What this page solves

A SCADA or substation gateway becomes the place where all IEDs, relays, PQ analyzers and feeder controllers meet. Instead of letting every device talk directly to the control center, this box collects measurements and events, normalizes protocols, and exposes only a few clean, secure channels upstream.

In a typical station or feeder bay, different vendors ship different protocols and time bases. Some devices still use IEC 60870-5-103 or Modbus over serial, others speak IEC 61850, and some only expose dry contacts. The gateway solves the headache of dealing with this protocol mosaic while keeping the OT network isolated from the SCADA or cloud network.

The gateway also acts as a timing, buffering and auditing point. Events from multiple bays are aligned to a common time source, short outages on the wide-area link are bridged with local buffering, and every remote command to the yard can be logged and checked at a single choke point instead of being scattered across dozens of devices.

From a lifecycle and cybersecurity view, this page focuses on how the SCADA or substation gateway can shield older IEDs from new security rules, provide a single place to deploy updated protocol stacks, and enforce secure boot, VPN and key management without rewriting every relay platform in the network.

• Consolidate southbound protocols into a few trusted northbound interfaces.
• Align timestamps and event ordering across many IEDs and feeders.
• Create a clear OT/IT security boundary with VPN, TLS and firewalls anchored at the gateway.
• Buffer and filter data so control centers see clean, actionable information instead of raw noise.
• Decouple substation assets from fast-moving SCADA and cloud upgrades by using the gateway as an adaptation layer.

System role & upstream/downstream placement

In a layered substation architecture, primary equipment is handled by relays, bay controllers and feeder automation units. These devices sit closest to the yard and implement protection, control and local interlocking. The SCADA or substation gateway sits one layer above them, on the station LAN, where it sees many bays at once but does not directly drive breaker coils or compute protection decisions.

Downstream or southbound, the gateway terminates a mix of serial links, legacy protocols and modern Ethernet-based services. It collects measurements, status and events from IEDs, transformer monitors, PQ analyzers, feeder terminals and smart LV panels. These connections are often spread across dedicated process or bay networks, so the gateway must support multiple isolated ports, VLANs and security zones while still presenting a coherent view of the station.

Upstream or northbound, the gateway exposes only a small number of carefully controlled interfaces towards SCADA, DMS, EMS or cloud systems. Typical choices are IEC 60870-5-104, DNP3 over TCP, IEC 61850 MMS or a secure MQTT or OPC-UA channel. These interfaces carry pre-filtered, time-aligned data and command paths that can be protected with VPN, TLS and strict access control, turning the gateway into a clear OT/IT demarcation point.

The gateway often operates alongside a local HMI or historian server in the station control room. That local system serves operators on site, while the gateway speaks to remote control centers. Understanding this split helps with decisions about where to place long-term storage, where to implement cyber security modules, and how to design redundancy so a gateway failure does not take down all remote visibility.

• Southbound: relays, IEDs, FTU/DTU/TTU, PQ and asset monitors on station or process networks.
• Mid-layer: SCADA gateway on the substation LAN, aggregating bays and enforcing security rules.
• Northbound: SCADA, DMS, EMS and cloud endpoints receiving filtered, time-aligned data streams.
• OT/IT boundary: firewalls, VPN tunnels, secure boot and key storage anchored at the gateway instead of at every individual IED.

Key requirements & constraints

A SCADA or substation gateway sits between mixed southbound devices and tightly controlled northbound SCADA links. Requirements therefore extend beyond basic throughput; constraints span protocol concurrency, event bursts, time synchronisation, power quality, EMC robustness and cybersecurity. The list below groups typical parameters that drive silicon and platform choices for this kind of gateway.

Values are indicative and should be adapted to the voltage level and station size. The intent is to highlight which questions must be answered early in a specification, so that controller selection, isolation levels, memory sizing and security hardware can be aligned with real operating conditions instead of nominal laboratory loads.

