Grid-SAS_DS_Agile_v5.1-2879-2014_09-EN-epslanguage=en-GB

SUBSTATION AUTOMATION SYSTEMS PRODUCT SOLUTIONSDS Agile v5.1 Digital Control System for electrical substations As power networks are becoming more efficient and intelligent, substation automation systems need to offer smarter and more secure solutions. Alstom's DS Agile v5.1 Digital Control System now adds advanced cyber-security capabilities to the ultimate hardware, software and communications technologies under IEC 61850 standards. The complete solution for substation protection, automation and control WIDE-AREA AUTOMATION STANDARDISATION CUSTOMER BENEFITS Scalable solution High level of standardisation IEC 61850 inter-operability NERC-CIP compliant cyber-security Reliable redundant architectures Wide-area automation Global teams for project delivery and support Based on IEC 61850, the international standard for digital data communications and systems interoperability in substations, DS Agile facilitates complete integration between the different devices, ensuring an optimal use of data. COMPLETE RELIABILITY The DS Agile digital control system provides the ultimate reliability via fully redundant architectures, like Alstom's Self-Healing Ring and Dual-Homing Star, or the recently developed interoperable Parallel Redundancy Protocol (PRP "RedBox'). Thanks to the wide range of Alstom switches, the possibility of an outage is practically eliminated. DS Agile v5.1 enables rapid data exchange and communications between all control and protection IEDs, not only across the substation and the substation gateway, but also through Wide-Area Control Units (WACU) that can manage realtime automation taking into account the topology of multiple substations. The WACU solution developed by Alstom Grid makes inter-substation automation and protection possible, helping protect your assets and optimise power flows. PROJECT DELIVERY AND SUPPORT Alstom has experienced teams located worldwide, with a proven track record in project management, engineering, application support, maintenance and training. Our experts can provide assistance in any of these areas, allowing users to make the best use of DS Agile. Grid-SAS-L3-DS_Agile_v5.1-2879-2014_09-EN. Information contained in this document is indicative only. No representation or warranty is given or should be relied on that it is complete or correct or will apply to any particular project. This will depend on the technical and commercial circumstances. It is provided without liability and is subject to change without notice. Reproduction, use or disclosure to third parties, without express written authority, is strictly prohibited. Alstom contributes to the protection of the environment. This leaflet is printed on environmentally friendly paper. une or more screens can be added at substation level in order to get more sophisticated monitoring. etc.  
  
   .DS AGILE v5. control signals. Additionally. duallanguage display and disturbance record analysis. DS Agile manages many types of data from the substation's primary and secondary equipment such as: tapchanger and switchgear positions. when re-using legacy equipment. measurement values and lists of event sequence. Once a control operation is initiated by an operator -locally or remotely-. disturbance records. settings. diverse functions for local or remote monitoring and analysis of collected data are available. allowing the operator to make the appropriate changes before issuing the order. For instance. both analog and digital. as well as allowing it to be re-used in other parts of the system. alarms. that is able to display single-line diagrams. comprehensive alarm annunciator screens and accurate fault localisation within the system. Each item of qualified data is uniquely referenced in the system configuration tool in order to ensure full consistency of the information. Interlocking conditions are graphically displayed on the operator’s screen in order to immediately identify the locking conditions (if any). Other features include advanced reporting. interlockings are ensured by logical equations or as the result of a dynamic topological analysis coupled with expert rules. measurement values. multiple checkings are performed by the system before the effective issue of the control order or signal. analog data can be acquired directly from current and voltage transformers and digital data can be acquired over serial communica-tions links or via hardwired links. Key situational information is offered by the embedded LCD screen of the C264 bay controller.1 FUNCTIONS DATA CONCENTRATION AND PROCESSING CONTROL One of the main functions of the DS Agile is to concentrate and process data: the information can come from a variety of sources. For example. in order to make it fully secure. Interlocks are managed as close to the process as possible in order to provide the best security of operation. MONITORING AND ANALYSIS Among the numerous DS Agile standard features. The user can then benefit from colour displays for easier awareness and maintenance. the outputs can perform local or remote actions. The optional PLC tool is fully compliant with IEC 61131-3 and it can be used for complex or sequential automation applications.1 provides additional in-built libraries of automation functions. Such applications can be based on local or remote data. automatic reclosing and voltage regulation of parallel transformers. PSL is used for fast automation applications and it is available within the C264 bay controller. not only at bay level (in the C264) but also at intersubstation (or inter-system) level through the programmable Wide-Area Control Units (WACU A400 series). Since PSL is event-driven. System Integrity Protection Schemes (SIPS). load shedding). . across one or more sites (e. DS Agile v5. automatic reclosing. including functions for feeder protection.    
