Converts RS530 serial data connections into AES encrypted IP packets

Flexible Serial Data Extensions over Packet Switch Networks

Overview & Applications

The Black•Tube CEP RS530 converts RS530 serial data connections into AES encrypted IP packets that extend the circuit overThe Black•Tube CEP RS530 converts RS530 serial data connections into AES encrypted IP packets that extend the circuit oververy cost effective Ethernet based LAN/WAN/MAN wired and wireless networks. The Black•Tube CEP RS530 encapsulatesAsynchronous, Synchronous and HDLC serial data into IP packets. The Black•Tube CEP RS530, which is available with oneto four RS530 interfaces software configurable as DCE or DTE, facilitates the interconnection of Serial Data Over IP betweenSerial Bulk Encryptors (KG-84/KIV7/OMNI), Data Terminals, Data Acquisition Systems, WAN Routers and Bridges....

Layer 1
In Layer 1 operating mode every bit is encapsulated into an IP packet. The size and frequency of the IP packets can be setIn Layer 1 operating mode every bit is encapsulated into an IP packet. The size and frequency of the IP packets can be setwith data rates from 75 bits to 2.048 Megabits per second. Latency minimization is accomplished with FIFO sizing for the lowdata rate settings. A configured number of incoming packets are buffered in order to compensate for the packet delivery jitterintroduced by the Ethernet network. The size of this buffer is configured to accommodate the peak amount of jitter.

Asynchronous Over IP
Asynchronous characters from the RS530 interface with 5 to 8 data bits, baud rates from 1.2 to 38.4 kilobits, 1 or 2 stop bitsAsynchronous characters from the RS530 interface with 5 to 8 data bits, baud rates from 1.2 to 38.4 kilobits, 1 or 2 stop bitsthat are with or without parity are efficiently encapsulated into IP packets. The encapsulation supports block mode transfersto minimize the bandwidth required. Additionally the latency is controlled by setting the Tube Bytes per packet.

HDLC Over IP
In Layer 2 operating mode HDLC Data frames, such as those used by Wide Area Networking protocols PPP and Frame RelayIn Layer 2 operating mode HDLC Data frames, such as those used by Wide Area Networking protocols PPP and Frame Relayor proprietary Data Links, are transported within IP packets as HDLC over IP. The latency introduced is dependent upon theclocking rate and the HDLC frame size. Minimum latency is obtained by maximizing the clock rate and minimizing the MTU.HDLC Over IP frames are directly sent out the Serial interface since Clock synchronization is not required. WAN securityprovisioning, such as firewalling, is maintained.

Diagram1

Assured Delivery Protocol
In order to assure high quality communications over linkswith intermittent or noisy performance, such as Wireless, the Black•Tube CEP RS530 employs Engage’s robust AssuredDelivery Protocol with the following benefits:

• Packet out of sequence detection and re-sequencing
• Duplicate skipping
• Lost packet retransmissions with configured delay

Three LAN Interfaces

All Black•Tube CEP RS530 models ship with three10/100BaseT Ethernet LAN ports. The Ethernet interfaces provide for:

• Management interface on MLAN
• The Dual LAN Data Plane ports can be configured for:

- Connections over 2 Asymmetrical bandwidth links
- Protector Option for Redundant Packet Paths with Constant or Switch Over Criteria

Applications

Black•Tube CEP RS530 Applications

Flexible Synchronous Serial Data Extension Over IP
The Black•Tube CEP RS530, whose serial interfaces are configurable as DCE or DTE, facilitates the transport of bulk dataacross a combination of IP and WAN infrastructures. The Black•Tube CEP RS530's flexibility supports internetworking acrossvaried LAN/WAN/MAN/Satellite networks. The size and frequency of the IP packets can be set with data bit rates from 76bits per second to 16 million bits per second. Latency minimization is accomplished with multidimensional adaptive clockconfigurations.

Typical Applications

- RS530 LAN to LAN interconnect
- Secure Video TeleConferencing
- Field Command Centers
⁻ Secure Wireless Bridge connections

Black•Tube CEP RS530 for Type 1 Encrypted Data Over Internet Protocol

Defense and other Government agencies and Contractors face an ever-increasing need to establish Type 1 secure data communications links. These organizations often have access to flexible IP services such as Intranets, LANs, Metropolitan-Area Networks, WANs, or Wireless Ethernet. The Engage Black•Tube CEP RS530 allows users to leverage existing Bulk Data Encryption Modules for use over IP/Ethernet connections. Encrypted Data over IP with the Black•Tube CEP RS530 is a veryeconomical solution that leverages a proven installed base.

