EcoStruxure Geo SCADA Expert Forum
Schneider Electric support forum about installation, configuration, integration and troubleshooting of EcoStruxure Geo SCADA Expert (ClearSCADA, ViewX, WebX).
Posted: 2019-11-07 03:42 AM . Last Modified: 2023-05-03 12:23 AM
>>Message imported from previous forum - Category:ClearSCADA Software<<
User: hardin4019, originally posted: 2019-07-02 13:39:08 Id:464
All,
Are there any file formats that ClearSCADA supports that could be imported to the SCADA environment instead of direct from a web based source? The help files are a little unclear on what is and isn't possible.
I had a brief and somewhat generic conversation with a GIS support guy about what it would take to get the GIS data into ClearSCADA. The short answer I got was it would be very simple for him to pull WebX or OSI PI data into GIS and overlay it since it is available in the Purdue Level 4 layer, but because SCADA systems are Level 2 or above, it would be much harder to get the GIS data into ClearSCADA unless there was a way to have a map source that uses an exported file format instead of a web based source. Of course, my goal would be to give my operators more visibility of where facilities and lines are located geographically in ClearSCADA, and hopefully overlay some of the data from the database on the map (like valve positions, pressures, flow rates, etc).
Current GIS system is by ESRI. GIS guy's suggestions for top 3 exportable formats were: 1. File GEO DB, 2. Personal Geo DB, and 3. Shape Files.
Posted: 2019-11-07 03:42 AM
>>Responses imported from previous forum
Reply From User: BevanWeiss, posted: 2019-07-10 23:48:13
Umm.... throw away any reference to the Purdue model here. It's really about interfacing protocols.
To get your GIS layers into ClearSCADA then you will want ClearSCADA 2017R2 (or better). You can then add the base maps and overlays directly.
It really depends what kind of data you want from OSI PI... if it's value data (like points for a trend or similar) then you could use the OPC-HDA driver from ClearSCADA and the OPC-HDA (I think this exists) connector/server (note: not interface) from PI.
Or you could use the ODBC driver in ClearSCADA and the OLEDB/ODBC connector from PI.
If you want things like graphical heat maps etc, then this is where you might want to have the PI data go into ESRI (since they have a close relationship) and then overlay that using the WMS / ArcGIS integration in ClearSCADA.
Reply From User: hardin4019, posted: 2019-07-11 02:22:22
I'm lost... How do you add base maps and overlays directly from a map source ClearSCADA cannot reach? Is there a tutorial or how-to documentation somewhere? I have CS2017R2.
Forget that I mentioned PI. I think that set you in the wrong direction.
How would you bring GIS data (locations of lines, valves, facilities, etc) from layer 4, into ClearSCADA in layer 2, without creating a permanent path/hole in a firewall, or recreating/duplicating the GIS server in Layer 2 to allow ClearSCADA access to the GIS database? I'm sure there is something I'm missing here, but I'm not sure what it is yet.
The goal would be to be able to geographically show facilities, lines, valves, etc in ViewX, and to show the valve position, pressures, and flow rates directly from ClearSCADA DB points instead of just having a P&ID representation of a line.
Reply From User: adamwoodland, posted: 2019-07-11 22:20:02
You can always stick a reverse proxy in between.
There's nothing necessarily wrong with layer 2 talking to layer 4 and vice versa, it's just about proper network and security management. Cyber security isn't about blocking you doing stuff, it is about making sure what you're doing is managing the risk.
Reply From User: BevanWeiss, posted: 2019-07-12 00:17:34
"from a map source ClearSCADA cannot reach", you mean there is no network connection between the two?
If there is no network connection between the two, you will only ever get static data (manually imported, after security considerations in such a process).
Export as SVG (from GIS) and import into ClearSCADA Mimic.
You could then overlay your ClearSCADA live data on top of the SVG imported into the mimic.
Why so fixated on the Purdue model? It's not 'the' preferred security model anymore. You should consult IEC 62443 for Security Zones and Conduits if cyber security is your concern.
Reply From User: hardin4019, posted: 2019-07-15 16:42:59
Correct, no network connections would be allowed per IT. Static data is all I need. I don't have any use for weather, traffic patterns, etc.
I will see if I can get SVGs exported and go from there.
Reply From User: sbeadle, posted: 2019-07-16 13:54:21
ClearSCADA server never 'sees' the GIS connection, only clients. Although that may not make much difference to your security people.
Anyway, nothing to stop you adding a 'private' map server within the server layer - with files {manually} synced from the GIS source. You may be able to use 'free' open source WMS server such as MapServer or GeoServer.
Note - ClearSCADA's WMS interface supports rendered tile layers, not feature layers, so configure the WMS server appropriately.
Reply From User: du5tin, posted: 2019-07-29 18:35:21
It might be worth SE publishing a datasheet or 'howto' on how to properly set up GIS in a couple different 'secure' network environments. The misunderstanding of how clients (WebX and ViewX) obtain GIS data is preventing clients from adopting the feature, at least in our industries. Just to give us some ideas on how to do this securely.
Reply From User: adamwoodland, posted: 2019-07-29 22:21:22
I haven't had a chance to test, but as GIS is just HTTP, a reverse proxy in a DMZ, i.e. nginx, could cover off some of the security issues to do with connectivity.
Reply From User: BevanWeiss, posted: 2019-08-06 03:20:34
@adamwoodland said:
I haven't had a chance to test, but as GIS is just HTTP, a reverse proxy in a DMZ, i.e. nginx, could cover off some of the security issues to do with connectivity.
It does indeed work fine.
But it doesn't really absolve of all cybersecurity concerns.
That the GIS HTTP could still be compromised and provide potentially malicious image files etc etc is still a concern. I'm unsure of whether the WebKit configuration that ViewX uses has protections for cross-site scripting etc.
There was a vulnerability some time ago where the EXIF data tagging was used to embed JavaScript which could then be executed.
Even just subverting the content type returned (so calling it JavaScript instead of a PNG file) might lead to a potential security exploit.
I can see the concern. But reducing risk to 0 isn't practicable.
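Added example (not part of the thread and not Schneider Electric code): one way to reduce the image-content and content-type risks raised above is to validate every rendered tile before it is relayed or manually synced toward the SCADA clients. The function names, the chunk allow-list and the sample tile are assumptions constructed for this sketch.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed allow-list: chunks a rendered tile needs. Metadata chunks
# (tEXt, iTXt, zTXt, eXIf) are deliberately absent and therefore refused.
ALLOWED = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND", b"gAMA", b"sRGB", b"pHYs"}

def png_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def sample_tile(extra=b""):
    """Constructed 1x1 grayscale PNG; `extra` is spliced in before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + extra + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def check_tile(content_type, body):
    """Return (ok, reason) for one tile response from the map source."""
    if content_type.split(";")[0].strip().lower() != "image/png":
        return False, "declared type is not image/png"
    if not body.startswith(PNG_SIG):
        return False, "body is not a PNG"
    pos, seen = len(PNG_SIG), []
    while pos + 12 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        data = body[pos + 8:pos + 8 + length]
        crc = body[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return False, "truncated chunk"
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc)[0]:
            return False, "bad CRC"
        if ctype not in ALLOWED:
            return False, "disallowed chunk " + ctype.decode("latin-1")
        seen.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not seen or seen[0] != b"IHDR" or seen[-1] != b"IEND":
        return False, "missing IHDR/IEND"
    if pos != len(body):
        return False, "trailing data after IEND"
    return True, "ok"
```

This checks structure only; it does not decode pixel data, so it complements rather than replaces patching the client-side image decoder.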