Supervisory Control and Data Acquisition (SCADA) systems are widely used to monitor and control dispersed hardware components in industrial settings such as power plants, electrical power grids and water treatment. They are often used in critical infrastructures where security and safety are vital, and for this reason they have to comply with strict regulatory standards. Traditionally, SCADA systems are deployed in a monolithic way, with a central datacenter and a large amount of wiring connecting the different hardware elements to it. Because access to these wired elements is restricted, traditional security provision focuses primarily on physical protection measures. Recently, the use of Wireless Sensor and Actuator Network (WSAN) technology has been acknowledged as promising for the Critical Infrastructure Protection (CIP) field. In addition, the ability to extend the radio range through multi-hop communications can be used to extend the reach of CIP systems by monitoring more points of interest in wider deployment areas. However, to take advantage of WSAN, traditional SCADA acquisition processes need to change to accommodate this new technology. For example, secure ways of delivering information from the sensors to the centralized SCADA must be implemented. Also, SCADAs normally integrate proprietary protocols, which makes integration with a general-purpose WSAN far from straightforward and requires the use of gateways. Tackling all these issues and proposing a generic solution to the integration problem between WSANs and SCADA was, in fact, one of the goals of the European project WSAN4CIP, in the context of which the solution presented in this chapter has been developed. The WSAN4CIP project globally aimed to protect Critical Infrastructures by means of a secure WSAN system architecture.
Solution

The solution proposed here is based on the use of open protocols that work over conventional networks, such as the Internet. More specifically, the system uses IP and web services together with an open-source and web-based SCADA called Mango. Two proof-of-concept demonstrators have been deployed in WSAN4CIP, one for monitoring drinking water distribution pipelines and the other for monitoring an electrical power grid. This chapter only focuses on the approach followed to integrate SCADA and WSAN and the way it has been applied to the latter demonstrator, henceforth designated the EDP demonstrator, which reflects the name (EDP) of the electricity distribution company.
As mentioned, SCADAs used to be really complex and expensive programs with proprietary hardware, software and communication protocols. Currently, new open alternatives that make use of the common Internet protocols (TCP/IP) have proven to be a feasible solution. They offer flexibility, can work over previously existing networks, and can therefore be accessed from any place where there is an Internet connection without the need to install and configure complex programs. In general terms, the architecture proposed in this section makes use of an open-source web-based SCADA, called Mango, which proves that the use of this kind of system in the CIP context is feasible, cost-efficient, easily accessible and simple to use. Regarding the SCADA-WSAN connection, the WSAN and SCADA communication has been decoupled by means of a gateway. The gateway is in charge of gathering the information from the WSAN and retransmitting it to the SCADA. Conversely, the gateway receives requests from the SCADA and processes them, disseminating the corresponding information into the WSAN.
The operator accesses the web-based SCADA through a conventional browser. The SCADA receives all the information from the gateway and stores it in a database. In a similar way the gateway collects all the information from the WSAN before sending it to the SCADA. The system supports the use of multiple gateways and, therefore, can receive information from a large number of disjoint WSANs.
Evaluation

This integration solution has been tested using a web-based open-source SCADA called Mango. Mango provides a browser-based SCADA that allows users to monitor and control devices over multiple protocols. Mango runs in Apache Tomcat as a server application and can be accessed from any conventional browser. In a Mango SCADA the application is divided into a set of screens, each of which controls a certain aspect of the monitored system. Each of these screens is a simple web page with dynamic elements that shows the status of the monitored system and allows interaction between the SCADA and the WSAN. This allows the SCADA to be used from any conventional PC with an Internet connection. Access control is managed by means of user accounts that restrict access depending on the user role. Mango comes with predefined modules that make it possible to communicate with devices running widely used protocols such as OPC, MBus and DNP3. However, the project aimed to widen the number of devices capable of communicating with the SCADA, for example, over the Internet, and after a study of possible alternatives, web services were chosen. Web services are principally run over the well-known HTTP protocol. This, together with the fact that Mango SCADA also runs over this protocol, makes it a good choice to ensure seamless interoperability with a potentially very high number of devices. In order to allow Mango to use web services, a new module was developed, which is composed of a web service server to accept requests or data and a web server client to send requests and notifications. To secure the communication at this point, the secure version of the HTTP protocol (HTTPS) has been used. Also, the system uses a white list of allowed IPs in order to block access from unwanted addresses.
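The admission rule described above (HTTPS plus a white list of allowed IPs), sketched as an added example that is not code from Mango or from the WSAN4CIP module. The addresses are constructed placeholders, and the function names `parse_allowlist`, `normalise_peer`, `admit` and `replay` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample white list: documentation-range placeholders
# (RFC 5737 / RFC 3849), not addresses from the WSAN4CIP deployment.
ALLOWED_GATEWAYS = ["192.0.2.10/32", "198.51.100.0/28", "2001:db8:10::/64"]


def parse_allowlist(entries):
    """Parse CIDR strings once at start-up; a malformed entry raises ValueError."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def normalise_peer(peer):
    """Parse the peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop any IPv6 zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def admit(peer, is_tls, networks):
    """Decide whether a web-service request is accepted.

    `peer` must be the address of the TCP connection itself, never a value
    read from a request header, because the sender controls headers.
    """
    if not is_tls:
        return (False, "plain HTTP refused")
    try:
        addr = normalise_peer(peer)
    except ValueError:
        return (False, "unparseable peer address")
    for net in networks:
        if addr.version == net.version and addr in net:
            return (True, f"allowed by {net}")
    return (False, "address not on white list")


def replay(connections, networks):
    """Run constructed (peer, is_tls) pairs through admit() for review."""
    return [(peer, *admit(peer, tls, networks)) for peer, tls in connections]


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED_GATEWAYS)
    sample = [("192.0.2.10", True), ("::ffff:198.51.100.3", True),
              ("192.0.2.10", False), ("203.0.113.7", True)]
    for row in replay(sample, nets):
        print(row)
```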