Avoiding Pitfalls in Industrial IoT (IIoT) Communications
IIoT Webinar, May 2018
Alex Grinshtein, Business Development Director, CI LoB
Secure IIoT Backhaul
Agenda
• IIoT Market Segments and Trends
• Use Cases
• Challenges & Requirements
• Deploying Secure Industrial IIoT Communications
Industrial IoT (IIoT): What is it?
• Enables digital transformation across all industrial and critical infrastructure sectors.
• “By 2020, IIoT is expected to be a $225 billion market, encompassing many thousands of highly distributed intelligent devices” (www.ioti.com)
IIoT in Energy Sector
Energy infrastructure IoT is set to double in the coming years
[Chart: IoT Revenue by Type (Commercial, Residential, Energy Infrastructure), in $ millions, 2016 to 2025; y-axis from $0 to $160,000. Source: World market]
IoT Segments
Smart City, Energy and Industry are about 40% of IoT projects
Main IIoT Applications
Power Utilities | Gas Utilities | Water Utilities | Transportation | Connected Industry (Smart Factory) | Smart Cities
Re-closers | Flow meters | Flow control | Traffic control | Production floor monitoring | Smart parking
Load breakers | Volume sensors | Quality | Info boards | Remote PLC control | Traffic monitoring & control
SCADA/MiniSCADA/FRTU | Pressure sensors | Leakage detection | Kiosks | Automated quality control | Bike sharing
Secondary substations | Level sensors | Pump/valve control | Smart lighting
Meters | Meters | Public safety
Use Cases
Utilities - From Automation to Industrial IoT
Legacy M2M (“Protect the Production Line”)
• SCADA
• On-premise
• No internet
Industrial ‘Internet of Things’ (“Fast Time to Market”)
• Renewable Energy
• Mostly TCP/IP
• Cloud
• Internet-enabled
Connected Industry (“Smart Factory”)
• Real-time monitoring of production flow – saves time and work on the inventory process
• Inventory management – real time inventory monitoring and tracking
• Remote process automation and optimization
• Quality control automation
Challenges & Requirements
IIoT Communications and Operations – Main Challenges
Cyber Security
• From private networks to untrusted public networks
• Millions of new IP devices, exposed to attacks from the internet
Operations
• Thousands of new edge devices increase deployment and maintenance cost
Service Reach
• Lack of connectivity to many new locations
• In some cases only public mobile is an option – security and reliability challenges
Data Usability
• Massive traffic growth is expected, resulting from numerous new devices
• Fog applications – help to reduce traffic and improve delay/jitter with some critical real-time apps
Industrial IoT Backhaul
[Diagram: hub & spoke / star topology. Labels: IIoT Gateway (Ethernet, Serial); FW config, Security mng, PKI Enrollment, CA; Zero Touch Server; Wireless/Fiber Links; 3rd-Party Network; Security Gateway]
IIoT Backhaul Key Requirements
• Reliable! Ruggedized for outdoor installations
• Secure! Encrypted VPN tunnels and firewall
• Low TCO – easy installation, provisioning and maintenance
• Ubiquitous communications - over private and cellular networks
• Supports legacy and new communications protocols and devices
• Hub and spoke topology
Hub & Spoke | Cyber Security | Plug & Play Installation | Always-On Communication | Legacy & New Protocols
About RAD
RAD Proprietary and Confidential Company Presentation 2018
RAD in Numbers
19
>3716
220
800
Evolve Any Service Over Any Network for Critical Infrastructure
Assuring Network Performance and User Experience
[Diagram: Service Evolution plotted against Network Evolution. Labels: Packet, TDM, D-NFV/FOG; TDM, Packet; OT/IT Convergence; TDM Hybrid Migration; Packet OWAN/IIOT; IIOT; Obsolete Equipment Replacement]
• Decouple service evolution from network evolution, migrate at a pace that is right for you
• Leverage your existing resources (networks, spectrum, expertise, operational practices)
• Prolong use of a large variety of existing legacy interfaces and equipment
• Maintain network performance, service level and guarantee user experience
RAD’s Unique Solution for Secure Industrial IIoT Communications
Industrial IOT Backhaul – Application and RAD’s Key Advantages
• End-to-end solution (hub & spoke and network management)
• Full suite of security tools, specifically designed for secure communications, especially over cellular
• Security Information and Event Management (SIEM)
• Zero-touch provisioning over public cellular – low OpEx and secure
• Secure VPN redundancy over private/public networks
• Virtual environment container for fog/edge applications
• RAD’s Security hub GW with optional HW redundancy or other 3rd party HUB (Check Point, Fortinet, Cisco)
• Stateful L3-L4 firewall in each security GW
• Cost-effective – low TCO
[Diagram labels: IPsec VPN tunnel for SCADA and management traffic; IPsec VPN for remote management; Device Connection Control 802.1X MAC; BTS/eNB; Application Server; SCEP server; Leased F.O; Security HUB; Internet; NMS; OT Network; Security GW; IPsec; Security Management Server (SMS); Remote Management; Cellular Network 3G/LTE; Zero Touch SCEP Proxy, NMS; Zero Touch Redirect server; Smart metering/Grid/Energy; Counter; Meter Concentrator; IoT GW; Smart Industry; Smart City]
Built-in Security Features
• End-to-end secure VPN tunnel (for any service, IP or serial)
