Cellular in OT - Part 8

In this series we’re exploring various architectures we’ve encountered over the last decade involving the deployment of cellular gateways in OT / SCADA environments. By and large these cellular gateways have been deployed to replace previous communication paths such as POTS/dial-up, private licensed and unlicensed radio systems, or microwave, or perhaps to integrate locations that were previously “offline”. I say monitored and imply these are used solely for the “DA” portion of SCADA (Supervisory Control and Data Acquisition) but I know first-hand that many are performing the “C” of SCADA over cellular as well. ***I’ll leave the discussions about whether or not anyone should do that to others; the focus in this series is on the various architectures once the decision to connect has already been made.***

Ok so we’ve talked about various Carrier Private Network alternatives and overlay solutions, but could it be even simpler? Recently an automation engineer reached out asking which solution would be the best for his project. After going through a little Q&A it became clear he wasn’t looking for secure remote access nor full secure net-to-net connectivity; he only wanted to facilitate the secure transmission of PLC data over cellular from a spoke node to a central location.

Enter edge-initiated protocols. There are many we could talk about, but certainly the most prominent, seemingly gaining more steam every day, is MQTT. There are countless posts and videos on MQTT overall. I’ll give a shout out in particular to Opto22 for publishing tons of great technical content on MQTT - take a look at their latest here.

What I’d like to do is narrow in on the benefits specifically in cellular deployments:

1) Unlike legacy poll/response protocols, which require that HQ be able to reach out and touch the spokes, edge-initiated means the communications are initiated from the spoke, which could be….drumroll….behind a dynamic IP, so yet again we avoid any exposure/surface at the spoke.

2) Many vendor implementations support MQTT over TLS so end-to-end encryption is possible at the application layer, potentially removing the need for further network layer encryption like a VPN overlay.

3) Some implementations have a robust report-by-exception with deadband capability, which can drastically reduce the amount of traffic sent. We’ve executed and seen projects where data transmission was reduced anywhere from 75% all the way up to 99%. A great comparison presentation by Johnathan Hottel is provided here.
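To make the report-by-exception point in item 3 concrete, here is an added sketch (not from the original post or any vendor's implementation) that runs a deadband filter over constructed PLC samples and counts MQTT PUBLISH bytes with and without it. The topic name, the sample data and the `max_silence` heartbeat, which lets HQ tell "no change" from "link down", are assumptions.

```python
import math

def mqtt_publish_size(topic: str, payload: bytes) -> int:
    """Size of one MQTT 3.1.1 QoS 0 PUBLISH packet, excluding TLS/TCP/IP overhead."""
    remaining = 2 + len(topic.encode()) + len(payload)  # length prefix + topic + payload
    n, length_bytes = remaining, 1
    while n > 127:  # Remaining Length field carries 7 bits per byte
        n >>= 7
        length_bytes += 1
    return 1 + length_bytes + remaining  # 1 byte of fixed-header flags

class DeadbandReporter:
    """Publish only when a tag moves more than `deadband` away from the last
    *published* value, or when `max_silence` seconds pass without a publish."""

    def __init__(self, deadband: float, max_silence: float):
        self.deadband = deadband
        self.max_silence = max_silence
        self.last = {}  # tag -> (value, time) of the last publish

    def should_publish(self, tag: str, value: float, now: float) -> bool:
        prev = self.last.get(tag)
        if (prev is None
                or abs(value - prev[0]) > self.deadband  # real change, not noise
                or now - prev[1] >= self.max_silence):   # heartbeat: link is alive
            self.last[tag] = (value, now)
            return True
        return False

def constructed_samples():
    """Constructed data: 1 h at 1 sample/s, noisy level with one step at t=1830."""
    return [(t, (50.0 if t < 1830 else 55.0) + 0.05 * math.sin(t)) for t in range(3600)]

def simulate(samples, deadband, max_silence, topic="site7/plc1/tank_level"):
    rbe = DeadbandReporter(deadband, max_silence)
    published = bytes_sent = bytes_all = 0
    for now, value in samples:
        size = mqtt_publish_size(topic, f"{value:.2f}".encode())
        bytes_all += size  # what publishing every sample would cost
        if rbe.should_publish(topic, value, now):
            published += 1
            bytes_sent += size
    return {"published": published, "bytes_all": bytes_all, "bytes_sent": bytes_sent,
            "reduction_pct": round(100 * (1 - bytes_sent / bytes_all), 1)}

if __name__ == "__main__":
    print(simulate(constructed_samples(), deadband=0.5, max_silence=60))
```

Comparing against the last published value rather than the previous sample keeps a slow drift from creeping past the deadband unreported.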

The market offerings here are extensive and growing. You could deploy Ignition Edge MQTT, Autosol eACM, Node-RED or Tentacle software on IPCs from Compulab, Moxa, OnLogic, or Advantech. MQTT is available in many of the newer generation controllers like Opto22 groov EPIC, Wago PFC, and Phoenix Contact PLCnext. The number of dedicated edge gateway appliances with MQTT support, such as Red Lion FlexEdge, is easily double digits if not triple.

So if all you’re looking to do is securely send data from several spokes to a central location, take your pick from the list above that supports MQTT over TLS, stick that behind a dynamic IP cell modem, and you’re off to the races with no surface exposure on cellular. You also get the additional benefit of substantial bandwidth savings (when properly configured), which is particularly great on a metered cellular connection.

We’ll see you guys next time when I figure out how to put a bow on this series!
