SCADA, SeCurity & AutomAtion newSletter...2010/05/05 · 150 Shoreline Hwy., Suite #8A • Mill Valley, CA 94941-3634 • 1-888-ASK-SAGE (1-888-275-7243) • 1-888-FAX-SAGE • ClearSCADA

I ns ide Th is I ssue• WirelessEthernet• FreeSCADASeminars• ClearSCADASecurity• DHSCSETSecurityAssessments• ManagingyourSCADASoftware• BroadbandWirelessatOtayWD• NewCAWaterBills• KyoceraChargeControllers

Volume 20, Issue 1 • Spring/Summer 2010 A Publication of Sage Designs, Inc.

150 Shoreline Hwy., Suite #8A • Mill Valley, CA 94941-3634 • 1-888-ASK-SAGE (1-888-275-7243) • 1-888-FAX-SAGE • www.SageDesignsInc.com

S C A DA , S e C u r i t y & Au to m At i o n n e w S l e t t e r

New from

RecognizingExcellenceinWaterandWastewaterApplicationEngineering,ControlMicrosystemsInc.(CMI)awardedtheir2009WaterandWastewaterInnovatorsAwardtoCaliforniaWaterServiceCompany(CalWater).CalWaterwasformedin1926andnowservesmorethan460,000customersthrough28CustomerandOperationsCentersthroughoutthe

state.Theirlatestprojectinvolvesinstallingastate-wideSCADAsystemthatwillcontinuetoprovidecustomerswiththehighestlevelofqualityandservice.FollowingacomprehensivereviewofallmajorSCADAprojects,CalWaterwastheobviouschoicetoreceivethe2009InnovatorsAwardinwaterandwastewaterapplicationengineering.ThecomplexSCADAsystemincludesfourprimaryoperationscenters,twelvedistrictoperationscenters,astate-widemicrowavebackbone,avarietyofdataacquisitionradios(950MHzlicensed,spread-spectrum,IP),and1200PLCs.InadditiontotraditionalSCADAfunctionsforremotemonitoringandcontrolofpumps,valves,andtanks,CalWaterwillimplementstate-widemeteringofpowerconsumptionandwaterflowtoprovideareal-timemeasureofoperationalefficiency.ControlMicrosystemsSCADAPack32andSCADAPack300Seriescontrollerswereselectedfortheirreliabilityandadvancedfeatures.ThelocalpumpefficiencycalculationsintheSCADAPackcontrollersarethebasisforCalWater’sremoteterminalunits,

Sage Designs presents Control microsystems’ Innovators award to Cal water SCADA Crew,lefttoright:DenaCornett(SageDesigns);JeffAmmons,SCADATechnician,TonySannella(SageDesigns);JeffEidemiller,SCADATechnician;ClydeMcMorrow,SCADAProgramManager;DonSillert,SCADATechnician;WilliamMichot(front),SCADAIntern;BrianNance(back),SCADAOperator;JanKooy,ElectricalEngineeringManager;RayFong,TessernetSCADAConsultant,(notpictured)DaveDonovan,SCADAEngineer.

SCADA Innovators California water Service Company Presented with the 2009 Innovators Award from Control microsystems

mAY SemINArSSageDesignsishostingtwofreeSCADAWiseseminarsinMay:oneinIrvineonMay5th,andoneinLivermoreonMay6th.TheseseminarsareonthesubjectofWirelessEthernetandwillfeaturefactorypersonnelrepresentingControlMicrosystemsTrioRadios,TeledesignSystemsradiosandFiretidewirelessmeshnetworks.Signupforaseminarusingtheformonpage3ortheoneontheeventspageofourwebsite,www.sagedesignsinc.com/events.

TM

Continued on page 7

Continued on page 6

TheuseofEthernetbasedProgrammableControllersandDataLoggershasbecomeverycommonplaceoverthelastfewyearsforcontrollingawidevarietyofSCADAsystems.KeyadvantagesofusingEthernetbasedproductsincludetheeaseofuseofastandardizeddatanetworkinterface,globalaccesstodataandsystemsconnectedthroughEthernetnetworkstotheinternet,avastamountofreadilyavailableapplicationprogramsdesignedforEthernetnetworks,andthefamiliarityofITdepartmentswithEthernetbasedsystemsforprocesscontrolanddistributionofinformation.Followingthistrend,manufacturersofProgrammableControllersandDataLoggershaveenhancedtheirproductofferingstotakeadvantageoftheflexibilityoftheEthernetinterface.Thisallowstheirproductstobemoreopenandaccessibletouserswhetheracrosstheroomoracrossthecontinent.Thesedevicesnowallowcompletereconfiguration,reprogramming,recalibration,remotefirmwareuploadandremoteinstallationofenhancedprocesscontrolalgorithmsviaasingleEthernetportandcommunicationsmedium.SincemostSCADAsystemsusedtocontrolthecollection,processinganddistributionofwater,wastewater,electricpower,oilandnaturalgascovergeographicallylargeareas,wirelesscommunications,asopposedtowiredbasedcommunications,istypicallyusedtointerconnectallofthekeypointsinthesystem.ForEthernetbasedSCADAsystems,terrestrialwirelessnetworkssupportingEthernetIPdatatraditionallyoperateinthe900MHz,2.4GHzand5.8GHzfrequencybands.SeveralwirelesstechnologiesincludingWiFi,BluetoothandZigbeesharethesebandswithwirelessSCADAEthernet.ThesefrequencybandsweresetasideyearsagobyseveraldifferentRFspectrum

regulatoryagenciesaroundtheglobespecificallyforlowtransmitpoweroperation,andweresetuptoallowmediumtohightransmissionbandwidthstosupportavarietyofhigherthroughputwirelessapplications.Withinthesebands,thehigherthefrequencyband,thehighertheavailablebandwidthtosupportlargeramountsofdata.Today,thesehigherthroughputsystemssupportnotonlycommandandcontroldatabutalsorelaygraphicalimagesandhighdefinition(HD)video.Althoughthe900MHz,2.4GHzand5.8GHzfrequencybandsprovidehighthroughputforhandlinglargeamountsofdata,theirhighbandwidth,combinedwithlowtransmitpowerrestrictions,limitsthecommunicationsrangetofairlyshortdistances.Inmanycases,trueLineofSight(LOS)conditionsmustexisttoachieveusablecommunications.ForSCADAsystemscoveringasmallgeographicalareatheselimitationscannormallybeovercomebyusingafewsecondarywirelessnodestorelaydatabetweentheprimarynodesinthenetwork.However,forSCADAsystemscoveringalargegeographicalarea,installingalargenumberofsecondarynodessolelytorelaydatabetweentheactivenodesinthenetworkcanbeimpractical,aswellasexpensive.Inmanycasesthesitelocationsneeded

