Substation Networking With Non-Routable Protocols: A Practical, Cost-Effective Solution For NERC/CIP Compliance
Case Study: Legacy SCADA Protocols ENCORE NETWORKS
Problem: Legacy SCADA networks have become outdated and do not support communication to multiple host sites (see Figure 1). Most common SCADA networks involve radio or leased-line connectivity into the substations. This scenario requires a one-for-one solution: the Remote Terminal Unit (RTU) requires a modem/radio to modulate, and the host requires hardware to demodulate. Going to dual host for redundancy is prohibitively expensive. The prices of these solutions are not cost effective. Figure 1 depicts a standard utility solution with 4 remote RTUs communicating to a single host. The RTU has a serial connection to the radio/modem, which uses licensed or unlicensed radio frequencies. At the host end, a single front end processor (FEP) port is connected to a demodulation modem. You are purchasing twice the hardware for a solution that does not have a good host end solution.
Encore Networks Solution To Support Legacy SCADA Protocols
Problem Summary:
► Radio and leased lines
► Single host
► Single point of failure
► No encryption
► Double hardware
Encore Networks | 45472 Holiday Drive | Dulles, Virginia 20166 | 703-318-7750 | www.encorenetworks.com
Figure 1
Encore Networks | Legacy SCADA Protocols
The Encore Solution (see Figure 2 below): Encore Networks provides a complete end-to-end solution via a seamless migration strategy. We support Legacy SCADA protocol to IP conversion. The BANDIT II/III support Legacy and IP connections simultaneously. This allows the customer to migrate to IP as budget allows. The network becomes a private network by using VPN to connect the entire network.
Figure 2 illustrates a seamless migration utilizing the Encore solution. The RTU is connected to the BANDIT II or BANDIT III using a serial connection. When the RTU is upgraded or replaced with IP, the connection changes from a serial connection to Ethernet. Since the VPN network is already in place, only the cable needs to change. The VPN can terminate on any device that supports IPSec. The Encore Networks VSR1200 will terminate up to 580 remote connections. It also has the ability to support up to 24 ports of serial connections on the FEP. The VSR1200 can be stacked to support an unlimited number of serial connections.
Solution Summary:
► Dual route support
► Network agnostic
► Multiple host
► VPN–IPSEC
  • AES256 or 3DES (Encryption Algorithms)
Figure 2
TECHNICAL SPECIFICATIONS: BANDIT II
Specifications subject to change

General Features
► Protocol management (spoofing) and translation
► NERC CIP-compliant security
► Secure Wireless Cellular connection
► SNMP manageability (Monitoring and Configuration)
► Operating System (OS) and Configuration Servers
► Disaster Recovery and Load Sharing
► QoS Enforcement

Security Appliance Features
► Integrated router/firewall/VPN
► NAT, PrAT, eNAT-T
► VPN (up to 30 simultaneous tunnels)
  • IP Sec (RFC 2401) with DES (56 bit), 3DES (168 bit) and AES (256 bit)
  • GRE (RFC 1701)
  • SLE (Selective Layer Encryption)

Protocols
► WAN Serial
  • Frame Relay
  • Asynchronous and Synchronous PPP
  • MLPPP
  • X.25
► IP Ethernet
  • IP Routing (RIP v1/v2) or Static Routing
  • IPSec and SLE VPN
  • VPN Split Tunneling
  • DHCP Client/Server/Relay/BootP
  • IP QoS and traffic prioritization
  • VRRP (RFC3768)
  • VLAN
  • 802.1q VLAN tagging

Serial Legacy Support
► One DB25 port
► Supports multiple asynchronous and synchronous legacy protocols
► Pass through support for DNP3, IEC 60870-5-101/103/104, MODBUS, CDC, S/NET, CONITEL, ABB, and most electrical industry proprietary protocols
► One DB9 serial console port supporting EIA/TIA RS232

Physical Ports
► Serial
  • 1 DB25 port (RS232) User port
  • 1 DB9 port (RS232) console or User port
► Ethernet
  • 2 10/100 BASE TX
► Optional
  • CDMA 1xRTT, EVDO
  • GSM EDGE, HSDPA

Electrical
► Power Supply Options
  • 10 watts maximum
  • DC: 12VDC, 24VDC, 48VDC
  • AC: 100-240VAC, 50-60Hz (with external adapter)

