Comnet RLGE2FE16R-S-AC-28P-S22-CH+, RLGE2FE16R-S-AC-28P-S22, RLGE2FE16R-S-AC-28P, RLGE2FE16R-S-AC-28P-S22-CEU, RLGE2FE16R-S-AC-28P-S22-CGU Specsheet

Substation-Rated, Enhanced Security SCADA-Aware Ethernet Layer 2 Managed

Switch/Layer 3 Router With Optional 2G/3G & 4G LTE Cellular Radio Link,

Enhanced Network Security, Terminal Server, PoE+, and 100FX SFP Ports

RLGE2FE16R

EXCLUSIVE

DIN RAIL FIREWALLFLEXIBILIT Y

ComNet product series RLGE2FE16R are substation-rated and industrially
hardened layer 2 managed switches/layer 3 routers, with a unique and highly
robust packet processing SCADA-aware security firewall for the most mission­critical and demanding cyber-security applications. The RLGE2FE16R is intended
for deployment in environments where high levels of electromagnetic noise and
interference (EMI) and severe voltage transients and surges are routinely encountered,
such as electrical utility substations and switchyards, heavy manufacturing facilities,
track-side electronic equipment, and other difficult out-of-plant installations.
Layer 3 routing functionality allows for the participation and foundation of a core
network infrastructure.

The RLGE2FE16R is an ideal platform for deploying a secure communications
and networking gateway for remote electrical utility sites, and other critical
infrastructure applications.

-40º TO +85ºCSUBSTATION LAYER 3

FEATURES

› Fully compliant with the requirements of IEC 61850-3 and

IEEE 1613 Class 2, for use in electrical utility substations; and
NEMA TS-1/TS-2 for Traffic Signal Control Equipment

› For NERC-CIP-5 and NERC-CIP-014 compliance, or any network

application demanding effective cyber-security protection

› Up to (16) 10/100 Mbps Ethernet RJ-45 communications

ports, with (2) 100/1000 Mbps SFP uplink ports. Available
with optional (8) 100 Mbps SFP ports for network aggregation
applications, or where it is desirable to provide optical
connectivity directly to the switch/router or in electrically
noisy environments.

› Optional internal 2G/3G/4G LTE GPRS/UMTS cellular radio

modem with 2 SIM card slots, for maximum network reliability
and availability

› Optional serial interface supports 4 ports of RS-232 serial

data, with serial gateway and serial tunneling

› Optional PoE+: 30 watts per port, 8 ports max.

› Highly advanced and sophisticated security suite: Per Port

Deep Packet Inspection (DPI) SCADA-aware firewall supports
DNP-3, ModBus, IEC 104/101, and IEC 61850 protocols for
NERC-CIP-5 compliance

› Network Learning allows the user to easily create secure and

highly effective SCADA firewall rules

› Supports IEEE 1588v2 Precision Timing Protocol, Transparent

Clock (TC), 10/100 Mbps communications ports only. (Gigabit
uplink ports to be supported in future firmware release.)

› IEEE 802.1X Port-based network access control

› L-2/3/4 ACL for incoming traffic, and layer 2/layer 3 VPN

with IPsec

UPLINKS

› The user APA (Authentication Proxy Access) controls remote

access and communications to end-point/edge of network
devices by all users, with extreme granularity across the
users, time, physical Ethernet or serial data ports, TCP ports,
and SCADA protocols. It also provides PCAP for the entire
allowed maintenance or access session.

› IPsec VPN with X.509 certificates, for use over any cellular or

fiber-optic network

› Ethernet layer 2 switching & layer 3 IP routing with integrated

VPN and link protection per ITU-T G.8032

› Fault/event notification provided through Syslog and SNMP

traps

› Environmentally hardened for deployment in difficult

unconditioned out-of-plant installations: Extended ambient
operating temperature range of -40˚ C to +85˚ C, for use in
virtually any environment. Conformal coating is optionally
available for humidity with condensation or airborne
particulate matter environments.

› Rugged metal housing. DIN-rail mountable & rated for IP-30

ingress protection

› Internal/self-contained universal power supply: Available in

operating voltage ranges from 9 to 270 VDC, or 90 to 250 VAC.

