One of my broad-based philosophical warnings to anyone new to the SCADA business is that utility SCADA is Infrastructure. Infrastructure should depend on as few other pieces of infrastructure as possible. The more interdependent they are, the more likely it is that something they share will break communications for all of them at once, and the more work it will take to restore service.
We had visitors recently from a neighboring water utility. They were working on upgrading their SCADA system. However, the design was being handled by another project manager working with another integration firm handling a whole lot more than just water.
The system was actually supposed to be part of a city-wide effort to incorporate everything into a city SCADA system. It would include traffic, water, sewer, perhaps some street lighting controls, some security, and probably a few cameras from key vantage points.
When this was described to me, I had to ask why this was a good idea. I would imagine the agency responsible for this would probably find some way to segment the control rooms so that one group of HMI screens would control traffic, and another would control water and so on. But is that enough? Separate screens are not separate networks: if the HMIs share a master station, a historian and a communications backbone, a compromise on one side has a path to the others. What if someone brings malware into their side of the system? What other security measures would they use to isolate the various sides of the system?
My guess is that someone thought they might be able to save some money on telecommunications, get a volume discount on RTU hardware, and manage a central group of technicians who might be better at doing SCADA-ish things. But how much effort and time would be saved if they consolidated telecommunications? How much do these technicians know about instrumentation and automated controls? How would they determine that the problem was actually due to the RTU or whether it was due to a network issue on site? For example, if the RTU communications with an intelligent power meter were disrupted, who would respond and how would it be diagnosed?
Furthermore, RTU design and the protocols are highly dependent upon the regulatory and tactical requirements one might have. How much event data would one need? Or is this all supposed to be real time? What kind of infrastructure would this have? How much backup power would each RTU need? If the requirements are that different, where is the volume discount?
If it is part of the city’s fiber optic metropolitan area network, who determines where those fibers go? If they are buried in parallel with large water pipelines and a pipeline breaks, what gets washed out and destroyed? How about if a tanker full of gasoline catches fire and burns under a bridge or in a tunnel where those fibers are located? What concerns are used in the design of this infrastructure?
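One way to make the shared-dependency argument concrete is to model each design as a dependency graph and ask how many services a single failure takes out. The script below is an added illustration, not part of the original post; the component names (masters, radios, a city fiber MAN, UPS units) are constructed stand-ins, and the two graphs are a simplified "separate" versus "consolidated" architecture rather than any real utility's network.

```python
"""Blast-radius check for shared SCADA dependencies (added illustration)."""
from itertools import combinations

# Constructed dependency graphs: component -> components it depends on.
# Leaf components (radios, fiber, UPS) have no entries of their own.

# Three utilities, each with its own master station, radio link and UPS.
SEPARATE = {
    "traffic": {"traffic_master"},
    "traffic_master": {"traffic_radio", "traffic_ups"},
    "water": {"water_master"},
    "water_master": {"water_radio", "water_ups"},
    "sewer": {"sewer_master"},
    "sewer_master": {"sewer_radio", "sewer_ups"},
}

# The same three utilities on one city master over a shared fiber MAN.
CONSOLIDATED = {
    "traffic": {"city_master"},
    "water": {"city_master"},
    "sewer": {"city_master"},
    "city_master": {"city_fiber_man", "city_ups"},
}

SERVICES = ("traffic", "water", "sewer")


def transitive_deps(graph, node):
    """Every component `node` depends on, directly or through others."""
    seen, stack = set(), [node]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def components(graph, services=SERVICES):
    """All non-service nodes in the graph (the things that can fail)."""
    nodes = set(graph) | {d for deps in graph.values() for d in deps}
    return nodes - set(services)


def services_lost(graph, failed, services=SERVICES):
    """Services that stop working when every component in `failed` is down."""
    failed = set(failed)
    return {s for s in services if transitive_deps(graph, s) & failed}


def single_points_of_failure(graph, services=SERVICES):
    """Components whose failure, alone, takes down every service."""
    return {c for c in components(graph, services)
            if services_lost(graph, {c}, services) == set(services)}


def worst_case(graph, k, services=SERVICES):
    """Most services lost to any k simultaneous component failures."""
    return max((len(services_lost(graph, fails, services))
                for fails in combinations(sorted(components(graph, services)), k)),
               default=0)


if __name__ == "__main__":
    for name, graph in (("separate", SEPARATE), ("consolidated", CONSOLIDATED)):
        print(name, "SPOFs:", sorted(single_points_of_failure(graph)),
              "worst single failure:", worst_case(graph, 1))
```

In the separate design no single component takes out more than one utility and it takes three simultaneous failures to lose all three; in the consolidated design the city master, the fiber MAN and its UPS are each a single point of failure for every utility at once. The same structure applies to a pipeline break washing out a shared fiber run: model the fiber as a dependency of every service and the washout becomes a city-wide outage.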
If patches or updates to a master station are to be scheduled, when should they be done? If the traffic management staff have a say, they’ll want it done in the middle of the night, when the least amount of traffic is on the road. If the water distribution staff have any say, they’ll want it done in the middle of the day because they get really busy at night while the energy is cheap. The overtime alone will eat a significant amount of savings. Again, why is this a good idea?
And finally, what security model gets used and who are we defending against? Is it reasonable for water operators to have easy access to the traffic system? Should someone have remote access to this SCADA system? If so, who should have it, and how should it be secured?
What I know is this: A big SCADA system of everything is one very juicy target for anyone with bad intentions. The more it controls, the more desirable a target it becomes.
I think that folding traffic control into a shared system like this is very dangerous. I suspect that any savings there might be from such efforts would be spent retrofitting or updating security as new vulnerabilities and threats emerge. My concern is that returns on such an investment may be a very long time coming, if ever.