Financial criteria
6. Protective measures for operators/converter/motor
7. Standards/regulations
8. Environmental considerations
9. Also important

VLT Drives Applications (VIDEOS)
Some of the interesting applications done with Danfoss VLT drives:
1. VLT drives in large desalination plant
2. VLT drives control cooling tower fans
3. VLT control optimizes spindle speed in Indian textile factory
4. VLT frequency converters drive bagage handling system
5. VLT Drives Save 78% Energy in Chester Zoo
1. Details of the machine to be controlled
1. Required plant/machine characteristics
2. Torque characteristics, stalling torque, acceleration torque
3. Speed control range, cooling
4. Power consumption of the converter and the motor
5. Operating quadrants
6. Slip compensation (dynamic)
7. Required ramp-up and ramp-down times
8. Required braking times, brake operating time
9. Direct drives, gears, transmission components, moment of mass inertia
10. Synchronisation with other drives
11. Operating time, controls
12. Computer linkage, interfaces, visualisation
13. Design and protection type
14. Possibility of integrating decentral intelligence in the frequency converter
2. Environmental details
1. Installation height, ambient temperature
2. Cooling requirements, cooling options
3. Climatic conditions, such as humidity, water, dirt, dust, gas-es
4. Special regulations, e.g. for mining, the chemical industry, the ship building industry, food
technology
5. Acoustic noise
3. Mains
1. Mains voltage, voltage fluctuations
2. Mains performance
3. Mains frequency fluctuations
4. Mains interference
5. Short-circuit and overvoltage protection
6. Mains drop-out
4. Maintenance, operation, personnel
1. Training and instruction of operators
2. Maintenance
3. Spare parts/spare units
5. Financial criteria
1. Purchase costs (components)
2. Space requirement, integrated installation, design
3. Installation costs
4. Commissioning of the system
5. Set-up costs
6. Operating costs
7. Efficiency of the system (frequency converter and machine)
8. Reactive power requirement and compensation for harmonic loads
9. Product lifetime
6. Protective measures for operators/converter/motor
1. Galvanic isolation in accordance with PELV
2. Phase drop-out
3. Switching at the converter output
4. Earth and short-circuit protection
5. Motor coils to reduce voltage rise times
6. Electronic thermal monitoring and connection of thermistors
7. Standards/regulations
1. National DIN, BS, UL, CSA, VDE, European EN
2. International IEC, CE, etc.

8. Environmental considerations
1. Ability to recycle the product
2. Manufacturing practice
3. Energy saving factors
Also important
Using this checklist a frequency converter can be selected which covers most of the items as
standard, but you should also double check whether:
The converter has mains or intermediate circuit chokes in order to greatly reduce mains
interference
A RFI filter for class A or B is standard or has to be purchased separately
Motor derating is required if a frequency converter is used
The converter itself is protected against earth and short-circuit
The converter reacts adequately in a fault situation.
VLT Drives Applications (VIDEOS)
1. VLT drives in large desalination plant
Cant see this video? Click here to watch it on Youtube.

2. VLT drives control cooling tower fans
Cant see this video? Click here to watch it on Youtube.

3. VLT control optimizes spindle speed in Indian textile factory
Cant see this video? Click here to watch it on Youtube.

4. LT frequency converters drive bagage handling system
Cant see this video? Click here to watch it on Youtube.

5. LT Drives Save 78% Energy in Chester Zoo
Cant see this video? Click here to watch it on Youtube.
Resource: Fact Worth Knowing About Frequency Converters Danfoss

Surge Protection for Frequency Converters

Figure 1 - Schematic diagram of a frequency converter

In principle a frequency converter consists of a rectifier, a d.c. link converter, an inverter and of
the control electronics (Figure 1 above).
At the input of the inverter the single phase or interlinked, three-phase a.c. voltage is
changed into a pulsating d.c. voltage and is pushed into the d.c. link converter that also serves as
energy store (buffer). Capacitors in the d.c. link converter and the LC networks connected to
earth in the a.c. line filter, can cause problems with the residual current devices (RCD)
connected in series.
The reason for this is often wrongly seen in the application of surge arresters.
The problems, however, result from the short-term induction of fault currents by the frequency
converter. These are sufficient to activate sensitive earth leakage circuit breakers (RCDs).
A surge-proof RCD circuit breaker available for a tripping current I
n
=30 mA and a min.
discharge capability of 3 kA (8/20 s) provides a remedy.

Figure 2 - EMC conforming shield connection of the motor supply line

By the control electronics, the inverter delivers a clocked output voltage. The higher the clock
frequency of the control electronics for the pulse-width-modulation, the more sinusoidal is the
output voltage. With each cycle, a peak voltageis created that is superimposed on the curve of
the fundamental frequency. This peak voltage reaches values of 1200 V and higher (according to
the frequency converter).
The better the simulation of the sine curve at the output, the better is the performance and control
response of the motor. This means, however, that the voltage peaks appear at the output of the
frequency converter more frequently.
For choosing of surge arresters, the maximum continuous operating voltage U
c
has to be taken
into account.
It specifies the maximum permissible operating voltage a surge protective device may be
connected to. This means that surge protective devices with a correspondingly higher U
c
are
used at the output side of the frequency converter.
This avoids faster ageing due to gradually heating of the surge protective device under normal
operating conditions and the consequential voltage peaks. This heating of the arrester leads to a
shorter service life and consequently to a disconnection of the surge protective device from the
system to be protected.
The voltage at the output of the frequency converter is variable and adjusted a little bit
higher than the nominal voltage at the input. Often it is approx. +5 % during continuous
operation, in order to compensate the voltage drop at the connected line, for example.

Figure 3 - Structure of a frequency converter with SPD

Example with Dehn devices
1 - DEHNguard S DG S 275
2 DEHNguard S DG S 600
3 BLITZDUCTOR XT
Otherwise, one can simply say that the maximum voltage at the input of the frequency converter
is equal to the maximum voltage at the output of the frequency converter.
The high clock frequency at the output of the frequency converter generates fieldborne
interferences and therefore, requires necessarily a shielded cabling so that adjacent systems are
not disturbed.
For shielding the motor power supply line, a bilateral shield earthing at the frequency
converter and the drive motor has to be ensured. The large-surface contacting of the shield
results from the EMC requirements.
Advantageous is here the use of constant force springs (Figure 2).
By means of intermeshed earth-termination systems, i.e. the earth-termination system the
frequency converters and the drive motor are connected to, potential differences are reduced
between the parts of the installation and thus equalising currents via the shield are avoided.
Figure 3 shows the example of use of surge protective devices Type DEHNguard on the power
supply side and type BLITZDUCTOR for 0 20 mA signals. The protective devices have to be
individually adapted according to the interface.
For the integration of the frequency converter into the building automation it is absolutely
essential that all evaluation and communication interfaces are connected with surge protective
devices in order to avoid system failures.
Resource: Lightning-Protection-Guide dehn.de

Basic Steps In PLC Programming

The first step in developing a control program is the definition of the control task. The control
task specifies what needs to be done and is defined by those who are involved in the operation of
the machine or process. The second step in control program development is to determine a
control strategy, the sequence of processing steps that must occur within a program to produce
the desired output control.
This is also known as the development of an algorithm.
A set of guidelines should be followed during program organization and implementation in order
to develop an organized system.
Approach guidelines apply to two major types of projects: new applications and modernizations
of existing equipment.
Flow charting can be used to plan a program after a written description has been developed. A
flowchart is a pictorial representation of the process that records, analyzes, and communicates
information, as well as defines the sequence of the process.
Logic gates or contact symbology are used to implement the logic sequences in a control
program. Inputs and outputs marked with an X on a logic gate diagram represent real I /O.
Three important documents that provide information about the arrangement of the PLC system are the
I/O assignment table, the internal address assignment table, and the register address assignment
table.
1. The I/O assignment table documents the names, locations, and descriptions of the real inputs
and outputs.
2. The internal address assignment table records the locations and descriptions of internal outputs,
registers, timers, counters, and MCRs.
3. The register address assignment tablelists all of the available PLC registers.
Certain parts of the system should be left hardwired for safety reasons. Elements such as emergency
stops and master start push buttons should be left hardwired so that the system can be disabled
without PLC intervention.
Special cases of input device programming include the program translation of normally closed
input devices, fenced MCR circuits, circuits that allow bidirectional power flow, instantaneous
timer contacts, and complicated logic rungs.
The programming of contacts as normally open or normally closed depends on how they are
required to operate in the logic program. In most cases, if a normally closed input device is
required to act as a normally closed input, its reference address is programmed as normally
open.
Master control relays turn ON and OFF power to certain logic rungs. In a PLC program, an END
MCR instruction must be placed after the last rung an MCR will control.
PLCs do not allow bidirectional power flow, so all PLC rungs must be programmed to operate
only in a forward path.
PLCs do not provide instantaneous contacts; therefore, an internal output must be used to trap
a timer that requires these contacts.
Complicated logic rungs should be isolated from the other rungs during programming.
Program coding is the process of translating a logic or relay diagram into PLC ladder program form.
The benefits of modernizing a relay control system include greater reliability, less energy
consumption, less space utilization, and greater flexibility.

Example Of Simple Start/Stop Motor Circuit
Figure 1 shows the wiring diagram for a three-phase motor and its corresponding three-wire
control circuit, where the auxiliary contacts of the starter seal the start push button. To convert
this circuit into a PLC program, first determine which control devices will be part of the PLC
I /O system; these are the circled items in Figure 2. In this circuit, the start and stop push
buttons (inputs) and the starter coil (output) will be part of the PLC system.
The starter coils auxiliary contacts will not be part of the system because an internal will be
used to seal the coil, resulting in less wiring and fewer connections.

Figure 1a - Wiring diagram of three phase motor


Figure 1b - Relay control circuit for a three-phase motor


Figure 2 - Real inputs and outputs to the PLC
Table 1 shows the I /O address assignment, which uses the same addressing scheme as the
circuit diagram (i.e., inputs: addresses 000 and 001, output: address 030).

I/O Address

Module Type Rack Group Terminal Description
Input
0 0 0 Stop PB (NC)
0 0 1 Start PB
0 0 2 -
0 0 3 -
Output 0 3 0 Motor M1
0 3 1 -
0 3 2 -
0 3 3 -
To program the PLC, the devices must be programmed in the same logic sequence as they are in
the hardwired circuit (see Figure 3). Therefore, the stop push button will be programmed as an
examine-ON instruction (a normally open PLC contact) in series with the start push button,
which is also programmed as an examine-ON instruction.
This circuit will drive output 030, which controls the starter.

Figure 3 - PLC implementation of the circuit in Figure 1

If the start push button is pressed, output 030 will turn ON, sealing the start push button and
turning the motor ON through the starter. If the stop push button is pressed, the motor will turn
OFF.
Note that the stop push button is wired as normally closed to the input module. Also, the starter
coils overloads are wired in series with the coil.
Resource: Introduction to PLC Programming and Implementationfrom relay logic to PLC
logic

DC Motor Drive Explained In Few Words

Figure 1 - Control loop of a DC Motor Drive (ABB)

In a DC motor, the magnetic field is created by the current through the field winding in the
stator. This field is always at right angles to the field created by the armature winding. This
condition, known as field orientation, is needed to generate maximum torque. The commutator-
brush assembly ensures this condition is maintained regardless of the rotor position.
Once field orientation is achieved, the DC motors torque is easily controlled by varying the
armature current and by keeping the magnetising current constant.
The advantage of DC drives is that speed and torque the two main concerns of the end-user
are controlled directly through armature current: that is the torque is the inner control loop and
the speed is the outer control loop (see Figure 1).

Features of DC Motor Drive
1. Field orientation via mechanical commutator
2. Controlling variables are Armature Current and Field Current, measured DIRECTLY from the
motor
3. Torque control is direct

Advantages of DC Motor Drive
1. Accurate and fast torque control
2. High dynamic speed response
3. Simple to control
Initially, DC drives were used for variable speed control because they could easily achieve a
good torque and speed response with high accuracy.
A DC machine is able to produce a torque that is:
Direct the motor torque is proportional to the armature current: the torque can thus be
controlled directly and accurately.
Rapid- torque control is fast; the drive system can have a very high dynamic speed response.
Torque can be changed instantaneously if the motor is fed from an ideal current source. A
voltage fed drive still has a fast response, since this is determined only by the rotors electrical
time constant (i.e. the total inductance and resistance in the armature circuit)
Simple field orientation is achieved using a simple mechanical device called a
commutator/brush assembly. Hence, there is no need for complex electronic control circuitry,
which would increase the cost of the motor controller.
Drawbacks
1. Reduced motor reliability
2. Regular maintenance
3. Motor costly to purchase
4. Needs encoder for feedback
The main drawback of this technique is the reduced reliability of the DC motor; the fact that
brushes and commutators wear down and need regular servicing; that DC motors can be costly to
purchase; and that they require encoders for speed and position feedback.
While a DC drive produces an easily controlled torque from zero to base speed and beyond, the
motors mechanics are more complex and require regular maintenance.
Resource: ABB Technical Guide Direct Torque Control

Using MODBUS for Process Control and
Automation (1)

The Schneider Electric Modicon Quantum is a versatile PLC used in a wide variety of sectors
including manufacturing, water/wastewater, oil and gas, chemical and more.

Advertisement
MODBUS is the most popular industrial protocol being used today, for good reasons. It is
simple, inexpensive, universal and easy to use. Even though MODBUS has been around since
the past century nearly 30 years, almost all major industrial instrumentation and automation
equipment vendors continue to support it in new products.
Although new analyzers, flowmeters and PLCs may have a wireless, Ethernet or fieldbus
interface, MODBUS is still the protocol that most vendors choose to implement in new and old
devices.
Another advantage of MODBUS is that it can run over virtually all communication media,
including twisted pair wires, wireless, fiber optics, Ethernet, telephone modems, cell phones and
microwave. This means that a MODBUS connection can be established in a new or existing
plant fairly easily. In fact, one growing application for MODBUS is providing digital
communications in older plants, using existing twisted pair wiring.
In this white paper, well examine how MODBUS works and look at a few clever ways that
MODBUS can be used in new and legacy plants.

What is MODBUS?
MODBUS was developed by Modicon (now Schneider Electric) in 1979 as a means for
communicating with many devices over a single twisted pair wire. The original scheme ran over
RS232, but was adapted to run on RS485 to gain faster speed, longer distances and a true multi-
drop network. MODBUS quickly became a de facto standard in the automation industry, and
Modicon released it to the public as a royalty free protocol.
Today, MODBUS-IDA (www.MODBUS.org), the largest organized group of MODBUS users
and vendors, continues to support the MODBUS protocol worldwide. MODBUS is a master-
slave system, where the master communicates with one or multiple slaves. The master
typically is a PLC (Programmable Logic Controller), PC, DCS (Distributed Control System) or
RTU (Remote Terminal Unit).
MODBUS RTU slaves are often field devices, all of which connect to the network in a multidrop
configuration, Figure 1.
When a MODBUS RTU master wants information from a device, the master sends a message
that contains the devices address, data it wants, and a checksum for error detection. Every other
device on the network sees the message, but only the device that is addressed responds.

Figure 1. A MODBUS RTU network consists of one master, such as a PLC or DCS, and up to
247 slave devices connected in a multi-drop configuration

Slave devices on MODBUS networks cannot initiate communication; they can only respond. In
other words, they speak only when spoken to. Some manufacturers are developing hybrid
devices that act as MODBUS slaves, but also have write capability, thus making them pseudo-
Masters at times.
The three most common MODBUS versions used today are:
1. MODBUS ASCII
2. MODBUS RTU
3. MODBUS/TCP
All MODBUS messages are sent in the same format. The only difference among the three
MODBUS types is in how the messages are coded.
In MODBUS ASCII, all messages are coded in hexadecimal, using 4-bit ASCII characters. For
every byte of information, two communication bytes are needed, twice as many as with
MODBUS RTU or MODBUS/TCP. Therefore, MODBUS ASCII is the slowest of the three
protocols, but is suitable when telephone modem or radio (RF) links are used. This is because
ASCII uses characters to delimit a message. Because of this delimiting of the message, any
delays in the transmission medium will not cause the message to be misinterpreted by the
receiving device. This can be important when dealing with
slow modems, cell phones, noisy connections, or other difficult transmission mediums.
In MODBUS RTU, data is coded in binary, and requires only one communication byte per data
byte. This is ideal for use over RS232 or multi-drop RS485 networks, at speeds from 1,200 to
115Kbaud. The most common speeds are 9,600 and 19,200 baud. MODBUS RTU is the most
widely used industrial protocol, so most of this paper will focus on MODBUS RTU basics and
application considerations.
MODBUS/TCP is simply MODBUS over Ethernet. Instead of using device addresses to
communicate with slave devices, IP addresses are used. With MODBUS/TCP, the MODBUS
data is simply encapsulated inside a TCP/IP packet. Hence, any Ethernet network that supports
TCP/IP should immediately support MODBUS/TCP.
More details regarding this version of MODBUS will be covered in a later section entitled
MODBUS Over Ethernet.
To be continued
Resource: Using MODBUS for Process Control and Automation Moore Industries

Using MODBUS for Process Control and
Automation (2)

The Schneider Electric Modicon Quantum is a versatile PLC


Continued from first part of article Using MODBUS for Process Control and Automation (1)
MODBUS RTU Basics
To communicate with a slave device, the master sends a message containing:
Device Address
Function Code
Data
Error Check
The Device Address is a number from 0 to 247. Messages sent to address 0 (broadcast messages)
can be accepted by all slaves, but numbers 1-247 are addresses of specific devices. With the
exception of broadcast messages, a slave device always responds to a MODBUS message so the
master knows the message was received.

Figure 2 Function Codes
Command Function Code
01 Read Coils
02 Read Discrete Inputs
03 Read Holding Registers
04 Read Input Registers
05 Write Single Coil
06 Write Single Register
07 Read Exception Status
08 Diagnostics
.

xx Up to 255 function codes, depending on the device
The Function Code defines the command that the slave device is to execute, such as read data,
accept data, report status, etc. (Figure 2). Function codes are 1 to 255. Some function codes have
sub-function codes.
The Data defines addresses in the devices memory map for read functions, contains data values
to be written into the devices memory, or contains other information needed to carry out the
function requested. The Error Check is a 16-bit numeric value representing the Cyclic
Redundancy Check (CRC). The CRC is generated by the master (via a complex procedure
involving ORing and shifting data) and checked by the receiving device. If the CRC values do
not match, the device asks for a retransmission of the message. In some systems, a parity check
can also be applied.
When the slave device performs the requested function, it sends a message back to the master.
The returning message contains the slaves address and requested function code (so the master
knows who is responding), the data requested, and an Error Check value.

MODBUS Memory Map
Each MODBUS device has memory, where process variable data is stored. The MODBUS
specification dictates how data is retrieved and what type of data can be retrieved. However, it
does not place a limitation on how and where the device vendor maps this data in its memory
map.
Below would be a common example of how a vendor might logically map different types of
process variable data. Discrete inputs and coils are one-bit values, and each has a specific
address. Analog inputs (also called Input Registers) are stored in 16-bit registers. By utilizing
two of these registers MODBUS can support the IEEE 32-bit floating point format. Holding
Registers are also 16-bit internal registers that can support floating point.
Figure 3
The literature or operation manuals of most MODBUS compatible devices, such as this TMZ
Temperature Transmitter from Moore Industries, publish the addresses of key variables in the
MODBUS Memory Map. The TMZs addresses conform to the MODBUS spec.
Table Addresses Type Table Name
1-9999 Read or Write Coils
10001-19999 Read Only Discrete Inputs
30001-39999 Read Only Input Registers
40001-49999 Read or Write Holding Registers
Data in the memory map is defined in the MODBUS specification. Assuming that the device
vendor followed the MODBUS specification (not all do), all data can easily be accessed by the
MODBUS master, which follows the specification. In many cases, the device vendor publishes
the memory locations (Figure 3), making it easy for the person programming the master to
communicate with the slave device.

