WHITEPAPER
Multi-Network M2M communication platform for Siemens SCALANCE and RUGGEDCOM routers
June 2016
ENABLING GLOBAL IOT CONNECTIVITY
A new management platform for remote networks, SINEMA Remote Connect, is a server application which provides secure user access to remote plants or machines even when those machines are deployed in third-party networks or plants.
The management platform capability provided by SINEMA Remote Connect helps to simplify the configuration and management of remote access networks, terminal units and the associated OpenVPN connections. The intuitive user interface enables users to configure and manage security parameters associated with the point-to-point network connections either as groups or individually.
Interconnecting users, remote systems and machines over the internet is most effectively performed using secure virtual private network (VPN) connections and industrial network routers. SINEMA Remote Connect makes configuration and maintenance of the required VPN tunnel keys and certificates easy and secure.
The SCALANCE M876-4 LTE industrial router is used to connect remote terminal units with the server. Setup is straightforward. When the SCALANCE router connects to the server to provide operational data, it triggers an exchange of VPN certificate details between server and router via a secure HTTPS connection.
WHAT IS SINEMA REMOTE CONNECT
Since the VPN connection is always initiated by the industrial router, the field operator retains control of connecting their machine to the internet and to the SINEMA Remote Connect server.
Multiple devices can be set up in a similar way and can then be assigned into groups if appropriate, and access permissions can be established for each group. Ultimately a secure network of machines and systems is created with the security credentials and access controlled by the central server.
In addition to managing the on-boarding of the terminals, SINEMA Remote Connect also allows administration of various users. For example, service technicians must be provided with secure access to machines, but that access can be limited to those machines and equipment which are individually relevant to them.
Access control and administration can be done via a secure web interface. User permissions and device or group assignments can be made ensuring that only authorised users can access the appropriate terminal units. This web interface access is via a secure VPN connection and using the SINEMA Remote Connect Client, which is included with the base package.
In addition, the SINEMA Remote Connect Server offers the machine manufacturer the opportunity to upgrade the SCALANCE industrial router. A new firmware version can be uploaded to the server, which is subsequently uploaded to the SCALANCE devices via the connection to the server.
If the system components are in remote areas (such as water or sewage systems) or are mobile (e.g. industrial vehicles, waste containers or compactors) then mobile wireless routers are used.
The SCALANCE M876-4 provided by SIEMENS is enabled with an LTE broadband connection for systems such as surveillance cameras. Lower data requirements and world-wide coverage are supported using 2G and 3G (EV-DO for the US market is also supported). All mobile routers can be connected to the SINEMA Remote Connect management platform.
Local networking with PLCs, cameras and other terminals is achieved via the 2 or 4 (router version dependent) local LAN ports, via digital IO inputs or via SMS. This allows full control over the connections and connection duration of the remote stations. The SCALANCE router family meets the highest industrial requirements in terms of robustness, reliability and safety. Its intuitive usability also allows rapid troubleshooting by system personnel without deeper IT knowledge in the event of a breakdown. One option offered here is simple device replacement. This is made possible via the KEY-PLUG, a licensing and storage medium which, besides the automatic configuration interface and connection to the SINEMA Remote Connect Server, also enables the backup of the current device configuration.
In the unlikely event of the SCALANCE industrial router breaking down, the maintenance engineer on site only has to replace the device, insert the KEY-PLUG and after the next launch of the new SCALANCE device full functionality is available again.
SCALANCE M87X MOBILE WIRELESS ROUTER – MOBILE ENABLED
Figure labels: SINEMA Remote Connect; SINEMA Remote Connect Client; OpenVPN tunnel; Application: using IT infrastructure with SCALANCE S615 router; Application: ADSL infrastructure, SCALANCE M816 router (not yet available); Application: when no fixed-line infrastructure available, SCALANCE M87x; e.g. installation on customer's own PC.
Unrestricted © Siemens AG 2015. All rights reserved.
Arkessa is a Machine to Machine (M2M) and Internet of Things (IoT) managed service provider and offers MVNO-style services to help enterprises connect to the Internet of Things in a secure, reliable and globally scalable manner.
An MVNO (Mobile Virtual Network Operator) does not own a mobile radio network but aggregates multiple different networks and offers customers access to those via a single provider. This creates a global connectivity solution without the significant complication of establishing and maintaining relationships with numerous different Mobile Network Operators.