Narrowband ethernet radio Solves IP Delivery to remote Applications


ClearSCADA SecurityHistoricallySCADAsystemshavebeenisolatedentities,notconnectedtoothersystems,wideareanetworks,ortheWorldWideWeb,butthisisnolongerthecase.ThekeyistouseprovenITsolutionsforsecuringnetworksandapplythemtoSCADAnetworks.Further,likeSCADAsystems,ITnetworkssystemsareonlyassecureastheresponsiblepeoplemakethem.

ThewaythatcomputersandITtechnologyhaverevolutionizedourdailyliveshasaffectedSCADAsystems,althoughsomewhatbelatedly.ThedemandonSCADAsystemsnowistosharedatawithotherparties,enablingremoteaccesswhilestillprovidingasafeandsecureenvironment.ModernSCADAshouldhavefeaturesandfunctionalityallowingthemtointegrateintoasecureITenvironment.ThisisparticularlythecasewhenSCADAsystemsareresponsiblefordealingwithassetsspreadoveralargegeographicalareaandwherestakeholdersintheSCADAsystem(operators,engineers,third-partydatabases)donotresideinthesamelocationastheSCADAsystem.ClearSCADAprovidesasecureenvironmentontwolevels.Firstly,forconnectivitybetweenSCADAserversandclientsintermsofarchitecture,thisincludesSCADAthickclients,webclientsandinterconnectivitytootherSCADAsystemsordatabases.ItalsoprovidessecuritythroughuseraccesstotheSCADAenvironmentitselfwithauserprofile.

Security in ArchitectureTheArchitectureofaSCADAsystemisfundamentaltohowaSCADAsystemisdeployed,andespeciallytruewhensecurityisconsidered.TraditionallyITdepartmentshavenotbeenresponsibleforcateringtoITneedsofSCADAsystems,mainlyduetothespecifictechnologysetandstandardsusedbySCADAsystems.TheClearSCADAhostsoftwareiscomposedofthreecorecomponents:

• TheClearSCADAServerApplication.• ViewX,themainintegration

developmentenvironmentandmainOperationtool.

• WebX,aselfpublishingoperationtoolusingstandardwebtechnology,InternetExplorer©.

ClearSCADA ServerTheClearSCADAserverusesasecuritymodelthatencapsulatesallinterfacestotheserverrequiringaUsernameand

Passwordfromeachbeforeallowingaconnectiontobemade.ClearSCADAalsousesTCP/IPinsteadofUDPforcommunicationsbetweenredundantserverandallclients.Thisprovidesasmallernetworkfootprintthatkeepstheserverhidden.EachClearSCADAServerhasadefinableportforexternalaccess;thisisrequiredsothatITsolutionscanprovidethesecureinterlinkingbetweentheViewXorWebXandtheClearSCADAserver.ManySCADAsystemmanufacturersrequirenotonlyproductsfrommultiplevendors,butmultipleserverstorunthispatchworkofproducts.TheonlytimethatClearSCADArequiresmultipleserversisinthecaseofredundantorperformanceservers.Whenmultipleserversareused,eachisacompleteClearSCADAimplementation,puttingmuchlessrelianceonWindowsServices,whichisoftenthetargetofsecurityattacks.

overview of ClearSCADA Architecture deploymentTheperformanceserverisusedonlargeClearSCADAsystemswherethereisarequirementforlargenumbersofclientaccessviaViewX,WebXorthird-partydatabases.ItisitselfafullimplementationofClearSCADA,exceptthatitisalwaysastandbyClearSCADAservertoaMainClearSCADAserver.Itprotectsthemainandredundantserver’sperformancebyprovidingtheresourcestomaintainlargenumberofclientconnectionsandthirdpartydatabaseaccessatacosttothemainClearSCADAserverofsynchronizingthedatatothepermanentstandbyserver.

TheperformanceserverhasDMZfunctionalityprovidingdataexchangesbetweenthemainClearSCADAserverandtheperformancestandbyserverthatareunidirectionaltothepermanentstandbyserver.Thisallowstheperformanceservertoresideonthe‘outside’ofafirewallandprotectsthemainClearSCADAserverandanyotherstandbyserversfromexternalthreatsshouldtheintegrityoftheperformanceserverbecompromised.

ViewXViewXisapurposebuiltapplicationforClearSCADA.Itprovidesboththeintegrationdevelopmentenvironmentandthemainoperationsenvironment.SuccessfulconnectionwiththeClearSCADAServerrequiresalicensewhichprovidesafirstlayerofsecurity.OnceaViewXsessionconnectstoClearSCADA,usernamesandpasswordscredentialsarerequiredtoaccesstheSCADAsystem.TheViewXcomponentofClearSCADAcanresideonthesameserverastheClearSCADAServerapplicationoritcanbeplacedremotely.ThisisrequiredbySCADAusersonthemoveorwhoworkremotelyfromtheClearSCADAserver.ViewXhasdefinableportsforaccessingincomingdatafromtheClearSCADAserver.InconjunctionwithClearSCADAserverdefinableportsandITsolutionssuchasVPNconnections,remoteclientsconnectionscanbemadethataresecurefromexternalinfluences.

webXTheuseofWebtechnologyisamorerecentclientconnectiontechnologyemployedbySCADAsystems.DuetoSCADAsystemslaggingbehindintermsofSCADAsecurity,thisisviewedasthemostsusceptibleelementofaSCADAsystem.TheClearSCADAwebserverisaninnate,integratedpartoftheClearSCADAapplication.Itdoesnotrequiretheuseofanexternalwebserveroraseparateservermachine.ItisnotaWindowsService,butpartoftheClearSCADAserverapplication.ThewebserveritselfadoptsanumberofsecuritymeasurestoensurethattheSCADAsystemisnotcomprisedviaitsownwebserver:• Definableportsfor

bothsecureandnonsecureportsforHTMLandXMLinterfaces.

