Cellular in OT - Part 1
In this series I’d like to explore various architectures I’ve encountered over the last decade involving the deployment of cellular gateways in OT / SCADA environments. By and large these cellular gateways have been deployed to replace previous communication paths such as POTS/dial-up, private licensed and unlicensed radio systems, or microwave, or perhaps to integrate locations that were previously “offline” so they could be monitored. Saying “monitored” implies these are used solely for the “DA” portion of SCADA (Supervisory Control and Data Acquisition), but I know first-hand that many are performing the “C” of SCADA over cellular as well. ***I’ll leave the discussions about whether or not anyone should do that to others; the focus in this series is on the various architectures once the decision to connect has already been made.***
Let’s take a look at an architecture I’ve seen more times than I can count, and which I believe was typically deployed in ignorance of the potential operational and financial consequences.
Below we have a SCADA Server at a fictional HQ looking to poll PLCs at remote locations. After a discussion with the carrier, it seems that for a nominal fee the customer can request public static IP data lines for these cellular gateways, set up some basic IP Passthrough or Port Forwarding, and these PLCs will be reachable across the internet - YAY!
Wait…what?
Yes, you read that correctly. Many…MANY users have deployed industrial controllers and assets behind cellular gateways on public static IPs. Don’t believe me? A quick search at Shodan.io for “Allen Bradley” results in over 7,000 EtherNet/IP devices exposed on the internet, many of which are on cellular public static IPs. Similarly mortifying results come up when searching for any number of name-your-favorite-insecure-by-design industrial protocols.
The customer wanted a quick path to reach their assets, and it often doesn’t occur to them that if THEY can reach their asset, so can anyone else on the internet. With many of these insecure-by-design industrial protocols such as EtherNet/IP, Modbus, etc., exposure = GAME OVER. Since these protocols don’t require authentication, anyone can connect, modify the program, manipulate values, and directly impact the operation.
“OK Josh, of course that’s a bad idea, but we can fix this easily. Can’t we just use the firewall features of the remote site cellular gateways to prevent others from reaching our assets?”
The idea in the question above is to whitelist the public IP of HQ so that it is the only IP allowed to communicate to/through the cellular gateway. Assuming the HQ public IP is static, this still leaves another problem: cellular carriers hold the customer responsible for all traffic that hits the cellular gateway. This means even unsolicited traffic from others, be it bots, (D)DoS attacks, etc., is charged to the customer, even if the cellular gateway “drops” this traffic at its firewall. Google the Mirai botnet for one crazy DDoS example in recent years, and note while reading about it that a major industrial cellular gateway vendor was among those with devices taken over in the attack.
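To make the two points above concrete, here is an added example (not code from the original post or from any gateway vendor) that audits a gateway’s inbound rules for industrial protocol ports reachable from more than a single host, then tallies metered bytes for constructed sample traffic under a wide-open and an HQ-only allow-list policy. The rule tuple format, the HQ address 203.0.113.5 and all traffic samples are constructed assumptions; they do not mirror any real gateway’s configuration syntax.

```python
"""
Added example, not code from the original post or any gateway vendor:
audit a cellular gateway's inbound rules for exposure of insecure-by-design
industrial protocols, and show why an HQ-only allow-list does not stop
carrier data charges for unsolicited traffic. The rule tuple format and
all sample data below are constructed for this example.
"""
import ipaddress

# TCP ports of industrial protocols that carry no authentication by design.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (explicit messaging)",
}

# Constructed rules: (allowed source network, WAN port, LAN target).
# "0.0.0.0/0" is what a plain IP passthrough / port-forward effectively means.
RULES_PUBLIC = [
    ("0.0.0.0/0", 502, "192.168.1.10"),
    ("0.0.0.0/0", 44818, "192.168.1.11"),
]

# Same forwards restricted to a hypothetical static HQ public IP.
HQ_PUBLIC_IP = "203.0.113.5"
RULES_ALLOWLISTED = [
    (HQ_PUBLIC_IP + "/32", 502, "192.168.1.10"),
    (HQ_PUBLIC_IP + "/32", 44818, "192.168.1.11"),
]


def exposed_rules(rules):
    """Return rules that let more than a single host reach an industrial port."""
    findings = []
    for src, port, target in rules:
        net = ipaddress.ip_network(src, strict=False)
        if port in INDUSTRIAL_PORTS and net.prefixlen < net.max_prefixlen:
            findings.append(
                f"{INDUSTRIAL_PORTS[port]} on {target}:{port} reachable from {src}"
            )
    return findings


def allowed(rules, src_ip, port):
    """True if any rule permits src_ip to reach the given WAN port."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        port == rule_port and ip in ipaddress.ip_network(net, strict=False)
        for net, rule_port, _target in rules
    )


# Constructed packets as seen on the cellular (WAN) interface:
# (source ip, destination port, bytes on the wire).
SAMPLE_TRAFFIC = [
    (HQ_PUBLIC_IP, 502, 120),       # HQ SCADA server polling Modbus
    ("198.51.100.77", 502, 60),     # unsolicited probe from elsewhere
    ("198.51.100.77", 44818, 60),   # same host probing EtherNet/IP
    ("192.0.2.200", 502, 1500),     # unsolicited full-size packet
    (HQ_PUBLIC_IP, 44818, 200),     # HQ polling EtherNet/IP
]


def metered_bytes(rules, traffic):
    """Split inbound bytes into accepted vs. dropped by the gateway firewall.

    Carrier metering happens on the radio link before the firewall sees the
    packet, so the 'billed' total is the same no matter how many are dropped.
    """
    totals = {"accepted": 0, "dropped": 0}
    for src, port, size in traffic:
        totals["accepted" if allowed(rules, src, port) else "dropped"] += size
    totals["billed"] = totals["accepted"] + totals["dropped"]
    return totals


if __name__ == "__main__":
    print("Public-IP passthrough findings:")
    for finding in exposed_rules(RULES_PUBLIC):
        print("  EXPOSED:", finding)
    print("Allow-listed findings:", exposed_rules(RULES_ALLOWLISTED) or "none")
    print("Metered with allow-list:", metered_bytes(RULES_ALLOWLISTED, SAMPLE_TRAFFIC))
    print("Metered wide open:      ", metered_bytes(RULES_PUBLIC, SAMPLE_TRAFFIC))
```

The allow-list cleans up the exposure findings, but the `billed` figure is identical under both rule sets: the gateway can only refuse what has already crossed the metered link, which is the cost problem the carriers’ billing model creates.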
“OK Josh, I acknowledge using public static IPs is ill-advised. So how else can I utilize cellular and connect to my remote sites?”
The good news is there are MULTIPLE alternative architectures that can facilitate more secure remote site communication over cellular:

1. Carrier or MVNO Private Networks (Standard, w/ Mobile Network Routing, +VPN Overlay, Zero Tunnel, etc.)
2. Overlay Networks (Vendor-hosted/managed, Customer-hosted/managed including VPN, TLS, etc.)
   Examples: Secomea (LogTunnel), Tosibox, Peplink (SpeedFusion/PepVPN), Cradlepoint (Netcloud), OpenVPN, Wireguard
3. Edge-Initiated Applications
   Examples: MQTT/S from Ignition Edge, Autosol eACM, NodeRed, Tentacle
Stay tuned as we add to this series! In Part 2 we explore Full Tunnel Carrier Private Networks.
*P.S. Public static IPs became increasingly harder to come by from the carriers in the last few years as IPv4 space approached total depletion, but not before a staggering number were deployed into applications just like the one above. I’m not into fear mongering, but I have had discussions with many end-users and system integrators who work with systems architected like the one above, and it wasn’t a matter of IF something happens but simply WHEN. Time and time again we received the call AFTER that when. If you’re currently deployed in such an architecture and would like to discuss the alternatives listed above faster than we publish blog posts, give us a shout.*
P.P.S. Debatably I should include a number 4 in the list above - Private LTE. Every other topic listed above, including my reference to Carrier Private Networks, utilizes public LTE infrastructure. TBD whether we’ll cover Private LTE in this series. It could certainly be a different topic entirely, as it moves more ownership and responsibility (infrastructure and potentially spectrum) into the hands of the customer or their hired third-party MSP, etc.