› Redundant power supply input capability significantly reduces

the possibility of a single-point-of-failure, for the highest
possible system and network reliability (DC-powered units only)

› No fans or forced-air cooling; cooling via natural convection

eliminates unreliable and troublesome fans/moving parts,
with no periodic maintenance requirements

* Small Form-Factor Pluggable Module. Sold separately.

216

LIFETIME WARRANTY W WW.COMNET.NET TECH SUPPORT: 1.888.678.9427

RLGE2FE16R

Substation-Rated, Enhanced Security SCADA-Aware Ethernet Layer 2 Managed

Switch/Layer 3 Router With Optional 2G/3G & 4G LTE Cellular Radio Link,

Enhanced Network Security, Terminal Server, PoE+, and 100FX SFP Ports

PRODUCT DESCRIPTION

Seamless & Reliable Connection to Any Network

The RLGE2FE16R provides connectivity to any copper, fiber optic, or cellular radio-based Ethernet network. Fiber optic networks
are supported by the use of two 100/1000FX SFP uplink ports. The optional highly resilient 2G/3G/4G LTE cellular radio uplink with
2 SIM card slots for network redundancy, is ideal where fiber optic infrastructure is not available, and may be used as a back-up link
for those applications where interruption of service is not tolerable. The 8 optional 100 Mbps SFP communications ports provide a
simple to implement aggregation capability to the user’s network.

Extremely Effective Network Security

The RLGE2FE16R is available with two dif ferent levels of network security software: Standard Security; or Enhanced Security, for the
most mission-critical applications.

Standard Security Software Package Version:

Service Gateway

The RLGE2FE16R service gateway includes a highly robust application layer, and provides legacy suppor t, an enterprise-class
firewall, serial tunnelling, protocol gateway, and extremely effective encryption technologies. The service gateway offers a
uniquely capable feature set which may serve as the hardware foundation to a secure industrial controls network, and includes
Protocol Gateway, VPN, and IPsec features.

Protocol Gateway

Gateway functionality between a DNP3 TCP client (master) and a DNP3 Serial RTU, IED, PLC, or other compatible device is
supported. This same functionality is supported across MODBUS TCP to MODBUS RTU, and IEC 61850 101/104 TCP to IEC 61850
101/104 RTU. This level of protocol conversion allows legacy protocols to be secured by enterprise and industry best practice
level encryption across a TCP IP-based network.

VPN

VPN tunnels are included for secure inter-site connectivity with IPsec, DM-VPN, and VPN GRE tunnels with key management
certificates. The supported VPN modes allow both layer-2 and layer-3 services, to best suit the user’s application-specific cyber­protection needs.

IPSec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/
or encrypting each IP packet of a communication session. IPsec-VPN as well as IPsec encryption are supported over other VPN
technologies. By implementing this level of industry-accepted encryption, data may traverse the network in a guaranteed
delivery method, as well as providing a cohesive and secure methodology for network communication across legacy and
modern networks.

Enhanced Security Software Version:

Includes all of the security features of the Standard Security version, plus:

Identity Management and Authentication Proxy Access (APA)

NERC-CIP-5 defines the important requirement for network security protection of remote and unattended facilities. The
capability of identifying the user and creating specific network privileges per identified and authenticated user prior to granting
the user access to the network therefore becomes critical

The Authentication Proxy Access (APA) is a highly sophisticated security feature, which allows the network operator to manage
the substation or any other facility maintenance process. This feature gives full control of the maintenance process to the operator
by granting the capability to create dynamic policies to specific tasks within an explicitly defined time window. Following this time
window, operators receive reporting on activities performed during the task. This audit trail comes in the form of an overview log,
and a full packet capture (PCAP) of the session.

Before a user is allowed access to the network, they must log in to ComNet’s internal authentication process with their unique
user name and password. Upon validation of the user profile, specific access is granted to predefined devices and functions, and
each operation is logged. Multi-factor authentication is available when combined with the Cyber-Physical Integration feature.