• SecureSocketlayerswithprivatekeysandcertificates.

Theseitemsarestandardwebtechnologyandfunctionalitythataresuccessfulatpreventingunlawfulaccessattemptsonwebservers.ThisisanotherexampleofhowClearSCADAusesintegratedfunctionalitywithITsolutionstoprovideasafeoperatingenvironment.

User ProfilesTheincorrectimplementationorthelaxsecuritysurroundinglegitimateusersorformerlegitimateusersisthelargestcauseforSCADAsecuritybreachesthathaveresultedinrealworldconsequences.Likeanyothersystemorsoftwaretool,ifsecurityisnot

I am from the Government and I am here to help. Noseriouslytheyreallyare!TheDepartmentofHomelandSecurity(DHS)isofferingonsite(over-the-shoulder)assistancetohelporganizationsperformaselfassessmentoftheircontrolsystemsusingasoftwaretoolcalledCyberSecurityEvaluationTool(CSET).Theassessmentstypicallytakeonetotwodaysandarefreetoallcompaniesthatsupportthenationscriticalinfrastructureincludingagriculturalirrigationdistricts,waterutilities,electricalutilities,powergeneratorsanddams,chemicalplants,criticalmanufacturingandrefineries.TolearnmoreabouttheCSETassessmentsgotohttp://www.us-cert.gov/control_systems/.Torequestanassessmentemailyourrequesttocssp@hq.dhs.govasidentifiedonthewebsite.

Why Your Business Should Migrate to ClearSCADAn Reduceengineering,operation,

andmaintenancecostsn Integrateopenstandardsinto

yourSCADAenvironment

Visit www.clearscada.comto learn more about the industry leading SCADA host software

CONTROLMICROSYSTEMS www.c ontrolmicrosystems .com

Represented by

Bakersfield.MillValley.NewportBeachContact us: 1-888-ASK-SAGE • www.SageDesignsInc.com

n Investinanarchitecturethatgrowsandadaptstoyourchangingneeds

n Flexiblerichclientandwebinterfaces

n CompellingROI

Continued on page 7


150 Shoreline Hwy. #8A � Mill Valley, CA 94941-3634 � 1-888-ASK-SAGE or 415-331-8826 � 1-888-FAX-SAGE � www.SageDesignsInc.com

F r e e S C A D A S e m i n a r

W i r e l e s s E t h e r n e t : A S p e c t r u m o f P o s s i b i l i t i e s

M a y 5 , 2 0 1 0 M a y 6 , 2 0 1 0 8AM – Noon 8AM – Noon

Irvine Marriott Doubletree - Livermore 18000 Von Karman Avenue 720 Las Flores Road Irvine, CA 92612 Livermore, CA 94550

8:00 – 8:15 Continental Breakfast & Introductions

8:15 - 8:45 A Spectrum of Possibilities From narrow-band to broadband mesh networks, Tony Sannella, President of Sage Designs, will discuss the relative merits of various wireless Ethernet solutions and what they will and won't do for you.

8:45 – 9:45 Narrowband Ethernet Radio Advancements Mark Hubbard, President of Teledesign Systems, will discuss the long range communications capabilities of new narrowband Ethernet radio solutions used to enable wide area networks to provide Ethernet level support to IP-based devices at very remote locations.

9:45 – 10:00 Break

10:00 – 11:00 900 MHz Spread Spectrum Ethernet Radios Jim Quist, Water/Wastewater Sales Manager for Control Microsystems, will discuss how Trio 900 MHz spread spectrum Ethernet Radios can fill the gap between the long-range capabilities of the narrow-band Ethernet solutions and the broad band capabilities of the high-frequency mesh network solutions.

11:00 - Noon Broadband Wireless Mesh Technology Jeff Butler, Systems Engineer for Firetide, will discuss: Taking your system architecture to the next level of performance. How a broadband infrastructure mesh topology can provide both the scalable and cost effective solution required to support your future application requirements of Video surveillance, VOIP, and high throughput WAN.

_____________________________________________________________________________________________________________________

Pre-registration Required

To Register: Call 1-888-275-7243 to reserve your seat. Then complete the information below and send to us via fax to 1-888-329-7243 or by email

[email protected]. A confirmation will be emailed to you. Hotel Directions can be found on the Events Page of our website: http://www.sagedesignsinc.com/events.

□ Register me for the free seminar in Irvine on Wednesday, May 5, 2010

□ Register me for the free seminar in Livermore on Thursday, May 6, 2010

Name (please print):

Title:

Company:

Phone:

Address:

Fax:

Email:

City/State/Zip:

Dietary Restrictions:

* * * Registration Deadline: April 30, 2010 * * *

There is no charge for this event, but we would appreciate notification if you must cancel your reservation.


ClearSCADA Training Coursemay 24-27, 2010 - mill Valley, CA fall 2010 - mill Valley, CA (TBA)

Day1(8AM–4PM) InstallingClearSCADA,IntroductiontoClearSCADA, Components,UsingViewX,UsingWebX,ClearSCADAHelp

Day2(8AM-4PM) ConfiguringusingViewX,DatabaseOrganization,BasicTelemetryConfiguration,CreatingMimics,CreatingTrends

Day3(8AM-4PM) ConfiguringusingViewX,Templates&Instances,LogicLanguages,Security,CommunicationsDiagnostics

Day4(8AM-4PM) Reports,SystemConfiguration,SystemArchitecture,Questions

Cost: ClearSCADATrainingCourse $1,800

SCADAPack TelePACe Studio Training Coursemay 10-12, 2010 - mill Valley, CA August 10-12, 2010 - reno, NV fall 2010 - mill Valley, CA (TBA)An optional SCADAPack 350, SCADAPack 334 or SCADAPack 32 is available at a special price* with the course—an excellent way to get started using Control Microsystems’ Controllers.

