Windscada Secure Edition 2.0 Wind KXXX Cfa01 Edb001 en Doc-0079190 r05
GE Renewable Energy
Technical Documentation
Wind Turbine Generator Systems
All Turbine Types - Onshore
Technical Description
WindSCADA Compact, WindSCADA Refresh,
and WindSCADA Secure Edition 2.0
imagination at work
© 2020 General Electric Company. All rights reserved.
- Original Document -
GE Renewable Energy
Visit us at
www.gerenewableenergy.com
All technical data is subject to change in line with ongoing technical development!
All documents are copyrighted within the meaning of the Copyright Act. We reserve all rights for the exercise of
commercial patent rights.
This document is public. GE and the GE Monogram are trademarks and service marks of
General Electric Company.
Other company or product names mentioned in this document may be trademarks or registered trademarks of
their respective companies.
WindSCADA_Secure Edition_2.0_WIND = Kxxx CFA01 & EDB001_EN_Doc-0079190_r05.
Table of Contents
Document Revision Table
Abbreviation List
1 Introduction
2 WindSCADA System Offerings for New Windfarms
2.1 WindSCADA Secure Edition 2.0
2.2 WindSCADA Compact
2.3 More than 200 WTGs
3 WindSCADA System Offerings for Existing Windfarms
3.1 WindSCADA Refresh
3.2 WindSCADA Secure Edition 2.0 for Upgrade
3.3 More than 200 WTGs
3.4 Summary of System Functions
4 Network Topology Description
4.1 Overview
4.2 Environmental
5 Cybersecurity Features
5.1 Anti-Malware Endpoint Protection
5.2 Segmented Network
5.3 SCADA Firewall
5.4 (Optional) Wind farm Firewall
5.5 Switch Hardening
5.6 Turbine Secure Mode
5.7 Access Control System - Microsoft® Active Directory®
5.8 The ANIXIS™ Password Policy Enforcer™
5.9 Domain Controller
5.10 Backup Domain Controller
5.11 Certificate Authority
5.12 Security Information and Event Management (SIEM)
5.13 Backup and Recovery
5.14 Regulatory and Standards alignment
5.15 WindSCADA Services
6 Wind Plant Fiber Optic Network
6.1 Customer Scope
6.2 Customer’s Fiber Optic Contractor Scope
6.3 GE Scope
6.4 Single Mode Fiber Optic Cable Specification
6.5 Wind Farm Cable Distance Design Requirements
6.6 Windfarm Network Fiber Loops
7 System Compatibility
8 System Interfaces
8.1 Local System Interface Support
8.2 Modbus TCP/IP Client Interfaces to Customer Supplied Met Mast Dataloggers
8.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation
8.4 Customer Integrated IO
9 WindSCADA Remote System Integration (RSI)
9.1 ODBC Connection
9.2 OPC Connections
9.3 Data licensing
9.4 RSI Technical Specifications
9.5 OPC Tags for Basic Monitoring
PUBLIC – May be distributed external to GE on an as need basis.
UNCONTROLLED when printed or transmitted electronically.
© 2020 General Electric Company and/or its affiliates. All rights reserved.
Abbreviation List
GPS Global Positioning System
IO Input / Output
PC Personal Computer
1 Introduction
The GE Renewable Energy wind plant Supervisory Control and Data Acquisition (WindSCADA) system is a
supervisory control and operational data management system for a wind plant (wind farm) consisting of GE
wind turbines. WindSCADA is a fully integrated and easy-to-use system that improves productivity and
profitability of a wind plant. The solution integrates high reliability, superior data integrity, open system access,
and advanced data management into a single platform. This system also includes fully integrated, web-based
operator screens that are powerful and flexible. In addition, a web-based wind plant level reporting system
allows operators, owners and other stakeholders to monitor and analyze historical wind plant operation and
performance. This all-encompassing tool set can support a wind plant which consists of up to 200 wind turbine
generators (WTG) depending upon the system configuration.
WindSCADA features a full range of unified and integrated modules to meet individual wind plant site
requirements. These functions allow information to be shared between wind plant assets and enterprise
applications, helping organizations to improve operational efficiencies. Unified modules are focused on specific
applications such as real time data collection, historical data collection, archiving, alarm management,
enterprise interfaces, and can be implemented individually or as part of an overall solution. The open
architecture of the GE Renewable Energy WindSCADA system allows wind plant operators to start with a basic
monitoring, control and reporting system, while maintaining the ability to expand as needed to meet the
evolving requirements of wind plant operations.
The WindSCADA system offerings are available in flexible packages based on wind farm needs. The most
advanced GE WindSCADA system, WindSCADA Secure Edition 2.0, provides significant cybersecurity
capabilities to elevate the security level of a windfarm. These capabilities align to international cybersecurity
standards like ISA/IEC 62443 and NERC CIP.
