By Tim Craven
Critical networks such as control networks for Smart Grids use Ethernet as the de facto industry standard these days. Ethernet provides a myriad of benefits over more traditional, point-to-point technologies such as serial, one of the most obvious of which is the fact that Ethernet can operate over large-scale WANs (Wide Area Networks) and connect multiple remote sites to a central control room for monitoring, control and automation.
The use of Ethernet also allows connection to the largest public communications network in existence, the Internet. Again this can be used to provide remote access to sites, from almost anywhere in the world (anywhere that provides Internet access). This means that engineers and technicians can save huge amounts of travel time when troubleshooting or commissioning sites, by being able to connect from the office, home or even a hotel when travelling.
One of the major concerns when connecting a remote site to a WAN is the type of connection. In some cases the remote site may be near enough to the nearest network node that some form of wired link can be used, such as long range (100 km+) single-mode fibre optic cabling. Often, however, physical cabling is not feasible, whether due to distance, terrain or similar conditions. In these cases using a wireless option is generally best. Long distance licensed wireless technologies exist, such as WiMAX; however, licenses for these can be costly to obtain (and almost impossible currently in South Africa due to politics surrounding the allocation of frequencies). In these cases the best option is often the cellular route, using the existing cellular infrastructure held in place by a service provider such as Vodacom. Using a utility grade router with a 3G interface you can connect your various LANs together over the cellular WAN.
However, it must not be forgotten that we are working with a mission critical control network, and so security when connecting to the Internet (or any other unsecure network) becomes utterly critical. Weak security can allow harmful viruses onto the network and attached devices, as well as provide a possible entry point for hackers. Standard access security and policies are generally enough to keep the local network secure, and 3rd party, on-site technicians can be easily monitored; however, security on the Ethernet connections to other networks is controlled by hardware and the setup of the network.
The Siemens Ruggedcom RX1400 unit is designed and manufactured according to worldwide standards to be used in harsh environments, especially those found in the utility industry. Offering Zero Packet Loss technology, this unit is guaranteed not to lose any packets due to EMI (Electromagnetic Interference) affecting the device, which is important on such a mission critical network. The unit also boasts a mature, stateful firewall that is perfect for providing a high level of security for your secure network. The unit also offers IPSec security, allowing for even stronger, more secure connections through a non-secure network such as the Internet.
With dual-redundant SIM card slots, Tim Craven, H3iSquared Technical Manager, says, the unit not only provides a secure, firewalled LTE cellular connection, but can automatically choose between two providers, depending on which network connection is stronger at any time of the day. This LTE connection can even be used in conjunction with the fibre SFP slots, allowing for a redundant wireless/wired connection setup. The unit also contains a built-in GPS interface, which can be used for accurate location data of the unit. This, along with the LTE interface, means the unit can even be used in mobile applications, such as providing CCTV monitoring of trucks, ships or other vehicles.
On the wired side, Tim adds, the unit offers 4 x 100BaseTx Copper ports via RJ45 connectors, and then 2 x gigabit SFP slots for fibre optic (or Gigabit Ethernet). Two built-in serial ports also allow integration of legacy equipment and the option to extend serial connections through the existing Ethernet network. The unit also meets or exceeds various utility standards, including IEC 61850-3 and IEEE 1613 for electric power substations.
2 SMA ports for Wireless WAN Interface (4G/3G/2G) with up to 100 Mbit/s bandwidth
4 x 10/100 Mbit/s ports (10/100TX)
2 x 1000 Mbit/s SFP ports (1000LX) for long reach fiber optic connections (up to 100 km)
2 Serial Ports RS232/RS422/RS485 (DB9)
SMA port for GPS
RS232 console port for local management / diagnostics on the device
Isolated built-in power input (12-24 VDC)
Rugged Rated for harsh environments
–40 °C to +85 °C operating temperature (no fans)
CSA/UL 60950 safety approved to +85 °C
Reliable operation in harsh electrical environments
IEC 61850-3 and IEEE 1613 (electric power substations), IEC 61000-6-2 and IEC 61800-3 (industrial environments), NEMA TS-2 (traffic control equipment) and EN 50121-4 (railway applications)
Error-free operation in high EMI environments
Zero-Packet-Loss technology for fiber-based networking devices and IEEE 1613 class 2 error-free performance under EMI stress
Web-based, SSH, CLI management interfaces
SNMP v1/v2/v3
Remote Syslog
Rich set of diagnostics with logging and alarms
Loopback diagnostic tests
Raw and interpreted real-time line traces
Running ROX II Operating System
Enhanced security / reliability through data and control path separation
Single file configuration automation ensures easy installation and configuration control
Automatic rollback in the event of configuration errors
NETCONF configuration interface supports powerful remote configuration and status features
Port rate and Broadcast Storm Limiting
Port configuration, status, statistics, mirroring
Routing Protocols OSPF, BGP, RIPv1 and v2
Virtual Router Redundancy Protocol (VRRP)
NTP time synchronization (client and server)
Redundancy protocols MSTP 802.1Q-2005, RSTP (802.1w) and Enhanced Rapid Spanning Tree (eRSTP) for network fault recovery
Quality of service (802.1p) for real-time traffic
Cyber security features
IPSEC – the integrated hardware encryption engine delivers high performance IPSEC traffic without using the main processor
Passwords – compliant with NERC guidelines including provision for RADIUS based authentication
SSH / SSL – extends capability of password protection to add encryption of passwords and data as they cross the network
Enable / disable ports – capability to disable ports so unauthorized devices can’t connect to unused ports
802.1Q VLAN – provides the ability to logically segregate traffic between predefined ports on switches
SNMPv3 – encrypted authentication and access security
HTTPS – for secure access to the web interface
802.1x – to ensure only permitted devices can connect to the device
MAC access list – control access to devices that do not support RADIUS