7 Key Questions for Industrial Wireless Security, Part 2 of 2
But, how do you deploy securely? These days, most cyber security articles talk about using Defense in Depth, or a layered approach to securing industrial networks. This means using a variety of defenses at various points in the system to protect the network or contain threats. The idea of layering, and the resulting benefits, is no different in wireless applications.
By implementing measures to address these seven key questions you will be building layers of protection that contribute to the best practice of Defense in Depth. Let’s take a look at the questions in detail.
While you may fear that industrial wireless is insecure, today’s reality is different.
By using current equipment and following our special Golden Rule, it is possible to design a robust and secure wireless application.
Question 1: Have I protected the network devices?
What are network devices? They include equipment such as switches, routers, access points and controllers. A wireless network should not impact the operation of these devices or the functioning of the wired network.
To ensure this, first and foremost, disable older, fairly insecure configuration methods such as Telnet, HTTP and serial. Then, staying in the realm of the basics, make sure to change the default configuration passwords.
Once these fundamentals are covered, the best way to protect network devices is to utilize varying levels of access to them. Various people, machines and other pieces of equipment should not have the same level of access.
This can be done by considering the use of access control lists via:
- Individual local databases on a device
- A central integrated or external RADIUS¹ server
- TACACS+² for authentication and authorization
Question 2: Have I protected my network from misconfigured devices and bad behavior?
What is a misconfigured device or bad behavior? A misconfigured device could be anything on the network – a PLC, a drive, an access point, a computer, etc. When any of these are reconfigured, an error could be introduced:
- An old version of the configuration file with an incorrect IP address or older WEP/WPA authentication is used
- Unintended changes to the traffic routing or security settings are made
Instead of trying to communicate as it did before, a misconfigured device introduces a security vulnerability or exhibits bad behavior by trying to access a portion of the wired or wireless network where it doesn’t belong. Similarly, a device may have been infected with a virus (consider Windows XP vulnerabilities) and, instead of communicating with the machine next in line, it attempts to get out to the World Wide Web.
In any of these scenarios, there is a need to prevent rogue devices or users from affecting the network. Turn on WPA2, the highest level of user authentication, to enable only legitimate wireless devices.
For those using EtherNet/IP, Modbus, PROFINET, UDP or other industrial protocols, the best bet is to implement the Layer 2 or Layer 3 firewalls that are built into most wireless access points. Consider using these to limit network traffic to just expected and accepted traffic types. You might also add an extra measure of authentication by using certificates on the devices.
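To make “expected and accepted traffic types” concrete, here is an added example (not from the original article or from any vendor's firmware) of the default-deny decision a Layer 2 / Layer 3 firewall makes. The subnet, the frame summaries and the rule set are constructed for illustration, and the example covers unicast flows only; the port and EtherType numbers are the registered values for the named protocols.

```python
import ipaddress

PLANT_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed cell subnet

# Layer 2 allow-list: EtherTypes that may cross the access point without IP checks.
L2_ALLOWED = {0x0806: "ARP", 0x8892: "PROFINET RT"}

# Layer 3 allow-list: (protocol, destination port) -> expected traffic type.
L3_ALLOWED = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit I/O",
}

# Constructed frame summaries, as a capture or firewall log might report them.
FRAMES = [
    {"ethertype": 0x8892, "src_mac": "00:80:63:aa:00:20"},
    {"ethertype": 0x0800, "src": "192.168.10.30", "dst": "192.168.10.20", "proto": "tcp", "dport": 502},
    {"ethertype": 0x0800, "src": "192.168.10.30", "dst": "192.168.10.20", "proto": "tcp", "dport": 23},
    {"ethertype": 0x0800, "src": "192.168.10.40", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"ethertype": 0x86DD},  # IPv6, not expected in this cell
]


def evaluate(frame):
    """Return (allowed, reason) for one frame; anything not listed is denied."""
    etype = frame["ethertype"]
    if etype in L2_ALLOWED:
        return True, L2_ALLOWED[etype]
    if etype != 0x0800:
        return False, "EtherType 0x%04x not on the Layer 2 allow-list" % etype
    # Both ends of an IPv4 flow must sit inside the plant subnet.
    for field in ("src", "dst"):
        if ipaddress.ip_address(frame[field]) not in PLANT_NET:
            return False, "%s %s is outside %s" % (field, frame[field], PLANT_NET)
    key = (frame["proto"], frame["dport"])
    if key in L3_ALLOWED:
        return True, L3_ALLOWED[key]
    return False, "no rule for %s/%d" % key


def denied(frames):
    """Collect every frame the allow-list rejects, with the reason."""
    return [(f, reason) for f in frames for ok, reason in [evaluate(f)] if not ok]


if __name__ == "__main__":
    for frame, reason in denied(FRAMES):
        print("DENY", frame, "->", reason)
```

The Telnet attempt and the device reaching for an outside address are both rejected without a rule written for either, which is the point of listing only the traffic you expect.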
Question 3: Are the authenticated, legitimate wireless users or devices safeguarded from other users or equipment?
Here, we are looking to protect ourselves from a user or machine that has no business being on our network or a portion of the network. Back to the basics. First, turn on encryption to keep prying eyes out. Then be sure to turn on Management Frame Protection (aka 802.11w) in both the Access Points (APs) and Clients to further protect your devices.
From there, look at the possibility of a “man-in-the-middle” attack. This is a scenario where a device intercepts communications between two legitimate parties and then masquerades itself in order to sniff data frames and scan for credentials and data.
A man-in-the-middle attack is often done by sending fake or “spoofed” address resolution protocol (ARP) frames to associate the attacker’s MAC address with the IP address of another network device. The ARP packet is your discovery packet to figure out who belongs to which IP address.
Activating IP spoofing protection (aka address examination) within the APs’ firewall, the controller’s firewall or an external firewall will help you identify malicious network changes.
Good industrial wireless products let you take advantage of both Management Frame Protection and IP spoofing protection.
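The kind of check that IP spoofing protection performs can be shown with a short added example (not part of the original article and not any product's implementation): it watches ARP replies and alerts when an IP address moves to a different MAC address or when one MAC address starts answering for several IP addresses. The addresses and the sample replies are constructed.

```python
from collections import defaultdict

# Constructed sample data: (seconds, sender IP, sender MAC) from observed ARP replies.
ARP_REPLIES = [
    (0.0, "192.168.10.1", "00:80:63:AA:00:01"),   # gateway
    (1.0, "192.168.10.20", "00:80:63:aa:00:20"),  # PLC
    (5.0, "192.168.10.1", "00:80:63:aa:00:01"),   # unchanged refresh, no alert
    (9.0, "192.168.10.1", "02:11:22:33:44:55"),   # gateway IP claimed by a new MAC
    (9.5, "192.168.10.20", "02:11:22:33:44:55"),  # same MAC now claims the PLC too
]


def normalize_mac(mac):
    """Lower-case, colon-separated form so equal addresses compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_arp_anomalies(replies, pinned=None):
    """Flag IP-to-MAC binding changes and MACs that answer for several IPs.

    pinned: optional {ip: mac} of known-good bindings; other bindings are
    learned from the first reply seen for that IP.
    """
    bindings = {ip: normalize_mac(mac) for ip, mac in (pinned or {}).items()}
    ips_by_mac = defaultdict(set)
    reported = set()  # suppress repeat alerts for the same finding
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = normalize_mac(mac)
        expected = bindings.setdefault(ip, mac)
        if expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"time": ts, "type": "binding_changed",
                           "ip": ip, "expected": expected, "seen": mac})
        ips_by_mac[mac].add(ip)
        # A multihomed device can do this legitimately, so treat it as a lead to review.
        if len(ips_by_mac[mac]) > 1 and mac not in reported:
            reported.add(mac)
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(ARP_REPLIES):
        print(alert)
```

Pinning the gateway and controller addresses with `pinned` removes the reliance on the first reply being honest.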
Question 4: In cases where you are using a Wireless LAN Controller, ask yourself, “Have I protected the network between the access point and the controller?”
It is a good practice to segment the wireless traffic from the rest of the network if using a WLAN controller.
The easiest way to do so is to turn on a CAPWAP³ tunnel. This is a very simple tunneling method and is available on most wireless access points and controllers.
Alternatively, consider the use of a VPN (Virtual Private Network) to encapsulate and encrypt data between your access point and a central VPN concentrator.
Features built into the Hirschmann family of wireless equipment make it easy to deploy industrial wireless applications securely.
Question 5: Can I recognize interference, “denial of service” or other “bad behavior”?
Ask yourself if your system is set up to recognize “denial of service” (DoS) attacks, air interference or other “bad stuff.” Whether someone or something is purposely trying to jam your network, or something has simply caused interference – you want to know about it. In a shared medium, things can happen.
When setting up your WLAN bridge or infrastructure, set yourself up for success by using a wireless intrusion detection system (WIDS). Within the WIDS, set up SNMP⁴ traps to notify you when access points go away and rogue access points are detected.
Once something is detected – for instance, a wireless connection to a security camera is jammed – the administrator will be alerted. WIDS will also automatically detect DoS attack points and notify interested staff by SNMP alerts, log messages and email.
Question 6: Have I handled legacy devices?
The reality is we all likely have some type of legacy device in our facility. It isn’t possible to update everything all the time. That wireless barcode scanner from seven years ago? Yeah, that’s the one. Having these devices is often the reality and that’s OK, just be sure to take note of it.
You may want to consider addressing a security gap here by:
- Using a Layer 2 or Layer 3 firewall to isolate these legacy devices
- Using a private PSK⁵ per device on a separate WLAN SSID⁶
Question 7: Have I physically secured the wireless devices and the coverage areas?
Last, but not least, think through the physical aspects. Will your wireless LAN travel to areas you may not want it to? You’ll want to take this into consideration and possibly turn down the radio frequency (RF) transmit power on devices to limit coverage to just the area needed.
In extreme cases, you could also restrict the RF to required areas only by using RF shield tint on windows or RF paint on walls.
Beyond this, remember to ensure the authenticity of any users, access points or end devices, as previously discussed. This layers your security for added assurance, contributing to Defense in Depth.
Finally, basics once more, check that your cabinets and racks are locked and secure to prevent physical access.
The Industrial Wireless “Golden Rule” – Deploy Securely, Monitor Regularly.
Asking yourself the questions outlined above helps ensure you’ve thought through a secure deployment for your industrial wireless application. While it may seem that implementing wireless security is a large and complex task, modern industrial wireless equipment makes it easy to do.
Here is a summary of the key features to look for:
- Easy disablement of telnet, http and serial configuration methods
- Support of WPA2 authentication protocol
- Integrated Access Control List functionality
- Built-in Layer 2 and Layer 3 firewalls
- The ability to use certificates on devices
- The option to enable IP spoofing protection
- Support for standards-based 802.11w, Management Frame Protection functionality
- The support of CAPWAP tunnels and VPNs
- Inclusion of wireless intrusion detection functionality
Now, the most important part is to be sure to make use of these features as part of your layered strategy. Don’t forget to turn them on or implement them because they’re the good stuff that lets you sleep knowing your wireless application is secure.
And remember – wireless doesn’t have to be overwhelming. Think about the Golden Rule: “Configure Securely, Monitor Regularly” and get started handling the basics by considering the seven key questions.
What questions do you ask yourself when working on your wireless security? Did you find these seven questions to be a helpful starting point? I look forward to your comments.
¹ RADIUS is Remote Authentication Dial In User Service.
² TACACS+ is Terminal Access Controller Access-Control System Plus.
³ CAPWAP is Control and Provisioning of Wireless Access Points Protocol.
⁴ SNMP is Simple Network Management Protocol.
⁵ PSK is pre-shared key.
⁶ SSID stands for service set identifier. It is a unique identifier for a wireless LAN.