Cellular in OT - Part 4
In this series we’re exploring various architectures we’ve encountered over the last decade involving the deployment of cellular gateways in OT / SCADA environments. By and large these cellular gateways have been deployed to replace previous communication paths such as POTS/dial-up, private licensed and unlicensed radio systems, or microwave, or perhaps to integrate locations that were previously “offline”. When I say these sites are “monitored” I imply the gateways are used solely for the “DA” portion of SCADA (Supervisory Control and Data Acquisition), but I know first-hand that many are performing the “C” of SCADA over cellular as well. ***I’ll leave the discussions about whether or not anyone should do that to others; the focus in this series is on the various architectures once the decision to connect has already been made.***
In Part 1 we mentioned some alternatives to public static IPs, and in Part 2 and Part 3 we explored the carrier private network alternatives. In the next few parts I’d like to discuss overlays. There are many options here, but one aspect I like about these solutions is that they leave the customer a choice that reduces some of the risk of the overall architecture, and that choice hinges on a cellular characteristic that is less known or misunderstood.
“I’ve had my coffee and I’m listening. What’s this choice and characteristic I need to understand better?”
Dynamic IP SIMs from the carrier do not support mobile termination* and this is a beautiful thing.
“Ok I guess I’m going to need more coffee. What?”
As an alternative to provisioning a dedicated private network with the carrier (additional cost, engineering, time, etc.), and certainly instead of using public static IPs, here we’re talking about using the simplest, typically default, offering from the carrier: the dynamic IP SIM.
Unlike residential wireline service with dynamic IPs, dynamic IP SIMs on cellular networks do not support mobile termination, i.e. connections initiated from the network side toward the device. This means that even if you know the IP of the gateway you can’t reach out and touch it from across the internet, and perhaps more importantly, neither can anyone else. More recently the IP you’ll see associated with the WAN interface of your cellular gateway isn’t even a public IP; it’s a private address behind the carrier’s NAT (typically from the 100.64.0.0/10 shared address space reserved for carrier-grade NAT, or from an RFC 1918 range). And yes, even if you run whatismyip or similar from behind the gateway to determine the public IP it is using at the time to communicate on the internet, you can’t reach out and touch that IP either: it belongs to the carrier’s NAT pool, and there is no inbound mapping from it to your gateway.
These dynamic IP SIMs are designed to facilitate mobile-initiated (outbound) access to the internet. You can think of your cellular gateway as a LAN client behind a NAT firewall that allows internet access and performs stateful packet inspection. The carrier allows responses back for traffic initiated by the cellular gateway, but unsolicited traffic from the internet is dropped by the carrier before it ever reaches your gateway.
Every single option we will discuss in the following parts of the series only requires that your cellular gateways can reach some hardware or service across the internet. If you, the customer, choose to accomplish that connectivity with a dynamic IP, you gain the advantage of no “surface” at the edge for the unsolicited traffic (bots, DDoS, etc.) we talked about in Part 1. Keep in mind this removes the inbound surface only; the outbound connection to the overlay, and what the gateway is allowed to reach on the LAN side once that connection is up, still need to be authenticated and restricted. Combine this advantage with the secure connectivity extended by the solution and you might just land on a great solution for your application.
We’ll continue this series further exploring a few of these overlay solutions. See you next time!
*P.S. This characteristic I know to be true for US carriers, particularly Verizon Wireless and AT&T. I should caution that I can’t be sure this is the case for other carriers, particularly outside of the US. If working with other carriers, I would recommend you ask about mobile termination on dynamic IP lines, and certainly test it yourself upon receipt of a first test SIM.
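Putting that P.S. into practice: the following Python script is an added example, not code from the original post, that turns the “test it yourself” advice into a repeatable two-sided check. It assumes you run one copy on a laptop behind the cellular gateway, with the gateway forwarding the test port (9123 here, an arbitrary choice) to that laptop, and a second copy from any host on the public internet. The “observed public IP” is whatever a whatismyip-style service reported from behind the gateway; it is passed on the command line rather than fetched by the script, so nothing here needs network access until you actually run the listener or probe. The address ranges are the real ones (RFC 6598 shared address space and RFC 1918); the sample addresses used to exercise the functions are illustrative only.

```python
"""Added example: a two-sided check of whether a dynamic IP SIM is
mobile-terminated. Not part of the original post; the test port and the
sample addresses are assumptions."""
import argparse
import ipaddress
import socket

# RFC 6598 shared address space used by carrier-grade NAT. An address in this
# block on the gateway's WAN interface is never reachable from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_address(ip: str) -> str:
    """Classify the address the gateway reports on its cellular WAN interface."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    if addr.is_loopback or addr.is_link_local:
        return "local"
    if addr.is_private:          # RFC 1918: 10/8, 172.16/12, 192.168/16
        return "private"
    return "public"


def tcp_probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Probe side (run from a host on the public internet): True if a TCP
    connection to host:port completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def listen_once(port: int, timeout: float = 120.0) -> bool:
    """Gateway side (run on a host behind the cellular gateway, with the
    gateway forwarding `port` to it): True if anything connected in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        try:
            conn, _peer = srv.accept()
            conn.close()
            return True
        except socket.timeout:
            return False


def interpret(wan_ip: str, observed_public_ip: str, inbound_reached: bool) -> dict:
    """Combine the three observations into a verdict on the SIM.

    wan_ip             - address shown on the gateway's cellular interface
    observed_public_ip - address a "what is my IP" service saw from behind it
    inbound_reached    - result of tcp_probe() from outside (or listen_once() inside)
    """
    kind = classify_address(wan_ip)
    behind_nat = kind != "public" or wan_ip != observed_public_ip
    if inbound_reached:
        status = "mobile-terminated"        # the line has an internet-facing surface
    elif behind_nat:
        status = "mobile-originated-only"   # the expected result for a dynamic IP SIM
    else:
        status = "public-ip-but-filtered"   # public address, inbound still dropped upstream
    return {"wan_kind": kind, "behind_nat": behind_nat, "status": status}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="dynamic IP SIM mobile-termination check")
    ap.add_argument("role", choices=["listen", "probe"])
    ap.add_argument("--port", type=int, default=9123)   # assumed test port
    ap.add_argument("--host", help="probe target: the public IP observed from behind the gateway")
    ap.add_argument("--wan-ip", help="address shown on the gateway's WAN interface")
    ap.add_argument("--timeout", type=float, default=30.0)
    args = ap.parse_args()
    if args.role == "listen":
        reached = listen_once(args.port, args.timeout)
        print("inbound connection received" if reached else "no inbound connection")
    else:
        if not (args.host and args.wan_ip):
            ap.error("probe needs --host and --wan-ip")
        reached = tcp_probe(args.host, args.port, args.timeout)
        print(interpret(args.wan_ip, args.host, reached))
```

Run `python3 mt_check.py listen` on the laptop behind the gateway, then from the outside host `python3 mt_check.py probe --host <observed public IP> --wan-ip <gateway WAN IP>`. A dynamic IP SIM should report no inbound connection on the listener and a status of `mobile-originated-only` on the probe side; if the probe connects, the line is mobile-terminated and you have exactly the edge surface this part is arguing against. One caveat: confirm the gateway’s own firewall and port-forward pass the test port first (for instance by probing from another host on the gateway’s LAN), otherwise it is the gateway, not the carrier, that is dropping the probe and the test proves nothing about the SIM.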