IoT security

May 2018

Datanet Systems recently presented, during a workshop dedicated to new technologies for utility suppliers, its LoRaWAN solutions for the remote reading of meters and industrial radio communications, as well as a series of novelties of the Cisco IT security architecture applicable to this economic sector.

In the past years, the number of LoRaWAN applications in the Utilities field has increased rapidly. This evolution is justified by the specific advantages of this technology, which Gabriel Musat, Deputy Executive Director of Datanet Systems, succinctly presented in the opening of the workshop held during the 2018 “Bucharest Technology Week” event. According to the Datanet specialist, the main characteristics of the LoRaWAN radio networks are:

  • radio coverage of 10-15 km in rural areas and 3-5 km in urban areas;
  • low data rates, with packets sent at 1-2 Kbps, at most 5 Kbps, per channel (a gateway may have from 3 to 8 channels, shared by all the devices in a given area);
  • use of simple terminal devices, having low procurement and maintenance costs and low battery consumptions, providing an extended autonomy of up to 10 years;
  • operation in the 868 MHz frequency band, requiring no licence;
  • use of an interference-resistant protocol;
  • support for star topologies, with medium and high device density.

All these characteristics make the LoRaWAN technology well suited to remote metering, on-site event collection and reporting, and maintenance status reporting, as well as, in certain cases, geolocation applications.

The Soitron Group has turned the technical parameters of the LoRaWAN technology into two proprietary solutions developed with Cisco technology: an application for the remote reading of meters for water companies and a Modbus TCP communications system.


Solutions for water companies

“The field of water supply services is well suited for the development of LoRaWAN technology applications, because it has a series of special conditions: it is a tough environment, with big temperature differences and high humidity, with frequent risks of floods and it is difficult or too costly to provide electricity supply and/or install cables,” explained the Deputy Executive Director of Datanet Systems.

The Soitron solution is an application for water consumption remote reading, having the following characteristics:

  • easy to install;
  • it allows rapid subsequent developments (the number of meters can be easily changed);
  • flexible – not limited just to the LoRaWAN technology (it operates simultaneously with other Low Power Wide Area Network protocols, too);
  • it does not require maintenance at terminal level (it is designed so that the equipment, once installed, operates for 5 years with no intervention);
  • the terminals need no external electricity supply and no cables.

Another major advantage of the solution presented is that it is already in production with water distribution companies. The solution is used for: consumption remote reading, leak detection, loss detection and fraud attempt identification. The reading devices collect and transmit data from the entire water distribution network, continuously delivering correct information for a low price. Based on such information, water suppliers can optimise their decisions regarding maintenance operations, can view the areas requiring rapid intervention, depending on the loss values, and can prioritise on-site interventions. Thus, an improvement of the decision-making process is obtained, as well as an increase in the operational efficiency, with the related savings.

The system allows end clients to control and monitor the consumption characteristics (the application also provides a portal where clients may see their current consumption, their consumption history, their average consumption, etc.), issues warnings when average values are exceeded (these are useful especially in case of incidents) and can make consumption forecasts based on historical data. All these facilities offered to consumers, as well as the earnings water suppliers obtain by using the Soitron solution, were exemplified in a live demonstration performed by Teodor Skeren, Senior Business Development Manager within the Soitron Group.


Modbus TCP applications

The second LoRaWAN application presented by Gabriel Musat is a Modbus TCP remote traffic transport solution, dedicated to areas where providing an IP connection through other technologies is too difficult and/or too costly. The Soitron solution is already used in areas with no coverage from mobile operators and having no other way of communication other than satellite connection, with its related costs.

“In such cases, the LoRaWAN technology is an efficient solution both performance-wise and economically, using devices that have a relatively low cost. There are a few apparent difficulties represented by the fact that, on one hand, the packages sent by LoRaWAN networks are shorter than Modbus packages, and on the other hand the LoRaWAN technology ensures low data flows with high delays – there are instances when client applications cannot wait for a long time to receive the answer from a certain device. To solve such issues, we provided data fragmentation/reassembly and compression modules in the software code of the terminal devices and of the central communication server. In this way we obtained a Modbus TCP communication by LoRaWAN with a response time under 20 seconds,” explained the Deputy Executive Director of Datanet Systems, who afterwards detailed how the LoRaWAN application developed in a SCADA environment can be used.
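
The fragmentation/reassembly and compression step described above, sketched in Python as an added example (not Soitron's or Datanet's code). The 4-byte fragment header, the 51-byte payload budget, the in-flight limit and all names are assumptions, and the sample ADU is constructed.

```python
import struct
import zlib

# Assumptions (not from the article): a 51-byte radio payload budget and a
# hypothetical 4-byte fragment header (message id, index, fragment count).
MAX_PAYLOAD, MAX_PENDING = 51, 32
HDR = struct.Struct(">HBB")
MAX_ADU = 260  # largest Modbus TCP ADU: 7-byte MBAP header + 253-byte PDU

def _require(ok, reason):
    if not ok:
        raise ValueError(reason)

def fragment(msg_id, adu, max_payload=MAX_PAYLOAD):
    """Compress an ADU, append a CRC32 of the original, split into fragments."""
    body = zlib.compress(adu, 9) + struct.pack(">I", zlib.crc32(adu))
    step = max_payload - HDR.size
    chunks = [body[i:i + step] for i in range(0, len(body), step)]
    return [HDR.pack(msg_id, i, len(chunks)) + c for i, c in enumerate(chunks)]

class Reassembler:
    """Rebuilds ADUs from fragments arriving in any order, with bounded state."""
    def __init__(self):
        self.pending = {}  # msg_id -> (fragment count, {index: chunk})

    def feed(self, frame):
        """Return the ADU once complete, None while waiting; ValueError if bad."""
        _require(len(frame) > HDR.size, "short fragment")
        msg_id, idx, count = HDR.unpack_from(frame)
        _require(idx < count, "fragment index out of range")
        _require(msg_id in self.pending or len(self.pending) < MAX_PENDING, "too many messages in flight")
        total, parts = self.pending.setdefault(msg_id, (count, {}))
        _require(total == count, "fragment count changed mid-message")
        parts[idx] = frame[HDR.size:]
        if len(parts) < total:
            return None
        del self.pending[msg_id]
        body = b"".join(parts[i] for i in range(total))
        inflater = zlib.decompressobj()
        try:  # cap the output so a crafted stream cannot exhaust memory
            adu = inflater.decompress(body[:-4], MAX_ADU + 1)
        except zlib.error as exc:
            raise ValueError("corrupt compressed data") from exc
        _require(inflater.eof and len(adu) <= MAX_ADU, "truncated or oversized ADU")
        _require(struct.pack(">I", zlib.crc32(adu)) == body[-4:], "CRC mismatch")
        return adu

# Constructed sample: Modbus TCP response to "read 60 holding registers".
REGS = b"".join(struct.pack(">H", (i * 7919) % 65536) for i in range(60))
SAMPLE_ADU = struct.pack(">HHHBBB", 1, 0, 3 + len(REGS), 1, 0x03, len(REGS)) + REGS
```

A deployed version would also expire incomplete entries in `pending` on a timer, so that a lost fragment does not hold a slot indefinitely.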

Next, Gabriel Musat presented the Cisco Actility LoRaWAN infrastructure for private networks, which Datanet integrates within the LPWA communication solution for utility suppliers. The presentation highlighted its special technical characteristics and the technological novelty incorporated in these products. The Cisco LoRaWAN infrastructure for private networks is characterised by simplicity in design and use, very good scalability – up to 20,000 devices can operate in this type of network – as well as its openness toward multiple present and future applications in the IoT area.


Cisco security news

In the second part of the workshop, Octavian Szolga, Security Consultant within the Datanet Systems team, presented the main novelties Cisco has brought to its security solutions, explaining how companies can take advantage of them, as well as the most common uses in the field of Utilities. The first topics covered were the functionalities introduced on ASA equipment with new-generation Firepower Services. “Now there is a unified code, Firepower Threat Defense (FTD). To facilitate the migration of ASA services to FTD, Cisco introduced a dedicated instrument, the configuration in FTD being made by the Firepower Management Center” (it can be both virtual and physical/appliance), explained Octavian Szolga.

Identity Services Engine (ISE), a central element of the Cisco security architecture, has received new versions (2.3 and 2.4) as well, the upgrades including:

  • a tool for migrating rules, network equipment, user data, etc., from the old ACS solution to ISE;
  • IPv6 support for RADIUS;
  • a tool that verifies whether an upgrade is feasible (there are cases where the upgrade cannot be performed – expired certificates, corrupted database, etc.);
  • improvements in the Posture area, defining a time interval when a user connected to the infrastructure can remediate his problems;
  • possibility of integration with the Cisco Industrial Network Director management platform, useful for utility suppliers because it delivers to the ISE platform attributes regarding the equipment connected to the network, by using Profiling-type services.

For Web Security Appliance (WSA), the Datanet specialist presented the 10.x and 11.x OS versions, which offer:

  • the possibility to configure TLS v1.1 and v1.2 support for different modules (management, LDAPS, etc.);
  • support for AMP Private Cloud (on-premise integration);
  • inspection of archive files;
  • the possibility for virtual machines to also run in Hyper-V environments;
  • Web Traffic Tap functionalities, useful when there are complementary solutions for web traffic inspection.

The new versions of Email Security Appliance (ESA 10.x and 11.x) offer:

  • Forged Messages Detection functionalities (they check and certify the identity of an e-mail sender);
  • improvements in the client feedback area (when the modification of a server or domain reputation is desired);
  • an improved Data Loss Prevention (DLP) module;
  • use of geolocation attributes in the e-mail filtering/processing policies;
  • URL scanning for links included in attachments.

Cisco AnyConnect Secure Mobility Client enriched its offer, too, now having:

  • extended support for Linux;
  • a Network Visibility module (offers information about who is logged in, what processes are running);
  • Captive Portal Detection functionality (useful when Internet access is performed by public wireless hotspots).

“The new version of the application can stop processes and install applications, and when unauthorized applications are installed in endpoints, AnyConnect can automatically fix it without needing other solutions,” said the Datanet specialist.

For Umbrella, a relatively new application in the Cisco portfolio, a series of new important functionalities are announced, too, such as those blocking/allowing the access of applications via DNS or the possibility to define selective decryption policies.

As concerns the Advanced Malware Protection (AMP) for Endpoints, Octavian Szolga named among the main new functionalities:

  • Exploit Prevention (identifies possibly vulnerable applications, remaps DLL libraries and inputs and moves them to a random location with each launching of the concerned applications, thus preventing malicious codes from accessing them);
  • System Process Protection (analyses and validates the relations between processes);
  • Malicious Activity Protection (verifies for any newly launched application the writings, readings and accesses made by the application within a timeframe);
  • AMP Unity (integrates the AMP console at endpoint level with AMP solutions present on WSA, ESA and Firepower).


Use case scenarios

Finally, the Datanet specialist presented a few common scenarios for the integrated use of the Cisco solutions:

  • ISE + ASA with Firepower Services – scenario in which a company creates access control rules based on the users’ identity, not by means of IP addresses, thus offering increased mobility to end users and a lower administrative load;
  • ISE + WSA – a “combination” used to offer access to “guest” users by integration with ISE, thus getting detailed information about who they were and what type of traffic they had, what resources they accessed, etc.;
  • ISE + Posture – “Integration is useful, for instance, when mobile users try to access the company’s VPN with a device which was disconnected for a long time, which can mean the absence of security updates, of necessary applications, etc. The access request reaches ISE, which checks its identity and introduces it in a temporary state having an undetermined status. The Posture agent checks if the conditions are complied with and sends a report to ISE, which subsequently changes the authorization depending on the result obtained,” explained the Datanet security consultant.

The workshop dedicated to LoRaWAN applications and integrated security architectures is part of an extended series of events organised by Datanet Systems, addressed to both cybersecurity professionals and organisations operating in the field of Utility service provision.

Datanet delivers turnkey projects for system monitoring and remote data collection, providing:

  • system design for private LoRaWAN networks;
  • manufacture of terminal equipment for specific applications;
  • development of the software for the terminal equipment and of the central application for connection with the client applications, for certain purposes;
  • radio-site survey for the designed network, network qualification, product installation, integration of the entire solution, service and technical support.

At the same time, Datanet is one of the main system integrators in Romania with advanced competences in integrated security architectures, confirmed by the many projects implemented in critical infrastructures, financial and banking institutions, telecom operators, etc.

For more information, contact