Abstract
PMI’s Boomerang monitor is a versatile product, with configurations capable of sampling voltage, current and power. These analyzers are accompanied by powerful analysis software through PMI’s Canvass web application or even through a utility’s own SCADA network. This white paper covers the different Virtual Private Network options and configurations that are possible with the Boomerang for a variety of data analysis scenarios.
Why Virtual Private Networks?
Virtual Private Networks (or VPNs) allow a network-connected device (or group of devices) to be virtually “walled off” from other devices on a larger network while still providing access to that network through the use of a “tunnel.” These tunnels encrypt the flow of data through the VPN.
Typically, a VPN is established to provide access to a secure environment through an unsecured network – such as allowing employees to remotely connect to a work network over the internet. The VPN is responsible for encrypting and securing all of the data that flows between nodes within the virtual network itself.
PMI makes heavy use of VPNs when deploying Boomerangs for a number of reasons, chief among them being security. That isn’t to say that Boomerang communication over the unencrypted internet is not safe – there are scenarios where this is supported and even preferred. Some of the other reasons that PMI chooses to use VPNs for Boomerang deployments are to segregate devices between customers into their own private networks (which can then be forwarded to the customers’ own internal VPNs) and for bookkeeping purposes.
It is worth reiterating that when using a VPN, while the VPN is available through the internet, the devices that are within the VPN are not directly accessible through the internet – they are only accessible through the tunnel established between the customer and the remote virtual private network.
What Types of VPN Options Are Available?
Direct VPN Between Cellular Provider and the Utility: Under this scenario, a VPN is established directly between the cellular provider (both GSM and CDMA are available) and the end user, as shown in Figure 1. This configuration is often selected by larger utilities as they already tend to have accounts established with wireless providers which often affords them a little leverage when negotiating rates and data plans. Under this plan, the utility is solely responsible for provisioning service and SIM cards, managing the VPN tunnel and interfacing with the wireless provider. All IP addresses assigned by the wireless provider are static.
Direct VPN Between PMI and the Utility: Using this configuration, PMI is responsible for setting up a VPN between the wireless provider of choice and PMI. Once this VPN has been established, PMI then coordinates with the customer to establish a secondary VPN between the customer and PMI (see Figure 2). All traffic is then routed from the customer→PMI VPN through the PMI→Wireless Provider VPN. In this scenario PMI is responsible for all communications, networking and interfacing with the Wireless Provider. PMI is also available to help troubleshoot any communication issues between the customer and PMI through the secondary VPN network. Again, all IP addresses assigned by the wireless provider are static.
No VPN: The final option is to use no VPN at all. In this case the wireless provider will provide public (on the internet) static IP addresses directly to each Boomerang (Figure 3). This option has some pros and cons which are discussed further in the sections Canvass Configurations and SCADA Configurations.
Canvass Configurations
Canvass Only System – Hosted at PMI
With a PMI-hosted Canvass solution, a customer’s Boomerangs will report back to the PMI network using a proprietary communication protocol designed and developed by PMI. Power Monitors is responsible for the Canvass web application (updates, maintenance, etc.) and all data storage. Users are able to configure their accounts for e-mail and text message alerts, alarm thresholds and user preferences.
In a PMI-hosted solution, only one VPN option is really viable: the Wireless Provider → PMI VPN option. (The no VPN option is also perfectly legitimate in this scenario.) With a PMI-hosted Canvass-only solution, no connection back to the utility’s Local Area Network is necessary.
Canvass Only System – Hosted by Customer
With a customer-hosted Canvass solution, a customer’s Boomerangs will report directly back to the customer’s network using the same proprietary protocol mentioned above. In this case, the customer will be responsible for procuring the server hardware necessary to run the different pieces of the Canvass system and its related software (RDBMS, UNIX daemons, web servers, etc.).
With a customer-hosted solution, the only reasonable VPN option is the Customer → Wireless Provider VPN option, wherein the customer and the wireless provider negotiate their own terms and data plans for the Canvass system. (For more information on the pricing plans and wireless tiers available through PMI, see the whitepaper entitled “Choosing a Cell Plan for Boomerangs.”) Please contact PMI for more information on hosting Canvass.
SCADA Configurations
Utilities that are looking to deploy Boomerangs into an existing SCADA system are really given two options from those listed above: public static IP addresses outside of a VPN (the no VPN option) and the VPN between the wireless provider and the utility.
With the no VPN option, the utility will need to do a little bit of IT maneuvering: the firewall must be opened to traffic to and from the Boomerangs on the internet so that the SCADA LAN and the Boomerangs can communicate.
With the Wireless Provider → Utility option, the utility will still have to do a bit of IT legwork to establish the VPN between the two entities, but it does spare the IT staff from having to open a forward-facing port to the unsecured internet.
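The difference between the two SCADA options comes down to what the utility firewall must accept. The following model, added here as an illustration and not PMI code, contrasts a forward-facing port restricted to the carrier-assigned static IPs (no VPN option) with a port reachable only over the tunnel interface (Wireless Provider → Utility VPN option); the Boomerang addresses, interface names and SCADA port are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen by the utility firewall
    dst_port: int   # destination port on the SCADA LAN
    iface: str      # "wan" = internet-facing interface, "tun0" = VPN tunnel

# Constructed placeholders: static IPs the wireless provider assigned to
# two Boomerangs, and the port the SCADA listener exposes (hypothetical).
BOOMERANG_STATIC_IPS = [ip_network("198.51.100.10/32"),
                        ip_network("198.51.100.11/32")]
SCADA_PORT = 20000

def no_vpn_policy(pkt: Packet) -> bool:
    """No VPN option: the SCADA port is opened on the internet-facing interface.
    The tightest practical rule accepts it only from the carrier's static IPs;
    this is a source filter, not authentication, so the list must be kept
    current and any address not on it is dropped."""
    if pkt.iface != "wan" or pkt.dst_port != SCADA_PORT:
        return False
    return any(ip_address(pkt.src) in net for net in BOOMERANG_STATIC_IPS)

def vpn_policy(pkt: Packet) -> bool:
    """Wireless Provider -> Utility VPN option: no forward-facing port exists.
    Boomerang traffic is accepted only if it arrived through the tunnel."""
    return pkt.iface == "tun0" and pkt.dst_port == SCADA_PORT

def admitted(policy, probes):
    """Return the subset of probe packets the given policy lets through."""
    return [p for p in probes if policy(p)]

if __name__ == "__main__":
    probes = [Packet("198.51.100.10", SCADA_PORT, "wan"),   # Boomerang, internet
              Packet("203.0.113.7", SCADA_PORT, "wan"),     # other internet host
              Packet("198.51.100.10", SCADA_PORT, "tun0")]  # Boomerang via VPN
    for name, policy in (("no VPN", no_vpn_policy), ("VPN", vpn_policy)):
        print(name, [p.src + "/" + p.iface for p in admitted(policy, probes)])
```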
Hybrid Canvass-SCADA Configurations
In one final scenario, a utility may wish to take advantage of all of the Boomerang’s capabilities and report both back to the utility’s SCADA network and to Canvass. In this example, it will be assumed that the Canvass deployment is a PMI-Hosted Canvass system and that the SCADA system is part of the utility’s LAN as shown in Figure 4.
With this option, any of the three networking options (PMI VPN → Utility VPN, Wireless VPN → Utility VPN or no VPN at all) is viable.
In the instance of a PMI VPN → Utility VPN configuration, PMI would establish the VPN with the wireless carrier to segregate the utility’s Boomerangs from all the others. PMI would then use this VPN as the interface for the Boomerangs to use to report their data to the Canvass system and would then use the private VPN interface between PMI and the utility to forward all SCADA traffic back into the utility’s SCADA LAN.
In the case of the “no VPN” option, the Boomerangs would simply report directly to the PMI Canvass system over the internet and would also report directly to the utility’s SCADA system over the internet and through the aforementioned ports that had been opened on the utility’s firewall.
The Wireless VPN → Utility VPN option would work much the same way as if PMI had established the VPN with the wireless carrier, except that traffic will flow from the utility’s network back to PMI over the VPN (instead of from PMI to the utility). This will allow the utility to directly manage the wireless accounts for their Boomerangs, maintain their own VPN with the wireless carrier and still securely send Canvass data back to PMI, taking advantage of the full Boomerang feature set.
Conclusion
The wireless networking options for the Boomerangs are varied and range from the simple to the somewhat complex. This paper has enumerated several of these options and has provided some real-world, concrete examples of different configurations and has provided some of the pros and cons of each.