
Data Reliability and Data Security Considerations for SCADA Systems

Dan Ehrenreich, Motorola Inc.

Presented at ENTELEC 2004, April 14-16, 2004, San Antonio, Texas (www.entelec.org)

Overview
Supervisory Control and Data Acquisition (SCADA) solutions provide a basis for
improved monitoring and management of oil and gas installations such as pipelines,
production sites, valve installations, compressor stations and other remote sites.
Customers have learned over the years that SCADA plays an important part in
upgrading their operating productivity, reducing maintenance costs, minimizing the
number of outages, helping to avoid difficult problems and leading to safer operation
of the entire infrastructure. To achieve these goals one must implement a solution
based on reliable communications and a suitable data protocol. Among the popular
communication media used in these systems are fiber-optic links, telephone and
leased lines, VHF/UHF conventional radio and 800 MHz trunked radio, analog and
digital wireless networks, UHF Multiple Address Systems (MAS), spread-spectrum
communication, microwave and satellite. In a complex system one may have to
combine several media types, carefully selected for each segment of the SCADA
network.

When designing the wireless communications between field-installed Remote Terminal
Units (RTU) and the Master Control Center (MCC) computer, the system integrator
must pay close attention to the issues that are specific to the selected media.
This paper focuses on three aspects of SCADA communication technology: a
network-capable protocol, data reliability and network-wide data communication
security, all of which are important subjects for the SCADA industry.

Seven-Layer Protocol

Since no one can be an expert in all aspects of SCADA solutions, it may be difficult
for a non-communications engineer to select the right communication architecture
and to distinguish between the available data protocols. These decisions must take
into consideration the actual application as well as the system characteristics.
Occasionally one must select one data protocol for wireless communication and
another for connection to intelligent sensors, low-hierarchy Programmable Logic
Controllers (PLC), etc. Figure 1 below briefly outlines the key features of the
seven-layer Open Systems Interconnection (OSI) protocol concept of the International
Organization for Standardization (ISO). The key advantages of this method are that
each layer has its own dedicated function and that changes in a specific layer have
no effect on functions specified in another layer.

• The lowest level is the Physical Layer, which handles the physical/electrical
network interface definitions and the channel access mechanism. This layer is
configured according to the utilized media (radio, fiber-optic lines, satellite,
etc.). In the architecture described here it also takes part in error handling,
using the Cyclic Redundancy Check (CRC) code packed with each data frame; note
that in the strict ISO/OSI model the CRC and the channel access mechanism belong
to the Data Link Layer.

• The layer above the Physical Layer is the Data Link Layer, whose role is to
establish and confirm the integrity of the transmitted frames between two entities
(or sites).

• The Network Layer provides truly important benefits to the system operation, as
it allows seamless routing of the data frames across the network, directly from
point to point as well as via multiple communication nodes.

• The Transport Layer handles fragmentation of messages into frames and their
reassembly, and provides means for connection management. It is also used to
return an end-to-end confirmation to the source site that an error-free message
was received at the destination site. In addition, this layer may host data
security functions.

• The Session Layer enables multiple simultaneous sessions/dialogues between two
entities in the network. In practice this feature helps to boost the overall data
communication efficiency and to achieve better results within a given bandwidth.

• The Presentation Layer sits just below the top of the protocol stack. Here the
data is packed or unpacked, ready for use by the running application. Functions
such as protocol conversion, encryption/decryption and graphics expansion may
take place here.

• The top-level Application Layer implements the "real thing" related to RTU
operation: file transfer, data access and management, diagnostics, programming
and configuration, document and message interchange, job transfer, etc.

Figure 1. Description of the ISO/OSI Protocol Stack (from the end-user application
process at the top down to the data communication network at the bottom):

• Application Layer: includes all transactions related to SCADA system operation
• Presentation Layer: provides means for protocol conversion, encryption/decryption
• Session Layer: provides means for multiple entities to exchange data simultaneously
• Transport Layer: handles data fragmenting and confirms end-to-end data integrity
• Network Layer: provides redundancy and routing of messages via network links
• Link Layer: provides means to establish, maintain and terminate connections
• Physical Layer: defines the physical and electrical interface to the network

Networked Communications
Operation of wide-area SCADA systems often requires the use of both a wireless and
a physical-link communication network. Here the Network Layer allows each RTU to
act as a digital Store and Forward (S&F) repeater (linking sites over the same
wireless channel) as well as a routing node for the data (linking remote sites that
use different media).

Some RTUs installed at the larger SCADA sites may communicate via an Ethernet
connection, a fiber-optic link or other high-quality wireless media, enabling
high-speed Internet Protocol (IP) connectivity over a Serial Line Internet Protocol
(SLIP) connection or the Point-to-Point Protocol (PPP). As shown in Figure 2 below,
some of the RTUs are configured to serve as data communication nodes, routing the
monitored data and commands to and from other RTUs that have neither a physical
link nor a direct wireless link to the MCC.

Most three-layer protocols, including IEC 60870-5-101 and DNP 3.0, have no Network
Layer, so their RTUs cannot be used as communication nodes (DNP 3.0 does include a
pseudo-transport function for fragmenting messages, but no network-layer routing).
With the seven-layer protocol, each RTU examines every received frame to decide
whether it was addressed to its own site or is to be forwarded to another RTU or
to the Front End Processor (FEP).

RTUs acting as an S&F repeater or as a communication node forward each received
frame to its final destination (or to the next intermediate node). Such a
transmission may also carry frames that belong to different, unrelated simultaneous
sessions. Once the data transaction among the sites is complete and a full message
reaches its final destination (an RTU site), the destination RTU sends an
"end-to-end" acknowledgement to the source RTU (or FEP, or vice versa) via the
Transport Layer, confirming the message integrity.

Occasionally, if part of the network or a specific RTU (serving as a communication
node) fails and cannot communicate with the designated site, the transmission is
not confirmed at the Transport Layer level. Before cancelling that message, the
Network Layer may reroute the related frames via a backup link, as illustrated in
Figure 2 below. Having such an option embedded in the communication process
provides an even higher level of data reliability, as messages may reach their
destination in spite of a temporary or permanent malfunction of a link.

Figure 2. Network Communications in a SCADA System (diagram: a Primary MCC and a
Secondary MCC, with printer, on a local Ethernet behind an IP main gateway; RTU &
Data Comm. Nodes reached from the MCC over line-based IP and wireline
communications on prime and backup links; a remote-Ethernet RTU & Data Comm. Node
connected through a terminal server (SLIP); an RTU & Data Comm. S&F node served
over prime and backup wireless links; local and remote ToolBox access to the nodes).
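The routing behaviour described above, as an added example that is not code from the paper or from Motorola: a small store-and-forward network in which each RTU can act as a communication node. The site names, the prime/backup topology and the message layout are hypothetical. It shows the Network Layer choosing a route over prime links and falling back to a backup link when a node on the prime route fails, and the Transport Layer returning an end-to-end acknowledgement only when every frame of the message reached the destination.

```python
"""Store-and-forward routing with backup-link fallback in a SCADA network.

Added example, not code from the paper or from Motorola: the site names,
link names and message layout are hypothetical.
"""
from collections import deque


class ScadaNetwork:
    """Sites (FEP, comm. nodes, RTUs) joined by bidirectional links."""

    def __init__(self):
        self.adj = {}     # site -> set of neighbouring sites
        self.links = {}   # (site, site) -> {"up": bool, "backup": bool}

    def add_link(self, a, b, backup=False):
        for x, y in ((a, b), (b, a)):
            self.adj.setdefault(x, set()).add(y)
            self.links[(x, y)] = {"up": True, "backup": backup}

    def set_site(self, site, up):
        """Simulate failure or recovery of a whole comm. node (all its links)."""
        for n in self.adj.get(site, ()):
            self.links[(site, n)]["up"] = up
            self.links[(n, site)]["up"] = up

    def _usable(self, a, b, allow_backup):
        link = self.links[(a, b)]
        return link["up"] and (allow_backup or not link["backup"])

    def route(self, src, dst, allow_backup=False):
        """Network Layer: fewest-hop path over usable links, or None."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            n = queue.popleft()
            if n == dst:
                break
            for m in sorted(self.adj.get(n, ())):
                if m not in prev and self._usable(n, m, allow_backup):
                    prev[m] = n
                    queue.append(m)
        if dst not in prev:
            return None
        path, n = [], dst
        while n is not None:
            path.append(n)
            n = prev[n]
        return path[::-1]

    def forward(self, path):
        """Store-and-forward hop by hop; a down link on the way loses the frame."""
        return all(self.links[(a, b)]["up"] for a, b in zip(path, path[1:]))

    def send_message(self, src, dst, message, frame_size=8):
        """Fragment, route (prime links first, then backup), collect the end-to-end ack."""
        frames = [message[i:i + frame_size] for i in range(0, len(message), frame_size)]
        for allow_backup in (False, True):
            path = self.route(src, dst, allow_backup)
            if path is None:
                continue
            received = [f for f in frames if self.forward(path)]
            if len(received) == len(frames):
                # Transport Layer: the destination confirms the complete
                # message to the source over the reverse path.
                acked = self.route(dst, src, allow_backup) is not None
                return {"path": path, "acked": acked, "data": b"".join(received)}
        return {"path": None, "acked": False, "data": b""}


def build_demo_network():
    """Hypothetical topology: FEP -> N1 -> N2 -> RTU7 over prime links,
    plus a backup link N1 -> RTU7 (for example a dial-up or second radio channel)."""
    net = ScadaNetwork()
    net.add_link("FEP", "N1")
    net.add_link("N1", "N2")
    net.add_link("N2", "RTU7")
    net.add_link("N1", "RTU7", backup=True)
    return net


if __name__ == "__main__":
    net = build_demo_network()
    print(net.send_message("FEP", "RTU7", b"OPEN VALVE 12"))   # via N1 and N2
    net.set_site("N2", False)                                  # comm. node fails
    print(net.send_message("FEP", "RTU7", b"OPEN VALVE 12"))   # rerouted via backup
```

With every link up the command travels FEP, N1, N2, RTU7; after N2 fails the prime-only search finds no route and the same message is delivered over the backup link N1 to RTU7, still with an end-to-end acknowledgement. Only when no route exists at all (N1 down as well) is the message cancelled.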

Data Reliability Considerations

Use of efficient error handling is especially important for wireless SCADA systems
that operate in "Report-by-Event" rather than "Polling" mode, since here more than
one RTU may detect the same problem at the same time. Should this occur, several
RTUs may send an unsolicited message to the FEP at once, and some of these frames
might "collide" over the network and get damaged.

The selected SCADA protocol must include a reliable error handling mechanism,
specifically optimized for the type of communications media used by the customer.
When dealing with wireless networks the following error handling mechanisms are
typically implemented:

a) Forward Error Correction (FEC) is widely used for non-critical mobile
wireless communications. Here the error correction code is packed along with the
data and adds a considerable overhead to the message. Upon receiving the message,
the device at the destination is able to detect as well as correct errors.

This principle works well subject to two conditions: a) the initial Bit Error Rate
(BER) is low, so that the number of errors per block stays within the correcting
capacity of the code, and b) a failure to correct the bit string must not lead to
a critical/dangerous event. A further problem arises when a burst of errors exceeds
that capacity: the decoder may then "correct" the block into a valid-looking but
wrong value instead of rejecting it, and the application never learns that the
data is bad. Consequently, one may consider using this method for wireless fax,
paging, voice and image communication, but not for SCADA communications.

b) Error handling by a Frame Retry Mechanism is a more reliable process than the
FEC method. Here all frames sent from one RTU (or data node) to another RTU (or
data node), or from an RTU to the FEP, or vice versa, are checked for errors at
the Link Layer level. The receiver can return a single confirmation message that
covers all healthy frames, regardless of whether they belong to the same message
or to different simultaneous sessions transmitted among the related nodes or
sites. Upon receipt of such a "partial confirmation", the sending site resends
only the faulty frames, and the receiving site again tests the integrity of the
resent frames and confirms receipt of the healthy ones.
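The frame retry mechanism just described, as an added example that is not code from the paper or from Motorola. The frame layout, the CRC-16/CCITT polynomial and the bitmap form of the partial confirmation are assumptions; the paper does not specify them. A message is fragmented into numbered frames that each carry a CRC, the receiver tests every frame and answers with one bitmap naming the healthy frames, and the sender resends only the frames that were not confirmed until the whole message has arrived.

```python
"""Link Layer frame retry with a single partial-confirmation bitmap.

Added example, not code from the paper: frame layout, CRC polynomial and
bitmap acknowledgement are assumptions chosen to show the mechanism.
"""
import struct


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frames(message, frame_size=4):
    """Fragment into frames laid out as [seq:1][total:1][payload][crc:2]."""
    chunks = [message[i:i + frame_size] for i in range(0, len(message), frame_size)]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = struct.pack("BB", seq, len(chunks)) + chunk
        frames.append(body + struct.pack(">H", crc16_ccitt(body)))
    return frames


def check_frame(frame):
    """Return (seq, total, payload) when the CRC matches, else None."""
    if len(frame) < 4:
        return None
    body, crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc16_ccitt(body) != crc:
        return None
    seq, total = struct.unpack("BB", body[:2])
    return seq, total, body[2:]


def flip_bit(frame, bit):
    """Corrupt one bit of a frame (models a collision or a noise burst)."""
    i, shift = divmod(bit, 8)
    return frame[:i] + bytes([frame[i] ^ (1 << shift)]) + frame[i + 1:]


class Receiver:
    """Link Layer receiver keeping the healthy frames of one message."""

    def __init__(self):
        self.good = {}
        self.total = None

    def accept(self, frames):
        """Test each frame; return the partial confirmation: a bitmap with
        bit N set for every healthy frame N received so far."""
        for frame in frames:
            parsed = check_frame(frame)
            if parsed is None:
                continue          # damaged frame: simply left unconfirmed
            seq, total, payload = parsed
            self.total = total
            self.good[seq] = payload
        bitmap = 0
        for seq in self.good:
            bitmap |= 1 << seq
        return bitmap

    def message(self):
        """The reassembled message once every frame has been received."""
        if self.total is None or len(self.good) != self.total:
            return None
        return b"".join(self.good[i] for i in range(self.total))


def transfer(message, damage=lambda rnd, seq, frame: frame, max_rounds=8):
    """Send a message over a channel; damage(round, seq, frame) may corrupt
    frames.  Returns (message_as_received, rounds_used, frames_sent)."""
    frames = build_frames(message)
    receiver = Receiver()
    pending = set(range(len(frames)))
    sent = 0
    for rnd in range(1, max_rounds + 1):
        batch = [damage(rnd, seq, frames[seq]) for seq in sorted(pending)]
        sent += len(batch)
        bitmap = receiver.accept(batch)
        # Resend only the frames the bitmap did not confirm.
        pending = {seq for seq in pending if not (bitmap >> seq) & 1}
        if not pending:
            return receiver.message(), rnd, sent
    return None, max_rounds, sent


def noisy_first_round(rnd, seq, frame):
    """Constructed channel: frames 1 and 3 collide on the first attempt only."""
    return flip_bit(frame, 20) if rnd == 1 and seq in (1, 3) else frame


if __name__ == "__main__":
    print(transfer(b"PRESSURE=42.0 PSI"))                     # clean channel
    print(transfer(b"PRESSURE=42.0 PSI", noisy_first_round))  # two frames retried
```

On the constructed noisy channel the 17-byte message becomes five frames; the first batch confirms frames 0, 2 and 4 with the bitmap 0b10101, so the second round carries only frames 1 and 3, and the message is complete after seven frame transmissions instead of ten. A damaged frame is never confirmed, since a corrupted sequence number fails the CRC just as corrupted payload does.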

Data Security Considerations

Today, more than ever before, utilities and operators are concerned about the secure
operation of their systems, and data communications therefore plays an important
role in modern SCADA systems. As mentioned above, the data networking and data
reliability features of the selected protocol are extremely important for making
the system work properly. However, one must not downplay the importance of
communication security, as SCADA is considered part of the critical infrastructure.

This is especially true for oil and gas SCADA systems and pipelines, as control of
these systems requires wireless communication over a wide geographical area. Two
major concerns must be considered: unauthorized monitoring (eavesdropping) of the
SCADA system operation, and intrusion into the SCADA system. These risks can be
reduced using three possible security protection measures, as follows:

a) Password Protection is the most basic security protection level, and it helps
to avoid unintended cross-communication via RTUs between two unrelated SCADA
systems. Here each message carries a Password Code, which rules out such
communication even if the involved RTUs use the same channel and, for whatever
reason, the same system address. Note that this code is a static value repeated in
every frame and, unless the frame is also encrypted (measure b below), it travels in
the clear; it separates systems from one another but gives no protection against
an adversary who listens on the channel and reuses the code.

Note: When dealing with data security at the MCC level there are usually three
password levels: operator level, administrator level and programmer level. This is
a completely different issue, not covered in this paper.

b) Data Encryption is the next level of SCADA system protection, and its purpose
is to minimize the possibility that someone may "listen" to the communication
channel and monitor the system operation (i.e. the transmitted data and commands).
SCADA systems of this kind typically use the Tiny Encryption Algorithm (TEA), a
block cipher that encrypts 64-bit blocks under a 128-bit key made of four 32-bit
words; a key of only 8 or 16 bits, by contrast, could be found by trying every
value and would provide no protection. Here the encryption is applied to the
"frame", which is the smallest unit of the data protocol. The seven-layer protocol
concept is especially suitable for implementing encryption, and the process can be
implemented either in the Transport or in the Presentation layer of the seven-layer
data protocol (see Fig. 1 above).

Correct receipt and processing of the received message requires use of the
particular "key" stored in the RTU, which in a highly critical system is
periodically replaced. Two caveats apply. Encryption by itself provides
confidentiality only: an intercepted frame can still be replayed, and a modified
ciphertext decrypts without any error being raised, so encryption does not replace
the authentication discussed next. And TEA has documented weaknesses (each key has
three equivalent keys, so the effective key length is 126 bits, and related-key
attacks are known), so a design made today would use AES in an authenticated mode
instead.
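TEA applied to a frame, as an added example that is not code from the paper or from Motorola. The frame content, key and IV are constructed for the demonstration, and the CBC chaining and padding used to cover a whole frame are the editor's choice (the paper only says that encryption is applied per frame). TEA is written out as published by Wheeler and Needham: 64-bit blocks, a 128-bit key as four 32-bit words, 32 rounds. equivalent_key() shows the equivalent-key property mentioned above: flipping the top bit of the first two key words gives a different key that encrypts identically.

```python
"""TEA block encryption of a SCADA frame, and one of TEA's known weaknesses.

Added example, not code from the paper or from Motorola: frame, key and IV
are constructed; CBC chaining and padding are the editor's assumptions.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(block, key, rounds=32):
    """Encrypt one 8-byte block under a 16-byte key (big-endian words)."""
    v0, v1 = struct.unpack(">II", block)
    k0, k1, k2, k3 = struct.unpack(">IIII", key)
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">II", v0, v1)


def tea_decrypt_block(block, key, rounds=32):
    """Inverse of tea_encrypt_block: run the rounds backwards."""
    v0, v1 = struct.unpack(">II", block)
    k0, k1, k2, k3 = struct.unpack(">IIII", key)
    total = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return struct.pack(">II", v0, v1)


def equivalent_key(key):
    """Flip bit 31 of k0 and of k1.  Each flip changes bit 31 of one of the
    two terms that are XORed together in every round, so the flips cancel
    and the new key behaves exactly like the old one."""
    k = list(struct.unpack(">IIII", key))
    k[0] ^= 0x80000000
    k[1] ^= 0x80000000
    return struct.pack(">IIII", *k)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(frame, key, iv):
    """Pad the frame to a multiple of 8 bytes and encrypt it in CBC mode."""
    pad = 8 - len(frame) % 8
    data = frame + bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(data), 8):
        prev = tea_encrypt_block(_xor(data[i:i + 8], prev), key)
        out += prev
    return out


def decrypt_frame(ciphertext, key, iv):
    """Inverse of encrypt_frame.  Nothing here detects a flipped ciphertext
    bit or a replayed frame: both decrypt without error, which is why
    encryption alone gives confidentiality but not authenticity."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), 8):
        block = ciphertext[i:i + 8]
        out += _xor(tea_decrypt_block(block, key), prev)
        prev = block
    return out[:-out[-1]]


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed demo key
    iv = bytes.fromhex("0011223344556677")        # constructed demo IV
    frame = b"RTU07 PRESSURE 42.0"
    enc = encrypt_frame(frame, key, iv)
    print(enc.hex(), decrypt_frame(enc, key, iv))
    print(encrypt_frame(frame, equivalent_key(key), iv) == enc)   # True
```

The last line prints True: the RTU would accept traffic encrypted under either key, which is the reason TEA's key space is smaller than its 128 bits suggest. Whatever cipher is used, the frame still needs the time stamp and authentication described next before a command can be trusted.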

c) Authentication is a higher security measure implemented for SCADA system
protection. The purpose of this method is to limit the validity of a transmitted
message to a few seconds from its first transmission. Implementing such data
authentication requires that the utilized data protocol supports the transmission
of time-stamped messages as well as network-wide synchronization of the clocks
embedded in the field RTUs. For the time stamp to be worth anything it must be
bound to the message content under a secret shared with the RTU (a keyed message
authentication code); a bare stamp could simply be refreshed by an intruder who
re-sends a captured command. The receiver should also remember the last accepted
stamp per source, since a replay that arrives inside the validity window would
otherwise be accepted.

Furthermore, it is noted here that authentication of the "Data" is performed at
the Link Layer level, while authentication of the "Time Stamp" synchronization is
performed at the Physical Layer level.

Note: The widely used data protocols DNP 3.0 and IEC 60870-5-101 do not support
authentication (true when this paper was written; a Secure Authentication option
for DNP3 was later standardized in IEEE Std 1815-2012). The MODBUS protocol is
even weaker in this respect, as it does not support transmission of time-stamped
messages.

Figure 3 below outlines a secured SCADA system, including both network elements
and RTUs, linked to the unauthenticated as well as the authenticated (red frame)
part of the network. As shown, the Synchronizing Server (SS) RTU provides a precise
time reference to the RTUs marked as Synchronized Clients (SC). Some RTUs in the
system perform both SS and SC functions, as they provide the interface to the
unsecured part of the network.

Transmission of authenticated messages via the network makes it practically
impossible for anyone to intrude into the SCADA system and cause a problem by
retransmitting a message that was earlier illegally captured and recorded.

Encryption and Authentication are completely different and unrelated processes,
each aimed at increasing the security of a SCADA system. Depending on preference,
both methods can be combined in the same SCADA system. They can operate
simultaneously without interfering with each other, thus further raising the
SCADA system security level.

Figure 3. Authenticated Data System (diagram: a SCADA Central on an IP network,
connected through an IP gateway; an authenticated sub-network of RTUs marked SC
(Synchronized Client), SS (Synchronizing Server) and SC/SS (Client/Server), joined
by authenticated RS-485, RS-232 and radio (RF) links; unauthenticated IP and dial-up
PSTN links connect the sub-network to the rest of the system).
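The time-limited message validity and replay rejection described in c) above, as an added example that is not code from the paper or from Motorola. Every message carries a time stamp taken from the network-synchronized clock, and the receiving RTU accepts it only within a window of a few seconds. The keyed message authentication code (HMAC-SHA256 over the whole message, stamp included) and the per-source record of the last accepted stamp are the editor's additions; the paper does not say how the stamp is protected. The frame layout, key, addresses and clock values are constructed for the demonstration.

```python
"""Time-limited, authenticated SCADA messages with replay rejection.

Added example, not code from the paper or from Motorola: frame layout,
key, addresses and clock values are constructed; the HMAC binding of the
time stamp to the message is the editor's addition.
"""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 5        # validity of a message after its first transmission
TAG_LEN = 32              # HMAC-SHA256
HEADER = ">HHIB"          # [src:2][seq:2][timestamp:4][command length:1]
HEADER_LEN = struct.calcsize(HEADER)


def build_message(key, src_addr, seq, timestamp, command):
    """Sender side: header + command, sealed with an HMAC under the shared key."""
    body = struct.pack(HEADER, src_addr, seq, timestamp, len(command)) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Receiver side (e.g. an RTU): MAC check, clock-window check, replay check."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.last_accepted = {}   # src_addr -> (timestamp, seq) last accepted

    def verify(self, message, now):
        """Return (accepted, reason, command); now is the RTU's synchronized clock."""
        if len(message) < HEADER_LEN + TAG_LEN:
            return False, "truncated", None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC", None          # forged, re-stamped or modified
        src, seq, ts, n = struct.unpack(HEADER, body[:HEADER_LEN])
        command = body[HEADER_LEN:]
        if len(command) != n:
            return False, "bad length", None
        if abs(now - ts) > self.window:
            return False, "stale timestamp", None  # too old, or clocks out of sync
        last = self.last_accepted.get(src)
        if last is not None and (ts, seq) <= last:
            return False, "replay", None           # already seen, still inside window
        self.last_accepted[src] = (ts, seq)
        return True, "ok", command


if __name__ == "__main__":
    key = b"constructed demo key, not a real one"
    rtu = Verifier(key)
    msg = build_message(key, 7, 1, 1_000_000, b"OPEN VALVE 12")
    print(rtu.verify(msg, 1_000_002))   # fresh: accepted
    print(rtu.verify(msg, 1_000_003))   # captured and re-sent 1 s later: replay
    print(rtu.verify(msg, 1_000_090))   # re-sent later still: stale timestamp
```

The order of checks matters: the MAC is verified before anything in the header is trusted, so an intruder cannot advance the time stamp of a recorded command, and the per-source (timestamp, seq) record closes the gap that the validity window alone leaves open. The stale-timestamp branch is also what a genuine message hits when the RTU's clock has drifted beyond the window, which is why the network-wide time synchronization is a precondition for this scheme.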

Summary and Conclusions

Communications reliability and data networking play a major role in SCADA systems
that use wireless communication. The advanced features achieved by using an
ISO/OSI-compatible seven-layer protocol produce enhanced data reliability,
networked communications and data security. These subjects were specifically
highlighted in this paper since SCADA engineers who lack the necessary expertise
in data communications might overlook the importance of selecting the optimal
communications media and data protocol.

Experience shows that an error handling method based on a Frame Retry Mechanism
minimizes the probability of a faulty message passing through the SCADA network
and reaching its destination without being detected and properly handled.
Furthermore, each of the layers validates the data integrity, hence providing
enhanced system operation reliability.

Another major advantage of this concept is that occasional modifications in the
communication network structure will neither affect the application program nor
put the functioning of the SCADA application at risk. Furthermore, this method
allows convenient implementation of additional functions such as system
diagnostics, remote calibration, smart RTU decisions based on data imported from
other RTUs, update of programs via the network, download and upload of new
operating parameters, etc.

While some three-layer protocols such as DNP 3.0 or IEC 60870-5-101 may achieve
similar SCADA system processes through application-layer programming, in
seven-layer ISO/OSI protocols these functions are "built in" within the Link,
Network and Transport Layers. In addition, the variable-length frame of the
seven-layer protocol can carry the password code, time stamp and encrypted payload
described above, whereas the fixed-format MODBUS frame, as noted, has no provision
for time-stamped messages; in this sense the seven-layer protocol provides a more
secure basis than MODBUS. Consequently, the integration of advanced seven-layer
communication protocols optimized for wireless communications generates major
operating and cost benefits for the customer and more than justifies the
additional investment.

Note: Transmission of encrypted data messages (even in private data systems) is in
some countries subject to government regulation, and operators must obtain
permission prior to investing in the implementation of such a system.


About the Author
Dan Ehrenreich is the Marketing Manager for SCADA Business Development at
Motorola. His tasks include development of MOSCAD-based solutions for electricity
and oil and gas automation systems, establishment of alliances with business
partners, market studies, and development of new applications. Dan has a
Bachelor's degree in Electronics Engineering from Ben-Gurion University in Israel,
and for the last 20 years he has been involved in marketing and customer support
for SCADA and data communications. He has been with Motorola since 1991, and he
also provides sales support for Motorola SCADA solutions to customers in Central
and Latin America. Dan can be contacted via email: B10002@motorola.com
