Secure data transmission from power plants via 4G cellular

Secure data transmission from power plants

Connection of decentralized plants to SCADA systems with 4G routers.

The increasing flexibilization of energy grids poses more and more challenges for grid operators, as well as direct marketers of electricity and system operators of operating reserve. Depending on influences such as weather, holidays and seasons, the interaction between generators and consumers varies greatly. On a sunny day, for example, more energy is fed into the grid via PV systems than on a cloudy autumn day. To cope with this flexibility, SCADA systems are used to collect corresponding data from the plants at a central point and make it available for further operations. Typically, this is done in the power sector using the IEC60870-5-104 network protocol.

To enable communication between decentralized plants in the field and central SCADA system, LTE routers are often used.

However, since the corresponding systems in the field come from a wide variety of manufacturers, the challenge here is to develop a homogeneous and secure communication network across a large number of varying devices. Although this is possible with widely available technologies such as OpenVPN, further challenges arise.

Challenges in the administration of VPN communication infrastructures.

Decentralized systems are connected to the control center via public networks such as the 4G network. Encrypted connections are used to protect data from manipulation or theft. A widely used solution recommended by the german BSI is OpenVPN, protected by digital certificates.

For smooth operation of large VPN infrastructures, it is essential to issue and manage the certificates for access centrally. Once a certificate has been issued, it must be ensured that it is also implemented on the correct end device. This process is usually carried out manually and thus offers great potential for error. This potential for error is multiplied accordingly when you consider that certificates usually run for less than a year and therefore need to be renewed.

In addition to the certificates, it must also be ensured that the configuration and the firmware on the devices in the field are up-to-date. Firmware updates and configuration adjustments can be carried out manually for a small number of devices, but when it comes to a fleet of hundreds of devices, a central solution is required.

Welotec VPN Security Suite

To meet these requirements and challenges, the Welotec VPN Security Suite was developed. The system includes a central management component, a PKI (Public Key Infrastructure) for certificate management and a central security and routing platform as a VPN concentrator based on a firewall.

Overview VPN Security Suite

The heart of the solution is the central element management system (SMART EMS). The SMART EMS distributes the correct configurations, updates and certificates to the LTE routers in the field. In addition, the SMART EMS communicates via secured and encrypted interfaces with both the security and routing platform and the central PKI. This integration enables the complete management of a large VPN infrastructure from a central interface. After the initial configuration, firmware, configurations and VPN certificates are assigned via predefined templates. If a new Welotec router is now assigned to the template, a specific configuration, VPN certificates, and static VPN IP address are assigned. Larger batches of devices can be conveniently assigned to a template via an Excel import. As soon as the router logs on to the SMART EMS, it receives the corresponding configuration and certificates and establishes the connection independently.

In addition to Welotec routers and gateways, a variety of other devices such as RTUs, PLCs, telecontrol devices and edge gateways that support either VPN technologies or containers can be easily integrated.  For this purpose, a new device is created via the web interface and the corresponding certificates and VPN configuration are generated at the push of a button.

To ensure that all devices have the latest security patches and the correct configuration, the SMART EMS offers the option of rolling out configurations and firmware updates centrally to Welotec routers and gateways via templates. For a widespread rollout of a new firmware or configuration, the new firmware just has to be integrated into the template.

In this setup, the OPNsense-based firewall is used as VPN server and central security and routing platform. The use of VPN makes it possible to implement a homogeneous VPN infrastructure across devices from a wide range of manufacturers. A specific VPN configuration is generated for each end device, which ensures that one and the same device always gets the same IP address in the VPN network. The customer’s SCADA system now has the option of using this secured VPN connection for IEC60870-5-104 communication. The encrypted VPN connection allows simple and standardized access regardless of whether the device operates behind an APN, NAT gateway or DSL connection, or via which SIM card the dial-in takes place.

In order to establish a VPN connection in the first place, the end device requires a certificate. However, managing a certificate infrastructure – PKI for short – regularly presents companies with challenges when it comes to end devices. To simplify this step, VPN Security Suite offers an integrated PKI. The PKI works completely automatically. Once set up, all client VPN certificates are signed with the customer’s own CA and trust is maintained from the end device to the root CA.

For centralized monitoring and event management, the VPN Security Suite can be linked to a Security Information and Event Management (SIEM) system via the JSON-based API. Through the interface, the SIEM system receives information such as firmware, VPN IP, certificate runtime, last update, and more. The seamless API integration even makes it possible to create new devices, revoke VPN certificates, and acquire router status information.

Automated VPN infrastructure in practice

This solution makes it possible to manage the VPN structure centrally. In particular, the simple onboarding of existing devices, as well as new devices via an Excel import, in conjunction with the automated certificate management, offer great added value.

The high degree of automation means that more resources can be used for the actual core business. The seamless connection to existing SIEM systems also offers the possibility to identify challenges quickly and reliably and to plan appropriate service deployments.