 Typical components of a DS Agile system AUTOMATION An operator can configure specific control sequences or automation schemes. Programmable logic can be implemented using either Programmable-Scheme Logic (PSL) or Programmable-Logic Controller (PLC) methods. Similarly.g. there is no cycle time. 1 Operator Interface (System view) . Communications with remote control centres is possible through IEC 60870-5-101. ranging from the switch redundant power supply to the complete redundancy of each component. cost and compactness. It relies on fast ethernet networks and offers new perspectives in terms of distributed functions. COMMUNICATIONS PROTOCOLS Physical communications between components are based on both ethernet and serial RS links in order to cope with different applications such as the reuse of existing devices and the integration of third-party equipment. STANDARDISED The combination of modern. multifunctional and highly programmable IEDs together with fast communications greatly improves the capabilities for producing a “standard bay”.1 DS AGILE v5.SUBSTATION AUTOMATION SYSTEMS PRODUCT SOLUTIONS DS AGILE v5. When using MiCOM Alstom devices. DS Agile v5.1 ARCHITECTURE HOMOGENEOUS RELIABLE DS Agile v5. A standard bay is a product made of standard hardware. size. DS Agile v5. System availability is a function of the reliability of each individual component and the architecture in which they are combined. A DS Agile solution can be engineered from a few integrated components or have its functions split into several components. including configuration database redundancy. dependability and automation independently of the other levels. wiring interface and IED composition).1 accommodates a variety of redundancy solutions. etc. DS Agile enables innovative automation schemes and the flexible addition of new application clients. IEC 60870-5-104 and DNP3. performance.1 supports the most extended serial protocols (T103. DS Agile v5. the same link can be used to retrieve settings or disturbance records.1 offers a unified architectural framework for building multiple solutions tailored to the real needs of almost any application. and MODBUS) in order to interface with existing devices and it can be fully integrated within a remote control scheme. DS Agile v5. performance and flexibility. depending on the application. It can then be customised to the exact requirements of the project through changes to the database. or other older protocols on demand. Each level maintains a given performance in terms of transmission time. thus offering a balance between functional availability. software and engineering libraries (automation. EXTENDABLE A DS Agile solution can be contained within a single standard panel or be geographically distributed. It allows for progressive upgrading of the system design according to the evolving requirements in terms of functions. In addition to the self-checks carried out by each component. It therefore ensures that the system can be extended consistently and securely. State-of-the-art communication technologies based on client-server and peer-to-peer links such as IEC 61850 is standard across the whole architecture of the DS Agile system. graphical representations. The DS Agile system architecture is structured in a series of hierarchical levels. DNP3.1 offers a variety of system test modes such as 'device maintenance management' and 'data forcing' to further increase the overall availability. SIMPLE ARCHITECTURE Printer The DS Agile base architecture interconnects a Remote Terminal Unit (RTU) -like Alstom's C264 controller. Maintenance and configuration

 This centralised architecture is typically used within a distribution substation. a wind farm or at a bay level of a transmission substation (a feeder. C264 RTU-based architecture DS Agile OI + H15x switch  .or a substation PC with a group of Intelligent Electronic Devices (IEDs) such as protection relays or measurement and recording devices. for example). Simple. .     COMPLETE ARCHITECTURES DS Agile C264 BCU H35x switch DS Agile A30x Gateway + H15x switch     .  DS Agile self-healing ring redundant ethernet-based architecture MiCOM P40 Protection relays  . .     T1000 switch T1000 switch H38x/H36x switch DS Agile C264 BCU DS Agile PRP / dual-homing star redundant ethernet-based architecture MiCOM P40 Protection relays The ethernet network may be local to a substation -typically for a transmission application.or it can interconnect dispersed sites commonly found in industrial or infrastructure applications through Wide-Area Control Units.     . DS Agile OI + H18x/H16x switch DS Agile A30x Gateway + H18x/H16x switch A DS Agile complete architecture is built around an ethernet network that links the components from the base architecture with an Operator Interface (OI). The client-server communications exchange avoids any central point between local and remote control (as found in the simple architecture) and allows for tailored redundancy of the client and/or server. a gateway and protection and control IEDs. The older system then becomes a slave to an IEC 61850 converter and new devices can successively be plugged into this network. . The full architecture is also typically implemented as a way to make an existing installation evolve progressively via new technologies. Typical applications include: Bay control Remote Terminal Unit (RTU) IED gateway / Data concentrator Automation – PLC & PSL Sequence-of-events recorder (SOE) Measurement centre Power quality monitoring Integrated feeder protection Automatic voltage regulation Synchro-check MiCOM P40 Agile protection IEDs Reason RPV311 Digital fault recorder H-SERIES SWITCHES Alstom’s H-series ethernet switches use a