• Southbound device scale and ports. Plan for at least 8–16 serial channels (RS-485/RS-232), 4–8 Ethernet ports and several digital inputs/outputs to accommodate relays, feeder terminals, PQ analyzers and LV panels without external multiplexers.
• Event throughput and burst handling. Dimension CPU and protocol stacks for a sustained load of 500–2 000 events per second, with capacity to absorb short bursts an order of magnitude higher during fault storms without dropping critical alarms.
• Northbound bandwidth and latency. Provide at least one 100 Mb/s link, preferably GbE, with a station-side contribution to end-to-end control-command latency below 50–100 ms for the chosen SCADA protocols.
• Connection concurrency. Support multiple simultaneous southbound sessions per protocol and at least two to four independent northbound sessions (for main SCADA, backup SCADA, security monitoring or analytics platforms).
• Time synchronisation accuracy. Use PTP (IEEE 1588) or GNSS as a primary time base and keep event timestamp accuracy within ±1 ms for protection and status events, including during holdover when the grandmaster signal is briefly lost.
• Local buffering depth. Size non-volatile storage so that key events and compressed measurement summaries from all bays can be buffered for at least 24–72 hours during WAN outages, with clear rules for priority and discard.
• Operating temperature and environment class. Match the enclosure rating and silicon temperature grade to the intended location: typical control rooms use –20 °C to +55 °C, while outdoor cabinet or pole-mounted installations often require –40 °C to +70 °C and enhanced humidity protection.
• EMC and surge immunity. Align immunity levels with utility practice, for example IEC 61000-4 series for electrostatic discharge, fast transients and conducted disturbances, and surge capability on communication and power ports suited to the station’s overvoltage category.
• Availability and redundancy. Target MTBF in the 100 000 hour class and consider dual power inputs, dual Ethernet uplinks and support for PRP/HSR or ring topologies to avoid single-point failures on the gateway path.
• Power input range and ride-through. Accept common substation DC supplies such as nominal 24 V, 48 V or 110 V with adequate range (for example 9–36 V or 18–72 V) and ride through short-term dips without uncontrolled reboot.
• Isolation and grounding strategy. Specify minimum isolation voltages for serial ports, digital I/O and power domains (often >2.5 kVrms for reinforced isolation) and define how protective earth, functional earth and shield connections are managed inside the gateway.
• Secure boot and firmware integrity. Require a hardware root of trust that verifies bootloaders and application images at startup and during updates, preventing unsigned or tampered firmware from running on the gateway.
• Cryptographic performance and key storage. Dimension hardware accelerators for TLS/VPN load associated with the planned number of northbound sessions, and store private keys and sensitive credentials in a secure element or HSM rather than general-purpose flash.
• Security logging and retention. Ensure that configuration changes, remote logins and control commands are written to a protected audit log with at least several weeks of retention, and that logs can be exported in standard formats to central security monitoring systems.

Architecture & implementation options

Gateway architecture choices determine how easily a station can absorb legacy devices, support modern IEC 61850 or TSN networks, and expose data to one or many control centres. Options range from compact RTU-style designs with a few serial ports and a single SCADA protocol to Linux-based edge nodes with multiple protocol stacks, VPN endpoints and virtualised services.

The following patterns focus on three axes: southbound integration strategy, northbound protocol and tenancy model, and the compute platform. Each combination has different implications for silicon selection, memory, isolation and security modules, and should be matched to the station size and regulatory context rather than copied from unrelated projects.

• Southbound option A – serial aggregation gateway. A design focused on IEC 60870-5-103, Modbus RTU and vendor-specific serial links, with multiple isolated RS-485/RS-232 channels and one or two Ethernet ports for configuration and SCADA uplink. Well suited for upgrades of legacy yards but limited when future IEC 61850 station or process bus requirements appear.
• Southbound option B – Ethernet-centric station bus node. A design where most IEDs already speak IEC 61850 MMS or similar Ethernet services and the gateway connects primarily to a segmented station LAN with VLANs or TSN. Serial ports are used mainly for a small number of legacy devices, and emphasis moves to switch integration, PTP and cybersecurity on the LAN.
• Southbound option C – mixed station assets including IoT nodes. A design that combines conventional relays and bay controllers with line monitors, pole-top controllers or transformer monitors that use cellular, LoRa or NB-IoT links. This drives stronger local buffering and consolidation logic to hide intermittent links from SCADA.
• Northbound option A – single control centre, single protocol. A simple model where the gateway speaks only IEC 60870-5-104 or only DNP3/TCP to a single SCADA system. Implementation complexity stays modest, but adding second control centres or analytics platforms later can require hardware replacement or extra gateways.
• Northbound option B – multi-host and multi-protocol. A richer model where data is simultaneously delivered to main SCADA, backup SCADA and cloud analytics or APM systems using combinations of 104, DNP3, IEC 61850 MMS, MQTT or OPC-UA. This increases demands on CPU, memory, bandwidth and security isolation between tenants.
• Northbound option C – separation from local HMI and historian. A model where the gateway concentrates external connectivity while a local HMI or historian server handles operator interfaces and long-term storage. This separation clarifies roles and allows different lifecycles and hardware platforms for local and remote functions.
• Platform option A – RTU-class MCU platform. An architecture based on a microcontroller and RTOS, optimised for low power and high MTBF. Suitable for a limited number of protocols and modest security requirements, but not ideal for heavy TLS/VPN loads or frequent updates of larger protocol stacks.
• Platform option B – Linux / Cortex-A edge node. An architecture using an application processor with MMU and Linux or similar OS, giving headroom for multiple protocol stacks, deep logging, VPN endpoints and containerised services. This approach requires stronger secure boot and patching strategies to control the expanded attack surface.
• Deployment option A – single gateway with network redundancy. A single physical gateway that uses PRP/HSR or redundant Ethernet rings for path resilience. Simpler to operate than dual-gateway schemes but still a single point of failure for hardware faults on the device itself.
• Deployment option B – dual gateways with hot or warm standby. Two gateways are installed in parallel, sharing southbound sources and presenting an active and a standby uplink to SCADA. This arrangement requires robust configuration synchronisation and clear failover rules but significantly improves availability.
• Deployment option C – virtualised or centralised gateway. Gateway logic runs as a virtual machine or container in a central platform, with stations connected via remote I/O racks or direct IED connections. This model simplifies hardware maintenance but enlarges the fault domain and pushes stricter demands onto the WAN and security architecture.

