Lecture Notes for

EE-647 Cyber Security of Industrial Control Systems

Ghulam Mustafa

Professor, Department of Electrical Engineering

Pakistan Institute of Engineering & Applied Sciences
Email: [email protected], Homepage: faculty.pieas.edu.pk/gm
 Lecture-3: ICS Architectures

What is a Distributed Control System (DCS)?

Functional Components of a DCS

Functional Features of a DCS

3-1
 What is a Distributed Control System (DCS)?
[center]
A PLC can control one or a few production processes. It cannot coordinate the control
of an entire plant. A Distributed Control System (DCS) can supervise and coordinate
each of the many controllers that are deployed across a plant.

A DCS is a system comprising of functionally and physically separate process

controllers, process monitoring and data logging equipment all of which are
interconnected through a fast, digital network.

As signified by the term “distributed,” DCS architecture enables distribution of the

controllers and the operator input elements through the network, called process control
network, which connects the different parts.

The hardware and software of the DCS are quite flexible and easy to modify and
configure. They are capable of handling a large number of loops.
What is a Distributed Control System (DCS)? 3-2
What is a Distributed Control System (DCS)? 3-3
Figure 2-7. DCS Implementation Example
 All data exchanged such as the presentation information for the multidisplays on
various operator control panels and historical data to and from archival storage have to
pass through the data highway. The data highway is, therefore, the backbone of the
DCS system.

The major advantages of functional distribution of hardware and software characteristic

of DCS are:

▶ Flexibility in system design

▶ Ease of expansion
▶ Reliability
▶ Ease of maintenance.

What is a Distributed Control System (DCS)? 3-4

 The control network is the most important component of DCS. Suppliers ensure this
through comprehensive maximum topology testing and subject the network to high
levels of message volume in test labs to ensure reliable network performance in
demanding environments. Most of the DCSs are provided with redundant industrial
Ethernet networking technology utilizing inexpensive off-the-shelf components to
provide a high-availability solution.

Control performance is another area where DCSs have great advantages. Good process
control is built on reliable and repeatable execution of the control strategy. While the
PLC runs “as fast as it can” the process controller favors repeatability. That means,
the control strategy runs on fixed clock cycles – running faster or running slower are
not tolerated.

What is a Distributed Control System (DCS)? 3-5

 DCS vendors also supply the control building tools, a data historian, trend tools, alarm
management, asset management, back up and archive, OPC servers, remote
maintenance servers, web servers, documentation servers, network management server,
business integration software, and graphics needed to run a plant as a single package
that can be easily deployed on the DCS.

On account of the systems approach to DCS design, the software elements can be
integrated to share a single data model, no matter where a data element resides, it can
be used by any element of the architecture and that particular data element need not
be duplicated. That is a significant advantage given the integrated nature of a typical
industrial automation system.

What is a Distributed Control System (DCS)? 3-6

 Design Considerations

Any modern DCS is expected to meet the following requirements from plant
operations and maintenance perspective.

High Reliability:
▶ A life-critical requirement for DCS.
▶ Extensive testing of components during design, development and manufacturing
▶ Redundancy in their design. Power supplies, data highways, traffic directors, and
controller electronics are important single points of failure in the system and are
considered as candidates for having redundancy

High Availability:
Availability is defined as the ratio of mean time between failure (MTBF) to mean time
between failure plus mean time to repair (MTBF + MTTR). A system is most available
when it is very reliable (high MTBF) and can be quickly repaired (low MTTR).
What is a Distributed Control System (DCS)? 3-7
 Low Cost:
The life cycle cost is lower in case of DCS compared to providing comparable level of
functionality using PLCs because the built-in functions and inherent integration
capabilities available in a DCS enable implementation and maintenance of a more
effective system with reduced labor and plant life cycle cost

High Alarm Management:

DCS must be capable of intelligent alarm management to aid in abnormal situation
management.

DCSs are designed with an alarm management system that dynamically filters the
process alarms based on the current plant operation and conditions so that only the
currently significant alarms are annunciated.

