Utilities of all sizes face the challenge of efficiently monitoring real-time substation performance across their networks. Each substation is or has the potential to be a data-rich environment, with hundreds of data points continuously sending data to a master station. Now, advancements in web-based supervisory control and data acquisition (SCADA) are transforming the process of installing, configuring and administering a SCADA system to easily monitor and manage substation performance.
Legacy SCADA solutions — which, for decades, were proprietary stand-alone systems with their own communication protocols — typically required time-consuming installations to connect to all end points and can be difficult to maintain. Technicians access and view data through increasingly obsolete DOS operating system-based screens lacking intuitive and easily configurable graphical user interfaces (GUIs).
Southwest Electric Cooperative’s legacy SCADA system required two people spending a week just to get a single device communicating with it, so adding remote terminal units (RTUs) to its 27-substation network was always an issue. When the system vendor informed Southwest Electric Cooperative it was going out of business, the utility sought a modern web-based SCADA system that would streamline installation and maintenance and give its engineers a modern user interface they could easily configure.
Engineering Simplicity
A key advantage of web-based SCADA systems is the use of standard internet protocols to communicate securely between RTU end points and a central monitoring terminal as well as for operators to view and engage with web pages. Southwest Electric Cooperative selected a SCADA system from Orion Utility Automation, a division of substation automation solution provider NovaTech LLC.
With the new SCADA system, Southwest Electric Cooperative could take a device it had never used before, connect it and have it communicating to every intelligent electronic device (IED) in the field within a day. This was a game-changer for the co-op.
The topology of a web-based SCADA system is configured as either a centralized or distributed model. In a distributed web server, the RTUs in a substation serve out SCADA web pages. In a centralized web server, an OrionLX automation platform at the enterprise consolidates data from the Orion RTUs in the substations and serves out SCADA web pages. Southwest Electric Cooperative opted for a distributed topology with a single Orion master station that talks to all the substations. In addition, the utility has an OrionLX or OrionLXm terminal at each substation.
The OrionLX and OrionLXm perform the functions of multiple single-purpose boxes in the substation, reducing cost and complexity. Both units can connect to nearly any substation device in its native protocol, perform advanced math and logic, and securely present the source or calculated data to any number of clients in their own protocol.
Mapping the topology often falls to the utility and can be a time-consuming process to identify locations and the associated data values that need to be brought back to the master terminal. Digital mapping for devices was built into the new SCADA. It was just a matter of selecting IEDs in the substation and entering some values to get them up and running.
Configurable User Interface
A web-based SCADA system enables an engineer to open the various substations in multiple browsers and key remote monitoring features in different tabs, making it easier to monitor a network. Multiple users can be logged in simultaneously.
NovaTech provides a library of over 500 pre-engineered points pick lists for the commonly applied substation IEDs from Schweitzer Engineering Laboratories Inc. (SEL), Eaton Corp., GE, ABB, Beckwith Electric, Basler Electric and others. This is particularly helpful for smaller utilities where engineers may operate as both relay and substation engineers. Not having to spend as much time programming and managing a system is that much more critical.
The Orion web server SCADA system typically includes the following screens: one-line diagram, breaker zoom and control, animated IED faceplates, communications diagnostics, alarm annunciator, sequence of events (SOE) and trending. One of the big advantages is in configurability. Modern web-based GUIs can be easily configured so faceplates appear on the screen as they look in the field. Further, the configurations use unlicensed software to make the changes, which reduces costs.
NovaTech integrates an XML protocol to transfer data into custom web pages. Inkscape plug-ins also are included to simplify point selection, for graphics libraries and to create additional interfaces that are not prepackaged.
“Using Inkscape, our team can create a template, then plug the numbers and the functions into it,” said Victor Buehler, vice president of IT at Southwest Electric Cooperative. “We did not initially plan on tying in near points to the SCADA system, but we have since been able to easily add them after installation.”
Integrated into modern GUIs are built-in alarm annunciators and email notifications when thresholds are exceeded. NovaTech stores alarms, tags, SOE points and files in a nonvolatile expanded memory within an open object-relational PostgreSQL database management system. Transfer of archived data to the enterprise is simplified using standard calls and protocols.
“E-mails are automatically sent to us for breaker operations, undervoltage situations, things of that nature,” Buehler explained. “We can have a notification based on a change or a set point for essentially any data we are bringing in. This ensures we are aware of issues before they become a bigger issue.”
According to Buehler, he was able to reproduce, create new substations and dive into customizations for how Southwest Electric Cooperative wanted to view data, without having worked with a NovaTech product before.
“Installing our web-based SCADA was very easy for us despite the fact that we are a small IT team,” Buehler noted. “Even without a dedicated SCADA team, we can easily maintain the product. It does not require a big department.”
Maintenance And Security
The elimination of annual ongoing licensing fees as well as the need to rely on the SCADA vendor for installation and maintenance was a major cost savings. Southwest Electric Cooperative was paying tens of thousands of dollars a year in ongoing costs to maintain its legacy system. Software licensing was a major part of this expense.
Security also is a key consideration for utilities, which typically need to be compliant with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations. Although the guidelines are intended for the more critical North American bulk power system comprising higher-voltage transmission and power generation, NERC CIP provides an excellent framework for all utility operations, including the relatively smaller web server SCADA systems. The following summarizes NERC CIP guidelines in the areas of primary concern for web server SCADA, and how they are addressed:
- To address NERC CIP-5 Electronic Security Perimeter, web server SCADA provides a firewall and list of authorized users with permissions related to their role. Also provided is the “syslog” monitoring of login attempts, including the username and how the user is attempting connection.
- To address NERC CIP-6, where physical access restrictions to cabling between cyber assets are not implemented, web server SCADA can lock down the communication to and from the system with DNP3 secure authentication (SAv5), transport layer security-based encryption of DNP3, HTTPS and other secure public key infrastructure (PKI) protocols. All communications and access attempts can be monitored. Any openings of gates or intrusion alarms can be logged in syslog for future analysis in event monitoring software.
For NERC CIP-7 Systems Security Management, the following are implemented in web server SCADA:
- When equipment is shipped, only the minimal number of access ports are open to provide initial access.
- A patch management system is in place, including patch notification to users every 35 days.
- Strong measures are built in (integrity measurement architecture) to prevent the loading of unauthorized code. Included are mechanisms to detect and annunciate attempts.
- Logging of successful and unsuccessful login attempts is provided, including a mechanism to detect logging failure.
A strong password policy is provided in web server SCADA:
- Minimal use of shared accounts in the standard product
- Enforcement of strong password construction rules
- Available remote authentication through lightweight directory access protocol/active directory (LDAP/AD) or RSA RADIUS to simplify password management.
With these measures in place, some users may only view data, while others may acknowledge alarms and remotely control substation devices. The administrator user may add or remove users. Device controls can be locked down further with an IP address lockout feature, where only PCs at preauthorized IP addresses can control breakers and other apparatus. In addition, all user attempts to access the SCADA system or actions (such as controlling breakers) are logged in an unalterable syslog record.
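As an added illustration (not NovaTech's or the cooperative's code), the access decision described above can be sketched in Python: role permissions, a source-address allowlist for control actions, and an audit line for every attempt. The role names, log fields and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical role model: each role maps to the actions it may perform.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "operator": {"view", "ack_alarm", "control"},
    "admin": {"view", "ack_alarm", "control", "manage_users"},
}
IP_RESTRICTED = {"control"}  # actions that also need a preauthorized source


@dataclass
class Gatekeeper:
    users: dict          # username -> role
    control_nets: list   # CIDR strings allowed to issue controls
    audit: list = field(default_factory=list)  # append-only stand-in for syslog

    def _source_ok(self, src_ip):
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False  # malformed address is never preauthorized
        return any(addr in ipaddress.ip_network(n) for n in self.control_nets)

    def authorize(self, user, action, src_ip, target=""):
        role = self.users.get(user)
        if role is None:
            verdict, reason = "DENY", "unknown-user"
        elif action not in ROLE_ACTIONS.get(role, set()):
            verdict, reason = "DENY", "role-lacks-permission"
        elif action in IP_RESTRICTED and not self._source_ok(src_ip):
            verdict, reason = "DENY", "source-not-preauthorized"
        else:
            verdict, reason = "ALLOW", "ok"
        # Every attempt is recorded, allowed or not. repr() escapes newlines
        # so a crafted username cannot forge extra audit lines.
        self.audit.append(
            f"user={user!r} src={src_ip!r} action={action!r} "
            f"target={target!r} result={verdict} reason={reason}"
        )
        return verdict == "ALLOW"


# Constructed sample data, using documentation address ranges.
gate = Gatekeeper(
    users={"alice": "operator", "bob": "viewer"},
    control_nets=["192.0.2.0/28"],
)
```

The check order matters: an operator on an unlisted address can still view data, but a control request from that address is refused and leaves a denial record behind.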
For NERC CIP-10 Configuration Change Management, web server SCADA provides built-in tools and partner products to determine whether the baseline configuration has been modified as well as to highlight where these changes are and the extent to which they may result in unintended operation.
The NERC CIP-11 Information Protection guidelines are addressed through simple tools in web server SCADA to wipe the configuration, to reduce the potential for malicious data retrieval in transit or redeployment.
Finally, the recent NERC CIP Supply Chain Risk Management is addressed through stringent vendor assessment, rigorous software control measures and structured vulnerability disclosures.
“In addition to the above, we also run our SCADA system over a cellular VPN connection,” Buehler explained. “Having this data from the end points to the master station encrypted is a big deal for us to maximize security. With the Orion system, it came encrypted out of the box.”
System Evolution
As utilities add substations and more advanced RTUs, the demands on a SCADA system inevitably evolve over time. As a hub for centralized access across the substation network, it needs to grow and be reconfigurable. A SCADA system really does not have an end. By its nature, it is an ongoing modular effort that requires enhancements and upgrades in lockstep with the substation technology and performance.
What is key for a utility considering replacing its SCADA system is to have an overall guiding strategy that will factor in ease of use, cost, scalability, redundancy, security, regulatory compliance and after-sale support to simplify what traditionally has been a complicated, time-consuming process. With the elimination of PC-based SCADA software and SCADA licensing fees, along with simpler engineering and commissioning, a growing number of smaller utilities can now economically justify SCADA for the first time.
Bobby Williams (bobby.williams@sweci.com) is vice president of engineering at Southwest Electric Cooperative, a utility founded in 1939 to serve rural communities in 11 counties across southwest Missouri.
For More Information
ABB | www.abb.com
Basler | www.basler.com
Beckwith | https://beckwithelectric.com
Eaton | www.eaton.com
GE | www.ge.com
NovaTech | www.novatechautomation.com
SEL | www.selinc.com