Day1(8AM-4PM) SCADAPackcontrolleroperation,Series5000I/O,TelePACEStudiointroduction

Day2(8AM-4PM) TelePACEStudioadvancedprogrammingtechniquesandadvancedfunctions

Day3(8AM-2PM) Controllercommunications,ModbusMaster/Slaveprotocol,Diagnostics,Modems

Cost: SCADAPackTelePACEStudioCourse$1,275*OptionalSCADAPack350TrainingKit–adds$990*OptionalSCADAPack334TrainingKit–adds$990*OptionalSCADAPack32TrainingKit–adds$1,060

Instructors: ClearSCADA&SCADAPackTelePACEclasseswillbetaughtbyTonySannellla,SageDesigns,aControlMicrosystems’Factory-CertifiedInstructor.TheClearSCADATestDriveswillbeconductedbyIanMetcalfe,USClearSCADASales,ControlMicrosystems.Location:Seeindividualcourseregistrationform.Thoserequiringovernightaccommodationsshouldcallthehoteldirectlyforreservations.

what should I bring?LaptopcomputerwithminimumofWin2KorXPwith15mbfreediskspace,CDROM,mousewithascrollwheel,workingserialport,andnecessarypermissionstoinstallsoftwareonyourcomputer.

what is provided?Lunchandcoffee,softdrinksandsnackseachday.

*optional Training Kits at special course pricing (TelePACe class only): Limit one (1) for every two (2) students per organization. Training Kits will be shipped N/C to training facility, provided your registration is received approximately 4 weeks before the first day of the course, or shipped to you after the course when available. Training kits include a SCADAPack 350, SCADAPack 334 or SCADAPack 32 Controller, TelePACE Studio Software, Hardware Manual (on CD-ROM), I/O Simulator board, AC/2 Transformer, & programming cable. Prices do not include applicable California sales taxes.

TM Training Classes

Download the registration form at: http://www.sagedesignsinc.com/events/index.htm

Please send me the Registration Form ClearSCADA: ❑ may 24-27, 2010 ❑ fall 2010 (TBA) SCADAPack TelePACE: ❑ may 10-12, 2010 ❑ August 10-12, 2010 ❑ fall 2010 (TBA)

Name(please print): Title:Company: Phone:Address: Fax:

Email:City/State/Zip:

* * * Registration Deadline: 3 weeks before 1st day of course * * *Allregistrationsaresubjecttocancellationfees.Aconfirmationnoticewillbesenttoallregistrantsonorbeforethedeadlinedate.

August 17 (Northern CA)August 19 (Southern CA)

free Hands-on Test DriveCalltoRegisterorScheduleyourOwnCall 1-888-ASK-SAGeemail:[email protected]


wireless ethernet A Spectrum of PossibilitiesasTeledesignSystems’canpunchrightthroughheavyfoliageincludingRedwoodorPineforestsandstillgetoveroraroundhills,leaptallbuildingsandotherobstructions,toreachoutseveralmilestoconnecttoaremotesite,andwhilethespeedmaybelimited,youstillgettheadvantagesofanEthernetbasedsystem.Thenextmoveupthespectrumtakesyoutothetraditional900MHzSpreadSpectrumwhereyouget500timesmorespeed.Therangeandabilityofthesesystemstoshootthroughtreesoroverhillsisprettylimited,althoughatrueline-of-sightpathisnotnecessaryinmanycases.WithaproductliketheTrioJ-Seriesradio,youwillfindthatthethroughputismorethanadequateforyourSCADAsystem’sneeds,withveryfastpolltimesandplentyofbandwidthforon-lineprogrammingofremotes.TheproblemwiththetraditionalSpreadSpectrumperformanceis:even500Kbpsto2Mbpsspeedsofferedfallfarshortofwhatyouwillwanttohaveifyouplantotransmitvideowithyoursystem.Ifthisisthecase,youwillwanttotakealookatthetrulyhigh-speedradiosystemssuchaswhatFiretideoffers.Withovertheairthroughputintherangeof30–200Mbps,evenhigh-resolutionvideocanbesupportedwithoutnoticeabledegradationofyourSCADAsystem’sperformance.Thetwolimitingfactorstothissolutionaretheneedforatrueline-of-sightpath(exceptintherarecircumstance),andtheincreasedcostoftallerandmoreexpensiveantennastructuresandhardware,andtheneedformorerepeatersinatypicalsystem.Ifnoneoftheseproductsofferasolution,therearestillsatelliteandcellular-basedsolutions,ifyoudon’tmindrecurringfeesandmakingyoursystemreliantonthingsbeyondyourcontrol.Inanyofthesecases,acarefulanalysisofyourapplicationandconditionsonthegroundwillpointtooneormoresolutions.

Communication... any way you want itn BlackBerryoperatorinterfacewith

alarms,status,andcontrolfunctionsn Webinterfacewithcontrol,monitoring,

andconfigurationcapabilityn GPRScellularmodemforSMSandemail

alarmnotificationsandacknowledgment

CONTROLMICROSYSTEMSwww.controlmicrosystems .com

the complete pump station controller

Sage advice

WithdemandsfornotonlymoreinformationfromyourSCADAsystem,butfortheabilitytomovedataaroundyoursystemwithouttheconstraintsoftraditionalSCADAcommunicationsmedia,moreandmoreusersarelookingtoEthernetradiosforsolutions.NotonlycananEthernetsystemallowyourPLC/RTUstoexchangedatadirectly,butyoucanusemultipleprograms,suchasprogramming/configurationsoftwareoverthesamechannelasyourSCADAhostsoftware.Asremoteequipment,whetherdrives,analyzers,sensorsortreatmentequipment,becomemoreandmoresophisticated,itisbecomingrarenottoseeanEthernetconnectionavailableonwhateverprocessortheequipmentincludes.Theseinterfacesallowyoutocollectmoredetailedinformationaboutthehealthandperformanceofyourequipment,aswellasyourprocesses,helpingyoumakebetterdecisionsaboutcontrolsandallocationofresources.Fortunately,thevarietyofwirelessEthernetsystemsisgrowing,providingasolutiontoalmostanysituation.Forradio-basedsystems,youcanchoosefromnarrow-bandVHFandUHFsystems,traditionalSpreadSpectrumorhighperformancemicrowaveequipment,eachofwhichmay,ormaynot,workinagivenapplication.

