Black•Tube RS232 CEP
Converts RS232 serial data connections into AES encrypted IP packets
- Encrypted RS232 Over IP -
- Dual LAN Interfaces -
- Assured Delivery Protocol -
- CEP Management -
SIZE
9" (L) x 7.3" (W) x 1.50" (H)
Overview
The Black•Tube CEP RS232 converts RS232 serial data connections into AES encrypted IP packets, extending the serial data over very cost-effective Ethernet or MPLS based LAN/WAN/MAN wired and wireless networks. Synchronous, Asynchronous, Isochronous or HDLC serial data is encrypted and then encapsulated into IP packets. This facilitates the interconnection of Serial Data over IP between Serial Bulk Encryptors (KIV7/OMNI), Data Terminals, Data Acquisition Systems, WAN Routers and Bridges, and SCADA RTUs.
Layer 1 with Isochronous Support
In Layer 1 operating mode every bit is encapsulated into an IP packet. The size and frequency of the IP packets can be set with data bit rates from 75 bits to 256 kilobits per second. Isochronous serial protocols, such as Conitel, are transported synchronously to maintain message alignment. A configured number of incoming packets are buffered in order to compensate for the packet delivery jitter introduced by the network. The size of the Tube bit buffer is configurable to accommodate the peak amount of jitter.
Asynchronous Over IP
HDLC Over IP
SCADA Protocol Transparency
Assured Delivery Protocol
intermittent or noisy performance, such as Wireless.
Protector Option -PRO
The protector option utilizes the second LAN interface as a redundant path for the interconnection of the IP encapsulated RS232 data. The extension of the RS232 has a fault tolerant link that is configured to always on, or with switch over criteria.
Applications
Black•Tube CEP RS232 Utility Applications
NERC CIP mandates control center redundancy. RTUs must be accessible from, and be able to connect to, multiple control centers. Black•Tube CEP continuously monitors connectivity to the active control center and automatically switches to the active backup control center (1 to 4 supported).
- Meets NERC mandates for control center redundancy
- Preserves investment in RTU and Central site SCADA
- Facilitates control center redundancy with IP flexibility
- Supports up to four redundant control centers
- Redundant and diverse connectivity
Black•Tube CEP Multidrop
The Multi-Drop communication protocol was implemented in order to minimize the number of analog telephone circuits required to connect Data Center Front End SCADA controllers to Substation Remote Terminal Units. The CEP Multi-Drop feature allows a single RS-232 SCADA host connection to communicate with up to 8 remote terminals over a packet based network.
The Black•Tube CEP transparently supports Multi-Drop by simultaneously transmitting IP packetized Front End SCADA messages to up to eight remote Black•Tube CEPs. The Black•Tube CEP connected to the addressed RTU detects a control signal and sends the SCADA response back to the Serial interface connected to the Front End polling port.
WAN Data Over IP
Black•Tube SER RS232 provides a transparent bandwidth regulated IP Tunnel for securely interconnecting remote Networks. WAN Protocols, such as PPP and Frame Relay, that utilize HDLC framing are encapsulated with HDLC Over IP. Broadband Service providers are able to transport Enterprise Wide Area Network connections with inband management of the Committed Information Rates. The Black•Tube SER RS232's IP Tunnel can also be utilized as a secondary path for fault tolerant mission critical applications.
Black•Tube CEP Management
Management Module
Black•Tube CEP isolates management and data plane functionality with the use of two separate processor modules. Management processor access is limited to encrypted sessions via SSH or SNMPv3 that employ AES 256-bit keys and sophisticated NIST passwords. These sessions may be established after authentication via TACACS+ or RADIUS.
The independent Linux based management plane of the Black•Tube CEP ensures Critical Infrastructure Data is isolated from management network access. The Management Module uses internal serial ports to connect to the Data Plane processor.
Administration and User Logs are available with Syslog.
NERC CIP Compliance
The Black•Tube CEP installations achieve NERC CIP compliance with a combination of internal and external functions.
Internally, the Management Module software has the sophistication to implement comprehensive policies and privileges for administrator and user accounts. Administrator policy includes removal, disabling or renaming.
Interoperability with external functions such as Syslog, Network Time Protocol, TACACS+ and RADIUS with its support for RSA SecurID delivers trusted compliance.
Electronic Security Perimeter
The Black•Tube CEP, in combination with industry standard services, meets the Electronic Security Perimeter's NERC CIP-005 specifications. In addition, Control Plane isolation from the Data Plane provides a higher level of security for the Cyber Assets.
CIP-005 Requirement & IP•Tube CEP Solutions
R2.1 - Deny Access by Default
Solution: Accounts must be created to allow access
R2.2 - Enable only needed ports
Solution: Each Port may be enabled or disabled
R2.4 - Strong Technical Controls
Solution: RSA's SecurID two-factor Authentication
R3.2 - Unauthorized Access
Solution: Alert messages via Syslog or TACACS+
R5.3 - Access Logging
Solution: Syslog of Access and Command interactions
System Security Management
Access control is Authenticated, Authorized and Accounted for with TACACS+.