What is a Distributed Control System (DCS)? 3-8

 Scalability:
One of the chief considerations in the design of the engineering tools for a DCS is that
engineering time for system expansion and other changes must be considerably less.
Features such as batch updates, replication of application programs with suitable
substitution are provided in the engineering tools.
Real-Time Data Exchange:
A DCS has to share realt-time data across a network, despite the fact that the
components are geographically distributed. The objectives of a networking topology in
industrial automation systems include the following.
▶ Enable wide distribution of the components
▶ Connectivity to different machines and nodes
▶ Reliable data gathering and sharing
▶ Redundant communication medium
▶ Deterministic transmission and receipt of data
▶ Sufficient speed to match the plant requirements

What is a Distributed Control System (DCS)? 3-9

 Hierarchy of Plant Operations

▶ PCN (plant/process control network) layer where the process control operations
and data transfer occurs
▶ DMZ (demilitarised) layer where servers such as OPC, remote maintenance, web
servers can be operated
▶ PIN (plant information network) layer — for plant or office personnel access

What is a Distributed Control System (DCS)? 3-10

 Functional Components of a DCS
[center]
▶ Input/Output Subsystems
▶ Controller Subsystems
▶ Networks (PCN, PIN)
▶ Supervisory Systems (Engineering, Application, and Operation Subsystems)

Functional Components of a DCS 3-11

 I/O Subsystems

DCS operation and control depends on how the physical measurements are made and
transferred to digital control systems. A signal cannot be directly fed to the control
system; it must be converted or processed before being sent to the control system.
The signals are generally processed in three different ways:

1. analog signals directly being sent to the control system

2. analog-to-digital or vice versa conversion is done and sent to systems using digital
instruments
3. by dealing with the signals purely in digital form as digital-to-digital input and
output.

Functional Components of a DCS 3-12

 I/Os are broadly classified into the following categories:

▶ Analog Inputs
▶ Analog Outputs
▶ Digital Inputs
▶ Digital Outputs
▶ Pulse Inputs
▶ Fieldbus Inputs/Outputs

Functional Components of a DCS 3-13

 Fieldbus Inputs/Outputs (Communication)
Communication with field devices, input devices, i.e., sensors, and output devices, i.e.
actuators. Many protocols are used. Some are:

▶ HART: Used in process control instrumentation such as temperature, pressure,

level, flow, conductivity, density, concentration, resistivity, dissolved oxygen,
oxygen transmitters as well as final control elements such as control valve
positioners.

Functional Components of a DCS 3-14

 ▶ Modbus: Modbus/RTU has been adopted in a very wide range of distributed
peripherals such as conventional I/O blocks, flow computers, remote terminal
units (RTU), and weighing scales. Final control elements such as a.c. and d.c.
drives are also available.
▶ Foundation FieldBus: Designed for use in process control instrumentation for
measuring temperature, pressure, level, flow, pH/ORP, conductivity, density,
concentration, resistivity, dissolved oxygen, and oxygen transmitters as well as
machinery health monitors. Final control elements such as control valve
positioners, electric actuators, discrete switches, on/off valves, and signal
converters are also available.

Functional Components of a DCS 3-15

 ▶ Profibus: Designed specifically for Distributed Peripherals (DP) such as
conventional I/O blocks and weighing scales. Final control elements such as
drives, motor starters, circuit breakers, and solenoid valve manifolds are also
available.
▶ AS-I
▶ CANbus
▶ ControlNET
▶ DeviceNet: A wide range of products are available using DeviceNet including
conventional I/O blocks, inductive and optical switches, encoders and resolves,
barcode readers and RFID, final control elements such as electric and pneumatic
actuators, and valves, a.c. and d.c. drives, motor starters, and solenoid valve
manifolds.

Functional Components of a DCS 3-16

 Different areas of automation and different levels of the control system hierarchy have
different communication needs, many different Fieldbus technologies exist. All types of
devices are not available with all the different protocol options, and therefore it is
necessary to use more than one protocol in control systems.

For example, transmitters and valves will communicate using FOUNDATION FieldBus
because the bus must be synchronized for good PID control. Electric drives will use
PROFIBUS DP because of the higher speed possible at short distances, although
DeviceNet is also an option. Discrete I/O may use either DeviceNet or AS-I.

Functional Components of a DCS 3-17

 Controller Subsystems
[center]

▶ An integral part of any DCS

▶ Could be rack-mounted or rail-mounted
▶ IOLink connections communicate with IO modules over IOBus
▶ Redundancy is maintained at IOBus level, IO module level, controller level and
power supply level.
Functional Components of a DCS 3-18
ding on the type of IO module, communication protocol, and the way they are connected to 3.6 CONTROLLE
there exist various topologies that vary from vendor to vendor. There can be two types of
Controller
on chassis Redundancy
or rack-mounted type, based on the controller and IO modules position or slot
same rack or different rack. In all cases, modules communicate with each other within the
ough a common backplane circuit board. Figure 3.8 illustrates a nonredundant combination,
e 3.9 illustrates a redundant combination.

ed non redundant Figure:

controller Non-redundant controller

FIGURE 3.9
Rack mounted redundant controller Figure: Redundant controller

Figures 3.10 and 3.11 illustrate nonredundant and redundant types of topology b
tion of controllers and IO in different racks with IO rack connected to controller thro
Functional Components of a DCS cable. 3-19
 Controller Technology

Libraries which enable the system to perform control functions:

Standard Control Library

Variety of FBs to implement digital and analog control. The interfacing and
programming adheres to IEC61131-3 standards.