Reading and Writing Data
MODBUS has up to 255 function codes, but 01 (read coils), 02 (read discrete inputs), 03 (read
holding registers) and 04 (read input registers) are the most commonly used read functions that
are used to collect data from MODBUS slaves. For example, to read three 16-bit words of analog
data from device 5s memory map, the master sends a command that looks something like this:
5 04 2 3 CRC
Where 5 is the device address, 04 says to read input registers, 2 is the starting address (address
30,002), 3 means to read three contiguous data values starting at address 30,002, and CRC is the
error check value for this message.
The slave device, upon receiving this command, sends back a response that looks something like
this:
5 04 aa bb cc CRC
Where 5 is the devices address; 04 is the repeated read command; aa, bb and cc are the three 16-
bit data values; and CRC is the error check value for this message.
Reading and writing digital inputs and outputs is done in a similar manner using different read
and write functions.
Assuming that the device follows the MODBUS specification, it is a simple programming task to
set up the master to read and write data, check status, obtain diagnostic information and perform
various control and monitoring functions.

Connecting MODBUS Devices
One of the easiest ways to bring field devices into a process control system, PLC or industrial
computer is to simply connect digital and analog I/O into a distributed I/O system that has
MODBUS communication capability.
For example, the NCS (NET Concentrator System) from Moore Industries allows a user to
connect analog and digital signals remotely, which can then be connected to a MODBUS master
via twisted pair cable.
Multiple NCS systems can be installed in several locations throughout the plant, all linked by
MODBUS (Figure 4).

Figure 4 - Home Run Wiring vs MODBUS

Figure 4 In most plants, field instruments connect to the control system with individual home
run twisted pairs (below). When the instruments are wired into a distributed I/O system, such as the
NCS from Moore Industries (center), more devices can be added, but only a single twisted pair is needed
to transmit all the data to the MODBUS master. Multiple NCS systems can be networked (bottom) over
the same MODBUS network, so the entire plant can be converted from home run wiring to MODBUS.
This solution works for both new and existing plants. In many existing plants, field instruments
typically connect to the DCS or PLC via home run wiring, where each device is connected
with individual twisted pairs that carry analog signals. With the NCS, one of those twisted pairs
can be used for the MODBUS signal. This is particularly useful if the plant wants to add
additional field instruments, but does not want to run more wiring (at an installed cost of $100
per foot). A distributed I/O system can accommodate all of the existing I/O, or it can be used just
to send data from all the new field instruments.
In some cases, the control system is not able to deal with a MODBUS signal. It may be that the
legacy control system is accustomed to dealing with 4-20mA analog I/O and directly wired
digital I/O, and reprogramming the old system to accommodate MODBUS data would be
difficult. Often, users would like to add new remote signals to their system without having to run
wire or buy expensive MODBUS interface cards that require extensive re-programming. In that
case, a peer-to-peer solution works best.
For example, the CCS (Cable Concentrator System) and the NCS (NET Concentrator System)
from Moore Industries both have peer-to-peer communication abilities. The NCS and CCS are
similar to a distributed I/O module, but have more built-in intelligence and can be set up in either
a peer-to-peer or peer-to-host configuration.

Figure 5 - Peer-to-Peer Wiring
Figure 5 - In some cases, the control system is not able to deal with a MODBUS signal. In that
case, a peer-to peer solution with two NCS systems simply replaces all the home run wiring with
a single MODBUS cable. Analog outputs from the control room NCS are then wired directly into
the host systems I/O card.
With a peer-to-peer NCS system (Figure 5), two concentrators are used: one in the field and one
in the control room. Field instruments connect to the remote NCS, which connects to the control
room NCS via a single twisted pair wire. Then, outputs from the control room NCS are wired
into the control systems existing analog I/O panel. In this way, the analog signals from the new
field transmitters can be seen in their original analog state through the plants existing analog I/O
cards. This makes programming and commissioning of the new signals less difficult than
programming new digital interface cards.
These peer-to-peer solutions can also accommodate bi-directional communication in which both
sides of the system can have inputs and outputs.
To be continued
Resource: Using MODBUS for Process Control and Automation Moore Industries

Why do we find electric motor drive very
important?

Altivar 61 plus Enclosed drive solution (Schneider Electric) - Designed for harsh environmental
conditions and meets the most common power monitoring and active-energy reduction needs
facing industries including; controlled torque, dynamic braking, quick start-up and power
regeneration.
Electric Motors
Electric motors impact almost every aspect of modern living. Refrigerators, vacuum cleaners, air
conditioners, fans, computer hard drives, automatic car windows, and multitudes of other
appliances and devices all use electric motors to convert electrical energy into useful mechanical
energy. In addition to running the common place appliances that we use every day, electric
motors are also responsible for a very large portion of industrial processes.
Electric motors are used at some point in the manufacturing process of nearly every
conceivable product that is produced in modern factories.
Because of the nearly unlimited number of applications for electric motors, it is not hard to
imagine that there are over 700 million motors of various sizes in operation across the world.
This enormous number of motors and motor drives has a significant impact on the world because
of the amount of power they consume.
The systems that controlled electric motors in the past suffered from very poor performance and
were very inefficient and expensive. In recent decades, the demand for greater performance and
precision in electric motors, combined with the development of better solid-state electronics and
cheap microprocessors has led to the creation of modern ASDs.
An ASD is a system that includes an electric motor as well as the system that drives and
controls it.
Any adjustable speed drive can be viewed as five separate parts: the power supply, the power electronic
converter, the electric motor, the
controller, and the mechanical load.
The power supply is the source of electric energy for the system. The power supply can provide
electric energy in the form of AC or DC at any voltage level. The power electronic converter
provides the interface between the power supply and the motor. Because of this interface, nearly
any type of power supply can be used with nearly any type of electric motor.
The controller is the circuit responsible for controlling the motor output. This is accomplished by
manipulating the operation of the power electronic converter to adjust the frequency, voltage, or
current sent to the motor. The controller can be relatively simple or as complex as a
microprocessor.
Should you replace old motor drive?
The electric motor is usually, but not always, a DC motor or an AC induction motor. The
mechanical load is the mechanical system that requires the energy from the motor drive. The
mechanical load can be the blades of a fan, the compressor of an air conditioner, the rollers in a
conveyor belt, or nearly anything that can be driven by the cyclical motion of a rotating shaft.
Electric motor drive technology is constantly evolving and expanding to new applications.
More advanced electric motor drives are now replacing older motor drives to gain better
performance, efficiency, and precision. Advanced electric motor drives are capable of better
precision because they use more sophisticated microprocessor or DSP controllers to monitor and
regulate motor output. They also offer better efficiency by using more efficient converter
topologies and more efficient electric motors.
The more advanced drives of today also offer a performance boost by utilizing superior
switching schemes to provide more output power while using lighter motors and more compact
electronics.

Using VLT AQUA Drive in submersible
pump application

Using VLT AQUA Drive in submersible pump application

The system consists of a submersible pump controlled by a Danfoss VLT AQUA Drive and a
pressure transmitter.
The transmitter gives a 4-20 mA feedback signal to the VLT AQUA Drive, which keeps a
constant pressure by controlling the speed of the pump. To design a drive for a submersible
pump application, there are a few important issues to take into consideration.
Top
Therefore the drive used must be chosen according to motor current.
1
The motor is a so called Can motor with a stainless steel can between the rotor and stator.
There is a larger and a more magnetic resistant air-gap than on a norma l motor hence a weaker
field which results in the motors being designed with a higher rated current than a norm motor
with similar rated power.
2
The pump contains thrust bearings which will be damaged when running below minimum speed
which
normally will be 30 Hz.
3
The motor reactance is nonlinear in submersible pump motors and therefore Automatic Motor
Adaption (AMA) may not be possible. However, normally submersible pumps are operat ed with
very long motor cables that might eliminate the nonlinear motor reactance and en able the drive
to perform AMA.
If AMA fails, the motor data can be set from parameter group 1-3* (see motor datasheet). Be
aware that if AMA has succeeded the drive will compensate for voltage drop in the long motor
cables, so if the Advanced motor data are set manually, the length of the motor cable must be
taken into considerations to optimize system performance.
4
It is important that the system is operated with a minimum of wear and tear of the pump and
motor.
A Danfoss Sine-Wave filter can lower the motor insulati on stress and increase lifetime (check
actual motor insulation and VLT AQUA Drive du/dt specification). It is recommended to use a
filter to reduce the need for service.
5
EMC performance can be difficult to achieve due to the fact that the special pump cable which is
able to withstand the wet conditions in the well normally is unscreened.
A solution could be to use a screened cable above the well and fix the screen to the well pipe if it
is made of steel (can also be made of plastic). A Sine-Wave filter will also reduce the EMI from
unscreened motor cables.

Unique bearing systems, application

The special can motor is used due to the wet installation conditions. The drive needs to be
designed for the system according to output current to be able to run the motor at nominal power.
To prevent damage to the thrust bearings of the pump, it is important to ra mp the pump from
stop to min. speed as quick as possible. Well-known manufacturers of submersible pumps
recommend that the pump is ramped to min. speed (30 Hz) in max. 2 -3 seconds. The new VLT
AQUA Drive is designed with Initial and Final Ramp for these applications.
The Initial and Final ramps are 2 individu al ramps, where Initial Ramp , if enabled, will ramp
the motor from stop to min. speed and automatically switch to normal ramp, when min. speed is
reached. Final ramp will do the opposite from min. speed to stop in a stop situation.

VLT AQUA Drive - Wiring Diagram And Data

Pipe-Fill mode can be enabled to pr event water hammering. The Danfoss VLT AQUA Drive is
capable of filling vertical pipes using the PID controller to slowly ramp up the pressure with a
user specified rate (units/sec). If enabled the drive will, when it reaches min. speed after startup,
enter pipe fill mode.
The pressure will slowly be ramped up until it reaches a user spec ified Filled Set Point, where
after the drive automatically disables Pipe Fill Mode and continues in normal closed loop
operation. This feature is designed for irrigation applications.

Pipe-Fill mode can be enabled to prevent water hammering

Some of the benefits of using VLT AQUA Drive:
Reduces harmonic disturbace with inbuilt DC coils
Proper operation with proper EMC up to 150m screened cable, or 300m unscreened cable
Installation almost everywhere with IP20/21/55 and 66 enclosures
Operation in high ambient temp, up to 50C
operation in wet and polluted areas with coating option to level 3C3 acc. to IEC60721-3 for
operation in wet and polluted areas
Includes PTC thermistor input
Protection against water hammering
Thrust bearings protected wi th initial and final ramp
Run dry protection, to prevent the pump fr om being damaged in case of no water
End of curve, to stop the pump in case of a large leakage, reduces the water loss
Sleep mode to stop the drive, when ther e is no flow in order to save energy
More details of VLT AQUA Drive, on technical literature page.

Ladder Diagrams And The PLC

PLCs hardwired in panelboard (Curtesy of Richmond Engineering Works)

The ladder diagram has and continues to be the traditional way of representing electrical
sequences of operations. These diagrams represent the interconnection of field devices in such a
way that the activation, or turning ON, of one device will turn ON another device according to a
predetermined sequence of events.
Figure 1 illustrates a simple electrical ladder diagram.

Figure 1 - Simple electrical ladder diagram

The original ladder diagrams were established to represent hardwired logic circuits used to
control machines or equipment. Due to wide industry use, they became a standard way of
communicating control information from the designers to the users of equipment. As
programmable controllers were introduced, this type of circuit representation was also
desirable because it was easy to use and interpret and was widely accepted in industry.
Programmable controllers can implement all of the old ladder diagram conditions and much
more. Their purpose is to perform these control operations in a more reliable manner at a lower
cost. A PLC implements, in its CPU, all of the old hardwired interconnections using its software
instructions. This is accomplished using familiar ladder diagrams in a manner that is transparent
to the engineer or programmer. Knowledge of PLC operation, scanning, and instruction
programming is vital to the proper implementation of a control system.
Figure 2 illustrates the PLC transformation of the simple diagram shown in Figure 1 to a PLC
format. Note that the real I/O field devices are connected to input and output interfaces, while
the ladder program is implemented in a manner, similar to hardwiring, inside the programmable
controller (i.e., softwired inside the PLCs CPU instead of hardwired in a panel).
As previously mentioned, the CPU reads the status of inputs, energizes the corresponding circuit
element according to the program, and controls a real output device via the output interfaces.

Figure 2 - PLC implementation of Figure 1

As you will see later, each instruction is represented inside the PLC by a reference address, an
alphanumeric value by which each device is known in the PLC program. For example, the push
button PB1 is represented inside the PLC by the name PB1 (indicated on top of the instruction
symbol) and likewise for the other devices shown in Figure 2.
These instructions are represented here, for simplicity, with the same device and instruction
names. Example 1-1 illustrates the similarity in operation between hardwired and PLC circuits.
Top
Example 1
In the hardwired circuit shown in Figure 1, the pilot light PL will turn ON if the limit switch
LS1 closes and if either push button PB1 or limit switch LS2 closes. In the PLC circuit, the same
series of events will cause the pilot lightconnected to an output moduleto turn ON.
Note that in the PLC circuit in Figure 2, the internal representation of contacts provides the
equivalent power logic as a hardwired circuit when the referenced input field device closes or is
pushed. Sketch hardwired and PLC implementation diagrams for the circuit in Figure 1
illustrating the configurations of inputs that will turn PL ON.
Solution
Figure 3 shows several possible configurations for the circuit in Figure 1. The highlighted blue
lines indicate that power is present at that connection point, which is also the way a
programming or monitoring device represents power in a PLC circuit.
The last two configurations in Figure 3 are the only ones that will turn PL ON.

Figure 3 - Possible configurations of inputs and corresponding outputs
SOURCE: Programmable Controllers Theory and Implementation by L. A. Bryan

PROFIBUS at a Glance

PROFIBUS is an open, digital communication system with a wide range of applications,
particularly in the fields of factory and process automation.
PROFIBUS is suitable for both fast, time-critical applications and complex communication
tasks. PROFIBUS communication is anchored in the international standards IEC 61158 and IEC
61784. The application and engineering aspects are specified in the generally available
guidelines of the PROFIBUS User Organization.
.
This fulfills user demand for manufacturer independence and openness and ensures
communication between devices of various manufacturers.
The history of PROFIBUS goes back to a association venture project supported by the public
authorities, which began in 1987 in Germany. Within the framework of this venture, 21
companies and institutes joined forces and created a strategic fieldbus project. The goal was the
realization and establishment of a bit-serial fieldbus, the basic requirement of which was the
standardization of the field device interface.
For this purpose, the relevant member companies of the ZVEI (Central Association for the
Electrical Industry) agreed to support a mutual technical concept for factory and process
automation.

Technical system structure PROFIBUS

A first step saw the specification of the complex communications protocol PROFIBUS FMS
(Fieldbus Message Specification), which was tailored to demanding communication tasks. A
further step in 1993 saw completion of the specification for the more simply configured and
faster PROFIBUS DP protocol (Decentralized Periphery).
This protocol is now available in three functionally scaleable versions DPV0, DP-V1 and DP-
V2.
Top
Market Position
Building on these two communications protocols, coupled with the development of numerous
application- oriented profiles and a fast growing number of devices, PROFIBUS began ist
advance, initially in factory automation and, since 1995, in process automation.
Today, PROFIBUS is the fieldbus world market leader with more than a 20% share of the
market, approx. 500,000 equipped applications and more than 5 million nodes. Today, there are
more than 2000 PROFIBUS products available from a wide range of manufacturers.
Top
Organization
The success of PROFIBUS stems in equal measures from its progressive technology and the
success of its non-commercial PROFIBUS User Organisation e.V. (PNO), the trade body of
manufacturers and users founded in 1989.
Together with the 22 other regional PROFIBUS associations in countries around the world, and
the international umbrella organization PROFIBUS International (PI) founded in 1995, this
organization now boasts more than 1,100 members worldwide. Objectives are the continuous
further development of PROFIBUS technology and increased acceptance worldwide. As well as
sponsoring the wide range development of technology and its acceptance, PI also undertakes
additional tasks for the worldwide support of members (users and manufacturer) with advice,
information and procedures for quality assurance as well as the standardization of technology in
international standards. PI forms the largest fieldbus user association in the world.
This represents future opportunities and responsibility in equal measure, opportunity to continue
creating and establishing leading technologies that are useful to users and responsibility for those
at the head of these user associations to be unwavering in their endeavors to target openness and
investment protection for PROFIBUS in the future.
SOURCE: PROFIBUS Technology and Application (Profi Bus)

When we started to use PLCs after all?

Allen Bradley PLCs

Modular Digital Controller (MODICON)
PLCs (Programmable Logic Controllers) were first introduced in the 1960s.
The primary reason for designing such a device was eliminating the large cost involved in
replacing the complicated relay based machine control systems. Bedford Associates (Bedford,
MA) proposed something called a Modular Digital Controller (MODI CON) to a major US car
manufacturer.
The MODICON 084 brought the worlds first PLC into commercial production.
When production requirements changed so did the control system. This becomes very expensive
when the change is frequent. Since relays are mechanical devices they also have a limited
lifetime because of the multitude of moving parts. This also required strict adhesion to
maintenance schedules.
Troubleshooting was also quite tedious when so many relays are involved. Now picture a
machine control panel that included many, possibly hundreds or thousands, of individual relays.
The size could be mind boggling not to mention the complicated initial wiring of so many
individual devices.
These relays would be individually wired together in a manner that would yield the desired
outcome. The problems for maintenance and installation were horrendous. These new
controllers also had to be easily programmed by maintenance and plant engineers.
The lifetime had to be long and programming changes easily performed.

Allen Bradley - Modicon 084

They also had to survive the harsh industrial environment. The answers were to use a
programming technique most people were already familiar with and replace mechanical parts
with solid-state ones which have no moving parts.
Communications abilities began to appear in approximately 1973. The first such system was Modicons
Modbus. The PLC could now talk to other PLCs and they could be far away from the actual machine they
were controlling.
They could also now be used to send and receive varying voltages to allow them to use analog
signals, meaning that they were now applicable to many more control systems in the world.
Unfortunately, the lack of standardization coupled with continually changing technology has
made PLC communications a nightmare of incompatible protocols and physical networks.
The 1980s saw an attempt to standardize communications with General Motors manufacturing
automation protocol (MAP). It was also a time for reducing the size of the PLC and making them
software programmable through symbolic programming on personal computers instead of
dedicated programming terminals or handheld
programmers.
The 1990s saw a gradual reduction in the introduction of new protocols, and the modernization
of the physical layers of some of the more popular protocols that survived the 1980s. PLCs can
now be programmable in function block diagrams, instruction lists, C and structured text all at
the same time. PCs are also being used to replace PLCs in some applications.
The original company who commissioned the MODICON 084 has now switched to a PC
based control system.
PLC Training Introduction to PLC Ladder Logic (VIDEO)
Cant see this video? Click here to watch it on Youtube.