Encrypted Bulk Data-over-IP utilizing the Black•Tube CEP RS530 is an economical "Purpose Built" proven solution that leverages aninstalled base of high-performance INFOSEC devices. Approved Data Encryptors include:

• KIV-7 • KIV-19 • OMNI • KG-84

Flexible DCE to DTE Synchronous Serial Data Extensions over IP

Diagram2

Black•Tube CEP Management

Management Module

CEP security features include:

Black•Tube CEP isolates management and data plane func-tionality with the use of two separate processor modules. Management processor access is limited to encrypted ses-sions via SSH, or SNMPv3, that employ AES 256 bit keys and sophisticated NIST passwords. These sessions may be estab-lished after authentication via TACACS+ or Radius.

The independent Linux based management plane of the
Black•Tube CEP ensures Critical Infrastructure Data is iso-lated from management network access. The Management
Module uses internal serial ports to connect to the Data Planeprocessor.

Administration and User Logs are available with Syslog.

• Administrative policies for adding, removing, disabling andrenaming authorized users; limiting user access to assignedcommands; and enabling only desired port numbers.

• User authentication directly to the Black•Tube CEP or in conjunction with TACACS+ or RADIUS servers

• RSA SecureID support for two factor trusted compliance.

• An SSH command interface encrypting management traffic
with powerful 256 bit symmetric keys and NIST based pass-words.

App Diagram3

NERC Critical Infrastructure Protection Compliance

The Black•Tube CEP installations achieve NERC CIP compliance with a combination of internal and external functions.

Internally the Management Module software has the sophistication to implement comprehensive policies and privileges for administrator and user accounts. Administrator policy includes removal, disabling or renaming.

Interoperability with external functions such as Syslog, Network Timing Protocol, TACACS+ and Radius with its support for RSA SecureID delivers trusted compliance.

Electronic Security Perimeter	CIP-005 Requirement	IPTube CEP Solution
The Black•Tube CEP in combination with industry standard services meets the Electronic Security Perimeter's NERC CIP-005 specifications. In addition Control Plane isolation from the Data plane provides a higher level of security for the Cyber Assets.	R2.1 - Deny Access by Default R2.2 - Enable only needed ports R2.4 - Strong Technical Controls R3.2 - Unauthorized Access R5.3 - Access Logging	• Accounts must be created to allow access • Each Port may be enabled or disabled • RSA's SecureID two-factor Authentication • Alert messages via Syslog or TACACS+ • Syslog of Access and Command interactions
System Security Management	CIP-007 Requirement	IPTube CEP Solution
Access control is Authenticated, Authorized and Accounted for with Radius or TACACS+. Security Patches managed proactively.	R2.1-3 - Ports and Services R3 - Security Patch Management R5.3 - Secure Passwords R6.4 - Security Status Logs	• Unused Serial Ports and Services are disabled • Kernel and application upgrade alerts • Require minimum length, strength, frequency • Syslog and AAA via TACACS+

Black•Vault CA

Certificate Authority with Harware Security Module

The Black•Vault CA is a Certificate Authority appliance with an integrated cryptographically advanced Hardware Security Module, Smart Card Reader and resistive Touch Screen Display.

The Black•Vault CA is utilized to provide strong assurance of identity by issuing and managing public-key certificates. Certificates are generated and managed within secure software and trusted hardware. The Private key associated with a Certificate's public key is contained within the FIPS Level 3+ tamper reactive cryptographic boundary of the integrated HSM.

Circle of Trust
The built-in touch screen display, smart card reader and secure boot eliminates the risk from intermediary software or devices. An intuitive on-screen interface provides step by step guidance with a certified Trust Path for configuration, PIN entry and Multifactor Authentication.

Purpose-Built
The Black•Vault CA securely boots up as a Certificate Authority connected to its cryptographically advanced internal HSM. Secure installation and configuration of a general purpose operating system based Certificate Authority application combined with a Hardware Security Module is very complex and time consuming.

Black•Vault CA operations are performed in accordance with NIST IR 7924. Smart Card Multifactor Authentication with M of N ensures that key generation and certificate creation is restricted to those authorized by the Certificate Policy. Autonomous and Network Attached modes of operation are supported.

In autonomous operational mode all management operations are performed via the touch screen GUI interface. Authenticated Certificate Signing Request are input as files from the USB drive.

Certificate Revocation Lists are published by the internal HTTP server or transferred to a remote server. Online Certificate Status Protocol (OCSP) is used to provide access to the Certificate Revocation List.

A Network Attached operational interface is accessed by an authenticated and encrypted Secure Socket Shell channel. Certificate Signing Request are input as files or copied and pasted by an administrator's computer.
Operation is partitioned by privilege into security relevant functions that are Administrator, Auditor and Operator role based.