The system provides several preconfigured database scripts and jobs to facilitate ODBC interactions with the
historical data. The WindSCADA Secure Edition 2.0 supports up to 200 WTGs.
The system provides the same features and functionality as WindSCADA Secure Edition 2.0 with the following
restrictions and limitations:
1 Available with WindSCADA11.0 SP2 and newer, 45 days for older version
- No CD or DVD writer for backup purposes. Customers can utilize standard portable USB devices (DVD, external hard drive, etc.) for backup.
- Five simultaneous SiteWebHMI connection sessions are included, and five additional SiteWebHMI connections can be optionally added.
The WindSCADA Compact enclosure includes a network switch for network connectivity. The optional product
components that can be installed within the enclosure while maintaining certification compliance are:
The primary HMI at the turbine level is implemented through a web-based interface. WindSCADA also provides
a web-based HMI for supervisory control at the wind farm level and for remote access. The system supports
connectivity to GE meteorological mast (metmast) interfaces, but no additional device (e.g. dataloggers) can be
installed in the WindSCADA Compact enclosure due to space limitations.
Cybersecurity features can be available through an optional cybersecurity package. Please refer to Section 5 for
additional details on options.
The WindSCADA Refresh includes upgrade of operating systems, SQL license if needed, end-of-life hardware
components like GE router and core switch and some select security features as described in Section 5. Some
software upgrades may require hardware upgrades outside of the included scope which will be determined
based on the existing WindSCADA system at site.
The WindSCADA Refresh is designed to fit a standard rack and therefore cannot be used to upgrade previously
installed WindSCADA Compact units; however, upgrade options for WindSCADA Compact can be quoted if
desired.
1 Only available for replacing existing WindSCADA Standard or Plus installations
2 Requires managed switches
3 Can be quoted separately as requested
The schematics below portray the most advanced WindSCADA system offering: WindSCADA Secure Edition 2.0.
The network topology connects the WindSCADA, WindCONTROL, and turbines on the wind farm network
utilizing the Purdue Model or IEC 62443 zones and conduits approach to segment the network:
Figure 1: Wind Farm Network System Topology for WindSCADA Secure Edition 2.0 demonstrating segmentation
[Diagram labels: WAN, IPSec VPN, SCADA Rack, Virtualization in Use for Infrastructure, DMZ FW, Wind Farm, Wind Farm FW, SCADA Core, Optional Components]
NOTICE
Not all components or systems may be included in a standard project.
Figure 3 shows the network topology for WindSCADA Refresh which has been designed as a retrofit solution to
upgrade existing WindSCADA Standard or Plus models to a more secure architecture without disruption of the
existing IP scheme or replacement of the SCADA rack.
Figure 4 shows the network topology for WindSCADA Compact, which is the SCADA solution intended for
windfarms with 20 or fewer turbines.
Wind Plant Local Area Network (SCADA LAN) is an Ethernet fiber optic-based system that
connects all GE WTGs within the wind plant to the WindSCADA rack. The LAN also connects
optional components such as the WindCONTROL plant-level control system, Substation Interface
Device and other approved/validated customer-supplied devices which interface with the
WindSCADA system.
WindSCADA real-time system is the collection of services and applications which gather data from
the WTGs and auxiliary systems (WindCONTROL, substation, metmasts) and present them in real-
time to the client interfaces. It resides primarily on the servers in the SCADA rack but includes
applications running on the substation and metmast interface devices.
The WindSCADA historical system includes a relational database of plant operational data, which
collects the historical (10-min) records from the WTG controllers and auxiliary systems.
Additionally, the historical system includes the reporting service for querying and running reports
on this data.
4.2 Environmental
For WindSCADA Secure Edition 2.0 and WindSCADA Refresh, the SCADA server rack is typically located in the
substation control room or in an adjacent O&M building. The equipment must be in an environmentally
controlled location (operating temperature +20°C +/-25 %, protected against rain, dust, moisture, etc.). The
SCADA rack requires one square meter of floor space and 1.2 meters of clearance in all directions to allow for
access and the operation of the cabinet doors. Cable entry can be routed from either the top or bottom of the
rack for network connectivity and power. The rack is 1.85 m tall x 0.625 m wide x 1.2 m deep and weighs
approximately 500 kg.
For the WindSCADA Compact configuration the SCADA hardware is designed to be installed inside a
WindSCADA Compact enclosure located within the WTG. When deploying the WindSCADA Compact edition,
GE provides all power connections. Equipment supplied for this deployment will be environmentally compatible
with other control equipment within the WTG. The Universal Cabinet which houses WindSCADA Compact is
2.1 m tall x 0.6 m wide x 0.6 m deep and weighs about 300 kg.