GIS control system

For ease of operation and convenience in wiring the GIS back to the substation control room, a
local control cabinet (LCC) is provided for each circuit breaker position (Figure 1). The control
and power wires for all the operating mechanisms, auxiliary switches, alarms, heaters, CTs, and
VTs are brought from the GIS equipment modules to the LCC using shielded multiconductor
control cables.
In addition to providing terminals for all the GIS wiring, the LCC has a mimic diagram of the
part of the GIS being controlled. Associated with the mimic diagram are control switches and
position indicators for the circuit breaker and switches. Annunciation of alarms is also usually
provided in the LCC. Electrical interlocking and some other control functions can be
conveniently implemented in the LCC.
Although the LCC is an extra expense, with no equivalent in the typical AIS, it is so well
established and popular that attempts to eliminate it to reduce cost have not succeeded. The LCC
does have the advantage of providing a very clear division of responsibility between the GIS
manufacturer and user in terms of scope of equipment supply.
Switching and circuit breaker operation in a GIS produces internal surge voltages with a very
fast rise time on the order of nanoseconds and a peak voltage level of about 2 per unit. These
very fast transient overvoltages are not a problem inside the GIS because the duration of this
type of surge voltage is very short much shorter than the lightning impulse voltage.
However, a portion of the VFTO will emerge from the inside of the GIS at any place where there
is a discontinuity of the metal enclosure for example, at insulating enclosure joints for external
CTs or at the SF6-to-air bushings.
The resulting transient ground rise voltage on the outside of the enclosure may cause some
small sparks across the insulating enclosure joint or to adjacent grounded parts.
These may alarm nearby personnel but are not harmful to a person because the energy content is
very low. However, if these VFT voltages enter the control wires, they could cause faulty
operation of control devices. Solid-state controls can be particularly affected. The solution is
thorough shielding and grounding of the control wires.
For this reason, in a GIS, the control cable shield should be grounded at both the equipment and
the LCC ends using either coaxial ground bushings or short connections to the cabinet walls at
the location where the control cable first enters the cabinet.

KNX automation makes buildings more
efficient

In light of climate change and increasingly scarce resources, the energy-efficient operation of
buildings is gaining in importance. Essential requirements for this are an energy-efficient
architectural design, an insulated building exterior and modern installation engineering with a
high level of efficiency. Ultimately, the consumption of energy for lighting, heating and cooling
depends on both the building use and user behaviour. These are indefinite factors for determining
the level of consumption which can scarcely be met using conventional methods.
However, with a dynamic management system, the energy usage can be optimally matched to
demand during operation. Building automation with KNX offers the best preconditions for this.
It ensures the economical use of energy and thus increases the energy efficiency of the building.
Bus devices regulate and control the generated heating and cooling capacity in line with demand.
Lighting installations are operated more efficiently using sensors and timer programs. The
integrated automation system spans all the trades and also enables links with daylight systems,
sun protection systems, ventilation flaps and other systems whereby further energy-saving
potentials can be exploited.
Intelligent capture of consumption data (Smart Metering) as well as coupling with intelligent
networks (Smart Grid) opens up new possibilities for further optimisation and increased energy
efficiency both today and in the future.
Top
Persuasive savings rates
Energy Savings with KNX:
- up to 40 % with KNX shading control
- up to 50 % with KNX individual room control
- up to 60 % with KNX lighting control
- up to 60 % with KNX ventilation control
Since the building system technology is available for the electrical installation, KNX functions
guarantee savings in energy costs for artificial lighting, heating, air conditioning and ventilation
systems as well as other loads. With the further development of the system which has already
been in existence for 20 years, the open- and closed-looped control systems have been refined
and thus increasingly better results are achieved.
Nowadays, the savings rates that have been achieved in practice are up to 60 percent and more
for the lighting while up to 50 percent is possible for individual room control as a practical study
shows. Of course these types of comparisons assume a connection to conventional methods. In
the case of renovations in which the building has been improved in terms of its energy efficiency
and the installation engineering has been modernised, the control technology contributes to the
efficiency gain by at least 5 to 20 percent.
As often occurs in practice, if optimisation of the energy consumption has only been carried out
some time after the initial occupation of the building and after experiencing day-to-day
operations, the concrete results are persuasive.
Top
Rapid amortisation
In the case of at least two projects, direct investment costs for optimising the energy flow are
amazingly low compared to the results. An amortisation was carried out immediately. This is
linked to the integrated approach and multiple use of the system. Building automation with KNX
offers all kinds of benefits: a flexible electrical installation for changes of use and extensions,
more efficiency in the management and maintenance of the building, increased security for
material assets and people, a higher level of comfort and well-being in the workplace, both in
public and residential buildings.
The management of energy savings is therefore only one of these. The total investment costs are
thus spread across many benefits. Once the installations and functions have been integrated,
further reductions in the energy consumption can often be achieved simply through
programming, without the need for additional hardware and installations.
In the projects that have been put forward, almost all of them feature possible savings measures
with KNX which often simultaneously serve comfort, safety and economical operational flow.
Top
Switching off and dimming
Saving energy means switching the light off when you dont need it. This sounds so simple but it
is rarely achieved in practice in more extensive buildings with large numbers of people coming
and going.
In office buildings, schools, factories, warehouses, hotels, car parks and many other buildings,
artificial lighting is left switched on for many reasons. In the case of building automation with
KNX, the duty cycle can for example be adapted to the actual lighting requirement with the help
of a timer program. This measure alone can achieve high savings which can be further optimised
depending on the room use and building type, for example through using daylight and automatic
cutoff when there is sufficient external brightness. A further enhancement of the automation is
constant lighting control which guarantees a comfortable lux value at the workplace through
optimum use of daylight.
Presence-dependent and thus accurate demand-based control systems are increasingly being
applied ideal for staircases, corridors or other spontaneously used areas of the building. Lights
with presence detectors can also be operated with increased energy efficiency in offices, schools
etc. They then become elements of the room automation, are integrated with the blinds, room
temperature control and ventilation and thus offer multiple benefits.
Top
Regulating the heating and cooling
Electronic individual room temperature control promises a clear saving potential. It is therefore
the most efficient method of using the heating and cooling energy generated via the heating
system or air conditioning system. Demand-based energy use can be achieved via a timer
program with a temperature profile or even via the presence signal.
As the temperature variables of all the rooms are available centrally throughout the KNX system,
heating and cooling energy can be generated according to demand and with a high level of
efficiency.
In modern, purpose-built buildings with glass facades, fully-automatic sun protection systems are
indispensable. Their primary tasks are shading and cooling to ensure the well-being of the people
in the building. As these are likewise controlled with KNX, additional functions for improving
the energy efficiency are provided in combination with room temperature control and lighting
control.
For example: daylight redirection, use of solar energy in winter and automatic night cooling in
the summer.
SOURCE: KNX Journal 2011 (http://bit.ly/f83pcJ)

Information flow in the human-machine
interface

Operators play an important part in the human-machine dialogue.They must use the information
they have to perform actions that make the machines and installations run properly without
endangering safety and availability. It is therefore crucial that the interfaces and dialogue
functions are designed to ensure that operations can be performed reliably in all circumstances.
A human-machine interface uses two information flows in two directions:
Machine >Human and Human >Machine

These flows are independent yet linked.
Independent
Because their content can be on different levels. The levels are defined by the designer of the
automation system according to the requirements of the process and what the user wants, such
as discrete signals from the operator to the machine, alphanumerical or animated diagram
messages from the machine to the operator.
Top
Linked
Because the automation system interprets an operator action on a control interface as a
specifically defined action and, in return, emits information that depends on whether the action
was properly performed or not.
The operator can either act by his own decision (stop production, modify data, etc.) or in
response to a message from the machine (alarm, end of cycle, etc.).
Top
Role of the operator
The operating interface includes all the functions required for controlling and supervising the
operation of a machine or installation. Depending on the requirements and complexity of the
process, the operator may have to perform.
Regular process run tasks
stop and start the process; both steps may include start and stop procedures that are automatic
or manual or semi-automatic and controlled by the operator;
operate the controls and make the adjustments required for regular process run and monitor its
progress.
Tasks to deal with unexpected events
detect abnormal situations and undertake corrective action before the situation disturbs the
process further (e.g. for early warning of motor overload, restoring normal load conditions
before the overload relay trips);
deal with system failure by stopping production or implementing downgraded operation using
manual controls instead of automatic ones to keep production running;
ensure safety of people and property by operating safety devices if necessary.
The scope of these tasks shows how important the operators role is. Depending on the
information he has, he may have to take decisions and perform actions that fall outside the
framework of the regular procedures and directly influence the safety and availability of the
installation.
This means the dialogue system should not be confined to mere exchange of information
between human and machine but should be designed to facilitate the task of the operator and
ensure that the safety of the system in all circumstances.
SOURCE: Schneider Electric

Analog signals in measurement and control
of physical processes

ressure Transducer provides analog and digital output
Instrumentation
Instrumentation is a field of study and work centering on measurement and control of physical
processes. These physical processes include pressure, temperature, flow rate, and chemical
consistency. An instrument is a device that measures and/or acts to control any kind of physical
process.
Due to the fact that electrical quantities of voltage and current are easy to measure, manipulate,
and transmit over long distances, they are widely used to represent such physical variables and
transmit the information to remote locations.
A signal is any kind of physical quantity that conveys information. Audible speech is certainly a
kind of signal, as it conveys the thoughts (information) of one person to another through the
physical medium of sound. Hand gestures are signals, too, conveying information by means of
light.
This text is another kind of signal, interpreted by your English-trained mind as information about
electric circuits. In this article, the word signal will be used primarily in reference to an electrical
quantity of voltage or current that is used to represent or signify some other physical quantity.
An analog signal is a kind of signal that is continuously variable, as opposed to having a limited
number of steps along its range (called digital). A well-known example of analog vs. digital is
that of clocks: analog being the type with pointers that slowly rotate around a circular scale, and
digital being the type with decimal number displays or a second-hand that jerks rather than
smoothly rotates. The analog clock has no physical limit to how finely it can display the time, as
its hands move in a smooth, pauseless fashion.
The digital clock, on the other hand, cannot convey any unit of time smaller than what its display
will allow for. The type of clock with a second-hand that jerks in 1-second intervals is a
digital device with a minimum resolution of one second.
Both analog and digital signals find application in modern electronics. For now, we will limit the scope of
this discussion to analog signals, since the systems using them tend to be of simpler design.
With many physical quantities, especially electrical, analog variability is easy to come by. If
such a physical quantity is used as a signal medium, it will be able to represent variations of
information with almost unlimited resolution.
In the early days of industrial instrumentation, compressed air was used as a signaling medium to
convey information from measuring instruments to indicating and controlling devices located
remotely. The amount of air pressure corresponded to the magnitude of whatever variable was
being measured. Clean, dry air at approximately 20 pounds per square inch (PSI) was supplied
from an air compressor through tubing to the measuring instrument and was then regulated by
that instrument according to the quantity being measured to produce a corresponding output
signal.
For example, a pneumatic (air signal) level transmitter device set up to measure height of
water (the process variable) in a storage tank would output a low air pressure when the tank
was empty, a medium pressure when the tank was partially full, and a high pressure when the
tank was completely full.

Pneumatic (air signal) level transmitter device

The water level indicator (LI) is nothing more than a pressure gauge measuring the air pressure in the
pneumatic signal line.
This air pressure, being a signal, is in turn a representation of the water level in the tank. Any
variation of level in the tank can be represented by an appropriate variation in the pressure of the
pneumatic signal. Aside from certain practical limits imposed by the mechanics of air pressure
devices, this pneumatic signal is infinitely variable, able to represent any degree of change in the
waters level, and is therefore analog in the truest sense of the word.
Crude as it may appear, this kind of pneumatic signaling system formed the backbone of many
industrial measurement and control systems around the world, and still sees use today due to its
simplicity, safety, and reliability. Air pressure signals are easily transmitted through inexpensive
tubes, easily measured (with mechanical pressure gauges), and are easily manipulated by
mechanical devices using bellows, diaphragms, valves, and other pneumatic devices.
Air pressure signals are not only useful for measuring physical processes, but for controlling
them as well. With a large enough piston or diaphragm, a small air pressure signal can be used to
generate a large mechanical force, which can be used to move a valve or other controlling
device.
Complete automatic control systems have been made using air pressure as the signal medium. They are
simple, reliable, and relatively easy to understand. However, the practical limits for air pressure signal
accuracy can be too limiting in some cases, especially when the compressed air is not clean and dry, and
when the possibility for tubing leaks exist.
With the advent of solid-state electronic amplifiers and other technological advances, electrical
quantities of voltage and current became practical for use as analog instrument signaling media.
Instead of using pneumatic pressure signals to relay information about the fullness of a water
storage tank, electrical signals could relay that same information over thin wires (instead of
tubing) and not require the support of such expensive equipment as air compressors to operate:

Pneumatic pressure signals using electrical signals to relay same information over thin wires

Analog electronic signals are still the primary kinds of signals used in the instrumentation world
today (January of 2001), but it is giving way to digital modes of communication in many
applications (more on that subject later). Despite changes in technology, it is always good to
have a thorough understanding of fundamental principles, so the following information will
never really become obsolete.
One important concept applied in many analog instrumentation signal systems is that of live zero, a
standard way of scaling a signal so that an indication of 0 percent can be discriminated from the status
of a dead system.
Take the pneumatic signal system as an example:
Advertisement
If the signal pressure range for transmitter and indicator was designed to be 0 to 12 PSI, with 0
PSI representing 0 percent of process measurement and 12 PSI representing 100 percent, a
received signal of 0 percent could be a legitimate reading of 0 percent measurement or it could
mean that the system was malfunctioning (air compressor stopped, tubing broken, transmitter
malfunctioning, etc.). With the 0 percent point represented by 0 PSI, there would be no easy way
to distinguish one from the other.
If, however, we were to scale the instruments (transmitter and indicator) to use a scale of 3 to 15
PSI, with 3 PSI representing 0 percent and 15 PSI representing 100 percent, any kind of a
malfunction resulting in zero air pressure at the indicator would generate a reading of -25 percent
(0 PSI), which is clearly a faulty value. The person looking at the indicator would then be able to
immediately tell that something was wrong.
Not all signal standards have been set up with live zero baselines, but the more robust signals
standards (3-15 PSI, 4-20 mA) have, and for good reason.
Conclusions:
A signal is any kind of detectable quantity used to communicate information.
An analog signal is a signal that can be continuously, or infinitely, varied to represent any small
amount of change.
Pneumatic, or air pressure, signals used to be used predominately in industrial
instrumentation signal systems. This has been largely superseded by analog electrical
signals such as voltage and current.
A live zero refers to an analog signal scale using a non-zero quantity to represent 0 percent of
real-world measurement, so that any system malfunction resulting in a natural rest state of
zero signal pressure, voltage, or current can be immediately recognized.
Resource: Lessons in Electric Circuits Volume I DC

How Stuxnet (PLC virus) spreads Part 1

The Stuxnet worm is a sophisticated piece of
computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC
WinCC and PCS 7 control systems. The worm used both known and previously unknown
vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-
practice security technologies and procedures.
Since its discovery, there has been extensive analysis of Stuxnets internal workings. What has
not been discussed is how the worm might have migrated from the outside world to supposedly
isolated and secure industrial control systems (ICS). Understanding the routes that a directed
worm takes as it targets an ICS is critical if these vulnerable pathways are to be closed for future
worms.
To help address this knowledge gap, this White Paper describes a hypothetical industrial site that
follows the high security architecture and best practices defined in vendor documents. It then
shows the ways that the Stuxnet worm could make its way through the defenses of the site to
take control of the process and cause physical damage.
It is important to note that the analysis presented in this paper is based on a security model that,
though it is accepted in industry as a best practice, is often not implemented in practice. System
architectures in the real world are typically much less secure than the one presented in this paper.
The paper closes with a discussion of what can be learned from the analysis of pathways in order
to prevent infection from future ICS worms. Key findings include the following:
A modern ICS or SCADA system is highly complex and interconnected, resulting in multiple
potential pathways from the outside world to the process controllers.
Assuming an air-gap between ICS and corporate networks is unrealistic, as information
exchanges are essential for process and business operations to function effectively.
All mechanisms for transfer of electronic information (in any form) to or from an ICS must to be
evaluated for security risk. Focusing security efforts on a few obvious pathways (such as USB
storage drives or the Enterprise/ICS firewall) is a flawed defense.
Industry must accept that the complete prevention of ICS infection is probably impossible and
that instead of complete prevention, industry must create a security architecture that can
respond to the full life cycle of a cyber breach.
Industry must address the containment of attacks when prevention fails and aggressively
segment control networks to limit the consequences of compromise. In particular, securing last-
line-of-defense critical systems, such as safety integrated systems (SIS), is essential.
Combining control and safety functionality in highly integrated ICS equipment exposes systems
to common-cause security failures. For critical systems, diversity is important.
Providing security by simply blocking or allowing entire classes of protocols between
manufacturing areas is no longer sufficient. Stuxnet highlights the need for the deep packet
inspection (DPI) of key SCADA and ICS protocols.
The Remote Procedure Call (RPC) protocol is an ideal vector for SCADA and ICS attacks because
it is used for so many legitimate purposes in modern control systems.
Industry should start to include security assessments and testing as part of the system
development and periodic maintenance processes in all ICS.
There is a need to improve the culture of industrial security among both management and
technical teams.
If the critical infrastructures of the world are to be safe and secure, then the owners and operators
need to recognize that their control systems are now the target of sophisticated attacks. Improved
defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next
worm may be too late.

Introduction
The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial
processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems. The worm
used both known and previously unknown vulnerabilities to spread, and was powerful enough to
evade state-of-the-practice security technologies and procedures.
Since the discovery of the Stuxnet worm in July 2010, there has been extensive analysis by
Symantec, ESET, Langner and others of the worms internal workings and the various
vulnerabilities it exploits. From the antivirus point of view, this makes perfect sense.
Understanding how the worm was designed helps antivirus product vendors make better malware
detection software. What has not been discussed in any depth is how the worm might have
migrated from the outside world to a supposedly isolated and secure industrial control system
(ICS).
To the owners and operators of industrial control systems, this matters. Other worms will follow in
Stuxnets footsteps and understanding the routes that a directed worm takes as it targets an ICS is
critical if these vulnerable pathways are to be closed. Only by understanding the full array of threats and
pathways into a SCADA or control network can critical processes be made truly secure.
It is easy to imagine a trivial scenario and a corresponding trivial solution:
Scenario:
Joe finds a USB flash drive in the parking lot and brings it into the control room where he plugs
it into the PLC programming station.
Solution:
Ban all USB flash drives in the control room.
While this may be a possibility, it is far more likely that Stuxnet travelled a circuitous path to its
final victim. Certainly, the designers of the worm expected it to they designed at least seven
different propagation techniques for Stuxnet to use. Thus, a more realistic analysis of penetration
and infection pathways is needed.
This White Paper is intended to address this gap by analyzing a range of potential infection
pathways in a typical ICS system. Some of these are obvious, but others less so. By shedding
light on the multitude of infection pathways, we hope that the designers and operators of
industrial facilities can take the appropriate steps to make control systems much more secure
from all threats.