Standard Communication Library

Consists of blocks to adhere to certain standards such as S88/Profibus/HART, and so
on.

User-Defined Library
Allows users to create blocks and customize control for an application

Functional Components of a DCS 3-20

 Supervisory Subsystems-Engineering and Operator Workstations

Operator consoles enable users to view the plant and control it to a certain extent.
Operators can change modes/set points of the loops and control them. These operator
consoles are normally located in the central control room or closer to the process in the
shop floor. Operator consoles have provision to display process graphics, and process
and system alarms. Trends can be viewed to understand how the process is varying.
Data from trends can be historized and restored at a later point of time to understand
the process responses.

Physical Properties of the Operator Console

▶ Customized operator interfaces
▶ Generic operator interfaces

Functional Components of a DCS 3-21

 Customized operator interfaces consist of components provided by the DCS provider.
For example, a DCS provider provides a key board and mouse that have customized
keys or track ball movements to navigate across the display pages in an operator
interface. Dedicated keys are also provided for ac- knowledging alarms, changing
access levels.

Generic operator interface consists of components that are available in market and
support is received from popular hardware manufacturers such as DELL/IBM/HP.
However, the recommendation for the configuration including hardware such as hard
disk, RAM, graphic cards, monitors, and network cards along with their supported slots
is given by the DCS provider.

Functional Components of a DCS 3-22

 Software
Software used for operator interfaces has its base on operating system. The operating
systems supported for desktops vary. The proprietary software from DCS vendors is
installed on top of these operating systems. Proprietary software primarily contains the
following components; although they are generic soft- ware components, their usage
methodology leads to the evolution of proprietary software.

▶ SQL
▶ HTML
▶ XML
▶ Ethernet
▶ Scripting techniques such as VB
▶ Generic communication protocol such as Modbus

Functional Components of a DCS 3-23

 Database A database is a set of data held in a structured format available for access
to multiple systems. A database on an operator interface is used for data access in the
station; a station is a page where users can view the displays, alarms, trends, and so on.
SQL, Access, and Oracle are the most popular software on which databases are built.

Functional Components of a DCS 3-24

 Functional Features of DCS
[center]

▶ System configuration/programming
▶ Communication
▶ Control
▶ Alarms and events
▶ Diagnostics
▶ Redundancy
▶ Historical data
▶ Security
▶ Integration

Functional Features of a DCS 3-25

 System Configuration/Programming

Every DCS controller is a computer and therefore needs instructions to execute the
control actions. Engineering tools enable configuration programming of controllers.
The engineering tools also hide the complexities of programming the microcontrollers
(which have their own specific instruction sets) by providing a common programming
language with suitable user interfaces. Therefore, application and process engineers
describe the control logic mostly graphically, which are translated into the instruction
set of the microcontrollers. Typically, the control strategies are made up of
interconnected FBs, sequential function charts (SFC), and equipment and unit
representations, which perform functions within the control scheme based on inputs.

The configuration/engineering application also allows a designer to create or change

operator interfaces, such as plant schematics and process control diagrams viewed on
the operator displays through a viewing application. These diagrams displayed on the
screen enable the operator to change settings within the PCS.

Functional Features of a DCS 3-26

 Communication

Today’s DCS are enabled with integrated web services for plant integration through
open standards such as OPC, for communication with external sources.

The data highway is the communication medium that allows a DCS to permit
distribution of the controlling function through a large plant area.

Functional Features of a DCS 3-27

 Control

The DCS is connected to field sensors and actuators and uses set-point control to
control the process in the plant. The most common example is a set-point control loop
consisting of a pressure sensor, controller, and control valve. Pressure or flow
measurements are transmitted to the controller, usually through transmitted and signal
conditioning I/O cards. When the measured variable reaches a certain point, the
controller instructs a valve or actuation device in the field to open or close until the
fluidic flow process reaches the desired set-point.