How to Choose:ThemostobviouswaytoselecttheproperWirelessEthernetsystemisbylookingatyourterrainandfindingafrequencywhichwillperforminyourapplication.WhileitistruethatlowerfrequencysystemssuchasVHFandUHFhavemuchbettersignalpropagation,you’llfindthatthenarrow-bandsystemssuchasthesewillhaveprettylimitedthroughput.Ifyouconsiderthattheserialversionsoftheseradiosgenerallyrunat9600baudorless,Ethernetwithitsadditionaloverheadwillmakethingsevenslower.Ontheotherhand,aVHFsignalfromasystemsuch

Speed mattersTheOtayWaterDistricthasabout125squaremilesofserviceareaand60,000customersandhasbeeninbusinessservingourcustomersformorethan50years.Manyofourmorethan50remotefacilities,reservoirs,pump/hydrostations,countyconnections,etc.,areingeographicallyisolatedandnon-denselypopulatedareas.Asaresult,optionsforgettinglandmethodcommunicationstothesesites(T1,DSL,Cableetc)wasrealisticallycostprohibitive,withsomebidscominginashighasnearly$100,000amonth.

Duringaverydifficulttrialphasewithanotherwirelessvendor,westumbledaroundforayearormoretryingtogetanacceptablebandwidth.Ourgoalwas30MB+toeachofoursites,enoughtohandleSCADA,securityincludingvideosurveillance,andlocalWiFiaccessateachsiteforouroperatorsandotherstaff.Asitturnsout,weabandonedouroriginalvendorandcalleduponSageDesignsinpartnershipwithFiretidetoprovideuswithademo.Withoutanyhesitation,KenVandeVeerfromSageDesignsandJeffButlerfromFiretidewereworkingwithinourdistrict,climbingtanksandladdersandinstallingaproofofconceptdesignforOtay.Withinabout3weeks,wehadachievedrealspeedsinthe100MBrangeutilizing802.11Ntechnology.SageDesignsrecommendedthenewFiretide7200MIMOoutdoorradiosforthedemonstration.The

radiosandantennasweremountedat4sitesinalinearmodetoaccomplishthelinkfromTreatmentPlanttotheAdministrationBuilding.Oncetheinstallationwascomplete,FiretideprovidedLinuxLaptopstoperformindustrystandardiPerftesting.ForsomeoftheWaterWellandBoosterStationswheretreesmakeitimpossibletousetheupperfrequencies5.2MHzand5.8MHz,wehaveusedtheFiretide6200-900.ThisdualRadiohasoneradioat900Mhzandoneradioatthehigherfrequencies.Themoreforgiving900Mhz

frequencyisusedtohelpovercometheobstaclessuchasvegetationandtrees,andwillbeusedtosendthedatatohigherelevationsatthereservoirs.Oncethe900MhzreachestheReservoirs,thesecondradioonthe6200-900whichusestheupperfrequencies5.2and5.8tosendthedatabacktothecontrolroom.WehavesincesenttwoofourengineerstoFiretideheadquartersfortrainingandhappilysettleduponFiretideradiospartneredwithSageDesignsInc.asthesolutionforconnectingOtayWaterDistrictfacilities.Wehaverolledthisouttomorethan12sitesto-date,creatingapointtomulti-pointdesignthathasexceededourexpectations.—Bruce Trites, Network Engineer, Otay Water District, Spring Valley, CA

New California water Bills require more monitoringmeasurementandreportingofwatersuppliesandusagearekeytotheplansuccesses.Withoutaccuratereporting,therewouldbenowaytogaugeprogressorcompliancewiththeprovisionsofthebillsandfailuretoaccuratelymeasureandreportthisinformationcanresultinineligibilityofwaterretailerstoreceivestategrantsorloans.NoneofthesemeasuresbythemselveswillmeananendtothewatercrisisinCalifornia,butgoodplanningrequiresgooddataandthesebillsacknowledgetheneedformoredetailedandaccurategatheringofinformation.

FivenewbillswerepassedbytheCaliforniaLegislaturewhichwillhavefar-reachingeffectsonmonitoringpracticesinwaterandirrigationdistrictsthroughoutthestate.Whileoneofthemeasuresisfortheissuanceforover$11Billionofbondstofundwaterconveyance,storageandconservationprojects,accuratemeasurementofwaterdiversions,groundwaterdrawdown,deliveriesanddrainagearealladdressedinthese5bills.While$11Billionsoundslikealot,itisclearthatadditionalfeesandincreasedwaterratesaregoingtobenecessarytofullyfundtheambitiousplanslaidoutbytheState.Inareviewofsomeofthelanguageofthesebills,itiseasytoseethataccurate


managing your SCADA Software Purchases• Formost,thereisnograceperiod

betweenthelapseofsupportandreinstatementfees

• SupportformostincludesbothTechSupportandVersionUpgrades.

• Licenseisoftenassignedtointegratorandmustbetransferredtoenduserwhichcanbeadifficultprocess.

Foracomparison,youcanseethatClearSCADAhasroughlysimilarpolicies:• Supportnotincludedinpurchase

pricewiththeexceptionofCSIntegrationPartnerswhoget90daysofsupportwitheverynewlicense.

• NoformallapsegraceperiodbutyourRepresentativecangetyousometimetoprocesspaperworkifneeded.

• Supportincludesversionupgradeandtechsupportalthoughtechsupportisgenerallyavailableeventothosewithlapsedornosupportcontracts.

• Licenseisalwaysinend-user’sname,notransferisrequired.

Asyoucansee,failingtoallowforsupportandproperlicenseregistrationinbidspecificationscanresultinextraworkandheftyfees.Inmyexperience,fingersgetpointedinanumberofdirectionsandnoonegoesawayhappy.Besurethatyourbidspecificationscalloutforsupportcontractsforanysoftwaretobesuppliedasapartoftheworkandthatalllicensesberegisteredintheend-user’sname.

