Security policy and c37.118


We ask for an indication in order to comply with our ICT security policy.
We want to connect two OPENPDC instances in order to visualize and elaborate the data flowing.
The point is that the first OPENPDC is in the “forbidden” zone of the process system, so the connection between client and server is accepted only as “one WAY” communication with applications in the office zone.
The problem is that the C37.118 protocol needs the client to contact the server (OPEN PDC) by opening a socket, and after that the server starts to send data. This is not accepted by our ICT department because it is not “one WAY” but “bi-directional” communication. So the question: is it possible to adopt a solution based on your framework where the source (OPENPDC) pushes to a client or other in order to realize a “one way” communication architecture?


Hi pietropau,

For the IEEE C37.118 protocol, the openPDC supports many different modes of operation using both TCP and UDP to work around security policies like these. In the strictest mode, the openPDC can stream unsolicited data to a UDP port and automatically issue the configuration frame once per minute so that absolutely no packets need to be provided to the openPDC in order to consume the data. This would be a true one-way communication architecture.

Many security policies only restrict the direction in which TCP connections can be initiated. For these cases, the openPDC also supports both TCP server and client modes, regardless of the direction of the data flow. Since TCP allows bidirectional communication over the socket, this would not be a true one-way communication architecture, but if your security policy allows it, you would be able to issue commands to the openPDC after the connection has been established.



Also, you can use two instances of the Synchrophasor Stream Splitter to cross security boundaries in the desired direction:

Then the openPDC can connect to the Stream Splitter.
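
The strict UDP mode described in the first reply, seen from the receiving side, as an added example that is not part of the thread and is not openPDC code: a listen-only consumer cannot send a command to request the configuration frame, so it validates each datagram and holds data frames as undecodable until the periodic configuration frame arrives. The class and function names, the choice to treat configuration frames 2 and 3 as the decoding configuration, and the sample frames are assumptions made for this sketch.

```python
import struct

# Frame type from bits 6-4 of the second SYNC byte (IEEE C37.118 framing).
FRAME_TYPES = {0: "data", 1: "header", 2: "config1", 3: "config2", 4: "command", 5: "config3"}

def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for the C37.118 CHK field (poly 0x1021, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def parse_header(frame: bytes):
    """Return (frame_type, idcode), or None if the frame is malformed."""
    if len(frame) < 16 or frame[0] != 0xAA:
        return None
    size, idcode = struct.unpack(">HH", frame[2:6])
    if size != len(frame) or crc_ccitt(frame[:-2]) != struct.unpack(">H", frame[-2:])[0]:
        return None
    return FRAME_TYPES.get((frame[1] >> 4) & 0x7), idcode

class PassiveReceiver:
    """Hypothetical listen-only consumer: it never transmits, so it waits for config."""
    def __init__(self):
        self.configs = {}   # idcode -> latest raw configuration frame
        self.dropped = 0    # data frames seen before any configuration arrived

    def handle(self, frame: bytes) -> str:
        parsed = parse_header(frame)
        if parsed is None:
            return "invalid"
        ftype, idcode = parsed
        if ftype in ("config2", "config3"):
            self.configs[idcode] = frame
            return "config-cached"
        if ftype == "data":
            if idcode not in self.configs:
                self.dropped += 1
                return "data-waiting-for-config"
            return "data-decodable"
        return "ignored"    # header, config1 and command frames are not acted on

def build_frame(type_bits: int, idcode: int, payload: bytes = b"") -> bytes:
    """Constructed sample frame: SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, payload, CHK."""
    body = struct.pack(">BBHHII", 0xAA, (type_bits << 4) | 1, 16 + len(payload), idcode, 0, 0) + payload
    return body + struct.pack(">H", crc_ccitt(body))
```

In a deployment, each datagram returned by `recvfrom` on a bound UDP socket would be passed to `handle`; the receiver never calls `send`, so the firewall rule can permit traffic in one direction only.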