SCADA - ICS for Cyber Geeks
Blog

ICS for Cyber Geeks: SCADA

Cybersecurity Musings
Ron Fabela, SynSaber CTO & Co-founder
Ron Fabela
CTO, SynSaber

In part 1 of the “ICS for Cyber Geeks” series, we shared a few videos to learn the basics of Processes and Automation. Let’s now go to another foundational ICS topic: SCADA (Supervisory Control And Data Acquisition). SCADA is a centralized system that monitors and controls a process across entire sites in energy, oil/gas, water, manufacturing, and many other industries. A SCADA system at a high level consists of four functions:

  1. Networks
  2. Data acquisition
  3. Presentation of data
  4. Control

These four functions are frequently depicted across a number of levels. Figure 1 is from the Wikipedia article on SCADA (https://en.wikipedia.org/wiki/SCADA), which is also a good read.

What’s important to note here is that the further up in the levels you are (say level 3/4), the more IT-like the systems are. That’s right, while most of the ICS systems are indeed PLCs, RTUs, sensors, actuators, valves, and other industrial devices, their monitoring and control is mostly Windows workstations, IP switches/routers, and servers.

Field Level / Level 0

Here are where your sensors, valves, and other instrumentation lives. When you think of all the processes that need to be monitored and controlled, this is the level where that data is coming from. Before digitization/modernization, this is how the process was run: Read a dial, turn a wrench, read the dial again. As technology improved, a wrench turn became the push of a button to control a motor or actuator on a valve.
Then came level 1…

Device Level / Level 1

Now levels 1 and 0 often get merged together because with modernization came consolidation. While level 0 is technically just “the process,” sensors, actuators, and valves started to become smarter. Today level 0 control by level 1 devices are typically digital in nature, interacting with higher-level systems. When folks mention going to “manual operations mode,” they are often speaking of direct process control at this level or level 2. Speaking of…

Local Control Level / Level 2

Plant level supervisory systems monitor and perhaps direct control numerous level 1 devices. In current field deployments, this may be a local HMI (human-machine interface) where the operator can monitor and control that local process. (example shot below)

SCADA Human Machine Interface HMI

Plant Level / Level 3

Going up the stack, level 2 is local control of many level 0/1 subsystems; then level 3 is plant-level control of level 2 systems. This usually comes in the form of a control room/center. What’s a control center? Well, it can be as elaborate as multiple operator workstations (HMI/OWS), a video wall, engineering workstations (EWS), and other support systems all in one room. 

Level 3 is the collection of systems (workstations and servers) needed to monitor and control the entire plant process. From a hardware and software sense, this is where ICS looks a lot like enterprise (no, not that Enterprise πŸ––): Windows workstations, Cisco networking gear, Linux servers, etc. All of your main memes and myths about “herpaderp SCADA doesn’t patch” are here too, but that’s a story for another time.

SCADA Control Center for ICS

Everything Else Level / SCADA Level 3.5/4/5

If you thought the bottom of the stack was converging, let me tell you about the top. Note this is typical but not always:

  • Level 3.5 – The DMZ (demilitarized zone) between the plant level 3 and enterprise systems. Like all DMZs, you put the systems in here that you need for sharing/accessing the enterprise but without direct connectivity to SCADA. Historians, AD, fileshares, jumphosts all live in 3.5.
  • Level 4 – Sometimes characterized differently than “the enterprise” proper, level 4 can be just the local plant level business networks. These are the local networks where operators get their business email and general access to enterprise systems. If there are any level 4 to 3 connections, (hopefully) these are controlled through a level 3.5 DMZ.
  • Level 5 – The Enterprise. This level encompasses the entire business network. In some use cases, centralized ERP, MES, and other management systems may need to collect data from each plant level 3s (via 3.5!) for business and operational intelligence.

And that’s it for now! Please, please, please know that SCADA and the oft-mentioned “Purdue Model” (https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture) vary greatly depending on the industrial vertical and level of modernization in the plant. While “words matter,” understanding the intent and implementation of this segmented model is more important!

Additional SCADA Resources

Here is an excellent RealPars video overview on SCADA to reinforce what you have just read:

But wait! Is the Purdue Model dead? S4x19 quick discussion and context (spoiler alert: network-wise, it’s dead — but functionally may still be relevant)

2 min: https://www.youtube.com/watch?v=Oa5HJqMDpOI  

Long-form: https://www.youtube.com/watch?v=KfxPF9xjFrE 

~Ron πŸ’œπŸš€