LIFETIME WARRANTY W WW.COMNET.NET TECH SUPPORT: 1.888.678.9427

RLGE2FE16R

Substation-Rated, Enhanced Security SCADA-Aware Ethernet Layer 2 Managed

Switch/Layer 3 Router With Optional 2G/3G & 4G LTE Cellular Radio Link,

Enhanced Network Security, Terminal Server, PoE+, and 100FX SFP Ports

PRODUCT DESCRIPTION (Cont’d)

Event logger

The event logger feature allows the operator to receive events and logs from any number of remote OT devices. It supports
multiple formats (Syslog, SNMP, & HTTP), and is also capable of polling event tables from IP, access control, and serial data
devices. The events are received and sent outbound in Syslog format, with additional fields appended, completing a unified
Event Log Aggregator (e.g. location, source sub-system, and severity). Following this aggregation, the Event Logger stores
normalized events locally, and forwards formatted events upstream to a central SIEM tool, providing encrypted, reliable, and
guaranteed logging in accordance with NERC-CIP-5 standards.

X.509 Certificate Exchange for VPN Connections

VPN tunnels for secure inter-site connectivity with IPsec VPN, GRE Tunnels, and DMVPN technologies are fully supported. In
addition to IPsec encryption, X.509 key management certificates are provided. This certificate support allows for a secure signed
key exchange between a Certificate Authority, and two secure nodes. Having a third-party authority as a signing participant
offers end-to-end security that may be managed and reissued from a trusted central source within the user’s network.

Cyber-Physical Integration

Integrated within the enhanced-security RLGE2FE16R, is a physical identity server system, allowing the use of external
authentication hardware, such as magnetic card readers, biometric identification sensors, facial recognition cameras, etc., to
create a two-factor authentication to the APA feature. This provides an additional level of validation of the user and his/her
credentials, prior to granting the user network access. Once the authentication is validated and approved, a set of defined
policies allow the authenticated technician to perform their task.

The cyber-physical integration also allows the Event Logger feature to poll and deliver events from physical access control
assets and devices. These assets include but are not limited to access control panels and access control head-end systems
and databases.

Enhanced SCADA-Aware Firewall

A whitelist-based firewall is provided for every Ethernet and serial data port, so full firewall protection is available at all remote
sites within the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is
scanned and validated by the firewall engine for its source and destination, as well as its protocol and packet content.

The structure of the distributed firewall allows the creation of a unique firewall at each access point to the network. This is critical
for securing against insider cyber-attacks, compromised field devices, man-in-the-middle attacks, and a myriad of alternate
attack vectors, by providing a secure baseline.

Two firewall states are included: Monitoring, and enforcing. The monitoring state provides an alarm at the control center for any
network violation, without blocking the network traffic. The enforcing state is extremely effective for blocking suspicious traffic,
while also triggering a violation alarm at the control center.

DPI (Deep Packet Inspection) SCADA Protocols Firewall

ComNet’s distributed DPI firewall ensures that the operator will have full control over the network, even when faced with a
sophisticated attempt at breaching the network. Monitoring SCADA commands, this highly robust whitelist-based firewall
analyses SCADA network traffic, and is provided for every Ethernet and serial data port, so full firewall protection is available
at all remote sites within the network, as well as all IEDs, RTUs, PLCs, or any other device connected to the network. Every
SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is scanned and validated by the
firewall engine for its source and destination, as well as its protocol and its specific packet

Any detected abnormal traffic behavioral patterns are blocked, any affected subnets are isolated, and alerts are
automatically generated.

Ease of Installation and Network Integration

High levels of cyber-security experience are not required to successfully deploy the RLGE2FE16R. It is fully supported by
ComNet’s Reliance Product Configuration Utility and CLI, allowing the secure switch/router to be easily configured, and to
diagnose network and security functions.

Configuration of the secure firewall is also simple. Once connected to the user’s network, the RLGE2FE16R immediately
begins to collect and analyse information across the network, including from other connected devices, traffic behavior, etc.

LIFETIME WARRANTY W WW.COMNET.NET TECH SUPPORT: 1.888.678.9427