Securing Industrial Wireless Applications

 

At our recent Industrial Ethernet Infrastructure Design Seminar, Jeff Caldwell, chief architect for security at Belden, posed this question to the audience – is wireless more secure or less secure than a wired network? Crazy question, right?

 

But when you start thinking about it and boiling it down to the basics, maybe he has something here. Consider this:

 

• Passwords generally aren’t needed to plug a wired PC into a router and access a network, but they are required to connect to a wireless network. You can lay down a hub, use Wireshark or the like and see all of your data streams.
• Not the case with wireless, even if you’ve only set up the most basic and common place security, which 95% of the population does.

 

Thus while saying wireless is more secure than wired networking may be hard to grasp, comparing the reality of the two options can be helpful.

 

I know. You’re probably thinking to yourself, “I still worry. I hear about so many attacks these days.”

 

Well, today I’d like to introduce you to the 7 key questions to ask yourself when planning your WLAN. Shared medium or not, wireless can be secure. So let’s combine these questions with the “Golden Rule of Industrial Wireless Security” and calm your fears a bit.

 

While you may fear that industrial wireless is insecure, today’s reality is different. By turning on the security features available in current equipment offerings and following our Wireless Golden Rule, it is possible to secure wireless applications.

 

The Golden Rule of Industrial Wireless Security: Deploy Securely, Monitor Regularly

 

How do you deploy securely? We’ll get into that in a second, but let’s briefly talk about the importance of monitoring regularly.

 

You can have the best security strategy in the world – wired or wireless – but things change. Researchers continually identify new threats, automation equipment vulnerabilities are frequently revealed and unintential cyber security incidents happen regularly.

 

Therefore, an important part of your security strategy must be setting up systems to monitor your network, automatically alerting for unusual activity. In addition, establishing a process for regularly updating the system, software and plan is critical.

 

The Secure Way to Deploy Industrial Wireless

 

Now onto the other stuff – how can wireless systems be deployed securely?

 

While you need to consider several different aspects, it doesn’t have to be overwhelming. If you want to ensure you’ve covered all of your bases, ask yourself these seven questions:

 

• Have I protected the network devices?
• Have I set up protection for my network from misconfigured devices and from bad behavior?
• Are the authenticated, legitimate wireless users or devices safeguarded from other users or equipment?
• If using a WLAN controller, have I protected the network between the access point and controller?
• Have I set myself up to recognize Denial of Service (DoS) potentials, air interference, or when other “bad stuff” might be happening?
• Do I have legacy devices? Have I handled them properly so I don’t open up accidental vulnerabilities?
• Are there physical considerations around the wireless devices themselves or the wireless coverage areas I need to address?

If you’re not sure how to address some of these questions, let me give you a hint. Today’s industrial wireless equipment has numerous security features built-in. It’s often just a question of making sure you use them!

 

Defense in Depth

 

I've introduced the Golden Rule of Industrial Wireless Security – Deploy Securely, Monitor Regularly. Following this rule ensures that unwanted access to your wireless LAN and the rest of your network does not occur.

 

But, how do you deploy securely? These days, most cyber security articles talk about using Defense in Depth, or a layered approach to securing industrial networks. This means using a variety of defenses at various points in the system to protect the network or contain threats. The idea of layering, and the resulting benefits, is no different in wireless applications.

 

By implementing measures to address these seven key questions you will be building layers of protection that contribute to the best practice of Defense in Depth. Let’s take a look at the questions in detail.  

 

7 Key Questions for Best Practice of Defense in Depth

 

1. Have I protected the network devices?
2. Have I protected my network from misconfigured devices and bad behavior?
3. Are the authenticated, legitimate wireless users or devices safeguarded from other users or equipment?
4. In cases where you are using a Wireless LAN Controller, ask yourself, “Have I protected the network between the access point and the controller?”
5. Can I recognize interference, “denial of service” or other “bad behavior?”
6. Have I handled legacy devices?
7. Have I physically secured the wireless devices and the coverage areas?

 

Have I protected the network devices?

 

What are network devices? They include equipment such as switches, routers, access points and controllers. A wireless network should not impact the operation of these devices or the functioning of the wired network.

 

To ensure this, first and foremost, disable older, fairly unsecure configuration methods, like telnet, http and serial. Then, staying in the realm of the basics, make sure to change the configuration default passwords.

 

Once these fundamentals are covered, the best way to protect network devices is to utilize varying levels of access to them. Various people, machines and other pieces of equipment should not have the same level of access.

 

This can be done by considering the use of access control lists via:

 

• Individual local databases on a device
• A central integrated or external  RADIUS1 server
• Using TACACS+2 for authentication and authorization

 

Have I protected my network from misconfigured devices and bad behavior?

 

Wondering what is a misconfigured device or bad behavior? A misconfigured device could be anything on the network – a PLC, a drive, an access point, a computer, etc. When any of these are reconfigured, an error could be introduced:

 

• An old version of the configuration file with an incorrect IP address or older WEP/WPA authentication is used
• Unintended changes to the traffic routing or security settings are made

Instead of trying to communicate as it did before, a misconfigured device introduces a security vulnerability or asserts bad behavior by trying to access a portion of the wired or wireless network where it doesn’t belong. Similarly, a device may have been infected with a virus (consider Windows XP vulnerabilities) and instead of communicating to the machine next in line, it attempts to get out to the World Wide Web.