Methodology
The first part of the analysis starts with an introduction to the Siemens SIMATIC PCS 7 product
line, since this was the target of the Stuxnet worm.
In the second part, we provide an overview of the worm and how it infects a system. We outline
how it spreads between computers as it attempts to locate its ultimate victim. Finally, we briefly
describe how the worm affects a control system using Siemens SIMATIC products.
In the third part of the paper, we propose a hypothetical high security site that is the target of
Stuxnet or the next generation of Stuxnet-like worms. The architecture used in the paper assumes
this fictitious site is following all the guidance provided in Siemens SIMATIC Security Concept
PCS 7 and WinCC Basic Document. From a security point of view, this assumption is
probably optimistic, as the gap between guidance and reality in the ICS world is often large.
However, it is a good model for two reasons it provides a conservative starting point and it
highlights that current best practices in ICS security might still have a way to go.
Part four proposes several ways Stuxnet could move from an infected computer of little
importance on the corporate network to deep inside the control system. We also look at how the
Peer-to-Peer (P2P) and Command and Control (CC) components of Stuxnet could be effective in
an otherwise isolated industrial plant.
Finally, we close with a brief analysis of what this means for the security of industrial control
systems in the longer term. In particular, we discuss how other non-Siemens systems should
consider the vulnerabilities exploited by Stuxnet on a Siemens architecture and prepare for
dealing for the next generation worm that could exploit other ICS platforms.
What is SIEMENS PCS 7 Industrial Control Systems A Primer
In order to understand the directed attack Stuxnet performed against Siemens ICS systems, a
brief overview of the Siemens SIMATIC PCS7 architecture is in order.
SIMATIC is a comprehensive term used by Siemens, which includes their complete portfolio of
industrial automation solutions ranging from machine vision to distributed I/0 systems and
programmable controllers. SIMATIC WinCC is a specialized process visualization system that
comprises the core Supervisory Control and Data Acquisition System (SCADA). It can be used
with Siemens-branded control equipment, such as the S7 line of programmable logic controllers
(PLC) or it can be used independently with other control products.

Figure 1: Some Products in the Siemens SIMATIC line. including PLC's. Operator Stations mut
Engineering Stations
The SIMATIC STEP 7 software environment is used specifically for the programming of the
Siemens S7 line of controllers. An integrated solution, composed of S7 PLCs, WinCC
visualization software, and STEP 7 configuration software, is then referred to as SIMATIC PCS
7. All computer software components run on Microsoft Windows operating systems, including
XP, Server 2003 and Windows 7.
In understanding the SIMATIC PCS 7 system, it is important to separate the functional
components that are called systems from their platform components that commonly carry
names like stations or servers.
The basis of the SIMATIC PCS 7 control system is divided into three functional components as
shown in Figure 2:
Operator System (OS)
Automation System (AS)
Engineering System (ES)

Figure 2: Core Functional Components of the Siemens SIMATIC PCS 7 Control System

The Operator System (OS) permits the secure interaction of the operator with the process under
control of PCS 7. Operators can monitor the manufacturing process using various visualization
techniques to monitor, analyze and manipulate data as necessary. The Operator System
architecture is highly flexible, but always consists of a client and server function, which may be
implemented on the same or separate physical platforms.
The Automation System (AS) is the name given to the class of programmable logic controllers
(PLC) used with PCS 7. This includes both the Microbox solution based on a software controller
running on a standard computer, and the S7-300 and S7-400 lines of hardware controllers.
The Engineering System (ES) consists of software that is responsible for configuring the
various PCS 7 system components. The ES is further broken down into the engineering software
required to configure either the Operator System (OS) or Automation System (AS), since the OS
requires different engineering software for configuration than the AS. The ES allows for
configuration and management of the following PCS components and functions:
Control system hardware including I/O and field devices
Communication networks
Automation functionality for continuous and batch processes (Application System engineering
via STEP 7 software)
HMI functionality (Operator System engineering via WinCC software)
Safety applications (Safety Integrated for Process Automation)
Diagnostics and asset management functionality
Batch processes, automated with SIMATIC BATCH
Material transport, controlled by SIMATIC Route Control
Cooperation with host CAD/CAE planning tools (import and export of process tags and example
solutions)
Since the ES functions are so broad, and cover such a wide range of tasks, Figure 3 below helps
clarify the individual components of the ES.

Figure 3: Components of the SIMATIC PCS 7 Engineering System
Advertisement
A few Siemens SIMATIC PCS 7 software or platform components that are important to note in
understanding this paper include the following:

SOURCE: How Stuxnet Spreads A Study of Infection Paths in Best Practice Systems by: Eric
Byres, P. Eng. ISA Fellow, Andrew Ginter, CISSP, Joel Langill, CEH, CPT, CCNA
(www.tofinosecurity.com www.abterra.ca www.scadahacker.com) Develop best practice
guidelines to certify the security and reliability of your infrastructure and information
assets[/fancy_box]

How Stuxnet (PLC virus) spreads Part 2
Continued from How Stuxnet (PLC virus) spreads Part 1 Read here
Stuxnet is a computer worm designed to infect Siemens SIMATIC WinCC and S7 PLC
products, either installed as part of a PCS 7 system, or operating on their own. It starts by taking
advantage of vulnerabilities in the Windows operating systems and Siemens products. Once it
detects a suitable victim, it modifies control logic in specific models of Siemens PLCs. The
objective appears to be to sabotage a specific industrial process using two vendors variable-
frequency drive controllers, along with a supervising safety system for the overall process. While
there has been much speculation on Stuxnets intended target, recent information suggests it was
Irans nuclear program and more specifically, its uranium enrichment process.
Stuxnet is capable of infecting both unsupported/legacy and current versions of Windows
including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows
Server 2008 and Windows 7. It also infects the Siemens STEP 7 project files in such a way that it
automatically executes when the STEP 7 project is loaded by an uninfected Siemens system.
How Does Stuxnet Spread?
Stuxnet is considered by many to be one of the most complex and well-engineered worms ever
seen. It took advantage of at least four zero-day vulnerabilities and showed considerable
sophistication in its exploitation of both the Windows platform and the Siemens systems. Some
of the important characteristics of the worm are:
It propagates slowly between sites, typically via USB flash drives and other removable media,
It propagates quickly within a site via multiple network pathways,
It searches for many vendors anti-virus technologies on machines being attacked and modifies
its behavior to avoid detection,
It contacts a command and control server on the Internet for instructions and updates,
It establishes a peer-to-peer network to propagate instructions and updates within a site, even
to equipment without direct Internet connectivity,
It modifies PLC programming logic, causing physical processes to malfunction,
It hides the modified PLC programs from control engineers and system administrators who are
trying to understand why their system has malfunctioned,
It is signed with certificates stolen from one of two major hardware manufacturers, so that no
warnings are raised when the worm is installed, and
If a particular machine is not the intended target, the worm removes itself from the machine
after it has replicated itself to other vulnerable media and machines.
The worm propagates using three completely different mechanisms:
1. Via infected Removable Drives (such as USB flash drives and external portable hard disks);
2. Via Local Area Network communications (such as shared network drives and print spooler
services), and
3. Via infected Siemens project files (including both WinCC and STEP 7 files).
Within these three, it uses seven different vulnerability exploitation techniques for spreading to
new computers in a system. The worm:
1. Exploits a zero-day vulnerability in Windows Shell handling of LNK files; a vulnerability present in
all versions of Windows since at least Windows NT 4.0,
2. Uses several techniques to try to copy itself to accessible network shares and spread from there
if at all possible,
3. Copies itself to printer servers using a zero-day vulnerability,
4. Uses an older Conficker RPC vulnerability to propagate through unpatched computers,
5. Contacts Siemens WinCC SQLServer database servers and installs itself on those servers via
database calls, and
6. Puts copies of itself into Siemens STEP 7 project files to auto-execute whenever the files are
loaded.
7. An earlier version of the worm used a variant of the old autorun.inf trick to propagate via USB
drives.
In addition to the propagation techniques described above, the worm used two zero-day
vulnerabilities to escalate privilege on targeted machines. This provided the worm with system
access privileges so it could copy itself into system processes on compromised machines.
What Does Stuxnet do to Control Systems?
When first installed on a computer with any STEP 7 software installed, Stuxnet attempts to
locate Siemens STEP 7 programming stations and infect these. If it succeeds, it replaces the
STEP 7 DLL routines on the programming stations, so that any person viewing a PLCs logic
would not see any changes Stuxnet later makes to the PLC. These actions occur on all computers
with STEP 7 software installed, irrespective of whether the compromised computers are
connected to PLCs.
Stuxnet then looks for specific models of Siemens PLCs (6ES7-315-2 and 6ES7-417). If it is
able to connect to one of these two models, it fingerprints the PLC by checking for the
existence of certain process configurations and strings in the PLC. If Stuxnet finds what it is
looking for in the PLC, it starts one of three sequences to inject different STEP 7 code
payloads into the PLC. The PLCs PROFIBUS driver is replaced and the main PLC program
block (Organizational Block 1) and the primary watchdog block (Organizational Block 35) are
significantly modified. As well, depending on which sequence is selected, between 17 and 32
additional function blocks and data blocks are injected into the PLC.
Two of Stuxnets injected payloads are designed to change the output frequencies of specific
Variable Frequency Drives (VFDs) and thus the speed of the motors connected to them,
essentially sabotaging an industrial process. A third payload appears to be designed to control the
overall safety system for the centrifuges.
This payload takes the inputs coming from the PLCs I/O modules and modifies them so that the
PLC safety logic uses incorrect information. The Stuxnet logic then tells the PLCs outputs to do
what it wants. This is possibly to prevent a safety system from alarming on or overriding the
changes the worm is making to the VFD operations.
The Target A High-Security Site
In this part of the analysis, we propose a hypothetical site that is the worms target. As noted
earlier, we assume this site is following all the guidance provided for high security sites in
Siemens Security Concept PCS 7 and WinCC Basic Document.
It is important to note that the Siemens recommendations for protecting control systems were
selected both because the Stuxnet worm specifically targeted Siemens PLCs and because the
Siemens recommendations are a good example of existing best-practice recommendations.
Nothing in this discussion is intended to imply that Siemens control systems are less secure than
competing control system solutions. In fact, it is the opinion of the authors that a majority of industrial
sites are protected much less thoroughly than is the hypothetical Siemens site described in this paper.
Networks at a High Security Site
According to the Siemens documentation, the high security site is separated into at least four
security zones as illustrated in Figure 4:
The pink Enterprise Control Network zone is the corporate network, which hosts most
business users and business accounting and planning systems, such as Enterprise Resource
Planning (ERP) systems. The Enterprise Control Network may itself be separated into additional
sub-networks, each with their own protections. Such segmentations and protections are
typically established and managed by the corporate IT group.

Figure 4: The Hypothetical ICS Network Architecture
The yellow Manufacturing Operations Network zone hosts the SIMATIC IT servers, which
exchange information between the control system, the ERP system, and other important
applications on the Enterprise Control Network.
The brown Perimeter Network zone hosts servers that manage equipment in the control
system, and servers that provide information to end users on the Enterprise Control Network.
This is a common location for servers responsible for providing software patches and updates,
including Windows security updates and anti-virus updates. Many of the servers within this zone
provide information to end users via web servers and web services. People sometimes refer to
this zone as a demilitarized zone or DMZ.
The green security zone hosts two networks: the green Process Control Network and the blue
Control System Network. The Process Control Network hosts the 247 plant operators on
their Human Machine Interface (HMI) workstations, and is also connected to the WinCC/PCS 7
control system servers. The Control System Network is connected to a number of Programmable
Logic Controllers (PLCs) and is also connected to the WinCC/PCS 7 control system servers.
In a large facility, there are frequently multiple green zones, one for each control center or
operating area. For example, a large chemical plant may have as many as twenty or thirty
operating areas, each with their own SIMATIC PCS 7 system, and each controlling a large
portion of the facility with both input and output storage facilities to help decouple operational
disturbances between areas. These areas are able to operate independently of other portions of
the large facility for some period of time. The facility may have many control rooms and
corresponding server rooms, each hosting one or more control centers or operating areas.
The corporate wide area network (WAN) connects sites to one another, and connects different
kinds of security zones within sites. Corporate IT manages the various enterprise networks and
the corporate firewalls which protect enterprise network segments.
Note that while the Process Control Network and the Control System Network are different
networks, they are both in the same security zone. WinCC and PCS 7 control system servers
have at least two network interfaces, one for each kind of network. The two networks are
separated for performance and technological reasons, not security reasons.
In other words, the Control System Network is dedicated to traffic specifically related to
automation and control such as traffic to/from process controllers/PLCs and servers, while
traffic on the Process Control Network is utilized for information and display such as that
between HMIs and servers.
Internet Security and Acceleration (ISA) Servers
In the recommended architecture, Microsoft Internet Security and Acceleration (ISA) Servers
protect the plant zones from the WAN. They also protect zones from each other. All traffic
between security zones passes through an ISA server. Each ISA server hosts a number of
functions, such as firewall services, network address translation, web proxies, virus scanning and
secure web server publishing.
All of the ISA servers are configured by default to block connections originating in less-trusted
networks, such as the corporate WAN. The ISA servers allow connections, such as web services
connections, from clients on less-trusted networks to selected servers, such as web servers, in the
Perimeter Network. Servers that receive connections from less-trusted networks are specifically
hardened. The ISA servers manage connections to servers in the Perimeter Network, and allow
VPN and web connections only for authorized users with legitimate credentials via the WAN.
The ISA servers are also configured to allow machines inside the protected networks to initiate
connections outward to specific machines and services on less trusted networks. Those
connections may pass through the corporate WAN to external servers such as vendor websites on
the public Internet. However, connections from protected equipment to arbitrary sites on the
Enterprise Control Network or the Internet are not allowed. Just like inbound connections, the
outbound connections through the ISA firewalls are deny by default, with only specific,
approved connections to external servers permitted.
It should be mentioned that Windows ISA Server was originally introduced in 2001 to run on the
Windows 2000 platform. It was enhanced over the years with new editions released in 2004 and
in 2006, with both releases designed for the Windows Server 2003 platform. The Siemens
Security Concept document is based on the ISA Server 2006 platform. Today, Microsoft offers
the Forefront Threat Management Gateway which was released in 2009 and builds upon the ISA
2006 platform offering new features including support for the Windows Server 2008 and 2008R2
platforms. For additional information on ISA and Forefront TMG, please consult Microsofts
product documentation.
Virtual Private Network Connections
The ISA servers also mediate Virtual Private Network (VPN) connections into protected
networks. From time to time, workstations and laptops whose security is managed by third
parties are allowed to connect to protected networks through the ISA servers. Such connections
are labeled as support stations in Figure 4. Support stations are used most commonly for
remote engineering activities or vendor support activities. The stations may be at the site, or at a
remote corporate site, connected indirectly to the corporate WAN, with their access into
corporate networks other than the WAN mediated by either corporate firewalls or the ISA
servers. The vendors may also be at other noncorporate remote sites, connecting directly to the
ISA servers from quarantine zones served by routers.
When these support stations access protected network zones through an ISA firewall, the firewall
authenticates the VPN connection. If the vendor uses WinCC or other process applications that
require access to the Process Control Network, the firewall allows a small number of
connections, including WinCC and STEP 7 database connections, to protected servers. For
broader access to protected networks, the ISA server allows only VPN connections to remote
access servers running Microsoft Terminal Services or Remote Desktop Services. These are
sometimes referred to as jump hosts, and are intended to provide isolation between the
untrusted hosts, such as support laptops, and the trusted hosts such as the servers and
workstations on protected networks.
Host Hardening and Malware Prevention
In addition to the firewall and perimeter protections the ISA servers provide, a variety of host
hardening and malware prevention mechanisms are also in place, as specified by the Siemens
security architecture. On the Enterprise Control Network, all hosts are part of a comprehensive
patch management program that provides automated and managed installation of critical
software patches and hot fixes. All hosts have anti-virus and anti-spyware products installed, and
signatures for these products are distributed to all hosts immediately upon receipt from the anti-
malware vendors.
Hosts have only those applications installed and services enabled that are essential to business
functions. Enterprise workstations have access to the open Internet, but all web, ftp and email
traffic into the Enterprise Control Network is scanned for spam and malware at the Enterprise
Control Network firewall. Select workstations on the Enterprise Control Network have VPN
access configured to hosts on the Manufacturing Operations Network and hosts on the Perimeter
Network, but no workstations on the Enterprise Control Network have VPN access directly into
the Process Control or Control System Networks.
On the Manufacturing Operations Network and the Perimeter Network all hosts are part of the
security program implemented at the corporate level. All hosts are current with Siemens patches,
Microsoft operating system and application patches, third party application patches, anti-virus
and anti-spyware signatures, and all hosts have been reviewed to ensure that only applications
and services needed for the correct operation of the host and appropriate network are running. On
the Process Control Network and Control System Network, hosts are hardened and are running
antivirus software, but the hosts are not part of the corporate patch management system.
Operations manages patches on these critical networks, and subjects new Siemens, Microsoft and
third-party patches to a rigorous testing process before approving the patches for deployment on
critical system components.
The Microsoft Windows Server Update Services (WSUS) servers manage deployment of
approved patches, and such deployment is staged so that if unexpected problems arise when
patches are deployed, the affected equipment can be taken offline and rolled back without
impacting the overall performance of the control system. In addition, operations manages the
anti-virus servers for
Process Control and Control System Networks, testing all new signature sets before approving
them for deployment, and staging deployment of signature sets just like patch deployment is
staged. The WSUS servers also provide management of the deployment of patches allowing
users to configure the specific hosts and their timing and sequencing of installation in order to
minimize any risk associated with patch rollout. This ensures that equipment that develops
unexpected problems because of new patches and signature sets can be taken offline and repaired
without affecting the overall performance of the control system.
To be continued soon! Subscribe and be informed HERE

How Stuxnet (PLC virus) spreads Part 3

Continued from How Stuxnet (PLC virus) spreads Part 2 Read here
Compromising the Network
Given the well-secured industrial control
system described above, how could a worm like Stuxnet ever penetrate all the way to the PLCs?
Yet clearly it did Siemens reports that it is aware of at least 22 sites that experienced infected
control systems and certainly there were other sites, such as sites with other vendors products,
who would have not reported infections back to Siemens. Suggesting possible answers to this
question is the goal of this paper.
For this analysis, assume that the date is May 1, 2010. At that date, the Stuxnet worm had been
refined over the course of about 12 months into its mature form, using the shortcut or LNK
vulnerability rather than autorun.inf to propagate via USB drives. No patches existed for the
zeroday vulnerabilities the worm used. No anti-virus signatures existed for the worm.
No security researchers knew the worm existed. With the variety of propagation technologies
available to the worm, many scenarios would lead to the state-of-the-practice network described
in the previous section to be compromised.
The discussion that follows illustrates one way the target ICS could have been infiltrated. At
each stage, alternative pathways are also noted.

