

GE Renewable Energy

Technical Documentation
Wind Turbine Generator Systems
All Turbine Types - 50/60Hz
Onshore

Technical Description
Wide Area Network Connectivity Requirements

imagination at work
© 2017 General Electric Company. All rights reserved.
GE Renewable Energy Technical Description

Visit us at
www.gerenewableenergy.com

All technical data is subject to change in line with ongoing technical development!

Copyright and patent rights

This document is to be treated confidentially. It may only be made accessible to authorized persons. It may only be
made available to third parties with the expressed written consent of General Electric Company.

All documents are copyrighted within the meaning of the Copyright Act. The transmission and reproduction of the
documents, also in extracts, as well as the exploitation and communication of the contents are not allowed
without express written consent. Contraventions are liable to prosecution and compensation for damage. We
reserve all rights for the exercise of commercial patent rights.

© 2017 General Electric Company. All rights reserved.

GE and are trademarks and service marks of General Electric Company.

Other company or product names mentioned in this document may be trademarks or registered trademarks of
their respective companies.

WindSCADA_System_Generic_xxHz_Network_Connectivity_Requirements_EN_r02.docx.

Table of Contents

Introduction .... 5
Definitions and Acronyms .... 6
SCADA Remote Connectivity .... 7
1 Shared ISP router connection .... 8
2 B2B Connection .... 9
3 Security .... 10
4 Break and Fix of GE's Network Equipment .... 10
5 GE's Remote User Access .... 10
6 Specific GE Connectivity Guideline .... 11
7 Open Ports needed by GE .... 12
Appendix A: Technical Specifications for High Speed Network Data Circuit for GE Wind Farms (ISP) .... 13
Appendix B: Technical Specifications for High Speed Network Data Circuit for GE Wind Farms (B2B) .... 14

CONFIDENTIAL - Proprietary Information. DO NOT COPY without written consent from General Electric Company.
UNCONTROLLED when printed or transmitted electronically.
© 2017 General Electric Company. All rights reserved
WindSCADA_System_Generic_xxHz_Network_Connectivity_Requirements_EN_r02.docx

Introduction
A dedicated remote data connection to a wind farm network is required for GE's Customer Support Center (CSC)
to monitor and perform remote operations. The Customer is responsible for the availability and reliability of the
remote connection, provided for exclusive use by GE based on the descriptions in this document. GE must be
provided a public routable static IP address in order to establish a secure point-to-point IPSec VPN tunnel
between the endpoint and GE datacenter; dynamic IP addressing (DHCP) cannot be used. For its own use, the
Customer has to establish a separate connection using a separate IP address.


Definitions and Acronyms


ADSL Asymmetric Digital Subscriber Line

B2B Business-to-Business

CSC Customer Support Center (EU)

CSN Customer Service Network

DSL Digital Subscriber Line

FE Field Engineer

FW Firewall

GSM Global System for Mobile Communications

IKE Internet Key Exchange

IP Internet Protocol

ISDN Integrated Services Digital Network

ISP Internet Service Provider

LAN Local Area Network

NIDS Network Intrusion Detection System

NIPS Network Intrusion Prevention System

PIN Personal Identification Number

ROC Remote Operation Center (US)

SCADA Supervisory Control and Data Acquisition

SIM Subscriber Identity Module

WAN Wide Area Network

SMS Short Messaging System

WIMAX Worldwide Interoperability for Microwave Access

WTGS Wind Turbine Generator System


SCADA Remote Connectivity

The WindSCADA System is capable of operating with local user connections over LAN as well as in an Intranet
environment with remote user connections. For remote user connectivity, the Customer shall provide a secure and
stable connection between SCADA System at the wind farm and GE's ROC/CSC.

The Customer is responsible for providing and maintaining a dedicated data network connection to the wind farm
with public static routable IP addresses. The network connection shall be provided through a terrestrial circuit. Any
other type of network circuit requires a written confirmation by GE.

The remote user utilizes the remote connection to connect to the SCADA System at the wind farm; therefore GE’s
connectivity to the wind farm must be established via Broadband connection.

Network connection shall enable the following functionalities:

1. GE to download SCADA data for warranty fulfillment
2. GE to perform remote monitoring, diagnostics and updating from within GE's network
3. The Customer (or third parties acting on behalf of the Customer) to remotely access the site for
   monitoring, diagnostics and data requests

The Customer is responsible for isolation of the wind farm network and SCADA equipment from the public
internet, and it is recommended that credentialed IT and Security professionals be engaged to configure, review,
or otherwise aid in secure network operations. Exposure of any insecure software services ("ports") directly to the
public Internet is likely to result in discovery by malicious actors, if the networking equipment is not configured
with the proper Access Control Lists (ACLs), or the software servicing the ports is not kept updated to the
appropriate versions. (Tools such as https://censys.io and https://shodan.io may be used to ensure protocols that
lack built-in security, such as Telnet, OPC DA, MQTT, NTP, SQL Server, or HTTP, are not publicly accessible).

Table 1 describes the supported networking topologies. It is highly recommended that the Customer procure and
sustain a modern firewall operated between the remote access router and the SCADA equipment LAN to
establish an Electronic Security Perimeter (ESP). GE can, upon request, provide the list of required protocols for
proper SCADA operation with the Customer's firewall configuration.
Supported solutions

Shared ISP (please see section 1)
Solution: Customer and GE
Comments: GE and the Customer use separate router hardware in order to access the windfarm network. Any
third party access (like Direct Marketing Broker or Ice Detection System etc.) must be realized on the
Customer router.

B2B (please see section 2)
Solution: GE uses Customer infrastructure
Comments: GE uses a secure connection to the Customer location and uses the Customer's network to access the
SCADA System at the wind farm. The Customer provides its peer IP address for GE to establish the VPN
connection with. The Customer provides, on its own equipment (router), remote access to any third party
companies like Direct Marketing Broker or Ice Detection System etc.

Table 1: Supported solutions for remote connectivity


1 Shared ISP router connection

A shared access solution requires at least two WAN routers at the wind farm: one for GE and one for the Customer
access to the windfarm network. The Customer shall supply the main broadband connectivity devices (ISP modem or
router). GE and the Customer will share the ISP router. The Customer must provide at least two static internet
routable IP addresses, one static public IP address for GE and a second one for the Customer access.
If third party access is granted to the wind farm, it won't be through GE's connection. The second IP address can
be used for the Customer and for third party access. If it is not possible to get two separate IP addresses for the
wind farm, an alternative solution has to be discussed with GE on a project basis.
The Customer is responsible for its access/connection to the wind farm. GE's equipment uses Ethernet handoff
(RJ 45) to make the connection. Please see picture below:

Figure 1: Internet Service Provider (ISP) connection

In addition to the above, the Customer will be responsible to supply and support the communication equipment
and lines installed in any of the locations and/or to contact the broadband provider in order to support
connectivity in case of outage.

The Customer is responsible for all costs associated with the broadband equipment and broadband subscription.

In cases where GE is managing the VPN router, GE will maintain access control and the Customer will not be
provided with administrative access.

For a shared ISP connection the Customer must provide the information in Appendix-A to GE.


2 B2B Connection
A Business-to-Business (B2B) connection requires a Site-to-Site VPN tunnel to be created between GE's external
internet hub and Customer's WAN connection. The Customer is responsible to supply and support the
communication equipment at the wind farm. In case of an outage the Customer shall contact the service provider
for support, inform GE's ROC/CSC about the outage, and fix the connectivity issue. The Customer is responsible for
all costs associated with the service and maintenance subscription. The number of IP addresses available via this
connection will be examined on a project level and dictated by the number of Wind Farms that will use this
connection. Please see picture below:
Figure 2: B2B Solution

[Diagram: Business-to-Business (B2B) Connection. GE Network with GE VPN-Connection over the Internet to the
Customer Router for the B2B connection (router/firewall in the Customer Network), from there into the Windfarm
network with the SCADA Server and the Historical SCADA Server, and a 3rd Party Network (e.g. Direct Marketing
Broker, Ice Detection System) behind its own router/firewall. VPN = Virtual Private Network. Note in figure: the
Customer router can be located at site or in the Customer's office; the router must be capable to support
natting.]

Mandatory GE IPSec Protocol setup:

The settings listed below are mandatory guidelines to configure the IPSec tunnels. SHA-1 hashing, popular in older
routers, should not be used due to newly-discovered weaknesses and its deprecation by the US National Institute
of Standards and Technology (NIST). It is also recommended to ensure firmware running on the router is the latest
version recommended by the manufacturer.

IKE Phase 1
- Encryption: AES-256
- Hash: SHA-256
- DH/MODP Group 2
- Pre-shared secret authentication (TBD)
- SA lifetime: 3600 seconds

IKE Phase 2
- Encryption: AES-256
- Hash: SHA-256
- DH/MODP Group 2
- SA's negotiated per subnet (not per host)
- Use Perfect Forward Secrecy (group 2)
- SA lifetime: 3600 seconds (60 minutes)

Crypto map/domain: 10.119.x.x/28 (GE) and Customer's network: 172.16.x.x (Customer).

This natting has to be done on the Customer router which provides the connection to GE.
For a B2B connection the Customer must provide the information in Appendix-B to GE.
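
The mandatory IKE settings above, turned into a check that can be run against a proposed tunnel definition before it is sent to GE. This is an added example, not GE's configuration or tooling: the TunnelConfig fields, the strongSwan-style proposal strings and the two sample configurations are assumptions; it reads DH/MODP group 2 as modp1024, the GE domain "10.119.x.x/28" as a /28 inside 10.119.0.0/16 and the Customer domain "172.16.x.x" as 172.16.0.0/16.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Mandatory values from the document. IKE DH group 2 is the 1024-bit MODP group,
# which strongSwan-style proposal strings spell "modp1024".
MANDATORY = {"enc": "aes256", "hash": "sha256", "dh": "modp1024", "lifetime": 3600}
REJECTED_HASHES = {"sha1", "md5"}              # SHA-1 is ruled out by the document; MD5 is older still
GE_DOMAIN = ip_network("10.119.0.0/16")        # "10.119.x.x/28 (GE)": a /28 somewhere in 10.119 (assumption)
CUSTOMER_DOMAIN = ip_network("172.16.0.0/16")  # "172.16.x.x (Customer)" (assumption)


@dataclass
class TunnelConfig:
    """Assumed shape of a tunnel definition; the field names are this example's, not GE's."""
    ike_proposal: str        # Phase 1, e.g. "aes256-sha256-modp1024"
    esp_proposal: str        # Phase 2, e.g. "aes256-sha256-modp1024" (trailing group = PFS group)
    ike_lifetime: int        # seconds
    esp_lifetime: int        # seconds
    auth: str                # "psk" = pre-shared secret
    ge_selectors: list       # traffic selectors on the GE side, e.g. ["10.119.1.0/28"]
    customer_selectors: list


def parse_proposal(proposal: str) -> dict:
    """Split 'enc-hash[-dh]'; a missing DH group in Phase 2 means no PFS."""
    parts = proposal.lower().split("-")
    if len(parts) < 2:
        raise ValueError(f"malformed proposal: {proposal!r}")
    return {"enc": parts[0], "hash": parts[1], "dh": parts[2] if len(parts) > 2 else None}


def check_phase(name: str, proposal: str, lifetime: int, findings: list) -> None:
    p = parse_proposal(proposal)
    if p["enc"] != MANDATORY["enc"]:
        findings.append(f"{name}: encryption {p['enc']}, AES-256 is required")
    if p["hash"] in REJECTED_HASHES:
        findings.append(f"{name}: hash {p['hash']} is deprecated, SHA-256 is required")
    elif p["hash"] != MANDATORY["hash"]:
        findings.append(f"{name}: hash {p['hash']}, SHA-256 is required")
    if p["dh"] is None:
        findings.append(f"{name}: no DH group (group 2 for Phase 1, PFS group 2 for Phase 2)")
    elif p["dh"] != MANDATORY["dh"]:
        findings.append(f"{name}: DH group {p['dh']}, group 2 (modp1024) is required")
    if lifetime != MANDATORY["lifetime"]:
        findings.append(f"{name}: SA lifetime {lifetime}s, 3600s is required")


def check_selectors(selectors: list, domain, prefixlen, side: str, findings: list) -> None:
    for ts in selectors:
        net = ip_network(ts, strict=False)
        if net.num_addresses == 1:  # SAs are negotiated per subnet, not per host
            findings.append(f"{side} selector {ts} is a single host, SAs must be per subnet")
        if not net.subnet_of(domain):
            findings.append(f"{side} selector {ts} is outside {domain}")
        if prefixlen is not None and net.prefixlen != prefixlen:
            findings.append(f"{side} selector {ts} must be a /{prefixlen}")


def check_tunnel(cfg: TunnelConfig) -> list:
    """Return the deviations from the mandatory settings (empty list = compliant)."""
    findings: list = []
    check_phase("IKE Phase 1", cfg.ike_proposal, cfg.ike_lifetime, findings)
    check_phase("IKE Phase 2", cfg.esp_proposal, cfg.esp_lifetime, findings)
    if cfg.auth != "psk":
        findings.append(f"authentication {cfg.auth}, pre-shared secret is required")
    check_selectors(cfg.ge_selectors, GE_DOMAIN, 28, "GE", findings)
    check_selectors(cfg.customer_selectors, CUSTOMER_DOMAIN, None, "Customer", findings)
    return findings


# Constructed sample configurations (not real site values).
COMPLIANT = TunnelConfig("aes256-sha256-modp1024", "aes256-sha256-modp1024", 3600, 3600,
                         "psk", ["10.119.1.0/28"], ["172.16.20.0/24"])
LEGACY = TunnelConfig("aes256-sha1-modp1024", "aes128-sha1", 28800, 3600,
                      "psk", ["10.119.1.0/28"], ["172.16.20.5/32"])

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(label, check_tunnel(cfg) or "OK")
```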


3 Security
The Customer is responsible for installing necessary means of security to protect their facility. At least a secure
VPN connection ("tunneling") to the wind farm is necessary, and should be configured as "point-to-point" to
restrict network access to only trusted IP addresses. Broadband connection equipment is required to be physically
secured in the WindSCADA Server rack or the Customer's office and protected from unauthorized access or use.

All networking equipment used to connect GE to the turbine network is for GE's remote monitoring use only. This
equipment represents an extension of GE's network and the Customer and third parties will not be granted access
to the wind farm via this equipment. Connecting other network equipment is not allowed without GE's
authorization.

The Customer must take care to properly segregate their own network segments from the SCADA LAN. GE
operates Network Intrusion Detection and Prevention (NIDS/NIPS) on their remote monitoring network, which
may result in disconnect and disrupted operations if Customer equipment is used to pivot an attack vector into
GE's monitored network. GE reserves the right to remove the connection to GE network if it is determined that the
Customer's wind farm poses risk to GE's network.

Attackers utilize a variety of automated techniques to discover and exploit improperly configured equipment, and
can often move from network segment to segment. Common threats include "brute force" attacks that enumerate
common or simple login passwords, "denial-of-service" network packet floods, and injection of ransomware
(encrypting files with a promise to send the utilized key in exchange for monetary payment).

Malware may not present itself immediately, but often impacts equipment performance with side effects that are
disruptive and difficult to isolate. GE recommends that the Customer becomes familiar with best security
practices to avoid disruption and unexpected recovery costs in equipment operation. The Customer should
engage credentialed security professionals to periodically review their security posture, as the cost of prevention
is often far less than the costs of production downtime and incident investigation and recovery.

4 Break and Fix of GE's Network Equipment

The Customer is responsible to coordinate with the local internet service provider and GE's ROC/CSC on any
break/fix related to GE's network connection. GE is responsible for GE's router at the wind farm as long as it is
connected to GE's network.

The Customer is responsible for maintaining the network circuit and coordinating the repair in a reasonable time
frame.

The Customer shall assign an on-site technical point of contact that GE can contact for network connection issue
resolution.

5 GE's Remote User Access

The Customer must provide at least one user account consisting of a user name and password per SCADA
System for GE's remote user access. The Customer is responsible for the security lifecycle management at the
facility.


6 Specific GE Connectivity Guideline

GE recommends a terrestrial low latency land line similar to DSL in order to provide best of class service. If a
terrestrial line or the minimum bandwidth cannot be met, the project can be reviewed separately. These
guidelines will support standard monitoring and operation functions. For additional digital capabilities, a
bandwidth review may be required.

Up to 20 Turbines (e.g. WindSCADA Compact):

Recommended
- Download of data from the wind farm to GE – 4096Kb/s
- Upload of data from GE to the wind farm – 4096Kb/s

Minimum
- Download of data from the wind farm to GE – 2048Kb/s
- Upload of data from GE to the wind farm – 2048Kb/s

Up to 200 Turbines (e.g. WindSCADA Standard & Plus-200):

Recommended
- Download of data from the wind farm to GE – 6000Kb/s
- Upload of data from GE to the wind farm – 6000Kb/s

Minimum
- Download of data from the wind farm to GE – 4096Kb/s
- Upload of data from GE to the wind farm – 4096Kb/s

Up to 500 Turbines:

Recommended
- Download of data from the wind farm to GE – 8192Kb/s
- Upload of data from GE to the wind farm – 8192Kb/s

Minimum
- Download of data from the wind farm to GE – 4096Kb/s
- Upload of data from GE to the wind farm – 4096Kb/s

The Customer shall ensure that the connection performance will not fall below the minimum performance
requirements at any given time. If connection performance is below specification the Customer is responsible to
improve the quality until the specification is met.


The Customer shall carry out the necessary bandwidth planning to ensure continuous SCADA connections for the
GE's monitoring and remote operations of the wind farm.

GE reserves the right to remove the connection to GE network after mutually agreed that obligations have been
satisfied, or when the connection to the wind farm poses risk to GE's network.

Note: Higher bandwidth allows better performance and reduced access time.

7 Open Ports needed by GE

In order for GE to communicate with the SCADA server onsite, the following ports must be open to communicate
to GE's Customer service center to establish a secure tunnel. These ports are as follows:

- IP Protocol = TCP, TCP Port number=1723
- IP Protocol = GRE (value 47)
- IP Protocol Type = UDP, UDP Port Number=500
- IP Protocol Type = UDP, UDP Port Number=4500
- IP Protocol Type = ESP (value 50)
- IP Protocol = TCP, TCP Port number=443

Note: Direct connection to the server requires open ports as follows:

Protocol  Port no.
TCP       21, 22, 23, 25, 49, 53, 80, 123, 139, 443, 445, 1025, 1026, 1433, 1434, 2001, 3389, 5510, 5631, 5632,
          5900, 6129, 6785, 7001, 7003, 7009, 7055, 7122, 7900, 8080, 14000
UDP       53, 69, 137, 138, 161, 162, 514, 1645, 1812, 2967, 5500, 9995, 38293
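
A firewall-rule audit for the ports listed above, added here as an example rather than taken from the document: the one-line rule syntax, the sample rules and the GE_PEER placeholder (GE supplies the real peer address) are constructed. It also applies the point-to-point requirement from section 3 and the list of protocols lacking built-in security from the SCADA Remote Connectivity section, using those protocols' well-known ports.

```python
import re
from ipaddress import ip_network

# Section 7: what must be open toward GE's service center to establish the secure tunnel.
TUNNEL = {("tcp", 1723), ("gre", None), ("udp", 500), ("udp", 4500), ("esp", None), ("tcp", 443)}
# Section 7 note: ports the document lists only for a direct connection to the server.
DIRECT_TCP = {21, 22, 23, 25, 49, 53, 80, 123, 139, 443, 445, 1025, 1026, 1433, 1434, 2001, 3389,
              5510, 5631, 5632, 5900, 6129, 6785, 7001, 7003, 7009, 7055, 7122, 7900, 8080, 14000}
DIRECT_UDP = {53, 69, 137, 138, 161, 162, 514, 1645, 1812, 2967, 5500, 9995, 38293}
# Services the document names as lacking built-in security, by well-known port
# (OPC DA is omitted: it runs over DCOM with dynamically assigned ports).
PLAINTEXT = {("tcp", 23): "Telnet", ("tcp", 80): "HTTP", ("udp", 123): "NTP",
             ("tcp", 1433): "SQL Server", ("tcp", 1883): "MQTT"}

GE_PEER = ip_network("203.0.113.10/32")  # placeholder (TEST-NET-3); GE supplies the real peer address
INTERNET = ip_network("0.0.0.0/0")
# Constructed one-line rule syntax: "<allow|deny> <proto> [<port>] from <prefix|any>"
RULE_RE = re.compile(r"^(allow|deny)\s+(tcp|udp|gre|esp)(?:\s+(\d+))?\s+from\s+(\S+)$")


def parse_rule(line: str):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, port, src = m.groups()
    if (proto in ("tcp", "udp")) == (port is None):
        raise ValueError(f"a port is required for tcp/udp and not allowed otherwise: {line!r}")
    src_net = ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    return action, proto, int(port) if port else None, src_net


def audit(rules: list) -> list:
    """Return policy findings for a list of rule lines (empty list = clean)."""
    findings, opened = [], set()
    for line in rules:
        action, proto, port, src = parse_rule(line)
        if action != "allow":
            continue
        key = (proto, port)
        opened.add(key)
        label = f"{proto}/{port}" if port is not None else proto
        if key in TUNNEL:
            if not src.subnet_of(GE_PEER):  # section 3: point-to-point, trusted IP addresses only
                findings.append(f"{label} allowed from {src}; restrict to GE peer {GE_PEER}")
        elif key in PLAINTEXT and src == INTERNET:
            findings.append(f"{label} ({PLAINTEXT[key]}) is exposed to the public Internet")
        elif (proto == "tcp" and port in DIRECT_TCP) or (proto == "udp" and port in DIRECT_UDP):
            findings.append(f"{label} allowed from {src}; listed only for direct server connection")
        else:
            findings.append(f"{label} allowed from {src}; not required by GE")
    for proto, port in sorted(TUNNEL - opened, key=str):
        label = f"{proto}/{port}" if port is not None else proto
        findings.append(f"{label} is not allowed; required to establish the tunnel")
    return findings


SAMPLE_RULES = [  # constructed
    "allow udp 500 from 203.0.113.10",
    "allow udp 4500 from 203.0.113.10",
    "allow esp from 203.0.113.10",
    "allow tcp 443 from any",               # tunnel port, but not point-to-point
    "allow tcp 23 from any",                # Telnet reachable from the Internet
    "allow tcp 3389 from 198.51.100.0/24",  # direct-connection port
    "deny tcp 22 from any",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```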


Appendix A: Technical Specifications for High Speed Network Data Circuit for GE Wind Farms (ISP)

Please complete this form and return to GE's project manager 14 days prior to wind farm’s grid connection.

Information below has to be provided by the Customer for shared ISP router connection.

Item No.  Item Description                                            Detail (to be filled by Customer)
1.        Customer
2.        E-Mail
3.        Phone
4.        Project Name
5.        Geo Coordinates of Substation
6.        Project Location (address or nearest town / city, state)
7.        Circuit Provider
8.        Connection Type (i.e. T1, DSL)
9.        Circuit Size (Kbps)
10.       Static Internet Routable IP address for GE use
11.       Subnet Mask
12.       Default Gateway
13.       DNS
14.       Customer Helpdesk Number
15.       Customer Local On-Site contact, if there is a problem
16.       Special Instructions, if there is an outage

_________________ _______________________________
Date Signature


Appendix B: Technical Specifications for High Speed Network Data Circuit for GE Wind Farms (B2B)

Please complete this form and return to GE's project manager 14 days prior to wind farm's grid connection.
Information below has to be provided by the Customer for the B2B connection.

Customer information:

Item No.  Item Description                                            Detail (to be filled by buyer)
1.        Customer
2.        E-Mail
3.        Phone
4.        Project Name
5.        Geo Coordinates of Substation
6.        Circuit Provider
7.        Connection Type (i.e. SAT, DSL, Landline, LTE)
8.        Project Location (address or nearest town/city, state)
9.        Special Instructions, if there is an outage
10.       VPN Device Manufacturer (i.e. Cisco)
11.       VPN Device Type (i.e. Pix, ASA)
12.       VPN Device Software Version
13.       External Peer Public IP Address

By sending this information to GE, the Customer confirms the usage of the mandatory configuration below.

IKE Phase 1
- Encryption: AES-256
- Hash: SHA-256
- DH/MODP Group 2
- Pre-shared secret authentication (TBD)
- SA lifetime: 3600 seconds

IKE Phase 2
- Encryption: AES-256
- Hash: SHA-256
- DH/MODP Group 2
- SA's negotiated per subnet (not per host)
- Use Perfect Forward Secrecy (group 2)
- SA lifetime: 3600 seconds (60 minutes)

Crypto map/domain: 10.119.x.x/28 (GE) and Customer's network: 172.16.x.x (Customer).
This natting has to be done on the Customer router which provides the connection to GE.

_________________ _______________________________
Date Signature
