Secure Communications with Remote Stations

The communication needs in the Industrial sector and the Infrastructure sector, including the ICT Infrastructure sector applied to Smart Cities, are different and require differentiated strategies to be resolved.

In the industrial sector, communications are mainly concentrated between the IT and OT areas. In the OT area, we find the control devices that communicate with each other using numerous communication protocols, in some cases proprietary protocols. In this control and production environment, the priority is the availability of information in real time. In the IT area, we find systems that communicate with the OT area, vertically, to provide data to SCADA, HMI, MES, etc. supervision systems. In this area, the confidentiality of information is a priority. In these scenarios, security usually has as a starting point the implementation of DMZs and the segmentation of networks.

In the infrastructure sector, we can say, in general, that we have one or more Control Centers, normally a single Control Center, which needs to communicate with different Remote Centers. In this sector, the solutions to communicate the Control Center with the remote stations are heterogeneous. Wireless IP GPRS/3G/4G, IP over fiber, ADSL, XDSL, Satellite, Tetra networks, proprietary free radio ISM networks, proprietary licensed radio networks, other non-GSM operator solutions, etc., etc. communications are used. The clear trend is that communications are via TCP/IP, with gateways between physical media and/or protocols existing in many cases.

The control devices in the Infrastructure sector, located in the Remote Centers, are usually PLCs or devices for use such as RTUs. The protocols used are heterogeneous, as was the case in the industrial sector. The main difference between the control devices used in industry and those used in infrastructure is that, while in industry the control devices can be under the umbrella of a DMZ protection, in infrastructure the PLCs or RTUs are usually directly connected to the Internet and therefore exposed to the vulnerabilities of the network of networks.

In an ideal scenario, the remote RTU control devices, which are directly connected to the Internet, must incorporate native protections such as a firewall and must communicate using secure protocols. Secure communication protocols, commonly used in electronic banking communications, email or HTTPS web browsing, incorporate authentication and encryption mechanisms. There are industrial protocols that implement this level of security, such as OPC-UA, DNP3 Secure SAv5 and some IEC60870 implementations.

The real scenario is currently quite different from the ideal scenario. RTU devices use numerous protocols, rarely secure and in the best of cases RTU devices have some type of firewall, which in some cases is not activated.

Achieving secure communications, which guarantee the availability and integrity of the information, must be a priority for every new project. In many cases it may be necessary to analyze the status of the projects in operation to audit the current level of security, and to be able to apply the necessary corrective measures.

In those cases in which the recommendations to obtain an “ideal scenario” mentioned above cannot be applied, it is required to protect the communications between Control Center and Remote RTUs, regardless of the protocol used. The solution requires applying two different technologies: the Firewall and VPN tunnels.

VPN tunnels, “Virtual Private Network” allow establishing IP communications through non-secure networks such as LAN or WAN (Internet), ensuring an encrypted and authenticated Point-to-Point communication.

There are different implementations of VPN solutions. IPSec is a mostly extended VPN implementation to establish VPN tunnels, Site to Site and Client to Site. It is commonly used in IT devices to establish tunnels between network devices. SSL VPNs are used to establish an encrypted HTTPS tunnel to a Web server on the remote device. OpenVPN is a VPN technology that also allows establishing encrypted VPN tunnels and allows authentication. This protocol can be found in Control devices RTU, it is based on the SSL standard. There are control devices that are both OpenVPN Clients and Servers. There are also Appliance devices that are OpenVPN servers, as well as different software solutions for servers.

The advantages of using a VPN technology in RTU control devices are several and can be summarized in two: Any communication protocol regardless of its “weakness” can travel through a VPN with total security. The information travels encrypted and cannot be altered by a malicious user.