Energy Efficiency Made Simple Vol IV 2015

Files called MIBs (Management Information Bases) can be provided by manufacturers, and are effectively a dictionary that allows SNMP to understand manufacturer-specific information about a device. Once again cost must be considered, as an NMS and its attached licence will generally not come cheap. In almost any mission critical network, however, the benefits gained from having an NMS on site far outweigh the initial CAPEX (capital expenditure) and OPEX (operational expenditure) involved, especially when troubleshooting issues on the network. An NMS will give information in a couple of minutes that could take hours or even days to track down and collect manually. On this basis alone an NMS will pay for itself after a couple of small issues, simply by avoiding the cost of calling in a third party to troubleshoot the network.

An NMS uses SNMP to gather information from devices periodically (called polling), and also to let devices send information to the NMS in the case of a critical change such as a port failure on a switch (this process is known as trapping). Along with this, the NMS will also use protocols such as ICMP (Internet Control Message Protocol, i.e. ping) to test the uptime of devices, and will test services such as HTTP (for web access to a device), FTP (for file transfers) etc. The NMS will then present all this information in a summarised format and will provide a visual map of the network. Various alarms can be marked on the visual map to provide a quick and easy way to view the overall status of the network. An NMS allows network administrators to be proactive rather than reactive by pointing out potential issues before they become serious problems. An NMS can be closely compared to a SCADA system in that it provides a visual representation of the network, and monitors and possibly controls functionality.

Remote access

Remote access is another hot topic when dealing with a communications network and, as long as it is properly implemented and secure, remote access can lead to huge savings of time and effort when troubleshooting or maintaining a network and its attached devices. Remote access refers to a user gaining access to the network and its attached devices from a location not directly attached to the network. This will normally use the internet as the intermediate network via which the user gains access to the site, but can also use a private WAN (Wide Area Network) such as a privately owned cellular network covering the locations in question.

Using one of the many VPN (Virtual Private Network) protocols available, the user will then create a secure tunnel through the intermediate network to the site. This tunnel will be encrypted and will authenticate and authorise any users/data attempting to traverse it, so data travelling along this tunnel will not be readable by malicious users in the intermediate network (which is obviously a concern when using the internet as the intermediate network). Users are therefore able to troubleshoot, configure or collect data off devices from the comfort of their home or office, rather than having to travel out to site or to a central control room to do so. This can prove invaluable, especially in cases where travelling to and from site can take a long time. In some cases the time the travel takes can be potentially 3-4 times as long as the actual troubleshooting process. When an issue is discovered, this means that technicians and engineers can address the issue remotely. This adds up to reduced travel time, quicker troubleshooting response and increased productivity in the long run.

It is critical to make sure that the security offered by the VPN router is high enough that the remote access can be properly secured. A few years ago security for VPNs was not as advanced as it is today, so remote access was generally never used on mission critical networks. With improvements in the authentication and encryption protocols in use, a VPN can be set up that provides stable, reliable, remote access with the peace of mind that comes from properly implemented security. Finally, when implementing security it is critical that internal company policies are created to support the security system. For instance, securing your remote access with a VPN is a waste of time if the username/password and relevant certificates are spread around the company (and possibly outside of the company) in an uncontrolled fashion.

Case in point

In a recent case, an unspecified mission critical network in South Africa was providing VPN access to various third party companies for monitoring and control purposes. After a few months, the list of allowed VPN users was in the double digits, and suddenly it was discovered that unknown users were using the VPN to gain access to the network and interfering with PCs on the network that they had no business logging into. At this stage most of the VPN connections were cancelled and new policies were put in place to better control the VPN access. Fortunately, no malicious damage was caused by the unwanted remote access, but this could have turned into a serious problem. The cause of the issue was determined to be the fact that many of the third party companies had started sharing the VPN login details amongst various members of the company, and eventually this became uncontrollable. Whether the unknown users had malicious intent or not was (fortunately) not discovered before the VPN access could be better controlled.

Conclusion

In this article we have discussed some of the most salient points that must be covered when designing and planning an Ethernet network. Some sites may require other protocols and features that have not been discussed, while others may not require all the points in this article. Every application is unique and should be planned for with this in mind. Some set-ups that work perfectly for Application A may not work for Application B. IP ranges and VLANs will depend on the number of devices, their purpose and their physical locations, as well as the overall topology of the network and its requirements. For this reason it is important to spend time on the planning phase and invite specialists to provide information and insight where required, in order to arrive at the best possible network design that caters not only for the network at hand, but also for any future upgrades or changes to that network. Skimping on the planning and design phases will generally lead to a network that does not perform to the best of its abilities, and the time saved by doing so will be far outweighed by the additional time wasted on troubleshooting and design changes during the commissioning and live running phases.
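The credential-sharing problem described in the case in point (one VPN login used by many people at a third party) is something a VPN log can reveal long before unknown users start touching PCs. The following is an added detection example, not code from the original article: it parses constructed VPN login records in an assumed "timestamp LOGIN user= src= session=" format and flags any username whose logins within a time window come from more distinct source addresses than one person plausibly uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN login records (not from any real system).
# Assumed format: "<ISO timestamp> LOGIN user=<name> src=<ip> session=<id>"
SAMPLE_LOG = """\
2015-03-02T08:01:10 LOGIN user=vendor_a src=192.0.2.10 session=101
2015-03-02T08:03:42 LOGIN user=vendor_a src=198.51.100.7 session=102
2015-03-02T08:05:00 LOGIN user=vendor_b src=203.0.113.5 session=103
2015-03-02T09:30:15 LOGIN user=vendor_a src=192.0.2.77 session=104
2015-03-02T10:12:00 LOGIN user=vendor_b src=203.0.113.5 session=105
2015-03-02T22:40:09 LOGIN user=vendor_a src=203.0.113.200 session=106
"""

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) session=(\d+)$")


def parse_logins(text):
    """Return a time-sorted list of (timestamp, user, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def shared_credential_report(events, window=timedelta(hours=24), max_sources=2):
    """Flag users whose logins inside any `window` come from more than
    `max_sources` distinct source addresses. Returns {user: sorted sources}."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # Sliding window anchored at each login; logins are time-sorted.
            srcs = {s for t, s in logins[i:] if t - start <= window}
            if len(srcs) > max_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    for user, srcs in shared_credential_report(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: logins from {len(srcs)} sources in 24h -> {srcs}")
```

Tune `window` and `max_sources` to the site's own access policy; a tight window (a few minutes) with `max_sources=1` catches two people using the same account at the same time, which is the clearest sign that a login has been handed around.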
