Several months ago, one of my customers called me explaining that he needed to build a small water/wastewater management system where there would be a main office and multiple satellite locations. Each would have an HMI and PLC for control, but the main office would be responsible for monitoring specific tank and process levels – it was a small SCADA, if you will.
These types of configurations come up all the time. Historically, due to combinations of distances between sites, budget, and comfort level, a less than ideal option sometimes gets selected.
Many have chosen to go the route of using 900MHz radio. Hopefully at this point, most engineers understand that this is a non-starter from a security and authentication standpoint due to the ease of interception, lack of encryption, and inability to authenticate sites. While options do exist to provide site authentication, the process typically does not secure data. There is also the absurdly small bandwidth capacity, which is simply insufficient for modern data communications.
Others have selected separate internet service lines at each location, with VPN appliances at each site maintaining encrypted VPN tunnels. This is secure, but it is expensive to deploy and maintain and generally requires a skill set outside the scope of the typical Controls Engineer.
In this case, the client opted to use cellular gateways, thinking site-to-site connectivity could be achieved via port forwarding. While this is possible, doing so exposes end devices on the open Internet, allowing potential remote access by any party! Obviously, a random person being able to connect to your PLC is a major problem – particularly in critical infrastructure scenarios such as water/wastewater or power.
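One way to check a gateway configuration for the exposure described above, as an added example that is not from the original article or from any vendor. The rule export format, field names and sample rules are constructed for illustration, and the port table covers only a few well-known industrial protocols.

```python
import ipaddress

# Well-known TCP ports of common industrial protocols (not exhaustive).
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed sample export from a hypothetical gateway.
# Assumed format: wan_port,lan_ip,lan_port,allowed_source_cidr
SAMPLE_RULES = """\
502,192.168.1.10,502,0.0.0.0/0
8443,192.168.1.20,443,203.0.113.0/24
44818,192.168.1.10,44818,198.51.100.7/32
10502,192.168.1.11,502,0.0.0.0/0
"""

def parse_rules(text):
    """Parse the assumed CSV rule format into dicts, validating addresses."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        wan_port, lan_ip, lan_port, source = fields
        rules.append({
            "wan_port": int(wan_port),
            "lan_ip": str(ipaddress.ip_address(lan_ip)),
            "lan_port": int(lan_port),
            "source": ipaddress.ip_network(source, strict=False),
        })
    return rules

def audit(rules):
    """Return (severity, wan_port, lan_ip, lan_port, protocol) per risky rule."""
    findings = []
    for r in rules:
        open_to_all = r["source"].prefixlen == 0   # 0.0.0.0/0 or ::/0
        # Match on the LAN-side port: remapping the WAN port hides nothing.
        proto = ICS_PORTS.get(r["lan_port"])
        if not open_to_all and proto is None:
            continue
        severity = "critical" if open_to_all and proto else "high" if open_to_all else "review"
        findings.append((severity, r["wan_port"], r["lan_ip"], r["lan_port"], proto))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding)
```

A forward restricted to a source range is still reported as "review" when it lands on a controller port, because source filtering limits who can connect but does not encrypt or authenticate the traffic.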
Given budget constraints, it was too late to re-engineer the system in any way, so the concept of using a cellular provider Private Static IP Network was suggested. This is conceptually a wonderful idea as it assigns any device on the cellular network a specific Private Static IP address over the public Internet (WAN). When in use, only those devices within that Private Static IP range can communicate with one another, which seems like an ideal secure solution.
This also proved to be a much more difficult proposition than originally anticipated. Granted, a large part of the problem was making the cellular provider understand precisely what we intended to do and with what equipment, but there were challenges achieving connectivity even then. Programming was needed to change local IP addresses to equivalent WAN IP addresses, issues with IP addresses and the availability of gateway addresses caused further trouble, and port forwarding rules were needed for communication.
Thankfully, ProSoft Technologies has recently developed a ‘Persistent Data Network’ (PDN) solution that sits on top of their growing ProSoft Connect Cloud Platform for remote access.
Persistent Data Network is an annual subscription that offers “always-on,” secure, VPN encrypted tunnels from site-to-site cellular connections. This means no hassle of provisioning specific Private Static IP networks – it runs on standardly provisioned cellular service and minimizes having to deal with the cellular provider. In addition, since it uses ProSoft Cellular Gateways, it is not reliant on any one cellular provider either, which is handy if cellular coverage is an issue.
PDN does not require any additional software installation, maintenance, or configuration; the sites are connected via the PDN service while encrypting data between sites using 256-bit AES encryption. Programming does not need to change because the gateways allow recognition of end devices by their native IP address rather than a WAN IP address – so no more port forwarding!
The ProSoft Connect Cloud Service exists as a single entity but is distributed in multiple tunnel servers located in all regions of the
Though there is a data limitation, it is quite generous compared to similar VPN services on the market – the data is measured as an aggregate figure, so the effect is cumulative. If one site sends a ton of data and others really aren’t transmitting or receiving much at all, the 2GB/month per site still allows a system of a pretty nice size. For example, 12 sites in total have 24GB of data available every month. That’s a lot of data.
New sites can be added and taken away on the fly without adverse effects to the system, and when new sites are added, the expiration date of service for the whole system is extended. This makes PDN a dynamic, scalable solution for changing industry needs.
Embedded with the PDN service are many advanced features that many users have come to expect such as two-factor authentication, virtual Lockout/Tagout (vLOTO), as well as the ability to achieve secure remote access to any of the sites using ProSoft Connect.
If the tunneling network is down for any reason, or a gateway has lost connection to the PDN network, you will receive notifications as well, so you won’t ever have to sit wondering what happened. This brings an element of awareness to the situation that is critical in the event anything happens. You won’t be left flying blind.
ProSoft Persistent Data Network is a new solution that allows fast, simple deployment of a secure, always-on network between sites regardless of geographic distance. Leverage the power of the open Internet with the security of VPN, with the flexibility to allow your system to scale up to 100 sites in a single system.