Your questions answered: HMI/SCADA architecture considerations to meet evolving operations
Additional questions on improving HMI and SCADA architecture are addressed in an October 18 webcast, archived for a year.
Improving human-machine interface and supervisory control and data acquisition (HMI/SCADA) infrastructure was the focus of an October 18 Control Engineering webcast, “HMI/SCADA architecture considerations to meet evolving operations,” which included questions from the audience listening live. Answers to some questions not answered during the webcast follow. The webcast is archived for a year.
Additional answers include common obstacles with customers, cybersecurity and HMI/SCADA system redesign.
The expert in the webcast, Mike Brost, senior principal consultant, Presales, AVEVA, provided the extra answers below after covering the following learning objectives in the webcast:
Understand architectural considerations for scaling operations
What are the implications of remote access, cloud and mobility
Control system security best practices
Things to look out for when implementing control system security.
Question: What are common obstacles you encounter with customers when they’re trying to improve their HMI/SCADA architecture? And what has helped sway them?
Answer: The most common obstacle is fear. There is great concern about exposure of cloud services to the control network. This is mostly driven by a lack of understanding of the advanced network topologies that are available to address these concerns. It is a fact the control network should not have direct access to the cloud. Its access to the cloud should be directed to a demilitarized zone (DMZ) through an origination-only firewall on the operational technology (OT) network. This firewall should prevent any incoming connections from being originated on the DMZ into the OT network.
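To make the origination-only rule concrete, the following added example (not AVEVA code and not from the webcast) models a stateful firewall between an assumed OT range and an assumed DMZ range: only connections the OT side opens, and the reply packets to them, pass; a connection opened from the DMZ toward OT is dropped. All addresses, ports and packets are constructed.

```python
"""Origination-only firewall model: OT may open connections into the DMZ,
the DMZ may only answer them. Constructed example; addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.10.0.0/16")      # assumed OT address range
DMZ_NET = ip_network("172.16.5.0/24")    # assumed DMZ address range
ALLOWED_OUTBOUND_PORTS = {443, 8883}     # assumed: HTTPS and MQTT over TLS only

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # True when the packet tries to open a new connection

class OriginationOnlyFirewall:
    def __init__(self):
        # Connection table, like a stateful firewall's conntrack entries:
        # (ot_host, dmz_host, ot_port, dmz_port) for connections OT opened.
        self.table = set()

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in OT_NET and dst in DMZ_NET:
            key = (p.src, p.dst, p.sport, p.dport)
            if p.syn:                                 # OT originates a connection
                if p.dport not in ALLOWED_OUTBOUND_PORTS:
                    return "drop:port-not-permitted"
                self.table.add(key)
                return "accept:new-ot-originated"
            return "accept:established" if key in self.table else "drop:no-connection"
        if src in DMZ_NET and dst in OT_NET:
            key = (p.dst, p.src, p.dport, p.sport)    # reversed: the OT host is the originator
            if not p.syn and key in self.table:       # reply to a connection OT opened
                return "accept:reply-to-ot-originated"
            return "drop:dmz-originated-into-ot"      # the rule the answer describes
        return "drop:default"

def run_demo():
    """Feed constructed packets through the policy and return the decisions."""
    fw = OriginationOnlyFirewall()
    packets = [
        Packet("10.10.1.20", "172.16.5.10", 50123, 443, syn=True),   # OT historian to DMZ relay
        Packet("172.16.5.10", "10.10.1.20", 443, 50123, syn=False),  # relay answers
        Packet("172.16.5.10", "10.10.1.20", 40000, 3389, syn=True),  # unsolicited DMZ to OT: blocked
        Packet("172.16.5.10", "10.10.1.20", 443, 50123, syn=True),   # SYN dressed as a reply: blocked
        Packet("10.10.1.20", "172.16.5.10", 50124, 23, syn=True),    # OT to a port not on the allow-list
    ]
    return [fw.decide(p) for p in packets]
```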
Question: Cybersecurity is a major focus for manufacturers now with IT/OT convergence. What are some of the challenges that come up when building the architecture?
Answer: The greatest threat you face is the authorized user, but there are several others to consider such as:
Certificates and TLS 1.2 encryption of all service to service communication should be in place on the OT network.
Client-side connections should also be secured with certificates and TLS 1.2 encryption.
Network connections to devices need to be modeled so that only comm services are allowed to access a device.
The SCADA data model needs to be secured at the tag/element/attribute/item level so that regardless of the technology being used the SCADA security model cannot be bypassed.
Client interface engines (web, RDS, desktop) must be separate from core SCADA services.
All external access to the OT network must be through a DMZ and not directly to the SCADA system.
Domain isolation between the DMZ, business network, and cloud should be implemented.
100% user action logging must be in place in a write-once, unmodifiable logging system.
The list is not exhaustive and specific application requirements might need more measures.
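The write-once logging requirement in the list above can be made tamper-evident even on ordinary storage by hash-chaining entries. This added example (not AVEVA code) does that in Python with constructed operator actions and made-up tag names; the chain alone cannot detect removal of the newest entries, which is why the store itself must still be write-once.

```python
"""Hash-chained user-action log: every entry commits to the one before it,
so editing or reordering history breaks the chain. Constructed example."""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry

def _digest(prev_hash: str, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class ActionLog:
    def __init__(self):
        self._entries = []   # append-only list of (record, hash)

    def append(self, ts: str, user: str, action: str, target: str, value=None) -> int:
        record = {"ts": ts, "user": user, "action": action, "target": target, "value": value}
        prev = self._entries[-1][1] if self._entries else GENESIS
        self._entries.append((record, _digest(prev, record)))
        return len(self._entries) - 1

    def export(self) -> list:
        """Copy of the chain, i.e. what an auditor would read back from storage."""
        return [{"record": dict(r), "hash": h} for r, h in self._entries]

def verify_chain(exported: list) -> int:
    """Index of the first entry that does not fit the chain, or -1 if intact.
    Truncating the newest entries is not detectable by the chain alone."""
    prev = GENESIS
    for i, e in enumerate(exported):
        if _digest(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def demo():
    """Constructed operator actions; tag and device names are made up."""
    log = ActionLog()
    log.append("2023-10-18T14:02:11Z", "operator1", "setpoint_write", "Pump01.Speed.SP", 1450.0)
    log.append("2023-10-18T14:03:40Z", "operator1", "alarm_ack", "Tank02.LevelHigh")
    log.append("2023-10-18T14:10:05Z", "engineer2", "config_download", "PLC-07")
    intact = verify_chain(log.export())                    # -1
    copy = log.export()
    copy[0]["record"]["value"] = 900.0                     # setpoint edited after the fact
    edited = verify_chain(copy)                            # 0: entry 0 no longer matches its hash
    copy[0]["hash"] = _digest(GENESIS, copy[0]["record"])  # even if entry 0 is rehashed...
    rehashed = verify_chain(copy)                          # 1: ...the next link breaks
    return intact, edited, rehashed
```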
Question: How do we redesign an HMI/SCADA system if we already have the SCADA products? Can we export the configuration from the old system to the new one? Or does it require a new configuration?
Answer: It depends on the vendor of the original system and the vendor of the new target system. Technology and information environments are rapidly changing; planning how to evolve along with them will be a key factor of HMI/SCADA implementations going forward. The purpose of this webinar was to provide information around how these changes can and are affecting design and architectures, primarily topologies that leverage cloud. That being said, there are conversion tools that assist with migrations. However, no migration tool is 100% effective. It is not possible to take a flat tag model and convert it to an elegant object-oriented design without some preparation, thought and intervention from the SCADA engineers, for example. There will be some inevitable redesign of existing systems depending on objectives and needs.
Question: What are some of the benefits and costs involved?
Answer: The benefit of implementing secure information distribution to the necessary actors of an organization will exceed the costs by several orders of magnitude. Proper implementation is not expensive and can be scaled to the needs of the application.
Question: You described automation maturity at the beginning; can you explain that more?
Answer: Automation maturity is an assessment of how prepared an organization is for adopting more sophisticated architectural and software requirements. This can include in-house expertise, cultural readiness, and existing digital infrastructure, but is not limited to those.
Question: Does AVEVA allow use of load balancers and can it use NTP?
Answer: Yes to both of these.
Question: Is my SCADA information safe being stored in the cloud?
Answer: Yes, the cloud is a very safe and secure location. Data can be easily stored in triplicate and geo-replicated to another data center more than 600 miles away. AVEVA takes additional security steps of separating metadata (tag description, scaling, UOM etc.) from process values. Each of these is stored in a separate database and encrypted. The process values are reduced to 0-1.0 so that all values look the same without the accompanying metadata.
Question: What are the risks of sending SCADA information to the cloud?
Answer: The risks are that the sending system gets replaced with another sender or the data is intercepted and modified before arriving. Decisions would then be made on incorrect information. With proper certificates bound to the sending entity, and encryption and obfuscation of the data during transmission, this is eliminated as a possibility.
Question: If SCADA stands for supervisory control, I do not see cloud based hierarchy services related to “control,” more for data acquisition.
Answer: That’s mostly correct, in that information usually demands that action be available to correct the situation. Cloud-based actions are usually never explicit control commands like starting a pump or closing a valve. Rather, they are more along the lines of advice to optimize a process toward economic or environmental goals, or directing a facility to increase or decrease production quantities, or changing a production line’s schedule.
This can be orchestrated by people or systems, such as experts directing outcomes in a far off location, or systems providing guidance automatically alongside SCADA. So while cloud-based control is unlikely and even presents safety risks, enriching SCADA with cloud-based information is extremely valuable.
Question: Read-only allows me to navigate between SCADA screens, but I cannot change variables, or I can watch only?
Answer: Read-only means that the value of the tag being viewed cannot be changed. Restriction of what is viewed is the responsibility of the visualization engine and relevant access permissions. Security, to be enforceable and effective, must be enforced at the destination of a command. This means all graphics, protocols, APIs or external access of any kind must follow the tag’s security demands regardless of command origination configuration.
Question: What is the best (and safest) method of replicating historized data from the OT to the IT network so users can analyze data on the business side?
Answer: Use a delivery engine on the OT network that can weave through the multiple levels of intrusion protection that exist between the OT and business or cloud. Compromising the isolation built into firewalls is unacceptable and should be resisted. This must support domain isolation and certificate-based TLS 1.2 encryption. These are the techniques that can allow replication of data from the OT domain to the IT domain and potentially the cloud.
Question: The cloud was described as safe and is a small fortress; however, Mike stated his worry would be someone messing with the data in the cloud. Would you clarify what you mean by “safe” if in fact cloud information can be tampered with?
Answer: Two issues were being stated:
The physical security of a cloud based data center, which is robust and hardened.
The importance of encryption at rest and in motion to ensure the data cannot be altered on its way to the cloud or while it is stored there.
Question: When it comes to forward or reverse proxy, is there any difference in response time?
Answer: Response time of these should be imperceptible to the user or system.
Question: What are some good first steps a company can take to start on this journey to build their HMI/SCADA architecture?
Answer: Begin by sending information to the cloud in a robust, safe and secure way as described so important actors outside of the OT domain can utilize this valuable information.