combination of advanced redundancy protocols and fibre-optic connections to ensure the reliability. reactions of protection IEDs. highly accurate. New additions to Alstom Grid's H-series range for DS Agile v5. monitoring. strict tests are realised in order to validate functional interoperability limits. MiCOM H38 PRP "RedBox" redundant ethernet switch . data retrieval. Typical protection applications include: Voltage/Frequency Auto reclose and breaker failure Busbar Transformer Line differential Distance Generator Motor Feeder Phasor measurement System integrity protection schemes C264 MODULAR SUBSTATION BAY CONTROLLER ALSTOM MEASURING AND RECORDING IEDS The C264 bay controller is a sophisticated modular computer that supports many applications and functions for substation control.1 for fast.SUBSTATION AUTOMATION SYSTEMS PRODUCT SOLUTIONS DS AGILE v5. etc. When third-party devices are integrated.1 DS AGILE v5. DS Agile is fully open to the integration of third-party devices so that existing devices in the field and user preferences can be accommodated. generation and industrial substations.1 include GOOSE switches and Parallel Redundancy Protocol (PRP) switches. bay controllers. also called "RedBox". C264 substation / bay controller Additionally. DS Agile offers integration with off-the-shelf communications components. Alstom Grid provides a complete family of protective relays for transmission. real-time fault recording and analysis. sub-transmission. control capabilities and remote settings. protection and automation. In addition to those supplied by Alstom. embedded and PCI card (for integration into a PC) versions. dynamic network stability and long term trends. The new Alstom Reason range of IEDs can be integrated in DS Agile v5.All this while maintaining the flexibility of being able to connect to standard ethernet networks and thus ideal for substation refurbishment or upgrades. availability and dependability of substation communications networks . measurement centres. communications. power quality measurements and trend recording Ideal for analysing network faults. They are available as standalone.1 COMPONENTS MICOM ALSTOM Px40 PROTECTION IEDS A typical DS Agile solution integrates many Intelligent Electronic Devices (IEDs) such as protection relays. or group of devices. the new DS Agile A401 WACU allows the same gateway functionalities as well as substation inter-voltage and intersubstation exchange through IEC 61131 PLC automation.DS AGILE GATEWAY WIDE-AREA CONTROL UNIT (WACU) Combining full compliance with IEC 61850. . Key modules include: Real-time display Single-line diagrams System component status Alarm viewer Sequence of events Alstom's DCS Operator Interface This wide-area automation capability becomes highly valuable whenever the implementation of multi-substation control is needed.). IED engineering. tailored to the substation environment and the end-user’s specific requirements. in order to test any user action or automation procedure before running on site. Real application cases of the WACU include. automating the configuration of multiple substations across railway lines or exchanging data between the generation subsystem and the transmission inter-tie substation in the connection of a power generation source to the grid. Based on the A301 Gateway. solid-state and designed to work within stringent substation environmental conditions (EMC complianc eaccording to the IEC 61850-3 standard. etc. SYSTEM ENGINEERING TOOLS DS Agile Configuration Editor (SCE) Alstom's DCS engineering software tools cover the complete lifecycle of the electrical application including system engineering. islanding a section of the grid under nonstability conditions. The A301 is ruggedised. for example. The DCS Equipment Simulator (ES) can reproduce a missing or existing device. station level devices (DS Agile clients and servers) and upper level systems (Network Management Systems or Digital Control Systems). network analysis. system maintenance and IED maintenance – all integrated with a consistent look and feel. protection or control).1 system. hot-standby redundancy and ease of commissioning. the DS Agile A301 Gateway offers a powerful solution for interfacing bay level devices (measurement. DS Agile A-series Gateway / WACU DCS OPERATOR INTERFACE (OI) The state-of-the-art DS Agile OI user interface is integrated in the DS Agile v5. This proven HMI provides efficient and secure access to information and archives. substation automation. Auditability Router / Firewall securing communication with remote centres and bringing a single mandatory path to the DCS LAN All basic security events are logged on each device. • Unused USB ports are disabled in the BIOS or Windows. • Many registry keys are setup to increase security and the audit and password policies are set. The firewall's built-in IDPS (Intrusion Detection and Prevention System) is configured to detect. IEC. the substation digital control system can be the target of deliberate or inadvertent attacks from different sources. • Unnecessary user accounts and daemons / services are disabled. C264 • All unused protocols are disabled. . Authorisation (Role-Based-Access-Control. Secure Protocols for SCADA link The SCADA link is secured via the VPN feature of the router / firewall. accessing a restricted list of devices and applications on the private zone. IEEE. Authorisation. RBAC) DS Agile implements RBAC to fully manage the authorized users. NIST. regulators and known IT good practices such as NERC. whether external or internal to the IT system. Remote maintenance is done by adding a “jump box” (standard PC) in the substation's DMZ ("demilitarized zone") and. Accounting (AAA) Authentication