COMMS CONNECT 2014 High-performance, narrowband UHF SCADA radio John Yaldwyn, CTO and Director 4RF Australia Pty Ltd @CommsConnectAus #comms2014

High-performance, narrowband UHF SCADA radio

DESCRIPTION

The migration to IP has placed new demands on SCADA radio system capacity with equipment designers working to satisfy spectrum efficiency demands within economic constraints. Exciting new technologies have dramatically reduced the price of efficient quadrature amplitude modulation techniques to the point where implementation in moderately priced UHF SCADA radio systems is possible. This presentation will describe some of the technology behind a new low-cost digital radio that delivers 60 bps in 12.5 kHz for use in licensed UHF frequency bands with some discussion on application examples. John Yaldwyn, Chief Technology Officer, 4RF Australia

Page 1: High-performance, narrowband UHF SCADA radio

COMMS CONNECT 2014

High-performance, narrowband UHF SCADA radio John Yaldwyn, CTO and Director

4RF Australia Pty Ltd

@CommsConnectAus #comms2014

Page 2: High-performance, narrowband UHF SCADA radio

2 © 2014 4RF Limited | Public COMMS CONNECT 2014

Session discussion

Traditional SCADA radio systems operate in the VHF / UHF / 900 MHz spectrum

• Technology overview

Narrowbanding and cybersecurity concerns pushing technology limits

• ACMA 400 MHz replanning impact and demand drivers

New technology development to the rescue

• Speed, security, and management benefits

Page 3: High-performance, narrowband UHF SCADA radio

Typical point-multipoint radio system requirement

[Diagram labels: Master Station, RTU, RADIO, RADIO, RTU]

Page 4: High-performance, narrowband UHF SCADA radio

Traditional SCADA radio systems

Critical infrastructure SCADA applications include oil & gas, electricity, and water

Effective SCADA critical to most public utility infrastructure and needs wireless connections

Tasks typically data gathering (telemetry) and remote control of machinery

Connections by radio in the narrowband VHF, UHF, or 900 MHz bands

Distances are typically in the range 5 to 75 km, sometimes more

Number of remotes n can range from a few to perhaps 100 with a typical maximum of 200

[Diagram labels: ICS SCADA server, radio base station, RTU (1 of n remotes)]

Page 5: High-performance, narrowband UHF SCADA radio

Public networks for utilities?

GSM / GPRS / 3G / LTE

• Best-effort services

• Variable throughput and latency

• Performance depends on number of other users

• Inexpensive, good for basic monitoring, use with dual SIM / APN

• Business is consumers and not utilities – ‘iTunes for iPhones’

Cigré Australia and others in the electricity industry have expressed similar views with emphasis on the latency and coverage of cellular

4RF Australia, the ARCIA, and our worthy competitor from Carrum Downs do not believe that cellular provides the reliability, redundancy, and resilience necessary for critical infrastructure

Can public networks support today’s critical infrastructure requirements in light of wind, fire, floods, and other threats?

[Diagram labels: gprs, LTE]

Page 6: High-performance, narrowband UHF SCADA radio

Narrowband VHF / UHF / 900 MHz radio systems

Traditional SCADA radio solution widely deployed, strong heritage

Reliable point to multipoint operation, directional antennas typical at remote sites

Licensed narrowband dedicated SCADA radio options

• VHF – long range 150 to 174 MHz with reasonably large antennas

• UHF – moderate ranges, convenient antenna sizes

• 900 MHz – short range with compact antenna sizes

ACMA RALI FX 16 for 400 and 900 MHz

Older systems operated at speeds between 300 and 1,200 bps in 25 kHz channels

• Modem audio tones over FM radio systems (sometimes called analog radio)

More recent systems provide 9,600 bps in 12.5 kHz and 19,200 bps in 25 kHz

• True digital implementations using FSK modulation

• But still relatively slow, particularly with narrowbanding

Page 7: High-performance, narrowband UHF SCADA radio

Demand drivers

Narrow banding and cyber security are real user concerns but alternative technologies such as cellular do not address the reliability, redundancy, and resilience needs

IP SCADA products with new protocol, security, and management needs are driving expectations for radio system capacity requirements

• Vendors are responding with new high speed designs

Using IP is not the same as ‘the Internet’ but they share the same protocols

• Interconnections need careful security approach, a key message

Page 8: High-performance, narrowband UHF SCADA radio

Standards evolution

[Timeline diagram labels: Hundreds of proprietary protocols; Modicon 1979; Modbus; 2004 Serial; MMS 1988; DNP3 Serial 1993; IEC60870-5 1994; Utility Communication Architecture ‘99; DNP3 Ethernet; 2000-2012 IP Ethernet; IP*; IEC61850 2003; IEC 101 Serial; IEC 104 IP Ethernet]

Page 9: High-performance, narrowband UHF SCADA radio

Capacity drivers

[Figure: BANDWIDTH EXPLOSION across 1980, NOW, FUTURE; drivers shown: IP; Cyber Security; Management; User & Device Authentication; Regulatory SOX etc; Routing VLANs; Device Profiles & Object Models]

Page 10: High-performance, narrowband UHF SCADA radio

The advantages of traditional radio and high speed

Bands VHF, UHF, and 900 MHz

Bandwidths 12.5 kHz, 25 kHz, and 50 kHz

• Speeds of 60 kbit/s to more than 200 kbit/s

[Figure: speed scale 0.3, 1.2, 2.4, 4.8, 9.6, 19.2, 38.4, 40, 60, 54, 72, 96, 144, 216 kbit/s, grouped as old modem style, recent digital radios, and new generation QAM radios]

Page 11: High-performance, narrowband UHF SCADA radio

Performance – Modbus TCP 13 byte poll with 260 byte response

[Bar chart: Ethernet SCADA polling (average number of polls per 30 seconds), axis 0 to 450; category labels: 4FSK SRQ QPSK SR+ 64 QAM]

Page 12: High-performance, narrowband UHF SCADA radio

Gas resource example – 150 wells, 30 m tower, 380 km²

[Figure legend: 64 QAM 20 dB margin; 64 QAM 10 dB margin; 16 QAM 10 dB margin; 16 QAM 20 dB margin]

Page 13: High-performance, narrowband UHF SCADA radio

To achieve these results needs key design advances

SCADA radio systems are point-to-multipoint networks

• Need to deliver SCADA data with maximum reliability and robustness over narrowband radio channels (6.25 to 50 kHz)

Challenge requires three key design attributes

• Efficient modulation schemes – FSK, 4FSK, QPSK to 64 QAM

• RF design complexity increases as capacity increases (quantum jump for QAM)

• Efficient sharing of the channel, particularly when considering asynchronous ‘report by exception’ protocols, drives radio media access control (MAC) architecture

Page 14: High-performance, narrowband UHF SCADA radio

RF performance – high power, less distortion, better range

A newly developed highly effective power amplifier pre-distortion system with stable temperature operation that corrects amplifier impairments for more linear output power

• Less distortion = better range

The measured adjacent channel power performance results for the 12.5, 25 and 50 kHz cases are excellent

• Significant design challenge

• Output spectrum shown with and without predistortion

• Adjacent channel performance complies with stringent ETSI and FCC regulatory requirements

[Figure: output spectrum with pre-distortion off (above) and on (below)]

Page 15: High-performance, narrowband UHF SCADA radio

Excellent EVM metrics – 0.3 m% rms error at 64 QAM

Page 16: High-performance, narrowband UHF SCADA radio

ACM – another step to make best use of a channel

The ability to provide adaptive coding and modulation (ACM) is a key new feature

• Enables maximum use of channel, with high speed for near remotes and robust connectivity for distant remotes

• Allows reduced operational fade margins – plan with standard fade margin for robust QPSK but enjoy operational time at high capacity 64 QAM

• Maintains link operation during fading, multipath, and interference scenarios

Downlink messages (broadcast) set to most effective modulation rate for network

Uplink from remotes has modulation and FEC automatically adjusted based on performance of last packet

• ACM currently implemented from remote to base station (poll response and exceptions)

• ACM in both directions is under study

[Diagram labels: Hill, Base Station, QPSK, 16 QAM, 64 QAM, 16 QAM, QPSK]

Page 17: High-performance, narrowband UHF SCADA radio

Security must be designed in from the start

SCADA systems are subjected to attack from many sources, internal and external, malicious and accidental

A comprehensive and in-depth approach to cyber security from the start is the best way to protect a network

Generic SCADA Risk Management Framework

• www.tisn.gov.au

Security standards and recommendations, industry best practice

• Security fundamentals of integrity, availability, confidentiality and non-repudiation

• Types of traffic and interfaces, both management and data

Excellent US NERC CIP framework

‘Cyber security is one of Australia’s top national security priorities’ Prime Minister’s National Security Statement

[Image: 360° Security. Image credit: Vincent Diamante]

Page 18: High-performance, narrowband UHF SCADA radio

Security – typical ICS network architecture

Use of IP provides a standard interface for attacks and compromise

ICS integrity critical

• The security of all interfaces must be considered

Capacity considerations

ICS LAN fast while radio links slow

• 10 to 240 kbps

System design is important

• Filtering rules

• Routing tables

• VLAN arrangements

• QoS measures

[Diagram labels: 100 Mbps corporate Ethernet network; 100 Mbps Ethernet switch; ICS servers; ICS LAN; SCADA radio base station; 1 of n remotes; Serial or IP; RTU]

Page 19: High-performance, narrowband UHF SCADA radio

Security – confidentiality and authentication

A secure network must be designed around maintaining confidentiality and authenticating devices, users, and messages

Encryption is used to reduce information leakage as far as possible

• Today the robust cryptographic AES algorithm is used (to FIPS 140-2)

• Industry best practice is regular key change (over the air)

Authentication of devices and messages

• Prevents replay and man-in-the-middle attacks

• Implemented using AES combined with the NIST specified CBC MAC method of authentication (refer NIST report SP 800-38C 2004 and RFC 3610)

Authentication of users (management)

• Username / password with access control lists

• Move to remote user authentication (RADIUS)

• Audit user activity

Page 20: High-performance, narrowband UHF SCADA radio

Security – internal operating systems

Embedded product operating systems need security measures

Advantages of real time OS vs embedded Linux

• No output displayed during boot sequence

• Ports closed during system start-up, preventing interruption of the start-up sequence and compromise

• No user access to the radio’s internal file system – the core operating system should not be accessible to, or programmable by, the end-user thus ensuring the functionality of the radio cannot be compromised

Prevent maliciously altered software from being introduced into radios via USB memory stick or other firmware upgrade means

Isolating management and user IP traffic, blocking of unused remote ports and protocols such as Telnet or ICMP

Page 21: High-performance, narrowband UHF SCADA radio

Security – management

Management access typically via SNMP, web style embedded server, or SSH

Authorisation levels mean that end user accessible parameters are limited

• Limiting the number of personnel who can change functional settings reduces the potential of inadvertent change or malicious tampering

Basic authentication with username and password ensures that the end user must be approved by the system administrator before gaining access to the radio

Web style embedded – HTTPS with certificate

• Session cookies should expire when the end user’s browser is closed

• Automatic logout in the event of a user failing to end their management session

SNMP – use version 3 security extensions

SSH – need version 2

Reliance on username and password credentials – ACL and RADIUS

Page 22: High-performance, narrowband UHF SCADA radio

Authentication, authorization, and accounting (AAA)

Need to control access to network devices

Username/password required, but should these be stored locally or in corporate cloud?

• Local database retained if corporate server not available

• Methods include RADIUS RFC 2865, and RFC 5080

• Audit via Accounting Start, Interim Updates, and Accounting Stop records

[Flow diagram labels: Username and password; In local database?; Success; Failure; RADIUS server(s) lookup; Access request; Access accept; Accounting]
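
Added example, not part of the presentation and not 4RF code: the RFC 2865 Access-Request and reply exchange named on this slide, in Python, showing how the password is hidden on the wire and why a device should verify the Response Authenticator before acting on an Access-Accept. The shared secret, user name and helper names are constructed for illustration, and the Message-Authenticator attribute is taken from RFC 3579.

```python
import hashlib, hmac, os, struct
# Added illustration: helper names, secrets and sample values are constructed, not 4RF's.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(kind, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, user, password, secret, request_auth=None):
    """Access-Request with a hidden password and a Message-Authenticator (RFC 3579)."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def build_response(code, request, secret, attrs=b""):
    """Server side, included only to construct sample replies for checking the client."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def response_is_authentic(response, request, secret):
    """RFC 2865 section 3: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(response) < 20 or len(request) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:  # strict length, matching ID
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def radius_login_ok(response, request, secret):
    """Grant access only for an authentic Access-Accept; anything else is a failure."""
    return response_is_authentic(response, request, secret) and response[0] == ACCESS_ACCEPT
```

Because the Response Authenticator covers the request's random authenticator and the shared secret, a reply that was forged, altered from Reject to Accept, or replayed from an earlier request fails the check.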

Page 23: High-performance, narrowband UHF SCADA radio

Management – monitoring the radio infrastructure

SCADA radio systems well proven but the communications network itself is often invisible, monitoring by simply noting the presence or absence of the RTU responses

We manage network switches, routers, why not radios?

• Industry converging on SNMP, moving away from proprietary applications

• SNMP is the simple network management protocol, a unified, open standard, supported by a wide range of vendors

• SOAP over CoAP emerging for resource constrained Internet of Things

Example: SNMPc from CastleRock

Page 24: High-performance, narrowband UHF SCADA radio

Summary

Evolving IP SCADA requirements are driving proven conservative radio technology forward to meet 21st century needs

New developments in narrow band radio technology now providing speeds of more than 200 kbps with built in security and management

Questions?

Page 25: High-performance, narrowband UHF SCADA radio

Thank you

[email protected]

4RF Australia Pty Ltd

GPO Box 752

MELBOURNE

VIC 3001

AUSTRALIA

www.4rf.com