Historically, human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems were not included in the scope of the charter for information technology (IT). Process engineering or the plant maintenance organization were normally tasked with the responsibility for the SCADA/HMI systems. The responsibility included the selection and management of the computing platform and the industrial control network (ICN). In many cases, a lone electrician was responsible for the entire system, including the workstation, the ICN, and the programmable logic controller (PLC). In this era of SCADA/HMI, the ICN was rarely interconnected with the IT enterprise network or the Internet. Remote access typically was done using phone modems connected directly to the SCADA host workstation.
Bringing IT and SCADA in sync
In the second half of the 1990s, two trends brought IT and SCADA closer together. The first was the Y2K scare that allegedly affected all enterprise computing systems. This included computing systems found in production management software, such as SCADA and HMI. IT departments included production systems in the scope of their audits, looking at production systems to ensure that they were ready to handle the new century date formats.
This alone did not lead to the integration of production systems and IT architecture. For the most part, these systems still weren't connected to the rest of the corporate IT networks. Given the air gap security combined with the unique requirements for managing traffic on the ICN, centralized IT network management tools simply could not be used effectively.
A second trend that coincided with the Y2K focus was the deployment of enterprise resource planning (ERP) systems in many organizations. ERP's data demands and uncertain connection to the shop floor meant that either a parallel system had to be deployed or SCADA would become the bridge. As a result, SCADA and other production systems such as manufacturing execution systems were used for tracking production and feeding ERP's shop floor data appetite by connecting to both IT networks and industrial control networks.
During the past 15 years, we have seen continued integration of IT and production systems. SCADA systems are now for the most part connected to the enterprise networks. Remote access usually is provided via virtual private networks (VPNs) so the SCADA system can be reached from anywhere on the Internet.
There has been some organizational friction in bringing these two very different cultures together. At the top level, the IT department generally looks at its systems as dynamic and having a focus on scalability, performance, and cybersecurity. It may be more willing to apply patches and updates, as long as it knows it has the ability to roll back to previous configurations if problems occur. The focus of the industrial network is to deliver extremely high reliability and safety. Due to the critical nature of real-time data, even short-term disruptions can impact production rates and the safety of the workers and equipment that rely on it. For this reason, software patches and firmware upgrades are more thoroughly tested before they are applied to production systems.
SCADA's place in the control center versus data center
Today, systems are more under the protection and management of IT and its practices. This is particularly true for cybersecurity and virtualization, which are becoming widely adopted. This leads to the question of whether the SCADA host computer should be removed from the control room or the shop floor and moved into the data center.
PcVue Solutions was recently asked to provide guidance to a medium-sized organization that was considering this issue. The company has a large warehouse that houses materials that must be controlled in strict environmental conditions. To automatically maintain the integrity of the warehouse environment, the company purchased a system from a vendor that uses our SCADA platform for the HMI. The vendor delivered the HMI on a single-user workstation connected via an industrial network to several PLCs in the warehouse that controlled the heating and cooling equipment along with other environmental control equipment. The workstation was physically located in a desk in the warehouse.
Management was concerned that the workstation was exposed to physical damage from normal warehouse material handling activities such as forklift movements (see Figure 1). They also were concerned about the time required to respond to either an accident of this sort or even normal maintenance issues with the workstation, given its physical location. For these reasons, the company wanted to move the workstation from the warehouse floor to the enterprise data center.
Newer protocols offer possibilities
This was possible because the PLCs communicated over Internet Protocol (IP), which has generally replaced the older serial protocols in modern ICNs. Using IP made it possible to establish a VPN from the data center so that the HMI could connect to the PLCs on the ICN.
To provide the warehouse operator access to the graphical user interface (GUI) of the HMI, the IT department preferred to use Microsoft Remote Desktop Applications (RDA). RDA is a subset of the widely used Remote Desktop Services (RDS). RDA allows the HMI GUI to appear on the operator's normal desktop as an icon without having the RDS requirement to overlay the entire desktop. As a standard Microsoft solution, the use of RDS or RDA is transparent to Microsoft-compliant SCADA software platforms.
The IT department also wanted to host the HMI workstation on a virtual machine (VM) in the data center rather than have it on a dedicated workstation, as was the case when it was in the warehouse. With a standard Microsoft application, running on a VM is transparent, as designed. The only issue that was out of the ordinary for IT was the need to map a universal serial bus (USB) port to the host. Use of a USB dongle for licensing is a common practice found in SCADA and HMI platforms, but less common for enterprise software. In this case, it was simply a matter of mapping the USB port to the VM hosting the SCADA. A network USB device may be required in more complicated multi-station networks.