Real-Time Audits of the configuration and operation provide Security Administrators with the necessary information to discover anomalous activity or failure of critical functions. Audit information, can be sent to a trusted entity, is protected to prevent unauthorized access, modification, or deletion.

Critical Security Parameters, such as a certificate's private key, are encrypted by an inaccessible Master key that is zeroized upon tamper. Verifiable Updates: only signed code updates that are verified by the secure boot's private key will be executed.

Military Grade Tamper Reactive
The Cryptographic Boundary is within Secure CPU's silicon. The Die Shield has dynamic fault detection with real time environmental and tamper detection circuitry.

• Achieves Level 4 Tamper
• Eliminates Inadvertent Tamper
• Inherently Transport Safe

Black•Vault CA utilizes a resistive touch LCD color display to provide an intuitive iconic user interface. A structured menu system facilitates straight forward Key configuration and management.

The user interface presents Crypto Officers with a sequence of dialog boxes that lead through a series of well-defined steps to initiate the HSM and provision cards and keys.

BV mainmenu shrkn 2h web

Integrated Smart Card Reader
The Smart Card reader connects to industry standard smart cards via PKCS#11 such as the industry leading Gemalto IDPrime .NET. Two-factor authentication (2FA) solutions secure Crypto Officer and Operator access with Digital Certificates (PKI).

Black•Tube SER RS232

Encrypted RS232 Over IP

Overview & Applications

Flexible Encrypted Serial Data Extensions over IP Packet or MPLS Networks

The Black•Tube SER RS232 converts RS232 serial data connections into AES encrypted IP packets, securely extending the serial data over very cost effective Ethernet or MPLS based LAN/WAN/MAN wired and wireless networks. Synchronous, Asynchronous, Isochronous or HDLC serial data is encrypted then encapsulated into IP packets. This facilitates the packet interconnection of Serial: Bulk Encryptors (KIV7/OMNI), Data Terminals, Data Acquisition, SCADA RTUs....

Encrypted Serial over IP

Integrating encryption into the Engage's serial to packet converter means serial control and monitoring traffic is never “in the clear” on the packet network. Additionally, since encryption is done at the source prior to transport over the primary or redundant packet networks, the expensive and complexity of external in line Encryptors is eliminated.

Layer 1 with Isochronous

In Layer 1 operating mode every bit is encapsulated into an IP packet. The size and frequency of the IP packets can be set with data bit rates from 75 bits to 256 kilobits per second. Isochronous serial protocols, such as Conitel, are transported synchronously to maintain message timing alignment. A configured number of incoming packets are buffered in order to compensate for the peak packet delivery jitter introduced by the network.

Asynchrous over IP

Asynchronous characters from the RS232 interface with 5 to 8 data bits, baud rates from 1.2 to 38.4 kilobits, 1 or 2 stop bits that are with or without parity are efficiently encapsulated into IP packets. The encapsulation supports block mode transfers to minimize the bandwidth required. Additionally the latency is controlled by setting the Tube Bytes per packet.

HDLC over IP

In Layer 2 operating mode HDLC Data frames, such as those used by Wide Area Networking protocols PPP and Frame Relay, are transported within IP packets as HDLC over IP. The Serial to Packet conversion only occurs when HDLC frames are active.

Black•Tube SER RS232 Standard Features

Dual LAN Interfaces

All Black•SER RS232 models ship with two 10/100BaseT Ethernet LAN ports. The two Ethernet interfaces provide for:

• Management interface on LAN port 2 when LAN port 1is connected to a VPN tunnel

• Protector Option for Redundant Packet Path connections with Constant or Switch Over Criteria

Assured Delivery Protocol

In order to assure high quality communications over links with intermittent or noisy performance, such as Wireless, the Black•SER RS232 employs Engage’s robust Assured Delivery Protocol with the following benefits:

• Packet out of sequence detection and re-sequencing

• Duplicate skipping

• Lost packet retransmissions with configured delay

Black•Tube SER RS232 Optional Features

Protector OPTION -PRO

The protector option utilizes the second LAN interfaceas a redundant path for the interconnection of the IP encapsulated SER RS232 data. The extension of the SER RS232 has a fault tolerant link that is configured to always on, or with switch over criteria.

Serial Redundancy OPTION -Y

The Serial Redundancy option is used to switch the RS232 connection to a secondary IPTube in the case of a network or equipment failure maximizing network availability by providing complete hardware redundancy for mission critical applications.

