In essence, a SCADA (Supervisory Control And Data Acquisition) solution is a set of systems for controlling distributed physical equipment. Operators control and monitor the physical processes via a centralized system, which in turn communicates with more local systems until the physical equipment is reached.
If you are familiar with SCADA environments, this article will mainly be a repetition of what you already know. If so, you are welcome to skip down to the end where you can download the securiCAD SCADA model.
The model described here was developed by the SEGRID research project that used securiCAD to perform vulnerability assessments of a use case for operation of distributed renewable energy. It involved both threat modeling experts from the Royal Institute of Technology in Sweden, as well as experts with thorough experience within the power distribution domain.
This article walks through the SEGRID material to show how a SCADA system is typically represented in securiCAD.
General SCADA structure
A SCADA solution is not one single component, but a structure of systems for distributing control commands and collecting status information and similar data. There are of course several suppliers of SCADA systems on the market, but the main structure tends to be similar, and the intention of this material is to show the basics. This reference architecture is a good starting point for identifying which areas need adjustment to match your particular setup.
The SEGRID Project came up with the following high level map of a SCADA environment.
The case described is power distribution including distributed generation of renewable energy. The SCADA system is only a part of this larger ICT (Information and Communication Technology) infrastructure for power distribution, which also includes AMI (Automatic Metering Infrastructure), Energy Supplier, Data Hub and Households. However, in this material we will focus on the SCADA environment.
When analyzing a particular environment, it might also be the case that you would like to limit the scope of the analysis so that the external solution provider’s network or the external power plants/generation networks are not part of the analysis. So, strictly speaking, the SEGRID study (and the corresponding securiCAD model) covers more than just the SCADA solution itself.
Looking at the high-level map, there are several zones depicted. The following sections will present a short explanation of each zone’s purpose.
SCADA Zone and Process Zone
The SCADA zone is the most essential part of the structure. This is where commands from operators are delivered and then distributed to the actual equipment (substations).
The SCADA zone contains the HMI (Human Machine Interface) workstations which operators use to interact with the SCADA system. The SCADA database is the main information repository, holding an up-to-date representation of the process being controlled and monitored. The Historian is a database system for collecting statuses, database changes, issued commands and similar data.
The process zone contains the systems responsible for communication with the substations. The systems in the SCADA zone should not need to communicate with the field equipment/zones directly; instead, systems in the process zone handle that task.
SCADA DMZ Zone
The SCADA DMZ zone is, apart from the process zone, the only zone connected to the SCADA zone. This means that it acts as an intermediate zone for data transfer between the SCADA zone and the Office zone. It has connections to the Office zone, where the office staff work with statistics and status information such as power outages, and it has VPN connections to the external HW/SW Vendor. Data is transferred via the Replicated SCADA and Replicated Historian systems in the SCADA DMZ zone.
Looking to the left of the SCADA zone, we have the Engineering zone. This is where the power system structure is defined. This definition is then fed into the SCADA system and determines which operations can be performed on different parts of the power grid.
Software and firmware updates arrive in the Vendor File Transfer Server before being transferred to the live systems in the SCADA zone.
The Office LAN is where the staff who do not operate the process are located. They work, for instance, with SCADA environment statistics collected in the Replicated Historian system in the SCADA DMZ zone.
This zone represents regular office communication with the Internet and is represented in our model by a mail server.
DSO WAN and Primary Substation
Below the DSO (Distribution System Operator) area, we have the DSO WAN zone and the Primary Substation zone. The DSO WAN in this example represents a dedicated communication channel managed by the DSO. It might be a communications fiber piggybacking on a high-voltage power line, which is why only primary substations are connected this way. A substation zone is in most cases assumed to contain systems labelled “RTU” (Remote Terminal Unit). These are in turn connected to the actual hardware, or, as in the case of larger, primary substations, there are additional control systems between the RTU and the hardware. These are represented by the IED (Intelligent Electronic Device) host in the SCADA model.
Telecom Operator and Secondary Substation
For communication with secondary substations, using a dedicated, DSO-owned communication channel is not feasible, because secondary substations are far more numerous and often not close to the main power grid. Therefore, the communication is often carried by telecom operators.
Typically, an AMI zone contains systems for collecting readings of energy consumption from household and industrial end customers as well as allowing the office staff to query meter status and in some environments send switching commands to specific customers when needed. This zone holds Data Concentrator systems managing the communication with the vast number of customer end points.
Energy supplier zones
The energy supplier zones represent systems belonging to an external power supplier that are not part of the DSO system. Here, they consist of an administrative office zone in the top right corner and a DER (Distributed Energy Resource) substation zone at the bottom, which in turn contains the systems for managing the power generation equipment.
HW/SW vendor, TSO and Data hub zones
These zones are related to the SCADA solution because they fetch or deliver data to/from the Engineering zone and/or the SCADA DMZ zone. The HW/SW vendor provides software updates to the SCADA solution, the TSO (Transmission System Operator) provides load forecast data based on statistics to the SCADA system (via the SCADA DMZ), and the Data hub collects (and processes) historical data on power consumption for various reasons.
Now we know which systems belong to the SCADA environment and some of the systems closely related to them. In addition to the physical layout of the environment, the reference architecture also contains system communication in terms of data flows between the different clients and services run on the various systems.
Next, we are interested in which systems communicate with each other within the model and what external communication generally takes place. This is represented by dataflows between clients and services.
In the SEGRID work, several dataflows were detailed. Some of them are encrypted, some of them not and some of them use proprietary or domain-specific protocols.
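One practical use of the zone layout above is to check that the segmentation the reference architecture relies on actually holds, i.e. that only the Process zone and the SCADA DMZ touch the SCADA zone, and to see how many zone hops separate an Internet-facing system from the substations. The following is an added example, not code or data from the SEGRID project or securiCAD: the zone links are reconstructed from this article's prose, and the links marked "assumed" (which zone fronts the DSO WAN and the telecom operator) are assumptions rather than statements on the page.

```python
from collections import deque

# Zone adjacency reconstructed from the article's zone descriptions (constructed
# here, not taken from the SEGRID map); links marked "assumed" are not in the text.
ZONE_LINKS = [
    ("SCADA", "Process"),
    ("SCADA", "SCADA DMZ"),
    ("SCADA DMZ", "Office"),
    ("SCADA DMZ", "HW/SW Vendor"),  # VPN connection
    ("SCADA DMZ", "TSO"),           # load forecasts delivered via the DMZ
    ("Office", "Internet"),         # modelled as the mail server
    ("Process", "DSO WAN"),         # assumed: process zone fronts the DSO WAN
    ("DSO WAN", "Primary Substation"),
    ("Process", "Telecom Operator"),  # assumed: process zone fronts telecom links
    ("Telecom Operator", "Secondary Substation"),
]
# Zones the article says are the only ones connected to the SCADA zone.
SCADA_ALLOWED_NEIGHBOURS = {"Process", "SCADA DMZ"}


def build_graph(links):
    """Undirected adjacency map: zone -> set of directly connected zones."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def segmentation_violations(graph, zone="SCADA", allowed=SCADA_ALLOWED_NEIGHBOURS):
    """Zones directly linked to `zone` that the segmentation policy does not allow."""
    return sorted(graph.get(zone, set()) - allowed)


def shortest_path(graph, src, dst):
    """Breadth-first search over zones; returns the hop sequence src..dst, or None."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)
    return None
```

Adding a hypothetical direct Office-to-SCADA link (such as a mis-scoped firewall rule) to `ZONE_LINKS` makes `segmentation_violations` report it and shortens the Internet-to-SCADA path from three hops to two, which is the kind of change a model update should flag.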
General comment on domain specific systems and applications
Since the simulations see the environment from an attacker’s point of view, the main interest is in how exploitable a certain asset is. Therefore, it is more interesting to look at what additional opportunities each asset gives the attacker than at exactly what asset it is.
The same applies to the attacker’s achievements: the analysis will tell if and when the attacker manages to reach a certain point in the environment, and how it could happen. What effect those achievements would have on the actual power grid, or on business processes, is a consequence analysis done outside securiCAD.
Reuse of this model
Yes, a significant amount of work was put into the complete SEGRID model. Thus, we believe that this model is a good starting point for many when modeling SCADA and control system environments, saving time and gaining momentum. Of course, the SEGRID model is a description of all and no particular system, so it has to be modified for each specific case.
In the Recommended modeling workflow guide, we present how to take on modeling a SEGRID-size environment using components.
Downloads and references
The detailed map of the environment outlined by the SEGRID project, from which the above screenshots are taken, is available for download here.
The securiCAD model coming from the SEGRID project is available for download here.
The complete description of the SEGRID use case is available at the project website.
The work has also been published in the research paper Load balancing of renewable energy: a cyber security analysis by Alexandre Vernotte, Margus Välja, Matus Korman, Gunnar Björkman, Mathias Ekstedt and Robert Lagerström, published on 26 July 2018.
The work has received funding from the EU FP7 under grant agreement no. 607109 (SEGRID), the Swedish Centre for Smart Grids and Energy Storage (SweGRIDS), the Swedish National Grid, as well as the Swedish Civil Contingencies Agency through the research centre Resilient Information and Control Systems (RICS).