
2012 4th International Conference on Intelligent Human-Machine Systems and Cybernetics

The Design of an Industrial Remote Control Network Gateway Based on P2P VPN

Yuze Huang¹, Zhibin Zhang², Peng Zhu³

Faculty of Information Engineering and Automation
Kunming University of Science and Technology
Kunming, China
Email: byronhyz@foxmail.com¹, kmust.zhangzhibin@gmail.com², 43793649@qq.com³

Abstract-An industrial remote control network gateway was designed to study and solve the security problems generated by the network communication between SCADA systems and industrial computers, and to provide a security guarantee for connecting the industrial network to the Internet under the premise of full efficiency and reliability. It does not depend on any hardware environment or SCADA software environment, and is capable of supporting any industrial equipment and all kinds of SCADA systems. The gateway can monitor the industrial equipment at industrial sites, forward packets between the SCADA system and industrial computers, block untrusted data, and report abnormal events, so as to solve the problems of remote Internet communication between the SCADA system and industrial equipment and provide a secure communication mechanism.

Keywords-SCADA; industrial computer; gateway; VPN

I. INTRODUCTION

With the development of computer network technology, the TCP/IP protocol is widely used in the industrial control field, and people can monitor a system located at an industrial site from a Supervisory Control and Data Acquisition (SCADA) system [1]. SCADA is widely used in many modern industrial control fields, for example electrical power systems, chemical industry systems, national defense systems and so on. But the environment of such a system is restricted to a narrow range and lacks safety management, so it cannot interact with the outside world. There is a pressing need to realize data exchange between the process control system and the upper management information system or the enterprise, in order to remove the "information island" state of the SCADA system [2].

Modern industrial computer systems (such as PLC, HMI, SOC, etc.) are equipped with a network interface. But because of restricting factors such as the volume, CPU and memory of the industrial computer system, and because the real-time behaviour and reliability of the system must be ensured, these systems were designed only for use in a LAN and cannot connect to the Internet. The industrial network therefore does not support remote monitoring through the Internet, and the market does not have a corresponding product either. For this reason, we plan to build a safety gateway model of the industrial control network. We build a dedicated gateway between the industrial equipment and the SCADA system. It can monitor the industrial equipment at industrial sites, forward packets and block untrusted data, so as to solve the problems of remote communication between the SCADA system and industrial equipment and provide a secure communication mechanism.

II. THE OVERALL DESIGN OF THE GATEWAY

With the rapid development of modern computer technology, it is an inevitable trend to connect SCADA systems to the Internet and to extend the range of industrial automation control technology from the local area to the whole networked world. The industrial computer pays more attention to real-time behaviour and reliability, and was only considered for use in a LAN. So it is basically not equipped with network security measures, and it also fails to offer a secondary development interface for network security. The problem of network security has been neglected for years. At present, the traditional SCADA system fails to provide identity and access management functions and is unable to distinguish real users from intruders; once intruders break into the system, they can steal SCADA data or control the lower computer through the SCADA system. This often leaves the industrial control system in a high-risk state, and accidents caused by system failure occur frequently. Traditional IT systems and industrial control systems differ in many ways, and the security measures of IT systems cannot be used in industrial control systems, so it is imperative to design a remote communication security mechanism between the industrial computer and the Internet.

To study and solve the security problems generated by the network communication between SCADA systems and industrial computers, and to provide a security guarantee for connecting the industrial network to the Internet under the premise of full efficiency and reliability, we must achieve two objectives:

(1) Even if a single node of the industrial network has a problem, we can still ensure stable operation of the device and the factory, and realize safety management under the premise of compatibility. For modern computer networks, the protective goal is that, when unsafe factors exist in some local industrial network, they do not spread to other equipment or networks, so as to ensure the safe and stable operation of the whole device or factory.

(2) Identify the failed node in a timely and accurate manner and solve the problem. Finding the failed node is the premise of maintaining control network security.

As everyone knows, generally speaking, the industrial computer is connected to a closed LAN which is secluded

978-0-7695-4721-3/12 $26.00 © 2012 IEEE

DOI 10.1109/IHMSC.2012.130

Authorized licensed use limited to: NWFP UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on May 24,2021 at 05:27:39 UTC from IEEE Xplore. Restrictions apply.
from the Internet. It has only an internal IP address, can communicate only with other hosts in the LAN, and cannot exchange data with the Internet. For this reason, we design two front-end devices in the industrial network to complete the task of safety management and information exchange between the industrial computer and the SCADA system. According to their roles, the two devices are the SCADA network manager and the site network agency.

The site network agency and the industrial equipment are in the same LAN. The agency monitors the situation of the industrial equipment in the industrial network and registers the information of the industrial equipment with the SCADA network manager. The SCADA network manager informs the site network agency to protect the industrial equipment. The agency receives the encrypted data from the industrial equipment and sends it to the SCADA network manager; at the same time, it receives encrypted data from the SCADA system, then decrypts it and forwards it to the industrial equipment. The site network agency thus becomes the security gateway between the network equipment and the SCADA system. Each site network agency belongs to a domain and can communicate only with the SCADA network manager in the same domain, so forwarded data has to pass through NAT many times before it can reach the destination host. The SCADA network manager is installed in the SCADA network; it is located in the same LAN as the monitoring network and has a static Internet IP address. It dynamically monitors the situation of the industrial equipment reported by the network agency and manages this equipment.

We develop a secure VPN channel to guarantee the security of data between the SCADA system and the industrial equipment. In this way we can solve the problems of remote communication between the SCADA system and industrial equipment and provide a secure communication mechanism. The network topology is shown as follows:

Figure 1 The topology of industrial control network

Industrial equipment differs from a traditional PC in that VPN software cannot be installed on it. So we install the VPN software on the site network agency and the SCADA system and build a VPN tunnel between them; the industrial equipment can then communicate securely with the remote PC through the site network agency, and the industrial LAN can connect seamlessly to the Internet.

III. THE DESIGN OF GATEWAY COMMUNICATION PROTOCOL

As noted above, we design a remote industrial control network gateway model based on VPN technology, according to the problems of the industrial network and the purpose we need to achieve. Because of the particularity of the industrial control network, we require it to be highly secure; for example, when a node fails, the failure must not affect the security of the entire system. The traditional VPN is therefore not suitable, and we adopted a new type of open source VPN project, N2N. N2N is a layer two peer-to-peer VPN whose communication protocol is a P2P protocol [3]. Unlike a traditional VPN network, it can traverse NAT and firewalls, so the firewall is no longer a communication barrier between two nodes in the network. N2N has no traditional server and client; its nodes are divided into two kinds, Super Nodes and Edge Nodes [4]. Each Edge Node can also belong to more than one network organization (domain). To run an Edge Node, we must first set up a TUN/TAP virtual network adapter; when the node accesses the VPN, it uses this virtual network adapter to communicate. A virtual network adapter corresponds to an Edge Node, but a PC can create multiple virtual network adapters. The N2N network structure is shown in Figure 2:

Figure 2 N2N network structure diagram

As the figure above shows, the Super Node provides the place where two Edge Nodes behind NAT/firewalls can meet. Once the first handshake is complete, the rest of the data flows between the two Edge Nodes; if one side is behind a symmetric NAT, the Super Node still needs to continue forwarding packets for the two sides [3]. The Edge Node encrypts and decrypts data and uses the UDP protocol to encapsulate the packets.

As Figure 1 shows, we installed Edge Nodes on the industrial site PC and the SCADA system, and installed the Super Node on the remote PC, thus forming the VPN tunnel between them. To ensure the safety of data transmission in the VPN tunnel, we use the Twofish algorithm, a symmetric encryption algorithm, to encrypt the data. Due to space limitations, the principle

of the algorithm is not described in this paper.

As previously mentioned, we have built a dedicated gateway between the industrial equipment (such as PLC, SOC and other industrial computers) and the SCADA system. The gateway can monitor the industrial equipment at industrial sites, forward packets between the SCADA system and industrial computers, block untrusted data, and report abnormal events. We use the gateway to construct a SCADA communication area and register the trusted industrial equipment and SCADA system with the gateway, which works through the communication protocol we have designed. The protocol can be divided into two parts:

• Capture and forward the packets.
• Nodes management, such as monitoring the status of nodes, reporting abnormal events, deleting and registering the information of nodes and so on.

A. Packet capture and forwarding

The main function of the gateway is forwarding packets, and the capture and forwarding function is directly related to the performance of the industrial gateway. Since the industrial LAN is not connected directly to the outside network, industrial equipment cannot exchange data with the SCADA system, and the data must be forwarded by the industrial site PC, which acts as the gateway. We use WinPcap to implement the packet capturing and forwarding function.

By function, the overall structure can be divided into three parts; from bottom to top, these are packet capture, packet analysis, and packet filtering and forwarding. The whole structure is shown in the figure below:

Figure 3 The structure of packet capture and forward

Data collection is the most important function. It is the foundation of the whole system and the source of its data. The gateway captures the raw packets of the industrial LAN and then filters them according to their destination address and source address information; if a packet meets the conditions, it is put into the buffer for further processing, otherwise it is discarded directly. The algorithm of packet capturing and forwarding is divided into the following steps:

(1) Access the current network device list and select the adapter to be used.
(2) Set the packet filter according to the filter conditions.
(3) Capture the packets.
(4) If a packet meets the conditions, put it into the buffer for further processing; otherwise discard it directly.
(5) Encapsulate the packets according to the protocol format and forward them.

The flow chart is shown below:

Figure 4 The flow chart of packet capture and forwarding

B. Nodes management

The nodes management module is used to manage the information of the industrial equipment in the industrial LAN. The gateway needs to monitor the real-time state of each node and creates a linked list to store the information of these nodes, such as the IP address, the MAC address and the community of the node. The gateway monitors whether the nodes are active and then refreshes the linked list. We use multithreading to implement this. The gateway sends ICMP packets to the nodes and accepts their response information; if it receives the correct response information, the node and the gateway are considered to be connected. Otherwise, it deletes the related information of the node from the linked list. The main steps and the flow chart are shown below:

(1) Create a raw socket for the IPPROTO_ICMP protocol and set the socket properties.
(2) Create the ICMP packets and fill in the data.
(3) Send the ICMP packets to the nodes.
(4) Activate the second thread to receive ICMP packets, analyze them, and return the response information.
(5) Refresh the node list according to the response information.

IV. THE EXPERIMENT RESULT

After completing the design described above, we implemented the functions of the gateway in C++ and then carried out an experiment with the industrial gateway. The experiment shows that the industrial gateway can transmit data safely and effectively. The IP address of the agency is "222.197.201.170" and the IP address of the SCADA network manager is "222.197.201.175". We used Wireshark to capture the packets forwarded by the gateway; the result is shown below:

Figure 6 The experimental result figure

As the figure shows, the gateway encapsulates the packets and forwards them, and there is no significant packet loss in the process. This meets the basic demands of an industrial control network.
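
The filter decision in step (4) of Section III-A, as an added example that is not the authors' gateway code: it parses one captured Ethernet/IPv4 frame and admits it to the forwarding buffer only when its source/destination pair is registered. The `TrustedPairs` table, the function names and the sample frame are assumptions constructed for illustration; the WinPcap capture loop is omitted.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <utility>

// Verdict for one captured frame (step 4 of the capture/forward algorithm).
enum class Verdict { Forward, Discard };

// Registered (source, destination) IPv4 pairs in host byte order. Assumption:
// in the paper's design this information would come from the gateway's node list.
using TrustedPairs = std::set<std::pair<uint32_t, uint32_t>>;

static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Decide whether a raw Ethernet frame may enter the forwarding buffer.
// Malformed, non-IPv4 or unregistered traffic is discarded (default deny).
// The IP header checksum is not verified here.
Verdict filter_frame(const uint8_t* frame, size_t len, const TrustedPairs& trusted) {
    const size_t ETH_HDR = 14, IP_MIN = 20;
    if (len < ETH_HDR + IP_MIN) return Verdict::Discard;                 // truncated
    if (frame[12] != 0x08 || frame[13] != 0x00) return Verdict::Discard; // not IPv4
    const uint8_t* ip = frame + ETH_HDR;
    if ((ip[0] >> 4) != 4) return Verdict::Discard;                      // bad version
    size_t ihl = size_t(ip[0] & 0x0F) * 4;
    if (ihl < IP_MIN || ETH_HDR + ihl > len) return Verdict::Discard;    // bad header length
    size_t total = (size_t(ip[2]) << 8) | ip[3];
    if (total < ihl || ETH_HDR + total > len) return Verdict::Discard;   // length field lies
    uint32_t src = be32(ip + 12), dst = be32(ip + 16);
    return trusted.count({src, dst}) ? Verdict::Forward : Verdict::Discard;
}

// Constructed sample: minimal Ethernet + IPv4 header, 10.0.0.5 -> 10.0.0.9.
static const uint8_t SAMPLE_FRAME[34] = {
    0x02,0,0,0,0,0x09, 0x02,0,0,0,0,0x05, 0x08,0x00,   // dst MAC, src MAC, EtherType
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x11,0,0,       // ver/IHL, total len 20, TTL, UDP
    10,0,0,5, 10,0,0,9 };                              // source IP, destination IP

Verdict demo_registered() {
    TrustedPairs t{{0x0A000005u, 0x0A000009u}};        // exactly this pair is registered
    return filter_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, t);
}
Verdict demo_unregistered() {
    TrustedPairs t{{0x0A000005u, 0x0A000063u}};        // a different destination is registered
    return filter_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, t);
}
```
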
V. CONCLUSION

The industrial remote control network gateway does not depend on any hardware environment or any SCADA software environment. It can solve the problems of remote Internet communication between industrial equipment and the SCADA system and provide a secure communication mechanism.
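
The probe logic behind steps (2), (4) and (5) of the node detection procedure in Section III-B, as an added example that is not the authors' code: it builds an ICMP echo request, accepts only a checksum-valid echo reply with matching identifier and sequence number, and prunes nodes that did not answer. The function names, the `Node` fields and the simulated reply are assumptions for illustration; the raw socket send/receive and the second thread are omitted.

```cpp
#include <cstddef>
#include <cstdint>
#include <list>
#include <vector>

// RFC 1071 Internet checksum over an ICMP message.
uint16_t icmp_checksum(const uint8_t* d, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t(d[i]) << 8) | d[i + 1];
    if (n & 1) sum += uint32_t(d[n - 1]) << 8;               // odd trailing byte
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);    // fold carries
    return uint16_t(~sum);
}

// Step (2): build an echo request (type 8, code 0) carrying id, seq and payload.
std::vector<uint8_t> build_echo(uint16_t id, uint16_t seq, const std::vector<uint8_t>& data) {
    std::vector<uint8_t> p{8, 0, 0, 0, uint8_t(id >> 8), uint8_t(id), uint8_t(seq >> 8), uint8_t(seq)};
    p.insert(p.end(), data.begin(), data.end());
    uint16_t c = icmp_checksum(p.data(), p.size());
    p[2] = uint8_t(c >> 8); p[3] = uint8_t(c);
    return p;
}

// Step (4): accept only a well-formed echo reply that matches our id/seq.
// r is the ICMP message with the IP header already stripped.
bool is_valid_reply(const std::vector<uint8_t>& r, uint16_t id, uint16_t seq) {
    if (r.size() < 8 || r[0] != 0 || r[1] != 0) return false;   // type 0 = echo reply
    if (icmp_checksum(r.data(), r.size()) != 0) return false;   // corrupted in transit
    return ((r[4] << 8) | r[5]) == id && ((r[6] << 8) | r[7]) == seq;
}

// One entry of the gateway's node list (field names are assumptions).
struct Node { uint32_t ip; bool answered; };

// Step (5): delete every node that did not answer this probe round.
size_t refresh_nodes(std::list<Node>& nodes) {
    size_t before = nodes.size();
    nodes.remove_if([](const Node& n) { return !n.answered; });
    return before - nodes.size();
}

// Constructed stand-in for a live node: the reply it would send to a request.
std::vector<uint8_t> simulate_reply(std::vector<uint8_t> req) {
    req[0] = 0; req[2] = req[3] = 0;
    uint16_t c = icmp_checksum(req.data(), req.size());
    req[2] = uint8_t(c >> 8); req[3] = uint8_t(c);
    return req;
}
```

Matching the identifier and sequence number keeps a stale or unrelated reply from marking a dead node as alive.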
REFERENCES

[1] Jeffrey Lloyd Hieb. "Security hardened remote terminal units for SCADA networks" [D]. Dissertation for the Degree of Ph.D., Department of Computer Science and Computer Engineering, University of Louisville, May 2008.
[2] Mariana Hentea. "Improving security for SCADA control system" [J]. Interdisciplinary Journal of Information, Knowledge, and Management, Volume 3, 2008.
[3] Deri Luca, Andrew Richard. "N2N: A layer two peer-to-peer VPN" [J]. Second International Conference on Autonomous Infrastructure, Management and Security, AIMS 2008, Proceedings, 2008.
[4] http://www.ntop.org/products/n2n/.
[5] Wentao Liu. "Network security programming techniques and examples" [M]. Beijing: China Machine Press, 2008.7.
[6] Gongyi Wu etc. "Advanced computer network software programming technology" [M]. Beijing: Tsinghua University Press, 2008.1.
Figure 5 The flow chart of node detection