Protocol stacks & security layers

A SCADA or substation gateway rarely runs a single protocol in isolation. IEC 60870-5-104, DNP3 and IEC 61850 MMS or GOOSE are typically layered together, each placing different demands on CPU performance, memory, Ethernet MAC/PHY, time synchronisation and cryptographic hardware. On top of these stacks, VPN and TLS layers impose additional requirements on secure key storage and hardware acceleration.

Matching protocol and security requirements to SoC and companion IC features early in a design helps avoid underpowered platforms that struggle with event storms or encrypted multi-host links. The points below frame 60870-5-104, DNP3 and IEC 61850 in terms of their typical behaviour on a gateway and highlight the silicon features that support reliable long-term operation in a substation environment.

IEC 60870-5-104 – TCP-based station links

• Connection model. 104 sessions are persistent TCP connections, often with one or more control centres and several hundred information objects per gateway. SoC selection should consider the number of simultaneous TCP sockets and buffer space in the IP stack.
• CPU load profile. Message sizes are modest but frequent, combining cyclic measurements with spontaneous events. A mid-range MCU can handle single-host traffic, but multi-host, high-density stations benefit from Cortex-A class processors or high-end MCUs with efficient TCP/IP offload.
• Memory and buffering. Adequate RAM is required for frame queues, per-connection buffers and event lists. Design targets typically allocate tens of kilobytes per active 104 link plus shared buffers for event bursts.
• Security wrapping. When 104 is carried inside VPN tunnels or protected using IEC 62351 techniques, SoC crypto acceleration for AES-GCM and SHA, and a secure place to store certificates and keys, becomes critical.

DNP3 – event-oriented and weak-link tolerant

• Transport flexibility. DNP3 often runs over both serial and TCP. This drives the need for multiple UART channels with DMA support and a robust TCP/IP stack, all bound to tight timers and retry handling in firmware.
• Event buffering behaviour. Class structures and confirm/ retry logic rely on local event queues. Non-volatile memory technology with good endurance, such as FRAM or carefully managed eMMC, helps preserve events across power dips and restarts.
• Timing and state machines. DNP3 places less stress on raw compute power and more on accurate timers and robust state machines. A real-time OS with precise tick resolution and watchdog supervision supports predictable behaviour.
• Secure Authentication impact. Implementations using DNP3 Secure Authentication add HMAC and asymmetric cryptography into protocol flows. Hardware blocks for AES and SHA, plus efficient ECC or RSA, reduce latency and free the main CPU for application logic.

IEC 61850 MMS, GOOSE and time-aware networking

• MMS object modelling. MMS services and data models consume more memory than basic SCADA frames. Gateways that act as MMS servers for many IEDs typically require larger RAM footprints and favour Linux-capable SoCs over small microcontrollers.
• GOOSE and fast event paths. GOOSE messaging depends on multicast Ethernet, VLAN priorities and tight latency budgets. Ethernet MACs with hardware VLAN support, priority queues and optionally TSN features reduce the scheduling burden on the CPU.
• Time synchronisation and PTP. 61850 deployments often rely on IEEE 1588 PTP. MACs or PHYs with hardware timestamping, together with an external GNSS or stable oscillator, greatly simplify high-accuracy time stamping.
• Secure profiles and IEC 62351. Securing MMS and GOOSE with IEC 62351 profiles drives additional TLS session load. Hardware accelerators for AES-GCM and ECC, combined with off-chip or on-chip secure elements, help maintain real-time behaviour under encryption.

