How to secure your plant’s wireless networks in an insecure world
By Bryan Singer
We see examples of poor wireless security all the time. A local reporter on the evening news exposes social security numbers, personal information, intellectual property and other sensitive data. Someone with a wireless connection and a computer exposes the insecurity of a local industrial company’s wireless network. Unfortunately this embarrassing scenario happens far too often. As any security consultant will freely divulge, wireless networks abound that lack the necessary features to ensure confidentiality, integrity and availability of critical network assets.
Without the confines of a cabled network, anyone with a computer and wireless network card is free to grab the signal off the air. Quoting the 2005 sci-fi sleeper hit, Serenity, “You can’t stop the signal, Mal. Everything goes somewhere, and I go everywhere.” One might conclude from this that organizations should shy away from wireless networks, but the drivers for using wireless are significant. The problem is that the cost of insecurity can be great if it means losing either confidential information or control of an automation network.
This paradox is certainly complex, but with today’s technology, there simply is no reason that a wireless network must be less secure than a wired network. On the contrary, many properly deployed wireless networks are probably more secure than their wired counterparts. There are many excellent resources that deal with the deployment of wireless networks in industrial settings, but readers would do well to focus first on the basic requirements of wireless security: performance, confidentiality and emission management.
Wireless networks often are slower than their wired counterparts. Users must take care to ensure that their networks properly meet bandwidth and performance requirements for industrial assets. Predicting and analyzing network load, as well as additional startup and commissioning time, will add some cost to a wireless project, but the end result will prevent costly post-installation fixes. Users should also be very careful using wireless in a real-time control scenario (such as device I/O) where any blip in network communications could cause network failures or safety issues. Using wireless in slower environments and industrial information systems such as MES, historians, LIMS and HMI communications is often fine, but implement I/O and high-speed wireless communications with the utmost care.
The two main problems that can affect wireless performance are interference and network saturation. Wireless networks suffer more potential interference than wired networks. Devices such as cordless phones, microwaves and others operate in the same 2.4 GHz and 5 GHz areas of the radio spectrum as 802.11a and g networks, which means those devices can interfere with and slow down wireless communications. Site surveys and analysis with spectrum analyzers can prevent these bandwidth-draining problems. Buying high-quality antennas and access points helps further ensure performance. Access points purchased at a local chain electronics store are fine for home and small office use, but should never find their way into an industrial automation environment.
Additionally, a wireless network should be isolated as much as possible from other networks to prevent saturation from non-essential network traffic. This can be accomplished through bridges, access point isolation and using VLANs to limit the amount of non-essential traffic that encroaches on the wireless domain.
Confidentiality, or encrypting wireless network traffic, is the most critical component of wireless security. A wireless network without encryption is open for anyone to see and use, exposing internal assets. Considering the ease of deployment of wireless encryption today, it is simply irresponsible to deploy a network without encryption. Wireless encryption not only protects data, but it also limits access to the network to authorized users only.
There are several technologies that users should consider: encryption, MAC filtering and strong authentication. Encryption today comes in a variety of forms, well beyond the scope of this short article. Suffice it to state that WEP is no longer a viable option.
Asset owners should deploy networks with a minimum of WPA or WPA2 (favored today) security. WEP can be cracked in a matter of minutes with widely available tools, making it little better than no security at all. MAC filtering can also be bypassed, but it does still have a place in wireless security. The MAC (hardware) address of each authorized computer’s network card is configured into the wireless router so that only authorized MAC addresses are allowed to attempt a connection.
Strong authentication using WPA2 Enterprise or 802.1X, combined with RADIUS or TACACS servers, provides additional layers of protection in ensuring only valid computers and users can access the wireless network. Additional technologies are available as vendor-specific solutions that provide rapid rotation of encryption keys, making it increasingly difficult to crack a wireless network encryption scheme. None of these are difficult to deploy today, and they are critical to ensuring that only authorized users gain access to the wireless network and that confidential information is not exposed.
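The three confidentiality controls above (no WEP, WPA2 as the minimum, MAC filtering and 802.1X/RADIUS as extra layers) can be checked mechanically against an access point's configuration. The following audit script is an added example and is not part of the article or of any vendor's product. It reads a hostapd-style configuration (the option names `wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wep_key0`, `ieee8021x`, `auth_server_addr`, `macaddr_acl` and `accept_mac_file` are real hostapd.conf options); the severity rules and the two sample configurations, including the RADIUS address and file path, are constructed for illustration.

```python
"""Audit a hostapd-style access point configuration for the wireless
confidentiality controls discussed above: WEP removed, WPA2/CCMP only,
802.1X backed by a RADIUS server, and a MAC allow-list.
Added example; the two configurations below are constructed samples."""

HIGH, MEDIUM, INFO = "HIGH", "MEDIUM", "INFO"

# Constructed "before" configuration: a legacy WEP network with no MAC ACL.
WEAK_CONF = """
interface=wlan0
ssid=PLANT-LEGACY
channel=6
wep_default_key=0
wep_key0=0102030405
macaddr_acl=0
"""

# Constructed "after" configuration: WPA2 Enterprise (802.1X over RADIUS),
# CCMP only, plus an accept-list of authorized MAC addresses.
# The server address, secret and file path are placeholders.
HARDENED_CONF = """
interface=wlan0
ssid=PLANT-OT
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-PLACEHOLDER
macaddr_acl=1
accept_mac_file=/etc/hostapd/plant.accept
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict; full-line comments and blanks are
    skipped, and a repeated key keeps its last value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap(cfg):
    """Return a list of (severity, message) findings for one AP config."""
    findings = []
    # Any static WEP key means the AP will still accept WEP associations.
    if any(k.startswith("wep_key") or k == "wep_default_key" for k in cfg):
        findings.append((HIGH, "WEP key configured; WEP is crackable in minutes, remove it"))
    wpa = int(cfg.get("wpa", "0"))          # bitfield: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        findings.append((HIGH, "wpa=0: no WPA/WPA2, traffic is sent in the clear"))
    elif wpa & 1:
        findings.append((MEDIUM, "WPA (v1) still offered; set wpa=2 so only WPA2/RSN is used"))
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append((MEDIUM, "TKIP allowed as pairwise cipher; use CCMP only"))
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if wpa and "WPA-EAP" not in key_mgmt:
        findings.append((INFO, "pre-shared key only; WPA2 Enterprise (WPA-EAP with 802.1X/RADIUS) adds per-user authentication"))
    if cfg.get("ieee8021x") == "1" and "auth_server_addr" not in cfg:
        findings.append((HIGH, "ieee8021x=1 but no RADIUS server (auth_server_addr) configured"))
    if cfg.get("macaddr_acl") not in ("1", "2"):
        findings.append((INFO, "no MAC allow-list (macaddr_acl=1 with accept_mac_file, or 2 via RADIUS)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_ap(parse_hostapd(text)) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run as-is, the weak configuration produces two HIGH findings (WEP present, no WPA) and an INFO about the missing MAC list; the hardened one produces none. The INFO-level items deliberately stay informational because, as the article notes, MAC filtering can be bypassed and a pre-shared WPA2 key already meets the stated minimum.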
But even though there are many technologies out there to prevent unauthorized access, you still need to use common sense when it comes to security. For example, why put out a signal that can be read from miles away when you only need it to go 300 feet? Excessive radiated power increases the chances that someone outside the facility can, over time, gain access to the internal network. Too little power saps performance and increases dead spots. Using the right antennas and selecting the proper power outputs are the two key elements in emissions management.
Many users compensate for poor-quality or limited-gain omnidirectional antennas by increasing power output. This is a critical mistake, particularly if someone outside is using a high-gain directional Yagi, grid, dish, or other antenna (such as the popular “cantenna”). Higher-quality antennas or directional antennas like the above help ensure performance while limiting emissions.
Emissions management is not only a security issue; by limiting RF exposure it can be a human welfare issue as well. A suitable site survey here will again help ensure that there is adequate RF coverage for wireless performance. Post-installation emissions studies with an RF field strength meter can further help strike the right balance.
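The trade-off in the preceding paragraphs, enough power to cover the plant floor but not so much that the signal is usable far beyond the fence line, can be put into numbers with a link budget. The following is an added example, not part of the article: it uses the standard log-distance path-loss model (free-space Friis loss at a 1 m reference distance plus a loss exponent, where 2 is free space and 3 to 4 is a typical assumption for an obstructed plant floor) to compute the distance at which a given transmitter stops being decodable and the lowest transmit power that still covers a required distance. The 2437 MHz centre frequency is 802.11 channel 6; the receiver sensitivity of -90 dBm, the 10 dB fade margin and the antenna gains are assumed values, and a real deployment replaces the model with the site survey and field-strength measurements the article recommends.

```python
import math

# Added example. Log-distance path-loss model with assumed plant-floor parameters.


def path_loss_db(distance_m, freq_mhz, exponent=2.0):
    """Path loss in dB: Friis free-space loss at a 1 m reference
    (20log10(f_MHz) + 32.44 dB for d in km, so -60 dB at 1 m)
    plus 10*n*log10(d). n=2 is free space; n=3..4 is assumed for
    an indoor plant with machinery and walls."""
    pl_1m = 20.0 * math.log10(freq_mhz) + 32.44 - 60.0
    return pl_1m + 10.0 * exponent * math.log10(distance_m)


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz, exponent=2.0):
    """Received level: transmit power + both antenna gains - path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db(distance_m, freq_mhz, exponent)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz, exponent=2.0):
    """Distance at which the received level drops to the receiver's
    sensitivity, i.e. where frames stop being decodable."""
    budget = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm
    pl_1m = 20.0 * math.log10(freq_mhz) + 32.44 - 60.0
    return 10.0 ** ((budget - pl_1m) / (10.0 * exponent))


def min_tx_power_dbm(coverage_m, freq_mhz, tx_gain_dbi, rx_gain_dbi,
                     rx_sens_dbm, margin_db=10.0, exponent=2.0):
    """Lowest transmit power that still delivers sensitivity plus a fade
    margin at the edge of the required coverage area. Every dB of antenna
    gain removes a dB of transmit power, which is the article's point
    about antennas versus cranking up the output."""
    return (rx_sens_dbm + path_loss_db(coverage_m, freq_mhz, exponent)
            + margin_db - tx_gain_dbi - rx_gain_dbi)


if __name__ == "__main__":
    FREQ = 2437.0           # channel 6 centre frequency, MHz
    N = 3.0                 # assumed obstructed-floor loss exponent
    SENS = -90.0            # assumed client sensitivity at the lowest rate, dBm
    CLIENT_GAIN = 2.0       # assumed client antenna gain, dBi
    need_m = 300 * 0.3048   # the article's 300 ft, in metres

    for label, tx, gain in (("stock 20 dBm / 2 dBi omni", 20.0, 2.0),
                            ("9 dBi directional panel", None, 9.0)):
        if tx is None:
            tx = min_tx_power_dbm(need_m, FREQ, gain, CLIENT_GAIN, SENS, 10.0, N)
        edge = max_range_m(tx, gain, CLIENT_GAIN, SENS, FREQ, N)
        print(f"{label}: tx {tx:5.1f} dBm -> decodable out to {edge:6.1f} m "
              f"(need {need_m:.1f} m)")
```

With the assumed values the stock 20 dBm omni setting remains decodable almost three times farther than the required 300 feet, while a 9 dBi directional panel covers the same area at roughly 8 dBm; dropping the exponent back to 2 (open ground outside the building) stretches every figure considerably, which is why a field-strength check at the property boundary matters more than the model.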
Wireless networking certainly offers a number of potential benefits, but asset owners should still take care to ensure those networks are secure and reliable. Many additional resources are available to help in selecting and deploying such technology, but you can’t forget the three key areas to ensure success when considering a wireless network. Focusing on performance, confidentiality and emissions management will help ensure lower costs of ownership and a successful network deployment, without creating unnecessary risk.
Bryan Singer is the vice president of security services for Wurldtech Security Technologies, and is the co-chair of the ISA-99 Industrial Automation and Control Systems Security Standard. He has worked for more than 17 years in industrial automation and information technology, and has personally designed and deployed dozens of wired and wireless networks for many of the largest industrial asset owners. He holds the CISM and CISSP certifications and has been an active contributor to numerous standards bodies and technical advisory panels for industrial cybersecurity. You can reach him at email@example.com.