Figure 5: Compromising the Sites Networks

Initial Handoff of the Worm
v

v
Analysis by Symantec indicates that the worm was initially handed off by its developers to at least five separate organizations inside Iran. Severally of these
organizations were repeatedly targeted over a period of a year.
Advertisement
In our primary scenario, a company employee returns from an off-site visit to a contractors
facility with an infected USB flash drive. The employee has been given the infected drive
deliberately by a saboteur employed at the contractor facility.
Alternative pathways: the infected drive may have been simply targeted at the contractor with
the assumption that the worm would eventually be transferred to the target site. Most
contractor/client relationships are well known in the industry, making selection of a suitable
contractor relatively easy. The initial handoff of the worm to an employee of the target company
could also occur at industry tradeshows. Free branded USB flash drives are commonly used as
give-aways by vendors or as an alternative to CDs for distribution of conference materials.
In the past year, one of the authors of this paper was given a new USB drive at a major control
vendor tradeshow as a gift. The USB drive was infected!
The worm could have also been sent to the organization through a targeted email that contained a
special dropper program designed to install Stuxnet. For example, the authors have been able to
construct a proof-of-concept dropper for of Stuxnet that is based on an infected PDF.
Infection of Initial Enterprise Computer
Once the employee inserts the infected USB flash drive into his workstation and navigates to the
drive using Windows Explorer, the workstation is immediately infected. Anti-virus on the
workstation does not generate any alerts, because there are no signatures for the Stuxnet worm at
this time. The fact that the workstation is fully patched is of no help, because the LNK
vulnerability on shortcut files that the worm uses to infect the machine has no patch at this point
in time. Nor do the escalation of privilege vulnerabilities the worm uses to gain system-level
access on the workstation. The worm is also able to install what is called rootkit software that
hides the files used by the worm when browsing the infected flash drive.
Alternative pathways: The initial infection of a computer on the target company network could
also occur by the contractor supplying PLC project files that are infected. Due to the nature of
contractor/client relationships and the need for continuous collaboration, a variety of project files
are freely exchanged between team members. These files not only include the PCS 7 project files
that the Stuxnet worm could piggy back on, but also other potentially vulnerable file formats
including drawing, spreadsheet, database and PDF files that future worms could exploit.
It is unlikely that the transfer of these files can be completely prevented, since many are essential
to the engineering design process.
Propagation to other Enterprise Computers
As noted earlier, once on a network, Stuxnet is designed to spread aggressively. Thus within a
few hours, the worm would likely spread to printer servers and file servers on the Enterprise
Control Network connected directly or indirectly to the compromised workstation.
At this point, the worm might lay dormant, infecting new USB flash drives as they are inserted
into compromised equipment, waiting for someone to carry such a flash drive and the worm to a
protected network. Alternatively, it may request new instructions from a command and control
server see the section Peer-to-Peer Networking below. All personnel carrying and using
infected flash drives would be unaware that the worm is installed on their drives, because the
rootkit hides the worms files from the user.
Alternative pathways: Some additional alternative paths for infection of the Enterprise Control
Network include:
The employee may have attached an approved external drive to an infected machine while
visiting a contractor and subsequently brought this drive back into the company network.
The employee may have connected his or her laptop to a compromised network offsite, and
thus infected the laptop and then subsequently connected it to the Enterprise Control Network
on his or her return.
A contractor may have visited the site, bringing and using a compromised external drive on the
site network.
A contractor may have visited the site, bringing and using a compromised laptop on the site
network.
A contractor or employee at another facility may have used a file share at this site over the WAN
and so compromised the Enterprise Control Network.
Penetrating the Perimeter Network
In our primary scenario, we will assume that one of the workstations on the Enterprise Control
Network belongs to an employee who occasionally interacts with the person who manages the
historian server on the Perimeter Network. As is commonly done in the industry, the manager
has a file share configured on his workstation, as do most employees in that group.
The control system team uses the shares on their own workstations to exchange large files with
each other over the Enterprise Control Network, rather than exchange the files via the space-
limited file servers located on the Enterprise Control Network. Of course, only specific domain
accounts are permitted to
access these shares. Stuxnet uses the domain credentials of the user logged into the compromised
machine to send a copy of itself to the managers workstation and activates that copy,
compromising that workstation.
In many power plants, the historian manager would routinely access the Siemens WinCC
Central Archive Server (CAS) historian server from his workstation over a VPN.
Typically, the administrator uses both the web interface and Siemens OS Client to the historian
to access the CAS server. The web interface provides a view of functionality that the historian
exposes to users, and the OS Client allows the administrator to access advanced features of the
historian, used primarily for configuration and administration tasks.
Since the managers workstation is now compromised, the Stuxnet worm contacts the local
instance of the SQLServer database client on the compromised workstation and discovers the
OS Clients connection to the WinCC database that is installed as part of all CAS servers. The
worm contacts the WinCC SQLServer database on the CAS server and propagates to the CAS
server on the Perimeter Network through that database connection. The worm installs itself on
the CAS server by manipulating both the CAS database contents and stored procedures within
the database. The worm now has a foothold on the Perimeter Network.
Alternative pathways: Some alternate paths of infection of the Perimeter Network include:
o At many real world sites, the Perimeter Network hosts are not patched routinely. As a
result, any VPN connection from a compromised host on the Enterprise Control Network
to a host on the Perimeter Network using common Windows RPC communications is at
risk. Specifically any host on the Perimeter Network with no patch for the 2008 MS08-
067 vulnerability would allow the worm to compromise the Perimeter Network.
o While it does not follow the Siemens security recommendations, it is not unusual for the
VPN connections from Enterprise Control Network workstations to the Perimeter
Network to not aggressively restrict communications to specific ports and hosts. Often
workstations with VPN connections to the Perimeter Network can communicate with
any port on any host on the Perimeter Network. In such cases, any Enterprise Control
Network workstation with a VPN connection to the Perimeter Network puts at risk every
server or workstation on the Perimeter Network with file sharing enabled or a printer
connected.
o A contractor or vendor using a remote access mechanism to provide assistance with the
support of hosts on the Perimeter Network may remotely access that network from a
compromised laptop or workstation. If the contractor can communicate with any
exposed file shares or print spoolers on the Perimeter Network, that would permit
compromise of those hosts. If the contractor or vendors workstation can communicate
with any unpatched hosts exposing the MS08-067 vulnerability, that channel also
permits compromise of hosts on the Perimeter Network.
While this does not follow the Siemens security recommendations, site administrators on the
Enterprise Control Network are known to use file shares to exchange information with servers
on the Perimeter Network. Such file shares expose the Perimeter Network to compromise.

How Stuxnet (PLC virus) spreads Part 4

Continued from How Stuxnet (PLC virus) spreads Part 3 Read here
Propagation to other Perimeter Network Computers
Once the worm has a foothold in the Perimeter
Network, it would attempt to infect any print servers and file servers it could discover. Next, the
worm would identify the WinCC software installed on the Web Navigation and CAS Servers,
and would likely infect these local databases.
It is also possible that if the Web Navigation Server is configured to use Terminal Services for
remote access, there could also be STEP 7 software installed on this host, offering the worm the
opportunity to install itself inside the STEP 7 project files.
Propagation to Process Control Network and Control System Network
Once the worm takes over the PCS 7 servers in the Perimeter Network, it is then trivial to utilize
the network connections that exist to the servers located in the Process Control Network to infect
the servers within this zone.
Furthermore, once the STEP 7 project files are infected, it is only a matter of time before an
authorized user copies a project file to the Process Control or Control System Networks. In
addition, if an administrator were to copy these files to another plant at another site and use the
files there, these STEP 7 project files would lead to compromise of that new site by the Stuxnet
worm.
In addition, the WinCC Central Archive Server (CAS) on the Perimeter Network has database
connections configured through the ISA server, so that the historian server can request historical
data from Operator System (OS) Servers on the Process Control Network. The Stuxnet worm can
propagate over these connections into these OS Servers and infect all servers on the Process
Control Network which expose either print servers, file servers or which have WinCC or STEP 7
software installed on them. STEP 7 is typically installed on engineering stations, while WinCC is
common on both operator and engineering stations.
Some of the compromised OS Servers manage connections to the S7 PLCs that control the
physical process. The worm connects to those PLCs and modifies the programming in all the
PLCs that match the worms selection criteria. It also installs a special driver on the STEP 7
hosts effectively hiding any modified code from administrators or engineers querying the PLCs,
making the worm invisible once it is installed on the PLC.
Alternative pathways: Alternative paths for infection of the Process Control and Control System
Networks include:
File shares or print spoolers may be exposed to hosts on the Perimeter Network. Even if a site
did not mean to expose such services on the Process Control Network to the Perimeter
Network, WinCC components on the Perimeter Network make heavy use of Windows RPC
communications to interact with components on the Process Control Network. Print spooling
and file sharing use RPC communications. Any path through the ISA firewall that permits RPC
communications would permit connections to print spoolers and file shares, regardless of
whether such connections were anticipated by personnel designing ISA firewall rules.

For example, if an OPC Classic server (such as OPC Data Access) on the Process Control Network
serves information to an application on the Perimeter Network, that connection exposes the
RPC communications path since it is the foundation of the OPC Classic protocol.
Most servers on the Perimeter Network use database connections to servers on the Process
Control Network to acquire data for presentation to enterprise users. If any of those servers or
workstations becomes compromised, the worm can propagate over that machines database
connection to the Process Control Network.
PLC programming projects may routinely be carried out on test beds for which security
measures are weaker than those applied to production networks. Such test beds may become
compromised by removable drives, remote vendors, connections to compromised enterprise
hosts or other means. If those infected project files are communicated to hosts on Process
Control and Control System Networks, the worm compromises those new hosts.
A contractor or vendor using a remote access mechanism to provide assistance with the support
of hosts on the Process Control Network may remotely access that network from a
compromised laptop or workstation. If the contractor can communicate with any exposed file
shares or print spoolers on the Process Control Network that would permit compromise of those
hosts. If the contractor or vendors workstation can communicate with any unpatched hosts
exposing the MS08-067 vulnerability, that channel also permits compromise of hosts on the
Process Control Network.
Using an infected external drive on any single host on the Process Control Network would
compromise that host and the other computers on that network.
Peer-to-Peer Networking
At this point in the scenario, the physical process may or may not immediately malfunction. The
Stuxnet worm was designed to contact one of two command and control (C&C) servers over the
Internet for new instructions and updates. The worm exchanges information with these servers
over the HTTP protocol, on port TCP/80. The payload of communications with those servers is
encrypted, but the envelope for the communications is plain-text HTTP. None of the contents
of the HTTP traffic matches anti-spam or anti-malware rules in corporate Internet firewalls or
intrusion monitoring systems (IPS/IDS), and so the traffic to the C&C servers is permitted
through to the Internet.
The defense-in-depth posture of the example site however, forbids communication from any ISA
protected network with any machine on the open Internet, outside of a list of specifically
authorized machines. The C&C servers are not approved destinations, and direct communication
between the infected hosts on the trusted internal control networks and the C&C servers is
effectively blocked. Stuxnet works around this defense with a peer-to-peer (P2P) networking
capability built into the worm, illustrated in Figure 6.
The P2P network uses Windows remote procedure calls (RPC) as its transport the same
protocol used by Windows file sharing, windows print spooling, OPC, and a number of Siemens
proprietary data exchange protocols. RPC communications must be enabled within local area
networks for the PCS 7 system to function. Thus, all of the infected equipment on the Process
Control and Control System Networks are interconnected by the P2P capability.
In this scenario, we will assume that one of the machines on the Process Control Network is used
routinely by a control system administrator on the Enterprise Control Network. The
administrator connects to the machine through a VPN connection configured to allow only
Remote Desktop (RDC) traffic encrypted within the VPN tunnel. This way, a virus or worm on
the administrators machine has minimal opportunity to propagate into the protected network.
This administrator, however, routinely prints information from the OS Client machine on the
Process Control Network while using the machine remotely. The printer is mapped to the
administrators Enterprise Control Network-connected workstation, and so an RPC connection
has been allowed through the ISA firewalls from the OS Client to the administrators
workstation.
Unfortunately, this open RPC connection allows all RPC traffic, including the P2P RPC network
that Stuxnet uses. The administrators workstation, being on the Enterprise Control Network, has
no restrictions on connectivity with new sites on the Internet. Since at the proposed time of this
scenario (i.e. May 2010), no security researcher has yet discovered Stuxnet or the C&C servers;
those server addresses are not included in any list of banned sites on the corporate firewall.

Figure 6: Command and Control Communications

Stuxnet takes over the administrators workstation using the zero-day print spooler vulnerability,
and uses the RPC connection with that workstation to extend the P2P network to the Enterprise
Control Network. The P2P network now includes hosts that have contact with the C&C server,
and the entire network of compromised machines is put in contact with the Stuxnet authors
command and control servers.
It is important to point out that this path is successful because of the primary difference in
philosophy between the deny by default policy employed in the configuration of firewalls that
interface to trusted control system networks and the allow outbound by default policy
commonly used in firewalls that connect corporate networks to the Internet.
Some of the capabilities of the C&C servers have been determined through an examination of the
Stuxnet worm software, but nothing further has been published about any investigations into
those servers. We know the Stuxnet worms C&C communications and RPC communications
software are capable of receiving new versions of the worm and distributing those versions
throughout the P2P network. We also know the worm is capable of receiving new executables of
any type, including PLC program function blocks, over those communications channels and is
capable of executing them locally.
No information is yet available as to what executables, besides new versions of the worm, may
have been transmitted to infected sites. This ability to receive and run executables may have
assisted in the development of new versions of the worm, and could be used to help propagate
the worm through specific target networks. That said, but nothing definitive has been published
about how the ability to run arbitrary files was in fact used.
Alternative pathways: Alternative paths of communications with command and control servers
include:
WinCC components on the Perimeter Network make heavy use of Windows RPC
communications to interact with components on the Process Control Network. All such
communications paths through the ISA firewall, including OPC Classic connections, permit RPC
P2P communications as well.
While not described in the Siemens security recommendations, at many sites administrators on
the Enterprise Control Network use file shares to exchange information with servers on
Perimeter Network. Paths through the ISA firewall that permit such communications also permit
Stuxnet P2P traffic.
While not described in the Siemens security recommendations, at many sites the VPN
connections from Enterprise Control Network workstations to the Perimeter Network do not
aggressively restrict communications to specific ports and hosts; most workstations with VPN
connections to the Perimeter Network can communicate with any port on any host on the
Perimeter Network. In such cases, any compromised host on the Enterprise Control Network
with a VPN connection to the Perimeter Network exposes its P2P communications capability to
all compromised hosts on the Perimeter Network.
Even if communications with command and control servers are successfully blocked, any route
the original infection either used or could have used can serve as a route through which updates
to the worm are propagated. When new versions of the worm are installed on compromised
machines, they re-propagate just as the original worm did. This kind of communication path,
however, can only be used to update copies of the worm, not to interactively and remotely
execute arbitrary files on compromised hosts.
SOURCE: How Stuxnet Spreads A Study of Infection Paths in Best Practice Systems by: Eric Byres, P.
Eng. ISA Fellow, Andrew Ginter, CISSP, Joel Langill, CEH, CPT, CCNA (www.tofinosecurity.com
www.abterra.ca www.scadahacker.com) Develop best practice guidelines to certify the security and
reliability of your infrastructure and information assets


Thinking About Security Considerations in
SCADA Systems (1)

Security Considerations in SCADA Systems

SCADA System can be affected by a number of threats, which may be natural or intentional. So
it is very much important to focus on security aspects of SCADA Systems.
SCADA Threats
In this article, I will focus on various types of threats which must be considered in order to plan
the security management of a SCADA system.
Threats may be of following types:
1. Environmental threats
2. Electronic threats
3. Physical threat (in next article)
4. Threat via Communication and information networks (in next article)
5. Threats to Software Management and documentation (in next article)

1. Environmental threats
SCADA equipment installed in C4I SR facilities must be of such design or otherwise protected to
withstand seismic effects as well as shock (ground motion) and overpressure effects of weapons.
A detailed dynamic analysis should be made of the supporting structure(s) of the equipment
enclosures to evaluate the magnitude of motion and acceleration established at the mounting
points for each piece of SCADA equipment. Where accelerations exceed the allowable limits of
equipment available, the equipment should be mounted on shock isolation platforms.
1.a
SCADA equipment should be protected from the effects of dust, dirt, water, corrosive agents,
other fluids and contamination by appropriate location within the facility or by specifying
enclosures appropriate for the environment.
Care should be taken that installation methods and conduit and tubing penetrations do not compromise
enclosure integrity.
Go Back To SCADA Threats Index
- 1.b -
Central computer or control rooms should be provided with dry agent fire protection systems or
double-interlocked pre-action sprinkler systems using cross-zoned detection, to minimize the
threat of accidental water discharge onto unprotected equipment.
- 1.c -
Sensors, actuators, controllers, HMI, UPS and other SCADA equipment located throughout the
facility should utilize enclosures with a minimum environmental protection level of IP66 per EN
60529 or Type 4 per NEMA 250.
Where thermal management issues or other equipment requirements prevent use of such
enclosures, alternate means should be provided to protect the equipment from environmental
contaminants.
- 1.d -
Facility design must ensure that any facility chemical, biological, radiological, nuclear or
explosive (CBRNE) protection warning, alert, or protection systems also protect SCADA
systems and utility equipment areas if the mission requires the facility to remain operational in a
CBRNE environment.
Appropriate coordination and systems integration must occur between SCADA and CBRNE
protection systems so that appropriate facility environmental conditions are maintained if the
facility experiences a CBRNE attack or incident.

