ICS for Cyber Geeks: Dive into SCADA Level 3

Cybersecurity Musings
Ron Fabela, SynSaber CTO & Co-founder

SCADA Level 3 (the Plant Level) contains many distinct elements, some of which I touched on in my previous SCADA post. In today’s blog, I wanted to take a deeper dive into the Plant Level to explain the acronyms and terms you may encounter in your industrial control system (ICS) cybersecurity journey. Keep in mind that each environment is unique, so no two security architectures are the same, but these terms and explanations should give you a good baseline understanding of what you’ll typically find within the Plant Level.

SCADA Level 3 – the Plant Level

Depending on the vertical, the Plant Level may also be called the Management Level or Production Control Level (what’s that saying about a level by any other name still smelling as sweet?🌹). No matter the label or preferred term, Level 3 is the happenin’ place where processes and targets are monitored but not directly controlled. Here you will typically find components such as human-machine interfaces (HMIs), engineering & operator workstations, alarm handling systems, and safety systems. 

Human-machine interface (HMI)

The human-machine interface or HMI is the place where an operator interacts with the plant control system. These can include operator workstations, engineering workstations, or other devices that allow an operator to view and manipulate data within the ICS environment. The HMI gives an operator a window into the data coming from Levels 0-2. There are many different types of HMI configurations, and RealPars has an insightful video covering the basics:

Engineering Workstation (EWS)

An engineering workstation or EWS is a computer or device connected to the SCADA network that allows engineers to monitor and manage equipment from their desks. An engineer can use the EWS for real-time monitoring, scheduling, and controlling equipment. The EWS may also contain some graphical user interfaces to facilitate data analysis. There tend to be far fewer EWSs than OWSs, because EWSs are there to make changes to the process/controllers. Access is typically restricted to engineers/plant managers.

Operator Workstation (OWS)

An operator workstation or OWS is a computer or device connected to a SCADA network that allows operators to perform maintenance tasks on equipment. It can be used to schedule and track jobs, view alarms, and perform other functions. Some OWSs are designed to be more flexible than others. For example, they may have additional features such as the ability to run batch processes or other tasks. There tend to be more OWSs in a control center, with multiple operators monitoring/controlling different areas of the process, sometimes called “Areas of Responsibility.” These are the monitor banks often seen in control center pictures, with the EWSs hidden away in a separate room.

Alarm Management

In SCADA Level 3, there are two types of alarms: critical and noncritical. Critical alarms are those that require immediate attention by the operator. Noncritical alarms are those that do not need immediate action.

Critical Alarms

There are three types of critical alarms: high priority, medium priority, and low priority. High priority alarms are those that will halt production if ignored. Medium priority alarms could cause downtime if ignored, and low priority alarms only affect the operation of the process but don’t directly impact the quality or quantity of production. An example of a critical alarm would be a fire alarm system. You guessed it, the heroes over at RealPars have a fantastic video that walks through the setup for a fire alarm system:

Noncritical Alarms

There are four types of noncritical alarms: warning, caution, notification, and informational. Warning alarms indicate that something is wrong. Caution alarms indicate that something might be about to happen. Notification alarms tell the operator when something has happened. Informational alarms let the operator know what is happening without telling them why.

SCADA Level 3 Safety Systems

Industrial systems may contain potentially hazardous environments and risk elements. SCADA Level 3 includes the workstations that monitor safety instrumented systems (SIS)/safety control systems (SCS) to minimize and mitigate these risks. The SIS/SCS themselves should reside in a separate network. Check out this great video from RealPars explaining, “What is a Safety Instrumented System?”
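One way to check the "SIS/SCS in a separate network" point against an asset inventory is sketched below. This is an added example, not part of the original post: the inventory, host names, role labels and addresses are constructed, and sharing an IP subnet is used as an assumed proxy for "same network".

```python
import ipaddress
from itertools import product

# Constructed sample inventory: names, roles and addresses are illustrative only.
INVENTORY = [
    {"name": "hmi-01", "role": "HMI", "interfaces": ["10.30.0.11/24"]},
    {"name": "ows-01", "role": "OWS", "interfaces": ["10.30.0.21/24"]},
    # Dual-homed EWS with a second interface inside the safety network.
    {"name": "ews-01", "role": "EWS", "interfaces": ["10.30.0.31/24", "10.99.0.5/24"]},
    {"name": "sis-mon-01", "role": "SIS_MONITOR", "interfaces": ["10.30.0.41/24"]},
    {"name": "sis-ctl-01", "role": "SIS", "interfaces": ["10.99.0.10/24"]},
    # Safety controller addressed directly on the Level 3 subnet.
    {"name": "sis-ctl-02", "role": "SIS", "interfaces": ["10.30.0.200/24"]},
]

# Assumed role labels for this example.
LEVEL3_ROLES = {"HMI", "EWS", "OWS", "SIS_MONITOR"}
SAFETY_ROLES = {"SIS", "SCS"}


def networks(asset):
    """Return the set of IP networks an asset has an interface in."""
    return {ipaddress.ip_interface(i).network for i in asset["interfaces"]}


def shared_network_findings(inventory):
    """List (safety_asset, level3_asset, network) where both sit in one subnet."""
    level3 = [a for a in inventory if a["role"] in LEVEL3_ROLES]
    safety = [a for a in inventory if a["role"] in SAFETY_ROLES]
    findings = set()
    for s, w in product(safety, level3):
        for s_net, w_net in product(networks(s), networks(w)):
            if s_net.overlaps(w_net):
                # Report the broader of the two overlapping networks.
                wider = s_net if s_net.prefixlen <= w_net.prefixlen else w_net
                findings.add((s["name"], w["name"], str(wider)))
    return sorted(findings)


if __name__ == "__main__":
    for safety_asset, workstation, net in shared_network_findings(INVENTORY):
        print(f"REVIEW: {safety_asset} shares {net} with Level 3 host {workstation}")
```

The dual-homed `ews-01` surfaces as a finding as well, since an interface inside the safety subnet puts that workstation on the same network as the controller.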

Additional Resources

Here are some additional educational resources if you’re interested in learning more about the components contained within SCADA Level 3:

RealPars video “What is an Emergency Shutdown System?”:

(Aged, but still interesting) video from INGAA pipelines with a peek at their supervisory systems:

(starting at the 1:06 mark) GalcoTV video with some examples of HMIs and supervisory systems:

I like this quote from the GalcoTV video: “Communication is the absolute most essential link for a SCADA system to operate properly. However, how well the system manages communication from HMIs to RTUs and PLCs fundamentally determines how successful a SCADA system can be.”

And in case you missed the first two parts of this blog series:

ICS for Cyber Geeks: Processes & Automation
ICS for Cyber Geeks: SCADA

~Ron 💜🚀