Security layers and trusted hardware

• VPN and tunnel endpoints. IPsec, OpenVPN or WireGuard endpoints add continuous symmetric crypto load. SoCs should integrate AES, ChaCha/Poly, SHA and possibly public-key accelerators to keep CPU utilisation predictable at the target bandwidth.
• TLS for SCADA sessions. TLS-wrapped 104, DNP3 or MMS sessions require strong random number generation, certificate storage and efficient session resumption. A true random number generator and secure element for private keys significantly reduce implementation risk.
• Secure boot and firmware validation. A hardware root of trust in the SoC or a companion security MCU enforces signed bootloaders and images, preventing unauthorised firmware from executing on the gateway.
• Audit logs and secure storage. Security layers produce logs for authentication attempts, configuration changes and remote controls. Non-volatile storage with wear management and optional signing or sealing by an HSM keeps these logs durable and trustworthy over years of service.

Design pitfalls & isolation strategies

Substation gateways are exposed to long field cables, harsh EMC environments and occasional lightning-induced surges. Designs that look acceptable in the lab often develop intermittent failures or repeated port damage after months in service. Common weak points include shared grounds on long serial runs, unprotected Ethernet ports, non-isolated digital inputs/outputs, simplistic dual-power schemes and poorly defined surge paths.

Robust isolation and protection strategies start with clear partitioning: separate power input, southbound I/O, northbound Ethernet, engineering ports and security functions into distinct domains, each with appropriate isolation, surge handling and grounding rules. The list below highlights typical pitfalls and outlines isolation patterns that translate into IC choices for isolators, protection devices, DC-DC converters and redundancy controllers.

Typical design pitfalls in SCADA gateways

• Non-isolated multi-drop serial ports. Grouping all RS-485 ports on a common ground without isolation exposes the whole board to ground potential differences and surge currents along long cable runs. Isolated transceivers or digital isolators per port group significantly reduce this risk.
• Ethernet ports with only connector magnetics. Relying solely on RJ45 transformers and omitting dedicated surge and ESD protection devices leaves PHYs vulnerable to induced lightning and switching transients on long copper cables. TVS arrays, common-mode chokes and, where necessary, gas discharge tubes should be planned near the connectors.
• Directly coupled digital inputs and outputs. Driving external contacts and status signals from MCU pins without isolation or adequate current limiting leads to latch-up and damage during faults. Opto-isolated or digitally isolated DI/DO stages with input filtering and output snubbers are strongly recommended.
• Poorly defined power entry and surge paths. TVS diodes and surge components scattered across the board without a clear return path to chassis or protective earth create unpredictable current loops. A defined surge path at the power entry, combined with structured ground and shield connections, improves survivability.
• Dual power feeds simply wired in parallel. Connecting two DC feeds directly together without active ORing or fault isolation allows a short or reverse fault on one source to compromise the other. Ideal-diode controllers or eFuse-based ORing devices provide controlled redundancy.
• Unprotected maintenance and engineering ports. USB or UART ports exposed on the front panel without protection or isolation can inject ESD and ground shifts straight into core logic. USB isolators, protected bridge ICs and clear separation of engineering and operational domains reduce this hazard.
• Inconsistent grounding and shield terminations. Mixing signal returns, logic ground and cable shields arbitrarily leads to EMI issues and unpredictable surge behaviour. Shields should connect in a controlled way to chassis or protective earth, with logic ground referencing through defined components.

Isolation domains inside a substation gateway

• Power entry domain. The incoming DC supply, surge protection, EMI filtering and primary DC-DC conversion form a distinct domain. Isolation-type DC-DC converters and dedicated protection ICs create a clean low-voltage rail for logic and communication circuits.
• Southbound serial and I/O domain. Groups of RS-485/RS-232 transceivers and digital inputs/outputs are separated from the SoC using digital isolators or optocouplers. Each group can reference local field grounds and still protect central logic from transients and ground shifts.
• Northbound Ethernet domain. Ethernet PHYs, magnetics and surge protection form a boundary between external cabling and the SoC. Designs may use isolated PHYs or rely on transformer isolation combined with careful layout and robust protection components.
• Engineering and service domain. Maintenance ports are treated as a separate domain with their own protection and, where feasible, isolation so that service laptops and tools cannot directly disturb operational circuitry.
• Security island. Security MCUs, secure elements or HSMs may sit in their own power and ground island with controlled interfaces to the main SoC, safeguarding keys and root-of-trust functions even when other domains experience disturbances.

