General Electrical Industrial Communications
Senior Technical Application Engineer
In the world of electric utilities, privately owned communication networks remain the vehicle of choice for interconnecting assets in the Field Area Network (FAN). Currently, thousands of utilities in the US are “managing multiple—sometimes more than a dozen—wireless networks in support of grid operations”. “During the next decade, Navigant Research expects the number of connected devices within the average utility to grow by an order of magnitude—at least—and the volume of data coming from each connected device will also climb. At the same time, the number of non-utility connected devices leveraging unlicensed spectrum bands will increase by 400% or more.” (Anterix-Navigant 2018)
While steadily increasing, Public wireless technologies, such as cellular, on the other hand, are not as widely used. This, in part, is due to common adoption barriers for cellular among electric utilities, which include misconceptions around the lack of security, reliability, and performance. This paper will address those concerns by showcasing how cellular and private wireless technologies compare.
While the North American Electric Reliability Corporation- Critical Infrastructure Protection (NERC-CIP) security recommendations apply mostly to critical assets in the transmission grid, more utilities in North America have been requesting comparable security mechanisms in their Field Area Networks.
It’s common in today’s complex cyber security environment for utilities to require the encryption of all wireless communication in Field Area Networks, protecting against eavesdropping and theft or manipulation of sensitive data. Advanced encryption mechanisms include the use of certificate management, public key infrastructure (PKI), and key rotation algorithms to guard against compromises associated with static, pre-shared keys.
Centralizing control of network access is of equal importance to securing the grid. It ensures that a single, protected database and source of truth is used to identify users and machines, and to authenticate them on network resources for authorized times, locations and roles. Such access control systems like RADIUS are commonly located in the control center.
Firewalling is another NERC-CIP recommendation that is increasingly used to extend a security perimeter around the FAN. It permits valid types of traffic (e.g., SCADA between specific devices) to flow over specific network paths while blocking unapproved traffic as defined by company policies and grid network operators. Advanced firewalling capabilities such as intrusion detection and prevention (IDS/IPS), enable the monitoring of traffic for suspicious patterns such as those generated by hacking/intrusion attempts. When such patterns are identified, networking devices can either alert the operator or automatically block the intruder.
It is commonly understood that the aforementioned security mechanisms are possible with utility-built and operated private networks; however, public cellular networks do offer comparable capabilities. As an example, standards-based encryption technologies like IPSec VPNs and APNs with key rotation are used to enable an end-to-end encrypted IP tunnel through which data can flow securely between utility assets. Similar to a private network, RADIUS authorization, authentication, and accounting services are also offered on cellular networks. Additionally, many cellular carriers offer advanced firewalling and IDS/IPS capabilities as a service to help utilities identify and deny invalid or illegal traffic from entering their domains.
Thanks to its massive ecosystem that drives constant innovation, cellular technology characteristics such as security, reliability, and performance have in many instances surpassed those of private proprietary wireless networks. Furthermore, the race by Tier 1 carriers to offer QoS and guarantee network throughput help quell the fears of network availability, especially during disasters. Network availability is also elegantly addressed with modern mobile virtual network operators (MVNOs) with their multi-carrier failover connectivity services. And while recurring monthly cellular fees may be a concern for utilities that are not OPEX-oriented, newer Industrial Internet of Things (IIoT) automation protocols can dramatically optimize the volume of data exchange between FAN devices. A typical recloser’s SCADA monitoring monthly cellular bandwidth of 100 Mbytes a month may be reduced to less than 1 Mbyte per month with over 90% of cost savings.
The ecosystem of cellular technology and carriers evolved dramatically in recent years to offer security, reliability, and performance characteristics that meet the requirements of modern FAN applications. Whether cellular will overtake private wireless technologies in the FAN is to be determined. The arm-wrestling between the technologies is ongoing, and the cultural shifts happening within utilities undergoing IT and OT convergence may bring more changes.
- https://anterix.com/navigant-whitepaper-the-urgent-need-for-a-licensed broadband-spectrum-allocation-for-critical-infrastructure/