
Candidate's Declaration

I hereby certify that the training which is being presented in the report entitled SCADA SYSTEM IN RAILWAY TRACTION DISTRIBUTION/EXCHANGE, in fulfillment of the requirement for the completion of the vocational training, submitted to East Central Railway, Danapur and School of Electronics Engg., KIIT University, Bhubaneswar, Orissa, is an authentic record of my own work carried out during a period from 25th of May, 2012 to 25th of June, 2012 under the supervision of Mr. Prabhat Kumar, Sr. Section Electrical Engg (Remote Control), East Central Railway, Danapur.

(Neelabh Keshav)

This is to certify that the above statement made by the candidate is correct to the best of my knowledge.

(Mr. Prabhat Kumar)
Sr. Section Electrical Engg (Remote Control)
East Central Railway, Danapur
Date-25/06/2012 Danapur

Acknowledgements
I would like to thank all my teachers of KIIT University for their technical suggestions and administrative support to complete this training. I would like to thank the Sr. Divisional Electrical Engg, TRD, Danapur for obliging me with the opportunity to undergo training at this site. Without his kind permission and consent this could have never been a reality. I sincerely thank my training guide Mr. Prabhat Kumar, Sr. Section Electrical Engg (Remote Control), East Central Railway, Danapur for his able guidance, encouragement and noble support. Without his technical insight and review it would have been impossible to complete this project report. I am greatly indebted to my parents for their love and good wishes which they have bestowed upon me. I would also like to thank my sister for her support and continuous encouragement. In the end, I would like to thank the almighty God without whom nothing is possible in this world.

(Neelabh Keshav) Date-25/06/2012 Danapur

Table of Contents

Synopsis
A Glance at East Central Railway
1. Introduction to SCADA
2. SCADA in Railway Traction Distribution System
3. A Sample tender for SCADA Systems
4. Traction Power Supply Feeding
5. History of Electric Traction in India
Conclusion
References

Synopsis
This project is about Supervisory Control And Data Acquisition (SCADA) systems, which are a form of Industrial Control System (ICS). They can trace their origins back to the days of the traditional control panel for industrial systems, when the operators and engineers worked from panels of dials, gauges and switches that were directly linked (hard wired) to the systems for which they were responsible. The controls were analogue and normally related to a single system, managed in real-time by watching the panel. Control input was through direct input by the operator, achieved through solenoids and relays with simple logic circuits of gates and valves. Feedback was information on the dials and pen recorder charts. The use of electronic data capture allows reporting, trend analysis and forecasting in a way that wasn't possible in the past with pen recorders and printers. The ability to predict problems, schedule maintenance as required and order parts and materials on a just-in-time basis is also facilitated by SCADA systems. Modern IT systems and software applications mean that reporting is even simpler and easier, with real-time updates to reports, moving averages and alarms for values that are out-of-tolerance. Not only are the numbers of staff reduced, but also the pre-requisite levels of training and skill they need, reducing personnel costs in many cases.

This project highlights the usage of SCADA systems in Indian Railways.

A Glance at East Central Railway

The East Central Railway is one of the sixteen railway zones in India. It is headquartered at Hajipur and comprises the Sonpur, Samastipur, Danapur, Mughalsarai and Dhanbad divisions. This zone came into existence on September 8, 1996. Since its inception, the ECR has introduced 136 pairs of new trains in its five divisions, providing connectivity to all major cities of the country. The Railways has extended the run of about 73 pairs of mail and express trains, while the frequency of 26 pairs of trains has been increased to cater to the needs of passengers from different places of the zone. Keeping in view passengers' demands, the ECR has provided stoppages of about 572 pairs of trains at different stations, while 99 new halts have been approved so far. The number of computerized counters of the passenger reservation system (PRS) has gone up to 121 in the ECR, and about 316 unreserved ticketing system (UTS) counters are also functioning.

1. An Introduction to SCADA

1.1 What is SCADA?

Supervisory Control And Data Acquisition (SCADA) systems are a form of Industrial Control System (ICS). They are real-time industrial process control systems used to centrally monitor and control remote or local industrial equipment such as motors, valves, pumps, relays, sensors, etc. SCADA is a combination of telemetry and data acquisition.

1.2 Need for SCADA

Previously, without SCADA software, an industrial process was entirely controlled by PLCs, CNCs, PID controllers and micro-controllers programmed in certain languages or codes. These codes were written either in assembly language or in relay logic, without any animation that would explain the running process. It is always easier to understand the status of a process if it is shown with animations rather than written codes. Hence SCADA software came into existence and, with some exclusive features, became an integral part of the automation system.

1.3 Concept of SCADA

SCADA is not just hardware but also software. It is a concept: a system formed by a combination of special hardware, software and protocols. SCADA is used to control chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, water purification and distribution infrastructure, etc.

For example, in a SCADA system a PLC can be used to control the flow of cooling water as part of an industrial process. At the same time the supervisor can use the Host control function to set the temperature for the flow of water. It can also have alarms and can record the flow of water temperature and report back. The RTUs and PLCs are responsible for data collection such as meter readings, equipment status, etc., and communicate back to the SCADA system. This data can be stored in a database for later analysis or monitored by a supervisor to take appropriate actions if required.

SCADA systems typically implement a distributed database, commonly referred to as a tag database, which contains data elements called tags or points. A point represents a single input or output value monitored or controlled by the system. Points can be either "hard" or "soft". A hard point is representative of an actual input or output connected to the system, while a soft point represents the result of logic and math operations applied to other hard and soft points. Most implementations conceptually remove this distinction by making every property a "soft" point (expression) that can equal a single "hard" point in the simplest case. Point values are normally stored as value-timestamp combinations: the value and the timestamp when the value was recorded or calculated. A series of value-timestamp combinations is the history of that point. It's also common to store additional metadata with tags, such as the path to the field device and PLC register, design-time comments, and even alarming information.

SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation. These systems encompass the transfer of data between a SCADA central host computer and a number of Remote Terminal Units (RTUs) and/or Programmable Logic Controllers (PLCs), and between the central host and the operator terminals. A SCADA system gathers information (such as where a leak on a pipeline has occurred), transfers the information back to a central site, then alerts the home station that a leak has occurred, carrying out necessary analysis and control, such as determining if the leak is critical, and displaying the information in a logical and organized fashion. These systems can be relatively simple, such as one that monitors environmental conditions of a small office building, or very complex, such as a system that monitors all the activity in a nuclear power plant or the activity of a municipal water system.

Traditionally, SCADA systems have made use of the Public Switched Network (PSN) for monitoring purposes. Today many systems are monitored using the infrastructure of the corporate Local Area Network (LAN)/Wide Area Network (WAN). Wireless technologies are now being widely deployed for purposes of monitoring. SCADA systems consist of:
(a) One or more field data interface devices, usually RTUs, or PLCs, which interface to field sensing devices and local control switchboxes and valve actuators.
(b) A communications system used to transfer data between field data interface devices and control units and the computers in the SCADA central host. The system can be radio, telephone, cable, satellite, etc., or any combination of these.
(c) A central host computer server or servers (sometimes called a SCADA Center, master station, or Master Terminal Unit (MTU)).
(d) A collection of standard and/or custom software systems used to provide the SCADA central host and operator terminal application, support the communications system, and monitor and control remotely located field data interface devices.

Fig: A typical SCADA system

1.4 Origin of SCADA

SCADA systems can trace their origins back to the days of the traditional control panel for industrial systems, when the operators and engineers worked from panels of dials, gauges and switches that were directly linked (hard wired) to the systems for which they were responsible. The controls were analogue and normally related to a single system, managed in real-time by watching the panel. Control input was through direct input by the operator, achieved through solenoids and relays with simple logic circuits of gates and valves. Feedback was information on the dials and pen recorder charts.

It could be argued that the first PCS (Process Control System) of this nature was the electrical telegraph block control system implemented by the Great Western Railway on the Box Tunnel section of the London to Bristol railway line in 1847. A purely mechanical version for interlocking point control and position indication was patented by John Saxby of the North London Railway in 1856. Both could be said to be the progenitors of Industrial and Process Control systems.

The original SCADA architecture had nothing to do with the traditional Confidentiality-Integrity-Availability values of security. It was intended to be reliable in that it was used to monitor and control industrial systems. Traditional examples of this include water treatment and supply, sewage treatment and discharge, railway signaling, electricity generation/distribution and gas pumping systems. In these environments a high degree of reliability and accuracy is essential, and SCADA was intended to operate within the required tolerances for Command & Control systems.

1.5 Elements of SCADA

SCADA is not a specific technology, but a type of application. SCADA stands for Supervisory Control and Data Acquisition: any application that gets data about a system in order to control that system is a SCADA application. A SCADA application has two elements:

- The process/system/machinery we want to monitor and control. This can be a power plant, a water system, a network, a system of traffic lights, or anything else.
- A network of intelligent devices that interfaces with the first system through sensors and control outputs. This network, which is the SCADA system, gives us the ability to measure and control specific elements of the first system.

We can build a SCADA system using several different kinds of technologies and protocols.

1.6 Where is SCADA used?

We can use SCADA to manage any kind of equipment. Typically, SCADA systems are used to automate complex industrial processes where human control is impractical: systems where there are more control factors, and more fast-moving control factors, than human beings can comfortably manage. Around the world, SCADA systems control:

- Electric power generation, transmission and distribution: Electric utilities use SCADA systems to detect current flow and line voltage, to monitor the operation of circuit breakers, and to take sections of the power grid online or offline.
- Water and sewage: State and municipal water utilities use SCADA to monitor and regulate water flow, reservoir levels, pipe pressure and other factors.
- Buildings, facilities and environments: Facility managers use SCADA to control HVAC, refrigeration units, lighting and entry systems.
- Manufacturing: SCADA systems manage parts inventories for just-in-time manufacturing, regulate industrial automation and robots, and monitor process and quality control.
- Mass transit: Transit authorities use SCADA to regulate electricity to subways, trams and trolley buses; to automate traffic signals for rail systems; to track and locate trains and buses; and to control railroad crossing gates.
- Traffic signals: SCADA regulates traffic lights, controls traffic flow and detects out-of-order signals.

This very short list barely hints at all the potential applications for SCADA systems. SCADA is used in nearly every industry and public infrastructure project, anywhere automation increases efficiency. These examples don't show how deep and complex SCADA data can be. In every industry, managers need to control multiple factors and the interactions between those factors. SCADA systems provide the sensing capabilities and the computational power to track everything that's relevant to your operations.

1.7 Working of SCADA system

A SCADA system performs four functions:

- Data acquisition
- Networked data communication
- Data presentation
- Control

These functions are performed by five (six in modern systems) kinds of SCADA components:

1) Sensors (either digital or analog) and control relays that directly interface with the managed system.
2) Remote telemetry units (RTUs). These are small computerized units deployed in the field at specific sites and locations. RTUs serve as local collection points for gathering reports from sensors and delivering commands to control relays. They take the analogue/digital output and transform it into a data protocol format for transmission. They also receive data and turn that into commands for the control devices to which they are connected.
3) SCADA master units. These are larger computer consoles that serve as the central processor for the SCADA system. Master units provide a human interface to the system and automatically regulate the managed system in response to sensor inputs.
4) The communications network that connects the SCADA master unit to the RTUs in the field. The communications system transports the data from the sensors to the monitors and vice-versa. These may be simple electronic wiring, radio communications, an IT network or something comprising elements of all three.
5) Human Machine Interface. The systems that display the data and allow real-time or programmed input from operators. In the days of ever-increasing sophistication in software and automated decision-making, these controllers can be advanced software packages instead of a human, although they are the final arbiters of the range of command options within the system. These are referred to as the Human Machine Interfaces (HMI) or Master units. In addition, there is usually a server, known as the Data Historian, which keeps logs of all activity within the system.
6) A sixth element that exists in modern systems is the use of complex modelling and reporting tools run on IT systems to analyze the data captured by the SCADA system for trending, forecasting and capacity modeling, simulations, development and training, etc.

Fig: Basic SCADA control structure

1.8 Data Acquisition

First, the systems we need to monitor are much more complex than just one machine with one output. So a real-life SCADA system needs to monitor hundreds or thousands of sensors. Some sensors measure inputs into the system (for example, water flowing into a reservoir), and some sensors measure outputs (like valve pressure as water is released from the reservoir).

Some of those sensors measure simple events that can be detected by a straightforward on/off switch, called a discrete input (or digital input). For example, in our simple model of the widget fabricator, the switch that turns on the light would be a discrete input. In real life, discrete inputs are used to measure simple states, like whether equipment is on or off, or tripwire alarms, like a power failure at a critical facility.

Some sensors measure more complex situations where exact measurement is important. These are analog sensors, which can detect continuous changes in a voltage or current input. Analog sensors are used to track fluid levels in tanks, voltage levels in batteries, temperature and other factors that can be measured in a continuous range of input. For most analog factors, there is a normal range defined by a bottom and top level. For example, you may want the temperature in a server room to stay between 60 and 85 degrees Fahrenheit. If the temperature goes above or below this range, it will trigger a threshold alarm. In more advanced systems, there are four threshold alarms for analog sensors, defining Major Under, Minor Under, Minor Over and Major Over alarms.
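Added example (not part of the original report): a minimal tag database in Python that combines the hard and soft points and value-timestamp history of section 1.3 with the four threshold alarms described above. The class names, tag names and the 50/95 major limits are assumptions made for illustration; only the 60 to 85 degree normal range comes from the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Limits:
    """Four analog thresholds; values between the two minor limits are normal."""
    major_under: float
    minor_under: float
    minor_over: float
    major_over: float

    def classify(self, value: float) -> str:
        if value < self.major_under:
            return "MAJOR_UNDER"
        if value < self.minor_under:
            return "MINOR_UNDER"
        if value > self.major_over:
            return "MAJOR_OVER"
        if value > self.minor_over:
            return "MINOR_OVER"
        return "NORMAL"


@dataclass
class Point:
    name: str
    # None marks a hard point (a real input); otherwise a soft point expression.
    expression: Optional[Callable[["TagDatabase"], float]] = None
    limits: Optional[Limits] = None
    history: list = field(default_factory=list)  # (value, timestamp) pairs
    state: str = "NORMAL"


class TagDatabase:
    def __init__(self):
        self.points = {}
        self.alarm_events = []  # (timestamp, point name, old state, new state)

    def add_hard(self, name, limits=None):
        self.points[name] = Point(name, limits=limits)

    def add_soft(self, name, expression, limits=None):
        self.points[name] = Point(name, expression=expression, limits=limits)

    def value(self, name):
        history = self.points[name].history
        if not history:
            raise LookupError(f"{name} has no value yet")
        return history[-1][0]

    def _record(self, point, value, timestamp):
        point.history.append((value, timestamp))
        if point.limits is None:
            return
        new_state = point.limits.classify(value)
        if new_state != point.state:  # log state changes, not every sample
            self.alarm_events.append((timestamp, point.name, point.state, new_state))
            point.state = new_state

    def update(self, name, value, timestamp):
        """Store a field reading, then recalculate every soft point."""
        point = self.points[name]
        if point.expression is not None:
            raise ValueError("soft points are calculated, not written")
        self._record(point, value, timestamp)
        for soft in self.points.values():
            if soft.expression is None:
                continue
            try:
                result = soft.expression(self)
            except LookupError:
                continue  # an input has not reported yet
            self._record(soft, result, timestamp)


def run_demo() -> TagDatabase:
    db = TagDatabase()
    room = Limits(major_under=50, minor_under=60, minor_over=85, major_over=95)
    db.add_hard("temp_a", room)
    db.add_hard("temp_b", room)
    db.add_soft("temp_avg",
                lambda d: (d.value("temp_a") + d.value("temp_b")) / 2, room)
    # Constructed readings: (timestamp in seconds, tag, degrees Fahrenheit).
    samples = [(0, "temp_a", 70.0), (0, "temp_b", 72.0), (60, "temp_a", 88.0),
               (120, "temp_b", 99.0), (180, "temp_a", 70.0)]
    for timestamp, tag, reading in samples:
        db.update(tag, reading, timestamp)
    return db


if __name__ == "__main__":
    for event in run_demo().alarm_events:
        print(event)
```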


1.9 Data Communication

In real life, we want to be able to monitor multiple systems from a central location, so we need a communications network to transport all the data collected from the sensors. Early SCADA networks communicated over radio, modem or dedicated serial lines. Today the trend is to put SCADA data on Ethernet and IP over SONET. For security reasons, SCADA data should be kept on closed LAN/WANs without exposing sensitive data to the open Internet.

Real SCADA systems don't communicate with just simple electrical signals, either. SCADA data is encoded in protocol format. Older SCADA systems depended on closed proprietary protocols, but today the trend is to open, standard protocols and protocol mediation.

SCADA systems are now used in modern manufacturing and industrial processes, mining industries, public and private utilities, leisure and security industries. In these cases, telemetry is needed to connect systems and equipment separated by long distances. Some of these distances range up to thousands of kilometers. Telemetry is the automatic transmission and measurement of data from remote sources by wire or radio or other means. It is also used to send commands and programs to, and to receive monitoring information from, these remote locations. SCADA is the combination of telemetry and data acquisition.

Thus, a remote telemetry unit (RTU) is needed to provide an interface between the sensors and the SCADA network. The RTU encodes sensor inputs into protocol format and forwards them to the SCADA master; in turn, the RTU receives control commands in protocol format from the master and transmits electrical signals to the appropriate control relays.

A SCADA system uses MODBUS communication over RS232, RS422 and RS485 interfaces. MODBUS Protocol is a messaging structure developed by Modicon in 1979, used to establish master-slave/client-server communication between intelligent devices. It is a de facto standard, truly open and the most widely used network protocol in the industrial manufacturing environment. The MODBUS protocol provides an industry standard method that MODBUS devices use for parsing messages. In order to realize MODBUS communication, there are two options: installation of interface devices (PCI or PCMCIA type), or use of an RS485 communication converter connected to an RS232 interface built into a computer.

The transmission mode defines the bit contents of the message bytes transmitted along the network, and how the message information is to be packed into the message stream and decoded. Standard MODBUS networks employ one of two types of transmission modes:

- ASCII Mode
- RTU Mode

The mode of transmission is usually selected along with other serial port communication parameters (baud rate, parity, etc.) as part of the device configuration. In the ASCII Transmission Mode (American Standard Code for Information Interchange), each character byte in a message is sent as 2 ASCII characters. This mode allows time intervals of up to a second between characters during transmission without generating errors. In RTU (Remote Terminal Unit) Mode, each 8-bit message byte contains two 4-bit hexadecimal characters, and the message is transmitted in a continuous stream. The greater effective character density increases throughput over ASCII mode at the same baud rate.
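Added example (not part of the original report): the same MODBUS request framed in RTU mode and in ASCII mode, with the error check each mode uses (CRC-16 for RTU, LRC for ASCII) and a decoder that rejects damaged frames. The function names and the sample request are constructed for illustration.

```python
# Added example: one Modbus request framed in RTU mode and in ASCII mode.

HEX_DIGITS = b"0123456789ABCDEF"


def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by RTU mode: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc(data: bytes) -> int:
    """LRC used by ASCII mode: two's complement of the 8-bit sum of the bytes."""
    return (-sum(data)) & 0xFF


def encode_rtu(message: bytes) -> bytes:
    """Binary frame: message bytes followed by the CRC, low byte first."""
    crc = crc16_modbus(message)
    return message + bytes([crc & 0xFF, crc >> 8])


def encode_ascii(message: bytes) -> bytes:
    """Text frame: ':' + two hex characters per byte (LRC included) + CR LF."""
    body = message + bytes([lrc(message)])
    return b":" + body.hex().upper().encode("ascii") + b"\r\n"


def decode_rtu(frame: bytes) -> bytes:
    if len(frame) < 4:  # address + function + 2 CRC bytes
        raise ValueError("RTU frame too short")
    message, received = frame[:-2], frame[-2] | (frame[-1] << 8)
    if crc16_modbus(message) != received:
        raise ValueError("CRC mismatch")
    return message


def decode_ascii(frame: bytes) -> bytes:
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR LF end")
    text = frame[1:-2]
    if len(text) < 6 or len(text) % 2 or any(c not in HEX_DIGITS for c in text):
        raise ValueError("malformed hex payload")
    body = bytes.fromhex(text.decode("ascii"))
    if sum(body) & 0xFF != 0:  # message bytes plus LRC must sum to zero
        raise ValueError("LRC mismatch")
    return body[:-1]


# Constructed sample: station 1, function 0x03 (read holding registers),
# starting register 0, quantity 1.
REQUEST = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x01])

if __name__ == "__main__":
    rtu, asc = encode_rtu(REQUEST), encode_ascii(REQUEST)
    print("RTU  ", rtu.hex(" ").upper(), f"({len(rtu)} bytes on the wire)")
    print("ASCII", asc, f"({len(asc)} bytes on the wire)")
    # Both checks detect transmission errors only. Neither frame carries any
    # authentication, which is why the text keeps SCADA traffic on closed networks.
    damaged = bytearray(rtu)
    damaged[4] ^= 0x01
    try:
        decode_rtu(bytes(damaged))
    except ValueError as err:
        print("damaged RTU frame rejected:", err)
```

The ASCII frame needs 17 bytes where the RTU frame needs 8, which is the throughput difference the paragraph above describes.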

1.10 Data Presentation

A real SCADA system reports to human operators over a specialized computer that is variously called a master station, an HMI (Human-Machine Interface) or an HCI (Human-Computer Interface). The SCADA master station has several different functions. The master continuously monitors all sensors and alerts the operator when there is an alarm, that is, when a control factor is operating outside what is defined as its normal operation. The master presents a comprehensive view of the entire managed system, and presents more detail in response to user requests. The master also performs data processing on information gathered from sensors: it maintains report logs and summarizes historical trends. An advanced SCADA master can add a great deal of intelligence and automation to your systems management, making your job much easier.

1.11 Control

In real life, SCADA systems automatically regulate all kinds of industrial processes. For example, if too much pressure is building up in a gas pipeline, the SCADA system can automatically open a release valve. Electricity production can be adjusted to meet demands on the power grid. Even these real-world examples are simplified; a full-scale SCADA system can adjust the managed system in response to multiple inputs.

1.12 Architecture of SCADA systems

In this section the common architecture required for the SCADA products is described.

HARDWARE ARCHITECTURE

The basic hardware of the SCADA system is divided into two basic layers: the "client layer", which caters for the man-machine interaction, and the "data server layer", which handles most of the process data control activities. The data servers communicate with devices in the field through process controllers. Process controllers, e.g. PLCs, are connected to the data servers either directly or via networks or field buses that are proprietary (e.g. Siemens H1) or nonproprietary (e.g. Profibus). Data servers are connected to each other and to client stations via an Ethernet LAN. Fig. 1 shows a typical hardware architecture.

Fig: Typical Hardware Architecture

SOFTWARE ARCHITECTURE

The SCADA products are multi-tasking and are based upon a real-time database (RTDB) located in one or more servers. Servers are responsible for data acquisition and handling (such as polling controllers, alarm checking, calculations, logging and archiving) on a set of parameters, typically those to which they are connected. However, it is possible to have dedicated servers for particular tasks, e.g. historian, data logger, alarm handler. Fig. 2 shows a SCADA architecture that is generic for the product.


Fig: Generic Software architecture

1.13 Classification based on generation

SCADA systems have evolved through 3 generations as follows:

FIRST GENERATION: "MONOLITHIC"

In the first generation, computing was done by mainframe systems. Networks didn't exist at the time SCADA was developed. Thus SCADA systems were independent systems with no connectivity to other systems. Wide Area Networks were later designed by RTU vendors to communicate with the RTU. The communication protocols used were often proprietary at that time. The first-generation SCADA system was redundant, since a back-up mainframe system was connected at the bus level and was used in the event of failure of the primary mainframe system.

SECOND GENERATION: "DISTRIBUTED"

The processing was distributed across multiple stations which were connected through a LAN, and they shared information in real time. Each station was responsible for a particular task, thus making the size and cost of each station less than the one used in the first generation. The network protocols used were still mostly proprietary, which led to significant security problems for any SCADA system that received attention from a hacker. Since the protocols were proprietary, very few people beyond the developers and hackers knew enough to determine how secure a SCADA installation was. Since both parties had vested interests in keeping security issues quiet, the security of a SCADA installation was often badly overestimated, if it was considered at all.

THIRD GENERATION: "NETWORKED"

These are the current generation SCADA systems, which use open system architecture rather than a vendor-controlled proprietary environment. The SCADA system utilizes open standards and protocols, thus distributing functionality across a WAN rather than a LAN. It is easier to connect third-party peripheral devices like printers, disk drives and tape drives due to the use of open architecture. WAN protocols such as Internet Protocol (IP) are used for communication between the master station and communications equipment. Due to the usage of standard protocols and the fact that many networked SCADA systems are accessible from the Internet, the systems are potentially vulnerable to remote cyber-attacks. On the other hand, the usage of standard protocols and security techniques means that standard security improvements are applicable to the SCADA systems, assuming they receive timely maintenance and updates.

1.14 Human Machine Interface

A SCADA system includes a user interface which is usually called the Human Machine Interface (HMI). The HMI of a SCADA system is where data is processed and presented to be viewed and monitored by a human operator. This interface usually includes controls where the individual can interface with the SCADA system. HMIs are an easy way to standardize the monitoring of multiple RTUs or PLCs (programmable logic controllers).

A Human-Machine Interface or HMI is the apparatus which presents process data to a human operator, and through which the human operator controls the process. An HMI is usually linked to the SCADA system's databases and software programs, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides.

Fig: Typical Basic SCADA animations

The HMI system usually presents the information to the operating personnel graphically, in the form of a mimic diagram. This means that the operator can see a schematic representation of the plant being controlled. For example, a picture of a pump connected to a pipe can show the operator that the pump is running and how much fluid it is pumping through the pipe at the moment. The operator can then switch the pump off. The HMI software will show the flow rate of the fluid in the pipe decrease in real time. Mimic diagrams may consist of line graphics and schematic symbols to represent process elements, or may consist of digital photographs of the process equipment overlain with animated symbols.

The HMI package for the SCADA system typically includes a drawing program that the operators or system maintenance personnel use to change the way these points are represented in the interface. These representations can be as simple as an on-screen traffic light, which represents the state of an actual traffic light in the field, or as complex as a multi-projector display representing the position of all of the elevators in a skyscraper or all of the trains on a railway.

An important part of most SCADA implementations is alarms. An alarm is a digital status point that has either the value NORMAL or ALARM. Alarms can be created in such a way that when their requirements are met, they are activated. An example of an alarm is the "fuel tank empty" light in a car. Once an alarm event has been detected, one or more actions are taken (such as the activation of one or more alarm indicators, and perhaps the generation of email or text messages so that management or remote SCADA operators are informed).
In many cases, a SCADA operator may have to acknowledge the alarm event; this may deactivate some alarm indicators, whereas other indicators remain active until the alarm conditions are cleared. Alarm conditions can be explicit or implicit. An explicit alarm point is a digital status point that has either the value NORMAL or ALARM and that is calculated by a formula based on the values in other analogue and digital points. With an implicit condition, the SCADA system might automatically monitor whether the value in an analogue point lies outside high and low limit values associated with that point. Examples of alarm indicators include a siren, a pop-up box on a screen, or a colored or flashing area on a screen (that might act in a similar way to the "fuel tank empty" light in a car); in each case, the role of the alarm indicator is to draw the operator's attention to the part of the system 'in alarm' so that appropriate action can be taken. In designing SCADA systems, care is needed in coping with a cascade of alarm events occurring in a short time, otherwise the underlying cause (which might not be the earliest event detected) may get lost in the noise. Unfortunately, when used as a noun, the word 'alarm' is used rather loosely in the industry; thus, depending on context it might mean an alarm point, an alarm indicator, or an alarm event.

SCADA software is usually linked to the SCADA system's databases and HMI, to provide trending, diagnostic data, and management information such as scheduled maintenance procedures, logistic information, detailed schematics for a particular sensor or machine, and expert-system troubleshooting guides. SCADA software can be divided into open type or proprietary type. The main problem with these systems is the overwhelming reliance on the supplier of the system.

Distributed Control System components are usually included in SCADA. IEDs, RTUs or PLCs are also commonly used; they are capable of autonomously executing simple logic processes without a master computer controlling them. A functional block programming language, IEC 61131-3, is frequently used to create programs which run on these RTUs and PLCs. This allows SCADA system engineers to perform both the design and implementation of a program to be executed on an RTU or PLC. From 1998, major PLC manufacturers have offered integrated HMI/SCADA systems, many of which use open and nonproprietary communications protocols. Many third-party HMI/SCADA packages, offering built-in compatibility with most major PLCs, have also entered the market, allowing mechanical engineers, electrical engineers and technicians to configure HMIs themselves.
Fig: SCADA control station

1.15

Benefits of SCADA

The primary motivation behind the adoption of SCADA systems were: Reduction in the number of people required to monitor systems. Not only are the numbers of staff reduced, but also the pre-requisite levels of training and skill they need, reducing personnel costs in many cases. Increased availability of information available to those people, Improved efficiencies in terms of faster response and reduced operating costs. Ability to remotely monitor and control can also reduce the number of call-outs in response to alarms and staff having to work outside normal hours, Implementation and control of complex industrial processes where human control would not be sufficient because there are too many control factors, or the responses required have to be input faster than possible by a human-machine interface.

The use of electronic data capture allows reporting, trend analysis and forecasting in a way that wasn't possible in the past with pen recorders and printers. The ability to predict problems, schedule maintenance as required and order parts and materials on a just-in-time basis is also facilitated by SCADA systems. Modern IT systems and software applications mean that reporting is even simpler and easier, with real-time updates to reports, moving averages and alarms for values that are out-of-tolerance.

1.16 Modern SCADA systems

Modern systems have largely moved away from the original electro-mechanical systems in a private control network, radio or PSTN dial-up circuits. Control is often through Programmable Logic Controllers (PLCs) and Computers, with the signalling passing over data networks. Radio and PSTN still have their place, but the signalling is mainly using Internet protocols. Another change is that the modern command networks tend to be publicly accessible and this brings a new challenge to security. Previously attacks usually required insider knowledge, physical access and electrical engineering knowledge to achieve success. Now knowledge of protocols and access to a computer connected to the internet is sufficient as a starting point. The scale of systems has also grown. The introduction of autonomous and semi-autonomous systems has been made possible by smart software. Large infrastructures now have Distributed Control Systems (DCS) that automate many of the routine tasks and often perform better in the role than human interaction ever could. The capability of the devices on the end has also changed and improved. Instead of a valve with a motor and relay to control the opening and closing of the valve, plus a sensor to report on the actual position of the valve, there is now an integral valve with stepper motor and a PLC to control and report on status. It needs less cabling and the Total Cost of Ownership can be lower, but it is more complex to maintain, requiring a different skill set from that of the control technician who looked after the older systems. While there are proprietary software systems and protocols for SCADA the majority is Open Source (e.g. IGSS, FreeSCADA, SZARP and MANGO), which allows for interoperability between equipment and software suppliers and reduces dependence on a single supplier. This brings down cost and increases flexibility for the end user.

1.17 SCADA Protocols

SCADA protocols are designed to send small packets of data in a reliable fashion using Serial communications, or TCP in more recent systems, and in a deterministic manner: the order in which the commands arrive and are implemented is very important, and the effects that they

will have are well understood. This is very important, as the systems can be safety-critical in their nature.

In 1988 the International Electrical Commission (IEC) began to publish what is now known as IEC 60870. Alongside this sits another offering, the Utility Communications Architecture (UCA), which was first released in the same year. This protocol is supported by the IEEE and is now available as UCA-2, the second major release, and defines the TCP/IP networking and digital radio communication standards. It is the favored protocol within Europe for the electricity distribution industry. UCA is an open protocol for SCADA command and control systems. It is more economical in terms of communications overheads but has more limited functionality in terms of command and control. It is mainly used in the power generation and distribution industries, for whom it was written, but contains functionality for other industry sectors (e.g. gas and water) to use. This protocol is steadily growing in popularity.

For other users with more generic operational requirements, another protocol was introduced in 1993: DNP3 (Distributed Network Protocol). It has much wider adoption across a range of industries and is used globally. This protocol is largely compatible with UCA-2 and the two are gradually becoming more and more aligned in terms of interoperability. One of the strengths of DNP3 is that it has a well-documented and robust compliance regime. It also contains stronger error correction capability than 870, but has a more limited addressing schema. This protocol has a much higher established user base in North America, Southern Africa and Eurasia and there is a very active DNP3 user group.

Both of these protocols have been updated to support data transmission over OSI model data networks. They use a 3-layer model (known as the Enhanced Performance Architecture (EPA)), comprising the Application, Data Link and Physical layers from OSI.
The use of TCP isn't mandated but is very strongly recommended. This is because of the deterministic nature of SCADA and the fact that TCP provides reliable and error-free packet transfer, which UDP doesn't do. Application Data Protocol Units (APDU) are created at the Application layer, broken down into packets for transmission and re-assembled at the receiving end. It should, however, be noted that there are significant differences in the lower EPA layers of the networked and non-networked versions of the IEC 60870 protocol.

A more recent candidate for adoption is OPC (it originally stood for OLE for Process Control but is now just a name), which has arisen out of co-operation between device manufacturers and Microsoft to derive a set of standards for ease of command and control from within a Windows environment. It has grown over the last 14 years to become a strong candidate as the protocol of choice. It is designed to allow ease of installation and configuration in an Industrial Automation environment, where a device driver can be developed for a device and loaded

quickly and simply into a Master system. The Unified Architecture Model (OPC-UA) has proven very popular with many manufacturers and users.

Some items of equipment do not use modern data networks to communicate, relying on serial communications protocols to send and receive data and instructions. Examples of these include:
- Modbus, one of the most popular serial communications protocols used within SCADA systems. Initially released in 1979 and in the public domain, it is very widely used by many manufacturers of SCADA equipment. There is a ModbusTCP variant, allowing for integration of old and new technology.
- Profibus (PROcess FIeld BUS) communication, using serial cabling with signals sent in RS232 bit-serial mode to an industry agreed messaging specification.
- DeviceNet, using CANBus over a Control Area Network, supported by the Open DeviceNet Vendors Association. It has a greater signalling range than RS232.
- Foundation Fieldbus, supported by the IEC and adopted as IEC 61804. It is a two-way serial communication protocol working to (yet another) open architecture. The signalling uses its own Physical layer methodology.

1.18 Design and Implementation of SCADA systems

The requirements for fault tolerance, resilience and accuracy mean that a SCADA system requires detailed planning, integration and testing, but should then be straightforward to operate. There are standards that exist (see the standards section later in this document) to help in this task. The process has five main stages:

a) Design: This is no different from any other project. Start with requirements capture and operational drivers to derive the initial design for the Systems Architecture. This must include the requirements for the elements described in this paper:
- RTUs
- Communications
- HMIs
- Functionality, e.g. sampling frequency and accuracy, response times, etc.
- Availability/resilience
- Safety
- System Security/Assurance & Audit, physical and logical
- Infrastructure
- Operations and Training
- Risk management

b) Procurement: The supply of RTU, communication and HMI equipment, the latter consisting of a PC system and the necessary control and alerting software. The statement of requirements for suppliers should include the behaviour inside and outside of normal parameters, e.g. Is the system expected to fail safe? What monitoring and auditing capability must be present? What Identification and Authentication systems must be used to validate any user or instruction?

c) Installation: The installation process is largely self-explanatory, and may be complex to control and co-ordinate if geographically dispersed. It may also include many diverse work packages, depending on the nature and scale of the command and control system:
- Installation and securing of all systems
- Physical security of devices and communications links
- Characterization of communications links
- Time Domain Reflectometer profiling of copper and fibre cabling
- Power-on testing

d) Integration: Once the entire hardware and communications infrastructure is installed it must be integrated and tested. It is important to verify that systems behave exactly as expected and modelled. Tests should include all functions and properties, including security and resilience. The behavior of the system when operating outside of desired/expected parameters is as important as that when it is functioning normally. An understanding of the symptoms displayed by each kind of error is an essential diagnostic tool for prompt and effective response to incidents. Any additions or changes will require regression testing and integration into existing systems to manage the risks of unexpected actions and interruption of service. The potential risks and impacts must be analysed and managed appropriately. This should be part of the Business Continuity Planning.

e) Commissioning: This is the final process:
- Trouble-shooting outstanding problems
- Documentation of all hardware, software and processes
- Training of staff
- Handover to operations
- Commencement of review, audit and monitoring processes

Fig: Representative SCADA system

1.19 SCADA security

This part discusses various attack scenarios against SCADA networks. They differ in complexity, intent, and the access vectors required for execution. There are different types of security issues that a vulnerable SCADA network presents. A majority of SCADA networks have some sort of Master Station. For reliability, most networks have multiple control centers. Attackers who gain access to a SCADA network can use a variety of techniques to alter the information consumed by the control center. Insiders to the network may be able to compromise servers on the network and change their data. Outsiders to the network may be able to exploit a vulnerability which gives them similar access to that of an insider. In either case, information about key processes can be altered at the source of the data to present different information to operators and control systems. If the control station is not protected by security patches, firewalls, intrusion prevention and other mechanisms, it may be possible for an intruder to gain complete control over the SCADA networks. Modern control centers use a combination of Unix, Windows and Web Based SCADA management tools. Each of these tools may be installed on any number of vulnerable operating

systems and applications such as Apache or Microsoft web servers. An attacker who has control over the SCADA network may not even need to understand the underlying SCADA protocols. Instead they will likely be presented with any user interface that a normal control center operator would use. These displays often include documentation and procedures for emergencies and change control. This information can be used by a remote attacker to understand how to control the SCADA network. Any SCADA system which manages a real-time or non-stop operation can be used to prevent that operation from occurring. Attackers, intruders and malicious insiders can use network vulnerabilities to send turn off and power off messages to equipment performing a variety of processes. If direct manipulation of the SCADA devices is not possible, it may also be possible to prevent communication from a control center to the SCADA devices. This may be all that is required for a hostile agent to prevent normal operations of a SCADA network device. Since SCADA devices are usually physically inconvenient to get access to, an intruder may be able to keep the key systems powered off or out of commission and override any commands sent. These effects can also be manifested in the case of a worm outbreak. Increased bandwidth usage, support systems being infected with viruses and loading down CPUs can keep a control center from managing their SCADA equipment. Lastly, since SCADA devices control many different physical processes, it may be possible to not only disrupt or disable operations, but it may also be possible to create permanent damage. There are simply too many combinations of physical processes and any safety controls which may be in place to truly assess this vulnerability. Most SCADA plants do not have a self destruct sequence we see in the movies. Instead, most high availability or all time physical plants have a variety of physical and electronic safety precautions. 
For example, anything that moves at all likely has a governor on it which limits its top speed, regardless of what the SCADA control unit says. Similarly, ovens, power generators, power relay stations, and so on all have physical safety limitations built into them for what they can and cannot do. Even so, if a SCADA system malfunctions, it will have a debilitating impact on the community and society. Power utilities, energy utilities and other major infrastructures have now been converted into SCADA-controlled systems.

1.20 Attack on SCADA network

The history of SCADA security is very similar to that of many other technologies. In short, nobody thought about it beyond error correction and reliable delivery of data until the advent of networking. Security was by obscurity and the isolation of the control network from outsiders. For many years this was very rarely an issue and there wasn't a big problem until the

use of Local and Wide Area Networks (LANs & WANs) for SCADA and the hacker subculture developed. At that point the industry realized that there were potential problems. As the concept of Cyberwarfare developed, industry and governments realized that there was potential for widespread disruption of services using SCADA and other technologies. This has been proven to be achievable through attacks such as those on Estonia in 2007. While not specifically attacking SCADA systems, this was a very real proof of concept. The discovery of Stuxnet has shown that SCADA systems are a target, that successful attacks are possible and that (most probably) nation states are prepared to devote considerable resources to attacking them. The possible attacks on systems include disruption/denial of service, sabotage and espionage, and the threats come from sources such as:
- Disgruntled employees or contractors launching attacks from inside or outside the organization, using their detailed knowledge to defeat countermeasures
- Opportunist hackers acting out of curiosity or malicious intent
- Motivated individuals or interest groups/activists
- Organized crime for extortion, theft, etc.
- Nation states for industrial espionage or cyberwarfare

The knowledge and capabilities of the attackers are increasing with time. The new generation has grown up with technology, and more resources are being put into training and the development of hacking toolsets and methodologies. The sophistication of the Stuxnet worm (Jun 2010) shows the capabilities and lengths to which attackers are prepared to go in order to achieve success. Over time this capability and motivation is only going to increase. The threat will grow. There are many vulnerabilities that could be exploited to effect an attack; the most likely of these are:
- DNS attacks to disrupt access or DNS pinning to inject malware or extract data
- Jamming of radio frequencies
- War-dialling PSTN lines for support modems on hardware
- Cross-site scripting or Firewall bypass attacks on Master control systems
- Interception and tampering with legitimate commands or injection of spurious data and commands on control networks
- Corruption of control code on master systems or RTUs (e.g. Stuxnet)
- Physical attacks on the infrastructure

There have been some well-publicized attacks on SCADA systems and these amply demonstrate the need to ensure the security of their command and control systems. An attack on SCADA and related IT systems is an effective way of bringing about such an outcome.

Early SCADA networks communicated over radio channels, modems or dedicated serial lines. Today the trend is to put data on Ethernet and IP over Synchronous Optical Networking (SONET). It is best practice to keep SCADA data on closed LAN/WANs without exposing the sensitive data to the open Internet. If such exposure is necessary, then a secure VPN is required to protect the traffic, and suitable protocols must be designed and implemented.

These are some examples of actual attacks on SCADA systems in the last 10 years.

March 1997 - Worcester Air Traffic Control, USA
A hacker in Worcester, Massachusetts disabled part of the public switched telephone network using a dial-up modem connected to the exchange control system. This disabled the telephones at the Airport Air Traffic control centre, airport security and fire departments, the weather service, and all the offices of the airlines. In addition, the data connections for the main radio transmitter and runway lighting controls were taken offline. Service was disrupted for 6 hours.

April 2000 - Maroochy Shire sewage system, Australia
The radio command and control SCADA system was hacked by an ex-employee of the company that installed the control system. He opened valves remotely, allowing more than 800,000 litres of raw sewage to contaminate the river and local environment. His attacks altered the system configuration in order to stop pumps, cancel alarms and disrupt radio communications systems so that data did not allow easy diagnosis or a rapid response to the problem once identified.

Dec 2000 - Servers hacked as games host
The master servers of Electric Power Services were hijacked to host and run games. The vulnerability wasn't SCADA-related, but SCADA servers were accessed by hackers and their performance adversely affected.

June 2001 - Cal-ISO SCADA systems attacked
The organization that runs most of the power distribution grid for California (the 8th largest economy in the world) was attacked at the end of April 2001 and the attack was sustained. The activity wasn't detected until early May. Fortunately the attacks didn't cause any damage or affect performance in spite of the hackers' best efforts. Analysis of the logs showed that the hackers were trying to bypass the firewalls that protected the SCADA systems before the attack was detected (and traced to Guangdong in China). The attack continued for 17 days.

Jan 2003 - Slammer hits Nuclear SCADA system
The First Energy Davis-Besse nuclear power plant in Ohio was infected by the Slammer worm. The resulting server outage disabled a safety parameter monitoring system for almost five hours. This system monitored and displayed data on (among other things) reactor coolant levels, core temperature and radiation levels from multiple sensors. Shortly afterwards another server was infected and offline for six hours. This wasn't a targeted attack, but it highlights the dangers of SCADA systems with connections to the internet, direct or indirect. The source of the infection was traced to a services supplier with a connection that did not have firewall or IDS protection, providing an inadvertent backdoor into the nuclear control systems.

January 2008
A 14 year old in Lodz, Poland, subverted the points control system of the town tram network with a modified TV remote control, causing 2 trams to collide and injuring 12 people. The system uses Infra-Red signals from the drivers to set the points. The boy recorded and replayed signals to change points settings.

April 2009 - Malware discovered in US power networks
A US government report stated that malware had been found in the SCADA systems of the Electrical distribution systems. The software wasn't active, but was capable of being activated to disrupt electricity supplies across large parts of North America. It is assumed that the malware would have been activated in the event of conflict or disagreement by the perpetrators. The actions are publicly attributed to Russian or Chinese state-sponsored organizations.

Jun 2010 - Discovery of Stuxnet attack
The well-publicized discovery in June of the Stuxnet malware shows the capability of attackers to infect RTUs and machinery. Analysis of the code shows that the malware is very precisely targeted at a specific PC combination and control software packages (WinCC and PCS 7). It is also very sophisticated, relying on 4 different zero day vulnerabilities and two stolen digital certificates in order to function. Analysis shows it also contains Digital Signatures stolen from a company in Taiwan and used to authorize code execution. A public proof of concept demonstration shows that this code is effective.

Nov 2010 - SHODAN website used to identify vulnerable websites
CERT advised that the SHODAN (Sentient Hyper-Optimized Data Access Network) website has used search tools to enumerate networks and build a profile of the hardware they contain. This resides in a database that can be searched by users who can specify target configurations, allowing them to look for probable SCADA systems and known vulnerabilities, such as missing patches and default password configurations. The search and indexing process continues, adding new systems as they are connected to the internet.

1.21 Securing SCADA

The incidents listed in the previous section have prompted a series of surveys to identify the state of security within SCADA systems. These have been conducted by academic and national security organizations. The generic findings of these surveys identified the following common problems:
- No encrypted communications - data in transit can easily be read or manipulated
- Default passwords left in place for software and hardware devices
- No means for authentication of signals and commands
- Application code poorly designed without sufficient regard for security and not fully tested
- Executables easily reverse-engineered
- Web and application servers not hardened to remove unwanted modules and services
- Networks not set up securely
- Batch and command files easy to compromise or misuse
- Software and operating system files unpatched against known vulnerabilities
- Access control and intrusion detection devices not in use or incorrectly configured
- Remote access easy to achieve and access points unprotected (includes Wi-Fi)
- System event logs incorrectly configured and not monitored
- Legacy SCADA systems operating with no security architecture in place
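The finding "no means for authentication of signals and commands" is illustrated below from the receiver's side, as an added example that is not part of the original report: a Modbus RTU frame carries only a CRC-16, which catches line noise but says nothing about who sent the frame, while a keyed MAC with a strictly increasing counter also rejects altered and replayed commands. The HMAC-SHA-256 envelope, the 8-byte counter, the pre-shared key and the unit and coil addresses are assumptions made for the example; they are not part of Modbus or of any system the report describes.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 16  # truncated HMAC-SHA-256 tag length (assumption for this example)


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Modbus RTU frame: address, function code, data, CRC (low byte first)."""
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def crc_ok(frame: bytes) -> bool:
    """The only check a plain serial receiver performs: error detection."""
    if len(frame) < 4:
        return False
    (crc,) = struct.unpack("<H", frame[-2:])
    return crc16_modbus(frame[:-2]) == crc


def seal(key: bytes, counter: int, frame: bytes) -> bytes:
    """Sender side: counter || frame || HMAC(key, counter || frame)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()[:TAG_LEN]
    return header + frame + tag


class AuthenticatedReceiver:
    """Accepts a frame only if the tag verifies and the counter moves forward."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, message: bytes) -> Optional[bytes]:
        if len(message) < 8 + 4 + TAG_LEN:
            return None
        header, frame, tag = message[:8], message[8:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, header + frame, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # altered or sent without the key
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None                      # replay of an earlier message
        if not crc_ok(frame):
            return None                      # malformed inner frame
        self.last_counter = counter
        return frame


def demo() -> dict:
    key = bytes(range(32))  # constructed demo key; real keys are provisioned per device
    # Constructed frames: Write Single Coil (0x05), coil 0x0010, ON (0xFF00) / OFF (0x0000)
    close_cmd = build_frame(0x11, 0x05, bytes.fromhex("0010ff00"))
    altered = build_frame(0x11, 0x05, bytes.fromhex("00100000"))
    noisy = close_cmd[:3] + b"\x11" + close_cmd[4:]   # one bit flipped in transit
    rx = AuthenticatedReceiver(key)
    sealed = seal(key, 1, close_cmd)
    spliced = sealed[:8] + altered + sealed[-TAG_LEN:]  # old tag on a different frame
    return {
        "crc_accepts_original": crc_ok(close_cmd),
        "crc_accepts_altered": crc_ok(altered),        # CRC cannot tell the difference
        "crc_detects_line_noise": not crc_ok(noisy),
        "auth_accepts_original": rx.accept(sealed) == close_cmd,
        "auth_rejects_replay": rx.accept(sealed) is None,
        "auth_rejects_altered": rx.accept(spliced) is None,
        "auth_accepts_next": rx.accept(seal(key, 2, close_cmd)) == close_cmd,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay rejection is the property missing in the January 2008 incident listed earlier, where recorded signals were accepted when played back.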

2. SCADA in Railway Traction Distribution System


2.1 SCADA in Railways

SCADA is an acronym for Supervisory Control And Data Acquisition. Hamilton Research and Technology Ltd. (HART) has developed a SCADA system for KV Traction Power Control for the Indian Railway based on RDSO specification no. ETI/PSI/16 (12/93) with AC slip 1. The SCADA system is based on a multiple networked Pentium PC based Remote Control Centre. Microprocessor based RTUs are located at trackside sheds generally known as TSS, SSP & SP. The communication between the RTUs and the RCC equipment works in multiple master-slave modes. The long distance voice grade communication happens over multiple communication media like optical fiber cable, microwave link and quad copper cable. Each of the RTUs as well as the RCC communicates through modems. The RTUs are polled on a regular basis to monitor the status of the various switchgear (breakers/interrupters) as well as transformers. The catenary voltage is monitored at the various controlled posts to provide up-to-date information to the traction power controller (TPC) at the RCC. The TPC monitors the status of the entire section on the view terminals and issues appropriate commands. The RTU receives the packet containing the telecommand information and, after verifying its integrity, executes the telecommand through the digital output module.

2.2 SCADA Equipment

2.2.1 General
The SCADA equipment at the RCC is called the Master Station, while that of the controlled station is referred to as the Remote Terminal Unit (RTU).

2.2.2 Transmission Path
To limit the build-up of longitudinal induced voltage on account of induction effects of 25 KV traction, isolating transformers are provided on the cable circuit at intervals of 10 to 15 km. The cable is tapped at the RCC and each controlled station, and 3 pairs of conductors are terminated on a terminal board. An isolating transformer of impedance ratio 1120:1120 is provided at the point of tapping.

2.2.3 Repeater Stations
Voice frequency repeaters are provided at intervals of 40-50 km to boost the signal and to make good the line attenuation. The amplifier gain at the repeater station is about 20 dB;

with an equalizer incorporated to compensate up to 0.02 dB/kHz/km. Depending upon the distance, the repeater gain is set so that the signal level at any point en-route is within certain prescribed limits. If the lead is long, suitable surge arrestors are provided inside the equipment room to protect the circuits. The metallic sheath of the lead-in cable shall also be kept insulated from the earth system of the switching station to prevent induction effect, the insulated conductor also being led into control panels. For the same reason, switching station earthing and earth of R.C. equipment are all kept separate and distinct and are not interconnected. In addition, the switching station structure should be solidly bonded to the track rails by two independent connections.

2.2.4 Microwave Communication
In some of the sections on Indian railways a dedicated microwave channel at a carrier frequency of 18 GHz has been provided for the purpose of communication.

2.2.5 Optical Fibre Cable
Optical fibre cable has also been introduced for communication in some sections of Indian railways, and is also used for R.C. equipment. Details of the interface between the latest communication system and the RCC/RTU equipment may be seen in the relevant technical documents.

2.2.6 Master Station Equipment
Hardware configuration: A dual main micro-computer / mini-computer system, one main and the other hot standby, is provided at the master station. Each system interfaces with its front end processor, if any, and modem for communication with the RTUs, and with the man-machine interface equipment to provide up-to-date network data and to accept commands. Each system has its own system console and hard and floppy disks along with their drives. Watchdogs are provided for monitoring the health of the computer system. In case of failure of one computer system, the standby system takes over automatically. Two data-logging printers, one online and the other as standby, are provided, both being connected to the same online computer system. In case of failure of one printer, the other printer automatically takes over.

2.2.7 Mimic Diagram Board (MDB)
A mimic diagram board and its associated mimic driver are provided at the RCC. The MDB depicts the traction power supply diagram, indicating the energized/de-energized condition of the sub-sectors of the catenary and the status of the interrupters and CBs at TSS & FP, SSP and SP. Unlike the conventional Mimic Diagram Board used in RCCs prior to the introduction of the SCADA system, all control operations are carried out from the keyboard(s) provided at the workstation(s). The Mimic Diagram Board's sole purpose is, therefore, to give an overall view of the traction power supply system to the operator. The size of the MDB is, therefore, very much smaller. It is the intention to do away with the MDB altogether since the system can be viewed on the VDUs.

2.2.8 Annunciations
Controlled Station: "Remote Station defective" is annunciated by an LED.
Master Station: The following annunciations by LEDs are provided on the MDB.
(i) Main System ON
(ii) Standby System ON
(iii) Main System Defective
(iv) Standby System Defective
(v) Main UPS Failed
(vi) Standby UPS Failed
(vii) UPS battery low (below 90% of nominal voltage)
(viii) 415 V, ac, 3 ph, supply to UPS failed.

2.2.9 SCADA Software
The operating system used is suitable for multi-user, multi-tasking, networking and real-time applications.

2.2.10 VDU Display
The application software supports a large number of versatile semi-graphic colored displays for issuing telecommands, blocking/deblocking the controlled point, viewing alarm listings and event listings, or for carrying out special functions. For details of these displays, the manufacturer's Operating Manual may be referred to. Any of the VDU displays is called by a simple keyboard operation by the operator, with pre-defined options available for the order and manner in which displays are called.

2.2.11 Transmission and Coding System
The master station equipment normally scans all the RTUs continuously in a pre-defined cyclic sequence, to update the equipment status, alarms, events and measurands. Exchange of information between the Master Station and the RTUs takes place on interrogation by the master followed by a reply from the RTU. The communication technique is based on Digital Address Time Division Multiplexing. Every data exchange is based on a well-defined transmission protocol. Each transmitted message contains sufficient parity check bits to detect transmission errors.

2.2.12 Remote Terminal Unit (RTU)
The RTU is microprocessor based and includes its associated digital input/output modules, alarm input modules, analog input modules, watchdog, transducers, memory modules, interposing relays, summation CTs, power supply unit(s), surge arrestors and other items necessary for its proper working. SCADA can be divided into six sub-sectors or modules:
1. Power Supply Module
2. CPU Sub Rack
3. Input Modules
4. Modem
5. Transducer
6. Relays/Contactors

2.2.13 Power Supply Module
The RTU draws its power basically from one of the following two sources:
- 240 Volt AC nominal supplied from the Auxiliary PT.
- 110 Volt DC supplied from the control post battery supply.

While attending to the RTU one must ensure the availability of the source power supply at the respective input terminal of the RTU. For the input terminal number the reader is requested to refer to the harness wiring detail attached as appendix to this document. Subsequent to the availability of the appropriate power supply the next step is to switch on the Power Switch (MCB) located at the bottom of the panel. Successful switching ON of the MCB extends the source power to the power supply unit.

The block diagram of the Power Supply Module is as follows: -

To troubleshoot the power supply one is advised to work backwards. Check for the DC voltage on the terminal block mounted in the front plate of the power supply unit of the RTU. In the event of none of the voltages appearing, one should look backwards and measure the 110 volts coming out of the static switch module. A possible cause of the voltages not being available at the output of the static switch module is the absence of the 110 volts DC and/or the 240 V AC. If both the supplies are present, the module to investigate would be either the static switch or the comparator. The absence of the supplies at the input is traceable to a failed MCB and/or a failed filter PCB. The attached list mentions the voltage connection details for various types of RTUs; the voltages measured at the terminals indicate the health of the various sub-modules.

2.2.14 CPU Sub Rack
The CPU sub rack consists of a back plane and a number of PCB sub-modules like the processor PCB, digital input, digital output and analog input modules; the number of cards depends on the particular RTU configuration. The processor module, as the name suggests, drives the CPU sub rack. It receives commands and information requests from the RCC via the modem. It in turn conveys the telesignal status and telemetered parameters back to the RCC via the modem. It decodes the telecommands received and executes the same via the appropriate DO module. A number of LEDs indicate the health of the module. By following the diagnostic routine in conjunction with the LED indications one can identify the faulty sub-modules.


2.2.15 LED Details of Processor Board

LED POS (from top) | NAME | FEATURE | FUNCTION | REMARKS
1 | CMI | Blink | CPU clock | Indicates working of the CPU clock.
2 | IOR | Blink | IO Read | If there is a read operation on the external bus, the LED blinks.
3 | IOW | Blink | IO Write | If there is a write operation on the external bus, the LED blinks.
 | LI | Normally OFF | Reset | In the event of the watchdog toggling, the LED will blink, indicating a board malfunction.
5 | TXD1 | Blink | RTU transmit | Modem serial comm.
6 | RXD1 | Blink | RTU receive | Modem serial comm.
7 | RTS1 | Blink | Modem control | Modem serial comm.
22 | L3 | ON | Presence of +5v | Logic supply.
L2 to L19 | 1 TO 8 | Blink | Reflection of Black data BUS | These LEDs are extensively used for debugging.
20 | +12 | ON | +12v Supply | RS 232 power supply +12v
21 | -12 | ON | +12v Supply | RS 232 power supply -12v
23 | ADC+ | ON | +12V Supply | Only valid for SP & TSS
24 | ADC- | ON | -12V Supply | Only valid for SP & TSS

2.2.16 Input Modules

Input modules can be classified in the following categories:
(i) Modules to read the status of a bi-state device like a breaker / interrupter.
(ii) Catenary monitoring module.
(iii) DC low modules.


An appropriate signal is applied to the input of the modules and the corresponding output is monitored. The presence or absence of the correct signal at the output shows whether the module is functioning properly. In the case of catenary monitoring modules the calibration needs to be checked along with the go/no-go test indicated above. Apply the two desired levels for turn off and turn on.

2.2.17 Modem

The modem converts the RS232 signal from the RTU transmit line into an FSK signal and transmits it over a communication medium to the RCC. Similarly, it receives the FSK signal on the receive pair of lines from the RCC, converts it to RS232 level and supplies it to the RTU over its receive line. The modem also has a loop back switch. The modem can be checked by putting it in loop back mode and rerunning the communication check program of the CPU DIAG ROM. The modem interface cable should be left in place. The transmit and receive sensitivity settings of the modems at different RTUs may vary depending on distance from the RCC, line condition, etc.

2.2.18 Modem

(i) A TEST MODEM jig.
(ii) A HAND-HELD TERMINAL.


TEST PROCEDURE:
(i) Switch off the RTU.
(ii) Make the connection as per above.
(iii) Switch on the TEST MODEM first, then the RTU and lastly the LAPTOP/HAND-HELD terminal.
(iv) LOG_ON the hand-held terminal/laptop using the keyboard. Set I.D. & Type identical to the given RTU. After setting I.D. & Type the RTU starts running with local software and the Tx LED & Rx LED on both the MODEM cards start BLINKING.

THE ABOVE TEST ENSURES THAT THE MODEM CARD along with all other cards in the RTU is 100% O.K.

2.2.19 RCC System Configuration

The RCC computer system is designed as per RDSO's specification No EN/PSI/76(12/93) with A/C slip 1 and is built around multiple PCs connected in a local area network. The system is built around two identical supervisory computers (SC1 & SC2) running in a 100% fault tolerant hot standby mode. Normally SC1 works as the master and SC2 works as the standby, listening to the various transactions taking place on the network. SC2 thus keeps updating its own database so that in case of an SC1 breakdown it is ready to take over with the most recent data. SC2 queries SC1 over the network to check that it is in perfect health. On receiving a wrong answer within the specified waiting period, SC2 takes over after broadcasting a warning message to all the view terminals.

The RCC to RTU communication happens over a single four-wire communication channel in multidrop master-slave mode. The proprietary protocol is based on IEC 870-5 (the details of the protocol are explained under the software section). The communication is controlled by two front-end processors (F1 & F2), also working in hot standby mode. The front-end processors are Pentium PCs connected to the LAN. The FEPs are connected back to back through a serial port. The modem connected to the active FEP controls the RTU communication channels whereas the other modem is held back in standby mode. The health of the supervisory computers and switching is effected as and when necessary.

The two work stations, each consisting of three 19" VGA color monitors connected to the LAN through three individual PCs, form the man-machine interface of the SCADA system. The TPC can view the up-to-date status of the RTUs through the mimic diagram depicted on the monitor screen. Commands can be issued via the mouse or keyboard connected to each of the six terminals.
The normal condition of the entire network is initially loaded in the hard disc drive of the PCs, and any change in status is broadcast by the active SC as an exception message, thus keeping the LAN traffic to a minimum.
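The RTU side of the multidrop master-slave exchange described above, as an added example that is not part of the original report or of the vendor's software. The report says only that the proprietary protocol is based on IEC 870-5, so the standard FT1.2 frame layout of IEC 60870-5-1, a one-octet link address and the sample frames are assumptions.

```python
# Added example: FT1.2 framing (IEC 60870-5-1) is an ASSUMPTION; the report's
# proprietary protocol is only described as "based on IEC 870-5".
START_FIXED, START_VAR, END = 0x10, 0x68, 0x16
BROADCAST = 0xFF  # assumed one-octet link address, 0xFF = all stations


class FrameError(ValueError):
    """Raised when a frame fails a structural or checksum test."""


def parse_ft12(frame: bytes) -> dict:
    """Validate one FT1.2 frame and return its decoded link-layer fields."""
    if len(frame) < 5 or frame[-1] != END:
        raise FrameError("too short or missing end octet 0x16")
    if frame[0] == START_FIXED:
        if len(frame) != 5:
            raise FrameError("fixed-length frame must be 5 octets")
        user = frame[1:3]                      # control + address
    elif frame[0] == START_VAR:
        length = frame[1]
        if frame[2] != length or frame[3] != START_VAR:
            raise FrameError("length octets or second start octet mismatch")
        if length < 2 or len(frame) != length + 6:
            raise FrameError("declared length does not match frame size")
        user = frame[4:4 + length]             # control + address + ASDU
    else:
        raise FrameError("unknown start octet")
    if sum(user) & 0xFF != frame[-2]:
        raise FrameError("checksum mismatch")
    control = user[0]
    return {"prm": bool(control & 0x40),       # set when sent by the master (RCC)
            "function": control & 0x0F,
            "address": user[1],
            "asdu": bytes(user[2:])}


def accept_for_rtu(frame: bytes, my_address: int):
    """Multidrop slave filter: return the parsed frame only if this RTU must act on it."""
    try:
        parsed = parse_ft12(frame)
    except FrameError:
        return None                            # damaged frames are dropped
    if not parsed["prm"] or parsed["address"] not in (my_address, BROADCAST):
        return None
    return parsed


# Constructed sample frames (not captured traffic).
POLL_RTU3 = bytes.fromhex("105b035e16")
DATA_RTU3 = bytes.fromhex("6805056873030102037c16")
```

The checksum in this framing catches line noise only: it is an arithmetic sum that any station on the shared channel can compute, so it says nothing about who sent the frame.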


The LAN is implemented using the 10Base-T Ethernet standard. The computers are connected in star topology using a 10-port unmanaged hub. The connections are made in a radial manner through UTP CAT V cable. The cable is terminated on both sides using RJ45 connectors.

2.2.20 Transducer

A transducer is a voltage/current sensitive device. There is a voltage drop in the traction line as distance increases. The transducer detects this drop and hence measures the different voltages and currents at different places. Two transducers are used because we find the potential difference between two points, and the AI card computes these voltages. One 25 kV input is given to the PT and 110 V AC is obtained. This voltage is given to the voltage transducer, and an output of 5 V DC is given to the AI card. The second 25 kV input goes through the same process. The third 25 kV input is given to a CT and the 5 mA obtained is given to the current transducer, whose output is given to the AI card. The AI card (analog input card) is placed in the main sub rack of the RTU. The AI card communicates the signals to the CPU via the upper EURO, and the lower EURO is used to accept the analog inputs of the voltage and current transducers. The CPU card and the modem are the RTU system. The RTU is connected with the TPC; once the RTU knows the states of the voltages and currents, it communicates them through optical fibre to the TPC, and the TPC will adjust/reduce voltage and current according to the demand of that section.


3. A Sample tender for SCADA systems


4. Traction Power Supply Feeding


Supply System

The single-phase 25 kV power for electric traction is obtained from the 132 kV extra high voltage 3-phase grid system through a step-down single-phase transformer. For this purpose duplicate feeders comprising only 2 phases are run from the supply authority to the traction substation. There are two traction transformers in parallel. The main function of the transformers is to step down the high voltage of 132 kV obtained from the power station to 25 kV. This voltage is then given to the supply lines. The H.V. side of the transformers is provided with DP isolators. When the handle is locked at the top position the switch blades are fully open, and when the handle is locked at the bottom position the switch blades are fully closed. A current transformer is provided on the H.V. side, and SF6 type circuit breakers are generally used in Railways. A lightning arrester is also provided to protect the system from lightning.

Fig: View of a Traction Sub-Station

On the L.V. side, first of all a 42 kV lightning arrester is provided to protect the system from lightning. A 25 kV circuit breaker is provided, then again a C.T., a 25 kV feeder circuit breaker and a 25 kV SP isolator are provided so that the complete system can be safely connected or disconnected in case of emergency. A 25 kV bus coupler interrupter (normally open) is provided to feed the OHE from either of the two power transformers.
Fig: Overhead lines

Different PTs and CTs are provided to take this voltage and current for SCADA. Every 50-60 km a neutral section is provided so that power can be transferred from one side to another side.


The railway traction system power supply feeding arrangements are so designed that in case of a power failure of the Bihar Electricity Board, power can be taken either from the Bengal Electricity Board or the UP Electricity Board so that train operation is not stopped.

Fig: Typical of Traction Power Supply feeding arrangement


5. History of Electric Traction in India


Electric traction was born in India in 1925, when 10 miles between Bombay VT and Kurla of the Central Railway was electrified. With 1500 volts D.C., the electrification was gradually extended to the suburban section between Bombay-Thane & Igatpuri-Pune. For this electrification the Railway had provided a power house at Thakurli and a transmission line. Rotary converters were used for conversion from A.C. to D.C. The second phase was the electrification of the suburban section of the Western Railway from Churchgate to Colaba and Borivali. This was taken up in 1928 and was extended to Virar in 1936. In the third phase, electrification was done by the Southern Railway in Madras, where 25 miles of metre gauge from Madras Beach to Tambaram was inaugurated in the year 1931. This section was subsequently converted to 25 kV A.C. 1-phase 50 cycles traction. In 1957 the Railway Board, after making sure that the single-phase traction load would not produce adverse unbalancing effects on the 3-phase power supply, decided to adopt the 25 kV A.C. 1-phase 50 cycles system of electrification for all further schemes. In 1960 the first electrification on the 1-phase 50 cycles traction system was run at Rajkharsawan-Dongoaposi. With the discussion for our further schemes of the 25 kV A.C. system, the 1500 volts D.C. around Madras and the 300 D.C. around Calcutta had been converted to 25 kV A.C. traction 50 cycles, except the 1500 V D.C. system around Bombay.
Fig: Electric Traction on the G.I.P Railway, India


Conclusion
