Industrial wireless is being used to improve availability and reduce costs in a wide variety of applications. For example, a large coal preparation facility uses a tablet application for mobile ICS system monitoring and troubleshooting.

An offshore drilling rig company uses it for wireless data collection.

An oil refinery uses it for remote monitoring of its cooling towers, reducing wear and tear on equipment and lowering monitoring expenses.

A transit network uses it to distribute system updates and to automatically retrieve trip data.

How are these industrial wireless applications secured? Part of the answer is to make sure to use products that have excellent security capabilities built-in. Another part is to follow ICS security best practices such as Defense in Depth. Both of these approaches were discussed in the first article in this series.

In this concluding article I take a look at another important industrial wireless security strategy – detecting attacks and anomalies.

Detection strategies are an important part of a Defense in Depth approach to industrial wireless security.

Detection Technique #1 – Use WIDS to Detect Communication Anomalies

In wireless applications, operations and communication happen automatically and are invisible, even to network administrators. While this simplifies wireless network management, it also makes attacks and suspicious user behavior hard to recognize.

This is particularly true for industrial networks that provide machine-to-machine communication and operate autonomously over long timeframes. It is thus very important that an industrial WLAN solution quickly detects unusual transmissions before an attacker can affect plant operations.

The way to do this is to use wireless Access Points that include a Wireless Intrusion Detection System (WIDS). A WIDS detects and reports a wide range of suspicious behaviors, such as whether an attacker:

  • scans for open networks
  • forges management frames (see Part 1 of this article for an explanation of management frames)
  • tries to disrupt network communication with forged authentication messages

The WIDS detects and records these behaviors and informs you of them by email, system log (syslog) messages, or Simple Network Management Protocol (SNMP) traps.

Intrusion detection can be very efficient in industrial networks because the network traffic patterns are usually predictable. This makes it easy to detect suspicious behaviors.
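The following is an added example, not code from the article or from Hirschmann/Belden, of what the two WIDS rules just described look like when applied to summaries of 802.11 management frames. The frame records, MAC addresses, thresholds and syslog message format are all constructed for illustration; a real WIDS works on the frames as received by the AP's radio. The example exploits exactly the predictability the paragraph above mentions: a station that normally sends a probe request twice an hour and an AP that almost never sends deauthentication frames make simple rate thresholds effective.

```python
"""Added example (not from the article or Hirschmann): a minimal WIDS-style
detector over 802.11 management-frame summaries.

The frame records are constructed by hand, not a real capture, and the
thresholds are illustrative values rather than any vendor's defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since start of observation
    subtype: str    # "beacon", "probe_req", "deauth", "disassoc", "auth"
    src: str        # transmitter address as seen on the air
    bssid: str      # BSSID the frame claims to belong to


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    count: int      # frames in the window when the alert fired
    ts: float       # time of the frame that tipped the threshold


def _burst_alerts(frames, rule, window, threshold):
    """Flag a source that sends >= threshold frames within `window` seconds.

    One alert per source, raised when the sliding window first fills, so a
    long flood yields one alert rather than one per frame.
    """
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        q = recent[f.src]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f.src not in flagged:
            flagged.add(f.src)
            alerts.append(Alert(rule, f.src, len(q), f.ts))
    return alerts


def detect(frames, sanctioned_bssids, window=10.0,
           probe_threshold=5, deauth_threshold=5):
    """Run the two detection rules and return the alerts in rule order."""
    alerts = []
    # Rule 1: a burst of probe requests from one station is what scanning
    # for open networks looks like on the air.
    probes = [f for f in frames if f.subtype == "probe_req"]
    alerts += _burst_alerts(probes, "scan", window, probe_threshold)
    # Rule 2: a burst of deauth/disassoc frames whose source is one of our
    # own BSSIDs. A WIDS running on the AP knows it did not transmit them,
    # so they are forged management frames aimed at knocking clients off.
    kicks = [f for f in frames
             if f.subtype in ("deauth", "disassoc") and f.src in sanctioned_bssids]
    alerts += _burst_alerts(kicks, "deauth_flood", window, deauth_threshold)
    return alerts


def to_syslog(alert, host="wlan-ap-01"):
    """Render an alert as a syslog-style line (constructed message format)."""
    return (f"<132>{host} wids: rule={alert.rule} src={alert.src} "
            f"count={alert.count} t={alert.ts:.1f}")


# --- constructed sample traffic (locally administered MACs, no real OUIs) ---
AP = "02:aa:00:00:00:01"            # our sanctioned AP
CLIENT = "02:aa:00:00:00:10"        # a legitimate industrial client
SCANNER = "02:ff:00:00:00:01"       # station sweeping for networks
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE = (
    [Frame(t / 10, "beacon", AP, AP) for t in range(50)]      # normal beacons
    + [Frame(0.4, "probe_req", CLIENT, BCAST),                 # client probes twice
       Frame(7.9, "probe_req", CLIENT, BCAST)]
    + [Frame(10.0 + i * 0.4, "probe_req", SCANNER, BCAST)      # 8 probes in 3 s
       for i in range(8)]
    + [Frame(20.0 + i * 0.2, "deauth", AP, AP)                 # 10 forged deauths
       for i in range(10)]
)


def run_sample():
    return detect(SAMPLE, {AP})


if __name__ == "__main__":
    for a in run_sample():
        print(to_syslog(a))
```

Running the block prints two syslog-style lines: one `scan` alert for the sweeping station and one `deauth_flood` alert naming the AP's own BSSID as the claimed source. The legitimate client's two probe requests never reach the threshold, which is the point of tuning thresholds to the predictable baseline of an industrial network.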

Detection Technique #2 – Monitor the Wireless Environment

Two further dangers to wireless networks come not from the protected company network itself but from unsanctioned or counterfeit networks.

Rogue access points are access points that provide unsanctioned and insecure access to the production network. For example, an employee might connect his/her private wireless device to the wired network, thus creating an entry point for attackers.

Wireless Phishing, or WiPhishing, is when unauthorized access points are placed near the industrial WLAN in order to lure legitimate WLAN clients into a fake network. The fake access points use the same network name, or service set identifier (SSID), as the industrial network, but often without password protection. This makes authorized devices vulnerable to disclosing sensitive data.

Both of these attacks stem from the same problem: insufficient awareness of the wireless environment. A comprehensive, secure and reliable WLAN solution should provide rogue access point detection and wireless environment visualization.
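As an added example (not code from the article or from Hirschmann/Belden), here is the comparison a rogue-AP detector performs: every beacon heard on the air is checked against an inventory of sanctioned access points, so that an unknown BSSID advertising the plant's SSID (WiPhishing) or an unknown AP that is also plugged into the production switch (a rogue) stands out. The inventory, the switch MAC table and the beacons are constructed values. The "BSSID adjacent to a wired MAC" rule is a common WIDS heuristic stated here as an assumption: many access points derive their BSSIDs from the wired interface's MAC address plus a small offset, so a BSSID a few addresses away from a MAC learned on a production port suggests the AP is bridged into that network.

```python
"""Added example (not from the article or Hirschmann): classify observed
beacons against an inventory of sanctioned access points to spot evil
twins (WiPhishing) and rogue APs bridged into the production LAN.

Inventory, wired MAC table and beacons are constructed. The adjacency test
in near_wired_mac() is a heuristic assumption, not a property of 802.11.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str   # as advertised in the RSN element: "open", "wpa2-psk", "wpa2-eap"
    channel: int


@dataclass(frozen=True)
class Finding:
    kind: str       # "evil_twin", "rogue_wired", "config_mismatch", "unknown_ap"
    bssid: str
    ssid: str
    detail: str


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def near_wired_mac(bssid, wired_macs, span=0x0f):
    """Heuristic: BSSID within `span` of a MAC learned on the production switch."""
    b = _mac_int(bssid)
    return any(abs(b - _mac_int(m)) <= span for m in wired_macs)


def classify(beacons, sanctioned, wired_macs):
    """Return one Finding per beacon that deviates from the inventory.

    sanctioned: {bssid: (ssid, expected_security)}
    wired_macs: MAC addresses learned on the production switch's ports
    """
    findings = []
    our_ssids = {ssid for ssid, _ in sanctioned.values()}
    for b in beacons:
        if b.bssid in sanctioned:
            ssid, sec = sanctioned[b.bssid]
            if (b.ssid, b.security) != (ssid, sec):
                # Our own BSSID advertising something else: a spoofed BSSID
                # or a misconfigured AP; either way a person must look.
                findings.append(Finding("config_mismatch", b.bssid, b.ssid,
                                        f"expected {ssid}/{sec}, saw {b.ssid}/{b.security}"))
            continue
        if b.ssid in our_ssids:
            # Unknown BSSID using our SSID: a fake network luring our clients.
            findings.append(Finding("evil_twin", b.bssid, b.ssid,
                                    f"{b.security} security on channel {b.channel}"))
        elif near_wired_mac(b.bssid, wired_macs):
            # Unknown AP whose address is next to one on the production LAN:
            # an unsanctioned entry point into the wired network.
            findings.append(Finding("rogue_wired", b.bssid, b.ssid,
                                    "BSSID adjacent to a MAC on the production switch"))
        else:
            # A neighbour's network: worth recording, not an intrusion by itself.
            findings.append(Finding("unknown_ap", b.bssid, b.ssid,
                                    f"channel {b.channel}"))
    return findings


# --- constructed inventory and observations (locally administered MACs) ----
SANCTIONED = {
    "02:aa:00:00:00:01": ("PLANT-SCADA", "wpa2-eap"),
    "02:aa:00:00:00:02": ("PLANT-SCADA", "wpa2-eap"),
}
WIRED_MACS = {"02:aa:00:00:00:01", "02:aa:00:00:00:02", "02:cc:00:00:00:20"}

OBSERVED = [
    Beacon("PLANT-SCADA", "02:aa:00:00:00:01", "wpa2-eap", 1),    # ours, fine
    Beacon("PLANT-SCADA", "02:aa:00:00:00:02", "wpa2-eap", 6),    # ours, fine
    Beacon("PLANT-SCADA", "02:bb:00:00:00:10", "open", 1),        # evil twin
    Beacon("Johns-Hotspot", "02:cc:00:00:00:21", "wpa2-psk", 11), # rogue on the wire
    Beacon("CAFE-GUEST", "02:dd:00:00:00:05", "open", 6),         # neighbour
    Beacon("PLANT-SCADA", "02:aa:00:00:00:01", "open", 1),        # spoofed or misconfigured
]


def run_sample():
    return classify(OBSERVED, SANCTIONED, WIRED_MACS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:16} {f.bssid}  {f.ssid!r}: {f.detail}")
```

The two sanctioned beacons produce nothing; the other four each produce one finding. Ordering the checks so that a sanctioned SSID on an unknown BSSID is reported as an evil twin before the wired-adjacency test runs matters: a WiPhishing AP may well also be plugged into the LAN, and the SSID collision is the more urgent fact for the operator.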

Construction Kit for Secure Wireless Network Design

Diagram showing the key Protection and Detection tools needed to secure industrial wireless applications. This “construction kit for WLAN security” is discussed in detail in the white paper available for download below.

The figure shown above depicts all of the security functions discussed in both parts of this article, grouped according to communication layers. Endpoints, the devices that actually run the industrial applications, are also indicated.

In some cases, endpoints can themselves be protected, but this depends on the type of endpoint. If they are industrial PCs for example, anti-virus software is useful. If they are embedded systems, however, it is not possible to enable additional security measures. Thus a comprehensive, reliable security strategy cannot rely on endpoint security. Instead, Defense in Depth is required.

There are many options for securing WLANs against both external and internal threats. Each security mechanism described here serves a different purpose and should be used in conjunction with one another to create a holistic construction kit for ICS security. When these features are combined in an industrial network their application results in a highly effective Defense in Depth threat mitigation scheme.

Are you comfortable with the security techniques available for WLAN networks?  I look forward to hearing your thoughts.

This article is based on the White Paper “A Construction Kit for Secure Wireless” written by Dr. Tobias Heer. Dr. Heer is the manager of embedded software development and functions for our Hirschmann industrial networking group.

Related Links

Industrial Wireless Resources

Belden Products for Secure Industrial Wireless

Industrial Cyber Security Resources