2.ISA Security Compliance Institute

beaverswimming, Artificial Intelligence and Robotics

14 Nov 2013 (4 years and 8 months ago)


Process Control Systems

1.Logic control

Logic control systems for industrial and commercial machinery were historically implemented at mains voltage using interconnected …, designed using ladder logic. Today, most such systems are constructed with programmable logic controllers (PLCs) or …. The notation of ladder logic is still in use as a programming idiom for PLCs.

Logic controllers may respond to switches, light sensors, pressure switches, etc., and can cause the machinery to start and stop various operations. Logic systems are used to sequence mechanical operations in many applications. PLC software can be written in many different ways: ladder diagrams, SFC (sequential function charts) or in language terms known as statement …. Examples include elevators, washing machines and other systems with interrelated stop …. Logic systems are quite easy to design, and can handle very complex operations. Some aspects of logic system design make use of Boolean logic.

Linear control

Linear control systems use … to produce a control signal based on other variables, with a view to maintaining the controlled process within an acceptable operating range.

The output from a linear control system into the controlled process may be in the form of a directly variable signal, such as a valve that may be 0 or 100% open or anywhere in between. Sometimes this is not feasible and so, after calculating the current required corrective signal, a linear control system may repeatedly switch an actuator, such as a pump, motor or heater, fully on and then fully off again, regulating the duty cycle by pulse-width modulation.

ISA Security Compliance Institute

Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards.

They have also created an … accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS).

These types of devices provide automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries.

There is growing concern from both governments as well as private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state …. The recent news about the industrial control system malware known as … has heightened concerns about the vulnerability of these systems.

Control system security standards


ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released. Work products from the ISA99 committee are also submitted to IEC as standards and specifications in the IEC 62443 series.

99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.

TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft but the content is available on the committee Wiki site.

99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.

99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443.

99.02.02 addresses how to operate an IACS security program. This standard is currently
under development.

TR99.02.03 is a technical report on the subject of patch management. This report is currently under development.

TR99.03.01 (…) is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.

99.03.02 addresses how to define security assurance levels using the zones and conduits
concept. This standard is currently under development.

99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.

99.03.04 addresses the requirements for the development of secure IACS products and
solutions. This standard is currently under development.

Standards in the ISA 99.04.xx series address detailed technical requirements at the component level. These standards are currently under development.

More information about the activities and plans of the ISA99 committee is available on the committee Wiki site (…).

American Petroleum Institute

API 1164 Pipeline SCADA Security

North American Electric Reliability Committee (NERC)

NERC Critical Infrastructure Protection (CIP) Standards

4.Linear control


Proportional control

When controlling the temperature of an …, it is usually better to control the opening of the fuel … in proportion to the current needs of the furnace. This helps avoid thermal shocks and applies heat more effectively.

Proportional negative feedback systems are based on the difference between the required set point (SP) and process value (PV). This difference is called the error. Power is applied in direct proportion to the current measured error, in the correct sense so as to tend to reduce the error (and so avoid positive feedback). The amount of corrective action that is applied for a given error is set by the gain or sensitivity of the control system.

At low gains, only a small corrective action is applied when errors are detected: the system may be safe and stable, but may be sluggish in response to changing conditions; errors will remain uncorrected for relatively long periods of time: it is over-damped. If the proportional gain is increased, such systems become more responsive and errors are dealt with more quickly. There is an optimal value for the gain setting when the overall system is said to be critically damped. Increases in loop gain beyond this point will lead to oscillations in the PV; such a system is under-damped.

Under-damped furnace example

In the furnace example, suppose the temperature is increasing towards a set point at which, say, 50% of the available power will be required for steady state. At low temperatures, 100% of available power is applied. When the PV is within, say, 10° of the SP the heat input begins to be reduced by the proportional controller. (Note that this implies a 20° "proportional band" (PB) from full to no power input, evenly spread around the setpoint value.) At the setpoint the controller will be applying 50% power as required, but stray stored heat within the heater sub-system and in the walls of the furnace will keep the measured temperature rising beyond what is required. At 10° above SP, we reach the top of the proportional band (PB) and no power is applied, but the temperature may continue to rise even further before beginning to fall back. Eventually as the PV falls back into the PB, heat is applied again, but now the heater and the furnace walls are too cool and the temperature falls too low before its fall is arrested, so that the oscillations continue.

Suppose that the gain of the control system is reduced drastically and it is restarted. As the temperature approaches, say, 30° below SP (60° proportional band or PB now), the heat input begins to be reduced, the rate of heating of the furnace has time to slow and, as the heat is still further reduced, it eventually is brought up to set point, just as 50% power input is reached and the furnace is operating as required. There was some wasted time while the furnace crept to its final temperature using only 52% then 51% of available power, but at least no harm was done. By carefully increasing the gain (i.e. reducing the width of the PB) this over-damped and sluggish behavior can be improved until the system is critically damped for this SP temperature. Doing this is known as 'tuning' the control system. A well-tuned proportional furnace temperature control system will usually be more effective than on-off control, but will still respond more slowly than the furnace could under skillful manual control.

PID control

Apart from sluggish performance to avoid oscillations, another problem with proportional-only control is that power application is always in direct proportion to the error. In the example above we assumed that the set temperature could be maintained with 50% power. What happens if the furnace is required in a different application where a higher set temperature will require 80% power to maintain it? If the gain was finally set to a 50° PB, then 80% power will not be applied unless the furnace is 15° below setpoint, so for this other application the operators will have to remember always to set the setpoint temperature 15° higher than actually needed. This 15° figure is not completely constant either: it will depend on the surrounding ambient temperature, as well as other factors that affect heat loss from or absorption within the furnace.

To resolve these two problems, many feedback control schemes include mathematical extensions to improve performance. The most common extensions lead to proportional-integral-derivative control, or PID control (pronounced pee-eye-dee). The derivative part is concerned with the rate of change of the error with time: if the measured variable approaches the setpoint rapidly, then the actuator is backed off early to allow it to coast to the required level; conversely if the measured value begins to move rapidly away from the setpoint, extra effort is applied in proportion to that rapidity to try to maintain it.

Derivative action makes a control system behave much more intelligently. On systems like the temperature of a furnace, or perhaps the motion control of a heavy item like a gun or camera on a moving vehicle, the derivative action of a well-tuned PID controller can allow it to reach and maintain a setpoint better than most skilled human operators could.

If derivative action is over-applied, it can lead to oscillations too. An example would be a PV that increased rapidly towards SP, then halted early and seemed to "shy away" from the setpoint before rising towards it again.

Integral action

The integral term magnifies the effect of long-term steady-state errors, applying ever-increasing effort until they reduce to zero. In the example of the furnace above working at various temperatures, if the heat being applied does not bring the furnace up to setpoint, for whatever reason, integral action increasingly shifts the proportional band relative to the setpoint until the PV error is reduced to zero and the setpoint is achieved.
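As an added example (not from the page), the furnace of the proportional-control, PID-control and integral-action sections above is simulated in Python with a constructed first-order thermal model: one setpoint is held with 50% power, a second one needs 80%, and the proportional band, the resulting steady-state offset and its removal by integral action are measured rather than described. The thermal model, its constants and the integral gain ki are assumptions of this example, not figures from the text.

```python
"""Furnace temperature loop: proportional band vs PI (constructed example)."""
from typing import Tuple


class Furnace:
    """First-order thermal model (an assumption of this example, not from the page).

    At 100% heater power the furnace settles at ambient + full_power_rise degrees;
    the excess temperature leaks away at loss_rate of its value per second.
    """

    def __init__(self, ambient: float = 20.0, full_power_rise: float = 1000.0,
                 loss_rate: float = 0.01):
        self.ambient = ambient
        self.full_power_rise = full_power_rise
        self.loss_rate = loss_rate
        self.temp = ambient

    def step(self, power: float, dt: float) -> float:
        """Advance the model by dt seconds; power is clipped to 0..1 (0..100%)."""
        power = min(1.0, max(0.0, power))
        heat_in = self.loss_rate * self.full_power_rise * power
        self.temp += dt * (heat_in - self.loss_rate * (self.temp - self.ambient))
        return self.temp


def proportional_power(error: float, band: float, bias: float = 0.5) -> float:
    """The page's proportional-band law: 'bias' power at the setpoint, full power
    band/2 below it, no power band/2 above it, linear in between.
    error is SP - PV in degrees; band is the proportional band width in degrees."""
    return min(1.0, max(0.0, bias + error / band))


def steady_state_offset(needed: float, band: float, rise: float,
                        bias: float = 0.5) -> float:
    """Closed-form P-only steady-state error for the Furnace model.

    At rest the plant delivers needed - e/rise and the controller bias + e/band;
    equating the two gives e = (needed - bias) * band * rise / (band + rise).
    """
    return (needed - bias) * band * rise / (band + rise)


def run_loop(setpoint: float, band: float, ki: float = 0.0,
             seconds: float = 3000.0, dt: float = 0.1) -> Tuple[float, float]:
    """Simulate the loop and return (final error SP - PV, peak PV).

    ki > 0 adds integral action: the accumulated error shifts the bias of the
    proportional band relative to the setpoint, as the page describes. The
    integrator is clamped so its contribution never exceeds +/-50% (anti-windup).
    """
    furnace = Furnace()
    integral = 0.0
    peak = furnace.temp
    for _ in range(round(seconds / dt)):
        error = setpoint - furnace.temp
        if ki:
            integral = max(-0.5 / ki, min(0.5 / ki, integral + error * dt))
        power = proportional_power(error, band, bias=0.5 + ki * integral)
        peak = max(peak, furnace.step(power, dt))
    return setpoint - furnace.temp, peak


if __name__ == "__main__":
    sp_half = 20.0 + 500.0   # setpoint this model holds with 50% power
    sp_80pc = 20.0 + 800.0   # setpoint that needs 80% power, as in the text
    print("50%% SP, 20 deg PB, P only: error %.2f" % run_loop(sp_half, 20)[0])
    print("80%% SP, 50 deg PB, P only: error %.2f" % run_loop(sp_80pc, 50)[0])
    print("   closed-form offset:       %.2f" % steady_state_offset(0.8, 50, 1000))
    print("80%% SP, 50 deg PB, PI:     error %.2f" % run_loop(sp_80pc, 50, ki=0.001)[0])
```

With a 50° band the P-only loop settles about 14° short of the 80%-power setpoint, close to the 15° the text reasons out; the PI loop lands on the setpoint but overshoots first because the integrator winds up during the full-power climb.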

Other techniques

It is possible to filter the PV or error signal. Doing so can reduce the response of the system to undesirable frequencies, to help reduce instability or oscillations. Some feedback systems will oscillate at just one frequency. By filtering out that frequency, more "stiff" feedback can be applied, making the system more responsive without shaking itself apart.

Feedback systems can be combined. In cascade control, one control loop applies control algorithms to a measured variable against a setpoint, but then provides a varying setpoint to another control loop rather than affecting process variables directly. If a system has several different measured variables to be controlled, separate control systems will be present for each of them.

Control engineering in many applications produces control systems that are more complex than PID control. Examples of such fields include … aircraft control systems, chemical plants, and oil refineries. Model predictive control systems are designed using specialized design software and empirical mathematical models of the system to be controlled.
5.UTC Fire & Security

UTC entered the fire and security industry in July 2003 with the acquisition of …. In April 2005, they expanded their presence with the acquisition of …, and the business unit was renamed UTC Fire & Security. Later that year they acquired Lenel Systems for $440M and Initial Fire and Security for £585M. In March 2010, UTC announced the acquisition of GE Security for $1.8B which was integrated under the Interlogix brand. On September 28, 2011, UTC announced Fire & Security would be merged with the Carrier division and renamed UTC Climate, Controls and Security Systems.


…, a fire/life safety company, acquired in 2007

…, a company that provides fire safety and security solutions, which range from electronic security systems to manned guarding operations

…, a company specialising in industrial fire detection, gas detection, and hazard mitigation systems

Detection Logic, a provider of repair, service and inspection solutions to the life safety industry, acquired in 2008

…, a provider of flame safeguard controls; combustion controls

…, a provider of combustion and environmental equipment for power plants and large industrial systems

The former GE Security business, a fire and security systems company, acquired in 2010

…, a designer of motion sensors, control panels and medium scale access control systems.

…, a specialist in fire systems for detection, suppression and fire fighting

Lenel Systems International, a security systems and software developer, acquired in 2005

…, a water mist fire suppression systems company acquired in 2007

…, a provider of electronic locks, in-room safes and energy management solutions

Red Hawk Industries, a security integrator and service provider, acquired in 2006

Products and services

Access Control Systems

Industrial and Commercial Fire Safety

Consumer and Residential Fire Safety

Hazard Sensing and Combustion Control

Electronic Security

Monitoring and Response

Physical Security

Cash in Transit

Security Personnel

Intrusion sensors

Digital Video

HFP Corporation

A Fire Sprinkler System & Fire Alarm installation, maintenance & inspection
contractor. HFP was acquired July 2008.

6.Access control models

Access control models are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary.

Attribute-based access control

In attribute-based access control (ABAC), access is granted not based on the rights of the … associated with a user after authentication, but based on attributes of the user. The user has to prove so-called claims about his attributes to the access control engine. An attribute-based access control policy specifies which claims need to be satisfied in order to grant access to an object. For instance the claim could be "older than 18". Any user that can prove this claim is granted access. Users can be anonymous as authentication and identification are not strictly required. One does however require means for proving claims anonymously. This can for instance be achieved using anonymous credentials.

XACML (extensible access control markup language) …

Discretionary access control

Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

Two important concepts in DAC are:

File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.

Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.

Access controls may be discretionary in … access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.)

Mandatory access control

Mandatory access control refers to allowing access to a resource if and only if rules exist that allow a given user to access the resource. It is difficult to manage but its use is usually justified when used to protect highly sensitive information. Examples include certain government and military information. Management is often simplified (over what can be required) if the information can be protected using hierarchical access control, or by implementing sensitivity labels. What makes the method "mandatory" is the use of either rules or sensitivity labels.

Sensitivity labels: In such a system subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.

Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of these systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.

Two methods are commonly used for applying mandatory access control:

Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. A Mandatory Access Control system implements a simple form of rule-based access control to determine whether access should be granted or denied by matching:

An object's sensitivity label

A subject's sensitivity label

Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.

Few systems implement MAC; … are examples of systems that do. The computer system at the company in the film … is an example from the prior century.

Role-based access control

Role-based access control (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions.

Three primary rules are defined for RBAC:

Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.

Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.

Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.

Most IT vendors offer RBAC in one or more products.
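An added example, not from the page: the label rule and lattice of the mandatory access control section and the three RBAC rules (plus the role hierarchy) described above, written out in Python. The level ordering, role names and the scenario in demo() are constructed for illustration.

```python
"""MAC sensitivity-label lattice and RBAC's three rules (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Hierarchical sensitivity levels; the ordering is an assumption of this example.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments.

    Labels form a lattice: A dominates B when A's level is equal or higher
    and A carries every compartment of B.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def lub(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label dominating both."""
        level = max(self.level, other.level, key=LEVELS.get)
        return Label(level, self.compartments | other.compartments)

    def glb(self, other: "Label") -> "Label":
        """Greatest lower bound: the highest label dominated by both."""
        level = min(self.level, other.level, key=LEVELS.get)
        return Label(level, self.compartments & other.compartments)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """The page's label rule: the subject's label must be equal to or higher
    than (dominate) the object's label."""
    return subject.dominates(obj)


@dataclass
class Rbac:
    """Minimal RBAC engine enforcing the page's three rules and a role hierarchy."""
    role_members: Dict[str, Set[str]] = field(default_factory=dict)  # role -> subjects
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)    # role -> transactions
    senior_of: Dict[str, str] = field(default_factory=dict)          # junior role -> senior role
    active: Dict[str, str] = field(default_factory=dict)             # subject -> active role

    def activate(self, subject: str, role: str) -> bool:
        """Rule 2, role authorization: only an assigned role may become active."""
        if subject not in self.role_members.get(role, set()):
            return False
        self.active[subject] = role
        return True

    def permissions(self, role: str) -> Set[str]:
        """A senior role subsumes the permissions owned by its junior roles."""
        perms = set(self.role_perms.get(role, set()))
        for junior, senior in self.senior_of.items():
            if senior == role:
                perms |= self.permissions(junior)
        return perms

    def can_execute(self, subject: str, transaction: str) -> bool:
        """Rule 1, role assignment: no active role means no transaction.
        Rule 3, transaction authorization: the active role must hold it."""
        role = self.active.get(subject)
        return role is not None and transaction in self.permissions(role)


def demo() -> Dict[str, bool]:
    """Constructed scenario; returns each decision so it can be checked."""
    analyst = Label("secret", frozenset({"nuclear"}))
    report = Label("confidential", frozenset({"nuclear"}))
    crypto_memo = Label("confidential", frozenset({"crypto"}))
    rbac = Rbac(role_members={"clerk": {"alice"}, "manager": {"bob"}},
                role_perms={"clerk": {"read_order"}, "manager": {"approve_refund"}},
                senior_of={"clerk": "manager"})
    results = {
        "mac_analyst_reads_report": mac_read_allowed(analyst, report),
        "mac_analyst_reads_crypto": mac_read_allowed(analyst, crypto_memo),
        "rbac_bob_before_activation": rbac.can_execute("bob", "read_order"),
        "rbac_alice_takes_manager": rbac.activate("alice", "manager"),
    }
    rbac.activate("alice", "clerk")
    rbac.activate("bob", "manager")
    results["rbac_alice_read_order"] = rbac.can_execute("alice", "read_order")
    results["rbac_alice_refund"] = rbac.can_execute("alice", "approve_refund")
    results["rbac_bob_inherits_read"] = rbac.can_execute("bob", "read_order")
    return results
```

The compartment check is what makes a higher clearance insufficient on its own: the secret-level analyst is refused the confidential crypto memo because the label lacks that compartment.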

7.Controlling elevators

The controller was contained within a cylindrical container about the size and shape of a cake container and this was operated via a projecting handle. This allowed some control over the energy supplied to the motor (located at the top of the elevator shaft or beside the bottom of the elevator shaft) and so enabled the elevator to be accurately positioned, if the operator was sufficiently skilled. More typically the operator would have to "jog" the control to get the elevator reasonably close to the landing point and then direct the outgoing and incoming passengers to "watch the step". Some older freight elevators are controlled by switches operated by pulling on adjacent ropes. Safety interlocks ensure that the inner and outer doors are closed before the elevator is allowed to move. Most older manually controlled elevators have been retrofitted with automatic or semi-automatic controls.

Automatic elevators began to appear as early as the 1930s, their development being hastened by … elevator operators which brought large cities dependent on skyscrapers (and therefore their elevators) such as New York and Chicago to their knees. These electromechanical systems used relay logic circuits of increasing complexity to control the speed, position and door operation of an elevator or bank of elevators. The Otis … system of the early 1950s brought the earliest predictive systems which could anticipate traffic patterns within a building to deploy elevator movement in the most efficient manner. Relay-controlled elevator systems remained common right up until the 1980s, before their gradual replacement with solid-state, …-based controls which are now the industry standard.

General controls

A typical modern passenger elevator will have:

Space to stand in, guardrails, seating cushion (luxury)

Overload sensor, which prevents the elevator from moving until excess load has been removed. It may trigger a voice prompt or buzzer alarm. This may also trigger a "full car" indicator, indicating the car's inability to accept more passengers until some are unloaded.

Electric fans or air conditioning units to enhance circulation and comfort.

Call buttons to choose a floor. Some of these may be key switches (to control access). In some elevators, certain floors are inaccessible unless one swipes a security card or enters a passcode (or both). In the United States and other countries, call button text and icons are raised to allow blind users to operate the elevator; many have Braille text besides.

A set of doors kept locked on each floor to prevent unintentional access into the elevator shaft by the unsuspecting individual. The door is unlocked and opened by a machine sitting on the roof of the car, which also drives the doors that travel with the car. Door controls are provided to close immediately or reopen the doors, although the "door close" control does not work all the time. Objects in the path of the moving doors will either be detected by sensors or physically activate a switch that reopens the doors. Otherwise, the doors will close after a preset time.

A stop switch (not allowed under British regulations) to halt the elevator while in motion and often used to hold an elevator open while freight is loaded. Keeping an elevator stopped for too long may trigger an alarm. Unless local codes require otherwise, this will most likely be a key switch.

An alarm button or switch, which passengers can use to signal that they have been trapped in the elevator.

Some elevators may have one or more of the following:

An elevator telephone, which can be used (in addition to the alarm) by a trapped passenger to call for help.

Hold button: This button delays the door closing timer, useful for loading freight and hospital beds.

Call cancellation: A destination floor may be deselected by double clicking.

Access restriction by key switches, RFID reader, code keypad, hotel room card, etc.

One or more additional sets of doors that can serve different floor plans. For example, in an elevated crosswalk setup, the front doors may open on the street level, and the rear doors open on the crosswalk level.

Security camera

Plain walls or mirrored walls giving the illusion of larger area

Glass windowpane providing a view of the building interior or onto the streets.

Other controls, which are generally inaccessible to the public (either because they are key switches, or because they are kept behind a locked panel), include:

Fireman's service, phase II key switch

Switch to enable or disable the elevator.

Inspection switch, which places the elevator in inspection mode (this may be situated on top of the elevator)

Manual up/down controls for elevator technicians, to be used in inspection mode, for …

Independent service / exclusive mode (also known as "Car Preference"), which will prevent the car from answering to hall calls and only arrive at floors selected via the panel. The door should stay open while parked on a floor. This mode may be used for temporarily transporting goods.

Attendant service mode.

Otis 1920s controller, operational in NYC apartment building.

* Large buildings with multiple elevators of this type also had an elevator dispatcher stationed in the lobby to direct passengers and to signal the operator to leave with the use of a mechanical "cricket" noisemaker.

External controls

Elevators are typically controlled from the outside by up and down buttons at each stop. When pressed at a certain floor, the elevator arrives to pick up more passengers. If the particular elevator is currently serving traffic in a certain direction, it will only answer hall calls in the same direction unless there are no more calls beyond that floor.

In a group of two or more elevators, the call buttons may be linked to a central dispatch computer, such that they illuminate and cancel together. This is done to ensure that only one car is called at one time.

Key switches may be installed on the ground floor so that the elevator can be remotely switched on or off from the outside.

In destination control systems, one selects the intended destination floor (in lieu of pressing …) and is then notified which elevator will serve their request.

Floor numbering

Elevator buttons showing the missing 13th floor

The elevator algorithm

The elevator algorithm, a simple algorithm by which a single elevator can decide where to stop, is summarized as follows:

Continue traveling in the same direction while there are remaining requests in that same direction.

If there are no further requests in that direction, then stop and become idle, or change direction if there are requests in the opposite direction.

The elevator algorithm has found an application in computer operating systems as an algorithm for scheduling hard disk requests. Modern elevators use more complex heuristic algorithms to decide which request to service next. An introduction to these algorithms can be found in the "Elevator traffic handbook: theory and practice" given in the references below.
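The two-rule elevator algorithm just summarized, as an added Python example that is not from the page or any real controller. The door interlock mentioned at the start of this section is included as the one condition under which the car refuses to move, and the scan_order() wrapper reads floors as disk cylinders to show the disk-scheduling use the text refers to; floor numbers and requests are constructed.

```python
"""The elevator (SCAN) algorithm summarized above, as a constructed example."""
from typing import List, Set


class Elevator:
    """Single car following the page's two rules; the door interlock is modelled too.
    Constructed for illustration, not taken from any real controller."""

    def __init__(self, floor: int = 0, top: int = 10):
        self.floor = floor
        self.top = top
        self.direction = 0            # +1 travelling up, -1 down, 0 idle
        self.requests: Set[int] = set()
        self.doors_closed = True

    def request(self, floor: int) -> None:
        """Register a car or hall call for a floor."""
        if not 0 <= floor <= self.top:
            raise ValueError("no such floor: %d" % floor)
        self.requests.add(floor)

    def _pending(self, direction: int) -> bool:
        """Is any request still ahead of the car in this direction?"""
        return any((f - self.floor) * direction > 0 for f in self.requests)

    def next_direction(self) -> int:
        """Rule 1: keep travelling while requests remain ahead. Rule 2: otherwise
        reverse if there are requests the other way, or become idle (0)."""
        if self.direction and self._pending(self.direction):
            return self.direction
        first = self.direction or 1           # an idle car tries up first
        for d in (first, -first):
            if self._pending(d):
                return d
        return 0

    def run(self, max_moves: int = 10_000) -> List[int]:
        """Serve every request; return the floors in the order the car stopped."""
        stops: List[int] = []
        for _ in range(max_moves):
            if self.floor in self.requests:
                self.requests.discard(self.floor)
                stops.append(self.floor)
            self.direction = self.next_direction()
            if self.direction == 0:
                break
            if not self.doors_closed:   # safety interlock described on the page
                raise RuntimeError("interlock: doors open, car may not move")
            self.floor += self.direction
        return stops


def scan_order(start: int, going_up: bool, requests: List[int]) -> List[int]:
    """Service order for a car at 'start' already moving in one direction.
    Read 'floor' as 'disk cylinder' and this is the SCAN disk-scheduling order."""
    car = Elevator(floor=start, top=max(requests + [start]))
    car.direction = 1 if going_up else -1
    for floor in requests:
        car.request(floor)
    return car.run()


if __name__ == "__main__":
    print(scan_order(5, True, [2, 7, 9, 3]))     # [7, 9, 3, 2]
    print(scan_order(50, False, [10, 60, 30]))   # [30, 10, 60]
```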

Destination control system

Some skyscraper buildings and other types of installation feature a destination operating panel where a passenger registers their floor calls before entering the car. The system lets them know which car to wait for, instead of everyone boarding the next car. In this way, travel time is reduced as the elevator makes fewer stops for individ
ual passengers, and the computer distributes adjacent stops to different cars in the bank. Although travel time is reduced, passenger waiting times may be longer as they will not necessarily be allocated the next car to depart. During the down-peak period the benefit of destination control will be limited as passengers have a common destination. It can also improve accessibility, as a mobility-impaired passenger can move to his or her designated car in advance.

Inside the elevator there is no call button to push, or the buttons are there but they cannot be pushed, except the door opening and alarm buttons; they only indicate stopping floors.

The idea of destination control was originally conceived by Leo Port from Sydney in 1961, but at that time lift controllers were implemented in relays and were unable to optimise the performance of destination control allocations.

The system was first pioneered by Schindler Elevator in 1992 as the Miconic 10. Manufacturers of such systems claim that average traveling time can be reduced by up to 30%.

However, performance enhancements cannot be generalized as the benefits and limitations of the system are dependent on many factors.

One problem is that the system is subject to gaming. Sometimes, one person enters the destination for a large group of people going to the same floor. The dispatching algorithm is usually unable to completely cater for the variation, and latecomers may find the elevator they are assigned to is already full. Also, occasionally, one person may press the floor multiple times. This is common with up/down buttons when people believe this to be an effective way to hurry elevators. However, this will make the computer think multiple people are waiting and will allocate empty cars to serve this one person.

To prevent this problem, in one implementation of destination control, every user gets an RFID card to identify himself so the system knows every user call and can cancel the first call if the passenger decides to travel to another destination, to prevent empty calls. The newest invention knows even where people are located and how many on which floor because of their identification, either for the purposes of evacuating the building or for security reasons.