2. Electronic threats
Electronic threats to SCADA systems include voltage transients, radio-frequency (RF)
interference (RFI), RF weapons, ground potential differenceand electromagnetic pulse (EMP).
These threats can all be largely mitigated by proper design of the systems.
Go Back To SCADA Threats Index
- 2.a -
Advertisement
SCADA controllers and field devices are vulnerable to voltage transients coupled through the
facility power system from atmospheric (thunderstorm and lightning) effects, transmission and
distribution system switching events, and switching of capacitors or inductive loads within the
facility.
Transient voltage surge suppression (TVSS) should be provided on the power supply circuits to
all SCADA equipment and TVSS or optical isolation should be provided on all metallic control
and communication circuits transiting between buildings.
To avoid the effects of voltage transients, fiber optic cable should be used for all circuits
entering or leaving a facility.
Fiber media are available for most network applications at the supervisory and control levels.
Field devices typically require metallic conductors, and where these must be run outside or
between facilities, they should be provided with TVSS where they cross the facility perimeter.
TVSS should be specified to comply with the testing requirements of ANSI C62.34 and should
be installed in accordance with I EEE 1100.
Selection of TVSS locations and connections should consider that it is most effective when
connected directly to the terminals of the device to be protected and provided with a direct low-
impedance path to the facility ground system. Incorrect installation methods can readily render
TVSS protection ineffective.
Protected and unprotected circuits should be physically segregated to avoid capacitive and inductive
coupling that may bypass the TVSS.
Go Back To SCADA Threats Index
- 2.b -
C4I SR facilities often contain powerful radio frequency sources which may interfere with
control system operation if coupled into control circuits. Other ambient sources of RFI may also
exist including commercial signals, electronic counter measures (ECM), and radiated RFI from
other equipment within the facility.
Design and operation of SCADA systems should address measures to protect against RFI ,
including:
Use of shielded twisted pair or twisted triple conductors for low-level signals.
Installation of SCADA wiring in continuous metallic conduit systems.
Use of metallic controller enclosures with RFI-gasketed doors.
RFI-shielded control rooms and computer rooms.
Maintenance practices that maintain the integrity of enclosures.
Go Back To SCADA Threats Index
- 2.c -
Effective shielding to limit RFI to within the required limits for C4ISR facilities is dependent
upon the grounding and bonding practices required to provide a unified facility ground.
The grounding practices for the earth electrode system, the building structure, the lightning
protection system, the power system, and the signal reference system must be integrated to
achieve a unified ground system.
The particular grounding practices for each of these subsystems are illustrated in MI L-HDBK-
419A, Grounding, Bonding, and Shielding for Electronic Equipment and Facilities.
Additionally, specifications and installation designs for new equipment should include
requirements to assure electromagnetic compatibility (EMC) between the equipment and the
operating environment.
These requirements should serve to minimize the susceptibility of the new equipment to EMI that may
be present in the operating environment as well as to limit radiated emissions by the equipment to the
environment and to existing equipment.
1. Ground potential differences within a facility that may affect SCADA systems are mitigated by
proper connection of equipment to the unified grounding system that is required to be provided
for all C4ISR facilities. This system ties the electrical service, lightning protection, and all other
facility grounds together into a single low-impedance ground grid. Additional grounding
requirements for C4ISR facilities may be found in TM 5-690, Grounding and Bonding in C4ISR
facilities.
2. Each electrical room within the C4ISR facility which contains electrical equipment should be
provided with a ground bus, connected to the unified ground system. SCADA equipment
enclosures and internal ground buses should be connected directly to this ground bus, and
should not rely solely on an equipment grounding conductor installed with the power supply
circuit.
3. All exterior metallic components which penetrate the building, such as metal piping, conduits,
and ducts, should be grounded at the point of penetration. All conductive SCADA circuits
entering the facility from outside should be provided with TVSS, effectively grounded to the
ground grid at the point of entry.
4. Low-voltage shielded cables must be installed to avoid ground loops, which can induce
interfering currents on the signal common conductor. Unless otherwise dictated by the
equipment manufacturer, cable shields should be grounded at the controller end only, with the
instrument end left floating and insulated.
5. On large multi-facility sites potential differences between the different facilities ground systems
caused by atmospheric electrical activity and electrical system faults cannot be prevented, in
spite of their common connection through the facility primary electrical distribution grounding
system. SCADA circuits installed between facilities on these sites should always utilize fiber
optic cables or optical signal isolation at the facility perimeter.
Go Back To SCADA Threats Index
- 2.d -
EMP protection requires magnetically continuous ferrous shielding which is not provided by the
enclosures of typical SCADA sensors, controllers and actuators.
For this reason, all electronic SCADA components must be assumed vulnerable to EMP and must be
protected by location, external shielding, or replacement with pneumatic components.
1. Whenever possible, all SCADA components should be located inside the C4ISR HEMP shield.
Components that must be located outside the shield, such as sensors at an external fuel storage
tank, may be provided with a local HEMP-shielded enclosure and circuits routed back to the
facility within a shielded conduit system or using pneumatic lines or optical fiber cable.
2. EMP protection for non-conductive penetrations of the facility shield such as pneumatic tubing
and fiber optic bundles uses the principle of waveguide below cutoff in which the lines
penetrate the facility shield through a high aspect-ratio cylinder or waveguide. The waveguide
must be made of a conductive material and must be continuously welded or soldered to the
primary EMP shield so that current flowing on the waveguide can be discharged to the primary
EMP shield.
3. The maximum inside diameter of a penetration must be 4 inches or less to achieve a cutoff
frequency of 1.47 GHz for a rectangular penetration and 1.73 GHz for a cylindrical penetration.
The unbroken length of conducting material adjacent to the penetration must be a minimum of
five times the diameter of the conducting material (i.e., pipe, duct) to attenuate by at least 100
dB at the required frequencies.
4. The wave guide filter will be specified in terms of the attenuation over a specified range of
frequencies in accordance with TM 5-858-5, Designing Facilities to Resist Nuclear Weapons
Effects: Air Entrainment, Fasteners, Penetration Protection, Hydraulic Surge Protection Devices,
and EMP Protective Devices.
Go Back To SCADA Threats Index
- 2.e -
Equipment located in electrical substations or other areas where electrical systems over 600V
exist may be subject to particularly harsh transient voltage and transient electrical field
conditions associated with power system faults, lightning strikes, and switching surges.
This equipment should be qualified to the industry standards applicable to the withstand capability of
protective relays, ANSI C37.90.1, C37.90.2 and C37.90.3, which apply to surge voltage, radiated EMI
and ESD, respectively.
Testing has shown that both STP and coaxial network communications circuits are subject to
communications errors in high transient electric field conditions. For this reason, all network
communication within the substation environment should be over fiber optic circuits. Even with
a fiber communication circuit, the network equipment connected to the fiber may be susceptible
to radiated fields or to conducted interference at the power supply.
This equipment should be qualified to I EEE 1613, which requires automatic recovery from
transient-induced communications disruptions with no false operation and no human
intervention.
- 2.f -
Portable RF weapons of van size down to brief-case size are now commercially available.
Many of the above factors will also provide varying levels of protection against this emerging
threat.
For example, a HEMP shield should provide protections from RF Weapons external to the
shield. However, it will provide no protection from an RF Weapon inside the shield.
Thus, a critical aspect of protection from this threat is ensuring physical security protection
plans, measures, and procedures recognize this threat and mitigate it. Examples of this are to
insure that facility guards or security personnel are trained on this threat, are able to recognize
RF Weapons, and that procedures are instituted for random or mandatory checks of all items
entering the facility.
To be be continued

Thinking About Security Considerations in
SCADA Systems (2)
Thinking About Security Considerations in SCADA Systems - Part 2 (photo by scadalink.com)

Continued from previous part: Thinking About Security Considerations in SCADA Systems (1)

SCADA Threats
In this part of technical article, I will focus on various types of threats which must be considered
in order to plan the security management of a SCADA system. Some of them (first two) were
described in the previous part, so focus will be on physical threats, threats via communication
and threats to software management.
Threats may be of following types:
1. Environmental threats (previous part)
2. Electronic threats (previous part)
3. Physical threat
4. Threat via Communication and information networks
5. Threats to Software Management and documentation

3. Physical security
In general, SCADA system equipment should be located inside secured areas having the same
degree of security deemed appropriate for the supported systems. However, the electronic nature
of these systems provides opportunities for compromise from both inside and outside the secured
area that must be addressed.
- 3.a -
HMI devices for controllers that provide access to the entire SCADA system shall use password
protected screen access with multiple levels of access control, and automatic logout
routines with short time settings.
Password policies for screen savers shall be in compliance with established Do D policies (CJCSI
6510.01D).
- 3.b -
Equipment enclosures and pull and junction boxes should be kept locked or secured with tamper
resistant hardware. Doors and covers should be provided with tamper switches or other means
of detecting attempted intrusion, connected to the site security system.
Tamper detection devices should be designed to detect the initial stages of access such as
removal of fasteners, unlatching of doors, etc.
- 3.c -
Raceways and enclosures for SCADA circuits external to the secured area should be designed to
resist entry by unauthorized persons. Access to field wiring circuit conductors can potentially
provide back-door entry to controllers for damaging over-voltages or transients.
Outside raceways should consist of rigid steel conduits with threaded and welded joints and cast
junction boxes with threaded hubs and tamper proof covers.
- 3.d -
Conduits exiting the secured area should also be sealed to prevent them from being used to
introduce hazardous or damaging gases or fluids into enclosures within the secured area.
Go Back To SCADA Threats Index

4. Communication and information networks
Connections from SCADA systems to networks extending beyond the C4I SR facility or
between facilities on a common site introduce the threat of attacks.
- 4.a -
These attacks are of several types:
1. Unauthorized user access (hacking).
2. Eavesdropping; recording of transmitted data.
3. Data interception, alteration, re-transmission.
4. Replay of intercepted and recorded data.
5. Denial of Service; flooding the network with traffic.
- 4.b -
The best defense against these threats is to entirely avoid network connections with other networks
within or external to the facility.
If they must be used, data encryption techniques should be applied to all network traffic.
The following additional means of enhancing security should also be considered:
1. Physically disconnect when not in use; applicable to dial-up connections for vendor service.
2. Use fiber optic media which cannot be tapped or intercepted without loss of signal at the
receiving end.
3. One-way traffic; alarm and status transmission only with no control permitted.
Go Back To SCADA Threats Index

5. Software management and documentation
With the modern complexity and exposure to intentional software damage that can occur in
modern industrial controls systems, it is a good practice to implement a Software Management
and Documentation System (SMDS).
- 5.a -
A SMDS system is software which resides on a dedicated computer on the plant network that
monitors all activities of the control system. Such a system should be required for the control
system in an important and complex military facility.
I t allows the facility administrator to do the following:
1. Control who may use any SCADA application software and what actions can be performed
2. Maintain a system-wide repository for historical storage of the application configuration
files
3. Identify exactly who has modified a control system configuration or application parameter, what
they changed, where they changed it from, and when the change was made
4. Assure that the control system configuration thought to be running the facility actually is
5. Support application restoration following a catastrophic event
6. Generate views into the Software Management System for more detailed analysis of
configuration changes
- 5.b -
Software Management and Documentation systems are available now from the major suppliers
of industrial control systems.
Having such a system provides the following additional benefits:
1. Avoids maintaining incorrect or incompatible software versions
2. Assures that there are not multiple versions of software on file
3. Prevents multiple users from causing a conflict somewhere on the system
4. Prevents legitimate changes from being reversed or overwritten
5. Supports the availability of the system at its maximum
5.c
Among the specific software that such a system would secure are:
1. PLC programs
2. HMI screens
3. SCADA configurations
4. CAD drawings
5. Standard Operating Procedures (SOPs) (6) Network Configurations

SCADA communication vulnerabilities

Cyber security engineering is expensive. However, the presence of vulnerabilities requires it. In
this section we list vulnerabilities we typically see in SCADA systems. The order in the list of
vulnerabilities does not reflect a priority in terms of likelihood of occurrence or severity of
impact. Typical vulnerabilities in SCADA systems are listed below. The vulnerabilities are
grouped in the categories, policy/procedure/configuration management, system, network, and
platform to assist in determining how to provide the best mitigation strategy.
Typical vulnerabilities in SCADA systems
Policy/Procedure/Configuration Management
The SCADA system has no specific documented security policy or security plan.
There is no formal configuration management and no official documented procedures.
Hence, there are neither formal requirements, nor a consistent approach of configuration
management.
There is neither formal security training nor official documented security procedures.
System
Sensitivity levels for SCADA data are not established, making it impractical to identify which
communication links to secure, databases requiring protection, etc.
No security perimeter has been defined for the existing system that defines access points to the
system that should be secured.
Physical security alarms reside on the SCADA system; hence, a failure in the SCADA system
affects the integrity of the physical security.
Critical monitoring and control paths are not identified, in order to determine necessary
redundancy or contingency plans.
Network
Dial-up access exists on individual workstations within the SCADA network.
The dial-up access into the SCADA network utilizes shared passwords and shared accounts.
Administrative and SCADA networks utilize the same IP subnet. (This removes the possibility to
implement extranets, data diodes, filtering, etc.)
Inadequate data protection exists as the SCADA data traverse other networks, both as data is
transferred to other SCADA segments and as the data is sent to servers on the administrative
network. The data is used for a variety of purposes, including public display and engineering
efforts.
Wireless bridging used without strong mutual authentication and/or data integrity protection on
supported data flows.
Wireless LAN technology used in the SCADA network without strong authentication and/or data
protection between clients and access points.
There is inadequate physical protection of network equipment.
There is no security monitoring on the SCADA network.
Platform
Default OS configurations are utilized, which enables insecure and unnecessary services.
There is no regular virus checking.
A PC is allowed connection to both the SCADA network and the Internet.
There are no time limit, character length, or character type requirements for the passwords.
OS security patches are not maintained as part of a formal procedure of process.
This security policy also guides the integration of technology and the development of security
procedures. Again we iterate all the SCADA vulnerabilities discussed in this document are
attributable to the lack of a well-developed and meticulously practiced security policy.
As pointed out in the beginning of the paper, we are focused on system level vulnerabilities, not
point security problems, such as physical security or a particular protocol like WEP or SNMP. A
well-developed security policy balances operational performance and security requirements, and
is necessary for sustained security. This security policy also guides the integration of technology
and the development of security procedures.
Again we iterate all the SCADA vulnerabilities discussed in this article are attributable to the
lack of a well-developed and meticulously practiced security policy.
SOURCE: COMMUNICATION VULNERABILITIES AND MITIGATIONS IN WIND POWER SCADA SYSTEMS
American Wind Energy Association WINDPOWER 2003 Conference Austin, Texas

iFIX Scada Features

iFIX offers a robust SCADA engine, rich set of connectivity options, open architecture and
highly scalable and distributed networking model. Used in a variety of applications across
diverse industries, it is ideally suited for applications as simple as typical HMI applications such
as manual data entry and validation to very complex SCADA applications like batching,
filtration and distributed alarm management.
It also complies with industry standards-making it ideal as part of more IT-focused real time data
management system.
Providing a window into your total operations cycle, iFIX enables faster, better intelligent
control and visibility into your operations.
Failover And Database Synchronization
iFIX SCADA servers support replication and failover of database and alarms between the
primary and backup SCADA servers ensuring that you have high availability and continuous
control. Every aspect of the iFIX database is replicated, including adding/deleting tags, run time
modifications, alarm generation, acknowledgement and database storage.
All of the E-Signature configuration and audit trails can also be replicated.
Secure Networking
Network Encryption and Controlled Topology. To protect your data assets, iFIX offers a high
degree of network security with a proprietary set of communications, a layer of network
encryption and the ability to explicitly define communications with remote nodes.
In addition to enabling communications with any requesting node, iFIX offers a communication
table for defining nodes that are allowed to communicate.
Integrated Change Management
iFIX tightly integrates with our Proficy Change Management software to provide you with
additional security and disaster recovery capability. You can report differences between
databases, graphics, graphic scripts, dynamos, global variables, security configuration and other
important system files; you can also track audit trails of system changes in real time. Click here
for more information on Proficy Change Management.
Electronic Signatures
You can easily configure e-Signatures, while creating the tag database. E-Signatures work
together with iFIXs Alarm & Event engine to record runtime changes made to the system and
create an audit trail to help you meet regulatory compliance standards such as 21 CFR Part 11
and NERC.
Flexible Charting and Trending
iFIX provides flexible options with support for real time, historical, SPC, histogram and
logarithmic charts enabling you to customize the data. Within each chart type, iFIX provides
options for arranging data through several plotting methods, different legend selections,
exporting options and auto-scaling for best-fit charts.
Advanced and Distributed Alarm and Event Management
iFIX offers you maximum flexibility in configuring alarms. This powerful component enables
distributed alarm management where you can divide your solution into functional areas and
distribute alarms across these areas. iFIX also delivers advanced alarm management which
enables you to define alarm delays, alarm inhibit factors, alarm suspension factors and re-
alarming time.
In addition, iFIX includes alarm statistics and counters which provide further insight into the alarm and
operator behavior.

SCADA Security Attacks

SCADA systems are used to control and monitor physical processes, examples of which are
transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic
lights, and other systems used as the basis of modern society.
The security of these SCADA systems is important because compromise or destruction of these
systems would impact multiple areas of society far removed from the original compromise. For
example, a blackout caused by a compromised electrical SCADA system would cause financial
losses to all the customers that received electricity from that source. How security will affect
legacy SCADA and new deployments remains to be seen.
A number of types of security challenges to which SCADA systems may be vulnerable are
recognized in the industry.
Top
The list includes:
AUTHORISATION VIOLATION
an authorized user performing functions beyond his level of authority.
EAVESDROPPING
gleaning unauthorized information by listening to unprotected communications.
INFORMATION LEAKAGE
authorized users sharing information with unauthorized parties.
INTERCEPT/ALTER
an attacker inserting himself (either logically or physically) into a data connection and then
intercepting and modifying messages for his own purposes.
MASQUERADE (SPOOFING)
an intruder pretending to be an authorized entity and thereby gaining access to a system.
REPLAY
an intruder recording a legitimate message and replaying it back at an inopportune time. An
often-quoted example is recording the radio transmission used to activate public safety warning
sirens during a test transmission and then replaying the message sometime later.
An attack of this type does not require more than very rudimentary understanding of the
communication protocol.
DENIAL OF SERVICE ATTACK
an intruder attacking a system by consuming a critical system resource such that legitimate users
are never or infrequently serviced.
Top
Security by Obscurity
The electric utility industry frequently believes that the multiplicity and obscurity of its SCADA
communication protocols make them immune to malicious interference. While this argument
may have some (small) merit, it is not considered a valid assumption when security is required.
An often-quoted axiom states that security by obscurity is no security at all.
In the same way that the operation of door locks is well understood but the particular key is kept
private on a key ring, it is better to have well-documented and tested approaches to security in
which there is broad understanding of the mechanisms but in which the keys themselves are kept
private.
Top
Encryption

Encryption of information - Security techniques
Security techniques discussed in this section are effective against several of the attacks
discussed above, including eavesdropping, intercept/alter, and masquerade (spoofing). They
can also be effective against replay if they are designed with a key that changes based upon some
independent entity such as packet sequence number or time.
The OSI reference model separates the function of data-link integrity checking (checking for
transmission errors) from the function of protecting against malicious attacks to the message
contents. Protection from transmission errors is best done as close to the physical medium as
possible (data-link layer), while protection from message content alteration is best done as close
to the application layer as possible (network layer or above). An example of this approach is the
IP Security Protocol (ipsec), which is inserted at the IP (Internet Protocol) level in the protocol
stack of an Internet-type network.
For those instances where packet routing is not required, it is possible to combine error checking
and encryption in the physical or data-link layer. Commercial products are being built to
intercept the data stream at the physical (or sometimes data link) layer, add encryption and error
detection to the message, and send it to a matching unit at the other end of the physical
connection, where it is unwrapped and passed to the end terminal equipment. This approach is
particularly useful in those situations where it is required to add information security to existing
legacy systems. If such devices are employed in a network where message addressing must be
visible, they must be intelligent enough to encrypt only the message payload while keeping the
address information in the clear.
For systems in which the packets must be routed through a wide-area network, the addition of a
physical-layer device that does not recognize the packet structure is unusable. In this case, it is
more appropriate to employ network-layer or above security protection to the message.
This can be accomplished using either proprietary (e.g., many virtual-private-network schemes)
or standards-based (e.g., the IP Security Protocol [ipsec]) protection schemes that operate at the
network layer or above in the OSI model.
SOURCE: Daniel E. Nordell

An Overview Of Smart Power Grid

Abstract

Figure 1 - Tree limbs create a short circuit during a storm, typically resulting in a power outage
The present electric grids use the technology of 1970s. But with the advancement in various
concepts of power generation, problems associated with power outages and thefts, and also due
to increase in demand, we require a modernized grid to avail all the needs of customers even in
the situations of hype, which can be called a smart grid.
The smart grid performs various functions such that it increases grid stability, reliability,
efficiency and ultimately reduces line losses.
Also the smart grids are designed to allow the two-way processing of electricity from consumers
that have distributed generation. Various technologies like sensing and measurement, usage of
advanced components are to be used for successful functioning of the grid. In this paper, smart
grid, its functions, technologies used in smart grids are discussed.

Introduction to Electric Grid
The electric grid generally refers to all or the smart grid, in a nutshell, is a way to transmit and
distribute electricity by electronic means. The electric grid delivers electricity from points of
generation to consumers. The electricity delivery network functions via two primary networks:
the transmission system and the distribution system. The transmission systems deliver electricity
from power plants to distribution substations, while distribution systems deliver electricity from
distribution substations to consumers.
The grid also encompasses myriads of local area networks that use distributed energy resources
to several loads and/or to meet specific application requirements for remote power, municipal or
district power, premium power, and critical loads protection.

Introduction to Smart Grid
Smart grid lacks a standard definition, but enters on the use of advanced of technology to
increase the reliability and efficiency of the grid, from transmission to distribution. The Smart
Grid is a vision of a better electricity delivery infrastructure.
Smart Grid implementation dramatically increases the quantity, quality, connectivity, automation and
Coordination between the suppliers, consumers and networks, and use of data available from advanced
sensing, computing, and communications hardware and software.
In addition to being outdated, power plants and transmission lines are aging, meaning they have
difficulty handling current electricity needs, while demand may not be reduced any time, but it
can still be increasing continuously. One solution could be to add more power lines, but the
aging system would still be overwhelmed.
So instead of a quick fix, a more reliable, permanent solution is needed. Perhaps the most
fundamental aspect of transitioning to a smarter electricity system is the smart meter.
Top
Why Modernization of Electric Grid is required?
The major driving forces to modernize current power grids can be divided in four, general
categories:
Increasing reliability, efficiency and safety of the power grid.
Enabling decentralized power generation so homes can be both an energy client and supplier
(provide consumers with interactive tool to manage energy usage).
Flexibility of power consumption at the clients side to allow supplier selection (enables
distributed generation, solar, wind, and biomass).
Increase GDP by creating more new, green collar energy jobs related to renewable energy
industry manufacturing, plug-in electric vehicles, solar panel, and wind turbine generation,
energy conservation and construction.

