The migration to IP has placed new demands on SCADA radio system capacity, with equipment designers working to satisfy spectrum efficiency demands within economic constraints. New technologies have dramatically reduced the cost of efficient quadrature amplitude modulation (QAM) techniques, to the point where implementation in moderately priced UHF SCADA radio systems is possible. This presentation describes some of the technology behind a new low-cost digital radio that delivers 60 kbit/s in a 12.5 kHz channel for use in licensed UHF frequency bands, with some discussion of application examples. Presenter: John Yaldwyn, Chief Technology Officer, 4RF Australia.
COMMS CONNECT 2014
High-performance, narrowband UHF SCADA radio John Yaldwyn, CTO and Director
4RF Australia Pty Ltd
@CommsConnectAus #comms2014
2 © 2014 4RF Limited | Public COMMS CONNECT 2014
Session discussion
• Technology overview – traditional SCADA radio systems operate in the VHF / UHF / 900 MHz spectrum
• ACMA 400 MHz replanning impact and demand drivers – narrowbanding and cybersecurity concerns are pushing technology limits
• Speed, security, and management benefits – new technology development to the rescue
Typical point-to-multipoint radio system requirement
[Diagram: a master station radio linked over the air to radios at the remote RTUs]
Traditional SCADA radio systems
Critical infrastructure SCADA applications include oil & gas, electricity, and water
Effective SCADA is critical to most public utility infrastructure and needs wireless connections
Tasks are typically data gathering (telemetry) and remote control of machinery
Connections are by radio in the narrowband VHF, UHF, or 900 MHz bands
Distances are typically in the range 5 to 75 km, sometimes more
The number of remotes n can range from a few to perhaps 100, with a typical maximum of 200
[Diagram: ICS SCADA server connected to a radio base station serving RTUs, 1 of n remotes]
Public networks for utilities?
GSM / GPRS / 3G / LTE
• Best-effort services
• Variable throughput and latency
• Performance depends on the number of other users
• Inexpensive, good for basic monitoring, use with dual SIM / APN
• Business is consumers and not utilities – ‘iTunes for iPhones’
Cigré Australia and others in the electricity industry have expressed similar views, with emphasis on the latency and coverage of cellular
4RF Australia, the ARCIA, and our worthy competitor from Carrum Downs do not believe that cellular provides the reliability, redundancy, and resilience necessary for critical infrastructure
Can public networks support today’s critical infrastructure requirements in light of wind, fire, floods, and other threats?
[Images: GPRS and LTE logos]
Narrowband VHF / UHF / 900 MHz radio systems
Traditional SCADA radio solution, widely deployed with a strong heritage
Reliable point-to-multipoint operation; directional antennas are typical at remote sites
Licensed narrowband dedicated SCADA radio options
• VHF – long range, 150 to 174 MHz, with reasonably large antennas
• UHF – moderate ranges, convenient antenna sizes
• 900 MHz – short range with compact antenna sizes
ACMA RALI FX 16 for 400 and 900 MHz
Older systems operated at speeds between 300 and 1,200 bps in 25 kHz channels
• Modem audio tones over FM radio systems (sometimes called analog radio)
More recent systems provide 9,600 bps in 12.5 kHz and 19,200 bps in 25 kHz
• True digital implementations using FSK modulation
• But still relatively slow, particularly with narrowbanding
Demand drivers
Narrowbanding and cyber security are real user concerns, but alternative technologies such as cellular do not address the reliability, redundancy, and resilience needs
IP SCADA products with new protocol, security, and management needs are driving expectations for radio system capacity
• Vendors are responding with new high speed designs
Using IP is not the same as ‘the Internet’, but they share the same protocols
• Interconnections need a careful security approach – a key message
Standards evolution
[Timeline figure; labels recovered from the slide:]
• Modbus: Modicon, 1979 (serial); 2004
• Hundreds of proprietary protocols
• MMS, 1988
• DNP3 serial, 1993
• IEC 60870-5, 1994 – IEC 101 serial, IEC 104 IP / Ethernet
• Utility Communication Architecture, 1999
• DNP3 Ethernet
• IEC 61850, 2003
• 2000–2012: IP / Ethernet (IP*)
Capacity drivers
[Figure: ‘bandwidth explosion’ from 1980 to now and into the future, driven by IP, cyber security, management, user and device authentication, regulatory requirements (SOX etc), routing and VLANs, and device profiles and object models]
The advantages of traditional radio and high speed
Bands: VHF, UHF, and 900 MHz
Bandwidths: 12.5 kHz, 25 kHz, and 50 kHz
• Speeds of 60 kbit/s to more than 200 kbit/s
[Figure: data-rate scale in kbit/s (0.3, 1.2, 2.4, 4.8, 9.6, 19.2, 38.4, 40, 60, 54, 72, 96, 144, 216) spanning old modem style, recent digital radios, and new generation QAM radios]
Performance – Modbus TCP 13 byte poll with 260 byte response
[Chart: Ethernet SCADA polling, average number of polls per 30 seconds (0 to 450 scale), compared for 4FSK, SRQ, QPSK, SR+ and 64 QAM radios]
Gas resource example – 150 wells, 30 m tower, 380 km²
[Coverage map: predicted coverage at 64 QAM with 20 dB margin, 64 QAM with 10 dB margin, 16 QAM with 10 dB margin, and 16 QAM with 20 dB margin]
To achieve these results needs key design advances
SCADA radio systems are point-to-multipoint networks
• Need to deliver SCADA data with maximum reliability and robustness over narrowband radio channels (6.25 to 50 kHz)
The challenge requires three key design attributes
• Efficient modulation schemes – FSK, 4FSK, QPSK to 64 QAM
• RF design complexity increases as capacity increases (a quantum jump for QAM)
• Efficient sharing of the channel, particularly when considering asynchronous ‘report by exception’ protocols, drives the radio media access control (MAC) architecture
RF performance – high power, less distortion, better range
A newly developed, highly effective power amplifier pre-distortion system with stable temperature operation that corrects amplifier impairments for more linear output power
• Less distortion = better range
The measured adjacent channel power performance results for the 12.5, 25 and 50 kHz cases are excellent
• Significant design challenge
• Output spectrum shown with and without pre-distortion
• Adjacent channel performance complies with stringent ETSI and FCC regulatory requirements
[Figure: output spectrum with pre-distortion off (above) and on (below)]
Excellent EVM metrics – 0.3% rms error vector magnitude at 64 QAM
ACM – another step to make best use of a channel
The ability to provide adaptive coding and modulation (ACM) is a key new feature
• Enables maximum use of the channel, with high speed for near remotes and robust connectivity for distant remotes
• Allows reduced operational fade margins – plan with a standard fade margin for robust QPSK but enjoy operational time at high capacity 64 QAM
• Maintains link operation during fading, multipath, and interference scenarios
Downlink messages (broadcast) are set to the most effective modulation rate for the network
Uplink from remotes has modulation and FEC automatically adjusted based on the performance of the last packet
• ACM currently implemented from remote to base station (poll response and exceptions)
• ACM in both directions is under study
[Diagram: base station serving remotes at QPSK, 16 QAM and 64 QAM depending on distance and terrain (hill)]
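The per-remote uplink adaptation described above can be made concrete with a small selector. The following is an added example written for this page, not 4RF's ACM implementation: it assumes the base station measures the SNR of each remote's last packet (the slide only says "performance of last packet"), and the minimum-SNR figures for QPSK, 16 QAM and 64 QAM, the 3 dB step-up hysteresis, the remote name and the SNR trace are all constructed for illustration. It shows the planner's view from the slide: the link is engineered for QPSK with full fade margin, and the remote spends most packets at 64 QAM while dropping back automatically during fades.

```go
package main

import "fmt"

// Modulation modes ordered from most robust to highest capacity. The minimum
// receive SNR figures are assumed planning values for this example, not 4RF's.
type Mode struct {
	Name       string
	MinSNRdB   float64 // SNR needed to hold the target packet error rate (assumed)
	BitsPerSym int     // relative capacity of the mode
}

var Modes = []Mode{
	{"QPSK", 10, 2}, // the mode the link is planned for, with full fade margin
	{"16 QAM", 17, 4},
	{"64 QAM", 23, 6},
}

// ACM tracks the current uplink mode of every remote at the base station.
// A remote steps up only when the last packet's SNR exceeds the next mode's
// requirement by UpHysteresisDB, and steps down as soon as the current mode's
// requirement is no longer met. The hysteresis prevents mode flapping.
type ACM struct {
	UpHysteresisDB float64
	current        map[string]int // remote ID -> index into Modes
}

func NewACM(upHysteresisDB float64) *ACM {
	return &ACM{UpHysteresisDB: upHysteresisDB, current: map[string]int{}}
}

// Update applies the SNR measured on the last packet from a remote and returns
// the mode the base station will ask that remote to use for its next packet.
func (a *ACM) Update(remote string, lastPacketSNRdB float64) Mode {
	i := a.current[remote] // unknown remotes start at the planned QPSK mode
	for i > 0 && lastPacketSNRdB < Modes[i].MinSNRdB {
		i-- // fade, multipath or interference: fall back to a more robust mode
	}
	for i+1 < len(Modes) && lastPacketSNRdB >= Modes[i+1].MinSNRdB+a.UpHysteresisDB {
		i++ // clear margin: step up and use the channel for higher capacity
	}
	a.current[remote] = i
	return Modes[i]
}

// OperatingTime runs a trace of per-packet SNR samples for one remote and
// returns how many packets were carried in each mode: the planner's view of
// "plan for QPSK, operate at 64 QAM most of the time".
func OperatingTime(remote string, snrTrace []float64, upHysteresisDB float64) map[string]int {
	acm := NewACM(upHysteresisDB)
	counts := map[string]int{}
	for _, snr := range snrTrace {
		counts[acm.Update(remote, snr).Name]++
	}
	return counts
}

func main() {
	// Constructed trace: a remote with ample margin above QPSK that suffers
	// two brief fades.
	trace := []float64{30, 29, 24, 22, 12, 19, 21, 28, 27, 30}
	fmt.Println(OperatingTime("RTU-7", trace, 3))
}
```

The asymmetry between the two loops is the design point: stepping down is immediate because a packet lost at 64 QAM costs a retry, while stepping up waits for margin so a remote hovering near a threshold does not alternate modes on every poll.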
Security must be designed in from the start
SCADA systems are subjected to attack from many sources, internal and external, malicious and accidental
A comprehensive and in-depth approach to cyber security from the start is the best way to protect a network
Generic SCADA Risk Management Framework
• www.tisn.gov.au
Security standards and recommendations, industry best practice
• Security fundamentals of integrity, availability, confidentiality and non-repudiation
• Types of traffic and interfaces, both management and data
Excellent US NERC CIP framework
‘Cyber security is one of Australia’s top national security priorities’ – Prime Minister’s National Security Statement
[Image: ‘360° Security’, credit Vincent Diamante]
Security – typical ICS network architecture
Use of IP provides a standard interface for attacks and compromise
ICS integrity is critical
• The security of all interfaces must be considered
Capacity considerations
ICS LAN fast while radio links slow
• 10 to 240 kbps
System design is important
• Filtering rules
• Routing tables
• VLAN arrangements
• QoS measures
[Diagram: 100 Mbps corporate Ethernet network and ICS servers on the ICS LAN via a 100 Mbps Ethernet switch, SCADA radio base station, and serial or IP RTUs, 1 of n remotes]
Security – confidentiality and authentication
A secure network must be designed around maintaining confidentiality and authenticating devices, users, and messages
Encryption is used to reduce information leakage as far as possible
• Today the robust cryptographic AES algorithm is used (to FIPS 140-2)
• Industry best practice is regular key change (over the air)
Authentication of devices and messages
• Prevents replay and man-in-the-middle attacks
• Implemented using AES combined with the NIST specified CBC-MAC method of authentication (refer to NIST SP 800-38C, 2004, and RFC 3610)
Authentication of users (management)
• Username / password with access control lists
• Move to remote user authentication (RADIUS)
• Audit user activity
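The AES-with-CBC-MAC construction the slide cites is CCM (RFC 3610 / NIST SP 800-38C). The following is an added example written for this page, not 4RF's over-the-air format or code: it implements CCM from Go's standard AES block cipher, with the tag length (8 bytes), the 2-byte length field, the 13-byte nonce layout (remote ID, sequence number, zero byte), the demo key and the sample payload all chosen here for illustration. Additional authenticated data is left out because the frame header is the nonce, which the first CBC-MAC block binds. The replay part is the point worth noticing: a replayed frame still carries a valid tag, so it is the per-remote sequence check, built on the same counter that keeps CTR-mode nonces unique, that actually prevents replay.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 3610 CCM with M = 8-byte tag and L = 2-byte length field (13-byte nonce),
// AES-128 as the block cipher. AAD is omitted: the frame header is the nonce.
const tagLen, lenField, nonceLen = 8, 2, 13

// ctrBlock lays out flags || nonce || i: with flags = L-1 it is the CTR block
// A_i, and with the B_0 flags and i = l(m) it is the CBC-MAC first block B_0.
func ctrBlock(flags byte, nonce []byte, i uint16) []byte {
	b := make([]byte, 16)
	b[0] = flags
	copy(b[1:], nonce)
	binary.BigEndian.PutUint16(b[14:], i)
	return b
}

// maskedTag is the CBC-MAC pass over B_0 || zero-padded plaintext, with the
// truncated result XORed against S_0 = E(K, A_0) as RFC 3610 specifies.
func maskedTag(blk cipher.Block, nonce, pt []byte) []byte {
	x := ctrBlock(byte((tagLen-2)/2)<<3|(lenField-1), nonce, uint16(len(pt))) // B_0, flags 0x19
	blk.Encrypt(x, x)                                                        // X_1 = E(K, B_0)
	padded := append(append([]byte{}, pt...), make([]byte, (16-len(pt)%16)%16)...)
	for i := 0; i < len(padded); i += 16 {
		subtle.XORBytes(x, x, padded[i:i+16]) // X_{i+1} = E(K, X_i xor B_i)
		blk.Encrypt(x, x)
	}
	tag := x[:tagLen]
	cipher.NewCTR(blk, ctrBlock(lenField-1, nonce, 0)).XORKeyStream(tag, tag) // xor with S_0
	return tag
}

// ctrXOR is the confidentiality pass, CTR mode from A_1. Go's CTR increments
// the whole block big-endian, which equals CCM's 2-byte counter for any
// message short enough to fit the 2-byte length field.
func ctrXOR(blk cipher.Block, nonce, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(blk, ctrBlock(lenField-1, nonce, 1)).XORKeyStream(out, in)
	return out
}

func ccmSeal(key, nonce, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(pt) > 0xffff {
		return nil, errors.New("ccm: bad key, nonce or length")
	}
	return append(ctrXOR(blk, nonce, pt), maskedTag(blk, nonce, pt)...), nil
}

func ccmOpen(key, nonce, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(ct) < tagLen {
		return nil, errors.New("ccm: bad key, nonce or ciphertext")
	}
	pt := ctrXOR(blk, nonce, ct[:len(ct)-tagLen])
	if subtle.ConstantTimeCompare(maskedTag(blk, nonce, pt), ct[len(ct)-tagLen:]) != 1 {
		return nil, errors.New("ccm: authentication failed")
	}
	return pt, nil
}

// nonceFor is the authenticated frame header: 4-byte remote ID || 8-byte
// sequence number || 0. The counter keeps nonces unique under one key, which
// CTR mode requires, and is what the replay check below relies on.
func nonceFor(remote uint32, seq uint64) []byte {
	n := make([]byte, nonceLen)
	binary.BigEndian.PutUint32(n, remote)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// acceptFrame is the base station's receive path. lastSeq holds the highest
// sequence number accepted from each remote: a replayed frame still carries a
// valid tag, so this check, not the MAC alone, is what defeats replay.
func acceptFrame(key []byte, lastSeq map[uint32]uint64, remote uint32, seq uint64, ct []byte) ([]byte, error) {
	if seq <= lastSeq[remote] {
		return nil, errors.New("replayed or stale sequence number")
	}
	pt, err := ccmOpen(key, nonceFor(remote, seq), ct)
	if err != nil {
		return nil, err
	}
	lastSeq[remote] = seq
	return pt, nil
}

func main() {
	key, lastSeq := []byte("0123456789abcdef"), map[uint32]uint64{} // constructed demo key only
	ct, _ := ccmSeal(key, nonceFor(7, 1), []byte("RTU-7 pressure 412 kPa"))
	pt, err := acceptFrame(key, lastSeq, 7, 1, ct)
	_, replayErr := acceptFrame(key, lastSeq, 7, 1, ct)
	fmt.Printf("first delivery: %q err=%v; replay: %v\n", pt, err, replayErr)
}
```

Two consequences follow from the layout. The sequence number lives inside the nonce, so it is covered by the tag and cannot be advanced by anyone without the key; and because a CTR nonce must never repeat under one key, the same counter that defeats replay is also what makes the regular over-the-air key change the slide recommends a hard requirement whenever the counter could wrap or a remote is reset. Before relying on any CCM implementation, check it against the RFC 3610 test vectors.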
Security – internal operating systems
Embedded product operating systems need security measures
Advantages of a real time OS vs embedded Linux
• No output displayed during the boot sequence
• Ports closed during system start-up, preventing interruption of the start-up sequence and compromise
• No user access to the radio’s internal file system – the core operating system should not be accessible to, or programmable by, the end user, thus ensuring the functionality of the radio cannot be compromised
Prevent maliciously altered software from being introduced into radios via USB memory stick or other firmware upgrade means
Isolate management and user IP traffic; block unused remote ports and protocols such as Telnet or ICMP
Security – management
Management access is typically via SNMP, a web style embedded server, or SSH
Authorisation levels mean that end user accessible parameters are limited
• Limiting the number of personnel who can change functional settings reduces the potential for inadvertent change or malicious tampering
Basic authentication with username and password ensures that the end user must be approved by the system administrator before gaining access to the radio
Web style embedded server – HTTPS with certificate
• Session cookies should expire when the end user’s browser is closed
• Automatic logout in the event of a user failing to end their management session
SNMP – use the version 3 security extensions
SSH – version 2 is needed
Reliance on username and password credentials – ACL and RADIUS
Authentication, authorization, and accounting (AAA)
Need to control access to network devices
Username/password required, but should these be stored locally or in the corporate cloud?
• Local database retained if the corporate server is not available
• Methods include RADIUS, RFC 2865 and RFC 5080
• Audit via Accounting Start, Interim Update, and Accounting Stop records
[Flowchart: username and password checked against the local database or looked up on the RADIUS server(s) (Access-Request / Access-Accept), leading to success or failure and to accounting]
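The three management-security slides above (user authentication with ACL and RADIUS, authorisation levels, and the AAA flow with local fallback and accounting records) describe one decision procedure. The following is an added example written for this page, not 4RF's management code: it models a radio's access controller with a list of RADIUS servers tried in order, a local user database used only when every server is unreachable, role-based limits on who may change functional settings, and an accounting trail. The role names, the in-memory stand-in for a RADIUS server, the HMAC-SHA256 salted password hash (a stand-in for a proper password hash such as PBKDF2 or bcrypt), the user names, passwords and salt are all constructed for illustration. The detail worth noticing is that an Access-Reject from a reachable server does not fall through to the local database; only a server that does not answer does.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Role is the authorisation level granted to a management user (assumed names).
type Role string

const (
	RoleView  Role = "view"  // read-only parameters
	RoleAdmin Role = "admin" // may change functional settings
)

// Decision is the outcome of one login attempt.
type Decision struct {
	Accept bool
	Role   Role
	Source string // "radius" or "local", recorded for the audit trail
}

// RadiusServer stands in for an RFC 2865 server. A returned error means the
// server did not answer, which is distinct from an Access-Reject.
type RadiusServer interface {
	Authenticate(user, password string) (Decision, error)
}

type radiusUser struct {
	password string
	role     Role
}

// fakeRadius is a constructed in-memory server for this example.
type fakeRadius struct {
	reachable bool
	users     map[string]radiusUser
}

func (s fakeRadius) Authenticate(user, password string) (Decision, error) {
	if !s.reachable {
		return Decision{}, errors.New("radius: no response")
	}
	u, ok := s.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(u.password), []byte(password)) != 1 {
		return Decision{Source: "radius"}, nil // Access-Reject
	}
	return Decision{Accept: true, Role: u.role, Source: "radius"}, nil // Access-Accept
}

// localUser is an entry in the radio's own database: only a salted hash of the
// password is stored. HMAC-SHA256 keyed with a per-user salt is a stand-in
// here for a proper password hash such as PBKDF2 or bcrypt.
type localUser struct {
	salt []byte
	hash []byte
	role Role
}

func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// AAA is the radio's access controller: RADIUS servers tried in order, a local
// fallback database, and an accounting log.
type AAA struct {
	Servers    []RadiusServer
	Local      map[string]localUser
	Accounting []string
}

// Login consults RADIUS first and falls back to the local database only when
// every server is unreachable, never when a server answered Access-Reject.
func (a *AAA) Login(user, password string) Decision {
	for _, s := range a.Servers {
		if d, err := s.Authenticate(user, password); err == nil {
			a.account(user, d)
			return d
		}
	}
	d := Decision{Source: "local"}
	if u, ok := a.Local[user]; ok && hmac.Equal(hashPassword(u.salt, password), u.hash) {
		d.Accept, d.Role = true, u.role
	}
	a.account(user, d)
	return d
}

// account writes an Accounting-Start record on success; rejects are logged
// too, so repeated failed attempts are visible in the audit trail.
func (a *AAA) account(user string, d Decision) {
	status := "reject"
	if d.Accept {
		status = "Accounting-Start"
	}
	a.Accounting = append(a.Accounting, fmt.Sprintf("%s user=%s via=%s role=%s", status, user, d.Source, d.Role))
}

// Logout closes an accepted session with an Accounting-Stop record.
func (a *AAA) Logout(user string, d Decision) {
	if d.Accept {
		a.Accounting = append(a.Accounting, fmt.Sprintf("Accounting-Stop user=%s via=%s", user, d.Source))
	}
}

// CanChangeSettings enforces the authorisation level: only admins may alter
// functional settings; view users are limited to read-only parameters.
func CanChangeSettings(d Decision) bool { return d.Accept && d.Role == RoleAdmin }

func main() {
	salt := []byte("per-user-random-salt") // constructed; use crypto/rand in practice
	aaa := &AAA{
		Servers: []RadiusServer{fakeRadius{reachable: false}},
		Local:   map[string]localUser{"fieldtech": {salt, hashPassword(salt, "correct horse"), RoleView}},
	}
	d := aaa.Login("fieldtech", "correct horse")
	fmt.Println(d, CanChangeSettings(d), aaa.Accounting)
}
```

A local fallback account is the path an attacker would prefer, since it is checked on the device rather than centrally, so it is kept read-only here and its use is recorded with `via=local` so the audit trail shows every occasion the central server was bypassed.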
Management – monitoring the radio infrastructure
SCADA radio systems are well proven, but the communications network itself is often invisible, monitored by simply noting the presence or absence of the RTU responses
We manage network switches and routers, why not radios?
• Industry converging on SNMP, moving away from proprietary applications
• SNMP is the simple network management protocol, a unified, open standard supported by a wide range of vendors
• SOAP over CoAP emerging for the resource constrained Internet of Things
Example: SNMPc from CastleRock
Summary
Evolving IP SCADA requirements are driving proven, conservative radio technology forward to meet 21st century needs
New developments in narrowband radio technology now provide speeds of more than 200 kbps with built-in security and management
Questions?
Thank you
4RF Australia Pty Ltd
GPO Box 752
MELBOURNE
VIC 3001
AUSTRALIA
www.4rf.com