mGuard SCADA System Integration

Installing SCADA without Internet Access Using mGuard

A Mini Case Study in Network Connectivity and Security

Blog post by Senior Controls Engineer Nick Hitchcock, P.E.

With the growth of IIoT (industrial internet of things), many people are looking to get access to their systems and their data wherever they are. The VPN capabilities of mGuards allow that access through a secure tunnel, and the firewall built into the appliance provides protection from malicious or accidental access while still allowing devices behind the firewall to reach the internet.

Problem:

A city wanted to install a SCADA system for the city’s water system, which included water plants spread throughout the city. However, no network access existed between the sites or back to City Hall; the plants did not even have internet access.

Solution:

Hardware

We installed cellular routers at each remote plant in order to get internet access at the plants. We installed industrial VPN/firewall appliances (Phoenix Contact mGuards) at each plant and at City Hall: an mGuard RS4000 at City Hall as the central point, and an mGuard RS2000 at each plant.

Network Architecture

With the mGuards, we were able to configure a secure private network between the plants and City Hall via encrypted IPsec VPN tunnels. The mGuard at City Hall was plugged into the local network, with the SCADA server sitting behind it. With the webserver behind the firewall, it can freely talk to each device on the plant networks through the IPsec VPN tunnels.

Programming

Firewall rules were set up on the RS4000 that blocked all incoming traffic from the City Hall network, with the exception of HTTP requests, which were forwarded only to the SCADA webserver. This allowed people at City Hall to get the data they needed from the SCADA system without allowing malicious or accidental access to the water system network. The firewalls at each plant were configured to block all traffic (in or out) except what passed through the VPN tunnels. We also configured an additional VPN tunnel to allow remote access to the network from a PC-based VPN client.
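The two rulesets described above, modelled as ordered allow rules with first-match semantics and a default deny; this is an added illustration, not the case study's own mGuard configuration, and every address, subnet and the IKE/ESP port set is an assumed placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addressing; not the city's real plan.
ANY = ip_network("0.0.0.0/0")
CITY_HALL_LAN = ip_network("192.168.1.0/24")    # office network at City Hall
SCADA_WEB = ip_network("10.10.0.5/32")          # SCADA webserver behind the RS4000
CITY_HALL_WAN = ip_address("203.0.113.10")      # public side of the RS4000 (VPN peer)

def tunnel_rules(peer):
    """Allow only the IPsec tunnel to/from one peer: IKE (UDP 500), NAT-T (UDP 4500), ESP."""
    peer_net = ip_network(f"{peer}/32")
    rules = []
    for proto, dport in (("udp", 500), ("udp", 4500), ("esp", None)):
        rules.append(("accept", ANY, peer_net, proto, dport))   # plant -> City Hall
        rules.append(("accept", peer_net, ANY, proto, dport))   # City Hall -> plant
    return rules

# RS4000 at City Hall, traffic arriving from the City Hall LAN: HTTP to the SCADA
# webserver only; anything else (PLC protocols, admin ports, ...) hits the default deny.
CITY_HALL_INBOUND = [("accept", CITY_HALL_LAN, SCADA_WEB, "tcp", 80)]

# RS2000 at a plant, both directions: nothing but the tunnel to City Hall.
PLANT_RULES = tunnel_rules(CITY_HALL_WAN)

def evaluate(rules, pkt):
    """First matching rule wins; a packet no rule accepts is dropped (default deny)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for action, rule_src, rule_dst, proto, dport in rules:
        if (src in rule_src and dst in rule_dst and pkt["proto"] == proto
                and (dport is None or pkt.get("dport") == dport)):
            return action
    return "drop"

if __name__ == "__main__":
    # Constructed sample packets: (description, ruleset, packet).
    samples = [
        ("City Hall PC browsing the SCADA webserver", CITY_HALL_INBOUND,
         {"src": "192.168.1.20", "dst": "10.10.0.5", "proto": "tcp", "dport": 80}),
        ("City Hall PC trying Modbus/TCP straight to a plant PLC", CITY_HALL_INBOUND,
         {"src": "192.168.1.20", "dst": "10.20.0.7", "proto": "tcp", "dport": 502}),
        ("Plant router sending ESP to City Hall", PLANT_RULES,
         {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "esp"}),
        ("Plant PLC trying to reach an arbitrary internet host", PLANT_RULES,
         {"src": "10.20.0.7", "dst": "198.51.100.99", "proto": "tcp", "dport": 80}),
    ]
    for desc, rules, pkt in samples:
        print(f"{evaluate(rules, pkt):6}  {desc}")
```

Running it shows the practical effect of the policy: the only path from a City Hall desk to a plant device is through the SCADA webserver, and a plant network can exchange traffic with nothing but the City Hall tunnel endpoint.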

Results:

Both city maintenance staff and our own staff can use this VPN client to access the network and remotely monitor and debug the entire system. Besides the safety and security that this setup provides, secure remote access increases uptime by shortening the response time to issues, and it saves the user money by reducing the cost of service calls and eliminating travel costs.