Slide 4: Westermo Group 2020
Founded in 1975
Industry-leading software and hardware development force
Own production in Sweden with state-of-the-art process control
Own sales and support units in 12 key countries, distribution partners in many others
Slide 6: Conventional Dial-Up Access
[Diagram: laptop reaching a remote site over a modem dial-up connection and serial communications]
• Only one application can be used at a time
• Bandwidth is limited to 33600 bps at best
• Some systems allow drill-down or pass-through
• Multiple modems and lines are needed for multi-vendor applications
• Still better than sending an engineer to site!
Slide 7: Serial IIoT!
[Diagram: control room SCADA using serial scanning protocols]
A changing world
• Telecoms providers are withdrawing the leased line service
• No alternative solution is available
• Existing modem technology is now obsolete
• Dial-up modems are problematic
• Mobile CSD dial-up is being discontinued
• Bandwidth requirements are only going up
[Diagram: legacy connectivity options: dedicated leased line, analogue dial-up, CSD over GSM]
Slide 9: Routers Replace Modems
• The Internet is the new media
• Routers replace modems
• The VPN is the new virtual leased line
IEC 62443 and 62351 state that VPNs should be used over any 3rd party media
[Diagram: sites connected across the Internet]
Slide 11: Understanding the Value of Remote Access
Save time, money, and the environment by reducing site visits
Fast and effective customer support
Reduce cost for support
More efficient use of time and resources
Offer preventive maintenance
Collect data from end-customers
Stock control, shipping supplies on time
Examples:
Water level monitoring (SCADA)
Street light control
Remote support and diagnostics
SCADA monitoring
Slide 13: Virtual Private Network – What Is It?
What do we mean? Secure real-time communication over an insecure network (Internet)
Site-to-site VPN: connect two or more sites
Remote access VPN: individual hosts (PCs, etc.) connect to a central site
Private: enable confidentiality using encryption
Virtual: build a secure network over a shared intermediate network (Internet)
[Diagram: Central Office VPN GW (Server) and Branch Office VPN GW (Client) linked across the Internet, with a VPN client (Road Warrior) also connecting to the server]
Slide 14: Terminology and Entities
VPN Gateways: VPN Server Gateway (Alice), VPN Client Gateway (Bob)
Central Office and Branch Office
Road-warriors
“Site-to-site” or “Remote access” VPN
Firewall: part of the VPN Gateway, an external firewall, or often both
Backend authentication server (AS)
[Diagram, site-to-site VPN: Central Office VPN GW (Server, Alice) and Branch Office VPN GW (Client, Bob) across the Internet, with authentication servers (AS)]
[Diagram, remote access VPN: Central Office VPN GW (Server, Alice) across the Internet to a VPN client (Road Warrior, Bob)]
Slide 15: Extended Topologies
Multiple clients: multiple clients can connect to the server; mix site-to-site and remote access
Redundant site-to-site: multiple VPN gateways at each site; dynamic routing protocols (OSPF/RIP) for automatic failover
[Diagram, multiple clients: server Alice at the Central Office with clients Bob, Charlie and Dave across the Internet]
[Diagram, redundant site-to-site: Alice1 and Alice2 at the Central Office paired with Bob1 and Bob2 at the Branch Office across the Internet]
Slide 16: Establishing a Secure Tunnel
Authentication phase
• Long-term secret: preshared key (symmetric), KAB, or certificates (asymmetric)
• Prove identity
• Prepare the data transfer phase: negotiation of cipher suite, creation of the session key (Ksession)
Data transfer
• Protection: encryption (e.g. AES-128) and integrity (e.g. SHA-1)
• Encapsulation (format/layer) of the data to be protected
[Diagram: Alice and Bob each hold KAB; an authenticated key exchange based on KAB produces Ksession on both sides; data transfer then applies data protection (AES, SHA-1) and encapsulation]
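The two phases on this slide, written out as an added example that is not Westermo's or WeOS's code. It assumes a constructed preshared key KAB and a constructed packet format (8-byte sequence header, ciphertext, 20-byte HMAC-SHA1 tag); because the Python standard library has no AES, the encryption step uses an HMAC-SHA256 counter-mode keystream as a labelled stand-in for AES-128-CTR, and the key exchange has no Diffie-Hellman step, so unlike IKE or TLS it gives no forward secrecy.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo value (not from the slides): a 128-bit preshared key K_AB that
# both gateways were provisioned with out of band.
K_AB = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# Label of the negotiated cipher suite; it is bound into the key derivation so a
# downgraded negotiation yields different keys on the two sides.
CIPHER_SUITE = b"AES-128/HMAC-SHA1"
TAG_LEN = 20  # SHA-1 output length


def derive_session_key(k_ab, nonce_a, nonce_b, suite):
    """Authenticated key exchange based on K_AB: Ksession is derived from the
    long-term secret plus fresh nonces from both sides. No Diffie-Hellman here,
    so the tunnel has no forward secrecy (real IKE/TLS add a DH step)."""
    return hmac.new(k_ab, nonce_a + nonce_b + suite, hashlib.sha256).digest()


def subkey(k_session, label):
    """Separate keys for authentication, encryption and integrity, all derived from Ksession."""
    return hmac.new(k_session, label, hashlib.sha256).digest()


def auth_proof(k_session, role, transcript):
    """Proof of identity: only a party that knows K_AB can compute Ksession and
    therefore this MAC over the handshake transcript."""
    return hmac.new(subkey(k_session, b"auth"), role + transcript, hashlib.sha256).digest()


def establish_tunnel(k_ab_alice, k_ab_bob):
    """Authentication phase between Alice (server GW) and Bob (client GW).
    Returns (authenticated, Ksession at Alice, Ksession at Bob)."""
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)
    transcript = nonce_a + nonce_b + CIPHER_SUITE
    ks_a = derive_session_key(k_ab_alice, nonce_a, nonce_b, CIPHER_SUITE)
    ks_b = derive_session_key(k_ab_bob, nonce_a, nonce_b, CIPHER_SUITE)
    # Each side sends its proof; the peer recomputes it with its own Ksession.
    proof_from_bob = auth_proof(ks_b, b"bob", transcript)
    proof_from_alice = auth_proof(ks_a, b"alice", transcript)
    alice_accepts = hmac.compare_digest(proof_from_bob, auth_proof(ks_a, b"bob", transcript))
    bob_accepts = hmac.compare_digest(proof_from_alice, auth_proof(ks_b, b"alice", transcript))
    return alice_accepts and bob_accepts, ks_a, ks_b


def keystream(k_enc, seq, length):
    """Stand-in for AES-128-CTR (not in the standard library): an HMAC-SHA256
    counter-mode keystream bound to the packet sequence number, so the same key
    never produces the same keystream for two packets."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encapsulate(k_session, seq, payload):
    """Data transfer phase: sequence header || ciphertext || HMAC-SHA1 tag
    (encrypt-then-MAC, with the tag covering the header as well)."""
    header = struct.pack(">Q", seq)
    ks = keystream(subkey(k_session, b"enc"), seq, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(subkey(k_session, b"mac"), header + ct, hashlib.sha1).digest()
    return header + ct + tag


def decapsulate(k_session, packet, last_seq):
    """Check integrity before anything else, reject replays by sequence number,
    then decrypt. Returns (seq, plaintext) or raises ValueError."""
    if len(packet) < 8 + TAG_LEN:
        raise ValueError("truncated packet")
    header, ct, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(subkey(k_session, b"mac"), header + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    (seq,) = struct.unpack(">Q", header)
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order packet")
    ks = keystream(subkey(k_session, b"enc"), seq, len(ct))
    return seq, bytes(c ^ k for c, k in zip(ct, ks))


def packet_accepted(k_session, packet, last_seq):
    """True if the packet passes the integrity and replay checks."""
    try:
        decapsulate(k_session, packet, last_seq)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ok, ks_a, ks_b = establish_tunnel(K_AB, K_AB)
    print("authenticated:", ok)
    pkt = encapsulate(ks_b, 1, b"Modbus register read")
    print("Alice received:", decapsulate(ks_a, pkt, 0))
```

The order inside decapsulate is the point worth copying: verify the tag, then check the sequence number, then decrypt, so a forged or replayed packet is discarded before any ciphertext is touched.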
Slide 17: Real-Time Security Protocols
“Real-time” as opposed to asynchronous communication (secure email, etc.)
WeOS supports two protocols, OpenVPN (SSL VPN) and IPsec VPN, which provide a roughly equivalent service
Encapsulation: OpenVPN at Layer 4 (UDP/TCP); IPsec at Layer 3 (IP)
Pros of IPsec
• Well-recognized IETF standard
• Relatively good performance
Pros of OpenVPN
• Widespread platform support
• Easier to set up (in particular if the VPN GW is placed behind a 3rd party firewall)
Slide 19: History of Cellular Technology
Cellular data communication started in the 1970s with 1G networks. 1G used analog signals to transfer data at up to 2.4 Kb/s.
In the 1980s, 2G was introduced, changing from analog to digital communications and introducing CDMA (Code Division Multiple Access) and GSM (Global System for Mobile Communications). Multiplexing was introduced to allow multiple data sources over one single channel.
3G was introduced in the early 90s and was the first cellular technology able to send a large amount of data over the cellular network.
4G, otherwise known as LTE, is the current modern accepted standard. The core network behind it is the Internet, and the frequency channels of LTE communications have increased to allow more bandwidth for more data. 5G is on the way, but 4G LTE is the most well-known technology.
Slide 20: 4G LTE Visual
Cellular data communications work by establishing radio service over an area of land divided into “cells”.
Each cell has its own band of frequencies to use for communications, and frequencies can be re-used if no adjacent cells have the same frequency.
CDMA is used to allow multiple simultaneous data flows to access the network over the single frequency.
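The two mechanisms on this slide, frequency re-use between non-adjacent cells and CDMA sharing of one frequency, as an added example that is not part of the original presentation. It assumes a constructed seven-cell hexagonal layout and uses the rows of a 4x4 Hadamard matrix as the orthogonal spreading codes; the greedy band assignment is a simple planner, not an optimal one.

```python
# Constructed example (not from the slides): seven hexagonal cells, cell 0 in the
# centre and cells 1..6 forming a ring around it, each adjacent to its two ring
# neighbours and to the centre.
ADJACENCY = {
    0: {1, 2, 3, 4, 5, 6},
    1: {0, 2, 6},
    2: {0, 1, 3},
    3: {0, 2, 4},
    4: {0, 3, 5},
    5: {0, 4, 6},
    6: {0, 5, 1},
}


def assign_bands(adjacency, bands):
    """Greedy frequency assignment: visit the most-connected cells first and give
    each the first band not already used by an assigned neighbour. Returns a
    dict cell -> band, or raises ValueError if the bands run out."""
    assignment = {}
    for cell in sorted(adjacency, key=lambda c: (-len(adjacency[c]), c)):
        used = {assignment[n] for n in adjacency[cell] if n in assignment}
        free = [b for b in bands if b not in used]
        if not free:
            raise ValueError(f"no free band left for cell {cell}")
        assignment[cell] = free[0]
    return assignment


def reuse_is_valid(adjacency, assignment):
    """True if no two adjacent cells share a band (the re-use rule on the slide)."""
    return all(assignment[c] != assignment[n] for c in adjacency for n in adjacency[c])


def bands_needed(adjacency, candidate_bands):
    """Smallest number of candidate bands with which the greedy assignment succeeds.
    Greedy is not optimal in general, so this is an upper bound on the true minimum."""
    for count in range(1, len(candidate_bands) + 1):
        try:
            return count, assign_bands(adjacency, candidate_bands[:count])
        except ValueError:
            continue
    raise ValueError("not enough candidate bands")


# Four mutually orthogonal chip sequences (rows of a 4x4 Hadamard matrix), one per user.
WALSH4 = [
    [1, 1, 1, 1],
    [1, -1, 1, -1],
    [1, 1, -1, -1],
    [1, -1, -1, 1],
]


def cdma_transmit(bits_per_user):
    """Spread every user's bits with that user's code and sum the chips onto one
    shared channel. bits_per_user[u] is the bit list for user u (equal lengths)."""
    n_bits = len(bits_per_user[0])
    channel = []
    for i in range(n_bits):
        chips = [0] * len(WALSH4[0])
        for user, bits in enumerate(bits_per_user):
            symbol = 1 if bits[i] else -1  # bit -> antipodal symbol
            for k, chip in enumerate(WALSH4[user]):
                chips[k] += symbol * chip
        channel.extend(chips)
    return channel


def cdma_receive(channel, user):
    """Correlate the shared channel with one user's code. Orthogonality cancels
    the other users' contributions, leaving len(code) * symbol per bit."""
    code = WALSH4[user]
    bits = []
    for i in range(0, len(channel), len(code)):
        corr = sum(channel[i + k] * code[k] for k in range(len(code)))
        bits.append(1 if corr > 0 else 0)
    return bits


if __name__ == "__main__":
    count, plan = bands_needed(ADJACENCY, ["A", "B", "C", "D", "E", "F", "G"])
    print(count, "bands suffice:", plan)
    users = [[1, 0, 1, 1], [0, 0, 1, 0], [1, 1, 0, 0]]
    shared = cdma_transmit(users)
    print([cdma_receive(shared, u) for u in range(len(users))] == users)
```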
Slide 21: 4G LTE Routers and SIM Cards
Cellular routers access a carrier’s network but require a SIM card to do so.
All cellular devices accessing an LTE network require a SIM card, as the SIM card holds vital information.
The unique serial number and IMSI are held on the card, along with cryptographic security information and information denoting what services the user has access to on the network.
SIM cards can be swapped between devices to allow devices to access multiple different networks, so long as it is cleared with the carrier.
Slide 22: Considerations of Cellular Networks
Any connection to a cellular network should be treated the same as a connection to the Internet, and therefore requires more awareness of cybersecurity.
Firewalls are imperative to prevent unauthorized or disallowed traffic from accessing the network.
VPNs can be configured to ensure any data going outside the network is encrypted and safe.
VLANs can be configured so that the cellular router and access to the Internet go through their own VLAN, limiting the exposed surface of the network.
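What "treat the cellular side like the Internet" looks like as a firewall policy, written as an added example rather than a WeOS configuration. It assumes constructed interface names (cell0 for the cellular WAN, vlan10 for the control VLAN), stateful tracking of inside-initiated connections, and a VPN that terminates on the router, so the only traffic accepted unsolicited from the cellular side is IKE (UDP 500/4500), ESP and OpenVPN's default UDP 1194; everything else, including the web GUI and SCADA protocols, is reachable only from the control VLAN or through the tunnel.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # ingress interface: "cell0" (cellular WAN) or "vlan10" (control LAN)
    proto: str          # "tcp", "udp" or "esp"
    dport: int          # destination port; 0 for protocols without ports
    established: bool   # reply to a connection initiated from inside (stateful tracking)


# Constructed policy in the spirit of the slide, not a WeOS configuration. Inbound
# on cell0 only VPN traffic is accepted; the control VLAN may reach the router
# for management. First matching rule wins; anything unmatched is dropped.
RULES = [
    ("cell0", "udp", 500, "accept"),    # IKE
    ("cell0", "udp", 4500, "accept"),   # IKE / ESP in UDP (NAT traversal)
    ("cell0", "esp", 0, "accept"),      # ESP
    ("cell0", "udp", 1194, "accept"),   # OpenVPN default port
    ("vlan10", "*", 0, "accept"),       # control VLAN: local management allowed
]
DEFAULT_ACTION = "drop"


def matches(rule, pkt):
    iface, proto, dport, _ = rule
    return iface == pkt.iface and (proto == "*" or (proto == pkt.proto and dport == pkt.dport))


def evaluate(pkt, rules=RULES):
    """Return (action, reason). Replies to inside-initiated connections pass
    first, then the explicit rules, then the default-deny."""
    if pkt.established:
        return "accept", "established"
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[3], f"rule {index}"
    return DEFAULT_ACTION, "default"


def audit(packets, rules=RULES):
    """Run a batch of packets through the policy and collect the drops: every
    unsolicited connection attempt from the cellular side is what a defender
    wants logged and reviewed."""
    dropped = []
    for pkt in packets:
        action, reason = evaluate(pkt, rules)
        if action == "drop":
            dropped.append((pkt.iface, pkt.proto, pkt.dport, reason))
    return dropped


# Constructed sample traffic.
SAMPLE = [
    Packet("cell0", "udp", 500, False),     # IKE from the peer gateway: accepted
    Packet("cell0", "esp", 0, False),       # ESP: accepted
    Packet("cell0", "tcp", 502, False),     # unsolicited Modbus/TCP from the cellular side: dropped
    Packet("cell0", "tcp", 443, False),     # web GUI reached from the carrier network: dropped
    Packet("cell0", "tcp", 443, True),      # reply to a connection the router opened: accepted
    Packet("vlan10", "tcp", 443, False),    # web GUI from the control VLAN: accepted
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", evaluate(pkt))
    print("dropped:", audit(SAMPLE))
```

The dropped list is the detection value of the policy: on a router whose only legitimate inbound traffic over the carrier network is the VPN, any other hit on cell0 is worth an alert, and the VLAN rule keeps management off the cellular side entirely.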
Slide 27: Underlying Technology
SSL VPN: Secure Sockets Layer Virtual Private Network
Extremely reliable and secure
Highly encrypted: AES256
Used by the financial industry
Open source with a huge community
Slide 28: Product Definition
Wired Interfaces:
2 x RJ-45 10/100 Mbit/s Ethernet
1 x DB-9 RS-232 Serial Connection
Wireless Interfaces:
3G WCDMA & LTE Cat. 4
2x2 MIMO
3G Bands 2 & 5
4G Bands 2, 4, 5, 13, 17
Dual SIM Support
Physical Specification:
-40 to +70 °C Temperature Range
Small DIN Rail Form Factor
Power:
12-48 VDC Input, 10-60 VDC Operating
Full Galvanic Isolation
Slide 29: Product Definition
Always Connected: Connection Manager ensures connectivity in crowded networks; Dual SIM Support
Security: ensures secure communication without unauthorized access; wide VPN protocol support; built-in firewall management
Simple Management: Web GUI interface for Ethernet management; SMS support; management over SNMP available
Legacy Connectivity: RS-232 serial connectivity support; Modbus, DNP3 and Dynamic Peer serial protocol support
Slide 30: IP Train Networks
Next webinar will be in August:
Learn about the topology and application of Ethernet Train Networks
Westermo’s full offering of EN50155 certified Ethernet switches
A greater focus on onboard communications for both old and new train networks
See Westermo’s website under News and Events for more details.