SCADA reflects and reinvents

The cloud, IIoT, virtualization and other forces are reshaping supervisory control and data acquisition (SCADA) into new forms and functions, but can they do it securely?

By Jim Montague

2 of 2 1 | 2 > View on one page

Affordability aids adoption

Another of the unglamorous—but still crucial—advantages that cloud and virtualized computing add to SCADA systems is the fact that they can quickly help reduce operating costs after a relatively small investment at the beginning.

For example, to help smaller and rural water/wastewater utilities perform data acquisition, alarming, reporting and other SCADA functions on a budget, system integrator Perceptive Controls in Plainwell, Mich., recently developed its Perceptive Polaris cellular, cloud-based SCADA system and software, which employs SNAP PAC controls from Opto 22, and avoids using costly servers and hardware.

One of the key development challenges Perceptive's engineers faced was how to reduce data sent between lift stations on the SCADA network. “We knew that using cellular modems meant one of the most important requirements of this project would be the ability to

transmit the smallest data packets possible, with as much data in each packet as possible,” says Kevin Finkler, software engineer at Perceptive Controls. “We had to stay under the data caps of the cellular provider we planned to use.”  

The system integrator first tried posting data from a controller to a cloud-based server, but testing showed this method was too slow, and couldn't send configuration changes back to controller. While considering alternate options for transferring data, Perceptive's developers investigated SNAP PAC's Representational state transfer (RESTful) application programming interface (API) capabilities, which include a built-in, secure HTTP/S server with an open, documented API that creates a RESTful architecture. RESTful and its technologies, like HTTP/S and JavaScript Object Notation (JSON) are intrinsic to IoT and essential for web, data and mobile-based application development.

“After switching to the new RESTful API method, we now have a cloud-based software application running on a dedicated server that uses SNAP PAC’s RESTful API to request data directly from the controller, explains Finkler. “Requests are made over a private cellular network to avoid cybersecurity concerns, and avoid opening ports in firewalls. We store data in float tables on the PAC (about 44 indexes per table), and the software can grab up to 100 tables of data per request without slowing down communication performance.”

Perceptive's cloud application then uses the RESTful API to write back how many tables were retrieved, so the controller can delete the old data, and move everything up in the table with new data again at the top. This ensures that all data is received into the cloud application. “It’s more efficient to make the cloud application process large amounts of data, instead of making the controller do the work in addition to its normal operations,” adds Finkler. “This method saved an average of 5.8 kb per data set transmitted, which ended up saving us about 250 MB per day, adding up to significant savings in cellular data charges.”

A&E's Tommey adds, "We see a lot of lower-cost SCADA solutions at shows, but when you get down to it, their initial cost is still high for users. However, when OT and IT converge in the cloud, they can reduce SCADA and other costs, and turn many capital expenses into operating costs. Plus, today's subscriber-based fee structures can reduce costs even more, especially at the front-end where these expenses can be hard for users to swallow."

Special Report: Trends, technology enabling decision support with HMI/SCADA

For instance, Tommey reports that a typical SCADA project with three servers, wired and wireless networking, field devices and software licensing can add up fast to an average of $100,000, while an equivalent, subscriber-based version on the cloud may only cost $10,000 upfront with additional subscription fees on a monthly or annual basis. "This is a lot more approachable for users in their local budgets," says Tommey.

Despite this tenfold cost reduction, Tommey adds that many potential users remain reluctant to do SCADA in the cloud due to security concerns, worries that Internet links will go down, and anxiety that their data won't always be available to them. "As connectivity gets more reliable, more users will make the switch," he says.

To help users handle the transition from traditional SCADA to the cloud, Tommey adds that A&E is now designing hybrid systems with local, secure, second-by-second data storage using traditional HMI and historian software (such as Ignition, Wonderware, WinCC, OSI Pi or FactoryTalk), and then sends only certain pieces of data to the cloud for analysis. The cloud now allows this data and the analytical results to be more readily available via tablet PCs and smart phones. "This enables some remote data access, distributed alerting, machine learning and prescriptive maintenance without putting everything in the cloud," Tommey adds.

Tom Buckley, IoT business development manager at Iconics, adds that, "We think the biggest value proposition of bringing SCADA together with virtualization and the cloud is that they can bring together OT and IT people and technologies, and really bridge the gap between those formerly separate silos. In addition, once data is published to a cloud service and analyzed, smart gateway devices can bring intelligence and better algorithms back from the cloud to the edge to help operations strengthen predictive maintenance, making it proactive instead of reactive, reducing downtime, and improving overall efficiency."

Buckley adds that intelligent devices can distribute instructions to the edge with assistance from solutions, such as Iconics' new IoTWorX software, which supports multiple operating systems such as Microsoft Windows 10 IoT Enterprise and Windows 10 IoT, as well as Linux embedded operating systems like Ubuntu and Raspbian. "Our software can go into third-party manufacturing IoT gateways, attach to that hardware portfolio, and take high-end, cloud-based software and bring it to the edge for secure analytics and visualization," he explains.