Sage advice

Oneofthethingsaboutbidspecificationsthathasbecomeasorepointformeisthatalltoooften,theyfailtorequiresoftwaresupportlicensestobeincludedinbidpricesforprojects.Thiscanresultinsignificantadditionalcostsfortheenduser,asmostofthemanufacturersaddchargestotheirsupportfeesiftherehasbeenalapseofsupportcoverage.Thisisoftenthecaseiftheintegratorpurchasesthelicensetodeveloptheprojectandisnotrequiredtospendtheroughly15%extratogetayear’scoverage.Withoutcontinuouscoverage,mostofthemanufacturerswillchargeupto50%ofthelicensepricetoreinstitutethesupport,mainlytopreventsomeonefrombuyingsupporteverythirdyearinordertogetupgradedtocurrentversionsforcheap.TheendresultisthattheendusermustscrambletogetanunexpectedPOtogethertothemanufacturersothattheycanhavecontinuoussupportandavoidreinstatementcharges.Anotherrelatedissueisthatthespecificationshouldbesuretocallfortheregistrationofallsoftwareusedinaproject,belicensedintheend-user’sname.Thisincludes;HMIs,PLCprogrammingsoftwareandothersoftwareproductsusedintheprojectasthetransferoftheselicensescanbedifficultandshouldnotbeoverlooked.Inveryroughdetail,belowarethetermsofthemajorprovidersofHMI/SCADAhostsoftware:• Supportisnotincludedinthe

purchaseofSCADAsoftwarewithfewexceptions

forthesecondaryrelaynodesarenotcontrolledorownedbythenetworkowner.Thecosttonegotiatelandgrantsorleasetowerspace,prepareconstructionpermits,andtheninstallandmaintainthesecondarynodescansometimesbemorecostlythantheprimarynetworkitself.Tosolvethisproblem,anewclassofwirelessEthernetcommunications,commonlyreferredtoasNarrowbandEthernetRadio,hasemergedasalongrangecommunicationssolutionforwirelessEthernetnetworks.NarrowbandEthernetRadiotakesitsnamefromtheRFspectrumwhereitoperates.Severalfrequencybandsbelow900MHz,2.4GHzand5.8GHzareallocatedstrictlyfornarrowbandoperation.Theselowerfrequencybandshaveadvantagesthatallowthemtosupportlongerrangecommunications.First,theRFpropagationcharacteristicsoftheselowerfrequenciesallowtheirsignalstopenetratefoliage,hillyormountainousterrain,andurbanenvironmentsmuchbetterthantheirhighfrequencycounterparts.Becauseofthesecharacteristics,theselowerfrequencybandscanprovidestableandreliablecommunicationsinnon-LOSconditions.Second,thelowtransmitpowerlimitationsofthehigherfrequencybandsdonotapplytotheselowerfrequencies.Thetransmitpowerlevelsallowedontheselowerfrequencybandscan,insomecases,bemorethan200timesgreaterthanthepowerallocationsallowedonthehigherfrequency,widebandwidthbands.Andthird,thelowerfrequencybandsrequirelesstransmitenergyperbyteofdatatocommunicatethesamedistanceasabyteofdatatransmittedonthehigherfrequencybands.Theseadvantagesaddupto

theabilityoftheselowerfrequenciestosupportnodetonoderadiolinksinexcessof100milesforsomebands.Thetradeoffforlongrangecommunicationsontheselowerfrequencybandsisnetworkthroughput.ThenarrowbandnatureofthisspectrumlimitsthespeedatwhichtheEthernetnodescancommunicate.ForsomewirelessEthernetapplications,wherehighthroughputisamusttosupportstreamingvideoorbulkdatatransfers,thespeedprovidedbythenarrowbandspectrumisinadequateforpracticaloperation.However,forEthernetbasedSCADAsystemscontrollingthemovementofnaturalresources,monitoringweatherconditions,relayingremotestreamgagemeasurementsorprovidingbackupmonitoringofwideareacontrolsystems,thethroughputspeedofthesenarrowbandnetworksisveryadequateforreliablesystemoperation.Formanyoftheseapplications,dataupdateratesaremeasuredinseconds,whereastolerabledelaysinstreamingvideoandhighspeedfiletransfersaremeasuredinmicroseconds.AnexampleofaSCADAsystemthatdirectlybenefitsfromtheadvantagesofanarrowbandEthernetnetworkisawideareafloodcontrolsystembasedinCaliforniaandoperatedbytheUSArmyCorpsofEngineers.Thissystemconsistsofseveralfloodcontroldams,numerousweatherstations,streamflowgages,dammonitoringandcontrolsitesanddatacollectionpoints.Theweatherstationsareusedtotrackshorttermandannualrainandsnowlevelsandtoestimatepotentialfloodconditionsbasedontemperatureandweathervariations.Thestreamflowgagessensenormalandabnormalflowsalongriversfeeding

Narrowband ethernet radio Continued from page 1

intoandoutofthedams.Manyofthemonitoringandcontrolsitesareinveryremotelocationsonlyaccessiblebyfoot,horsebackorhelicopter.Thesesitesarelocatedincanyons,mountainouswatershedandbackcountryvalleyswhereLOScommunicationsisimpossible.And,sincemanyofthemonitoringsitesarelocatedwithinnationalparks,theconceptofinstallingdozensofsecondarynodestorelayhighspeedEthernetintotheseregionsisnotpossibleduetotheregulationsandpermitrequirementsleviedbytheparkservicetopreservetheparks.

WiththedemandsofthistypeofSCADAsystem,thebenefitsofusingremoteIPbaseddataloggersandmonitoringequipmentthatcanberemotelyupdatedandreconfiguredviaanIPbasedwirelessnetworkpayshugedividendsinnotrequiringexpensivetripstothebackcountryforoperationalchangestotheequipment.ThenarrowbandEthernetnetworkutilizedbytheCorpswillprovideITlevelnetworkingtoalloftheremotesitesandusersinthesystem.—Mark Hubbard, President, Teledesign Systems


correctlydefinedandadministered,itisnosecurityatall.AlthoughitisimpossibleforanySCADAproducttocomeupwithanallencompassingsecuritythatresolvesnoorlowsecuritystandards,ClearSCADAhasemployedmanysecurityusercredentialtoolstohelpasystemadministratordefineandsetsecuritystandardsacrosstheSCADAsystemandtoalwaysbeincontrolofwhoaccessthesystemandhow.UserprofilesidentifyanddefinelegitimateusersonaSCADAsystem.Theusercanbedefinedasaperson(OperatororEngineer),oraprocesssuchasathirdpartydatabasethatrequiresdatafromtheSCADAsystem.ThesystemAdministratorcanalsoeasilyremovetheprivilegessetoutforanyuser.ClearSCADAusesthefollowingtoolstodefineauserandhisaccess:• Intermsofaccess,auserisprovided

withaseriesofprivilegesthatwillgrantthemaspecificlevelofaccesstotheSCADAsystem.ItalsoprovidesaccessorrestrictiontoparticularareasoftheClearSCADAdatabase.Soaccessisdefinedasaseriesofprivilegestospecificareasofthedatabase.Further,userscanhavedifferentsecurityprivilegesetsfordifferentpartsofthedatabase.