Power redundancy and surge protection strategy

• Redundant feeds with controlled ORing. Dual inputs from independent DC buses should be combined using ideal-diode controllers or eFuse ICs that provide reverse blocking, fault isolation and accurate current monitoring, rather than passive diodes or simple wire links.
• Layered surge protection. Power and communication entries benefit from staged protection: gas discharge tubes or MOVs at the cabinet level, followed by TVS diodes and common-mode chokes close to the gateway connectors, and finally robust layout to guide surge currents away from sensitive devices.
• Grounding and shield management. Clear rules for connecting shields to chassis or protective earth at defined points minimise loop formation. Logic ground is referenced through controlled impedance or protection devices rather than arbitrarily tied to shields.
• Short-term ride-through and orderly shutdown. Local energy storage, such as supercapacitors or small backup batteries, allows the gateway to ride through brief power interruptions and complete logging or protocol housekeeping before shutting down, improving resilience and data integrity.

Cybersecurity & secure boot

A SCADA or substation gateway represents a narrow and highly privileged point between field assets and control centres. If an attacker gains control of this device or its firmware, the monitoring and control view of the grid can be quietly altered. A practical security concept therefore starts with a clear trust anchor, extends through secure boot and firmware update, and finishes with robust key storage, communication protection and audit logging.

Cybersecurity for a gateway is not limited to encrypting IEC 60870-5-104, DNP3 or IEC 61850 traffic. Hardware security modules, secure elements, cryptographic accelerators and carefully designed firmware processes are needed so that keys remain protected, only authorised code can run, and security controls continue to function reliably over the full service life of the installation.

Layered security view for a gateway

• Root of trust in hardware. A minimal and verifiable trust anchor is required, typically in SoC ROM code or a companion security MCU, anchored by eFuse or OTP-stored public keys and configuration fingerprints.
• Secure boot chain. Firmware images and bootloaders are signed and verified at each boot stage. Anti-rollback counters and integrity checks prevent older, vulnerable images from being reloaded.
• Key and credential management. Device identities, SCADA client certificates and VPN credentials are stored only inside secure elements or HSMs, never as exportable plaintext in generic flash.
• Protected communication channels. IEC 60870-5-104, DNP3 and 61850 traffic is carried over VPN tunnels or TLS connections, often following IEC 62351-style profiles, with cryptographic load offloaded into hardware accelerators.
• Access control and audit. Role-based access control, hardening of local and remote management interfaces, and durable audit logs create an operational envelope around the device that matches utility security policies.

HSM, secure element and crypto accelerator roles

• Hardware Security Module (HSM). A dedicated HSM can provide high-assurance key generation, storage and cryptographic services, including tamper detection and protected monotonic counters. This device typically terminates VPN and TLS sessions and enforces separation between sensitive keys and the main application processor.
• Secure Element (SE). A compact secure element focuses on device identity and key vault functions. It stores long-term keys and certificates for TLS and VPN, exposes sign/decrypt operations over I²C or SPI, and resists key extraction even if the main SoC is compromised.
• Crypto accelerators inside the SoC. Integrated AES, SHA and public-key blocks reduce CPU load when many encrypted sessions or high-bandwidth tunnels are active. Suitable accelerators are sized according to the expected mix of 104, DNP3, 61850 and management traffic.
• Randomness and entropy. A true random number generator is essential for key generation and session establishment. Hardware-based entropy sources outperform firmware-only solutions that rely on timing noise.

Secure boot chain and anti-rollback controls

• Stage 0 – immutable ROM boot. The first code executed after reset resides in SoC ROM and contains just enough logic to verify the first-stage bootloader using a public key or hash stored in eFuse or OTP memory.
• Stage 1 – authenticating bootloader. The bootloader validates operating system and application images before they run. It reads version numbers and rollback counters from secure storage to ensure that only up-to-date and signed images are accepted.
• Stage 2 – operating system and services. Once the OS is active, integrity checks can extend to critical configuration, protocol stack binaries and security services, supporting a secure baseline for runtime operation.
• Monotonic counters and rollback resistance. Anti-rollback relies on monotonic counters stored in secure elements, HSMs or secure SoC memory that cannot be reset by normal software operations, enforcing forward-only firmware updates.