Ongoing interface evolution

Surprisingly, once SCADA and the cloud—and their users—get familiar with each other, they begin to generate subsequent new capabilities that weren't apparent at first.

"There's been a move away from panel-mount SCADA because there's not as much reason to have local HMIs, but even after the initial jump to tablet PCs and smart phones, they were still tied to proprietary software," says Will Aja, customer operations VP at Panacea Technologies Inc., a CSIA-member system integrator in Montgomeryville, Pa. "More recently, we're seeing greater use of thin clients using software like ACP ThinManager that performs processing in the cloud, and serves up screens to workstations and their users wherever needed, which is incredibly convenient and provides a lot of functions." ThinManager is a division of Rockwell Automation.

"Panacea provides a service to migrate users from hardware SCADA and HMIs to virtualized infrastructures, and we offer it on all new projects, which can include hybrid, onsite clouds and thin clients," explains Aja. "Having a virtual infrastructure like this means you're set an don't have to worry about hardware updates for years because it's so easy and cheap to replace the monitors. It's also more secure because users can set up who gets access via a Windows domain, and they can also do geo-fencing or location resolving, which only grants access based on a user's physical location. This makes is possible to design a very secure system that only allows access to its components when a user is next to them, but terminates their session if they walk away, which means remote access isn't allowed."    

Beyond saving with thin clients, Aja reports that virtualization also make it easier for SCADA systems to perform less-costly testing and performance checks. "Many applications and plants do tests and testbeds to check performance," he explains. "It's like putting together an orchestra for a concert: you have to make sure each group is doing what it needs to. However, this can be a lot easier with virtual tools and a virtual development environment. These let users do their code ahead of time, and have what they need to migrate their application. We recently did a pharmaceutical process plant project with 70 HMIs, 34 servers and 45,000 tags in a facility running 34,000 recipes per year, and these kinds of virtual preparations let us migrate its whole SCADA structure in about two hours."

Likewise, Aja adds that enhancing SCADA with virtualization can impact every part of a business. "IT has more control over who can access the system; operations can simplify training; accounting can get rid of inventory by standardizing on devices; and plant management that previously had to migrate SCADA equipment every three to five years can extend their lifecycles to 10-15 years," he says. "In the future, I think we're going to integrate even more with virtual tools for SCADA. We've already signed up to maybe be a Google Glass partner, which should let the operators walk around, see  highlighted OEE data for equipment in front of them, and maybe fix it more easily. Plus, all the disparate SCADA technologies, such as alarm annunciation, data delivery and others, are going to going to come onto a common, standardized platform."   

Michael McEnery, president of McEnery Automation, which is a CSIA-certified system integrator in St. Louis, adds that, "SCADA vendors are realizing that users have to get the costs of implementing projects down. This means system integrators are becoming a bigger part of the equation because, while software costs have remained about the same or decreased, hourly rates and labor costs continue to increase. As a result, SCADA suppliers are trying to provide functions that work right out of the box, such as preconfigured PID faceplates and graphic objects with coordinating libraries of PLC function blocks. These tools really reduce our implementation time. I think our time to deliver an average project is approximately 50% less over the last 10 years."

Security underpins everything

While the many benefits of cloud-enabled and IIoT-aided SCADA are terrific, all these added connections to higher-level networks and the Internet come with increased risk of probes, intrusions and attacks, which demand updated cybersecurity and constant vigilance by staff.

"The big bugaboo impacting all these new technologies is cybersecurity, especially in the OT space," explains A&E's Tommey. "Cybersecurity must be addressed as a continuous cycle, but a lot of companies on the OT side don't understand this yet. They all did 20-30 years of continuous work on lean process improvement, and that continuous improvement thought process needs to be extended to cybersecurity."

Tommey reports that users must start by knowing themselves, their networks and everything that's attached to them. Next, they must learn to understand the threats out in the larger world, such as the currently active viruses and their attack profiles, and use this knowledge to determine what they must do to harden their individual networks and applications. This can include updating passwords and security polices, implementing network segmentation and firewalls, following security standards like NIST 800 and ISA/IEC 62443, and constantly monitoring network traffic with security information and event management (SIEM) software as a first step and intrusion detection system (IDS) and intrusion prevention system (IPS) software as a second step.

"The problem now is that this security monitoring piece doesn't exist in 95% of manufacturing facilities because they just have traditional air-gapped equipment or installed simple firewalls. There's more security monitoring on the IT side, but there's very little on the plant-floor side, and many small start-ups and larger suppliers are seeking to fill these gaps."

2 of 2 1 | 2 > View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments