BANDIT III OPTIMIZES SCADA DIGITAL NETWORKS

ENVIRONMENTAL HARDENING IMPROVES AVAILABILITY IN HARSH CONDITIONS AT REMOTE SITES

BANDIT III, Encore’s multifunction
communications appliance for utility networks,
easily moves SCADA systems from analog lines
(point-to-point or multidrop) to the utility
operator’s choice of IP, frame relay,
cellular data link, satellite, cable modem,
or digital leased line service--or a combination
of those services with analog modems. Hardened
to operate in the wide temperature ranges and
harsh conditions found in power substations
and other remote locations, BANDIT III offers
up to six serial interfaces to existing RTUs.
In addition, the router features a 4-port Ethernet
switch for IP-enabled RTUs, and Ethernet-based
RTU LAN connectivity.
An integral terminal server converts
serial asynchronous data (bit or byte oriented)
into IP or frame relay packets for transmission
to the host site on modern digital transmission
services. The integral dial modem supports
modem-equipped RTUs as well as providing backup.
BANDIT III is RoHS compliant; no lead used
in soldering.

► Proven, feature-rich ELIOS™ operating
system
► Disaster recovery through secure dial
backup (V.90, CDMA/GSM, VSAT) with auto-learned
routes provides continuous service availability;
incoming or outgoing connections; secured using
PAP/CHAP; fast switchover
► Legacy support via up to 6 serial ports
supporting TDI, RS-232, RS-449, V.35, and X.21
► Broadband access via Ethernet WAN
► Automatic backup failover via V.90/V.92
or via up to 2 wireless ports (CDMA/GSM,
EDGE/GPRS)
► Internal protocol analyzer for traffic
monitoring
► Fully standards-compliant SNMP management
■ Standard MIB-II (system, ports,
TCP/IP, etc.)
■ Standard Frame Relay MIB (protocol, DLCI table, error
messages, etc.)
■ Custom MIBs for configurations and statistics
■ Standard TRAPs
■ Triggered TRAPs
• User-definable traps for any
SNMP-manageable conditions
• Guaranteed TRAP delivery
► Support for IP PBX, VoIP, Softswitch,
video conferencing
► Protection of corporate Intranet assets via comprehensive
firewall capabilities
► Guaranteed delivery of mission-critical data via Quality
of Service (QoS) features
► Inexpensive to set up and maintain — low cost hardware,
no software licensing
► Highly reliable for connectivity of legacy protocols
including spoofing
► Worry-free protection of data and management functions
with 3DES/AES encryption
► RoHS compliant

BENEFITS FOR UTILITIES USING SCADA NOW
• Adheres to security initiatives of NERC,
DHS, etc.
• Gracefully migrate analog circuits to
digital services.
• Adopt any of several digital services,
or a mix of landline, wireless, or VSAT
• Improve availability of SCADA control
links via automatic failover and backup.
• Add strong encryption for new security.
• Preserve investment in SCADA hosts and
RTUs from all vendors, on all protocols.
• Enhance management of network and RTUs
through SNMP and unique BANDIT features.
• RoHS compliant; no lead used in soldering.
• Hardened for wide temperature

SECURITY AND DISASTER RECOVERY
Concern for security takes two forms
in the BANDIT:
1. To protect the information in transit
from interception and to prevent hijacking
of an RTU or the devices it controls, dedicated
hardware encrypts all traffic with very low latency.
Users may configure the BANDIT to apply the
DES, triple DES, or AES algorithm over any
type of WAN or LAN transmission.
2. To maintain control when the primary
link or network becomes unavailable, the BANDIT
offers several forms of failover and backup
(with encryption and PAP/CHAP authentication).
a) Dialup on a digital cellular connection
running a data link to the host; a BANDIT takes
one or two port modules which may be provisioned
on different carrier networks for added resiliency.
b) Dial up connection on the PSTN from
an integral V.90/V.92 analog modem (configurable
as 2- or 4-wire) to back up a primary digital
connection.
c) Transfer of traffic from a switched
IP connection (Ethernet) to a leased line (through
an integral CSU for 56 K or T1/E1).
Failover between ports and dialup via
modem or cellular connection occur quickly
and automatically when the BANDIT detects a
failed primary circuit.

Figure: Multiple RTU Remotes - Wireless, Dial Backup

FLEXIBILITY
The basic BANDIT III chassis contains
the essence of the device:
● A 4-port 10/100 Ethernet switch typically
used as the network uplink to the host and
locally to IP-capable RTUs.
● A serial port for legacy RTUs that
is configurable to handle many different protocols
(various SCADA formats, polled async, X.42,
MATIP, BiSync, DPA, SDLC, VISA, etc. are included
as standard in the ELIOS operating software).
● A supervisory port for local configuration
and access to the many management features
built into the BANDIT such as the protocol
analyzer.
● Integral V.90/V.92 modem that can access
the PSTN or an RTU that has a modem interface.
Four additional RS232 serial ports are available.
An externally facing accessory slot accepts
any of several plug-in modules for specific
interfaces:
● T-1/E-1 CSU
● Dual-port T-1/E-1 with drop and insert
capability
● 56 K CSU
● Serial port configurable as RS-232,
RS-449, V.35, X.21, or TDI
● Additional Ethernet port for DMZ LAN
segment
Slots provide for up to two cellular radio
modules, either GSM or CDMA. The BANDIT has
been certified by major carriers as compatible
with and acceptable to commercial cellular
networks. Each BANDIT radio module comes with
both an internal and external antenna.

CONVERGENCE ON A SECURE VPN
The encryption capability of the BANDIT
III matches or exceeds that of popular branch office
routers. It supports simultaneous sessions
(VPN tunnels) that may be assigned to different
applications or functions, with prioritization
according to the user’s policy. For
example, one VPN tunnel could carry voice
traffic (VoIP) from an IP phone at the remote
site to a softswitch at headquarters or a
service center--this connection does not need
to terminate at the same site as the SCADA
connection’s VPN tunnel. Another tunnel
could provide “out of band” access
to manage devices from an operations center
using the terminal server function. A third
would carry SCADA connections, serial or Ethernet.
For example, to ensure good sound quality
it is customary to give voice top priority.
SCADA might get second priority, with other
applications getting the remaining bandwidth.
The choice is up to the utility.
Selective Layer Encryption (SLE, patent
applied for) accelerates encrypted TCP connections
over any satellite service. This Encore technology
avoids the cap on throughput imposed by waiting
for acknowledgments over the high-latency satellite
path. As a full-function router, BANDIT III
provides stateful firewall protection, IP address
filtering, IPsec format, Generic Routing Encapsulation,
and protection from denial of service attacks.
In addition to network address translation
(NAT), Encore includes in ELIOS the Private
Address Translation feature that supports the
same range of private addresses at both ends
of a connection.

Figure: Wireless Solution - SCADA

EMERGENCY/DISASTER RECOVERY
The recent events in the “Katrina States” have
illustrated the requirement for fast mobile
recovery solutions. These solutions must address
not only the needs of the newer IP enabled
equipment, but also the old legacy hardware
and protocols. This equipment is required to
operate under the harshest of environments,
but still provide for secure encrypted data
VPNs that ensure the security of the network.

TECHNICAL SPECIFICATIONS

Architecture
ELIOS™ operating system; high performance
RISC-based processor; VPN hardware assist;
IP QoS enforcement, CIR enforcement

Port Interfaces
Standard: 4 Ethernet 10/100 Base-T auto-sensing
RJ45 connectors for LAN and WAN; standard
internal V.90/V.92 modem
Optional: Up to an additional 5 Serial
ports: RS-232, V.35, X.21, RS-449 for legacy
protocol conversion and spoofing such as SDLC,
X.25, ALC, MATIP,
async, polled async, CDLC, and X.42
Optional: Expansion slot for choice of
56/64 kbps DSU port, single or Dual/Single
T1/E1 channelized CSU/DSU port with drop and
insert capability,
serial port, or DMZ Ethernet port, optional
slot for wireless CDMA/GSM 56K T1/E1 FRAD modules
Optional: CDMA or GSM or EDGE ports.
Maximum two ports.

