Avoiding Pitfalls in Industrial IoT (IIoT) Communications

IIoT Webinar, May 2018

Alex Grinshtein, Business Development Director, CI LoB


Secure IIoT Backhaul

Agenda

• IIoT Market Segments and Trends

• Use Cases

• Challenges & Requirements

• Deploying Secure Industrial IIoT Communications


Industrial IoT (IIoT): What is it?

• Enables digital transformation across all industrial and critical infrastructure sectors.

• “By 2020, IIoT is expected to be a $225 billion market, encompassing many thousands of highly distributed intelligent devices” (www.ioti.com)


IIoT in Energy Sector

Energy Infrastructure IoT is set to double in the coming years

[Chart: IoT Revenue by Type (Commercial, Residential, Energy Infrastructure); y-axis: $ millions, $0 to $160,000; x-axis: 2016 to 2025. Source: World market]


IoT Segments

Smart City, Energy and Industry are about 40% of IoT projects


Main IIoT Applications

Sectors: Power Utilities, Gas Utilities, Water Utilities, Transportation, Connected Industry (Smart Factory), Smart Cities

Applications, row by row across the sectors:

• Re-closers, Flow meters, Flow control, Traffic control, Production floor monitoring, Smart parking

• Load breakers, Volume sensors, Quality, Info boards, Remote PLC control, Traffic monitoring & control

• SCADA/MiniSCADA/FRTU, Pressure sensors, Leakage detection, Kiosks, Automated quality control, Bike sharing

• Secondary substations, Level sensors, Pump/valve control, Smart lighting

• Meters, Meters, Public safety


Use Cases


Utilities - From Automation to Industrial IoT

Industrial ‘Internet of Things’

• Renewable Energy

• Mostly TCP/IP

• Cloud

• Internet-enabled

Legacy M2M

• SCADA

• On-premise

• No internet

“Protect the Production Line” “Fast Time to Market”


Connected Industry (“Smart Factory”)

• Real-time monitoring of production flow – saves time and work on the inventory process

• Inventory management – real time inventory monitoring and tracking

• Remote process automation and optimization

• Quality control automation


Challenges & Requirements


IIoT Communications and Operations – Main Challenges

Cyber Security

• From private networks to untrusted public networks

• Millions of new IP devices, exposed to attacks from the internet

Operations

• Thousands of new edge devices increase deployment and maintenance cost

Service Reach

• Lack of connectivity to many new locations

• In some cases only public mobile is an option – security and reliability challenges

Data Usability

• Massive traffic growth is expected, resulting from numerous new devices

• Fog applications – help to reduce traffic and improve delay/jitter with some critical real-time apps


[Diagram: Industrial IoT Backhaul, hub & spoke / star topology. Labels: IIoT Gateway (two shown); Ethernet; Serial; FW config, Security mng, PKI Enrollment, CA; Zero Touch Server; Wireless/Fiber Links; 3rd-Party Network; Security Gateway]

IIoT Backhaul Key Requirements

• Reliable! Ruggedized for outdoor installations

• Secure! Encrypted VPN tunnels and firewall

• Low TCO – easy installation, provisioning and maintenance

• Ubiquitous communications - over private and cellular networks

• Supports legacy and new communications protocols and devices

• Hub and spoke topology

[Icons: Hub & Spoke; Cyber Security; Plug & Play Installation; Always-On Communication; Legacy & New Protocols]


About RAD


RAD Proprietary and Confidential Company Presentation 2018

RAD in Numbers

19

>3716

220

800


Evolve Any Service Over Any Network for Critical Infrastructure

Assuring Network Performance and User Experience

[Diagram: Service Evolution axis (Packet, TDM, D-NFV/FOG) against Network Evolution axis (TDM, Packet). Labels: TDM Hybrid Migration; OT/IT Convergence; Packet OWAN/IIOT; IIOT; Obsolete Equipment Replacement]

• Decouple service evolution from network evolution, migrate at a pace that is right for you

• Leverage your existing resources (networks, spectrum, expertise, operational practices)

• Prolong use of a large variety of existing legacy interfaces and equipment

• Maintain network performance, service level and guarantee user experience


RAD’s Unique Solution for Secure Industrial IIoT Communications


• End-to-end solution (hub & spoke and network management)

• Full suite of security tools – specifically designed for secure communications, especially over cellular

• Security Information and Event Management (SIEM)

• Zero-touch provisioning over public cellular – low OpEx and secure

Industrial IOT Backhaul – Application and RAD’s Key Advantages

[Diagram: Industrial IoT backhaul application. Labels: IPsec VPN tunnel for SCADA and management traffic; IPsec VPN for remote management; Device Connection Control 802.1X MAC; BTS/eNB; Application Server; SCEP server; Leased F.O; Security HUB; Internet; NMS; OT Network; Security GW; IPsec; Security Management Server (SMS); Remote Management; Cellular Network 3G/LTE; Zero Touch; SCEP Proxy; Zero Touch Redirect server; Smart metering/Grid/Energy; Counter; Meter Concentrator; IoT GW; Smart Industry; Smart City]

• Secure VPN redundancy over private/public networks

• Virtual environment container for fog/edge applications

• RAD’s Security hub GW with optional HW redundancy or other 3rd party HUB (Check Point, Fortinet, Cisco)

• Stateful L3-L4 firewall in each security GW

• Cost-effective – low TCO


Built-in Security Features

• End-to-end secure VPN tunnel (for any service, IP or serial)

• IPsec VPN with PKI X.509, with automated (enrolment, renewal) PKI (SCEP)

• Optional RAD CA (Certificate Authority) or SCEP client support in all solution elements

• L3/L4 stateful firewall in all solution elements managed by RADview - with centralized provisioning (firewall configurator) and SIEM for centralized monitoring


• Easy creation and editing of firewall rules using the firewall configurator

– Cyber securing the communications device and customer traffic

• Cluster based firewall configuration with scheduling

• Security Information and Event Management

Security and operations events reporting

• User defined dashboard

– Cyber events – reporting attacks on network elements

RADview Security Features


Secure zero-touch (ZT) configuration over public networks - reducing cyber vulnerability with minimal OpEx

• Supports SecFlow devices with dynamic or static IP provided by the cellular operator

• No manual configuration on-site – Plug & Play

• Fast deployment with fewer mistakes (lower TCO)

• Easy device replacement – configuration automatically restored on new devices

• Each device will be redirected to the customer’s bootstrap server (located in its DMZ) for configuration download (secure connection)

• Secure automated configuration and auto-registration by the RADview server

Secure Zero-Touch Provisioning

[Diagram: Secure zero-touch provisioning. Labels: BTS/eNB; Application Server; SCEP server; Internet; RADview; OT Network; Security Management Server (SMS); End User Devices Serial/IP; SecFlow; Cellular Network 3G/LTE; Configuration Server; SCEP Proxy; NMS; DMZ; SGW; Organizational Firewall; Zero Touch Server]


Aggregation and data processing from multiple on premise devices

• On-premise processing:

• Standard connection to IoT clouds, protocol translation, analytics on the edge

• Reduce data (BW) before sending to higher levels in your network

• Minimize latency and maximize the efficiency of your network investment

• LXD engine for running multiple applications using Linux containers – similar to VM

• Secure by design w/advanced resource control (CPU, memory, network I/O, block I/O…)

• Ready-made images available for a large number of Linux distributions

SecFlow-1v and Third-Party Software Support (Pushing select data processes to the edge and fog)

https://docs.microsoft.com/en-us/azure/iot-edge

https://linuxcontainers.org/lxd/introduction/


RAD’s Value Proposition

Connectivity

Security

Computing

Simplified Operation


IIoT Case studies


Case Study – Power Utility in APAC

• Major power distribution modernization project, connecting legacy and IP SCADA RTUs in 300 sites in 1st phase, and 3,000 sites in 2nd phase

• Cellular link is used for connectivity of all spokes to the central hub.

• SecurityGateway – central hub which aggregates IPsec VPN tunnels from remote sites; started with Check Point, moving to RAD’s new SecurityGateway

• SecFlow connects RTUs with speeds of up to 1 Mbps

• Why we won?

– Security gateway, competitive price, close relations, full solution, commitment, responsiveness

Solution

Background

Customer Type: Power Utility

Country & Region: APAC

Application: Industrial IoT Backhaul

[Diagram: Labels: RTU; SecFlow-1; ISP PSN; OT Network; RADview; SecurityGateway; IPSec hub; BTS/eNB; Cellular Network 3G/LTE; SCEP Server; Security Management Server (SMS); IPsec; HMI]


Customer Type: Electric power company (GEN, TSO, DSO)

Country & Region: Central America

Application: Industrial IoT backhaul

Background

• Company issued a tender for the payment kiosks (POS) management including secure communications between the central site and the POS’s

• Company currently has 3111 POS’s distributed in 1800 sites nationwide (1st phase of project will include 1000 POS’s)

• There will be two Central Sites, both need secured communications:

– Management Center: For management & monitoring of all ATMs in the network

– Transaction Center: For registering all payments done in all ATMs in the network

• RAD’s Main UVPs: Automated PKI, Secured VPN via IPsec, high scalability with Fortinet, 3G/LTE backup, redundant HUB site

Solution

Case Study: Power Utility LATAM

[Diagram: Labels: ONT/DSL Modem; RADview; ATM Mngt.; SCEP Server; Fortinet Firewall; Transaction Server; Central NOC; Transaction Center; NID; Internet; SecFlow-1; ATM; Remote Site #1; Remote Site #n; ATM #1; ATM #8; 3G/LTE Backup Link]


Customer type: Police

Country & region: MEA

Application: Industrial IoT backhaul

Case Study: Police

Background

Solution

Customer:

• Police Traffic Control department

RAD’s Offering:

• SecFlow-1, IPsec VPN with X.509 over cellular network

RAD Solution Benefits

• Two cellular operators for redundancy.

• Unique requirement - dry contact for restart

Why RAD?

• Our partner relationship with end user

• Flexibility to work with any HUB aggregator

[Diagram: Labels: Cellular APN #2; Backup; Main; ETH; Dry contact; Cisco FW; Syslog; DB Server 02; Cellular APN #1; Police; ISP]


Takeaways

IIoT – a huge growing market

IIoT introduces unique reliability, security and connectivity challenges

RAD is a leader in critical infrastructure communications with over 37 years of experience worldwide


Thank you for your attention

Alex Grinshtein

Director of Business Development in the Critical Infrastructure Line of Business
