VCL-2243 is a high-security, high-reliability, ruggedized, failsafe transparent RTU Firewall designed to be installed between the RTU and the SCADA server without reconfiguring any element of the network. The VCL-2243 firewall supports IEC 60870-5-104 (IEC 104), IEC 61850 MMS and MODBUS TCP/IP protocol options with advanced features, and may be installed to secure and protect RTUs (Remote Terminal Units) in critical infrastructure such as Sub-Stations, Smart Grid Distribution Systems, Oil and Gas Infrastructure and Railway Signaling Networks from being compromised, attacked, or accessed by hostile elements.

Protocol Supported

  • IEC 60870-5-104: 10/100BaseT ETH Port
  • IEC 61850 MMS: 10/100BaseT ETH Port
  • MODBUS TCP/IP: 10/100BaseT ETH Port


Versions and Technology Deployment:

  • High-Security, High-Reliability, Ruggedized RTU Firewall.
  • Failsafe – Never itself becomes a point of failure, even in a power down condition.
  • Transparent Firewall – No modification required in the existing network.
  • Does not add any measurable latency. The latency added under full load conditions is less than 1ms.
  • Installed in sub-stations to protect RTUs from network side intrusion and hostile access.
  • MAC based lock. Allows the user to lock to specified MAC addresses of known network devices in the utility network, such as SCADA servers, network management devices and computers. The RTU shall only accept data from or transmit data to known network devices in the MAC white-list.
  • IP Address based lock. Allows the user to lock to specified IP addresses. The RTU shall only accept data from or transmit data to known network devices in the IP address white-list.
  • Port based lock. Allows transmission only on user selected ports. Blocks communication and access on all other ports.
  • Deep Packet Inspection. Allows only SCADA (-104 / MODBUS TCP/IP / MMS) packets to pass through. Blocks all other packets.
  • Comprehensive logging of all -104/MODBUS TCP/IP/MMS packets. Finger-prints and logs all unauthorized traffic and access attempts.
  • Time keeping: Fetches time from NTP Server to maintain millisecond accuracy.
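
The MAC, IP, port and deep-packet-inspection locks listed above combine into one default-deny decision per packet. The following is an added example, not VCL-2243 firmware or vendor code: the `decide` function, the policy values and the sample frames are assumptions, and it assumes one application frame per TCP payload.

```python
import struct

# Constructed allow-list; every address below is an assumed sample value.
POLICY = {
    "macs": {"00:11:22:33:44:55"},
    "ips": {"192.0.2.10"},
    "ports": {502: "modbus", 2404: "iec104"},  # IANA-registered TCP ports
}

# Constructed sample frames.
MODBUS_READ = bytes.fromhex("00010000000601030000000a")  # read 10 holding registers
IEC104_STARTDT = bytes.fromhex("680407000000")            # STARTDT act (U-format)

def is_modbus_tcp(payload: bytes) -> bool:
    """MBAP header: transaction id, protocol id (always 0), length, unit id."""
    if len(payload) < 8:  # 7-byte MBAP header plus a function code
        return False
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    # length counts the unit id plus the PDU; a Modbus PDU is at most 253 bytes
    return proto == 0 and 2 <= length <= 254 and length == len(payload) - 6

def is_iec104(payload: bytes) -> bool:
    """APCI: start byte 0x68, APDU length (4..253), four control octets."""
    if len(payload) < 6:
        return False
    start, length = payload[0], payload[1]
    return start == 0x68 and 4 <= length <= 253 and length == len(payload) - 2

INSPECTORS = {"modbus": is_modbus_tcp, "iec104": is_iec104}

def decide(src_mac: str, src_ip: str, dst_port: int, payload: bytes):
    """Return (verdict, reason); anything not explicitly allowed is dropped."""
    if src_mac.lower() not in POLICY["macs"]:
        return ("DROP", "mac-not-whitelisted")
    if src_ip not in POLICY["ips"]:
        return ("DROP", "ip-not-whitelisted")
    proto = POLICY["ports"].get(dst_port)
    if proto is None:
        return ("DROP", "port-not-allowed")
    if not INSPECTORS[proto](payload):  # structural check of the payload
        return ("DROP", "payload-not-" + proto)
    return ("ALLOW", proto)

if __name__ == "__main__":
    print(decide("00:11:22:33:44:55", "192.0.2.10", 502, MODBUS_READ))
    print(decide("00:11:22:33:44:55", "192.0.2.10", 502, b"GET / HTTP/1.1\r\n\r\n"))
```

The reason string returned with each DROP is the kind of field a log of unauthorized traffic would record alongside the source MAC and IP.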


  • Utilities: Electric generation, transmission and distribution.
  • May be installed to Firewall RTU Terminals and server(s) located in Load Dispatch Centres / SCADA Management Centres and Rail Traffic Control.
  • Smart Grid Distribution Systems.
  • Oil & Gas production, pipelines.
  • Railway Signalling Infrastructure: Rail Traffic Control Room(s).
  • All distributed data networks consisting of a central server and multiple edge locations.

Firewall – Features and Capabilities:

  • Protocols supported:
    • IEC 60870-5-104 (IEC 104)
    • IEC 61850 MMS
  • Lock to user specified MAC addresses.
  • Lock to user specified IP address.
  • Allows transmission of only -104, MODBUS TCP/IP, MMS packets.
  • Port based lock. Allows transmission only on user selected ports. Blocks access on all other ports.
  • Deep Packet Inspection. Allows only SCADA (-104 / MODBUS TCP/IP / MMS) packets to pass through. Blocks all other packets.
  • Per-frame/packet authentication
  • Firewall
    • Port (Soft) based
    • MAC based
    • IP Address based
    • IP Domain based
  • White-List and Black-List options
    • White-List: listed exceptions are allowed and all other traffic is blocked by default (system default mode)
    • Black-List: listed exceptions are blocked and all other traffic is allowed
  • Seamless scalability
  • Infrastructure neutral: may be used with SDH, IP/MPLS, MPLS-TP networks
  • Transparent to network and applications
  • Easy installation and management

Monitoring and Access Control:

  • Password Strength Monitor
  • Device Management and Alarm Monitoring
  • Command Line Interface – Telnet, SSH
  • SNMPv2 Alarm Monitoring
  • Alarm condition detection and reporting (traps and SNMP alarm table)
  • Syslog

Firewall and Security:

  • Secure Boot
  • Firewall Security:
    • Inclusion Policy – Access Control based upon White-List IP addresses, MAC address and IP Domain
    • Exclusion Policy – Access Control based on Black-List
  • Resistance to Denial of Service (DoS) Attack
  • Encrypted Firmware Updates
  • Non-volatile Access Log with capability to “fingerprint” all successful log-in attempts and keep a log of the IP and MAC addresses of all successful logins.
  • SNMP trap generation, along with LED and external alarm indication
  • Password Protection with password strength monitor
  • RADIUS Password Authentication
  • SSH (Secure Access Control) with encrypted Password Protection

Interfaces – Terminal:

  • Total Number of Ethernet Interfaces: 2
    • One 10/100 RJ45 equipment interface for the local (trusted) RTU side
    • One 10/100 RJ45 network interface to the WAN (untrusted) network side
  • Auto MDI/X (straight or crossover Ethernet cable correction)
  • Management interfaces:
    • Ethernet, RS-232, RS-485, USB

CE Compliances:

  • Immunity as per EN 60255-26
  • Low voltage directive as per EN 60255-27

Other Regulatory Compliances:

  • RoHS
  • Meets CE requirements
  • Complies with FCC Part 68 and EMC FCC Part 15
  • Telcordia GR-1089 Surge and Power Contact

Application Diagram:


[Diagram: RTU Modbus Firewall]