CDMA Specifications
► Antenna Interface: 50 Ohm SMA Female
► EVRC, 13k QCELP
► Data rates up to 153 kbps forward and
reverse
► Circuit Switch (IS707-A.4)
► Packet Data (IS707-A.5)
► RUIM (for China only – see R-UIM
Interface)
► OTASP, OTAPA
► IOTA
► Wireless interface: CDMA2000 (IS-2000)
► Band (CDMA2000) – (Dual Band)
• Band class 0 (TX: 824 ~ 849 MHz/ RX:
869 ~ 894 MHz)
• Band class 1 (TX: 1850 ~ 1910 MHz/ RX:
1930 ~ 1990 MHz)

GSM/GPRS Specifications
► Dual Band EGSM/GPRS
► Module (EGSM 900/1800 MHz, EGSM 850/1900MHz)
designed for M2M and Compliant with ETSI GSM
Phase 2+ standard
► Class 4 (2W @ 900 MHz)
► Class 1 (1W @ 1800 MHz)
► Data circuit asynchronous, transparent
and non-transparent to 144 kbps
► Fax group 3 (Class 1 and 2)
► GPRS packet Data features
► GPRS Class 2 or Class 10
► Coding Schemes: CS1 to CS4
► PBCCH support

Safety and Governmental Agency Approval
► IEC950, for electrical safety
► UL950, for electrical safety
► FCC Part 22 (800 MHz), Part 24 (1900
MHz)
► CSA for Canada
► CDG 1, 2 (IS-98D, IS-898)
► CDG 3 (application specific)

Agency Compliance
Safety: ANSI/UL Std. No. 60950, 3rd Edition
(U.S. Safety) CAN/CSA-C22.2 No. 60950 (Canadian
Safety) EN 60950, European Safety (CE Mark)
Emissions: FCC Part 15, Sub-Part B, Class
A (U.S.) EN 55022: 1998 (Europe)
Immunity: EN 55024: 1998 (Europe)

Network Protocol Support
Frame Relay; PPP; Multi-link PPP; PPPoE;
X.25; IP; Ethernet, RIP, NAT

IP Routing
Static routing, standard RIP v1/v2; IP
fragmentation/reassembly; routing over VPN
tunnels; DHCP client/server/BootP; IP QoS,
priority queuing,
dynamic bandwidth allocation, Diffserv
marking and classification. 802.1q VLAN tagging,
VRRP (RFC 3768)

IP VPNs
Support of up to 30 simultaneous tunnels;
user- and port-based tunnels; tunnel initiation,
pass-through, multiplexing and termination;
standard IPsec encryption (RFC 2401); GRE (RFC
1701); Selective Layer Encryption for VPN over
satellites (SLE); DES (56 bit) and 3DES/AES
(168 bit) encryption; ESP (RFC 2406) and AH (RFC
2402) encapsulation; HMAC MD5 (RFC 2403) and
HMAC SHA-1 (RFC 2404) authentication; IKE (RFC
2409), ISAKMP (RFC 2408); compatible with
other IPsec VPN clients; SLE to IPsec tunnel
switching.

Stateful Firewall
Built-in stateful firewall functionality;
IP filtering; protection against Denial of
Service (DoS) attacks, additional DMZ LAN
port; NAT and PrAT
(Private Address Translation).

Dial Backup
PAP/CHAP authentication; PPP; fast switchover;
auto-learning of IP routes; incoming or outgoing
connections

Network Management
Supervisory port (out-of-band); SNMP
(MIB-II with extensions); telnet (in-band);
multi-level password protection; and TFTP
for software upgrades and configuration updates

Physical Specifications
Height: 1.7 in. (4.32 cm); width: 8.36
in. (21.34 cm); depth: 9.0 in. (22.86 cm);
Weight: 1.5 lb. (0.68 kg)
Power (external): 100 to 240 VAC, 50-60
Hz; DC voltages 22DC - 56DC
Operating Temperature: -4° F to 140° F
(-20° C to 60° C); no fans
Non-operating Temperature: -40° F to 185° F
(-40° C to 85° C)
Humidity: 10% to 95% non-condensing
Altitude: Up to 10,000 ft. (3,048 m)
Specifications are subject to change
without notice.