Applications

Black•Tube SER RS232 for Encrypted Serial Data Over IP/Ethernet Connections

The "Purpose Built" Engage Black•Tube SER RS232 encapsulates and encrypts synchronous or HDLC serial data from Data Terminal or Data Communication Equipment such as Bulk Encryptors (KIV7/OMNI), Terminal Servers, Modems, Video Codecs, WAN Routers into IP packets. The IP connection provides for the transparent interconnection of Data Terminal/Communication Equipment via LANs, WANs, MANs, Satellite and Wireless Ethernet. The size and frequency of the IP packets can be set to bit rates from 2.4 Kilobits per second to 250 Kilobits per second with N times 2.4K, 56K and 64K clocking.

Flexible RS232 Serial Data Extensions over IP
Black•Tube SER RS232 facilitates the transport of bulk data across a combination of IP and TDM WAN infrastructures. The Black•Tube SER RS232 are deployed flexibly to support internetworking across varied LAN/WAN/MAN networks.

WAN Data Over IP

Black•Tube SER RS232 provides a transparent bandwidth regulated IP Tunnel for securely interconnecting remote Networks. WAN Protocols, such as PPP and Frame Relay, that utilize HDLC framing are encapsulated with HDLC Over IP. Broadband Service providers are able to transport Enterprise Wide Area Network connections with inband management of the Committed Information Rates. The Black•Tube SER RS232's IP Tunnel can also be utilized as a secondary path for fault tolerant mission critical applications.

IP•Tube SER 202T
4-Wire Modem Over IP

Flexible Serial Data Extensions over Packet Networks
The IP•Tube SER 202T has integrated Bell 202T modem interfaces that connect to the Bell 202T 4 Wire modem interface of Data Communication Equipment and transports their serial communication over IP Packet networks. This conversion facilitates a cost effective path for Utility and Pipeline industries to migrate their SCADA communication from end of life analog circuits to Ethernet based LAN/WAN/MAN wired and wireless networks.
Asynchronous Serial Over IP Asynchronous characters with 5 to 8 data bits, a baud rate 1.2 kilobits, 1 or 2 stop bits, and with or without parity are efficiently encapsulated into IP packets. The latency is controlled by setting the maximum number of consecutive async characters per IP packet.
SCADA Protocol Transparency The IP•Tube SER 202T transports asynchronous SCADA protocols transparently because of its unique TDM circuit emulation capability. RTU transmit data is encapsulated into IP packets at 64,000 samples per second and de-encapsulated at the far end at the same rate, ensuring proper RTU receive data delivery. Multiple RTUs can be IP multiplexed onto T1 circuits for routing to existing cross-connect and channel bank equipment.
IP•Tube SER 202T Standard Features
Dual LAN Interfaces All IP•Tube SER 202T models ship with dual 10/100 BaseT Ethernet LAN ports. The dual Ethernet interfaces provide for: • Management interface on LAN port 2 when LAN port 1 is connected to a VPN tunnel • Protector Option for Redundant Packet Path connections with Constant or Switch Over Criteria Assured Delivery Protocol In order to assure high quality communications over links with intermittent or noisy performance, such as Wireless, the IP•Tube SER 202T employs Engage’s robust Assured Delivery Protocol with the following benefits: • Packet out of sequence detection and re-sequencing • Duplicate skipping • Lost packet retransmissions with configured delay
IP•Tube SER 202T Optional Features
Protector OPTION -PRO The protector option utilizes the second LAN interface as a redundant path for the interconnection of the IP encapsulated SER 202T data. The extension of the SER 202T has a fault tolerant link that is configured to always on, or with switch over criteria.

