BlackSER AES

Serial Data Encryptor

with FIPS 140-2 Level 3 certified cryptography and hardware
Includes: DB9 and DB25 adapters

Overview

The Black•SER AES is an in-line Serial Data Encryptor with FIPS 140-2 Level 3 compliant cryptography and hardware. Serial data received on the DCE interface is encrypted using a 256-bit AES key and sent out the DTE interface. Serial data received on the DTE interface is decrypted using a 256-bit AES key and sent out the DCE interface.

Seamless Integration

Retrofit existing serial communications systems easily. The BlackSER AES's simple bump-in-the-wire design protects meters, protective relays, programmable logic controllers (PLCs), remote terminal units (RTUs), and computers from unauthorized access, control, eavesdropping, and malicious attack by authenticating and encrypting all serial data communications.

The BlackSER AES securely boots up as a protocol-agnostic asynchronous Serial Data Encryptor executing inside a tamper-reactive cryptographic boundary. All cryptographic functions, including private and public key generation, are performed inside FIPS Level 3 protected hardware. The cryptographic algorithms are FIPS certified. Internally generated keys use a NIST certified hardware-seeded random number generator to ensure key entropy.

Military Grade Tamper Reactive

The master key is secured within the CPU Die Shield's Cryptographic Boundary. Dynamic fault detection is provided by real-time environmental and active tamper detection circuitry.
• Achieves Active Level 3+ Tamper
• Transport Safe

Secure and Effective Management

The management interface is accessed through a web browser GUI. The connection is established via HTTPS from the web browser.

Key Management

The BlackSER AES core cryptography is based upon our FIPS approved Hardware Security Module. FIPS requires sophisticated protection of private key generation, exportation and importation.

Accessories Included:

Utility Application Example:

Securing Serial Communication Between an Energy Management System and a Remote Telemetry Unit

Scenario Overview:

A utility company operates an Energy Management System (EMS) at its central operations center. The EMS communicates with various Remote Telemetry Units (RTUs) installed at substations, transformers, and other field equipment sites. These RTUs collect critical operational data—such as voltage, current, frequency, and status of breakers—and send control signals back to the EMS over RS232 serial links.

While functional, these legacy serial communications are inherently unencrypted, exposing the system to potential cybersecurity threats, including interception, tampering, and spoofing of control commands.


Solution: BlackSER AES RS232 Serial Encryptor

By deploying a pair of BlackSER AES encryptors—one at the EMS side and one at the RTU side—the utility company can:

1. Ensure Confidentiality:

All RS232 serial data between the EMS and RTU is encrypted using AES 256-bit encryption, making it unreadable to unauthorized entities.

2. Preserve Legacy Infrastructure:

The BlackSER units work transparently with existing serial devices, allowing the utility to enhance security without replacing or modifying the EMS or RTUs.

3. Prevent Unauthorized Commands:

Encrypted channels help protect against malicious actors sending unauthorized control commands to field devices, which could otherwise cause grid disruptions or equipment damage.


Example Deployment:

  • Location A – Control Center (EMS)

    • EMS communicates via RS232 to a BlackSER AES unit.

    • The BlackSER encrypts the serial data and sends it over a communication medium (e.g., leased line, serial radio modem).

  • Location B – Substation (RTU)

    • A second BlackSER AES decrypts the incoming serial data and passes it to the RTU.

    • Outbound data from the RTU is encrypted in reverse and sent securely back to the EMS.


Key Benefits:

  • Enhanced cybersecurity compliance (e.g., with NERC CIP, NIST 800-171).

  • No need for protocol conversion—transparent serial encryption.

  • Tamper-resistant hardware design.

  • Field-deployable with minimal setup.

Industrial / Public Safety Application Example:

Securing RS232-Based Alarm Circuits in Industrial Facilities

Scenario Overview:

Many industrial facilities, utility substations, and remote infrastructure sites still rely on RS232-based alarm circuits to monitor critical systems like fire alarms, gas leak detectors, intrusion sensors, or environmental controls.

These alarm circuits transmit real-time status data from sensors and controllers to centralized monitoring stations over serial lines. When these circuits use leased lines, microwave links, or serial radio links, they are often unencrypted, exposing them to:

  • Data interception

  • False alarm injection

  • Tampering or spoofing of alarm statuses

Solution: Deploying BlackSER AES for Alarm Circuit Encryption

By placing BlackSER AES encryptors at each end of the alarm circuit, organizations can securely encrypt all alarm data over RS232 without changing existing sensors or control systems.

Deployment Example:

Remote Facility Site

  • Alarm controller sends RS232 data to a BlackSER AES encryptor.

  • BlackSER encrypts the data and forwards it over a communication medium (e.g., serial radio or leased line).

Central Monitoring Station

  • Incoming encrypted data is received and passed to a second BlackSER AES.

  • The data is decrypted and forwarded to the alarm monitoring console or SCADA system.

Benefits:

  • Security for Legacy Infrastructure: Adds AES-256 encryption to unprotected RS232 alarm circuits.

  • Tamper Protection: Prevents spoofing or replay attacks on alarm signals.

  • Zero System Disruption: Transparent operation with existing alarm hardware and protocols.

  • Improved Compliance: Helps satisfy industrial cybersecurity standards such as ISA/IEC 62443 or NIST 800-82.

Conclusion: Using BlackSER AES units to protect RS232 alarm circuits enhances the integrity and confidentiality of alarm data—providing peace of mind and regulatory alignment for operators of industrial and critical infrastructure sites.

Specifications

RS232 Interfaces
  • 1 RS232 DCE (RJ50)
  • 1 RS232 DTE (RJ50)
  • Baud Rate: 1.2/2.4/4.8/9.6/19.2/38.4/57.6/115.2 Kilobits
Serial Protocols Supported
  • Asynchronous 8-bit: Modbus, DNP, IEC101, etc.
LAN Network Interface
  • 1 Ethernet 10/100 BaseT Copper
  • TLS
Hardware
  • Hardware True Random Number Generator
  • NIST SP 800-90 compliant DRBG
  • Secure Boot Loader: PKI Authentication
  • Memory Encryption And Integrity Check
  • Real-Time Clock
  • Tamper: Mechanical, Die-Shield, Temp & Voltage
Physical Characteristics
  • Rack, Wall and Din Rail Mounting
  • Dimensions 102 x 153 x 26 mm (4 x 6 x 1in)
  • Weight: 454 grams; 1 pound
  • Temperature: operating -20 to 60°C,
  • Humidity: operating 10 to 90%, storage 0 to 95%
Certification
  • FIPS 140-2 Level 3
Cryptography
  • Symmetric algorithm: AES 256 bit
Management and Monitoring
  • Web GUI - run in Web Browser
  • Syslog diagnostics support
Safety & Environmental Compliance
  • UL, CE, FCC, RoHS
Power
  • DB9 Connector: Dual Hot Standby 5 to 30 VDC
  • Power consumption: 4W

9565 Soquel Drive Dr,
Aptos, CA 95003
 
Telephone: +1-831-688-1021
Toll Free : +1-877-ENGAGE4
Designed, Fabricated, and Assembled in America
Supported Worldwide

© 1989-2025 Engage Communication, Inc. All Rights Reserved.