WindSCADA 2.0:
Power consumption: 1500 W
Heat dissipation: 5465 BTU/h
Compact:
Power consumption (without heater and A/C unit): 575 W
Power consumption of heater: 1000 W
Power consumption of A/C unit: 1334 W
Heat dissipation: 2080 BTU/h
One circuit of 230 VAC, 50 or 60 Hz, 15 A, which is standard for GE turbine auxiliary power supply.
5 Cybersecurity Features
WindSCADA Secure Edition 2.0 provides a comprehensive cybersecurity solution. An in-depth approach to
cyber solutions is integrated into the wind farm's industrial control system via:
The WindSCADA Refresh contains a subset of these cybersecurity features. See Section 3.4 for details.
As part of the GE Renewables Patch and Vulnerability Management Program subscription service or the Wind
Farm Health Management (WFHM) Program, antivirus threat signatures are validated in a secure simulated
SCADA environment prior to being available to customers for auto-update through the GE update-server.
Threat signature validation is only available for McAfee at this time. GE will also verify, on a regular basis, that the
updates successfully occurred as part of the Wind Farm Health Management Program.
Wind Farm and SCADA dataflows are segmented based on the following functions:
Infrastructure Management
Windfarm Operations
Industrial DMZ
Physical Separation for IT Networks
Services and Farm Level Function
It is possible to achieve additional security and segmentation at each individual turbine through the
deployment of managed switches within the wind tower.
This platform domain provides a role-based access control system to manage access to resources and
applications based on the identity and privileges assigned to the user by the administrator. This role-based
concept grants users minimum rights and privileges to perform their role. By limiting the privileges to the
minimum required, user impact on the system is reduced. Proper assignment of user privileges limits the ability
of a user to cause harm to a system through either malicious intent or inadvertent action (e.g. inadvertently
triggered malware).
Human-machine Interfaces (HMIs) and other computers are also registered within the directory service. Policy
servers enforce access controls across users and computers in the domain. Additionally, access to network
devices is managed using the AAA model (Authentication, Authorization and Accounting).
The access management system is redundant between the primary directory server and the backup directory
server. An audit trail is created for access to the system and is available through the Security Information and
Event Management (SIEM) application.
The access management system is redundant between the primary directory and the backup directory. An
audit trail is created for access to the system and is available through the Security Information and Event
Management (SIEM) application.
Non-domain-based elements (such as network switches) access Active Directory® user authentication rights
through RADIUS servers running on the Domain Controllers. The RADIUS servers allow non-domain-based
elements to leverage security permissions assigned to domain users to either allow or disallow access to
the device.
The combination of Active Directory, Domain Controller and Certificate Authority provides key identity
management capabilities that are at the heart of securing access to the turbine controllers, the network
switches and WindSCADA.
The Splunk® application receives and collates events received from various sources, including:
Security features, as shown in Section 3.4, align to NERC CIP and IEC 62443 as shown below:
| Security feature | NERC CIP | IEC 62443 |
|---|---|---|
| Network Segmentation | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection |
| Windfarm Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.2 customer zone boundary protection |
| Anti-Malware | CIP-007 R3 - Malicious Code Prevention | IEC 62443-3-3 SR 3.2 Malicious Code Protection |
| Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| SCADA Firewall | CIP-005 R1 - Electronic Security Perimeter | IEC 62443-3-3 SR 5.1 - Network Segmentation, SR 5.2 Zone Boundary Protection |
| Backup and Recovery | CIP-009 R1 - Recovery Plans | IEC 62443-3-3 SR 7.3 Control system backup |
| Password Policy Enforcement | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Switch Hardening* | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 7.7 Least functionality |
| Turbine "Secure Mode" feature | CIP-007 R1 - Ports and Services | IEC 62443-3-3 SR 3.1 Communication Integrity |
| Backup Domain Controller | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Active Directory | CIP-007 R5 - System Access Control | IEC 62443-3-3 FR1 Identification and authentication control |
| Certificate Authority | | IEC 62443-3-3 FR1 Identification and authentication control |
| Log File Management | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.3 Security Functionality Verification |
| Security Information Event Manager (SIEM) | CIP-007 R4 - Security Event Monitoring | IEC 62443-3-3 SR 3.2 RE2 Central management and reporting for malicious code protection, SR 6.1 Audit log accessibility, SR 6.2 Continuous monitoring, SR 2.8 Auditable events |
*Note: As shown in Section 3.4, some features are not included in all WindSCADA systems.