• TheUserprofilealsodefineshowauserorstakeholdergainsaccesstotheClearSCADAsystem,viaViewX,WebXorphonedialin.IfausertriestoaccesstheClearSCADAserverviaamethodtheyarenotpermittedbytheiruserprofile,theywillnotbeabletogainaccessviathatinterface.

• Thereareaseriesoftoolswithin

ViewXthatprovideauserwithfunctionalitywithinClearSCADA:• AccessandusingAlarms.• Accessandusingengineering

andoperationaltoolbars.• Rulesandfunctionsforuser

passwords.Theseitemsarenormallyconfiguredbyasystemadministrator.UsingthesetoolslimitsaccesstofunctionalityencapsulatedbyViewX.SosecurityoftheViewXapplicationitselfisprovidedinpartbyconfiguringuserfunctionality.

Security StandardsSCADAsecurityisunderthemicroscopefollowinghighprofileSCADAsystemfailures,discussionathighpoliticallevelsandthethreatofespionagebyforeignagencies.Asaresult,confusionreignsoverwhatSCADAsecurityis.SCADAsystemoperatorsareconfrontedbyanarrangementofstandardsthatoffersolutionstoSCADAsecurity.ThisleadstoconfusiononwhatsecurityreallyisandtherealdangerousclaimthataparticularSCADAproductiscomplianttoaparticularSCADAsecuritystandard.Nomatterwhatsecuritystandardisdiscussed,itisnotaSCADAhostproductitselfthatiscomplianttoastandardbutthewholeSCADAsystemitself.SecurityisappliedtoaSCADAsystemfromnotjusttheSCADAhostsoftwarebutincombinationwithITsolutions,systemadministratorsandusers.ItisdefiningaprocessoraseriesofprocessesthatdictatehowtheSCADAHostsoftware,networkandusersworktogethertoproduceasecureSCADAenvironment.ThisalsoextendsintotrainingandplanningthatareoftenforgottenelementsofaSCADAsystem.— Ian Metcalfe, US ClearSCADA Sales, Control Microsystems

ClearSCADA Security Continued from page 2 Solar SystemsUNDer THe HooDTheotherdayIwasaskedaquestionaboutashuntcontroller.Itgotmethinkingthatmanypeopledonotknowwhatis“underthehood”ofthemyriadofchargecontrollerscurrentlyonthemarket.Sohereisaquickrun-downonthemostcommontypesandtheirprimaryuses.Themostbasicchargecontrollerisanon/offswitchandahumanhand.Whenthebatteryisfull,thehumanturnsthesolarmodulesoff.Thedownfallofthismethodisthehuman.Theyareexpensivetomaintain,unreliableandhardtokeepfocused.ThesecondmostbasiccontrolleristheSHUNTcontroller(liketheASClinefromSCI).TheSHUNTisbasicallyanelectronicswitch.Whenthebatteryreachesthehighvoltagesetpoint,theswitchisengagedtoshortcircuitthesolararray,stoppingtheflowofcurrenttothebattery.Theseunitsareveryreliableandinexpensivebutnotveryefficientinthelast20%ofthechargingcycle.ThethirdtypewewillcovertodayisthePulseWidthModulated(PWM)seriestypecontrollers.Thisclassincludesthevastmajorityofcontrollersavailableontoday’smarket.Examplesofkin-under-the-skincontrollerinthiscategoryareMorningstarsentireline,fromthelittleSunGuardtothemightyTriStar.Alsointhisclassarethe“C”seriescontrollersfromXantrex,andtheentirelineofStecacontrollers.PWMcontrollersworklikeallothercontrollersforthebulkpartofthechargingcycle.Theyjustpassallofthecurrentandwatchthebatteryvoltagefortheirchancetostrike.Whenthevoltagereachesapredeterminedpoint,thecontrollerbeginstotaperoffthecurrentflowtomaintainthatvoltage.Theydothisbyswitchingthecircuitonandoff,atfirsttheyusewiderpulses(onforalongerperiodoftime)topasshighercurrents.Asthebattery“topsup”thepulsesgetnarrower,taperingthecurrentflow.Iliketheanalogyoffillingacupwithsoda.Atfirst,youletitgofullblast,butasitnearsthetopofthecupyouhavetostoptheflowandwaitforthebubblestosettlebeforepushingtheleverandblastingitagain.Ifyouarepersistentaboutgettingthecupfulltothetop,youwillsoonbehittingitwithquickerandquickershotsfromthetap.Formanyyearsnow,PWMwasconsideredtheultimatechargingmethod.AndthencameMPPT.MaximumPowerPointTracking(MPPT)takesadvantageofcrystallinesolarmoduledesigntogethigherperformancefromasolararray.Inthebeginning,thevastmajorityofsolararrayswereusedforchargingbatteries.A12voltfloodedleadacidbatteryneeds

