Part 2: Network Security and Fiber Considerations
When it comes to best practices for Supervisory Control and Data Acquisition (SCADA) systems, there are several areas to consider. In the first part of this two-part blog series, we focused on practices relating to servers, Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). We will now focus on the best practices for fiber and network security.
Network Security
As arguably one of the most important areas to focus on, network security ensures, for example, that a hacker can't gain access to the power plant controller and delete all of the system logic. SCADA networks play a crucial role in managing and monitoring the complex infrastructures in solar PV plants. They also perform functions that optimize performance, manage consumption, and protect equipment, which makes them attractive targets for hackers.
Specific types of threats to SCADA networks include:
- Hackers: intentional, malicious network intruders or groups that are intent on gaining access to components in SCADA networks.
- Malware: often includes viruses, spyware, and other programs that are not necessarily targeting SCADA networks, but may still pose a threat to the operation of key infrastructure.
- Terrorists: hackers may want access for malicious intent, but are typically motivated by sordid gain. Terrorists, in comparison, are typically driven to cause as much damage as possible to SCADA systems that are tied to targeted services.
- Insider error: workers are a common cause of SCADA network issues, either intentionally due to internal work issues or, more commonly, because of operator error. To avoid insider error, ensure that everyone is properly trained on security protocols and have configurations in place to minimize damage if a mistake is made.
Firewall Protection
Firewalls separate networks from each other and restrict the traffic flowing between systems. They are commonly found separating internal networks from the internet (such as in a DMZ configuration), but they can also be used internally to segment sensitive networks from general-purpose networks.
All SCADA networks should use firewalls to stay separate from general productivity networks, and companies must also ensure that authorized users are given access to those networks remotely.
Performing the initial configuration and ongoing updates according to the company's security policy is also vitally important for all devices on SCADA networks. If users access SCADA systems using smartphones, tablets or other mobile devices, specialized configuration management will also often be required.
Lastly, it's a good idea to have two firewalls in place for standard SCADA projects so that they can act as a redundancy: if one firewall fails, the other is still there to offer protection.
Managed Switches
In a SCADA system, there are two types of switches: managed and unmanaged. In a normal residential home you'll have an unmanaged switch and all electrical devices will be connected through the same network, or subnet. Being a part of the same subnet allows you to plug them into the same unmanaged switch, enabling the connection. Unmanaged switches offer no security whatsoever. Anyone can connect to the unmanaged switch and gain access to your network.
Managed switches offer much more management capability because of their ability to have multiple switches and also provide more security because devices are placed onto different subnets. With a managed switch, subnets can talk to each other through their configurations.
The managed switch also works with the firewall in order to tag subnets, or VLANs (virtual LANs), and LANs. These VLANs are tagged in the firewall and configured into the managed switch to enable communication between networks.
Network and Cybersecurity Best Practices
- System mapping: document or "map" everywhere your system connects to the internet and internal networks, and anyone who has access to these systems.
- Monitoring and detection: after every connection and device is documented, implementing monitoring and detection controls is a crucial next step. Network segmentation (discussed above under Managed Switches) should also be employed to separate other crucial business systems.
- Procedures for network security: security is something that needs constant attention. Security checks, report monitoring, and standard protocols should be instituted and employed by anyone with access to the SCADA network.
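
The mapping, monitoring and segmentation practices above can be checked together against observed traffic. The following is an added example, not code from Nor-Cal Controls; the subnets, device inventory, allowed flows (including the Modbus/TCP port) and flow records are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed zone map: subnets and names are assumptions for illustration.
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/24"),      # PLCs, HMIs, inverters
    "dmz": ipaddress.ip_network("10.20.0.0/24"),        # historian / jump host
    "corporate": ipaddress.ip_network("10.30.0.0/24"),  # general productivity
}

# Documented device inventory (the "system map"), constructed sample.
INVENTORY = {"10.10.0.5", "10.10.0.6", "10.20.0.10", "10.30.0.40"}

# Flows the firewall policy is meant to permit: (src_zone, dst_zone, dst_port).
ALLOWED = {
    ("dmz", "scada", 502),        # historian polls PLCs over Modbus/TCP
    ("corporate", "dmz", 443),    # users reach the DMZ jump host only
}

def zone_of(ip):
    """Return the zone name containing ip, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "external")

def audit(flows):
    """Return a list of (flow, reason) findings for observed flows."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        for ip, zone in ((src, sz), (dst, dz)):
            if zone != "external" and ip not in INVENTORY:
                findings.append(((src, dst, port), f"unmapped device {ip}"))
        if sz == dz:
            continue  # traffic inside one VLAN never crosses the firewall
        if (sz, dz, port) not in ALLOWED:
            findings.append(((src, dst, port), f"{sz}->{dz}:{port} not allowed"))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.10.0.5", 502),   # permitted historian poll
    ("10.30.0.40", "10.10.0.5", 502),   # corporate host talking straight to a PLC
    ("10.10.0.99", "10.10.0.6", 502),   # undocumented device on the SCADA VLAN
    ("10.10.0.6", "203.0.113.7", 443),  # SCADA device reaching the internet
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, reason)
```

Each finding points either to a gap in the system map or to traffic that crosses a zone boundary without a documented rule, which are the two things the firewall and managed-switch configuration are meant to prevent.
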
Fiber Best Practices
- Collapsed ring for consistent communication: many companies choose the collapsed ring topology option over other fiber topologies when working with Nor-Cal as it is a cost-conscious option while still maintaining redundancy, meaning that if you lose one inverter, you're not going to lose all the inverters in the link. It saves money because with a collapsed ring, you can wire the outbound and inbound fiber loop within the same fiber bundle, effectively cutting the needed fiber length in half. Also, with the collapsed ring topology, the network hardware can continue to communicate between inverters even if one is compromised, so that you can isolate the single malfunctioning inverter and troubleshoot the issue without losing operation.
- Multimode vs single mode fiber: there are two types of fiber available, single mode and multimode. Single mode fiber can handle longer distances, whereas multimode is only operable for distances up to two kilometers (km). Single mode fiber also provides better communication in comparison to multimode because it employs lasers rather than LEDs as its light source. For this reason, single mode fiber is in most cases what we use in the field. For example, you can go five km and not have an issue with a single mode fiber, whereas multimode fiber simply wouldn’t work. This is especially important for solar PV plants, as devices may lie very far apart from each other and you would need to be able to cover those distances without jeopardizing communication stability. Although single mode fiber isn’t always used, it is ideal for most cases, especially when working with larger sites.
Why Choose Nor-Cal Controls?
Nor-Cal can help EPCs, Owners and Operators by integrating an open architecture SCADA system based on industry best practices, to ensure that your system is safe and efficient at all times.