Not only is network access simplified, a Management Platform enables customers to visualise, monitor and manage connections via a single user interface and in a standard way regardless of which mobile networks are actually used. These tools and management services help users optimise the deployment process, implement data and financial controls and apply additional security mechanisms across their IoT portfolio once operational.
Arkessa can also offer these same services on Satellite and Low-Power WAN technologies.
THE ROLE OF MVNOS IN PROVIDING OPTIMUM CONNECTIVITY FOR IOT PRODUCTS AND SERVICES
Figure: COMMUNICATION PLATFORM. Labels: Global Cellular; Satellite; Low Power WAN; Business System Integration; Management Portal; Secure; Connectivity Management; Security; Monitoring; Reports & Alerts; Multi-Carrier Integration; Secure Enterprise Integration.
The multi-network capabilities of an MVNO make it easier for IoT product companies to deploy nationally and internationally. Having a choice of networks for national deployments minimises coverage concerns. The ability to identify and connect to the network with the strongest signal and/or roam from one network to another means devices (whether stationary or mobile) can connect first time. Multi-network connectivity also provides the resiliency needed for ensuring superior customer experience be it a Consumer product or an Enterprise grade service in the Energy/Utility, Automotive, Building or Smart City domains.
These same benefits apply to multi-national deployments as well. The global network roaming capability allows Enterprises with facilities, people and assets deployed regionally or internationally to scale an MVNO solution to provide connectivity wherever they need it. Product and Service provisioning can be simplified, deployment and installation can be quicker and operational efficiencies and customer service can be optimised courtesy of the geographic and network roaming capabilities.
At the device level, a single SIM card slot is no longer a limitation on coverage and resiliency. Devices with two SIM card slots can now be optimised: the second connection can be used as a redundant or failover option, it could be used as a maintenance, monitoring or management connection, or it could be removed altogether.
BENEFITS OF DEPLOYING IOT PRODUCTS AND SERVICES WITH AN MVNO
Figure: CONNECTIVITY MANAGEMENT PLATFORM. Labels: Detailed usage & performance reports; Connection Status; Panoramic view of connection portfolio; Notifications and Alerts; Security; Detailed Diagnostics; Self Service; Set Limits; Secure Resilient Infrastructure; Web Portal; Business System Integration.
SOME IMPORTANT DECISIONS TO BE MADE DURING PLANNING STAGES.
It is beneficial to check which service providers are available within the target countries. The appropriate tariffs can be selected to allow access to all national networks or perhaps to constrain access to only certain networks. These choices will impact monthly service charges once in-service.
By selecting a tariff which grants access to all networks, a costly on-site signal strength measurement can be avoided. Purchasing higher volumes of just one type of SIM card will help with service provision and costs.
MANAGING CONNECTIVITY IMPROVES OPERATIONS, SECURITY AND FINANCIAL CONTROL
Most MVNOs will provide a Connectivity Management platform which enables users to securely manage device connections in and out of the system and to monitor data usage. Operational management, reporting and financial forecasting for the entire IoT portfolio can be performed via a single user interface regardless of which networks are actually employed.
Growth: Efficient planning and operations accelerate time to market
• Devices can now be shipped and connect first time out-of-the-box
• Support for pilot programs and field testing
• Billing activation after pre-defined time or data threshold has been reached
• De-activate connections to avoid billings on inactive devices
Security: Build an extra security layer into IoT deployments
• Minimise the risk of unauthorised use by setting secure usernames & passwords
• Private IP addresses – permanent, unique identifiers much like a phone number
• Identify rogue device activity or misuse
• Suspend problem connections and prevent new data sessions being started
Analysis: Retrieve information quickly. Make smart judgments
• Granular viewpoints – global audit down to individual connections
• Display connection data over a period to highlight trends and patterns in usage
• Set data alerts & caps. Get early warnings on approach to data limits
• Conduct fault analysis by sending PING command to the device
Productivity: Visualise and manage connections
• Create custom filters & graphs based on specific criteria
• Powerful graphical filtering & group tagging features provide focussed views
• Assess data usage at-a-glance and in real-time
• Quickly produce data usage reports ahead of monthly invoices
Secure transfer of user and mission-critical data is an essential aspect in creating IoT systems. The MVNO can make a significant impact on IoT system security by underpinning network security and resiliency, providing secure and private interconnects to both radio access networks and Enterprise systems and by provisioning secure connection features like fixed, private IP addresses.