The GE standard wind plant fiber optic design utilizes single mode 9/125 fiber cable. Any deviation from the
fiber optic specification in this section is considered a deviation from standard and must be agreed upon with
GE.
The Send and Receive fibers must be crossed once per connection to a fiber optic switch to ensure
upstream and downstream communication.
Met mast fiber optics switch and cable from met mast to SCADA server.
6.3 GE Scope
GE utilizes single-mode fiber within the ring architecture for the windfarm LAN by default.
Provide the fiber optic switches for the GE wind farm network, patch panels and patch cables for
every turbine controller, and in the WindSCADA rack and WindCONTROL cabinet.
Provide the fiber optic cable inserts that are pre-installed inside the patch panels.
If the Site Fiber Optic Network Design option is selected, GE will perform the fiber optic network
loop design and provide the fiber optic communication drawings. These drawings must show the
path of the fiber optic connections throughout the wind farm, the connections to turbine patch
panels and connections to network switches based on the customer supplied wind farm collection
system drawing. The collection system drawing must be provided to GE 70 days prior to the start
of commissioning. The Site Fiber Optic Network Design option does not include fiber laying,
splicing, terminating or patching.
Every loop must have a dedicated fiber optic cable backbone and a dedicated fiber optic switch. No more than
one fiber optic loop can be accommodated within a single fiber optic backbone. Splitters must not be utilized on
a fiber optic backbone to create multiple loops.
7 System Compatibility
The SCADA system supports the Mark VIe PLC based control system for turbine and farm level controls. There
are SCADA system compatibility requirements that need to be evaluated by GE Application Engineering when a
customer is integrating or adding new Mark VIe PLC turbines into an existing wind plant that has non-Mark VIe
PLC turbines (Bachmann-based or Galileo-based controllers). In order to support the Mark VIe PLC turbines, the
existing wind plant level WindSCADA system needs to be WindSCADA Release 11.0 or later. Depending upon
the existing turbine and farm level controllers and WindSCADA system, this can require hardware and/or
software replacement/upgrade of the existing WindSCADA or control system.
When adding new WTGs to an existing site, GE also typically upgrades all the existing WTG controller software
to the latest release to help assure end-to-end SCADA and controls reliability and interoperability. Customers
must also anticipate that a full re-commissioning of WindSCADA and WindCONTROL (if installed) may be
required when new WTGs are added to an existing site.
Customers adding new wind turbines to existing sites will require a new system to take advantage of the new
cybersecurity features added to the system architecture in WindSCADA Secure Edition 2.0.
8 System Interfaces
8.1 Local System Interface Support
The standard WindSCADA platform includes Local System Interfaces (LSI) for integration of auxiliary on-premise
data generating devices. Detailed specifications for these interfaces are shown in the table below.
More information is provided in the following sections.
The data from the met mast(s) is collected by the WindSCADA system for real-time operator displays. In
addition, the data is archived within the system database for historical reporting purposes.
Customer input is required in a comma-separated file format with the following information:
8.3 Modbus TCP/IP Client Interface to Customer Supplied devices within the Substation
Substation device interfaces can be supported as an option. GE presently supports interfaces to GE D20, GE
D25, SEL 2030, SEL 2032, SEL 3332, SEL 3551, and Orion 5R. Other devices may be supported,
dependent upon system validation by GE.
GE scope includes the configuration of an interface of up to 200 data points and development of one
WindSCADA system user interface screen to display this data. Typically, up to ten control outputs (i.e. Open
Breaker) are supported. GE does not support Close Breaker controls due to the lack of Select-Check-Before
Operate functionality within the WindSCADA system.
For every Modbus instance, an instance of the Modbus interface software is required. Currently only one
instance of the Modbus interface software can run on a single virtual machine. That means for every instance of
a Modbus device an additional virtual machine is required.
Customer input is required in a comma-separated file format with the following information:
Up to two sets of additional IOs are supported per turbine, one set down-tower and one set up-tower. A cabinet
needs to be provided and installed for every IO set. Each IO cabinet contains up to 16 non-standard IO points,
but each turbine only accommodates a maximum of 16 non-standard IOs.
Both digital and analog inputs and outputs are supported. Additionally, control commands that set an AO or a
DO are supported. The IO data is connected via Modbus TCP to the SCADA system. The IO data is not available
to the turbine controller.
Data access and use of certain classifications of data or data acquisition methods may be subject to additional
terms and conditions. Licensing and pricing are available upon request to support the following WindSCADA
features.
There are technical resource limitations for each WindSCADA platform as described in the “RSI Technical
Specifications” table below. Purchase of the OPC Server License option includes access to approximately 51
fixed tags for Basic Monitoring in section 9.5. Please contact your GE Sales Representative for information on
expanded data licensing.