Automating the NOC in the Era of Industrial IoT
After reviewing, at length, zero-touch provisioning (ZTP) for uCPEs, in this blog post we will focus on secure ZTP for IIoT over public networks.
In recent years, the demand for improved network visibility has been growing at an exponential rate. The constant pressure to reduce OpEx and become more efficient forces organizations to monitor their networks more closely and invest in new automation systems. They need to dramatically improve their resource management and be able to run preventive maintenance to minimize downtime and loss due to unplanned service outages. This, in turn, requires a rapid scale-up of the communication means used to backhaul the data collected by the many different sensors at multiple remote sites to the central control systems.
In many cases, public utilities (e.g., electric, oil/gas and water), railways and many other organizations do not have their own communications infrastructure reaching all remote sites. To backhaul traffic for their critical services, many of them use cellular or other public networks.
The Burden of Manual Provisioning
Deploying hundreds or thousands of communications devices over public networks (off the private network, or just "off-net") poses two main challenges. First, there are the operational costs involved in the devices' setup (configuration), and second, there is the need to ensure that all communications between the remote sites and the network operations center (NOC) are secured from the moment the devices are turned on.
Traditionally, all devices would arrive at the organization's warehouse, where skilled personnel unbox them and load the configuration and certificates needed to establish a secure VPN over the public networks. The devices would then be repacked and shipped to their final destination. Alternatively, skilled technicians would perform the configuration on-site using prepared scripts and, in some cases, with only pre-shared keys instead of certificates. Both methods are inefficient, costly and susceptible to human error.
And Then There’s ZTP
ZTP, on the other hand, greatly simplifies operations with a remarkable impact on OpEx. When a new device is installed in the network, ZTP provides a "miraculous" way for the device to securely "call home" and connect to the organization's NOC, from where it can be further managed.
In addition to the communications equipment, several elements and functions are required to successfully set up secure ZTP. These include a central management system at the NOC to orchestrate and prepare the different configurations for the multiple devices, and a Bootstrap server in the organization's DMZ with a reachable IP address. The Bootstrap server holds a configuration file and/or a software image, marked with a unique identifier, for each device that needs to be connected to the network.
How Does it Work?
The process mandates that the equipment vendor securely pre-loads the certificates and performs a minimal configuration setup (e.g., the Bootstrap server's IP address, domain name, APN, etc.). These are needed to establish secure communications and to ensure device authentication, data integrity and encryption throughout the process.
The ZTP process itself begins when the remote device powers up for the first time and securely connects to the pre-configured address of the Bootstrap server. Once authenticated, the device retrieves from the server its configuration and possibly a new software image, using its unique identifier to minimize errors. After it is loaded with the new configuration and/or software image, the device reboots for the changes to take effect. Once it is up, the device is ready to deliver its services to the NOC over a secure VPN established with the pre-loaded certificates. From this point on, the organization can replace the certificates at any time using standard PKI with X.509 and a SCEP server.
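As an added illustration of the flow above (example code, not RAD's or any vendor's implementation), here is a toy version of the Bootstrap server's lookup and the device's integrity check in Python. It assumes the device identity arrives from a mutual-TLS client certificate that the transport layer has already verified, and the artifact store, device identifier and digests are constructed values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Artifact:
    config: bytes       # per-device configuration file prepared by the management system
    image_sha256: str   # digest of the software image the device must download


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed store, keyed by the unique identifier stamped on each device.
ARTIFACTS = {
    "GW-000123": Artifact(
        config=json.dumps({"apn": "example.apn", "vpn_peer": "vpn.example.net"}).encode(),
        image_sha256=sha256_hex(b"constructed-image-bytes-1"),
    ),
}


def serve_bootstrap(authenticated_id: str, requested_id: str) -> Optional[dict]:
    """Bootstrap server side. `authenticated_id` is the identity taken from the
    client certificate the device presented over mutual TLS (assumed to have
    been verified already). Returns None when the request must be refused."""
    # Bind the artifact to the authenticated identity: a device may only fetch
    # the configuration prepared for its own identifier, never another device's.
    if authenticated_id != requested_id:
        return None
    art = ARTIFACTS.get(requested_id)
    if art is None:  # unknown, or already provisioned and removed from the store
        return None
    return {"id": requested_id, "config": art.config, "image_sha256": art.image_sha256}


def device_verify_image(payload: dict, image: bytes) -> bool:
    """Device side. The image is typically a separate, larger download; the
    digest received over the authenticated bootstrap channel is what vouches
    for it, so the device must check it before flashing and rebooting."""
    return hashlib.sha256(image).hexdigest() == payload["image_sha256"]
```

The identity-binding check is the one most often missing in home-grown bootstrap servers: without it, a single compromised device certificate is enough to pull every other device's configuration.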
The Benefits of Automation
Once the vendor's preparation is complete, the device is unboxed for the first time only when it is installed on site. The ZTP process is fully automated. An LED indicator signals the different stages of the ZTP process. In parallel, the device informs the NOC of its progress and alerts it to any issues along the way. The NOC can remotely perform multiple retries if needed.
Thanks to ZTP's efficiency and simplicity, device handling and installation can be performed by entry-level technicians, resulting in much lower deployment and service costs and making the transition to IIoT that much easier.
Check out our ZTP-enabled Industrial IoT gateway here.
About RAD's Blog
We'll be blogging on a wide range of hot topics affecting service providers and critical infrastructure network operators. Our resident experts will be discussing vCPE, Cyber Security, 5G, Industrial IoT and much, much more.