The regulatory and standards framework for the operation, maintenance and security of critical infrastructure is rapidly evolving.
Many standards and regulations affecting pipeline SCADA operations are under review or in some stage of draft. This evolving framework requires a new understanding of the operating challenges for the pipeline industry.
Many operators are working to understand the requirements and to proactively develop changes to control-room protocol, controller training, and SCADA infrastructure. The question of how to both comply and gain the benefits of upgrading operating procedures, heightening security, improving alarm management, enhancing graphic displays and improving human factors is challenging in itself. Regulations, by their nature, leave much to interpretation. In some cases, the standards conflict, making the objective of better equipping the controller to meet operational challenges more daunting and, at the same time, more important.
Energy companies rely upon Supervisory Control and Data Acquisition (SCADA) systems for monitoring and control in both the oil and gas transmission pipeline industry and in natural gas utilities. According to industry participants interviewed by Newton-Evans, 85% or more of the world’s operating pipelines of more than 25 kilometers are controlled by a computer-based SCADA system, which requires a skilled team of professionals to manage all aspects of the operation.
Traditional fundamental SCADA certification training covered the basic SCADA components, categorized into the following areas:
- Field devices
- Remote terminal units, programmable logic controllers and flow computers
- Communications
- Data acquisition strategies
- Host systems
- Graphical user interfaces
- SCADA maintenance
In the past, an understanding of the various hardware and communications components was adequate for a good foundation in SCADA fundamentals. Today, the fundamentals of SCADA include:
- Work environment and operations reliability
These are process issues rather than component issues, which is often a new way of thinking for those responsible for the SCADA system.
Keeping SCADA Training Current
As critical lessons are learned from industrial mishaps, standards and regulatory requirements are revised, requiring operators to re-examine their control-room operations and control systems. Naturally, this leads to a reassessment of SCADA training requirements and the development of curriculum to support the new reality.
Regulatory agencies are driving companies to further examine their SCADA processes. It is important to recognize that the knowledge needed to operate effectively in the pipeline industry has changed substantially over the last five years. To train effectively, the traditional curriculum for SCADA fundamentals certification needs to be expanded to encompass the following:
Control Room Management
The Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed new regulations designed to enhance safety by requiring operators of pipeline and LNG facilities to implement new control-room management procedures. PHMSA recognizes the importance of controllers and their role in preventing and reducing risk to pipeline safety. In 2006, Congress enacted the Pipeline Inspection, Protection, Enforcement and Safety Act (PIPES Act), directing PHMSA to issue regulations requiring each operator of a gas or hazardous liquid pipeline to develop, implement and submit management plans designed to reduce risks associated with human factors in the control room.
Familiarity with the proposed regulations is an essential part of any fundamental SCADA training. Essential topics include the following categories and items:
- Standard operating procedures (SOPs) are required to clearly define and document the roles and responsibilities of controllers to ensure prompt and appropriate response to abnormal operating conditions and emergencies.
- Shift changes and information-sharing SOPs or processes should be developed to ensure controllers receive the timely and necessary information required for them to fulfill their responsibilities at all times.
- Change management processes are required to establish thorough and frequent communications between controllers, management, and field personnel when planning and implementing physical changes to pipeline equipment and SCADA configurations, such as alarm modifications.
- Learning from operator experiences requires all operators to review all reportable accidents and incidents on a routine basis to identify and correct deficiencies related to controller fatigue, field equipment, procedures, SCADA system configuration, SCADA performance and communications.
- Operators should be required to provide controllers training necessary to completely understand the pipeline and control systems they operate.
- Operators should be required to adopt additional qualification measures to measure or verify a controller’s performance, including prompt detection of, and appropriate response to, abnormal and emergency conditions that are likely to occur.
- A senior executive officer should be required to sign a validation each calendar year that confirms certain aspects of the operator’s controller training, qualification and compliance with regulatory guidelines.
- Pipeline operators’ SCADA systems would be required to follow American Petroleum Institute (API) Recommended Practice 1165, which addresses SCADA displays.
- SCADA systems must also have a backup communication system, or alternatively, operators must have adequate means to operate manually or have provisions to shut down the affected portion of pipeline safely.
- Existing SCADA system operators will be required to conduct an initial point-to-point baseline verification for each SCADA system to validate and document that field equipment configurations agree with computer displays.
- Methods should be implemented to prevent controller fatigue that could inhibit the controller’s ability to carry out defined roles and responsibilities.
SCADA alarms are an integral part of the controller’s toolkit for understanding and managing pipelines. Alarm management practice matured considerably in the first decade of the 21st century. Best practices have been identified by the Engineering Equipment and Materials Users Association (EEMUA Publication 191), the International Society of Automation (ISA-18.2) and the American Petroleum Institute (API RP 1167). These practices include:
- An improved ability to identify abnormal situations and operations
- Proper design and use of alarms
- Adequate operator situation management information and documentation
- The design of appropriate and informative controller SCADA screen displays
SCADA alarm systems must recognize and accommodate the following:
- Remote locations of controllers: Controllers are removed from pipelines and associated heavy equipment, thus preventing easy personal physical inspection and on-the-site adjustments and modifications to equipment.
- Uneven nature of data communications: Correct, uninterrupted information and rapid execution of control actions cannot be guaranteed, because equipment and control stations are geographically dispersed and data and control traffic must traverse multiple telecommunications nodes.
- Lengthy delay for field responses and adjustments: Almost all hands-on evaluations and repairs and adjustments will be significantly delayed with respect to the ability of the controls equipment to identify and then convey potential problems to controllers.
- Increased number of system status alarms: The increased use of smart field devices, fieldbus architecture, equipment and networks has produced a vast number of additional alarms.
The design and operation of alarm systems will be required to follow established good practices, including the following regular reviews:
- Level One: On a weekly basis, operators must review pipeline operations and the alarms and events that have been received.
- Level Two: On an annual basis, operators must undertake a detailed review of alarm configuration and management. This review considers the number of alarms, potential systemic issues related to field equipment or the SCADA system (including those that produce excessive or unusual alarms), unnecessary alarms, changes in controller performance in response to alarms, and setpoint values.
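The weekly Level One review is easier to perform consistently when the alarm journal is scored the same way every week. The following Python script is an added example, not part of this article or of any GCI course material: it reads a constructed alarm/event journal export, computes per-console alarm load and peak 10-minute rate, flags alarm floods, lists the top "bad actor" alarms and detects chattering tags. The flood threshold and chatter parameters are assumptions loosely based on ISA-18.2 guidance, and the journal format is invented.

```python
"""Weekly (Level One) alarm review metrics from a SCADA alarm/event journal.
Added example; the journal below is constructed, not real operator data."""
import bisect
from collections import Counter
from datetime import datetime, timedelta

# Constructed journal export. Fields: timestamp, console, tag, condition, state
# (ACT = alarm annunciated, RTN = returned to normal).
SAMPLE_JOURNAL = """\
2024-03-04 08:00:05,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:00:35,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:01:05,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:01:35,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:02:05,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:02:35,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:03:05,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:03:35,CONSOLE-1,PT-0412,HI,ACT
2024-03-04 08:03:50,CONSOLE-1,PT-0412,HI,RTN
2024-03-04 08:04:00,CONSOLE-1,FT-0430,LO,ACT
2024-03-04 08:04:30,CONSOLE-1,COMM-RTU12,FAIL,ACT
2024-03-04 08:05:00,CONSOLE-1,COMM-RTU12,FAIL,RTN
2024-03-04 08:06:00,CONSOLE-1,LT-0201,HIHI,ACT
2024-03-04 14:30:00,CONSOLE-1,PT-0990,LO,ACT
2024-03-04 14:45:00,CONSOLE-1,PT-0990,LO,RTN
2024-03-05 09:15:00,CONSOLE-2,PT-1201,HI,ACT
2024-03-05 09:40:00,CONSOLE-2,PT-1201,HI,RTN
2024-03-05 11:05:10,CONSOLE-2,COMM-RTU33,FAIL,ACT
2024-03-05 11:06:00,CONSOLE-2,COMM-RTU33,FAIL,RTN
"""

WINDOW = timedelta(minutes=10)
# Benchmarks assumed from ISA-18.2 guidance: more than 10 annunciations in any
# 10-minute period for one operator is an alarm flood. Treat these as tunable.
FLOOD_THRESHOLD = 10
CHATTER_GAP = timedelta(seconds=60)   # assumed: re-annunciation within 60 s is chatter
CHATTER_REPEATS = 3                   # assumed: at least 3 such repeats flags the tag


def parse_journal(text):
    """Parse the CSV export into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, console, tag, cond, state = line.split(",")
        events.append({"t": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "console": console, "tag": tag, "cond": cond, "state": state})
    return sorted(events, key=lambda e: e["t"])


def activations(events, console=None):
    """Annunciations only (RTN rows are not alarm load), optionally for one console."""
    return [e for e in events
            if e["state"] == "ACT" and (console is None or e["console"] == console)]


def peak_rate(events, console):
    """Largest number of annunciations in any 10-minute window on one console."""
    times = [e["t"] for e in activations(events, console)]
    best = 0
    for i, start in enumerate(times):
        end = bisect.bisect_left(times, start + WINDOW)  # first event at/after window end
        best = max(best, end - i)
    return best


def bad_actors(events, n=10):
    """Top-n (tag, condition) pairs with count and percentage of all annunciations."""
    counts = Counter((e["tag"], e["cond"]) for e in activations(events))
    total = sum(counts.values())
    return [(tag, cond, c, round(100.0 * c / total, 1))
            for (tag, cond), c in counts.most_common(n)]


def chattering(events):
    """Tags that re-annunciate within CHATTER_GAP at least CHATTER_REPEATS times."""
    last_seen, repeats = {}, Counter()
    for e in activations(events):
        key = (e["tag"], e["cond"])
        if key in last_seen and e["t"] - last_seen[key] <= CHATTER_GAP:
            repeats[key] += 1
        last_seen[key] = e["t"]
    return sorted({tag for (tag, _), r in repeats.items() if r >= CHATTER_REPEATS})


def weekly_review(text):
    """Assemble the Level One review: per-console load, flood flag, bad actors, chatter."""
    events = parse_journal(text)
    report = {"consoles": {}, "bad_actors": bad_actors(events, 5),
              "chattering": chattering(events)}
    for console in sorted({e["console"] for e in events}):
        peak = peak_rate(events, console)
        report["consoles"][console] = {"activations": len(activations(events, console)),
                                       "peak_per_10min": peak,
                                       "flood": peak > FLOOD_THRESHOLD}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(weekly_review(SAMPLE_JOURNAL), indent=2))
```

On the constructed journal, CONSOLE-1 sees 11 annunciations inside one 10-minute window (a flood), and the chattering PT-0412 high alarm alone accounts for well over half of the week's alarm load. Those are exactly the findings a weekly review should carry forward into the annual Level Two configuration review: a single chattering point can dominate a controller's workload and is usually a deadband, delay or field-equipment problem rather than a process problem.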
SCADA, DCS (Distributed Control Systems), EMS (Energy Management Systems) and PCN (Process Control Network) environments require different management and security considerations than a traditional enterprise environment. At one time, SCADA systems were isolated, stand-alone environments, which made their security comparatively easy to manage. Connecting industrial networks to IP-based corporate networks created the need to balance reliability with security. Control-system organizations are not only challenged with becoming or remaining secure; they must also comply with a growing number of ambiguous security standards and guidelines available throughout the industry.
Covering these complexities is essential to SCADA fundamentals certification:
- Technical Threat Agents: Industrial security threats are increasing rapidly, and incidents are gaining public exposure. Industrial process control systems and networks were not designed to be “change friendly”, and persistent friction remains between corporate IT and process control.
- Technical Vulnerabilities in SCADA Environments: The question is “What causes vulnerability?” Understanding the root of SCADA application and database vulnerabilities requires examining SCADA protocols, which are insecure by design (legacy protocols such as Modbus carry no authentication or integrity protection, so any host that can reach a device can read from and write to it) and whose configuration is prone to human error. Understanding the complete lifecycle of a security threat, including both basic and highly advanced techniques used by attackers, is important. A case study of a security threat to a SCADA system gives students a better understanding of vulnerabilities as they exist within SCADA/PCN environments and how to safeguard against them safely and properly.
- Beyond the Cyber Threat – Physical and Operational Security: Completely addressing SCADA security includes more than just cyber issues. It also includes physical security, which is ensuring that only the appropriate people gain access to facilities, computers, servers and components. Operational security makes certain that those with access have that access properly controlled.
- Best Practices and Beyond – A Security and Compliance Survival Guide: The difficulty in SCADA security is that many of the standards and guidelines available seem to address cyber-security issues more than anything, leaving physical attack vectors (which can also lead to control system cyber access) as well as legal issues by the wayside. It is important that any SCADA fundamentals certification training goes beyond industry best practices and is tailored to meet the unique challenges of SCADA/PCN environments.
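To make "insecure by design" concrete: a Modbus/TCP request carries a transaction ID, unit ID, function code and data, and nothing that identifies or authenticates the sender, so a device executes any well-formed write it receives. The script below is an added example, not code from this article or from GCI. It decodes Modbus/TCP request frames and applies a host-to-function-code policy, which is the kind of control a monitoring sensor or industrial firewall has to impose from outside the protocol. The IP addresses, the policy table and the captured frames are all constructed for illustration.

```python
"""Monitor Modbus/TCP requests and alert on writes the protocol cannot authenticate.
Added example; hosts, policy and captured frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed site policy (constructed): the protocol carries no credentials, so the
# only available control is which hosts may send which function codes.
POLICY = {
    "10.10.1.5":  {"role": "scada-host",  "functions": set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS)},
    "10.10.1.20": {"role": "engineering", "functions": set(READ_FUNCTIONS)},
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    detail: str


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the request PDU for common function codes."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame ({len(frame) - 6})")
    fc, data = frame[7], frame[8:]
    address, detail = None, ""
    if fc in (1, 2, 3, 4, 5, 6):          # address + count (reads) or address + value (writes)
        if len(data) != 4:
            raise ValueError("PDU length wrong for this function code")
        address, value = struct.unpack(">HH", data)
        detail = f"count={value}" if fc <= 4 else f"value=0x{value:04X}"
    elif fc in (15, 16):                  # address + quantity + byte count + payload
        if len(data) < 5:
            raise ValueError("truncated PDU")
        address, quantity, nbytes = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + nbytes:
            raise ValueError("byte count does not match payload")
        detail = f"quantity={quantity} payload={data[5:].hex()}"
    return ModbusRequest(tid, unit, fc, address, detail)


def check_request(src_ip: str, frame: bytes):
    """Return ('allow' | 'alert', message) for one request seen on the wire."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "alert", f"{src_ip}: malformed Modbus/TCP frame ({exc})"
    name = (WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function)
            or f"function {req.function}")
    target = f"unit {req.unit_id} addr {req.address} {req.detail}".rstrip()
    entry = POLICY.get(src_ip)
    if entry is None:
        return "alert", f"{src_ip}: host not in policy sent {name} to {target}"
    if req.function not in entry["functions"]:
        return "alert", f"{src_ip} ({entry['role']}): {name} not permitted, {target}"
    return "allow", f"{src_ip} ({entry['role']}): {name}, {target}"


# Constructed capture: (source IP, request bytes) as a passive sensor would see them.
SAMPLE_CAPTURE = [
    ("10.10.1.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # read 10 holding registers
    ("10.10.1.5",  bytes.fromhex("0002 0000 0006 01 06 0010 01F4")),  # setpoint write by SCADA host
    ("10.10.7.99", bytes.fromhex("0003 0000 000B 01 10 0020 0002 04 0000 0000")),  # unknown host writes
    ("10.10.1.20", bytes.fromhex("0004 0000 0006 01 05 0003 FF00")),  # engineering station forces a coil
    ("10.10.1.5",  bytes.fromhex("0005 0001 0006 01 03 0000 0001")),  # non-zero protocol id
]


def run_capture(capture=SAMPLE_CAPTURE):
    return [check_request(src, frame) for src, frame in capture]


if __name__ == "__main__":
    for verdict, message in run_capture():
        print(f"{verdict.upper():5} {message}")
```

Nothing in the third or fourth frame distinguishes it from the legitimate setpoint write in the second; the RTU would execute all three. The decision has to come from knowledge the protocol does not carry (which host is the SCADA host, which is only permitted to read), which is why network segmentation, source allow-lists and passive monitoring of write function codes are the practical controls for legacy SCADA protocols, and why physical and operational access to the control network matters as much as the cyber controls discussed above.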
With the shifting winds of regulatory compliance and new standards, training SCADA professionals is more complex, but with expanded curriculum, far more attainable. It is important that fundamentals of SCADA certification training programs reflect the current best practices and regulatory guidance.
Russel Treat is president of Gas Certification Institute (GCI) and an instructor for the Fundamentals of SCADA Certification course in Houston. He has more than 30 years of SCADA experience and has been involved with implementing, designing, executing and operating SCADA systems for transmission, production and distribution in the energy industry since 1994.
Ardis Bartle is a representative for GCI and has worked in SCADA and gas measurement for more than 15 years. As an active committee member of the American Gas Association (AGA) and the International Society of Automation (ISA), she has been involved in writing and reviewing standards and practices in both SCADA and gas measurement. She is active in providing Sarbanes-Oxley standard operating procedures to the natural gas industry.