SCADA Security. Xun Yi.

Author: Xun Yi
Publisher: John Wiley & Sons Limited
Genre: Industry publications
isbn: 9781119606352
complexity and the other is based on zero‐knowledge proof and has fewer communication rounds. Both protocols are particularly efficient for the client, who only needs to send a request and receive a response. Additionally, this chapter provides rigorous proofs of security for the protocols in the standard model.

      Finally, Chapter 8 concludes with a summary of the various tools and methods described in this book to the extant body of research and suggests possible directions for future research.

      Note

      1 http://osvdb.org/

      This chapter provides readers with the background needed to understand the various elements of this book. This includes an introduction to SCADA systems, their architectures, and their main components. In addition, a description of the relationship between the main components and the three generations of SCADA systems is given. The classification of a SCADA‐based Intrusion Detection System (IDS) based on its architecture and implementation is also described.

      SCADA (Supervisory Control And Data Acquisition) is an important computer‐controlled industrial system that continuously monitors and controls many different sections of industrial infrastructures such as oil refineries, water treatment and distribution systems, and electric power generation plants, to name a few. A SCADA system is responsible for supervising and monitoring industrial and infrastructure processes by gathering measurements and control data from the deployed field devices at the field level. The collected data are then sent to a central site for further processing and analysis. The information and status of the supervised and monitored processes can be displayed on a human–machine interface (HMI) at the home station in a logical and organized fashion. If an abnormal event occurs, the operators can analyse the gathered data and put in place the necessary controls. Because these industrial systems are large and distributed complexes, it is necessary to continuously and remotely monitor and control different sections of the plant in order to ensure its proper operation by a central master unit.

      

      2.1.1 Main Components

      SCADA provides the facility of continuously supervising and controlling the industrial plant or process equipment. The main components of a typical SCADA system include the Master Terminal Unit (MTU), Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), Communication Media, and Human–Machine Interface (HMI).

       MTU is the core of a SCADA system that gathers the information from the distributed RTUs and analyses this information for the control process. The plant performance is evaluated through histogram generation, standard deviation calculation, plotting one parameter with respect to another, and so on. Based on the performance analysis, an operator may decide to monitor any channel more frequently, change the limits, shut down the terminal units, and so on. The software can be designed according to the applications and the type of analysis required. The human operator sometimes cannot find the best operating policy for a plant that will minimise the operating costs. Because of this deficiency caused by the enormous complexity of a typical process plant, the master computer station with a high speed and the programmed intelligence of the digital computer are used to analyse the situation and find out the best policy. The MTU monitors, controls, and coordinates the activities of various RTUs and sends supervisory control commands to the process plant.

       Field devices (RTUs, PLCs, and IEDs) are computer‐based components that are deployed at a remote site to gather data from sensors and actuators. Each field device may be connected to one (or more) sensors and actuators that are directly connected to physical equipment such as pumps, valves, motors, etc. The main function of such devices is to convert the electrical signals coming from sensors and actuators into digital values in order to be sent to the MTU for further processing and analysis using a communication protocol (e.g. Modbus). On the other hand, they can convert a digital command message, which is received from the MTU, into an electrical signal in order to control actuators that are being supervised and controlled. Even though these field‐level devices, RTUs, PLCs, and IEDs, are intended to be deployed at a remote site, they have different functionalities. RTUs collect data from sensors and send it back to the MTU, and then the MTU takes a decision based on this data and sends a command to the actuators. In addition to the same function as RTUs, PLCs can collect data from sensors and, based on the collected data, can send commands to actuators. That is, PLCs can process the data locally and take the decision without contacting the MTU. IEDs are part of control systems such as transformers, circuit breakers, sensors, etc., and can be controlled via PLCs or RTUs.

       HMI provides an efficient human–machine interface through which the operator can monitor and control the end devices such as sensors and actuators. That is, the information of the current state of the supervised and controlled process can be graphically displayed to the user, and therefore s/he can be updated with alerts, warnings, and urgent messages. In addition, HMI allows the user to interact fully with the system.

       Historian is a database that is used to store all data gathered from the system, such as measurement and control data, events, alarms, operator's activities, etc. These data are used for historical, auditing, and analysis purposes.
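      The exchange described above between the MTU and a field device (poll, digitised reply, supervisory command), sketched over Modbus/TCP as an added example that is not code from the book. Unit id 17, the register addresses and the register values are constructed for illustration; `describe` shows what a passive monitor can read from each frame.

```python
import struct

READ_HOLDING, WRITE_SINGLE = 0x03, 0x06  # Modbus function codes

def frame(tid, unit, pdu):
    """Prefix a PDU with the 7-byte MBAP header (protocol id 0)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse(adu):
    """Split a Modbus/TCP frame into (tid, unit, function, data)."""
    if len(adu) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, adu[7], adu[8:]

def read_request(tid, unit, start, count):
    """MTU -> field device: poll `count` holding registers."""
    return frame(tid, unit, struct.pack(">BHH", READ_HOLDING, start, count))

def read_response(tid, unit, values):
    """Field device -> MTU: digitised sensor values, 16 bits each."""
    head = struct.pack(">BB", READ_HOLDING, 2 * len(values))
    return frame(tid, unit, head + struct.pack(f">{len(values)}H", *values))

def write_command(tid, unit, addr, value):
    """MTU -> field device: set one register that drives an actuator."""
    return frame(tid, unit, struct.pack(">BHH", WRITE_SINGLE, addr, value))

def decode_registers(adu):
    """Extract register values from a read response, rejecting bad frames."""
    _, _, fc, data = parse(adu)
    if fc & 0x80:
        raise ValueError("device returned an exception response")
    if fc != READ_HOLDING or not data or data[0] != len(data) - 1 or data[0] % 2:
        raise ValueError("malformed read response")
    return list(struct.unpack(f">{data[0] // 2}H", data[1:]))

def describe(adu):
    """Passive-monitor view: (unit id, 'read' | 'write' | 'other')."""
    _, unit, fc, _ = parse(adu)
    return unit, {READ_HOLDING: "read", WRITE_SINGLE: "write"}.get(fc & 0x7F, "other")

if __name__ == "__main__":
    # Constructed exchange: unit 17, registers 0-1, actuator register 4.
    poll = read_request(1, 17, 0, 2)
    reply = read_response(1, 17, [2315, 1])
    cmd = write_command(2, 17, 4, 0)
    print(describe(poll), decode_registers(reply), describe(cmd))
```
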

      2.1.2 Architecture

      A SCADA network provides the communication infrastructure for different field devices, such as PLCs and RTUs on a plant. These field devices are remotely monitored and controlled throughout the SCADA network. To make the network communication more efficient and secure, many modern computing technologies have evolved from a monolithic system to a distributed system and to a current networked system.

       Monolithic systems (First Generation)

       Distributed systems (Second Generation)