
Wireless Data Communications for SCADA Systems

Author: Dan Ehrenreich, Motorola

BCWWA Conference, Vancouver, November 28-29, 2005


Abstract
Supervisory Control and Data Acquisition (SCADA) solutions provide a base for better controlled
water systems. Computerized handling of remote installations is integrated with communication and
provides means for reducing operating cost and maintenance cost and for effective handling of the
water network. System parameters communicated over a wireless data network must present the true
conditions of the field equipment. Likewise, commands sent to remote sites must be promptly
executed, and a back indication must be sent to the control center.
Properly engineered SCADA systems shall allow seamless communications from all Remote
Terminal Units (RTUs) to any RTU and from any RTU to the SCADA computer. Such a
communication network may comprise analog VHF or UHF radio, digital or analog trunking
radio, microwave, satellite, Multiple Address Systems (MAS), wideband spread-spectrum data
networks, GSM/GPRS, iDEN/Nextel, or CDMA.
Interfacing between the SCADA Master Control Center (MCC) and the wireless network serving
the RTUs may utilize a range of solutions such as serial RS-232, LAN-based TCP/IP, OLE for
Process Control (OPC), and others. The system may utilize a wide range of SCADA-type
communication protocols such as DNP 3.0, BSAP, MDLC and IEC 60870-5-10x, and in some cases
PLC-type protocols such as DF-1, MODBUS, etc.
It must be noted at this point that, as of today, there is no true standard for wireless RTU
communications. Therefore, while implementing a wireless SCADA system, utilities must pay
special attention to the issues that are unique to the selected data communications media.
Recently, industry consultants and customers have become more aware that SCADA systems might be
vulnerable to a variety of attacks via their communication media, examples of which have already
occurred. Such an event might have devastating consequences. In order to prevent such events,
implementation of a water SCADA system requires the use of a secure communication solution.

Seven-Layer Protocol


As one cannot be an expert in all aspects of SCADA solutions, it may be difficult for a
non-communication engineer to specify the right communication architecture and to distinguish
between the characteristics of the data protocols available for SCADA systems.
Figure 1 below briefly outlines the characteristics of the seven-layer Open Systems Interconnection /
International Organization for Standardization (OSI/ISO) protocol concept. The key advantages of this
method are that each layer handles one or more designated functions, and that changes to a
function in a specific layer have no effect on functions specified in another layer.
• The lowest level is the Physical Layer; it handles the physical/electrical network interface
definitions and the channel access mechanism. This layer is configured according to the
communication media in use: radio, fiber optic lines, satellite, etc.
• The layer above the Physical Layer is the Data Link Layer, whose role is to establish the link
and confirm the integrity of the transmitted frames/packets between two entities (or sites).

Wireless Data Communication for SCADA Systems Page 1 of 5


• The Network Layer provides the most important benefits to SCADA system operation,
as it allows seamless routing of data frames across the network, from any point to any point,
as well as via multiple communication nodes. It allows each RTU to act as a digital Store and
Forward (S&F) repeater (linking sites over the same wireless channel) and also allows routing
data packets via communication nodes (linking remote sites that use different media).
Note: Most three-layer protocols, including MODBUS, IEC 60870-5-101 and DNP 3.0, do
not have a Network Layer, and therefore their RTUs cannot be utilized as communication nodes.
• The Transport Layer handles fragmentation and reassembly of messages (into
frames) and provides means for connection management. It is also utilized to provide end-to-
end confirmation that an error-free message was received at the destination site.
• The Session Layer enables multiple simultaneous sessions/dialogues in the network
between two entities. By allowing multi-session transactions, this feature helps boost the
overall data communication efficiency and achieves better results within a given bandwidth.
• The Presentation Layer sits just under the top layer of the protocol stack. In this
layer the data is packed or unpacked so that it is ready for use by the running application.
• The top-level Application Layer actually implements the "real thing" related to
RTU operation, such as file transfer, data access and management, diagnostics, programming
and configuration, document and message interchange, job transfer, etc.
Note: The three-layer protocols used in simple SCADA communication include only the Physical, Link and
Application layers, and therefore most functions can only be executed by the Application Layer.

End user application process
   |
   Application Layer    Includes all transactions related to SCADA system operation           (included in 3-layer protocols)
   Presentation Layer   Provides means for preparing the data for handling by the application
   Session Layer        Provides means for multiple entities to exchange data simultaneously
   Transport Layer      Handles data fragmenting and confirming end-to-end data integrity
   Network Layer        Provides redundancies and routing of messages via network links
   Link Layer           Provides means to establish, maintain and terminate connections       (included in 3-layer protocols)
   Physical Layer       Defines the physical and electrical interface to the network          (included in 3-layer protocols)
   |
Data communication network

Figure 1. Layered Data Communications

Characteristics of Wireless SCADA Networks

Wireless SCADA systems usually operate over a wide geographical area: a country, province, large city,
district, etc. These systems should preferably operate stand-alone and well "isolated" from other
communication networks, which may be vulnerable to overloading, interference, interruption of
service, security attacks, fraud, etc.

During system definition, utilities shall take the following considerations into account before
selecting wireless communication for their system:



• Communications data rate
Water SCADA systems do not require frequent transmission of long messages. Therefore it is
commonly agreed that these systems may use low-rate communication, as long as the
selected media and data protocol provide reliable data transactions. A typical water system may use data
rates in the range of 1200 bps up to 9600 bps and deliver adequate SCADA performance.
Conclusion: Investing in expensive high-data-rate radios for water SCADA will not add operating
benefits to the system and will not enhance system performance.
• Communication Architecture
The communication architecture may involve a single media or a combination of a wide-area data
communications backbone with a shorter-range (last-mile) wireless network.
Conclusion: Consequently, investing in a high-speed data network with multiple connections may
increase the cost, and it is not an optimal choice for such a system.
• Radio Transmission Power
The wireless data network used shall allow extended coverage across the city and should preferably
utilize high-power radios, which allow reliable coverage even in populated areas. One shall also consider the
propagation characteristics of the frequency band in use.
Conclusion: Investing in GHz-range wireless media with low-power radios might not enhance system
performance in a city-type environment (buildings, no line of sight, etc.).
• Air Time Utilization
Water SCADA systems typically do not require frequent communication sessions with the MCC. As a
matter of fact, data that is not required for an immediate decision by the MCC (or the operator) need not be
communicated at all. The industry considers a "quiet system" to be a better engineered system,
as it is immediately available to communicate urgent messages within the network.
Conclusion: Utilizing a data protocol that allows only polling might reduce the performance of the
system, even if a high-data-rate channel is used. Instead, SCADA RTUs shall utilize the Report-by-
Event communication method, which allows operating many RTUs on just a single channel.
• Communications Protocol
Data protocols transmitted over wireless SCADA networks must be extremely robust, equipped with a
reliable, air-time-efficient error handling mechanism, and allow Peer-to-Peer and Store & Forward
communications. The selected data protocol should preferably allow combining multiple media into the
network, where each RTU may act as a communication node.
Conclusion: Three-layer PLC-type protocols (such as MODBUS, DF-1, etc.) might not perform
adequately over complex wireless media, and might cause multiple retransmissions and downtime.
• Data Security
Water SCADA is among the most critical SCADA applications; therefore one should consider using
a reasonably secure protocol, including some type of integrated data encryption and data authentication
means. It shall not be easy to analyze or modify the traffic, nor to retransmit it without being
detected as a system intrusion.
Conclusion: Transmission of low-tier three-layer protocols over wireless networks might result in
vulnerability to security-related events and system failures.



• Integrated RTUs and PLCs
SCADA systems may allow seamless integration of existing PLCs with RTUs in the same system,
with the RTU acting as a polling master to the PLC. In practice this configuration makes these
units operate as a hybrid unit behaving as a "large RTU".
Conclusion: Using a hybrid solution allows convenient and cost-effective reuse of existing,
already installed PLCs, or adding new PLCs to existing RTUs.
• Protocol Conversion
In a retrofitted SCADA system, an RTU may have to interface to an existing PLC or to a smart sensor
integrated in the same system. This configuration requires the RTU to operate as a polling master to
that PLC, existing RTU or sensor, communicating with these devices using their native protocol.
Conclusion: RTUs must have a built-in capability to emulate or encapsulate other protocols. While
implementing the encapsulation method is simpler, emulation will generate more operating benefits.
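The Data Security item above asks for a protocol whose frames cannot be modified or retransmitted without detection. The following Python sketch is an added example (not code from the paper or from any Motorola protocol) of the two checks that provide this at the link or transport layer: a truncated HMAC tag over header and payload, and a per-source sequence number that rejects replays. The frame layout, tag length, addresses and key are assumptions; payload encryption would be layered on top of this.

```python
import hmac
import hashlib
import struct

HDR = struct.Struct(">HHIH")        # src addr, dst addr, sequence number, payload length
TAG_LEN = 8                         # truncated HMAC-SHA256 tag; assumed size, keeps air time low
KEY = b"constructed-demo-link-key"  # constructed; real deployments provision per-link keys

def build_frame(key, src, dst, seq, payload):
    """Frame = header | payload | tag. The tag covers header and payload, so changing
    addresses, sequence number or data invalidates it."""
    header = HDR.pack(src, dst, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """An RTU (or MCC) endpoint: checks address, tag and sequence before acting."""
    def __init__(self, key, addr):
        self.key, self.addr = key, addr
        self.last_seq = {}           # highest sequence number accepted per source

    def accept(self, frame):
        """Returns (True, payload) or (False, reason); the reason is what an IDS would log."""
        if len(frame) < HDR.size + TAG_LEN:
            return False, "truncated"
        header = frame[:HDR.size]
        src, dst, seq, plen = HDR.unpack(header)
        if len(frame) != HDR.size + plen + TAG_LEN:
            return False, "length mismatch"
        if dst != self.addr:
            return False, "not addressed to this unit"   # an S&F node would forward instead
        payload = frame[HDR.size:HDR.size + plen]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(frame[HDR.size + plen:], expected):
            return False, "bad tag"        # modified in transit or forged
        if seq <= self.last_seq.get(src, -1):
            return False, "replay"         # a captured frame retransmitted later
        self.last_seq[src] = seq
        return True, payload

def demo():
    """Constructed scenario: a valid command, then a tampered copy and a replayed copy."""
    rx = Receiver(KEY, 0x0007)
    frame = build_frame(KEY, 0x0001, 0x0007, 42, b"OPEN VALVE 3")
    accepted = rx.accept(frame)
    tampered = bytearray(frame)
    tampered[HDR.size + 5] ^= 0x01     # flip one bit inside the payload
    return accepted, rx.accept(bytes(tampered)), rx.accept(frame)
```

A sequence window rather than a strict "greater than" test would be needed on links that can reorder frames; the strict check shown matches a single half-duplex radio channel.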

Network Communication
In a SCADA system some RTUs may be configured to operate as an S&F repeater or as a
communication node. Upon receipt of a message, they check the address of the received message to
determine whether it is intended for them or for another RTU. Such a transmission may also include frames
belonging to different, unrelated sessions simultaneously initiated by different RTUs in the system.
Upon completing the data transaction (the message reaches its final destination, the RTU site), the
destination RTU sends an "end-to-end" acknowledgement to the source RTU (or FEP, or vice
versa) via the Transport Layer, confirming the message integrity.
Occasionally, if part of the network or a specific RTU (serving as a communication node) fails and
cannot communicate with the designated site, the transmission is not confirmed. Prior to
canceling that message, the Network Layer may reroute the related frames via a pre-defined backup
link, as illustrated in Figure 2 below. Having such an advanced option embedded in the SCADA
communication process provides an even higher level of data reliability, as messages may reach
their destination in spite of a temporary or permanent malfunction of a link.

[Figure 2 (diagram): a Primary MCC and a Secondary MCC, each with Printer and ToolBox, on a Local Ethernet; a Main IP Gateway; wireline and Remote Ethernet / IP-based links (including a TS/SLIP connection); and several RTU & Data Comm. Nodes, one acting as S&F, connected by Prime Links and Backup Links.]

Figure 2 – Integrated SCADA system with main and backup links
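As an added example (not from the paper or from any Motorola product), the following Python model shows the rerouting behaviour described in this section: the Network Layer routes over prime links, falls back to a pre-defined backup link when a communication node fails, and the Transport Layer reports whether an end-to-end acknowledgement could come back. The topology and node names are constructed and only loosely follow Figure 2.

```python
from collections import deque

class ScadaNetwork:
    """Nodes are MCCs, gateways and RTUs acting as S&F repeaters or comm. nodes; each
    link is tagged "prime" or "backup", and nodes in `failed` are skipped when routing."""
    def __init__(self):
        self.links = {}      # node -> {neighbour: "prime" | "backup"}
        self.failed = set()  # nodes that stopped responding

    def add_link(self, a, b, kind="prime"):
        self.links.setdefault(a, {})[b] = kind
        self.links.setdefault(b, {})[a] = kind

    def _route(self, src, dst, allow_backup):
        """Breadth-first search over usable links; returns the node list or None."""
        parent, queue = {src: None}, deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            for nb, kind in self.links.get(node, {}).items():
                if nb in parent or nb in self.failed or (kind == "backup" and not allow_backup):
                    continue
                parent[nb] = node
                queue.append(nb)
        return None

    def send(self, src, dst):
        """Network Layer: prime links first, then the pre-defined backup links.
        Transport Layer: the destination returns an end-to-end ack over the reverse route.
        Returns (route, acked); (None, False) means the message must be cancelled."""
        route = self._route(src, dst, False) or self._route(src, dst, True)
        if route is None:
            return None, False
        return route, self._route(dst, src, True) is not None

def build_demo():
    """Constructed topology loosely following Figure 2 (all node names are assumptions)."""
    net = ScadaNetwork()
    net.add_link("MCC", "GW")                 # MCC to IP gateway over local Ethernet
    net.add_link("GW", "NODE_A")              # gateway to a wireless comm. node
    net.add_link("NODE_A", "RTU7")            # S&F hop to the field RTU
    net.add_link("MCC", "NODE_B", "backup")   # pre-defined backup wireline link
    net.add_link("NODE_B", "RTU7")
    return net
```

Marking NODE_A as failed (`net.failed.add("NODE_A")`) makes `send("MCC", "RTU7")` return the backup route through NODE_B; failing NODE_B as well yields `(None, False)`, the case in which the message is cancelled.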



Summary and Conclusions
Communications reliability, data security and networking play a major role in wireless SCADA
systems. These subjects were highlighted in this paper for the benefit of SCADA engineers who
do not have the necessary expertise and might overlook the importance of selecting the optimal
communications media and the suitable data protocol.
Implementation of an error handling method based on a frame retry mechanism and frame-level
confirmation minimizes the probability of a faulty message passing through the SCADA network
and reaching its destination without being detected and eliminated. Furthermore, the applicable
layers in the ISO/OSI seven-layer protocol validate data integrity, hence providing enhanced
system operation reliability. As already mentioned above, the major advantage of "layered
communication" is that modifications to the communication network structure or a change of media
will neither affect the application program nor put RTU operation at risk.
Furthermore, this method allows implementation of additional functions such as smart RTU
decisions based on data imported from other RTUs, update of programs via the network, download
and upload of new operating parameters via the wireless data network, etc. While some three-layer
SCADA and PLC protocols may perform similar processes through application-layer
programming, in the ISO/OSI protocols these functions are "built in" within the corresponding
layers. Consequently, the integration of advanced seven-layer communication protocols optimized
for wireless SCADA communications generates major operating and cost benefits to the customer
and more than justifies the investment.



________________________________________________________________________________
Dan Ehrenreich is Marketing Manager at Motorola and handles SCADA Business Development in
Canada and Latin American countries. He received his B.Sc. in Electronics Engineering in 1975 and
joined Motorola in 1991. Dan may be contacted via email: dan.ehrenreich@motorola.com. For more
details on MOSCAD-type SCADA solutions refer to our web site: http://www.moscad-systems.com