Environmental
► Temperature:
  • Industrially hardened: -40° C to 85° C (DC); -30° C to 70° C (AC)
  • Commercial-grade: 0° C to 50° C
  • Cellular Wireless: -20° C to 65° C
  • Non-Operating: -40° C to 85° C
► Humidity: 10% to 85% non-condensing
► Altitude: Up to 10,000 ft. (Up to 3048 m)

Mechanical
► Height: 1.5 in. (3.81 cm)
► Width: 6.0 in. (15.24 cm)
► Depth: 4.4 in. (11.18 cm)
► Weight: Less than 1 lb. (Less than 0.45 kg)
► Installation Type: Desktop

Standards Compliance
► RoHS Compliant
► EMC
  • FCC Part 15
  • EN 55022: 1998
  • EN 55024: 1998
► Product Safety
  • UL/CSA 60950-1
  • CAN/CSA-C22.2 No. 60950-1-03
  • EN 60950-1
Figure: BANDIT II, Remote Substation Solution (front and back views). Callouts: 1 DB9 Console Port (Optional User Serial Port); 2 10/100 Base TX Ethernet Ports; All Port Status LEDs; 1 DB25 RS232 Serial Port; Wireless Cellular.
TECHNICAL SPECIFICATIONS: BANDIT III
Specifications subject to change

General Features
► Data concentration
► Protocol translation
► NERC CIP-compliant security
► Dialup connection
► Manageability (Monitoring and Configuration)
► Real-time clock with battery backup

Security Appliance Features
► Integrated router/firewall/VPN
► DMZ LAN port
► NAT
► VPN (up to 30 simultaneous tunnels)
  • IP Sec (RFC 2401) with DES (56 bit), 3DES (168 bit) and AES (256 bit)
  • GRE (RFC 1701)
  • Internet Key Exchange - IKE (RFC 2409)

Protocols
► WAN Serial
  • Frame Relay (RFC1490)
  • Asynchronous PPP and Synchronous PPP
  • X.25
► IP
  • IP Routing (RIP v1/v2) or Static Routing
  • DHCP client/server/BootP/Relay
  • IP QoS and traffic prioritization
  • IP fragmentation/reassembly
  • IP routing over VPN
  • VRRP (RFC3768)
► Ethernet
  • 802.1q VLAN tagging
  • PPPoE

Serial Legacy Support
► Up to 5 DB25 ports supporting EIA/TIA RS485, RS232, RS422
► Supports any asynchronous or synchronous traffic over IP
► Pass through support for DNP3, IEC 60870-5-101/103/104, MODBUS, CDC, S/NET, CONITEL, ABB, and most electrical industry proprietary protocols RS232

Physical Ports
► Serial
  • 1 universal DB25 port (RS232)
  • Optional four DB25 ports (RS232)
  • 1 RS232 console
► Modem
  • Integrated 56Kbps V.90/92 with PPP support (PAP/CHAP)
► Ethernet
  • 4 switched and configurable 10/100 BASE TX
► Expansion Slot
  • 56/64k CSU/DSU
  • Single T1/E1 CSU/DSU
  • Dual T1/E1 CSU/DSU
  • Additional Universal Serial
  • CDMA 1X
  • CDMA EVDO Rev.A
  • GSM GPRS
  • GSM EDGE
► Alarm Port
  • Programmable alarm indicators

Electrical
► Power Supply Options
  • 15 watts maximum
  • DC: 12VDC, 24VDC, 48VDC
  • AC: 100-240VAC, 50-60Hz (w/ ext. adapter)

Environmental
► Temperature:
  • Operating: -40° C to +85° C
  • Storage: -40° C to +85° C
  • Humidity: 5 to 95%, non-condensing
  • Operating (Cellular): -20° C to +65° C

Mechanical
► Height: 2.375 in. (6.0 cm)
► Width: 10.375 in. (26.4 cm)
► Depth: 7.5 in. (19.1 cm)
► Weight: 2.25 lb. (1.02 kg)

