Operational Description

Printable Version

The Selcom LINESHIELD System provides an effective shield against cyber attacks on dialup devices in electrical substations. By allowing only authenticated and authorized connections between application computers and substation dial-up equipment (i.e. between SCADA Systems and IEDs, meters etc.) the LINESHIELD prevents unauthorized connections to your remote devices.

There are four variations of LINESHIELD Units (LS-101, LS-108, LS116 and LSP-101) that perform the authentication and authorization function. The type of Unit used is determined by application and location. Certain LINESHIELD units have built-in line sharing capability that allows you to connect up to 16 remote devices through a single phone line.

Making an Authenticated call using the Selcom LINESHIELD

In the above example, to make an authenticated call, a Selcom LINESHIELD unit is required at each end of the call.

If the number of the remote system is 555-1212 and you want to connect to the device attached to port 4 which has an access code of 44 then the Local System would dial: 5551212*44

The calling system dials the number of the remote system with a suffix that indicates the desired port number. The destination LINESHIELD unit will answer the call and authenticate the calling LINESHIELD unit. If the calling unit is authorized to call the remote unit it will ring the desired port and connect the call to the calling system. If the calling unit is not authorized to call the remote unit the call will be dropped and the local system will hear a busy tone.

Making a Non-authenticated Call to a Selcom LINESHIELD

In the above example, to make a non-authenticated call, a Selcom LINESHIELD unit is only required at the called end.

If the number of the remote system is 555-1212 and you want to connect to the device attached to port 4 which has an access code of 44, then the local system would dial: 5551212,,44

The calling system dials the number of the remote system with a suffix that indicates the desired port number. The destination LINESHIELD unit will answer the call and listens for the port code. If the requested port does not require authorization the remote unit will ring the desired port and connect the call to the calling system. If the requested port requires authorization the remote unit will send busy tone and then disconnects the call.

Security features

• Near silent operation. When a LINESHIELD unit answers a call only a short special tone is sent otherwise it is silent. This prevents war dialers from finding your remote devices
• No retries after authentication failures. If a LINESHIELD unit fails to authenticate it will immediately disconnect the call. This will severely inhibit security code cracking attempts.
• Remote security code updating. Using the CAS it is possible to expire and replace security codes remotely whenever there is a requirement to do so.
• All call activity is recorded and time stamped for collection and analysis by the CAS.
• Unique customer IDs. Only units with the same customer IDs will authenticate with each other.
• No master security codes. Each unit has its own unique security code.
• Decentralized system. Each LINESHIELD unit operates independently and does not require the CAS in order to operate.

The Centralized Administration System (CAS)

The Centralized Administration System (CAS) manages all the settings, security codes and collects the call activity logs from the LINESHIELD Units.

With the CAS one can manage all the functions of the LINESHIELD units including:

• setting security codes
• setting port authentication requirements
• setting port access codes
• setting authentication links
• collecting call activity logs
• storing activity records
• updating remote LINESHIELD units
• enable and disable remote LINESHIELD units

The CAS hardware consists of an industrial PC with up to 15 modems. The number of modems depends on the number of LINESHIELD units being managed and the frequency of system updates and data collection being done.