Bridging the IT and OT gap for a power service company
A power service company and system integrator collaborated to merge information technology (IT) and operational technology (OT) to create a secure platform for the power service company’s operations in Chile.
NovaSource Power Services (NSPS) is the insight and operations and management (O&M) services partner for owners of renewable assets ready to fuel smart growth. They manage the largest solar projects in the world, and deliver turnkey support across the renewables project lifecycle and work to prevent and solve problems (see Figure 1).
The NovaSource team has worked in the renewables industry for more than 20 years and manages more than 16 GW of residential, commercial, industrial and utility-scale projects. They work on design, maintenance and manage off-grid power to utility-scale projects around the world.
Chilean project challenge, SCADA migration
In 2018, NovaSource Chile faced the challenge of creating the Chilean Remote Operation Control Center (CROCC), located in La Serena, Chile (see Figure 2). The control center was conceived to cover the business needs NovaSource managed and maintained in the country.
Taking advantage of the new control center project, the project scope also included the migration of old supervisory control and data acquisition (SCADA) systems (see Figure 3), existing in a few plants, which due to their lack of robustness meant inherent cyber risks linked to outdated technologies and high maintenance operational costs were preventing NovaSource from managing these assets.
The project’s main objective was aggregating all of the data to one platform that allowed the standardizing the solution for every plant. The aim was to increase reliability, scalability and usability. The platform also needed to harness new technologies to share information with third-party applications and stakeholders via Industrial Internet of Things (IIoT) protocols.
NovaSource worked with the system integrator, Trekkor, which has experience in not only working for renewable energy plants, where they have taken part in projects accounting for more than 2 GW of installed power, but also in pharma and food and beverage industries.
Robust and secure
To meet project requirements, Trekkor implemented N3uron, a web-based industrial application platform with integrated tools for building solutions in human-machine interface (HMI), SCADA and IIoT solutions, a software it has used for more than five years (see Figure 4).
Trekkor designed and deployed a distributed, redundant and scalable architecture including two local nodes in every plant, each of them connected to its corresponding redundant node in the CROCC.
Given the modular nature of the software, every node runs the necessary modules according to the project requirements. Modbus and DNP3 are used to communicate with field devices such as inverters, weather stations, trackers, substations and more. Message queuing telemetry transport (MQTT) and scripting are used to exchange data with third-party applications, and derived tags are used to make calculations and data aggregation.
One of the major drawbacks of previous SCADA systems was the frequent data loss, considering a typical site has around 700 devices that amount to more than 20,000 input/output (I/O) tags per site, which is a lot of data. The impact on the management of the power plants was considerable. This issue was overcome thanks to the built-in store and forward mechanism the communication between nodes provides. This means any data, either real time or historical, which is not delivered due to a communication failure between the nodes, is stored locally and automatically sent once the connection is restored.
Another major advantage of the communication between nodes, called links, is data integrity and security are provided since the connection is initiated by the local node, which is configured as an outbound connection. This entails that it is not necessary to allow any inbound port in the firewall, thus preventing critical infrastructures from being exposed to cyber attacks.
On the other hand, all data exchanges between nodes are secured using the transport layer security (TLS) protocol. To enable communication, nodes must exchange digital certificates with each other that must be previously validated manually in the nodes with which they are intending to communicate. Regardless of what node starts the communication, bidirectional data exchange is possible, if it is enabled when configuring the link.
An extra security layer consisting of creating security zones also was implemented so clients in each zone can exclusively access the necessary data. To create this zone separation, depending on the information to be accessed, the software allows configuring groups of variables called views, in addition to, the read/write permissions for each variable. This enables any potentially dangerous actions to be blocked, regardless of whether it’s malicious or accidental.
The system also makes use of the TLS protocol to ensure secure and confidential communications over unsecured networks. Apart from preventing malicious third-party access to data, this measure also protects against the known vulnerability to session hijacking, which involves exploiting a valid session to gain unauthorized access to information or services.
Bridging the IT/OT gap
Another major project requirement was the need to exchange operational data from the operational technology (OT) infrastructure with a cloud-based asset performance management (APM) solution that integrates key data needed to monitor, manage and optimize the performance of the solar plants. Integrating both technologies was straightforward due to the use of the MQTT module. These connections also use the TLS protocol, thereby, establishing a secure and private connection with the APM platform that requires the exchange and approval of security certificates.
On the other hand, it is mandatory to exchange some data from every plant with the Chilean system operator (Coordinador Eléctrico Nacional, or CEN). In this regard, communication is carried out with the REST API Server the CEN provides.
Continued migration to new SCADA software
NSPS is moving all its photovoltaic power plants to the SCADA system, which provides improvements in efficiency, maintenance, data access, forecasting and mobility. “Trekkor is…helping us perform secure and reliable remote monitoring of the fleet that handles NSPS in Chile, and we currently control and monitor 30 sites with a total installed capacity of more than 620 MW….[The software] is a useful tool for the management and control of our clients’ assets, which allows us to be alert and react in time to possible failures,” said Claudio Pavez, site manager CROCC for Nova Source Chile.
NSPS has the information needed. Users and developers can access the platform from any device using the web browser of their choice, with an HMI that helps identify and resolve failures and provides alarms.
Scalable and cost-effective SCADA for utilities
In development, Trekkor created a standard to integrate and commission each new solar site. Templates and object-oriented configuration simplify the instantiation and configuration of objects and screens while maintaining the flexibility required in the application. The outcome was a drastic reduction in the development time. The utility and system integrator also created a project of templates to have a common repository available with all templates used in the application.