Standards Compliance
► RoHS Compliant
► EMC
  • FCC Part 15
  • EN 55011/CISPR 11
  • IEC 61850-3
  • IEEE 1613
► Product Safety
  • UL/CSA 60950-1
  • CAN/CSA-C22.2 No. 60950-1-03
  • EN 60950-1
Figure: BANDIT III, Remote Substation Solution With Multiple Serial Connections (front and back views). Callouts: All Port Status LEDs; 2 Cellular Expansion Ports; 4 Optional Serial Ports; Integral Serial Port (Port 1); Expansion Port 1; V90/V92 Modem; 4 Ethernet 10/100 Base TX Ethernet Ports.
TECHNICAL SPECIFICATIONS VSR-1200
Specifications subject to change

Host Solutions Architecture
► ELIOS™ operating system
► High performance 800 MHz RISC-based processor
► VPN hardware acceleration processors to guarantee high performance
► Compression
► IP QoS tagging, classification, and enforcement

Port Interfaces
Standard:
► Two (2) Ethernet 100 BaseT/GigE auto-sensing RJ45 full- and half-duplex ports for LAN and WAN
► One (1) auto-sensing port switch with eight Ethernet 10/100 BaseT full- and half-duplex RJ45 ports
► One (1) PCI slot for future expansion
Optional:
► External Remote Data Unit (RDU) module with up to 12 serial ports for legacy protocol conversion and spoofing
► Up to 2 RDU units are supported per single VSR-1200

Network Protocol Support
► PPPoE
► IP
► Ethernet
► Link compression

IP Routing
► IP fragmentation/reassembly
► Standard RIP v1/v2
► Static routing
► Routing over VPN tunnels
► DHCP client/server/relay
► BootP
► IP QoS
► Priority queuing
► Dynamic bandwidth allocation
► Diffserv marking and classification
► 802.1q/p VLAN tagging and prioritization

IP VPNs
► Support up to 1200 simultaneous tunnel interfaces
► Tunnel initiation, pass-through, multiplexing and termination
► Standard IPSec encryption (RFC2401)
► GRE (RFC 1701)
► Selective Layer Encryption (SLE)
► AES, DES (56 bit), and 3DES (168 bit) encryption
► ESP (RFC2406) and AH (RFC 2402) encapsulation
► HMAC MD5 (RFC2403) and HMAC SHA-1 (RFC 2404) authentication
► IKE (RFC 2409)
► ISAKMP (RFC2408)
► CEP and Digital Certificates and DH groups
► Compatible w/ other IPSec VPN clients & gateways
► SLE-to-IPSec tunnel switching

Stateful Firewall
► Built-in stateful firewall functionality
► IP filtering, protection against Denial of Service (DoS) attacks
► NAT and Private Address Translation (PrAT)

Redundancy and High Availability
► Support of VRRP (RFC 3768)
► Virtual Broadband Redundancy System (VBRS) for legacy host applications
► Device and line failure detection and recovery
► Auto-learning of IP routes
► Fail-over based on flexible policies and network configuration criteria
► Dual redundant and load-sharing power supplies with separate AC inputs

Network Management
► Supervisory port (out-of-band)
► Internal modem dial-in (out-of-band)
► Telnet (in-band)
► Multi-level password protection
► TFTP for software upgrades and configuration updates
► SNMP (MIB-II with extensions)

Product Compatibility
► Satellite Modem Vendors
► Hughes Network Systems
► Gilat - Spacenet
► iDirect
► Viasat Wild Blue
► ComTech

Physical Specifications
► Dual Redundant Power: 100 to 240 VAC, 50–60 Hz; auto-ranging
► Two separate AC power inputs
► Temperature: 32° to 104° F (0° to 40° C)
► Humidity: 10% to 85% non-condensing
► Altitude: Up to 10,000 ft. (3,048 m)
► Height: 1.75 in. (4.5 cm)
► Width: 19 in. (48.3 cm)
► Depth: 8.3 in. (21.1 cm)
► Weight: 4 lb. (1.8 kg)

Agency Compliance
► Safety:
  • ANSI/UL Std. No. 60950, 3rd Edition (U.S. Safety)
  • CAN/CSA-C22.2 No. 60950 (Canadian Safety)
  • EN 60950, European Safety (CE Mark)
► Emissions:
  • FCC Part 15, Sub-Part B, Class A (U.S.)
  • EN 55022: 1998 (Europe)
► Immunity:
  • EN 55024: 1998 (Europe)
Figure: VSR-1200 (front and back views).