Secure firmware update and runtime protection

• Signed update packages. Update images include metadata such as target hardware, version and dependencies, and are signed by a trusted authority. Verification reuses the same root keys and security hardware used for secure boot.
• A/B images and automatic fallback. Dual image layouts allow new firmware to be written to an inactive slot. If boot or self-test fails, the bootloader automatically falls back to the previous image, preventing permanent outages after field updates.
• Protection of debug and maintenance interfaces. JTAG and similar interfaces are locked or fused off in normal operation. Temporary service access requires controlled procedures, such as time-limited unlock tokens or on-site hardware actions.
• Security logging and forensics. Authentication attempts, configuration changes and remote control commands are recorded in persistent logs. Suitable non-volatile memory and secure time sources are chosen to keep logs durable and trustworthy over many years.

IC selection & vendor mapping

A SCADA or substation gateway is assembled from a repeatable set of functional IC blocks: compute, security, industrial Ethernet, serial and I/O interfaces, power conversion, time synchronisation, storage and protection. Mapping these functional blocks to vendor families helps create a consistent bill of materials that is easier to qualify, maintain and extend across multiple projects and product generations.

Instead of choosing parts in isolation, it is useful to treat each functional block as a column in a vendor map. Each column groups compatible device families from industrial MCU/SoC suppliers, security specialists, industrial Ethernet providers, power vendors and protection component manufacturers. This section outlines those blocks and the typical IC categories behind them, without naming specific part numbers.

Compute platform and power management

• Industrial MCU and SoC families. Gateways can be built around industrial-grade 32-bit microcontrollers or application processors with extended temperature range, long-term availability and comprehensive peripheral sets for Ethernet, serial ports and security features.
• PMIC and point-of-load regulators. Dedicated PMICs and DC-DC controllers supply the core, memory, I/O and PHY rails. These devices should support wide input ranges, sequencing, fault monitoring and integration with supervisor ICs.
• Vendor mapping. Compute and power devices typically come from industrial-focused MCU and power vendors that offer long product lifetimes, strong documentation and references for grid automation and substation use cases.

Security and identity devices

• Secure elements. Compact secure elements store long-term private keys, device certificates and sensitive credentials and provide cryptographic services over I²C or SPI, often with pre-provisioned trust anchors for cloud and utility ecosystems.
• Hardware security modules and secure MCUs. Larger security devices or secure MCU variants add more processing power, secure storage and anti-tamper features for demanding deployments or gateways that terminate many tunnels and sessions.
• Vendor mapping. Security components are normally sourced from specialised security IC vendors and MCU suppliers that provide secure element, HSM or security island families, together with firmware libraries and certification support.

Industrial Ethernet, TSN and PHYs

• Ethernet PHYs and magnetics. Copper and fibre PHYs with industrial temperature ratings, low EMI emissions and suitable surge tolerance are core to station-bus and SCADA connections. Matching magnetics and RJ45 connectors complete these links.
• TSN and industrial switch devices. Gateways that sit inside IEC 61850 or TSN-based station networks depend on managed switch or TSN switch ICs with support for VLANs, priority queues, time-aware scheduling and PTP timestamping.
• Vendor mapping. Ethernet and TSN devices are usually drawn from industrial networking vendors focusing on deterministic Ethernet, substation automation and factory automation markets.

Serial, digital I/O and isolation components

• RS-485/RS-232 transceivers. Multi-drop, high-ESD and, where appropriate, galvanically isolated serial transceivers connect relays, bay controllers and remote I/O. Their selection is tied to cable lengths, line speeds and surge requirements.
• Digital isolators and optocouplers. Isolators provide boundaries between field wiring and the logic domain, and between power entry and low-voltage rails. Devices are chosen based on isolation rating, CMTI and channel count.
• Driver and input front-end ICs. High-side and low-side drivers, relay drivers and protected digital input front-ends round out the interface layer and are often sourced from vendors focused on industrial I/O protection and automation.

Power entry, conversion and protection

• Wide-input DC-DC and isolation modules. Controllers or modules that accept typical substation DC rails (for example 24 V, 48 V or 110 V) with wide operating ranges and isolation form the foundation of the internal power architecture.
• eFuse, hot-swap and ideal-diode controllers. These devices implement controlled inrush, fault isolation, redundancy ORing and accurate monitoring for dual-feed and battery-backed installations.
• Vendor mapping. Power devices are typically selected from power-focused vendors with industrial and telecom portfolios that cover isolated conversion, protection and supervision functions.

