Citect Scada Software Protection Failure

Scada Review 2019: AVEVA, Schneider Electric

End–user responses

This video shows you how to solve issues related to CitectSCADA's Floating License Manager, including the Software Protection Failure. Learn More: https://w.

1. Version 6 continued this trend and included more SCADA-like functionality in addition to the poll-based real-time control system that still remains the core of the Citect software today. Version 7 was released in August 2007. This version is also the first version to support Windows Vista Operating system.
2. Do not use CitectSCADA or other SCADA software as a replacement for PLC-based control programs. SCADA software is not designed for direct, high-speed system control. Failure to follow these instructions can result in death, serious injury, or equipment damage.

General

Q: Briefly describe the application including information on any pre-existing control system.

The client has been using Citect SCADA V6.1 with Windows XP and Windows server 2003 which has been out of support. V6.1 and operating systems was in a mature lifecycle phase which indicate its functionality is stable and obsolete. The main drive for the upgrade to V2018 was to overcome obsolescence, establish engineering standards and migrate the system to be fully compliant to the ASM (Abnormal Situational Management) Standard.

Q: What were the primary motivations for the project?

• Outdated scada, obsolete operating systems, lack of knowledge, skills and diagnostic tools.

• Alarm flooding: poor alarm management.

• Change management: backups, deployment and version control.

• Security: upgraded from application level only.

• Colours: no consistency in colour management.

• ASM: non ASM complaint.

Q: In the procurement decision making process what were the primary considerations that influenced the product selection?

Current installed base is Citect SCADA, support from vendor and initial costs.

Q: What project management principles and/or methodologies did you employ as end-user to mitigate risk, ensuring the project came out on time and within budget?

Methodology: Agile.

1. Customer satisfaction through early and continuous software delivery.

2. Accommodate changing requirements throughout the development process.

3. Collaboration between the business stakeholders and developers throughout the project.

Citect Software Protection Failure

4. Support, trust and team motivation

5. Working software is the measure of progress.

6. Agile processes to support a consistent development pace.

7. Attention to technical detail and design.

8. Self-organising teams.

9. Regular reviews on project effectiveness.

Licensing, maintenance and support

Q: What upgrade agreements are in place on this particular application?

With a comprehensive suite of service levels and options, the client can choose the program level that best suits their specific needs. Whether they are planning a new installation, optimising and fine tuning a mature system, preparing a major upgrade, or evolving their system with the latest software upgrades to take advantage of rich new capabilities. The customer is on annual premium subscription, which gives them access to the latest software and 24/7 support. Any enhancements or upgrades will be on a case by case basis.

Q: How is after-sales support handled on this application?

This is provided via regular site visits and telephonic remote support.

Q: Do you have a documented process in place to manage, test and install OS and scada system software patches?

We have a standard procedure based on hierarchies of workstations and criticality of patches that determines the order and speed with which we deploy patches. Schneider Electric tests its products on systems that are configured with all the cumulative Microsoft Updates. Any exceptions to this will be listed in the Schneider Electric report specific to the test.

Integration, reporting and archiving

Q: Is the scada system integrated onto an intranet or the Internet?

No.

Q: Is the system integrated with an MES/ERP or other management reporting or control system?

Will be implemented on a later stage.

Q: Do you run the scada in conjunction with any third-party application software?

No.

Q: Does the application include data archiving/historian capabilities with an historical data reporting system?

Will be implemented on a later stage.

Maintenance, reliability and asset optimisation

Q: Have any operational or production benchmarking tools been configured as part of the scada system?

No.

End-user conclusion

Q: What was the predominant feature (or features) that made you decide to purchase this scada product over all others for this application?

Comprehensive situational awareness library, better alarm management, compatibility adaptability, lower risk, support structure and upgrade path.

Q: What was the most significant change

you implemented in scada engineering practice / technology in this project?

• Engineering efficiency: Deployment Server makes it is easier to roll out changes and manage version control.

• Operator awareness: fully ASM compliant.

• Cross platform transparency.

• Security improvement: domain level security. Find me crack.

• Process Analyst: operators have the capability to build their own trends.

Q: What single operational feature most impresses you about the product now that it is in operation?

ASM Aspect: operator response time and the identification of abnormal situations is quicker.

Q: What impresses you most about the architecture?

• Every area is set up as a different project.

• Multiple engineers can do development within the architecture layout.

SI Responses

Project details

Q: What tools were used to minimise the man-hours taken?

Build in Equipment generator and Excel.

Q: What human factors were taken into consideration as principles or development standards in the HMI design process?

Colour usage, amount of screens, abnormal situational awareness and ergonomics.

