Migrating SCADA Traffic To IP/MPLS Networks

IP/MPLS meets the demands of SCADA and other mission-critical utility applications.
Published: Fri 16 Oct 2015

SCADA (supervisory control and data acquisition) systems have been widely deployed by utilities as well as other industrial operations for telecontrol applications, but with a long expected lifetime in the field (20+ years) they are at risk of becoming stranded by the latest advances in communications technologies.

With utilities having to rethink their communications requirements and increasingly opting for IP/MPLS, the challenge is one of how to migrate traffic from legacy SCADA systems to an IP/MPLS network.

“The majority of SCADA systems deployed today are based on legacy interfaces and this is presenting challenges as these old interfaces are typically not supported in new IP/MPLS routers,” Hansen Chan, marketing manager at Alcatel-Lucent, explained to Engerati, commenting that there are even SCADA systems with built-in modems as used to be seen in PCs. “All those systems deployed in the last decade have a good 10 years or more of life ahead.”

Why IP/MPLS?

Among the next-generation network solutions, an IP/MPLS-based communications network is the one needed to support all mission-critical and non-mission-critical traffic simultaneously. [Engerati-IP/MPLS – Communications For The Forward Looking Utility]

Non-MPLS-based IP networks have grown significantly in recent years, but they often lack the necessary traffic management capability to support traffic that requires strict quality of service (QoS) for mission-critical operations. They also lack the flexibility to optimize the use of network resources and the capability to react to network events fast enough to guarantee end-to-end QoS per application.

With an IP/MPLS network, operators get the best of both worlds – the versatility of an IP network and the predictability of a circuit-based network along with high capacity and support for packet-based traffic with high QoS. An IP/MPLS network enables the deployment of new IP/Ethernet-based applications and also supports the existing time division multiplexing (TDM)-based applications which are used in most of the older SCADA systems. Because IP/MPLS networks can continue to carry existing TDM services, operators can now flexibly choose when to migrate the applications from TDM to IP.

Migrating SCADA to IP/MPLS

Mr Chan outlines three overarching challenges in migrating SCADA to a packet network:

• Terminating the legacy interface

• Transporting TDM traffic over IP/MPLS

• Security, including confidentiality and authentication.

Terminating the legacy interface

Older SCADA systems typically use the V.24 and/or the analogue 4-wire E&M interfaces.

One option to terminate the legacy interface is via a TDM multiplexer in front of an IP/MPLS router. In this case the multiplexer maps each SCADA circuit into a 64kbps channel inside an E1/T1 interface.

However, a less complex and preferred option is to directly connect the legacy device to an IP/MPLS router tailored for the mission-critical communications market.

“While the E1/T1 interfaces are common and a wide range of routers will support them, the latter option is preferred as it enables us to attain a true end-to-end packet architecture while retaining the same SCADA devices,” explains Mr Chan.

Transporting TDM over IP/MPLS

To transport TDM over IP/MPLS, two components are required: a circuit emulation service (CES), which packetizes the TDM traffic so that it can be carried over a packet network, and a data bridging capability, which merges the traffic received from the many remote SCADA locations towards the SCADA server. Data bridging requires data manipulation at the physical bit layer, rather than at the frame layer as in Ethernet. Designing a solution that can interoperate with different SCADA system vendors requires deep experience on the part of the IP/MPLS networking specialist.
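A simplified sketch of the two components just described, added here as an illustration and not taken from Alcatel-Lucent or from any CES standard: one 64kbps channel is cut into sequence-numbered packets, the receiver rebuilds the stream when packets are reordered or lost, and a bridge merges replies from several remote sites. The 2-byte sequence header, the all-ones idle fill and the bitwise-AND merge rule are assumptions made for the example.

```python
import struct

FRAME_US = 125   # TDM sends one octet per 64 kbps channel every 125 µs
IDLE = 0xFF      # assumed idle fill: all-ones ("mark") octets

def packetize(octets, frames_per_packet=8, first_seq=0):
    """Cut one 64 kbps channel into payloads behind a 16-bit sequence number."""
    packets = []
    for n, i in enumerate(range(0, len(octets), frames_per_packet)):
        chunk = octets[i:i + frames_per_packet].ljust(frames_per_packet, bytes([IDLE]))
        packets.append(struct.pack("!H", (first_seq + n) & 0xFFFF) + chunk)
    return packets

def packetization_delay_us(frames_per_packet):
    """Time spent filling one packet before it can leave the router."""
    return frames_per_packet * FRAME_US

def depacketize(packets, expected, frames_per_packet=8, first_seq=0):
    """Rebuild the octet stream in sequence order; a missing packet becomes
    idle fill so the far-end circuit keeps its timing. Returns (stream, lost)."""
    by_seq = {struct.unpack("!H", p[:2])[0]: p[2:] for p in packets}
    out, lost = bytearray(), 0
    for n in range(expected):
        payload = by_seq.get((first_seq + n) & 0xFFFF)
        if payload is None or len(payload) != frames_per_packet:
            payload, lost = bytes([IDLE]) * frames_per_packet, lost + 1
        out += payload
    return bytes(out), lost

def bridge_to_master(remote_streams):
    """Merge remote-site streams bit by bit with AND (assumed bridging rule):
    an idle all-ones site leaves the answering site's bits untouched."""
    merged = bytearray([IDLE]) * max(len(s) for s in remote_streams)
    for stream in remote_streams:
        for i, octet in enumerate(stream):
            merged[i] &= octet
    return bytes(merged)

if __name__ == "__main__":
    reply = bytes(range(1, 21))                 # constructed 20-octet RTU reply
    pkts = packetize(reply)
    stream, lost = depacketize([pkts[2], pkts[0]], expected=3)  # reordered, one lost
    print(lost, stream.hex(), packetization_delay_us(8), "us")
    site_a = b"\x10\x20\xff\xff"                # constructed: A answers first
    site_b = b"\xff\xff\x30\x40"                # constructed: B answers second
    print(bridge_to_master([site_a, site_b]).hex())
```

The lost-packet counter is the value worth exporting to monitoring: a SCADA poll that silently turns into idle fill looks like a quiet remote site unless the loss is counted.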

Inherent in this step is also the requirement for server redundancy, at both the equipment and geo levels, to ensure operational continuity in the case of equipment failure and/or for disaster recovery. In the case of equipment redundancy, two servers would be installed in the utility operations centre and data is continuously sent to both. In the case of geo redundancy, a server is installed at another, geographically separated centre, runs on cold standby and comes online automatically with little intervention in case of disaster at the utility’s main operations centre.

“It depends on the operator who may select either or both levels of redundancy,” notes Mr Chan.

Security of IP/MPLS

An MPLS network running with label switched path tunneling and segregated virtual private network services is inherently secure by nature, but external attacks are becoming more widespread and sophisticated. With higher stakes at play, additional security is required.

Mr Chan says a multiprotocol encryption approach is recommended, which is secured with network group encryption (NGE). [Engerati-Mission Possible With Network Group Encryption] Independent tests conducted at the University of Strathclyde indicate that NGE, which seamlessly embeds in MPLS, incurs an extra delay of only 20μs, which is negligible.

Utility preparedness to migrate SCADA to IP/MPLS

When it comes to performing a migration, Mr Chan says that both the technical and human aspects need to be planned. The utility should test the technology to validate and understand it, and should ensure that all relevant stakeholders within the company are involved in the process from its start.

Alcatel-Lucent has successfully partnered with many utility operators in migrating their traffic. One prime example is Creos in Luxembourg. More are on the cards.

“The length of carrying out a migration will depend on the size of the network but typically will take anywhere between a week and a year,” says Mr Chan, advising that planning should be done well in advance of the execution. “As SCADA is pivotal to monitoring and protection any disruption could have a huge economic cost and we offer a no compromise approach.”

Further information

Engerati briefing: Transitioning Experience - SCADA and Teleprotection to IP/MPLS

Alcatel-Lucent: IP/MPLS Network Transformation to Support SCADA Application Migration

Alcatel-Lucent: Seamless Encryption for Mission-Critical Networks
