SCADA stands for "Supervisory Control And Data Acquisition". There are
many implementations. Can you on your own think of any reasons one might
want to do that?
Jerry
--
Engineering is the art of making what you want from things you can get.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Once you know what SCADA (Supervisory Control and Data Acquisition) is, the
answer becomes obvious. A Google search will give you many good
explanations. It is used by facilities such as water treatment plants, that
are spread out over a large area or multiple buildings, to collect data and
control system operation on a supervisory level. In other words, after
looking at input data, it sends signals to the various PLCs and other
devices to adjust their operating parameters. It would probably not be very
useful or cost effective for a small factory in a single room.
Ben Miller
--
Benjamin D. Miller, PE
B. MILLER ENGINEERING
www.bmillerengineering.com
A SCADA/PLC system consists of a PLC doing the actual plant control,
with the field instrumentation and actuators wired to it, and the
SCADA being the human interface for it.
A DCS has the plant control and human interfacing combined in one
system.
A SCADA/PLC system is "normally" significantly cheaper than a DCS and
for many applications as good if not better than a DCS.
For some applications, like an oil refinery, a DCS is better, and for
these types of applications it is worthwhile to pay more.
Pieter Steenekamp
One disadvantage is that TCP/IP based SCADA systems are (extremely)
vulnerable to cyberwarfare/cyberterrorism attacks which, in the worst
scenario case, could cause not only financial loss but also loss of
life, directly or indirectly.
Source: Wikipedia
Doesn't the vulnerability of any system depend on how access to it is
controlled? Cyberthugs are likely to have a difficult time infiltrating
a SCADA system that uses in-plant wiring. Not every Ethernet connects to
internet.
> Not every Ethernet connects to
> internet.
I run into the same kind of thinking with WiFi. WiFi into a separate
LAN unconnected from the Internet is pretty damn secure. This warped
thinking limits many implementations of technology that would increase
productivity.
WiFi is a bit less secure than wire. A member of a local Masonic chapter
asked me to recommend a wireless microphone to use for their meetings. I
asked if he would be happy with someone parked at the curb being able to
tune to it and he dropped the idea.
You need the encrypted version.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|
But a lot of them do, often indirectly (e.g. break in to something else
first, then hop through).
Use encryption and switch from TCP to SCTP and it could be a lot less
vulnerable, even over the open internet.
Without encryption, it wouldn't be secure at all.
The problem with these things is that you start out with an in-plant
Ethernet for control, and then somebody wants to put a Windows machine
on it so they can have a user interface for the factory floor workers.
Then people want to use the Windows machine for other purposes, or
the Windows machine insists on a connection to the Internet, and
somebody adds connection to the outside world. Then attacks on the
Windows machine open up a path into the internal control network.
John Nagle
Yes, it's a problem.. although you generally only need the connection long
enough to set the machine up the first time, training the operators _not_ to
play interactive Doom3 or similar on their operator stations can be a
problem.
One interesting "attack" I'd never thought of before: One of our customers'
sites had their entire Ethernet MES taken out by lightning - up the internet
connection, of course. Idiots.. ;-)
Cameron:-)
...
>> Doesn't the vulnerability of any system depend on how access to it is
>> controlled? Cyberthugs are likely to have a difficult time
>> infiltrating a SCADA system that uses in-plant wiring. Not every
>> Ethernet connects to internet.
>
> The problem with these things is that you start out with an in-plant
> Ethernet for control, and then somebody wants to put a Windows machine
> on it so they can have a user interface for the factory floor workers.
> Then people want to use the Windows machine for other purposes, or
> the Windows machine insists on a connection to the Internet, and
> somebody adds connection to the outside world. Then attacks on the
> Windows machine open up a path into the internal control network.
Doesn't "Just say no" work any more?
We use Wonderware at a county jail to talk to the door control PLCs. They
won't let me secure the cabinets that the HMI PCs reside in because they
have another PC in there that they encourage the user (Custody officer) to
hard reboot whenever they have issues. I already took the keyboards out so
they couldn't CTRL-ALT-DEL out of Wonderware, now I have to disable or
physically remove the CD-ROM drives, USB ports and any other connection to
the outside world to eliminate tampering. Great until I need in in a hurry
to fix something. Already had to rebuild two hard drives due to Officers
rebooting the wrong PC. Not good in an operation that is nearly always
reading and writing to the HD.
Oh well, that's what happens when bean counters don't understand security or
technology!
-Will
"Jerry Avins" <j...@ieee.org> wrote in message
news:_8OdnSCy3f1YX3HY...@rcn.net...
The solution to that is to have the automation LAN isolated and separate
from the corporate LAN. That's what one of our clients has, and it works
very well for them. Except for the ABB Advant Unix boxes, all of the
automation PC's run Windows and their specific app - Xterminals,
DeltaV, Wonderware or iFix. There are also several Windows PC's
on the corporate LAN in the control rooms, and everyone has an
account on the domain. These are used for email, online training,
record keeping, and the other usual stuff.
Mike
Badly designed or just old SCADA systems can be vulnerable to
cyberwarfare/cyberterrorism attacks, no matter if they
use TCP/IP or not. A modern well designed SCADA system
based on TCP/IP protocols can be safer than many older systems
because of the use of modern data encryption and authentication
tools.
There are many old systems nowadays in use that have quite poor
security on their communications. There are many systems in use
that use radio communications with a protocol that does not
use any encryption or reliable authentication. You just need
a suitable radio and modem to be able to control the devices
on the field (you need to get to know the used protocol and
device addresses). Not very secure.
--
Tomi Engdahl (http://www.iki.fi/then/)
Take a look at my electronics web links and documents at
http://www.epanorama.net/
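Added example, not part of the original post and not any vendor's protocol: what "encryption and authentication tools" buy a field device in practice. A receiver that checks a keyed tag and a message counter rejects commands from a sender who knows the addressing but not the key, and rejects recorded frames played back later. The frame layout, key and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout: unit (u16) | point (u16) | value (u16) | counter (u32) | tag
HEADER = struct.Struct(">HHHI")
TAG_LEN = 32  # full HMAC-SHA256 output

def build_frame(key: bytes, unit: int, point: int, value: int, counter: int) -> bytes:
    """Master side: serialize a command and append its authentication tag."""
    body = HEADER.pack(unit, point, value, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class FieldDevice:
    """Outstation side: act on a command only if it is authentic and fresh."""
    def __init__(self, key: bytes, unit: int):
        self.key, self.unit = key, unit
        self.last_counter = 0   # highest counter accepted so far
        self.points = {}        # point number -> last written value

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject: bad length"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: bad tag"
        unit, point, value, counter = HEADER.unpack(body)
        if unit != self.unit:
            return "reject: wrong unit"
        if counter <= self.last_counter:             # old or repeated frame
            return "reject: replay"
        self.last_counter = counter
        self.points[point] = value
        return "accept"

def demo() -> list:
    key = b"constructed-demo-key-not-for-use"
    dev = FieldDevice(key, unit=7)
    good = build_frame(key, 7, 12, 1, counter=1)
    forged = HEADER.pack(7, 12, 0, 2) + bytes(TAG_LEN)   # right addresses, no key
    altered = bytearray(build_frame(key, 7, 12, 1, counter=3))
    altered[5] ^= 1                                      # value changed in transit
    frames = [good, forged, bytes(altered), good]        # last one is a replay
    return [dev.receive(f) for f in frames]

if __name__ == "__main__":
    print(demo())
```

A protocol with neither check accepts all four frames, which is the situation the post describes for older radio links.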
For office IT networks, sure, but how many hackers would even know what an
Industrial Ethernet packet looked like, let alone how to manipulate it to
their own purposes? It would look like garbled rubbish to them even if
unencrypted and unauthenticated.
> There are many old systems nowadays in use that have quite poor
> security on their communications. There are many systems in use
> that use radio communications with a protocol that does not
> use any encryption or reliable authentication. You just need
> a suitable radio and modem to be able to control the devices
> on the field (you need to get to know the used protocol and
> device addresses). Not very secure.
Tomi, I think you've been watching too many movies..
I, for one, am not convinced that hacking into a radio network is as easy as
you say. You certainly need more than a radio and a modem. For starters,
you need to know:
1. The frequency band and specific frequencies in use and hope it doesn't
use spread-spectrum.
2. What brand/model of equipment is installed to know which protocols are
supported.
3. The configuration and addressing used on the network.
4. The configuration and routing for the field devices (I/O numbering, etc.)
Jamming it is easy - but then most radio-based systems would have some kind
of hard-wired fallback (eg. leased-line), so that won't do much except ring
alarm bells.
Even as the *designer* of many such systems, I'm not sure I could "hack in"
unless I had deliberately left a back door open somewhere and then later
remembered to document it someplace.
Cameron:-)
>I think it's possible to put a view client in the County
>Executive's office that can access the SCADA servers at any of the waste
>water treatment plants.
Well that was what the view software was advertised to do. I don't
think it is a bad thing in itself, you just have to look at failure
modes and build decent security. Who wants to take over a waste water
plant anyway?
Everyone seems to bring security issues up but how often have hackers
caused any problems in an industrial control situation? I am also not
saying to leave the door open either. I hear and suffer through a lot
of security installed because of trade secrets protection. I wonder
how much of this really goes on. Trade secrets tend to be inside jobs.
> Well that was what the view software was advertised to do. I don't
> think it is a bad thing in itself, you just have to look at failure
> modes and build decent security. Who wants to take over a waste water
> plant anyway?
See:
"Hacker jailed for revenge sewage attacks"
http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
An Australian man was today sent to prison for two years after he was found
guilty of hacking into the Maroochy Shire, Queensland computerised waste
management system and caused millions of litres of raw sewage to spill out into
local parks, rivers and even the grounds of a Hyatt Regency hotel.
"Marine life died, the creek water turned black and the stench was unbearable
for residents," said Janelle Bryant of the Australian Environmental Protection
Agency.
John Nagle
"John Nagle" <na...@animats.com> wrote in message
news:bVsHh.1643$uo3....@newssvr14.news.prodigy.net...
"Jerry Avins" <j...@ieee.org> wrote in message
news:_8OdnSCy3f1YX3HY...@rcn.net...
Could you recommend me a radio modem for drinking water SCADA, please? What
do you recommend, half-duplex or full-duplex?
Do you know the best one?
Thank you
>See:
>"Hacker jailed for revenge sewage attacks"
>
>http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
This was someone who was involved in installing the control system.
That is a lot different from someone doing this cold. I mentioned
somewhere that most security breaches had an inside man involved, as
was this. Even the most secure systems can be defeated by someone
working on the inside to create holes in the system.
Like a mail-sorting system used by the USPS. Went around teaching all the
regional offices how to start up/use the machine, it included a PC interface.
First thing one guy did was 'prove' how unreliable it was by hitting F2
during the boot up, go into the PC BIOS and screw it all up. He wanted to
make the point that 'the new system let me screw it up!'
daestrom
This is in the U.S. Your local rules, available products and mileage will
vary.
Mike
..which probably explains why virtually every BIOS now includes password
protection. A no-cost adder that allows COTS equipment in "hostile
user" (as opposed to "user hostile") environments.
--Gene
SCADA systems allow one to monitor and control equipment from a remote
location. That's the advantage. The disadvantage is that they cost money
to install and maintain, add additional system failure modes and can be
a security loophole.
--
Paul Hovnanian mailto:Pa...@Hovnanian.com
------------------------------------------------------------------
The world is coming to an end ... SAVE YOUR BUFFERS!!!