Cellular in OT - Part 5
In this series we’re exploring various architectures we’ve encountered over the last decade involving the deployment of cellular gateways in OT / SCADA environments. By and large these cellular gateways have been deployed to replace previous communication paths such as POTS/dial-up, private licensed and unlicensed radio systems, or microwave, or to integrate locations that were previously “offline”. I say “monitored” and imply these are used solely for the “DA” portion of SCADA (Supervisory Control and Data Acquisition), but I know first-hand that many are performing the “C” of SCADA over cellular as well. ***I’ll leave the discussions about whether or not anyone should do that to others; the focus in this series is on the various architectures once the decision to connect has already been made.***
In Part 4 we introduced the fact that dynamic IP SIMs do not support mobile termination, so using them eliminates your “surface” at the edge for unsolicited traffic. With that advantage in mind, let’s explore solutions you could leverage to build out connectivity for multiple sites. Note that there are many solutions that use similar general architectures and may be able to accomplish similar results; I’m simply highlighting a few over these posts with particularly compelling differentiators.
Secomea
I know what you’re thinking. “Josh, that diagram is bananapants!” And you’re not wrong, but I’ll be honest - I kinda love it. Look, there is a lot to discuss when a solution can provide both secure remote access and persistent connectivity between sites (or to a central SCADA server) and offers tremendous deployment flexibility.
As it relates to this post series and particularly Part 4, I’ll highlight that the solution simply requires that the SiteManagers be able to reach the GateManager, which can be done with dynamic IP SIMs (or any other internet connection for that matter, including from behind firewalls). Once this encrypted, outbound-initiated connection is established, the myriad connectivity options referenced above are all possible. Furthermore, all of it is managed in a very OT-user-friendly UI that, IMO, accomplishes the rare goal of bending the pole that typically has security and convenience at opposing ends, particularly in the areas of user management and access control.
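To make the “spoke dials out, hub works through the established channel” idea concrete, here is a small added illustration (my own demo code, not Secomea’s software or protocol). A hub listens on localhost, a spoke opens a single outbound TCP connection to it, and the hub then issues read requests down that same connection. The spoke never opens a listening port, which is exactly the constraint a dynamic IP SIM with no mobile termination imposes. The `Hub`/`run_spoke` names, the line-delimited JSON framing and the sample “PLC tag” values are all constructed for the demo, and the real product’s TLS layer is left out for brevity.

```python
"""Dial-out hub-and-spoke demo (constructed example, not vendor code).

The spoke only ever makes an OUTBOUND connection to the hub; the hub then
polls the spoke *through* that connection. Runs entirely on localhost.
"""
import json
import socket
import threading

# Constructed sample data standing in for registers read from a site PLC.
SITE_TAGS = {"tank_level": 72.5, "pump_running": True}


class Hub:
    """Central side (think GateManager): listens, and spokes connect to it."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port for the demo
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.sites = {}      # site_id -> (socket, text stream) of its channel
        self._lock = threading.Lock()

    def accept_one(self):
        """Accept a single spoke and register it under the site_id it announces."""
        conn, _ = self._srv.accept()
        rw = conn.makefile("rw", encoding="utf-8", newline="\n")
        hello = json.loads(rw.readline())
        self.sites[hello["site_id"]] = (conn, rw)
        return hello["site_id"]

    def poll(self, site_id, tag):
        """Send a read request DOWN the spoke's existing connection and wait."""
        _, rw = self.sites[site_id]
        with self._lock:  # one request in flight per channel
            rw.write(json.dumps({"op": "read", "tag": tag}) + "\n")
            rw.flush()
            return json.loads(rw.readline())

    def close(self):
        """Tell every spoke to hang up, then stop listening."""
        for conn, rw in self.sites.values():
            rw.write(json.dumps({"op": "bye"}) + "\n")
            rw.flush()
            conn.close()
        self._srv.close()


def run_spoke(hub_port, site_id, tags):
    """Remote-site side (think SiteManager): dial out, then serve requests.

    Note there is no bind()/listen() here: nothing on the site needs to be
    reachable from the carrier network or the internet.
    """
    with socket.create_connection(("127.0.0.1", hub_port)) as s:
        rw = s.makefile("rw", encoding="utf-8", newline="\n")
        rw.write(json.dumps({"site_id": site_id}) + "\n")  # announce who we are
        rw.flush()
        while True:
            line = rw.readline()
            if not line:            # hub went away
                break
            req = json.loads(line)
            if req.get("op") == "bye":
                break
            if req.get("op") == "read" and req.get("tag") in tags:
                resp = {"ok": True, "tag": req["tag"], "value": tags[req["tag"]]}
            else:
                resp = {"ok": False, "error": "unknown tag or op"}
            rw.write(json.dumps(resp) + "\n")
            rw.flush()


def demo():
    """Run hub and spoke locally; return what the hub learned via the channel."""
    hub = Hub()
    t = threading.Thread(target=run_spoke, args=(hub.port, "site-17", SITE_TAGS),
                         daemon=True)
    t.start()
    site = hub.accept_one()           # the spoke came to us, not vice versa
    results = {
        "site": site,
        "tank_level": hub.poll(site, "tank_level"),
        "bogus": hub.poll(site, "not_a_tag"),   # failure path: unknown tag
    }
    hub.close()
    t.join(timeout=2)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from the demo is structural: every request, even the hub’s unsolicited “read this tag”, rides on a connection the site initiated. Replace the plaintext socket with an authenticated TLS session and you have the shape of the SiteManager-to-GateManager link described above.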
Below are a few of the Secomea advantages we leverage often:
- Spoke gateways (SiteManager) can be hardware or software.
- Hub/M2M server (GateManager) can be hardware or software, vendor-hosted/operated or customer-hosted/operated. The trust conversation comes to mind here. Many organizations leave the centralized hosting, updates, etc. to the vendor as a trusted partner, but you certainly can choose to manage the entire solution in-house if your policy or preference dictates that your data never cross a third-party server.
- In addition to on-demand secure remote access, persistent site-to-site socket communication is possible even between remote LANs with overlapping IP subnets (without overly complex NAT configuration).
- When using hardware gateways, secure remote access is possible not only to Ethernet devices but also to USB and serial devices. Furthermore, access to Ethernet devices is optionally possible as a Layer 2 connection, enabling “discovery” applications (RSLinx, HiDiscovery, etc.) to function remotely.
What do you think? Does the combination of dynamic IP SIMs and a solution like above tick a lot of boxes for you? If you have any questions about the solution above, give us a shout.
We’ll continue this series exploring additional solutions that can leverage dynamic IP SIMs. See you next time!