Modern DCSs also support neural networks and fuzzy applications.

Functional Features of a DCS 3-28

 Alarms and Events

A critical part of the DCS is the integrated alarms and events processing subsystem.
The engineering software is used to configure to get notified of significant system
states. This enables monitoring the system states and acknowledging them.

Events represent significant changes in state for which some action is potentially
required. In most DCS event types can also be defined. The event type specifies the
message to be displayed to an operator for the various alarm states and the associated
attributes whose value should be captured when an event of this type occurs. Event
priorities can also be defined. An event priority type defines the priority of an event for
each of its possible states.

Many DCS systems also support device and equipment alerts.

Functional Features of a DCS 3-29

 Alarms are the most vital part of a system. In facts alarms are a subset of alerts.
Alerts can be broadly classified into three categories:

1. Alarms
2. Events
3. Messages

Alarms are classified into two types: Process alarms and Diagnostic alarms.

Functional Features of a DCS 3-30

 Figure: Diagnostic alarm display

Functional Features of a DCS 3-31

 Diagnostics

Integrated diagnostics is an important feature of the DCS. The diagnostics cover

hardware, redundancy, communications, control, and, to some extent, the software
that makes up the DCS. Usually a system alarm is reported on the failure or
malfunction of any of these components and the necessary log messages are recorded.

The tests built into the control room equipment are designed to analyze a high
proportion of all failures, diagnose the problem, and pinpoint the logical replaceable
unit (LRU) or optimum replaceable unit without intervention by the operator or a
maintenance technician while the system is online and controlling the process.

Functional Features of a DCS 3-32

 Historical Data

The DCS usually includes the ability to collect batch, continuous, and event data. A
centrally defined history database is available for the storage of historical data. The
value of any attribute, alarm or any control strategy, alert, or process condition can be
recorded in the history database along with its status. In modern control systems, the
data values are collected as an integrated feature of the system.

Events are collected and time-stamped at their source – in some cases down to a
resolution of few milliseconds. Users and layered applications can retrieve the batch,
continuous, and event data in a time-ordered fashion. For security reasons, values
cannot be edited without leaving behind an audit trail. The engineering tools and
operator tools enable selection of points for history storage.

Functional Features of a DCS 3-33

 Figure: A sample history configuration
Functional Features of a DCS 3-34
 Security Security is essential in process control. The DCS system must be able to
limit access to the various parts of the control system to authorized people only. This
is done by user, plant area, and workstation. Layered applications have to establish a
session before they are allowed access into the system. There are several aspects to
security as summarized below, in addition to the normal physical security measures:

▶ Authentication: Access to the DCS for human users and layered application users
is controlled by password-protected user accounts.
▶ User: A human user of the DCS must have a user account on the system to gain
access. All user accounts are named. User accounts have unique names within the
scope of a site. All user accounts have a password, which must be provided in
conjunction with the account name in order to start a DCS session.

Functional Features of a DCS 3-35

 ▶ Plant Area Security: A user account can be permitted or denied access to make
changes within one or more plant areas within a site. The user account can also
be denied access to any of the plant areas. For each plant area where access is
permitted, access can be restricted at runtime according to the classification of the
runtime attribute data. For each plant area where access is permitted, the ability
to make configuration changes can be restricted. A user account can be permitted
or denied access to view or modify user account and privilege information. In
some systems, it is also possible to enable authorization as an additional security
mechanism. In these cases a user, or in some cases several users, need to confirm
by password the changing of certain parameters, starting/stopping a batch, and so
on. This, in addition to the password, is used for logging into the system.

Security for operator interfaces is one of the most important aspects of any control
system especially in the current world where we are more prone to cyber threats than
ever.

Functional Features of a DCS 3-36

 Integration When a new plant area is added or expanded, the operators of the new
area may need some information about the existing plant to provide a coordinated
operation. Similarly, the operators of the existing plant may need feedback from the
new process area in making decisions on how best to run the balance of the plant. In
most cases, only a small fraction of the information in either system must be
communicated to support such coordination between these areas. Several techniques
are used to integrate systems. The OPC foundation has defined an industry standard
for accessing information within a control system. Thus, many control systems provide
OPC server capability in workstations designed for interfacing to the plant LAN.
Several DCS also communicate using several other hardware connections (RS232,
RS485, USB, etc.) and software protocols (Modbus, LON, etc.) including hardwired
serial and parallel communication lines.

Functional Features of a DCS 3-37