IP•Tube SER Bell 202 T

Bell 202 T 4-Wire Modem Over IP MPLS Ethernet

Overview & Applications

Flexible Bell 202 Serial Data Extensions over Packet Networks The IP•Tube SER 202 T has integrated Bell 202 T modem interfaces that connect to the Bell 202 T 4 Wire modem interface of Data Communication Equipment and transports their serial communication over IP Packet networks. This conversion facilitates a cost effective path for Utility and Pipeline industries to migrate their SCADA communication from end of life analog circuits to Ethernet based LAN/WAN/MAN wired and wireless networks.
Asynchronous Serial Over IP Asynchronous characters with 5 to 8 data bits, a baud rate 1.2 kilobits, 1 or 2 stop bits, and with or without parity are efficiently encapsulated into IP packets. The latency is controlled by setting the maximum number of consecutive async characters per IP packet.
SCADA Protocol Transparency The IP•Tube SER 202T transports asynchronous SCADA protocols transparently because of its unique TDM circuit emulation capability. RTU transmit data is encapsulated into IP packets at 64,000 samples per second and de-encapsulated at the far end at the same rate, ensuring proper RTU receive data delivery. Multiple RTUs can be IP multiplexed onto T1 circuits for routing to existing cross-connect and channel bank equipment.
IP•Tube SER 202T Standard Features
Dual LAN Interfaces All IP•Tube SER 202T models ship with dual 10/100 BaseT Ethernet LAN ports. The dual Ethernet interfaces provide for: • Management interface on LAN port 2 when LAN port 1 is connected to a VPN tunnel • Protector Option for Redundant Packet Path connections with Constant or Switch Over Criteria Assured Delivery Protocol In order to assure high quality communications over links with intermittent or noisy performance, such as Wireless, the IP•Tube SER 202T employs Engage’s robust Assured Delivery Protocol with the following benefits: • Packet out of sequence detection and re-sequencing • Duplicate skipping • Lost packet retransmissions with configured delay
IP•Tube SER 202 T Optional Features
Protector OPTION -PRO The protector option utilizes the second LAN interface as a redundant path for the interconnection of the IP encapsulated Bell 202 T data. The extension of the Bell 202T has a fault tolerant link that is configured to always on, or with switch over criteria.

Applications

4-Wire Bell 202 Modem Over IP
Utility and Pipeline industries use 4 wire leased line communication circuits to connect remote SCADA equipment to control centers. A significant number of SCADA Remote Telemetry Units only have integrated 4 wire modem interfaces. The IP•Tube SER 202 T extends the life of proven SCADA systems by converting Bell 202 4 Wire modem interfaces to Ethernet for IP Packet network connectivity.

The IP•Tube SER 202 T interfaces directly to the 4 wire analog interface of the RTU, transparently encapsulates SCADA protocols from the RTU into IP packets, and transports those packets onto the IP network. At the control center, the central site SER Bell 202 Tseamlessly converts the packets back into their original 202T modem data format; or directly to an RS232 DCE interface with an IP•Tube SER RS232.

How to Order – Black•Tube CEP RS530
Part No.	Description	Notes

CEP-007-2530-0x	Black•Tube CEP RS530	Specify # of RS530 Ports Enabled (1 to 3)
CH-CEP-007-2530-0x	Chassis Slot Card: Black•Tube CEP RS530	Specify # of RS530 Ports Enabled (1 to 3)

Base Option		Specify as suffix

-EXT	Extended Temperature	-40C to 70C
-PRO	Protector Option	Fault Tolerant Network Interconnect
-Y	Serial Redundancy	Serial Interface hardware redundancy

Power Options	Specify as suffix	Hot Standby Configuration 2nd Power Suffix

-DCMOD	Power Supply Module 12/26 VDC ADP CON	Ships with Universal Adapter 90/240 50/60
-WIREDC	Power Supply Module 12/26 VDC Screw Term
-N48VDC	Power Supply Module Negative 48 Volt DC	Isolated Negative 48 Volt Power

Rack Mount Option		Specify as suffix

-RACKMNT	19" Wide Rack Mount Brackets	Enclosure Nut Serts Installed
Wall Mount Option
-WALLMNT	Right Angle Wall Mount Brackets	Enclosure Nut Serts Installed

NEW BlackDoor

Ethernet Packet Encryptors

Leased Line Cost Elimination

Convert Voice Circuits to Ethernet

• ROI Measured in Weeks

• Exploits Efficiency of Packet Networks

• Supports Legacy Switches and PBXs

Critical Circuit Redundancy

Always ON Critical Circuit Protection

Circuit Encryption

Encrypt:Voice, Video, and WAN Data

Critical Infrastructure

Ensure Continuous Operation of Your Critical Infrastructure Systems

Hardware Security Platform

Embedded Hardware Security Module

Converts RS530 serial data connections into AES encrypted IP packets

Flexible Serial Data Extensions over Packet Switch Networks

Overview & Applications

Technical Specifications

Data Sheet Download

User Manual Download

How To Order

Black•Vault CA

Certificate Authority with Harware Security Module

Black•Tube SER RS232

Encrypted RS232 Over IP

Overview & Applications

Technical Specifications

Data Sheet Download

User Manual Download

How to Order

IP•Tube SER 202T

4-Wire Modem Over IP

Flexible Serial Data Extensions over Packet Networks

IP•Tube SER Bell 202 T

Bell 202 T 4-Wire Modem Over IP MPLS Ethernet

Overview & Applications

Flexible Bell 202 Serial Data Extensions over Packet Networks

Technical Specifications

Data Sheet Download

User Manual Download

How to Order

Encrypt:
Voice, Video, and WAN Data