A critical infrastructure component is the APN (Access Point Name), which is essentially a gateway that interconnects with the Radio Access Networks and, ordinarily, the public internet. MVNOs will typically implement their own private APNs and provide private IP address ranges, which keeps IoT data separate from the public internet. This has the benefit of avoiding the security risks associated with the internet and improving system latency.
A single private APN can be provided for each customer. This approach allows all devices to be configured in a common but customer-specific way and still allows connection in all countries and all networks.
PRIVATE MVNO INFRASTRUCTURE IMPROVES SECURITY, DEPLOYMENT AND QUALITY OF SERVICE
Figure: SECURE RESILIENT NETWORK INFRASTRUCTURE. Labels: Secure, Resilient Radio Network; Private APN; Secure, Resilient Data Network; Customer.
• SIM authentication with MNO guarantees only genuine devices can connect to M2M network.
• IPsec VPN secures data flow between device and network.
• Arkessa offer fixed IP addresses as standard for no extra cost. This is a unique identifier, much like a mobile phone number.
• SIM theft or hacking is mitigated by Arkessa. Service/usage restrictions can be enforced via EMPort.
• Support for eUICC or “SIM-on-a-chip” is also provided which is an additional physical security layer in itself.
• Security and Resiliency is achieved courtesy of a comprehensive architectural provisioning.
• Dual interconnects between Arkessa’s M2M platform and the mobile networks ensure that if an interconnect fails, automatic failover maintains data flow via the alternative route.
• Arkessa’s platform is itself hosted in multiple data centres, providing complete resilience even in the event of data centre outage.
• All mobile networks connect with our M2M platform via Arkessa specific or customer Private APNs, meaning that at no point is the data transferred across the Internet.
• Dual interconnects between Arkessa’s platform and the customer Enterprise networks ensure that if an interconnect fails, automatic failover maintains data flow via the alternative route.
• IPsec, SSL or TLS virtual private network (VPN) connections are used to secure interconnections.
• The customer can exert control and limits on usage and service via their preferred business systems once integrated with EMPort:
  ◦ Data authentication & accounting
  ◦ Usage alerts and reporting
  ◦ Limits on service. Caps on usage
  ◦ Deactivation of connections
NETWORK AGNOSTIC MVNOS PROVIDE MORE RELIABLE CONNECTIVITY, REDUCE THE NEED FOR SITE VISITS AND HELP PRESERVE BATTERY LIFE IN IOT DEVICES
Most Mobile Network Operators (MNOs) will attempt to orchestrate network connections onto home or roaming partner networks. For consumer devices, like smartphones or tablets, this is arguably the best policy, but for IoT devices this kind of approach can lead to unreliable connectivity and consume power unnecessarily – a critical issue for battery operated devices.
Network access can be controlled via policies and lists contained in the SIM card. This allows networks to be blocked and network access to be prioritised or ‘steered’. Most MNOs will prioritise their own networks out of commercial interest but also to ensure that they can best deliver on the customer service level agreement (SLA) and bill at the agreed rates. This results in ‘steering’ of the connection not only at power-on but at regular periodic intervals thereafter.
For smartphones and tablets the user is in direct possession and control of the device and can therefore easily identify and often enough manage any discontinuities in connectivity (by switching to WiFi, for example).
For IoT devices, which are often mobile, often deployed in basements or stairwells, situated in congested city environments or off the beaten track, and regularly deployed multi-nationally, this situation is inevitably troublesome.
• IoT devices are almost always unmanned. Connectivity issues have to be identified and managed remotely.
• Repeated attempts at ‘steering’ the connection back to home or prioritised networks will consume energy and drain the battery.
• Lack of flexibility or limits on network access will complicate deployment planning, slow time-to-market and make it more difficult to manage costs – bill shock is often the result.
SOURCES OF UNRELIABILITY IN NETWORK ACCESS
IOT SPECIALISTS
MVNOs like Arkessa will provide specialist M2M and IoT support pre- and post-sales. This expertise will enable the optimal decisions to be made regarding network (single or multiple, in country or multi-national) and tariff choices. In service, specialist support personnel will help with management and troubleshooting. EMPort, the Arkessa Connectivity Management platform, provides users with the ability to monitor, manage and control their IoT portfolio for themselves.
Arkessa connects with more than 540 mobile networks in more than 200 countries. By aggregating all mobile networks into a single managed service Arkessa will help put you in control of your mobile network planning and deployment. Managing them all from one place through one provider gives you the flexibility, reliability and coverage you need without the hassle of forming numerous relationships with service providers around the world.