The Design of an Industrial Remote Control Network Gateway Based on P2P VPN
Abstract-An industrial remote control network gateway was designed to study and solve the security problems generated by network communication between SCADA systems and industrial computers, and to provide a security guarantee for connecting the industrial network to the Internet under the premise of full efficiency and reliability. It does not depend on any hardware environment or SCADA software environment and can support any industrial equipment and all kinds of SCADA systems. The gateway can monitor the industrial equipment at industrial sites, forward packets between the SCADA system and industrial computers, block untrusted data and report abnormal events, thereby solving the problems of remote Internet communication between the SCADA system and industrial equipment and providing a secure communication mechanism.

Keywords-SCADA; industrial computer; gateway; VPN

I. INTRODUCTION
Along with the development of computer network technology, the TCP/IP protocol is widely used in the industrial control field, and people can monitor a system located at an industrial site from a Supervisory Control and Data Acquisition system (SCADA system) [1]. SCADA is widely used in many modern industrial control fields, for example electrical power systems, chemical industrial systems, national defense systems and so on. But the environment of such a system is restricted to a narrow range and lacks safety management, so it cannot interact with the outside world. This makes it pressing to realize data exchange between the process control system and the upper management information system of the enterprise, in order to remove the SCADA system from its information island state [2].

Modern industrial computer systems (such as PLC, HMI, SOC, etc.) are equipped with network interfaces, but because of restrictions such as the volume, CPU and memory of the industrial computer system, the real-time behaviour and reliability of the system must be guaranteed. The system was designed only for use in a LAN and cannot connect to the Internet, so the industrial network does not support remote monitoring through the Internet, and the market does not offer a corresponding product. For this reason, we plan to build a safety gateway model for the industrial control network. We build a professional gateway between the industrial equipment and the SCADA system. It can monitor the industrial equipment at industrial sites, forward packets and block the untrusted data, thus solving the problems of remote communication between the SCADA system and industrial equipment and providing us with a secure communication mechanism.

II. THE OVERALL DESIGN OF THE GATEWAY
With the rapid development of modern computer technology, it is an inevitable trend to connect the SCADA system to the Internet and to extend the range of industrial automation control technology from the local area to the whole networked world. The industrial computer pays more attention to real-time behaviour and reliability and was only considered for use in a LAN, so it is basically not equipped with network security measures and also fails to offer a secondary development interface for network security. The problem of network security has been neglected for years. At present, the traditional SCADA system fails to provide identity and access management functions; it is unable to distinguish real users from invaders, and once invaders get into the system they can steal SCADA data or control the lower computer through the SCADA system. This leaves the industrial control system in a high-risk state, and accidents caused by system failure occur frequently. Since the traditional IT system and the industrial control system differ in many respects, the security measures of the IT system cannot be used in industrial control systems, so it is imperative to design a remote communication security mechanism between the industrial computer and the Internet.

To study and solve the security problems generated by network communication between the SCADA system and industrial computers, and to provide a security guarantee for connecting the industrial network to the Internet under the premise of full efficiency and reliability, we must achieve two objectives:
(1) Even if a single node of the industrial network has a problem, we can still ensure stable operation of the device and the factory, realizing safety management under the premise of compatibility. For modern computer networks, the protective goal is that when some local industrial network contains unsafe factors, they do not spread to other equipment or networks, in order to ensure the safe and stable operation of the whole device or factory.
(2) To confirm the failed node in a timely and accurate way and solve the problem. Finding the problems of a failed node is the premise of maintaining control network security.

As everyone knows, generally speaking, the industrial computer is connected to a closed LAN which is secluded from the Internet. It only has an internal IP address and can only communicate with other hosts in the LAN; it cannot exchange data with the Internet. For this reason, we design two front-end devices in the industrial network to complete the task of safety management and information exchange between the industrial computer and the SCADA system. According to their role, the two devices can be divided into the SCADA network manager and the site network agency.

The site network agency and the industrial equipment are in the same LAN. It monitors the situation of the industrial equipment in the industrial network and registers the information of the industrial equipment with the SCADA network manager. The SCADA network manager will inform the site network agency so that it can protect the industrial equipment. The agency receives encrypted data from the industrial equipment and sends it to the SCADA network manager; at the same time it receives encrypted data from the SCADA system, then decrypts and forwards it to the industrial equipment. So the site network agency becomes the security gateway between the network equipment and the SCADA system. Since each site network agency should belong to a domain, it can only communicate with the SCADA network manager that is in the same domain, so the forwarded data has to pass through NAT many times before it can reach the destination host. The SCADA network manager is installed in the SCADA network; it is located in the same LAN as the monitoring network and has a static Internet IP address. It dynamically monitors the situation of the industrial equipment reported by the network agency and manages this equipment.

We develop a safe VPN channel to guarantee the security of data between the SCADA system and the industrial equipment. Thus we can solve the problems of remote communication between the SCADA system and industrial equipment and provide a secure communication mechanism. The network topology is shown as follows:

Authorized licensed use limited to: NWFP UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on May 24,2021 at 05:27:39 UTC from IEEE Xplore. Restrictions apply.

LAN could seamlessly connect with the Internet.

III. THE DESIGN OF GATEWAY COMMUNICATION PROTOCOL
As noted above, we design a remote industrial control network gateway model based on VPN technology, according to the problems of the industrial network and the purpose we need to achieve. Because of the particularity of the industrial control network, we require it to be highly secure; for example, when a node fails, it must not affect the security of the entire system. So a traditional VPN is not applicable, and we adopted a new type of open source VPN project, N2N. N2N is a layer-two peer-to-peer VPN whose communications protocol uses a P2P protocol [3]. Unlike a traditional VPN network, it can traverse NAT and firewalls, so the firewall is no longer a communication barrier between two nodes in the network. N2N does not have the traditional server and client; its nodes are divided into two kinds, the Super node and the Edge node [4]. Each Edge node can also belong to more than one network organization (domain). If we want to run the Edge node, we must first set up a TUN/TAP virtual network adapter; when the node accesses the VPN, it communicates through the virtual network adapter. A virtual network adapter corresponds to one Edge node, but a PC can create multiple virtual network adapters. The N2N network structure is shown in figure 2:
of the algorithm is no longer described in this passage.

As previously mentioned, we have built the professional gateway between industrial equipment (such as PLC, SOC and other industrial computers) and the SCADA system. The gateway can monitor the industrial equipment at industrial sites, forward packets between the SCADA system and industrial computers, and block untrusted data; it can also report abnormal events. We use the gateway to construct a SCADA communication area and register the trusted industrial equipment and SCADA system with the gateway, which works through the communication protocol we have designed. The protocol can be divided into two parts:
• Capture and forward the packets.
• Node management, such as monitoring the status of nodes, reporting abnormal events, deleting and registering the information of nodes and so on.

A. packet capture and forwarding
The main function of the gateway is forwarding packets, and the capturing and forwarding function is directly related to the performance of the industrial gateway. Since the industrial LAN is not connected to the outside network directly, industrial equipment cannot exchange data with the SCADA system, so we need to forward this data through the industrial site PC which acts as the gateway. To complete the packet capturing and forwarding function, we use WinPcap.

According to function, the overall structure can be divided into three parts, from bottom to top: packet capture, packet analysis, and packet filtering and forwarding. The whole structure is shown in the figure below:

(1) Get the current network device list and select the adapter to be used.
(2) Set the packet filter according to the filter rule.
(3) Capture the packets.
(4) If a packet meets the conditions, put it into the buffer for further treatment; otherwise discard it directly.
(5) Encapsulate the packets according to the protocol format and forward them.
The flow chart is shown below:
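The filter-and-forward stage of these steps, as an added example in C that is not the paper's code: it takes one constructed Ethernet/IPv4 frame the way a WinPcap capture loop would hand it over, applies step (4) (accept only well-formed IPv4 packets from registered equipment, with every length field checked against the captured length) and step (5) (prepend a gateway header before forwarding). The gateway header layout, the trusted address list and the sample frame are assumptions, since the paper does not give its protocol format; the WinPcap calls for steps (1) to (3) (pcap_findalldevs, pcap_open, pcap_compile/pcap_setfilter, pcap_next_ex) need a live adapter and are only named in the comments.

```c
/* Added example, not the paper's code: the filter-and-encapsulate stage
 * (steps 4 and 5) run over one constructed Ethernet/IPv4 frame. The WinPcap
 * calls for steps 1-3 (pcap_findalldevs, pcap_open, pcap_compile/
 * pcap_setfilter, pcap_next_ex) need a live adapter and are not reproduced.
 * The gateway header format is an assumption; the paper gives none. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define GW_HDR_LEN     12
#define GW_MAGIC       0x47574E31u   /* "GWN1": hypothetical protocol tag */

/* Registered (trusted) industrial equipment; constructed sample addresses. */
static const uint32_t trusted_sources[] = {
    0xC0A80A0Bu,   /* 192.168.10.11 */
    0xC0A80A0Cu,   /* 192.168.10.12 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Step 4: accept a frame only if it is a well-formed IPv4 packet whose source
 * is a registered device. Length fields are checked against the captured
 * length so a truncated or lying header cannot make us read past the buffer.
 * (A production gateway would also verify the IPv4 header checksum.) */
int gw_filter(const uint8_t *frame, size_t frame_len,
              uint32_t *src_ip, uint8_t *proto, size_t *ip_len)
{
    if (frame_len < ETH_HDR_LEN + 20 || rd16(frame + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || total < ihl || total > frame_len - ETH_HDR_LEN) return 0;
    uint32_t src = rd32(ip + 12);
    for (size_t i = 0; i < sizeof trusted_sources / sizeof trusted_sources[0]; i++) {
        if (trusted_sources[i] == src) {
            *src_ip = src; *proto = ip[9]; *ip_len = total;
            return 1;                       /* trusted: goes to the buffer */
        }
    }
    return 0;                               /* untrusted source: discard */
}

/* Step 5: prepend the gateway header (magic, original source, protocol,
 * length; all big-endian) to the accepted IPv4 packet. Returns bytes written,
 * or 0 when the frame was rejected or out is too small. */
size_t gw_encapsulate(const uint8_t *frame, size_t frame_len, uint8_t *out, size_t out_cap)
{
    uint32_t src; uint8_t proto; size_t len;
    if (!gw_filter(frame, frame_len, &src, &proto, &len)) return 0;
    if (out_cap < GW_HDR_LEN + len) return 0;
    wr32(out, GW_MAGIC);
    wr32(out + 4, src);
    wr16(out + 8, proto);
    wr16(out + 10, (uint16_t)len);
    memcpy(out + GW_HDR_LEN, frame + ETH_HDR_LEN, len);
    return GW_HDR_LEN + len;
}

/* Constructed capture: Ethernet + 20-byte IPv4 header (protocol UDP) + 8-byte
 * UDP header, from 192.168.10.11 to 192.168.10.1; 42 bytes in total. */
static const uint8_t sample_frame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xAA,0xBB, 0x08,0x00,
    0x45,0x00,0x00,0x1C, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xC0,0xA8,0x0A,0x0B, 0xC0,0xA8,0x0A,0x01,
    0x1F,0x90,0x1F,0x90, 0x00,0x08,0x00,0x00,
};

/* Runs one frame through the gateway. variant 0: frame as captured;
 * 1: same frame from the unregistered source 192.168.10.99;
 * 2: same frame with the EtherType changed to ARP. Returns encapsulated size. */
size_t gw_demo(int variant)
{
    uint8_t frame[sizeof sample_frame], out[64];
    memcpy(frame, sample_frame, sizeof frame);
    if (variant == 1) frame[ETH_HDR_LEN + 15] = 0x63;
    if (variant == 2) { frame[12] = 0x08; frame[13] = 0x06; }
    return gw_encapsulate(frame, sizeof frame, out, sizeof out);
}

/* Returns the source address recorded in the gateway header for the sample. */
uint32_t gw_demo_src(void)
{
    uint8_t out[64];
    if (gw_encapsulate(sample_frame, sizeof sample_frame, out, sizeof out) == 0) return 0;
    return rd32(out + 4);
}
```

The rejection path matters as much as the forwarding path: a frame whose IPv4 total length exceeds the captured length, or whose source is not on the registered list, returns 0 and is never copied into the output buffer, which is the "block untrusted data" behaviour the gateway is meant to provide.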
use multithreading technology to program it. We send ICMP packets to the nodes, and the gateway accepts the response information of the nodes. If it receives the correct response information, the node and the gateway are in the connected state; otherwise, it deletes the related information of the node from the chain table. The main steps and the flow chart are shown below:
(1) Create a raw socket of the IPPROTO_ICMP protocol and set the socket properties.
(2) Create ICMP packets and fill in the data.
(3) Send the ICMP packets to the nodes.
(4) Activate the second thread, receive the ICMP packets, analyze them and return the response information.
(5) According to the response information, refresh the node list.

IV. THE EXPERIMENT RESULT
After the design mentioned above, we used C++ programming to realize the function of the gateway, and then we did the experiment of the industrial gateway. The experiment shows that the industrial gateway can transmit the data safely and effectively. The IP address of the agency is "222.197.201.170" and the IP address of the SCADA network manager is "222.197.201.175"; we use Wireshark to capture the packets forwarded by the gateway, and the result is shown below:
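The node-monitoring procedure described in steps (1) to (5) of the node-management section above, as an added example in C that is not the paper's code: it builds the ICMP echo request of step (2), validates a reply the way step (4) requires (type, checksum, and id/seq matching the request) and refreshes the node list as in step (5), dropping nodes that did not answer. The raw socket of step (1), the send of step (3) and the receive thread need privileges and a real network, so the reply is a constructed byte string; node addresses and identifiers are also constructed.

```c
/* Added example, not the paper's code: the packet construction, reply
 * validation and node-list refresh behind the ICMP liveness check. The raw
 * socket (socket(AF_INET, SOCK_RAW, IPPROTO_ICMP), sendto/recvfrom in the
 * second thread) needs privileges and a real network, so the reply processed
 * here is a constructed byte string. Node addresses and ids are invented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ICMP_ECHO_REQUEST 8
#define ICMP_ECHO_REPLY   0
#define ICMP_HDR_LEN      8
#define MAX_NODES         8

/* RFC 1071 Internet checksum over the whole ICMP message. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2) sum += (uint32_t)((buf[0] << 8) | buf[1]);
    if (len) sum += (uint32_t)buf[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Step 2: build an echo request carrying id/seq and a payload. Returns the
 * message length, or 0 if out is too small. */
size_t icmp_build_echo(uint8_t *out, size_t cap, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t payload_len)
{
    size_t len = ICMP_HDR_LEN + payload_len;
    if (cap < len) return 0;
    out[0] = ICMP_ECHO_REQUEST; out[1] = 0;          /* type, code */
    out[2] = out[3] = 0;                             /* checksum, filled below */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    memcpy(out + ICMP_HDR_LEN, payload, payload_len);
    uint16_t ck = icmp_checksum(out, len);
    out[2] = (uint8_t)(ck >> 8); out[3] = (uint8_t)ck;
    return len;
}

/* Step 4: a response counts as "correct" only if it is an echo reply, its
 * checksum verifies (the sum over an intact message is 0) and its id/seq echo
 * the request we sent, so a stray or stale reply cannot keep a dead node alive. */
int icmp_reply_matches(const uint8_t *pkt, size_t len, uint16_t id, uint16_t seq)
{
    if (len < ICMP_HDR_LEN || pkt[0] != ICMP_ECHO_REPLY || pkt[1] != 0) return 0;
    if (icmp_checksum(pkt, len) != 0) return 0;
    return ((pkt[4] << 8) | pkt[5]) == id && ((pkt[6] << 8) | pkt[7]) == seq;
}

/* The gateway's node list (the paper's "chain table"), here a fixed array. */
struct node { uint32_t ip; uint16_t id, seq; int answered; };
struct node_list { struct node n[MAX_NODES]; size_t count; };

int node_list_add(struct node_list *l, uint32_t ip, uint16_t id)
{
    if (l->count >= MAX_NODES) return 0;
    l->n[l->count++] = (struct node){ ip, id, 1, 0 };
    return 1;
}

/* Step 4: credit a received reply to the node it was received from. */
void node_list_mark(struct node_list *l, uint32_t from_ip, const uint8_t *pkt, size_t len)
{
    for (size_t i = 0; i < l->count; i++)
        if (l->n[i].ip == from_ip && icmp_reply_matches(pkt, len, l->n[i].id, l->n[i].seq))
            l->n[i].answered = 1;
}

/* Step 5: drop every node that did not answer this round, advance the
 * sequence number of those that did, and return how many were removed. */
size_t node_list_refresh(struct node_list *l)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; i < l->count; i++) {
        if (!l->n[i].answered) { removed++; continue; }
        l->n[i].answered = 0; l->n[i].seq++;
        l->n[kept++] = l->n[i];
    }
    l->count = kept;
    return removed;
}

/* Constructed reply from the first node: our request echoed back with type 0
 * and a recomputed checksum, as the target's IP stack would do. Returns length. */
static size_t build_demo_reply(uint8_t *reply, size_t cap)
{
    static const uint8_t payload[] = "gateway-probe";
    size_t len = icmp_build_echo(reply, cap, 0x1234, 1, payload, sizeof payload);
    if (!len) return 0;
    reply[0] = ICMP_ECHO_REPLY; reply[2] = reply[3] = 0;
    uint16_t ck = icmp_checksum(reply, len);
    reply[2] = (uint8_t)(ck >> 8); reply[3] = (uint8_t)ck;
    return len;
}

struct node_list demo_list;   /* refreshed table after demo_round() */

/* One round over two constructed nodes: 192.168.10.11 answers with a valid
 * echo reply, 192.168.10.12 stays silent. Returns the number of nodes removed. */
size_t demo_round(void)
{
    uint8_t reply[64];
    size_t len = build_demo_reply(reply, sizeof reply);
    memset(&demo_list, 0, sizeof demo_list);
    node_list_add(&demo_list, 0xC0A80A0Bu, 0x1234);   /* answers */
    node_list_add(&demo_list, 0xC0A80A0Cu, 0x1235);   /* silent */
    node_list_mark(&demo_list, 0xC0A80A0Bu, reply, len);
    return node_list_refresh(&demo_list);
}

/* A reply with one payload byte altered in transit fails the checksum and is
 * not credited; returns 1 when the intact copy passes and the altered one fails. */
int demo_tampered_rejected(void)
{
    uint8_t reply[64];
    size_t len = build_demo_reply(reply, sizeof reply);
    int ok_before = icmp_reply_matches(reply, len, 0x1234, 1);
    reply[ICMP_HDR_LEN] ^= 0xFF;
    return ok_before && !icmp_reply_matches(reply, len, 0x1234, 1);
}
```

Matching id and seq filters out stale or misdirected replies, and the checksum catches corruption, but neither authenticates the node: a positive result means only that a host at that address answered. The trust in the node itself comes from the encrypted VPN channel and the registration with the network manager, not from the ping.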