Time synchronisation and clocking

• TCXO and OCXO devices. Temperature-compensated and oven-controlled oscillators provide the frequency stability required for accurate PTP operation and synchrophasor-aligned measurements.
• PTP clock and timing ICs. Dedicated timing chips handle PTP event timestamping, time distribution and jitter cleaning, easing the burden on the main SoC and Ethernet devices.
• GNSS receivers. GNSS modules or chipsets lock the station time to an external reference, generating PPS and time-of-day signals for the PTP or system time base.

Storage, monitoring and protection components

• NOR, NAND, eMMC and FRAM. Non-volatile memories host boot images, file systems, event buffers and audit logs. Endurance and data retention requirements often lead to mixed use of flash and FRAM or other high-endurance technologies.
• Supervisors, watchdogs and sensors. Voltage supervisors, external watchdogs and temperature or voltage monitor ICs protect the gateway from brownout, lockup and thermal stress.
• EMI, surge and magnetics. TVS diodes, gas discharge tubes, MOVs, common-mode chokes, LAN magnetics and connectors form the outer shield against lightning, switching surges and conducted EMI, and are typically selected from dedicated protection and magnetics vendors.

Application examples

The following mini-stories illustrate how a SCADA or substation gateway can be applied in real grid projects. Each example links system-level drivers to concrete IC building blocks, from the main controller and security devices down to industrial interfaces, power and protection components.

Part numbers and device families are indicative only. They are selected to reflect typical choices in modern deployments where IEC 60870-5-104, DNP3, IEC 61850, VPN, TLS and secure boot must coexist on a single hardware platform.

Example 1 – Upgrading legacy substations to IEC 61850 and TSN

Context and upgrade goals

A fleet of older substations exposes only serial IEC 60870-5-103 links and basic IEC 60870-5-104 connections through RTUs. Station LANs do not support IEC 61850, TSN or PRP/HSR, and security is provided by external VPN appliances without integration into gateway firmware. Firmware updates are performed via local serial tools and are not protected by secure boot or signed images.

A new substation gateway platform is introduced to modernise this environment. The gateway terminates IEC 61850 MMS and GOOSE on a TSN-capable station LAN, aggregates legacy 103/104 and DNP3 traffic, and consolidates VPN and TLS functions on the same hardware. The design requires secure boot, strong key protection and a long-term maintainable IC portfolio.

Key building blocks and IC choices

Main controller and TSN networking.

• NXP LS1028A – dual Cortex-A72 industrial SoC with integrated TSN switch, Gigabit Ethernet MACs, secure boot and hardware crypto blocks, used as the primary controller running IEC 61850, IEC 60870-5-104, DNP3 and management services.
• Microchip LAN9668 – 8-port TSN Ethernet switch device providing IEEE 802.1Qbv/Qbu/Qci/AS support and PRP/HSR-capable topologies where a discrete switch is preferred over an integrated SoC switch.
• Microchip KSZ9031RNX or Texas Instruments DP83867 – Gigabit Ethernet PHYs with industrial temperature capability and low EMI, paired with suitable RJ45 magnetics at station-bus and process-bus ports.

Security and device identity.

• NXP SE050 secure element – stores device certificates, VPN credentials and TLS client keys, and exposes ECC operations over I²C, keeping long-term keys out of main SoC memory.
• Infineon SLB 9670 TPM 2.0 – SPI-connected TPM used to anchor platform integrity measurements, secure boot logs and potentially sign audit trails for compliance with utility security policies.

Serial interfaces and isolated I/O.

• Texas Instruments ISO1410 – isolated RS-485 transceiver with high CMTI, used for long multi-drop links to bay controllers, protection relays and legacy RTUs in harsh substation environments.
• Analog Devices ADuM141D – quad-channel digital isolator providing safe isolation for SPI and control signals crossing from the SoC domain into field I/O and power domains.

Power conversion and surge protection.

• Texas Instruments LM5017 – wide-input buck regulator handling 48 V or 110 V DC rails and generating an intermediate DC bus for further regulation stages inside the gateway.
• Texas Instruments TPS2662 – industrial eFuse implementing controlled inrush, over-current protection and ORing for dual DC feeds to the gateway.
• Littelfuse SM712 and Bourns TBU-CA065-200-WH – surge and transient protection devices used on RS-485 lines and long external cables to improve lightning and switching surge robustness.