Q: For the graphics development process did you use standard library images, or did you have to draw images from scratch?

Both.

Q: How would you describe the library of graphic images?

Comprehensive.

Q: What alarm management standards or best practices were adopted in configuring the scada system alarms?

ISA18.2

Q: What structured processes were followed to determine expected performance under full load, and during abnormal failure conditions?

A complete library of test sheets with a pre-determined set of acceptable limits exists within the Schneider Electric Quality Management System. During commissioning, failures are simulated and results documented against these pre-determined criteria. Exceptions are documented as non-conformances and are actioned before final handover.

Q: What are the key physical communication layers and communication protocols employed in the system?

New Ethernet installation.

Q: What is the network speed and communications medium of the slowest link in this project’s scada network?

100 MB over Ethernet.

Q: What is the network speed and communications medium of the fastest link in this project’s scada network?

1 GB over Ethernet.

Q: What levels of redundancy are incorporated in this scada application?

Citect SCADA hot standby servers.

Maintenance, reliability and asset optimisation

Q: What steps were taken to address maintenance, reliability, asset optimisation and/or continuous improvement aspects relating to this system?

Citect SCADA hot standby servers.

Project management

Q: What project management principles and/or methodologies did you as SI employ to mitigate risk and to ensure the project came out on time and budget?

Schneider Electric’s Customer Project Process (CPP) was employed. This is an internally branded Project Lifecycle Management system. CPP methodologies provide guidance for the implementation of a customer project and strive to provide a superior customer experience.

Security and data protection

Q: How have authentication, authorisation and role management been configured?

Authentication has been implemented using a Windows Active Directory domain (users and groups). Each domain group has been associated with internal Citect groups. Within the Citect environment role-based security is implemented, where roles are associated with specific areas. A scada user is unable to view information outside his area without explicit permission.

Q: Does the design make provision for a DMZ and firewall segregation of process (scada) network and business networks (LAN, WAN, GAN, Internet, etc.)?

The solution is logically separated using VLANs. Further information is unavailable as the network is managed by the end-user.

Q: What intrusion detection has been incorporated on the plant network(s) on which this scada system exists?

Intrusion detection is provided via McCafee.

Q: In what ways is this project’s hardware architecture optimised for: patch management and antivirus management?

1. Patch management is done by Schneider Electric. Every second week of the month a new patch is released. The patch is tested. If performance or functionality improvements are evident, a date and time are arranged for implementation.

2. Antivirus management is managed through site IT personnel.

To implement any patches or antivirus changes, the rollout is first done on all A-machines. A-machines consist of the primary server and 1 operator station in each control room. The rest of the plant runs from B-machines: the hot standby server and the 2nd operator station in control rooms. When test and rollouts are done, they are duplicated on the B-machines.

Q: What configuration backup and data archive backup methodologies have been adopted?

Configuration and data backups are performed weekly, monthly and on change.

SI conclusion

Q: How would you rate the ease of use of the historical reporting system?

Citect Scada Software Protection Failure Failed

Easy.

Q: What impresses you most about the engineering/configuration aspects of the product now that it is in operation?

The ease of implementing changes. Navigation is also much quicker for site personnel on the scada information given from the new improved Alarm Server.

Q: What impresses you most about the architecture?

The small hardware server footprint for the scada application, where a single server is used for alarming, logging, trending, and scanning to PLCs, thus reducing overall costs.

Vendor responses

Product

Q: Vendor comments on product/modules?

Schneider Electric is committed to at least one release per annum; within a given 12 month period we continue to enhance product quality with service packs and add-on packages such as +PowerConnect and +Facilities. The Citect SCADA product is core to Schneider Electric’s automation architecture and is continually enhanced to support integration of Schneider Electric products.

Operating systems/VMware

Licensing, maintenance and support model

Q: What sort of licensing agreement options are offered? Leo’s fortune - hd edition for mac.

There are 3 types of licences: Full Server, client read-only and client read-write. There is no differentiation between modules, and a single full licence enables all functionality. A full licence also acts as a client on the server hardware and the system can be operated from this server. Additional clients provide users access to all system features from additional hardware connected to the system via an Ethernet network. A base licence comprises core modules, with optional modules available.

Q: Are licences sold outright or subject to periodic (e.g. annual) renewal?

Licences are a once-off purchase with a yearly renewal named Customer First. Customer First for Citect SCADA offers a rich portfolio of fundamental services to help protect and extend the value of the software investment. A Customer First agreement protects the entire investment by delivering via:

• Software version updates and upgrades.

• Streamlined access to support experts.