Smart grid delivery
Smart Grid Functions
The integrated system of the smart grid has two scopes.
One scope is transmission monitoring and reliability and includes the following capabilities:
Real time monitoring of grid conditions.
Improved automated diagnosis of grid disturbances, and better aids for the operators who must
respond to grid problems.
Automated responses to grid failure that will isolate disturbed zones and prevent or limit
cascading blackouts that can spread over a wide area.
Plug and play ability to connect new generating plants to the grid, reducing the need for the
time consuming interconnection studies and physical upgrades.
The automatic restoration of power would be accomplished by a combination of sensors,
computer analysis and advanced substation components, as well as by the ability to reroute
power to outage locations.
Enhancing ability to manage large amounts of solar and wind power.
The second scope is consumer energy management:
At a minimum, the ability to signal homeowners and businesses that power is expensive and/or
tight in supply. This can be done, via special indicators or through web browsers or personal
computer software. The expectation is that the customer will respond by reducing its power
demand.
The next level of implementation would allow the utility to automatically reduce the consumers
electricity consumption when power is expensive or scarce. This would be managed through the
link between the smart meters and customers equipment or appliances.
The smart grid system would automatically detect distribution line failures, identify the specific
failed equipment, and help determine the optimal plans for dispatching crews to restore service.
The smart grid would automatically attempt to isolate failures to prevent local blackouts to
spread over that area.
The smart grid would make it easier to install distributed generation such as rooftop solar
panels, and to allow net metering, a rate making approach that allows operators of distributed
generators to sell surplus power to utilities. The smart grid would also manage the connection of
millions of plug-in hybrid electric vehicles into the power system.
Hence the functions of smart grid can be summarized into the following terms as selfhealing, consumer
participation, resist attack, high quality power accommodate generation options, enable electricity
markets, optimize assets, enable high penetration of intermittent generation options.

Technology- Initial Focus
Smart Grids rely on information technology advancements across telecommunications and
operations. Utilities apply these technologies both to grid operations transmission and
distribution wires and associated equipment and to the customer site-meters, customer owned
energy technology equipment and appliances, and home area networks (HANs).

Wires

High temperature superconductor (HTS) wire enables power transmission and distribution cables
with three to five times the capacity of conventional underground AC cables and up to ten times
the capacity of DC cables. Fault current management capability when using Fault Blocker cable
systems.

Wires-focused Smart Grid projects commonly involve:
One of the components to smart grid would be the replacement of the aging power lines with
high-temperature superconducting lines.
The new wires could be installed underground to avoid cluttering up the already congested
cityscapes.
New telecommunications and operational (sense and control) technologies: These improve
delivery performance and resilience.
New sensor and control technologies. These, when combined with distributed intelligence,
make it possible to report and resolve grid issues in real time (self healing).
Transmission and distribution intelligent electronic devices. These alert operators, automatically
respond to problems, and integrate generation from renewable resources.

Sensing and Measurement

Smart Grid - Advanced Metering Infrastructure (AMI)

Core duties are evaluating congestion and grid stability, monitoring equipment health, energy
theft prevention, and control strategies support. Technologies include smart meters, sensing
systems, advanced switches and cables, digital protective relays etc In all these, smart meters
play a vital role.
In Smart Metering, an Advanced Metering I nfrastructure (AMI ) of interval meters and two-way
communications systems serves as a gateway for utility/customer interaction. Smart Metering
has the potential to reduce both customer and utility costs.
If you take a look at your current electricity meter, you will see that it is very mechanical,
humming along blindly, waiting to be read by a technician, to determine the amount of electricity
used in a given month, at the end of which you receive a bill. A smart meter utilizes what is
known as real-time monitoring (RTM). A display lets the consumer know how much electricity
is used and even when it is less expensive to use it.
Studies have shown that when people are made aware of how much power they are using, they reduce
their use by about 7%. A smart grid also prevents the entire system from becoming overloaded,
lessening the chance for a power outage.

Advanced Components
Innovations in superconductivity, fault tolerance, storage, power electronics, and diagnostics
components are changing fundamental abilities and characteristics of grids.
Technologies within these broad R&D categories include: flexible alternating current
transmission system devices, high voltage direct current, first and second generation
superconducting wire, high temperature superconducting cable, distributed energy generation
and storage devices, composite conductors, and intelligent appliances.
Top
Renewable Energy and the Smart Grid

Renewable Energy and the Smart Grid
The smart grid can be seen as an alternative energy source, certainly a change from the current
way of doing things. In addition to rerouting electricity, the smart grid would be able to fill in the
gaps of these alternative energy power sources. One way this could be accomplished,
surprisingly enough, is with another alternative energy technology the electric car, specifically,
the plug-in electric hybrid (PHEV).
This would work through the concept of energy storage, in the case of the PHEV, specifically
referred to as V2G or vehicle to grid. This use of alternative energy sources, like wind and solar
reduces the nations dependence on foreign oil and helps keep pollution from car exhaust and
power plants to a minimum.

Other Technologies
Integrated communications will allow for real-time control, information and data exchange to
optimize system reliability, asset utilization, and security.
Conclusion
The major source of energy for human beings is electricity. Without electricity, no technology
or science could have been possibly developed. But there are many problems associated with
effective functioning of the electric grids which cause a serious loss of power and may even
create severe scarcity in future. Also, the latest advancements in generation of electricity from
renewable sources also require a means for effective utilization.
So, keeping in view of these, for better performance of the grid, smart grids should be developed
all over the world So that we have a more transparent, reliable system that allows consumers to
save money and utility companies to more accurately control electricity.
Thus Smart Grid technology paves way for increased utilization of green power.

Smart Grid Communications Overview

Solutions for powerline, wireless, and serial communications (Maxim, www.maxim-
ic.com/communications)
Overview
An electricity grid without adequate communications is simply a power broadcaster. It is
through the addition of two-way communications that the power grid is made smart.
Smart grid communications enables utilities to achieve three key objectives:
1. Intelligent monitoring,
2. Security, and
3. Load balancing.
Using two-way communications, data can be collected from sensors and meters located
throughout the grid and transmitted directly to the grid operators control room. This added
communications capability provides enough bandwidth for the control room operator to actively
manage the grid.
The communications must be reliable, secure, and low cost. The sheer scale of the electrical grid
network makes cost a critical consideration when implementing a communications technology.
Selecting a solution that minimizes the number of modems and concentrators needed to cover
the entire system can dramatically reduce infrastructure costs.
At the same time, the selected technology must have enough bandwidth to handle all data traffic
being sent in both directions over the grid network.

Communications networks and protocols
Communications in the smart grid can be broken into three segments:
Wide area network (WAN)
It covers long-haul distances from the command center to local neighborhoods downstream.
Neighborhood area network (NAN)
It manages all information between the WAN and the home area network using medium-voltage
lines.
Home area network (HAN)
It extends communication to endpoints within the end-user home or business.
Each segment is interconnected through a node or gateway: a concentrator between the WAN
and NAN and an e-meter between the NAN and HAN. Each of these nodes communicates
through the network with adjacent nodes. The concentrator aggregates the data from the meters
and sends that information to the grid operator.
The e-meter collects the power-usage data of the home or business by communicating with the
home network gateway or functioning as the gateway itself.

The smart grid communications architecture

Each segment can utilize different communications technologies and protocols depending on the
transmission environments and amount of data being transmitted. In addition to the architecture
choice between wireless and powerline communications (PLC), there are a variety of wireless
and PLC protocols to choose among (Table 1).
Network Protocol Advantages Disadvantages Recommendation
WAN Wireless (2G/3G/LTE cellular, GPRS)
Extensive cellular
infrastructure is
readily available; large amount
of aggregated data can be
communicated over a long
Utility must rent the
infrastructure from
a cellular carrier for a
monthly access fee;
utility does not own
Wireless usually works
best
haul infrastructure
HAN
Wireless ISM
Long range; leaps
transformers
Currently proprietary;
dead spots
complicate installation
and maintenance
Useful in some
topologies, such as in
the U.S.
IEEE 802.15.4g
Long range; leaps
transformers
Not yet an accepted
standard
Useful in some
topologies
ZigBee
Low cost; low power
consumption allows battery
operation; well-known
standard
Low data rate; very short
range; does
not penetrate structures
well
Unlikely to be used in
NANs
First generation PLC (FSK, Yitran, Echelon) Low cost
Unreliable; low
bandwidth
Bandwidth and
reliability inadequate
for the smart grid
Early generation narrowband OFDM
Better range, bandwidth, and
reliability than FSK
Does not cross
transformers; does not
coexist with first-
generation PLC
Not recommended for
new designs due
to cost and
compatibility concerns
Broadband PLC High data rate
Does not cross
transformers
Increases
infrastructure cost,
making it too costly
for most large-scale
deployments
G3-PLC
Highly reliable long-range
transmission; crosses
transformers,
reducing infrastructure costs;
data rate supports frequent
two-way
communications; coexists with
FSK; open standard; supports
IPv6
Not yet an accepted
standard
Excellent for NAN
worldwide
HAN
ZigBee
Well-known standard that
offers low cost and low power
Very short range; does
not penetrate structures
well
Well suited for
communication
between water and
gas meters
Wi-Fi
Popular technology with high
data rates
Medium range; does not
penetrate
cement buildings or
basements
Good for consumer
applications, but
no provisions for
meeting utility
objectives
First-generation PLC (FSK, Yitran, Echelon) Low cost
Not reliable in home
environments
Unlikely to be used in
homes due to
high levels of
interference
Early generation narrowband OFDM
Better range, bandwidth, and
reliability than FSK
Does not cross
transformers; does not
coexist with first-
generation PLC
Not recommended for
new designs due
to cost and
compatibility concerns
Broadband PLC High bandwidth
Short range is not
sufficient for NAN
Good for consumer
applications, but
no provisions for
meeting utility
objectives
G3-PLC
Highly reliable; sufficient data
rate; IPv6 enables networking
with many devices
Not yet an accepted
standard
Excellent for HAN
worldwide
The WAN is the communications path between the grid operator and the concentrator. The
WAN can be implemented over fiber or wireless media using Ethernet or cellular protocols,
respectively.
Cellular or WiMAXis most commonly used between the grid operator and the concentrator.
The NAN is the path between the concentrator and the meter. It uses either wireless or PLC.
Typically, the concentrator communicates with anywhere from a few to hundreds of meters,
depending on the grid topology and the communications protocol used.
Today, there is no standard for this portion of the network, so most implementations use
proprietary wireless or PLC technologies. Several standards bodies are currently working with
utilities and technology providers to define standards for wireless and PLC protocols.
The I EEE 802.15.4g standard targets wireless; the I EEE P1901, OPEN meter, and I TU-T
G.hnemstandards are being developed for PLC (Table 2).
Region WAN NAN HAN
North America Cellular, WiMAX
G3-PLC, HomePlug, IEEE 802.15.4g, IEEE
P1901, ITU-T G.hnem, proprietary wireless, Wi-
Fi
G3-PLC, HomePlug, ITU-T G.hn, Wi-Fi,
ZigBee, Z-Wave
Europe Cellular G3-PLC, IEEE P1901, ITU-T G.hnem, PRIME, Wi-Fi
G3-PLC, HomePlug, ITU-T G.hn, Wi-Fi,
Wireless M-Bus, ZigBee
China
Cellular, band
translated WiMAX
G3-PLC, RS-485, wireless to be determined G3-PLC, RS-485, Wi-Fi, to be determined
Rest of the World Cellular, WiMAX
G3-PLC, HomePlug, IEEE 802.15.4g, IEEE
P1901, ITU-T G.hnem, PRIME, RS-485, Wi-Fi
G3-PLC, HomePlug, ITU-T G.hn, RS-485,
Wi-Fi, Wireless M-Bus, ZigBee, Z-Wave
The HAN is used by utilities to extend the reach of their communication path to devices inside
the home. This network can support functions such as cycling air conditioners off during peak
load conditions, sharing consumption data with in-home displays, or enabling a card-activated
prepayment scheme.
The arrival of electric/plug-in hybrid electric vehicles (EV/PHEVs) presents a special communications
scenario for HANs.
Standards bodies are defining PLC protocols for communicating with vehicle charging systems.
In addition to supporting the data requirements for smart grid activities, a HAN might also
include: peer-to-peer (P2P) communications between devices inside the home; communications
with handheld remote-control devices, lighting controls, and gas or water meters; as well as
broadband traffic.
Protocols such as RS-485, ZigBee, Z-Wave, and HomePlug are used for this network. If there
is a separate home gateway, it is possible that additional protocols could be used to communicate
with appliances, thermostats, and other devices.
Communications alternatives in the HAN can often coexist, but utility support will probably be
limited to technologies needed to support the utilitys primary objectives.
Advertisement
Resource: Maxim (solutions for powerline, wireless, and serial communications); www.maxim-
ic.com/communications

Smart Grids and The New Age of Energy

Smart grid requirements:
1. Network planning
2. Power electronics (HVDC/FACTS)
3. Bulk renewable integration
4. Energy Management System (EMS)
5. Smart substation automation and protection
6. Integrated Substation Condition Monitoring (ISCM)
7. Communication Solutions
8. Distribution Management System (DMS)
9. Distribution automation and protection
10. Distributed Energy Resources (DER)
11. Decentralized Energy Management System (DEMS)
12. Smart metering solutions
13. Conclusion
1. Network planning

Smart grid - A vision for the future, a network of integrated microgrids that can monitor and heal
itself

Building Smart Grids is a highly complex task that begins with a detailed quantitative
assessment of the system requirements, definition of actual targets and their required
performance levels, and specification of system concepts and equipment.
As a result, a comprehensive strategy for building Smart Grids is necessary including the part
of the network that addresses power supply systems.
The foundation for designing an efficient Smart Grid is a detailed analysis of the systems required
performance. This is the key task for strategic network planning.
Keeping a rigorous focus on the system as a whole ensures that the architecture and
configuration deliver the necessary performance levels, and meet other requirements as well. The
solution will integrate the most innovative technologies for power generation, transmission,
distribution and consumption, while taking into account each systems individual history and
current condition.
In most cases, the transition from todays power supply system to the future Smart Grid cannot
be made in one step; instead it requires stepbystep modification plans.
Go back to Content

2. Power electronics (HVDC/FACTS)

Reinhausen solutions for optimized High-voltage Direct Current Transmission (HVDC)

Power electronic solutions for High Voltage Direct Current transmission (HVDC) and Flexible
Alternating Current Transmission Systems (FACTS) address the greatest challenges in power
transmission.
FACTS devices can significantly increase the power transmission capacity of existing alternating
current (AC) systems and extend maximum AC transmission distances by balancing the variable
reactive power demand of the system.
Reactive power compensation is used to control AC voltage, increase system stability, and
reduce power transmission losses.
State-of-the-art FACTS devices include Fixed Series Compensators (FSC) and Thyristor
Controlled Series Compensators (TCSC), orStatic VAR Compensators (SVC) for dynamic shunt
compensation.
The latest generation of Siemens SVC devices is called SVC PLUS. These are highly standardized compact
devicesthat can easily be implemented in demanding network environments; for example, to allow
connection of large offshore wind farms.
AC technology has proven very effective in thegeneration, transmission and distribution of
electrical power. Nevertheless, there are tasks that cannot be performed economically or with
technical precision using AC.
These include power transmission over very long distances, as well as between networks
operating asynchronously or at different frequencies. In contrast, a unique feature of HVDC
systems is their ability to feed power into grids that cannot tolerate additional increases in short
circuit currents.
The transmission capacity of a single HVDC transmission system has recently been extended by
Siemens Ultra High Voltage Direct Current transmission system (UHVDC).
With a capacity of more than seven gigawatts and low rate of loss, UHVDC transmission is the
best way to ensure highly efficient power transmission of 2,000 kilometers or more. Electrical
Super Grids based on UHVDC transmission can interconnect regions across climate and time
zones, allowing seasonal changes, time of day and geographical features to be used to maximum
advantage.
Go back to Content

3. Bulk renewable integration

Solutions for Renewable Energy Integration (S&C)

In order to begin fulfilling the climate protection requirements of 2020, we need to use energy
efficiently and reduce CO
2
emissions. Power generation needs to change accordingly.
Large power plants will continue to ensure basic supplies, but there will also be renewable
energy sources that fluctuate locally depending on weather and other conditions.
Go back to Content

4. Energy Management System (EMS)

Smart Grid Distribution Network - Energy Management System (EMS)

At power plants, the focus is on ensuring reliable supply, using generation resources efficiently,
and reducing transmission losses.
As Energy Management System (EMS) handles these by balancing the demands of the
transmission system, generating units, and consumption. I ntelligent Alarm Processors (I APs)
reduce the critical time needed to analyze faults in the grid and take corrective action, as well as
the risk of incorrect analysis.
I nnovative Voltage Stability Analysis (VSA) applications running automatically
and independently alert the operator before critical situations that jeopardize static
system voltage stability occur, giving the operator time to take preventive action rather
than having to react under stress. Increased grid reliability is provided by Optimal Power
Flow (OPF) applications that continuously work to keep the systems voltage level high
and eliminate invalid voltage conditions.
Any control measures that must be taken can be automatically executed in a closed-loop-control
procedure.
Go back to Content

5. Smart substation automation and protection
The automation and protection of substations must be enhanced to securely meet the extended
requirements of future Smart Grids. The substation is in the process of becoming a node on the
utility IT network for all information from the distribution substation to the customer.
For example, data from the feeder automation units, power quality, meters, decentralized energy
resources and home automation systems will be collected and analyzed to improve the system.
Besides the new Smart Grid challenges, the usual task of protection, control and automation have to
remain as reliable and efficient as ever.
The objectives for substations are beginning to cross departmental boundaries, encompassing
operations, maintenance and security requirements. Smart substation solutions and their
individual components should be designed with this overarching vision and framework in mind.
Smart Substation Automation Systems support the following goals:
1. Secure and reliable power supply
2. Guaranteed high levels of protection for facilitiesand people
3. Reduction of manual interactions to enhance rapid self-healing operations
4. Implementation of intelligent remote error monitoring, detection, reporting
5. Enabling condition-based predictive maintenance
6. Support for engineering and testing through plug-and-play functionality
7. Proactively distributing substation information to all relevant stakeholders
8. Reduced costs for installation and maintenance.

6. Integrated Substation Condition Monitoring (ISCM)
I ntegrated Substation Condition Monitoring (I SCM) is a modular system for monitoring all
relevant substation components, from the transformer and switchgear to the overhead line and
cable.
Based on known, proven telecontrol units and substation automation devices, ISCM provides a
comprehensive solution perfectly suited to substation environments.
It integrates seamlessly into the existing communication infrastructure so that monitoring
information from the station and the control center is displayed.