Operational impact

After deployment, the control centre sees a uniform IEC 61850 and IEC 60870-5-104 view of each station, independent of the age and protocol mix of individual IEDs. VPN and TLS termination move into the gateway platform, where keys are anchored in the SE050 and TPM rather than in external appliances. Signed firmware images and A/B update slots on the LS1028A-based platform reduce upgrade risk and enable remote patching of multiple substations under a consistent security policy.

Example 2 – Feeder automation and DTU/FTU upgrade with compact gateways

Context and upgrade goals

Urban feeder automation relies on a mixture of FTUs, DTUs and TTUs from different generations. Some terminals expose only IEC 60870-5-101 or Modbus over serial links, others support 104 over low-bandwidth cellular modems. Security is inconsistent, and firmware upgrades for field devices require site visits and manual access to individual cabinets.

New compact SCADA gateways are installed in ring-main units and distribution cabinets. Each gateway concentrates legacy terminals, adds DNP3 Secure Authentication and 104/TLS, and provides NB-IoT or LTE-Cat.1 connectivity back to the control centre. The design must fit within tight space and power budgets while maintaining industrial robustness.

Key building blocks and IC choices

MCU and Ethernet.

• STMicroelectronics STM32H753 – Cortex-M7 MCU with integrated Ethernet MAC, cryptographic accelerators and rich serial interfaces, acting as the main controller running DNP3, IEC 60870-5-104 and the local management stack.
• Microchip LAN8742A or Texas Instruments DP83848 – Fast Ethernet PHYs for cabinet-level Ethernet and backhaul ports, paired with industrial RJ45 connectors and magnetics.
• u-blox SARA-R4/N4 module family – NB-IoT or LTE-M/LTE-Cat.1 cellular modules providing secure IP transport for DNP3 over TCP and 104/TLS where wired backhaul is not available.

Security and identities.

• Microchip ATECC608B – secure element used to store TLS client keys and DNP3 Secure Authentication credentials, and to offload ECC operations from the STM32H753.

Serial ports, digital I/O and isolation.

• Texas Instruments SN65HVD72 – robust RS-485 transceiver used on short to medium-length links where isolation is provided separately at the board level.
• Analog Devices ADM2582E – integrated isolated RS-485 transceiver with on-board DC-DC converter, selected for the longest or harshest feeder links to remote terminals.
• Analog Devices ADuM1250 and ADuM131D – I²C and multi-channel digital isolators separating low-voltage logic from field I/O and power domains.
• Texas Instruments ISO1212 – isolated industrial digital input front-end device for 24 V status signals from switchgear and auxiliary contacts.

Power conversion, ride-through and protection.

• Analog Devices LT8609S – synchronous buck converter handling 24 V feeder DC rails and generating stable logic supplies with good efficiency at light load.
• Analog Devices LTC3350 – supercapacitor backup controller providing a few seconds of energy storage, enough to flush critical events and last measurements to the control centre before complete power loss.
• ST STEF12 or Texas Instruments TPS25982 – eFuse devices implementing soft-start, short-circuit protection and controlled fault isolation for the gateway’s DC input.
• Littelfuse SP485, Littelfuse SM24CANA and Bourns SM712 – TVS arrays used on RS-485, CAN-like interfaces and supply rails to withstand surge and ESD events on exposed cabling.

Operational impact

After rollout, the control centre interacts with a consistent class of feeder gateways rather than a patchwork of legacy RTUs and FTUs. Each compact gateway concentrates local serial and I/O connections, applies DNP3 Secure Authentication and TLS where required, and forwards data over NB-IoT or LTE with keys anchored in the ATECC608B. Supercapacitor ride-through based on the LTC3350 allows the gateway to report last-gasp events and voltage dips before power completely fails, improving fault localisation and post-event analysis for distribution planners and operators.

Recommended topics you might also need

• Substation IED (IEC 61850)
• Protection Relay (OC/EF/Diff/Distance)
• PMU / Synchrophasor (IEEE C37.118)
• Feeder/Dist Automation (FTU/DTU/TTU)
• Industrial Ethernet & TSN
• Grid Cybersecurity Module

FAQs about SCADA and substation gateways

This section collects common questions that come up when specifying, designing or deploying SCADA and substation gateways. Each answer gives a compact, practical guideline that can be used as a checklist during planning, vendor comparison and detailed hardware or firmware design.