All users are required to authenticate for interacting with any IED. Each user account is assigned one or more roles and associated non-overlapping rights.SUBSTATION AUTOMATION SYSTEMS PRODUCT SOLUTIONS DS AGILE v5. The access point is generally a router combining Virtual Private Network (VPN) to communicate with remote systems. DS AGILE HARDENING Hardening aims at reducing the number of possibilities a threat has to disrupt or take control of the DS Agile software. etc. The different technical countermeasures used to ensure cyber threat detection. LAN Firewall to allow only specific protocols communication between specific devices / zones and Authentication proxy functions. Users have individual accounts and passwords (no shared accounts). block and report malicious traffic. secure protocols are implemented to increase confidentially and integrity (Ftps or sftp. Authentication.1 DS AGILE v5. • There are no backdoors or hardcoded user accounts that give “write” access to the device. Software Integrity All Alstom software is free of malware and digitally signed to guarantee authenticity and integrity at installation time. Finally. This allows securing the traffic to the substation IEDs. increasing the substation cyber-security in line with the recommendations from international standard bodies.1 CYBER SECURITY STRATEGY Being integrated in the utility IT system and infrastructure. the C264 controller has no USB port. No sensitive information (such as passwords) are logged. The VPN can transport IEC-60870-5-104 as well as serial protocol IEC-60870-5-101. while the Ethernet switches also participate to reduce threat impact on the network by organising the LAN traffic. prevention and protection of the DS Agile LAN are organised as a defense indepth strategy. rdp over https). host firewalls running on Windows PC allow only the required communication flows between authorised PCs. • A user session is automatically ended after a settable time out. from there. System Hardening Operator Interface (OI) and SCADA Gateways • The OI and Gateway are installed on Windows 7 PCs. OS Upgrade The Windows PC in DS Agile are updated to the latest security patch set provided by OS vendors before the DCS final testing. ftp and telnet). Password complexity is reinforced and its storage strictly managed. DS AGILE NETWORK PROTECTION Protection against external threats begins with limiting the number of access points to the DS Agile LAN architecture. A defense in-depth strategy including multiple layers of security is implemented in DS Agile to counter these attacks and limit their impact. Secure Maintenance Protocols In addition to the standard maintenance protocols (such as http. This approach is particularly adapted to the substation automation system where the system being stable. Alstom contributes to the protection of the environment. This guarantees its integrity and authenticity. . whitelisting software have a “deny by default” policy. DS AGILE DEFENSE IN-DEPTH STRATEGY Alstom has strongly reinforced the substation cyber security by implementing in DS Agile this differentiated defense in-depth strategy with emphasis on prevention and detection at each level in the DS Agile architecture. refurbishment and asset life-extension Technical training programs After-sales services with worldwide regional coverage For more information please contact Alstom Grid: Alstom Grid Worldwide Contact Centre www. When it comes to protecting and controlling your critical assets. depending on the PC role (“real-time” or “non-real-time” functions). antiviruses have some drawbacks. Only software that is present in the white list is allowed to be executed. the whitelist seldom changes. This will depend on the technical and commercial circumstances. Reproduction. without express written authority. It is provided without liability and is subject to change without notice. only software digitally signed by Alstom can be installed or updated on the PC.com Grid-SAS-L3-DS_Agile_v5. good products are not enough. This leaflet is printed on environmentally friendly paper. anti-virus and whitelisting. All Windows PC in the DS Agile system come with whitelisting software installed and configured. Anti-virus Alstom Grid can also provide you with: An antivirus can be installed at the customer request on each Windows PC. which are processes.1 MALWARE PREVENTION When it comes to protecting and controlling critical DS Agile uses two techniques in each of its Windows PC to improve malware assets. On top of our excellence in state-of-the-art products. Alstom Grid can also provide you with: Strong systems design and manufacturing Highly experienced project execution teams located worldwide Support and advice to make existing installations evolve Long-term maintenance. Information contained in this document is indicative only.alstom. However. like the need for regularly updating the malware signature database or the consumption of CPU and memory resources of the PC. Application control (Whitelist) Contrary to antiviruses that work with a “allow by default” policy.SUBSTATION AUTOMATION SYSTEMS PRODUCT SOLUTIONS DS AGILE v5.alstom. No representation or warranty is given or should be relied on that it is complete or correct or will apply to any particular project. thus this solution is less recommended for PCs running "real-time" applications such a Gateway or HMI.com/grid/contactcentre/ Phone: +44 (0) 1785 250 070 Visit us online: www. On top of our excellence in state-of-the-art products. good products are not enough. cannot run on the protected system. is strictly prohibited.1-2879-2014_09-EN. Following whitelist activation. use or disclosure to third parties. prevention. The result is that malware.