7. Communication Solutions
The new Age of Electricity is characterized by a mix of both central and decentralized power
generation, which requires bidirectional energy flows including power from smart buildings
and residential areas where consumers are becoming prosumers.
A key prerequisite for this paradigm shift is a homogeneous, end-to-end communication network
that provides sufficient bandwidth between all grid elements.
Telecommunication systems for power grid transmission have a long history in the utility
industry. In todays transmission grids, almost all substations are integrated into
a communication network that allows online monitoring and controlling by an
Energy Management System (EMS).
In a distribution grid, the situation is quite different. Whereas high voltage substations are often
equipped with digital communication, the communication infrastructure at lower distribution levels is
weak.
In most countries, fewer than ten percent (10%) of transformer substations and ring main units
(RMUs) are monitored and controlled remotely. Communication technologies have continued to
develop rapidly over the past few years, and the Ethernet has become the established standard in
the power supply sector.
International communication standards like I EC 61850 will further simplify the exchange of data
between different communication partners. Serial interfaces will, however, continue to play a
role in the future for small systems.
An important element in creating and operating Smart Grid is comprehensive,
consistent communication using sufficient bandwidth and devices with IP/Ethernet capability.
Networks of this kind must eventually extend all the way to individual consumers, who will be
integrated into them using smart metering. Consistent end-to-end communication helps meet the
requirement for online monitoring ofall grid components and, among other things, creates
opportunities to develop new business models for smart metering and integrating distributed
power generation.
Go back to Content

8. Distribution Management System (DMS)

Distribution Management System (DMS)

Todays distribution grid operation is primarily characterized by manual procedures that rely on
the expertise of an aging workforce.
Using Spectrum Power Distribution Management System (DMS) will create a smart, self-
healing grid by providing the following enhancements:
1. Reduction of the occurrence and duration of outagesthrough the application of advanced fault
location and network reconfiguration algorithms.
2. Minimization of losses through improved monitoring.
3. Optimized utilization of assets through management of demand and distributed generation.
4. Reduction of maintenance costs through online condition monitoring.
The smart management of power distribution grids is one of the key success factors for achieving
ambitious Smart Grid goals.
Go back to Content

9. Distribution automation and protection
The prerequisite for comprehensive automation and protection design is determining the
required levels of automation and functionality for distribution substations and RMUs.
This could differ among the RMUs in one distribution grid or in the same feeder because
of different primary equipment or communication availability. However, with or
without limited communication access, a certain level of automation and Smart Grid
functionality can still be realized, as can a mix of functions inone feeder automation system.
The following levels of distribution automation can serve as a roadmap for grid upgrades moving
toward the implementation of a Smart Grid:
Local Automation (without communication)
Sectionalizer (automated fault restoration by usingswitching sequences)
Voltage regulator (automated voltage regulation for long feeders)
Recloser controller (auto-reclose circuit breaker for overhead lines)
Monitoring only (one-way communication to distribution substation or control center)
Messaging box (for example, short-circuit indicators with one-way communication to distribution
substation to control center for fast fault location)
Control, monitoring, and automation (two-way communication to distribution substation
or control center)
Distribution Automation RTU (DA RTU) with powerful communication and automation
features applicable to Smart Grid functions, for instance:
o Automated self-healing routines
o Node station for power quality applications
o Data concentrator for smart metering systems
o Node station for decentralized power generation
o Node station for demand response applications
Protection, control, monitoring, and automation (two-way communication to
distribution substation or control center)
Recloser controller for overhead lines, plus auto reclose breaker with enhanced protection
functionality and advanced communication and automation features.
Go back to Content

10. Distributed Energy Resources (DER)

Different configurations for managing DER

The integration of distributed energy resources (DER) calls for a completely new concept: the
virtual power plant. A virtual power plant connects many small plants that participate in the
energy market in a completely new way.
It makes it possible to use sales channels that otherwise would not be available to the operators
of individual plants.
Linked together in the network, the power plants can be operated even more efficiently and therefore
more economically than before, benefiting the operators of decentralized generating facilities.
In the virtual power plant, decentralized energy management and communication with the
generating facilities play a special role, and thanks to the Siemens products Decentralized
Energy Management System (DEMS) and DER Controller, are optimally supported. The
centerpiece is DEMS, which enables the intelligent, economical and environmentally friendly
linkage of decentralized energy sources.
The DER Controller facilitates communications, and is specifically tailored to the requirements
of decentralized energy sources.
Go back to Content

11. Decentralized Energy Management System (DEMS)
DEMS, the core of the virtual power plant, is equally appropriate for utilities,
industrial operations, operators of functional buildings, energy self-sufficient communities,
regions and energy service providers.

Decentralized Energy Management System (DEMS) - Scheme

DEMS uses three tools to optimize power:
1. Predictions,
2. Operational planning and
3. Real-time optimization.
The prediction tool anticipates electrical and heat loads; for example, as a function of the weather
and the time of day. Predicting generation from renewable energy sources is also important, and
is based on weather forecasts and the unique characteristics of the plants.
Short-term planning to optimize operating costs of all installed equipment must comply with
technical and contractually specified background conditions every 15 minutes for a maximum of
one week in advance.
The calculated plan minimizes the costs of generation and operation, while DEMS also manages
cost efficiency and environmental considerations.
Go back to Content

12. Smart metering solutions

A B.C. Hydro smart meter, which uses short bursts of radio waves to communicate with the
electricity grid.

The Automated Metering and I nformation System (AMIS) records the power consumption of
each individual consumer over time, and in turn, consumers are given detailed information about
their power consumption.
Experts estimate that the use of smart meters can save up to ten terawatt-hours of electricity, or
almost two percent of total energy consumption.
Conclusion
There is no doubt that the future belongs to the Smart Grid, and that power
generation will change significantly by the time it becomes a reality.
Large power plants will continue to ensure the basic supply, but there will also be renewable
energy sources, causing fluctuations in the grid. In the not too distant future, flexible
intermediate storage of temporary excess power in the grid will be possibleusing electric vehicles
and stationary storage units.
Sensors and smart meters will switchthese units on or off, ensuring efficient load management.
Go back to Content
References: SIEMENS Power Engineering Guide

Smart Grid Concept and Characteristics

Figure 1 - Smart grid - evolutionary character of smart grids.

A smart grid is an electricity network that uses digital and other advanced technologies to
monitor and manage the transport of electricity from all generation sources to meet the varying
electricity demands of end-users. Smart grids co-ordinate the needs and capabilities of all
generators, grid operators, end-users and electricity market stakeholders to operate all parts of
the system as efficiently as possible, minimising costs and environmental impacts while
maximising system reliability, resilience and stability.
For the purposes of this roadmap, smart grids include electricity networks (transmission and
distribution systems) and interfaces with generation, storage and end-users.
While many regions have already begun to smarten their electricity system, all regions will
require significant additional investment and planning to achieve a smarter grid. Smart grids are
an evolving set of technologies that will be deployed at different rates in a variety of settings
around the world, depending on local commercial attractiveness, compatibility with existing
technologies, regulatory developments and investment frameworks.
Smart grid concepts can be applied to a range of commodity infrastructures, including water, gas,
electricity and hydrogen.
Rationale for smart grid technology
The worlds electricity systems face a number of challenges, including ageing infrastructure,
continued growth in demand, the integration of increasing numbers of variable renewable energy
sources and electric vehicles, the need to improve the security of supply and the need to lower
carbon emissions.
Smart grid technologies offer ways not just to meet these challenges but also to develop a cleaner
energy supply that is more energy efficient, more affordable and more sustainable.
These challenges must also be addressed with regard to each regions unique technical, financial
and commercial regulatory environment. Given the highly regulated nature of the electricity
system, proponents of smart grids must ensure that they engage with all stakeholders, including
equipment manufacturers, system operators, consumer advocates and consumers, to develop
tailored technical, financial and regulatory solutions that enable the potential of smart grids
(Figure 2).

Figure 2 - Smart grids can link electricity system stakeholder objectives
Smart Grid Characteristics
The main characteristics of smart grids are explained below:
Enables informed participation by customers
Consumers help balance supply and demand, and ensure reliability by modifying the way they
use and purchase electricity. These modifications come as a result of consumers having choices
that motivate different purchasing patterns and behaviour. These choices involve new
technologies, new information about their electricity use, and new forms of electricity pricing
and incentives.
Accommodates all generation and storage options
A smart grid accommodates not only large, centralised power plants, but also the growing array
of customer-sited distributed energy resources. Integration of these resources including
renewables, small-scale combined heat and power, and energy storage will increase rapidly all
along the value chain, from suppliers to marketers to customers.
Enables new products, services and market
Correctly designed and operated markets efficiently create an opportunity for consumers to
choose among competing services. Some of the independent grid variables that must be
explicitly managed are energy, capacity, location, time, rate of change and quality. Markets can
play a major role in the management of these variables. Regulators, owners/operators and
consumers need the flexibility to modify the rules of business to suit operating and market
conditions
Provides the power quality for the range of needs
Not all commercial enterprises, and certainly not all residential customers, need the same quality
of power. A smart grid supplies varying grades (and prices) of power. The cost of premium
power-quality features can be included in the electrical service contract. Advanced control
methods monitor essential components, enabling rapid diagnosis and solutions to events that
impact power quality, such as lightning, switching surges, line faults and harmonic sources.
Optimises asset utilisation and operating efficiency
A smart grid applies the latest technologies to optimise the use of its assets. For example,
optimised capacity can be attainable with dynamic ratings, which allow assets to be used at
greater loads by continuously sensing and rating their capacities. Maintenance efficiency can be
optimised with condition-based maintenance, which signals the need for equipment maintenance
at precisely the right time.
System-control devices can be adjusted to reduce losses and eliminate congestion. Operating
efficiency increases when selecting the least-cost energy-delivery system available through these
types of system-control devices.
Provides resiliency to disturbances, attacks and natural disasters
Resiliency refers to the ability of a system to react to unexpected events by isolating problematic
elements while the rest of the system is restored to normal operation. These self-healing actions
result in reduced interruption of service to consumers and help service providers better manage
the delivery infrastructure.
Reference: Technology roadmap Smart grids by International Energy Agency

Smart grid deployment, what weve done so
far

Figure 1 - Smart grid technology areas
Smart grid technologies
The many smart grid technology areas each consisting of sets of individual technologies span
the entire grid, from generation through transmission and distribution to various types of
electricity consumers. Some of the technologies are actively being deployed and are considered
mature in both their development and application, while others require further development and
demonstration.
KEY POINT Smart grids encompass a variety of technologies that span the electricity system.
A fully optimised electricity system will deploy all the technology areas in Figure 1 above.
However, not all technology areas need to be installed to increase the smartness of the grid.

Wide-area monitoring and control
Real-time monitoring and display of powersystem components and performance, across
interconnections and over large geographic areas, help system operators to understand and
optimise power system components, behaviour and performance. Advanced system operation
tools avoid blackouts and facilitate the integration ofvariable renewable energy resources.
Monitoring and control technologies along with advanced system analytics including wide-area
situational awareness (WASA), wide-area monitoring systems (WAMS), and wide-area adaptive
protection, control and automation (WAAPCA) generate data to inform decision making, mitigate
wide-area disturbances, and improve transmission capacity and reliability.

Information and communications technology integration
Underlying smart grid communications infrastructure, whether using private utility
communication networks (radio networks, meter mesh networks) or public carriers and networks
(I nternet, cellular, cable or telephone), support data transmission for deferred and real-time
operation, and during outages.
Along with communication devices, significant computing, system control software and
enterprise resource planning software support the two-way exchange of information
between stakeholders, and enable more efficient use and management of the grid.

Renewable and distributed generation integration
Integration of renewable and distributed energy resources encompassing large scale at the
transmission level, medium scale at the distribution level and small scale on commercial or
residential building can present chalenges for the dispatchability and controllability of
these resources and for operation of the electricity system.
Energy storage systems, both electrically and for themally based, can alleviate such problems by
decoupling the production and delivery of energy. Smart grids can help through automation of control
of generation and demand (in addition to other forms of demand response) to ensure balancing of
supply and demand.

Transmission enhancement applications
There are a number of technologies and applications for the transmission system.
Flexible AC transmission systems (FACTS) are used to enhance the controllability of
transmission networks and maximise power transfer capability. The deployment of this
technology on existing lines can improve efficiency and defer the need of additional investment.
High voltage DC (HVDC) technologies are used to connect offshore wind and solar farms to
large power areas, with decreased system losses and enhanced system controllability, allowing
efficient use of energy sources remote from load centres.
Dynamic line rating (DLR), which uses sensors to identify the current carrying capability of a
section of network in real time, can optimise utilisation of existing
transmission assets, without the risk of causing overloads.
High-temperature superconductors (HTS) can significantly reduce transmission losses and
enable economical fault-current limiting with higher performance, though there is a debate
over the market readiness of the technology.

Distribution grid management
Distribution and sub-station sensing and automation can reduce outage and repair time, maintain
voltage level and improve asset management. Advanced distribution automation processes real-
time information from sensors and meters for fault location, automatic reconfiguration of
feeders, voltage and reactive power optimisation, or to control distributed generation.
Sensor technologies can enable condition and performance-based maintenance of network
components, optimising equipment performance and hence effective utilisation of assets.

Advanced metering infrastructure
Advanced metering infrastructure (AMI ) involves the deployment of a number of technologies
in addition to advanced or smart meters that enable two-way flow of information, providing
customers and utilities with data on electricity price and consumption, including the time and
amount of electricity consumed.
AMI will provide a wide range of functionalities:
1. Remote consumer price signals, which can provide time-of-use pricing information.
2. Ability to collect, store and report customer energy consumption data for any required time
intervals or near real time.
3. Improved energy diagnostics from more detailed load profiles.
4. Ability to identify location and extent of outages remotely via a metering function that sends a
signal when the meter goes out and when power is restored.
5. Remote connection and disconnection.
6. Losses and theft detection.
7. Ability for a retail energy service provider to manage its revenues through more effective cash
collection and debt management.

Electric vehicle charging infrastructure
Electric vehicle charging infrastructure handles billing, scheduling and other intelligent
features for smart charging (grid-to-vehicle) during low energy demand. In the long run, it is
envisioned that large charging installation will provide power system ancillary services such as
capacity reserve, peak load shaving and vehicle-to-grid regulation.
This will include interaction with both AMI and customer-side systems.

Customer-side systems
Customer-side systems, which are used to help manage electricity consumption at the
industrial, service and residential levels, include energy management systems, energy storage
devices, smart appliances and distributed generation.
Energy efficiency gains and peak demand reduction can be accelerated with in-home
displays/energy dashboards, smart appliances and local storage.
Demand response includes both manual customer response and automated, price-
responsive appliances and thermostats that are connected to an energy management system or
controlled with a signal from the utility or system operator.

Summary
Technology
area
Hardware Systems and software
Wide-area
monitoring
and control
Phasor measurement units (PMU) and
other sensor equipment
Supervisory control and data
acquisition (SCADA), wide-area monitoring
systems (WAMS), wide-area adaptive
protection, control and automation
(WAAPCA), widearea situational awareness
(WASA)
Information
and
communication
technology
integration
Communication equipment (Power line
carrier, WIMAX, LTE, RF mesh network,
cellular), routers, relays, switches,
gateway, computers (servers)
Enterprise resource planning software (ERP),
customer information system (CIS)
Renewable and Power conditioning equipment for bulk Energy management system
distributed
generation
integration
power and grid support, communication
and control hardware
for generation and enabling
storage technology
(EMS), distribution management system
(DMS), SCADA, geographic
Information system (GIS)
Transmission
enhancement
Superconductors, FACTS, HVDC
Network stability analysis,
automatic recovery systems
Distribution grid
management
Automated re-closers, switches and
capacitors, remote
controlled distributed generation and
storage, transformer sensors, wire and
cable sensors
Geographic information system
(GIS), distribution management system
(DMS), outage management system
(OMS), workforce management system
(WMS)
Advanced
metering
infrastructure
Smart meter, in-home displays, servers,
relays
Meter data management system (MDMS)
Electric vehicle
charging
infrastructure
Charging infrastructure, batteries,
inverters
Energy billing, smart grid-to-vehicle charging
(G2V) and discharging vehicle-to-grid (V2G)
methodologies
Customer-side
systems
Smart appliances, routers, in-
home display, building automation
systems, thermal accumulators, smart
thermostat
Energy dashboards, energy
management systems, energy applications
for smart phones and tablets
Resource: Technology Roadmap Smart Grids (iea International Energy Agency)

Key Cyber Security Purposes for the Smart
Grid

In the Smart Grid, there are two key purposes for cyber security:

Power system reliability
Keep electricity flowing to customers, businesses, and industry. For decades, the power system
industry has been developing extensive and sophisticated systems and equipment to avoid or
shorten power system outages.
I n fact, power system operations have been termed the largest and most complex machine in
the world.
Although there are definitely new areas of cyber security concerns for power system reliability
as technology opens new opportunities and challenges, nonetheless, the existing energy
management systems and equipment, possibly enhanced and expanded, should remain as key
cyber security solutions.

Confidentiality and privacy of customers
As the Smart Grid reaches into homes and businesses, and as customers increasingly participate
in managing their energy, confidentiality and privacy of their information has increasingly
become a concern.
Unlike power system reliability, customer privacy is a new issue.

Critical issues for the security requirements of power system
Power system operations pose many security challenges that are different from most other
industries. For instance, most security measures were developed to counter hackers on the
Internet.
The Internet environment is vastly different from the power system operations environment.
Therefore, in the security industry there is typically a lack of understanding of the security
requirements and the potential impact of security measures on the communication requirements
of power system operations.
In particular, the security services and technologies have been developed primarily for industries
that do not have many of the strict performance and reliability requirements that are needed by
power system operations.
Security services for instance:
Operation of the power system must continue 247 with high availability (e.g. 99.99% for SCADA
and higher for protective relaying) regardless of any compromise in security or the
implementation of security measures which hinder normal or emergency power system
operations.
Power system operations must be able to continue during any security attack or compromise (as
much as possible).
Power system operations must recover quickly after a security attack or compromised
information system.
The complex and many-fold interfaces and interactions across this largest machine of the world
the power system makes security particularly difficult since it is not easy to separate the
automation and control systems into distinct security domains. And yet end-to-end security is
critical.
There is not a one-size-fits-all set of security practices for any particular system or for any
particular power system environment.
Testing of security measures cannot be allowed to impact power system operations.
Balance is needed between security measures and power system operational requirements.
Absolute security may be achievable, but is undesirable because of the loss of functionality that
would be necessary to achieve this near perfect state.
Balance is also needed between risk and the cost of implementing the security measures.
Advertisement
How can security requirements for smart grid interfaces be determined?
There is no single set of cyber security requirements and solutions that fits each of the Smart Grid
interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the
configurations, the actual applications, and th e varying requirements for security of all of the functions
in the system.
That said, typical security requirements can be developed for different types of interfaces
which can then be used as checklists or guidelines for actual implementations.
Typically, security requirements address the integrity, confidentiality, and availability of data.
However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and
environments precludes simple or one-size-fits-all security solutions. Therefore, additional
criteria must be used in determining the cyber security requirements before selecting the cyber
security measures.
These additional criteria must take into account the characteristics of the interface, including the
constraints and issu es posed by device and network technologies, the existence of legacy
systems, varying organizational structures, regulatory and legal policies, and cost criteria.
Once these interface characteristics are applied, then cyber security requirements can be applied
that are both specific enough to be applicable to the interfaces, while general enough to permit
the implementation of different cyber security solutions that meet the cyber security
requirements or embrace new security technologies as they are developed. This cyber security
information can then be used in subsequent steps to select c yber security controls for the Smart
Grid.
Reference: White Paper: Cyber Security Issues for the Smart Grid Frances Cleveland,
Xanthus Consulting International