iSEG RF-3180 Secure Gateway

Specifically designed for the needs and the operating conditions at remote production sites

Overview

Radiflow’s iSEG RF-3180 ruggedized gateway was designed to meet the cyber-security and environmental challenges of critical infrastructures’ remote sites.

Once connected to the OT (SCADA/ICS) network, the iSEG RF-3180 immediately begins to gather information from across the network (devices, behaviors, etc.) and suggests editable firewall rules. The iSEG RF-3180 secures both M2M (Machine to Machine) and H2M (Human to Machine) traffic by incorporating DPI (Deep-Packet Inspection) capability for analyzing SCADA network traffic. Upon detecting an anomaly, the iSEG RF-3180 automatically generates alerts, blocks the abnormal activity and isolates any affected sub-networks.

To facilitate NERC CIP V6 compliance, the iSEG RF-3180 includes an APA (Authentication Proxy Access). It grants authenticated users access to predefined devices and functions, all fully logged. Integration with a physical identity server system also allows other authentication methods, e.g. magnetic card.

Radiflow’s whitelist-based, distributed DPI firewall ensures uninterrupted control over the network. It is installed on every port, for both serial and Ethernet traffic, so that every access point at the remote site is firewalled. Each SCADA protocol packet is validated by the firewall engine not only for its source and destination, but also for its protocol and packet content. The distributed firewall structure enables the creation of a unique firewall at each access point on the network, which is especially important for protecting against insider attacks.
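The per-packet validation described above (source, destination, protocol fields and content checked against a whitelist) and the Monitoring/Enforcement/Learning modes listed in the specifications, shown as an added example that is not Radiflow's code. It assumes a Modbus/TCP flow; the addresses, rule structure and frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Whitelist entry: allowed source, destination, unit, function code and register range."""
    src: str
    dst: str
    unit: int
    func: int
    addr_lo: int
    addr_hi: int

def modbus_frame(unit: int, func: int, addr: int, value: int, tid: int = 1) -> bytes:
    """Build a constructed Modbus/TCP request: 7-byte MBAP header followed by a 5-byte PDU."""
    pdu = struct.pack(">BHH", func, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code, start_addr), or None if the frame is malformed."""
    if len(payload) < 10:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # MBAP protocol id must be 0, length must match
        return None
    func, addr = struct.unpack(">BH", payload[7:10])
    return unit, func, addr

class ScadaDpiFirewall:
    """Whitelist DPI firewall with the three modes from the datasheet: learning, monitoring, enforcement."""
    def __init__(self, mode: str = "enforcement"):
        self.mode = mode
        self.whitelist: set[Rule] = set()
        self.alerts: list[str] = []

    def check(self, src: str, dst: str, payload: bytes) -> str:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            return self._violation(src, dst, "malformed Modbus/TCP frame")
        unit, func, addr = parsed
        for r in self.whitelist:  # source, destination, unit, function and register all have to match
            if (r.src, r.dst, r.unit, r.func) == (src, dst, unit, func) and r.addr_lo <= addr <= r.addr_hi:
                return "allow"
        if self.mode == "learning":  # learning: observed traffic becomes a candidate (editable) rule
            self.whitelist.add(Rule(src, dst, unit, func, addr, addr))
            return "learned"
        return self._violation(src, dst, f"unit {unit} fc {func} addr {addr} not whitelisted")

    def _violation(self, src: str, dst: str, reason: str) -> str:
        self.alerts.append(f"{src}->{dst}: {reason}")
        return "block" if self.mode == "enforcement" else "alert"  # monitoring mode only alerts
```

A write (function code 6) from a host that was only ever seen reading is blocked in enforcement mode and merely alerted on in monitoring mode, which is the distinction an operator uses when moving a learned rule set into production.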

Features

Secure access

Strict enforcement of identity and access policies via Authentication Proxy Access for NERC CIP V6 compliance

DPI SCADA firewall

Whitelist-based, distributed IP and Serial DPI SCADA firewall (DNP3, ModBus, IEC-101/104, S7)

Secure VPN Connectivity

Communication with central site via IPsec VPN over cellular & fiber with X.509 certificates

Ports

Up to 16 x 10/100 and 2 x 100/1000 SFP ports, as well as RS-232 ports with protocol gateway functionality

Cellular communication

Cellular 2G/3G/4G/LTE dual-SIM modem for operator redundancy or for remote substations with no LAN connectivity

Fit for Harsh Environments

Radiflow’s iSEG 3180 was designed for operation under harsh temperature and radiation conditions

Implementation


Specifications

SECURITY

Distributed DPI Firewall

  • Profile-based firewall
  • Security rules planning per service group
  • Modes: Monitoring, Enforcement, Learning
  • IEC 101 DPI Firewall; IEC 104 DPI Firewall
  • Modbus RTU DPI Firewall, TCP Firewall
  • DNP3 RTU Firewall, TCP Firewall
  • S7 RTU Firewall, TCP Firewall

VPN

  • IPsec Certificates X.509
  • IPsec Dynamic Key Exchange
  • IPsec encryption AES, 3DES
  • L3 IPsec VPN: policy based, route based
  • L3 mGRE DM-VPN
  • L2 VPN GRE

Access control

  • Port access filter per MAC/IP addresses
  • Enable/Disable port
  • IEEE 802.1x port-based authentication
  • Local APA (Authentication Proxy Access)
  • User activity report (under local APA)
  • Access Lists L2, L3, L4
  • NAT traversal

LOCAL OPERATION

  • RS-232 Console Port
  • Local USB Port for Emergency Boot
  • Discrete outputs for reporting system alarms
  • Failsafe output relay for reporting critical alarms

INTERFACES

  • 2 x 100/1000 SFP ports
  • 8 x 10/100 Base-T ports POE+
  • 8 x 10/100 Base-T Ports (optional)
  • 8 x 100FX SFP Ports (optional)
  • 4 x RS-232 Ports (optional)
  • Cellular Modem (optional)

PHYSICAL DESIGN

  • Mounting: DIN rail (optional wall mount)
  • Enclosure: Rugged – IP 30 rated, no fans
  • Weight: 1.4 kg (DC), 1.8 kg (AC)
  • Dimensions: (mm) 148h x 72w x 123d
  • Operating temperature: -40°C to 75°C
  • Storage temperature: -40°C to 85°C
  • Operating Humidity: 5%-90%
  • IEEE1613 EMI – Electric Utility Substations
  • EN50121-4 – Vibration and Shock resistance
  • IEC 61000-4

POWER CONSUMPTION

  • 15W without PoE
  • 135W with PoE

INPUT POWER RANGES 

  • 12 – 12V DC (range: 9-18V DC)
  • 24 – 24V DC (range: 18-32V DC)
  • 48 – 48V DC (range: 36-60V DC)
  • HD – 125V DC (range: 85-165V DC)
  • 110-230V AC (range: 90-250V AC)
  • WDC – Wide DC range (range: 18-60V DC)

MANAGEMENT

  • Console serial port
  • Remote CLI access using SSH tunnel
  • Backup/Restore running config
  • Conditioned/scheduled system reboot
  • Remote management and upgrade
  • TFTP/SFTP Client
  • Safe Mode
  • Syslog
  • SNMPv1/v2C/v3
  • iSIM Network Management System

NETWORKING

Advanced Layer 2 feature-set

  • ITU-T G.8032v2 Ethernet ring
  • IEEE 802.1s MSTP
  • IEEE 802.1w RSTP, enhanced RSTP
  • IEEE 802.3ad LAG with LACP
  • IEEE 802.1q VLAN segregation
  • IEEE 802.1p per-port queues
  • DHCP Client, Server and Relay
  • QOS Prioritization, Shaping, Scheduling
  • OAM EFM IEEE 802.3ah
  • OAM CFM ITU-T Y.1731/IEEE 802.1ag

Layer 3 feature-set

  • Static routing; OSPF, RIPv2 Routing
  • VRRP redundancy scheme

Serial

  • Transparent tunneling of serial streams
  • SCADA gateway for IEC101/104, ModBus RTU/TCP and DNP3
  • Terminal Server Byte/Frame mode; TCP/UDP

Cellular Modem

  • Cellular 2G/3G/4G/LTE modem with 2 x SIM cards

System Performance

  • Line rate L2/L3 switching throughput
  • Switching latency < 10 µs
  • 16K MAC addresses; 4K VLANs

Multicast

  • L2 Multicast
  • IGMP snooping for traffic optimization