• Access to the Global Customer Support website, a source for extensive self-assist tools to help configure or troubleshoot a system.

• Optional services to help optimise and extract value from the software solution.

Q: What upgrade agreements are offered?

Patches and hot-fixes are available to end-users with valid maintenance agreements. Version upgrades are available to those end-users with valid maintenance agreements.

Q: What after-sales offerings iro support and maintenance are available, and which technologies are used to deliver them?

Support is covered under a paid annual support agreement and includes ‘virtual engineer’ (desktop remoting), telephonic support, e-mail support, online self-help tools, automatic driver updates, product upgrades, on-site engineering under a service level agreement, security advisory services, user forum (LinkedIn group) and online knowledge base repository.

Q: Do you have a documented process in place to manage and test OS patches and to release scada system software patches?

Citect’ s goal is to verify that Microsoft Security Updates work with Schneider Electric Software within 15 business days of release. Any exceptions to this will be listed on the Safety & Security Central web page.

Microsoft Security Bulletin Master Page (includes related KB Articles). Microsoft KB articles for a particular patch are listed in each Microsoft Security Bulletin:

Citect Scada Software

• Microsoft Security Bulletins master page.

• Microsoft Security Bulletin Data

Schneider Electric tests its products listed under the Active Support phase for compatibility/coexistence with Microsoft Security updates. Specific Schneider Electric products listed under the Mature Support phase are tested on a case-by-case basis. For specific products covered under other customer support options. Schneider Electric tests its products on systems that are configured with all the cumulative Microsoft updates to-date. Any exceptions to this will be listed in the Schneider Electric Test Report specific to the test.

Technology incorporated

Q: What changes have been introduced into the product in the last 12 months?

The upcoming release delivers on three strategic pillars as below, each of which will be explored in further detail throughout a number of focused blog posts over the coming weeks and months:

Citect Scada Software Protection Failure Support

• Significantly increasing engineering efficiency and speed to production.

• Reducing operator distractions to deliver increased operator awareness.

• Increasing operational productivity and real-time decision making.

How does Citect SCADA 2018 achieve this?

With a focus on providing richer context in addressing Abnormal Situational Management (ASM) across a variety of industrial applications, Citect SCADA 2018 includes a number of enhancements that empower operators to optimise the engineering experience with:

• A dedicated situational awareness workspace.

• An extensive library of configurable objects, including out-of-the-box faceplates.

• A wealth of alarm management capabilities.

• Visualisation and graphics enhancements.

A preview of comments from Citect SCADA 2018 beta customers can be found at: https://www.techvalidate.com/product-research/schneider-electric-software-citect-scada/facts

Integration and reporting

Q: What generic and/or product specific interfaces does the product have iro well-known MES packages?

An OLE-DB compliant interface is available as well as the Citect API for integration into higher level business systems; however, no certified interfaces are available for the above mentioned.

OPC A&E, OPC-DA Servers are available as per the OPC Foundation certification and are included in the version release as well .Net Framework is integrated into the cicode programming function.

Q: What native historical data reporting options are available?

Citect Trend Server is a standard archiving component within Citect SCADA that will enable an end user to access histocial data through a native client tool called Process Analyst. Aveva Process Historian is a high-performance process historian, capable of storing huge volumes of data generated from today’s industrial facilities. Historian easily retrieves and securely delivers information to desktop or mobile devices, enabling organisations to analyse processes anywhere at any time.

PLC configuration and programming

Q: What capabilities does the scada offer in terms of generation and/or management of PLC configuration files or PLC application code?

Citect enables the synchronisation and automatic creation of variable tags using a Unity application project file (.STU), CSV file or OPC Server. It does not generate PLC configuration or PLC application files. It maintains a common set of variables between Citect and Unity, i.e. when tags are added to a Unity Linked device from Citect, the Unity STU file is updated and when variables are added from the Unity environment and saved to the STU, Citect will import the updated variable list.

Security and data protection

Q: What authentication, authorisation and role management models are available for the runtime environment?

The following should be considered: areas, privileges, roles and users. Security may be incorporated in the application or through Windows’ integrated authentication, which will determine where users are created:

• Areas: an area is a section of the plant. It can be defined geographically or logically.

• Privileges: level of access applied to system elements within the project. A user is assigned a role that possesses particular privileges.

• Roles: a defined set of permissions (privileges and areas) that are assigned to users.

• Users: a person or group that need access to the runtime system.

Q: List the top five feature/benefit pairs that contribute to this product’s USP.

Unique selling proposition (USP)

To view the unabridged version of this scada review, please visit http://instrumentation.co.za/+J4474