Security Patches managed proactively.
CIP-007 Requirement & IP•Tube CEP Solutions
R2.1-3 - Ports and Services
Solution: Unused Serial Ports and Services are disabled
R3 - Security Patch Management
Solution: Kernel and application upgrade alerts
R5.3 - Secure Passwords
Solution: Require minimum length, strength, frequency
R6.4 - Security Status Logs
Solution: Syslog and AAA via TACACS+
Specifications
LAN Network Interface
- LAN1/LAN2: Two Data Plane 10/100 Base T
- MLAN: Control Plane 10/100 Base T
LAN Network Protocols Supported
- IP, TCP, UDP, ICMP, Telnet, DHCP, DDNS, SSH
- Network Time Protocol - NTP
RS232 Interfaces
- 1-3 DCE/DTE RS232: 2 DB25F connectors; 1 DB60F connector (requires an adaptor cable, DB60M to 1 DB25M)
RS232 Interface Clocking
Synchronous: 75 bits to 256 kilobits per second
Asynchronous, Isochronous: 75 / 300 / 600 bits per second; 1.2 / 2.4 / 4.8 / 9.6 / 19.2 / 38.4 kilobits per second
RS232 Interface Control Signal Extension
- Comprehensive DTR / DSR / RTS / CTS / DCD State Processing and Extension
- DTR & RTS Enveloped Transmission
- CD Reception
RS232 Over IP Protocol
- Serial Over IP
- Circuit Extension Services Over IP
- HDLC Over IP
- Multi-Drop: 2 to 8
Protocols Supported
- HDLC, SDLC, PPP, Frame Relay
- Conitel, Modbus, DNP, Proprietary, Bit or Byte, AutoBaud
SCADA Encryption Algorithm
- AES 256-bit
- Fully Automatic key management
Management
Secure Shell - SSH V2 - Session Encryption
Centralized Authentication, Authorization and Accounting
- TACACS+, RADIUS, Two Factor Authentication
Syslog with NTP Time Stamping
Console Port for Out of Band Management
SNMP V3 Public and Private MIB support with configured traps
Quality of Service Support
- IP Type of Service (TOS) CLI configured
- IANA Registered UDP Port 3175
- 802.1p/q MAC-level prioritization
Regulatory
- CE
- Safety - IEC60950
- EMC - CFR 47 Part 15 Sub Part B:2002, EN55022: 1994 + A1 & A2, EN55024, ICES-003 1997, CISPR 22 Level A
Environmental
- 0° to 132° F (-10° to 50°C) operating temperature
- Up to 90% operating humidity (non-condensing)
- Optional Extended Temperature Range (-40°C to 70°C)
Dimensions
- Dimensions: 9" (L) x 7.3" (W) x 1.50" (H)
Power
- 12-30 VDC, 1.0A.
- Screw Locking Connector
- Universal Adapter 100/240 VAC 50/60 Hz
- Optional -48V 0.25 Amp
- Hot Standby
Ordering Information
Chassis Slot Card: Black•Tube CEP RS232
Rack Mount & Power Supply Options:
Part No.: Description
- CEP-007-2232-0x*: Black•Tube CEP RS232
- CH-CEP-007-2232-0x*: Chassis Slot Card: Black•Tube CEP RS232
*Note: x = Number of specified RS232 ports enabled (1 to 3)
Optional Features
- Y: Serial Redundancy, Complete hardware redundancy
- EXT: Extended Temperature, -40C to 70C
- PRO: Protector Option, Fault Tolerant Network Interconnect. The protector option utilizes the second LAN interface as a redundant path for the interconnection of the IP encapsulated data. The extension of the IP-Tube has a fault tolerant link that is configured to always on, or with switch over criteria.
Power Supply Options
- 094-2418: 90-220 VAC Universal International/Domestic Adapter
- 094-2418-R: DUAL REDUNDANT, 90-220 VAC Adapter
- 094-N48V: Internal Power Module, -48 VDC Screw Terminals
- 094-N48V-02: DUAL REDUNDANT, -48 VDC Screw Terminals
- 094-1500: WIREDC Option, +24 VDC Screw Terminals
- 094-WIREDC-R: DUAL REDUNDANT, +24VDC
Rack Mount Options
- 095-1000: Rack Mount Kit - for single 7" products (Fits both 19" and 23" racks)
- 095-2000: 2 unit 19" x 1RU Rack Mount Kit for 7" products
- 094-WIREDC-R: DUAL REDUNDANT, +24VDC
- 095-3000-RTANG: Right Angle Wall Mount Bracket Kit