• IPsec VPN with X.509 PKI, with automated certificate enrolment and renewal (SCEP)
• Optional RAD CA (Certificate Authority) or SCEP client support in all solution elements
• L3/L4 stateful firewall in all solution elements managed by RADview - with centralized provisioning (firewall configurator) and SIEM for centralized monitoring
RADview Security Features
• Easy creation and editing of firewall rules using the firewall configurator
  – Cyber securing the communications device and customer traffic
• Cluster-based firewall configuration with scheduling
• Security Information and Event Management
  – Security and operations events reporting
• User-defined dashboard
  – Cyber events – reporting attacks on network elements
Secure Zero-Touch Provisioning
Secure zero-touch (ZT) configuration over public networks - reducing cyber vulnerability with minimal OpEx
• Supports SecFlow devices with dynamic or static IP provided by the cellular operator
• No manual configuration on-site – Plug & Play
• Fast deployment with fewer mistakes (lower TCO)
• Easy device replacement – configuration automatically restored on new devices
• Each device will be redirected to the customer’s bootstrap server (located in its DMZ) for configuration download (secure connection)
• Secure automated configuration and auto-registration by the RADview server
[Diagram labels: BTS/eNB; Application Server; SCEP server; Internet; RADview; OT Network; Security Management Server (SMS); End User Devices (Serial/IP); SecFlow; Cellular Network 3G/LTE; Configuration Server, SCEP Proxy, NMS; DMZ; SGW; Organizational Firewall; Zero Touch Server]
SecFlow-1v and Third-Party Software Support (Pushing select data processes to the edge and fog)
Aggregation and data processing from multiple on-premise devices
• On-premise processing:
• Standard connection to IoT clouds, protocol translation, analytics on the edge
• Reduce data (BW) before sending to higher levels in your network
• Minimize latency and maximize the efficiency of your network investment
• LXD engine for running multiple applications using Linux containers – similar to VM
• Secure by design with advanced resource control (CPU, memory, network I/O, block I/O…)
• Ready-made images available for a large number of Linux distributions
https://docs.microsoft.com/en-us/azure/iot-edge
https://linuxcontainers.org/lxd/introduction/
RAD’s Value Proposition
Connectivity
Security
Computing
Simplified Operation
Video IIoT Demo
IIoT Case studies
Case Study – Power Utility in APAC
Background
Customer Type: Power Utility
Country & Region: APAC
Application: Industrial IoT Backhaul
• Major power distribution modernization project, connecting legacy and IP SCADA RTUs in 300 sites in 1st phase, and 3,000 sites in 2nd phase
• Cellular link is used for connectivity of all spokes to the central hub.
• SecurityGateway - central hub which aggregates IPsec VPN tunnels from remote sites, started with Check Point moving to RAD’s new SecurityGateway
• SecFlow connects RTUs with speeds of up to 1Mbps
• Why we won?
  – Security gateway, competitive price, close relations, full solution, commitment, responsiveness
Solution
[Diagram labels: RTU; SecFlow-1; ISP; PSN; OT Network; RADview; SecurityGateway; IPSec hub; BTS/eNB; Cellular Network 3G/LTE; SCEP Server; Security Management Server (SMS); IPsec; HMI]
Case Study: Power Utility LATAM
Customer Type: Electric power company (GEN, TSO, DSO)
Country & Region: Central America
Application: Industrial IoT backhaul
Background
• Company issued a tender for the payment kiosks (POS) management including secure communications between the central site and the POS’s
• Company currently has 3111 POS’s distributed in 1800 sites nationwide (1st phase of project will include 1000 POS’s)
• There will be two Central Sites, both need secured communications:
  – Management Center: For management & monitoring of all ATMs in the network
  – Transaction Center: For registering all payments done in all ATMs in the network
• RAD’s Main UVPs: Automated PKI, Secured VPN via IPsec, high scalability with Fortinet, 3G/LTE backup, redundant HUB site
Solution
[Diagram labels: ONT/DSL Modem; RADview; ATM Mngt.; SCEP Server; Fortinet Firewall; Transaction Server; Central NOC; Transaction Center; NID; Internet; SecFlow-1; ATM; Remote Site #1; Remote Site #n; ATM #1; ATM #8; 3G/LTE Backup Link]
Case Study: Police
Customer type: Police
Country & region: MEA
Application: Industrial IoT backhaul
Background
Customer:
• Police Traffic Control department
RAD’s Offering:
• SecFlow-1, IPsec VPN with X.509 over cellular network
RAD Solution Benefits
• Two cellular operators for redundancy.
• Unique requirement - dry contact for restart
Why RAD?
• Our partner relationship with end user
• Flexibility to work with any HUB aggregator
Solution
[Diagram labels: Cellular APN #2; Backup; Main; ETH; Dry contact; Cisco FW; Syslog; DB Server 02; Cellular APN #1; Police; ISP]
Takeaways
IIoT – a huge growing market
IIoT introduces unique reliability, security and connectivity challenges
RAD is a leader in critical infrastructure communications with over 37 years of experience worldwide
Thank you for your attention
Alex Grinshtein
Director of Business Development in the Critical Infrastructure Line of Business