Cellular in OT - Part 7
In this series we’re exploring various architectures we’ve encountered over the last decade involving the deployment of cellular gateways in OT / SCADA environments. By and large these cellular gateways have been deployed to replace previous communication paths such as POTS/dial-up, private licensed and unlicensed radio systems, or microwave, or perhaps to integrate locations that were previously “offline”. I say monitored, implying these are used solely for the “DA” portion of SCADA (Supervisory Control and Data Acquisition), but I know first-hand that many are performing the “C” of SCADA over cellular as well. ***I’ll leave the discussions about whether or not anyone should do that to others; the focus in this series is on the various architectures once the decision to connect has already been made.***
In Part 4 we introduced the fact that dynamic IP SIMs do NOT support mobile termination, so using them eliminates your “surface” at the edge for unsolicited traffic. In Part 5 and Part 6 we explored solutions that benefited from only needing dynamic IPs, and here we’ll look at another, exploring its unique features.
Specifically, I have yet to differentiate between secure remote access or infrastructure vendors whose gateways have integrated cellular vs. those with a clear, dedicated focus on cellular.
Peplink
“Do we really need to look at ANOTHER vendor solution? What could possibly be so unique that you felt the need to do a THIRD vendor solution post?”
Hold my beer.
Kidding aside I would be completely negligent if we did a series involving cellular and didn’t spend a little time on Peplink. Some of you know the name but it may be completely new to others. I can say confidently that if you’ve never looked at them before you’re missing out. Why? You better go refill that coffee cup; we’re about to test the character limit on this blog.
A model for every situation
We’ll talk even more about the breadth of the product line as the post carries on. Just now though I’d like to discuss the MAX HD Dome series shown in my sample architecture below. Many deployments require a centrally placed gateway indoors attached to strategically placed outdoor antennas. With the MAX HD Dome series the antennas and cellular radios are in a single integrated IP67 enclosure that can be mounted directly outdoors, completely eliminating RF cable loss and maximizing your signal. Still not impressed? Did I mention the gateway is PoE-powered, so you only have to run an Ethernet cable to it?
Many cellular gateway vendors don’t make any products for the central side / hub / HQ of the application so to accomplish something like above, you’re left trying to shoehorn inter-vendor IPSec VPN from their cell gateway to a Cisco, Palo, Checkpoint, Sonicwall, Watchg….asdlkjfasnorrrre
Sorry I fell asleep. Where was I? Oh right - performing inter-vendor IPSec VPN. The challenges here include but aren’t limited to:
-Qualified resources to configure an IT firewall in all its sophisticated glory
-Differences in IPSec implementations between cell gateway vendor and IT firewall vendor leading to configuration attempts, failures, blind configuration changes while standing on one foot and wearing a foil hat, crossing fingers and hoping for the best
Peplink however can provide all components of the solution. This public-facing hub could be an on-prem Balance router like the one pictured above (which can support multiple, diverse WAN connections) or a cloud-hosted FusionHub if you have no physical hub location available.
Peplink makes both single cellular and multi-cellular gateways.
Regarding multi-cellular, it’s important we make a few key distinctions. First, let’s differentiate multiple SIM vs. multiple cellular. Many single cellular gateways support multiple SIMs; these feature cold failover. The cellular radio has to break all active communications with the primary SIM and in most cases flash the radio module firmware (to the firmware for the secondary carrier) on the fly before it can switch to the secondary. Then, assuming you have a configured preference to run on the primary when that network is available, at the configured interval the gateway will need to flash the radio firmware back, just to test and see if the primary network is available. At this time it could either settle out here if the network is available or potentially kick off another flashing party until the next failback interval. I’m thinking most in OT don’t love the idea of a remote cellular gateway constantly flashing its radio module firmware back and forth, presumably in the name of resilience.
Second, there are other multiple cellular gateway vendors but having multiple links doesn’t mean that your application will stay connected as you transition between your primary and backup. It also doesn’t mean that a single application could leverage the bandwidth of both connections concurrently.
And this is where things start to get really fun.
Peplink has basic failover and load balancing, sure, but Peplink’s real magic comes by way of their foundational PepVPN and SpeedFusion technologies that enable bandwidth bonding, sub-second session-persistent application failover and more. The graphic below shows only one of the WANs at the Remote site as cellular, but on a MAX HD2 for example, with dual cellular on two different carriers, SpeedFusion works just the same.
It’s also worth mentioning that PepVPN supports L3 or L2…points for flexibility.
Centralized Management
And if we’re talking about ease of configuration and management we need to talk about Peplink’s centralized management platform InControl 2 (IC2). I mentioned in a previous post that centralized management is practically a must for large cellular deployments and Peplink makes one of the best in the business. Some key features:
-Zero Touch Configuration - easily manage network settings, firewall policies, wireless AP settings, etc. from IC2 allowing groups of field devices to be more simply maintained.
-Network Troubleshooting - email notifications for important network events can be configured with tiered notification. WAN quality and bandwidth usage are monitored using intuitive graphical reports. A Remote Web Admin feature lets you securely and directly access the WebUI of any device.
-THE COOLEST VPN ORCHESTRATION I HAVE EVER SEEN :)
I’m sure at this point others may have added something similar, but when this first launched I was super pumped. If you’ve ever manually configured site-to-site or hub-and-spoke IPSec VPNs, for example, you’ve probably been super annoyed about how much data you have to input from one side to the other, and you’ve likely fat-fingered a subnet or two. This wizard does the thing you always dreamed of: you identify which device is in what role, and since IC2 already knows each device’s LAN network(s) etc., it creates all required policies and pushes them to the devices based on the topology and roles selected. You can literally create a site-to-site, hub-and-spoke, or even full-mesh VPN in seconds.
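To make concrete what role-driven orchestration has to work out for you, here is an added sketch of my own (not Peplink or IC2 code; device names and subnets are constructed): from each device’s role and its known LAN subnets it derives the tunnel pairs for the three topologies and the per-tunnel remote-subnet policy, and it refuses overlapping LANs up front, which is exactly the fat-finger error a manual configuration lets through.

```python
from itertools import combinations
from ipaddress import ip_network

# Constructed inventory (hypothetical names, not a real IC2 tenant): each
# device carries its role and the LAN subnet(s) the controller already knows.
DEVICES = {
    "hq-balance":  {"role": "hub",   "lans": ["10.0.0.0/24"]},
    "site-a-hd2":  {"role": "spoke", "lans": ["10.1.0.0/24"]},
    "site-b-dome": {"role": "spoke", "lans": ["10.2.0.0/24", "10.2.1.0/24"]},
}

def check_no_overlap(devices):
    """Reject overlapping LANs before any policy is generated."""
    owned = [(n, ip_network(l)) for n, d in devices.items() for l in d["lans"]]
    for (n1, a), (n2, b) in combinations(owned, 2):
        if a.overlaps(b):
            raise ValueError(f"{n1} {a} overlaps {n2} {b}")
    return True

def plan_tunnels(devices, topology):
    """Tunnel endpoint pairs implied by the chosen topology and device roles."""
    hubs = sorted(n for n, d in devices.items() if d["role"] == "hub")
    spokes = sorted(n for n, d in devices.items() if d["role"] == "spoke")
    if topology == "site-to-site":
        if len(devices) != 2:
            raise ValueError("site-to-site needs exactly two devices")
        return [tuple(sorted(devices))]
    if topology == "hub-and-spoke":
        if len(hubs) != 1:
            raise ValueError("hub-and-spoke needs exactly one hub")
        return [(hubs[0], s) for s in spokes]
    if topology == "full-mesh":
        return list(combinations(sorted(devices), 2))
    raise ValueError(f"unknown topology {topology}")

def build_policies(devices, topology):
    """Per device: {peer: [remote subnets reached through that tunnel]}.
    In hub-and-spoke, spoke-to-spoke traffic transits the hub tunnel."""
    check_no_overlap(devices)
    policies = {n: {} for n in devices}
    for a, b in plan_tunnels(devices, topology):
        policies[a][b] = list(devices[b]["lans"])
        policies[b][a] = list(devices[a]["lans"])
    if topology == "hub-and-spoke":
        hub = next(n for n, d in devices.items() if d["role"] == "hub")
        for spoke in (n for n in devices if n != hub):
            for other, d in devices.items():
                if other not in (hub, spoke):
                    policies[spoke][hub] += d["lans"]  # reach other spokes via hub
    return policies
```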
Well my keyboard is smoking now so I best give it a rest but if you have any questions about the solution above, give us a shout.
We’ll continue this series exploring edge initiated secure applications, I promise. See you next time!