tohave14.5voltstobefullychargedandatleast15.5forequalization.Thisforcedthemoduledesignerstouse36cellssothatnomatterhowhotthemodulegot(crystallinemoduleslosevoltageastheygethotter)youcouldalwaysgetenoughvoltagetomaintainyourbattery.Thismeantthatforagoodpercentageofthetime,youwereleavingpower(excessvoltage)onthetable.Thankstoelectroniccomponentsgettingcheaper,controllermanufacturerscannowtakeadvantageofanyexcessarrayvoltagetocreateusablecurrentatacostthatthebuyeroftoday’slargesolarsystemscanafford.Nowonthosesunnybutcooldays,youcangetsignificantlymorepowerfromyourarrayandgetmoreoftheWattsthatyoupaidfor.ExamplesofthisnewbreedofchargecontrolleraremanufacturedbyBlueSkyEnergyandOutBackPowerSystems.Thesecontrollershaveonemorebigplustooffer.Let’simaginethatyouhavea12voltbatterybankandyouwanttoincreasethesizeofyourarray.Firstyouhavetheproblemofyourpresentwirebeingsizedfortheamountofcurrentthatyouarealreadyproducing.Toaddtoyourarray,youwillhavetorunanotherwire,right?Wrong!IfyouuseanMX-60,youcanre-wireyourarraytoahighervoltage,say60volts,andwhenitgetstotheMX-60andyourbatterybank,thecontrollerwilldropthe60voltsbackto12volts(DittoBlueSkybutwithasmallervoltagerange).Youhavenowsavedthecostandlabortobuyandburyanotherwire.Ain’ttechnologygrand?Bynecessity,Ihaveleftoutthingslikemetering,networking,diversionchargingandloadcontrol(tonamejustafew).Today’scontrollershavemorebellsandwhistlesthantheBurlingtonNorthernRailroad.Solikeautomobiles,theyareallbasicallythesame,andyeteachonehasfeaturesthatmakethembetterforaparticularjob.Thisishowyouearnyourkeepbylearningallofthesefeaturesandhelpingyourcustomerschoosetherightcontrollerforthejob.Hopefullythisshortarticlegaveyouabasicunderstandingofwhat’s“UndertheHood”ofchargecontrollers.— Larry Cooper, Senior Associate Engineer, KYOCERA Solar, Inc.Kyocera is one of the world’s largest vertically-integrated producers and suppliers of solar energy products. Our solar division is headquartered in Scottsdale, Arizona, with regional sales centers on five continents, Kyocera Solar, Inc (KSI), our North American solar products subsidiary, services thousands of customers in both the developed and developing world.

efficiency-constrainedunitcommitmentforpumps,andastate-estimatorfordetectingtransducerfailures.“The Cal Water SCADA staff are pleased to be recognized for design and implementation of the California State-wide SCADA system”,saidClydeMcMorrow,SecureSCADAProgramManageratCalWater.“Among numerous critical suppliers, Control Microsystems was chosen as radio advisors and PLC suppliers, collaborating in a solution to provide Cal Water customers with the highest level of available technology, security, and service.”TheCalWaterteamcanprogramtheSCADAPackcontrollersremotelyfromtheirmainofficesandensurethatthepumpsarerunningatoptimumspeeds

forincreasedefficiencyandreducedoperatingcosts.

About California water Service CompanyCalWateristhelargestinvestor-ownedAmericanwaterutilitywestoftheMississippiRiverandthethirdlargestinthecountry.TheyarethelargestsubsidiaryoftheCaliforniaWaterServiceGroup,whichalsoincludesWashingtonWaterServiceCompany,NewMexicoWaterServiceCompany,HawaiiWaterServiceCompany,andCWSUtilityServices.Asawhole,theGroupprovideshigh-qualityregulatedandnon-regulatedutilityservicestoapproximately2millionpeoplein100communities.Formoreinformation,visitwww.calwater.com.

Innovators Award Continued from page 1

WIRELESSSpread Spectrum & Licensed Radios

Broad-band Mesh Networks Wireless Sensors

SCADAHMI Software &

Controllers

Out-of-the-Box Pump Controller

WIN-911 Alarm Notification Software from Specter Instruments

KYOCERA Solar Arrays & Charge Controllers

SECURITYAnalog & IP Cameras, Video Surveillance

Hardware & Software

PureActiv Video Analytics & Camera Management

1-888-ASK-SAGE • 1-888-FAX-SAGEwww.SageDesignsInc.com

Acknowledgements: SCADAPack™, FlowStation™, and ClearSCADA™ are trademarks of Control Microsystems Inc. Win-911® is a registered trademark of Specter Instruments. HotPort™, HotClient™, and HotView™ are trademarks of Firetide, Inc.. Firetide® is a registered trademark of Firetide, Inc.

S C A DA , S e C u r i t y & Au to m At i o n n e w S l e t t e rCa lendar of Events

SAvE A TREE

150 Shoreline Hwy., Suite #8AMill Valley, CA 94941-3634

Return Service Requested

STANDARD MAILuS poSTAGE pAID

pERMIT 191SANTA RoSA CA

March18,2010 CweA Tri-Counties march workshop & exhibit,Goleta,CA

March23-24,2010 USCID water management Conference, Sacramento,CA

March31,2010 CA-NV AwwA 2010 Spring Conference, Hollywood,CA

April13-15,2010 eNTeLeC 2010 Conference & expo,Houston,TX.VisitControlMicrosystems’booth.

April21-22,2010 CweA 82nd Annual Conference, Sacramento,CA

April28,2010 Cal rural water 2010 expo,LakeTahoe,CA

May5,2010 free SCADAwise Seminar*,Irvine,CA

May6,2010 free SCADAwise Seminar*,Livermore,CA

May10-12,2010 TelePACe Studio Ladder Logic Training Course*, MillValley,CA.

May13-14,2010 ISA/SSJV Section Cajun feast & exhibit, Bakersfield,CA

May24-27,2010 ClearSCADA Training Course*, MillValley,CA.Aug10-12,2010 TelePACe Studio Ladder Logic Training Course*, Reno,NV.

Aug17,2010 free ClearSCADA Test Drive (NorthernCA-TBA)*

Aug19,2010 free ClearSCADA Test Drive (SouthernCA-TBA)*

September23-25,2010 Tri-State Seminar on the river, Primm,NV

October5-8,2010 CA-NV/AwwA 2010 fall Conference, Sacramento,CA

Fall2010(TBA) TelePACe Studio Ladder Logic Training Course*, MillValley,CA. Fall2010(TBA) ClearSCADA Training Course*, MillValley,CA.

*Downloadtheregistrationformfromourwebsiteorcallformoreinformation.

Documents

SCADA, SeCurity & AutomAtion newSletter...2010/05/05 · 150 Shoreline Hwy., Suite #8A • Mill Valley, CA 94941-3634 • 1-888-ASK-SAGE (1-888-275-7243) • 1-888-FAX-SAGE • ClearSCADA