Cellular security versus Ethernet and serial
Using a Cellular router, modem or switch has many advantages, but as with any network connection, security is one of the most vital elements in engineering your system. We will look at several aspects and where security weaknesses may occur within a cellular eco-system. There are 4 main areas to consider:
- Out-going data
- Incoming data
- Public/Static IP addresses
- Private IP addresses.
Let’s use a typical application to assess security questions:
A remote utility power transformer being monitored for power usage
In this use case inductive loads may cause a phase imbalance between current and voltage. Power companies will remotely switch in and out large capacitor banks to correct for power factor. There are many companies that manufacture power factor monitoring equipment. These devices typically have a serial or Ethernet port as a data communications interface. The problem with this initial scenario is the power factor data to be analyzed is local and the monitoring facility is many miles away or even half way across the world.
The power company has the option to construct a propriety RF telemetry system but the cost and limited scalability should eliminate this as a viable solution. Cellular devices use a standards based IP network to move data from a remote location to a global footprint. The power factor monitoring device in this case would simply connect to the router via a serial port or Ethernet port allowing the movement of data. By definition, a serial port does not have an address; therefore, using a cellular router with a serial port and terminal server type support gives an application the ability to convert serial data for transport over IP, which also inherently assigns an address.
In a nutshell: Protocols like Modbus RTU over serial can be sent and received over an IP network. This being said it also exposes the same serial data and device sending the serial data to the same types of security risks.
If you choose not to use an IP address that allows incoming data then your device is restricted to only sending outbound data. While this maintains security, it restricts you from much of the advantage of a cellular IP network, the ability for remote configuration and management including sending commands via protocols such as MODBUS.
So where does the security come into play in this use case? If the only requirement is for data to be pushed out of a cellular router to a remote location or a cloud based network then a static IP address is not required and you can significantly reduce the risk of a device or data network attack.
If your requirements include outreach or configuration of the router or anything connected to the router, then you will need a secure method to do so. This normally comes in the form of an IP address. The cellular carrier would be happy to sell you anywhere from one to hundreds of static IP addresses, but these static addresses are public which means anyone could access the cellular device and anything attached to it, including Ethernet and serial ports. In the use case we’re describing, this means the power factor monitoring equipment is exposed to being hacked. The same is true for any Ethernet device connected to the cellular device.
Using a VPN (virtual private network) gives you many advantages, some of which we’ll talk about in subsequent articles. VPN tunnels create a very secure connection between an IP device and other connecting IP devices. Assigned OpenVPN IP addresses cannot be accessed unless you or the devices connecting to the network have the proper credentials. These addresses are static, but they are not public, allow for controlled and restricted access into your remote network.
You have the option to create your own VPN with your carrier, or sign up for a third party VPN service such as SmartCluster. One advantage of using a third party VPN IP address is it’s portable across most if not all cellular carriers. For example, if you use an IP address from a specific carrier and then decide to change carriers, the IP address is also cancelled.
Using a standard like OpenVPN would eliminate this problem, you could maintain the secure IP address within your device and it would be portable and transferable to a competing cellular carrier/network. Imagine having to reconfigure hundreds of remote cellular devices with new IP addresses simply because you move from one cellular carrier to another. By using this technique you may keep your cellular devices in the field without having to send expensive personnel to update equipment, and you would be free to move from one carrier to another without any device configuration. Many of these services also recognize the data consumption needs of an M2M network, typically a small fraction of the data required by consumer devices, and are packaged appropriately.
Three important things to consider:
- Don’t make the mistake of creating a secure VPN network connection and use a carrier’s static IP address, the weak point here is the carrier’s IP address regardless of the VPN tunnel.
- Don’t confuse encryption with IP security, typically encryption occurs within the data stream. IP security is about accessibility to the devices on the cellular eco-system network.
- Don’t ever retain a default setting. It’s common sense if a system has a user-name and password, change it immediately. Cellular carriers do publish public IP addresses and simple hacking can occur in the form of automated BOT’s pinging the published public static IP address until a device responds. Then, an attempt is made to gain access to the device by using known default user-names and passwords. This can happen within moments of installing your new router.
Always keep in mind the nature of the equipment being used to engineer a system vs. the markets supported. Small adjustments in configuration, connections and data manipulation we would make in this remote power monitoring use case also transfer to other use cases such as tank farm monitoring, water waste-water, utility, and many other remote and isolated IP based networks.
Credit BB-Smartworx