 

In any of these scenarios, there is a need to prevent rogue devices or users from affecting the network. Turn on WPA2, the highest level of user authentication, to enable only legitimate wireless devices.

 

For those using EtherNet/IP, Modbus, PROFINET, UDP or other industrial protocols, the best bet is to implement the Layer 2 or Layer 3 firewalls that are built into most wireless access points. Consider using these to limit network traffic to just expected and accepted traffic types. You might also add an extra measure of authentication by using certificates on the devices.

 

Are the authenticated, legitimate wireless users or devices safeguarded from other users or equipment?

 

Here, we are looking to protect ourselves from a user or machine that has no business being on our network or a portion of the network. Back to the basics. First, turn on encryption to keep prying eyes out. Then be sure to turn on Management Frame Protection (aka 802.11w) in both the Access Points (APs) and Clients to further protect your devices.

 

From there, look at the possibility of a “man-in-the-middle” attack. This is a scenario where a device intercepts communications between two legitimate parties and then masquerades itself in order to sniff data frames and scan for credentials and data.

 

A man-in-the-middle attack is often done by sending fake or “spoofed” address resolution protocol (ARP) frames to associate the attacker’s MAC address with the IP address of another network device. The ARP packet is your discovery packet to figure out who belongs to which IP address.

 

Activating IP spoofing protection (aka address examination) within the APs’ firewall, the controller’s firewall or an external firewall will help you identify malicious network changes.

 

Good industrial wireless products let you take advantage of both Management Frame Protection and IP spoofing protection.

 

In cases where you are using a Wireless LAN Controller, ask yourself, “Have I protected the network between the access point and the controller?”

 

It is a good practice to segment the wireless traffic from the rest of the network if using a WLAN controller.

 

The easiest way to do so is turn on the functionality of a CAPWAP3 tunnel. This is a very simple tunneling method and is available on most wireless access points and controllers.

 

Alternatively, consider the use of a VPN (Virtual Private Network) to encapsulate and encrypt data between your access point and a central VPN concentrator.

 

Features built into the Hirschmann family of wireless equipment make it easy to deploy industrial wireless applications securely.

 

Can I recognize interference, “denial of service” or other “bad behavior?”

 

Ask yourself if your system is set up to recognize “denial of service” (DoS) attacks, air interference or other “bad stuff.” Whether someone or something is purposely trying to jam your network, or something has simply caused interference – you want to know about it. In a shared medium, things can happen.

 

When setting up your WLAN bridge or infrastructure, set yourself up for success by using a wireless intrusion detection system (WIDS). Within the WIDS, set up SNMP4 traps to notify you when access points go away and rogue access points are detected.

 

Once something is detected – for instance, a wireless connection to a security camera is jammed – the administrator will be alerted. WIDS will also automatically detect DoS attack points and notify interested staff by SNMP alerts, log messages and email.

 

Have I handled legacy devices?

 

The reality is we all likely have some type of legacy device in our facility. It isn’t possible to update everything all the time. That wireless barcode scanner from seven years ago? Yeah, that’s the one. Having these devices is often the reality and that’s OK, just be sure to take note of it.

 

You may want to consider addressing a security gap here by:

 

• Using a Layer 2 or Layer 3 firewall to isolate these legacy devices
• Using a private PSK5 per device on a separate WLAN SSID6

 

Have I physically secured the wireless devices and the coverage areas?

 

Last, but not least, think though the physical aspects. Will your wireless LAN travel to areas you may not want it to? You’ll want to take this into consideration and possibly turn down the radio frequency (RF) transmit power on devices to limit coverage to just the area needed.

 

In extreme cases, you could also restrict the RF to required areas only by using RF shield tint on windows or RF paint on walls.

 

Beyond this, remember to ensure the authenticity of any users, access points or end devices, as previously discussed. This layers your security for added assurance, contributing to Defense in Depth.

 

Finally, basics once more, check that your cabinets and racks are locked and secure to prevent physical access.

 

The Industrial Wireless “Golden Rule” – Deploy Securely, Monitor Regularly.

 

Asking yourself the questions outlined above helps ensure you’ve thought through a secure deployment for your industrial wireless application. While it may seem that implementing wireless security is a large and complex task, modern industrial wireless equipment makes it easy to do.

 

Here is a summary of the key features to look for:

 

• Easy disablement of telnet, http and serial configuration methods
• Support of WPA2 authentication protocol
• Integrated Access Control List functionality
• Built-in Layer 2 and Layer 3 firewalls
• The ability to use certificates on devices
• The option to enable IP spoofing protection
• Support for standards-based 802.11w, Management Frame Protection functionality
• The support of CAPWAP tunnels and VPNs
• Inclusion of wireless intrusion detection functionality

 

Now, the most important part is to be sure to make use of these features as part of your layered strategy. Don’t forget to turn them on or implement them because they’re the good stuff that lets you sleep knowing your wireless application is secure.

 

And remember – wireless doesn’t have to be overwhelming. Think about the Golden Rule: “Configure Securely, Monitor Regularly” and get started handling the basics by considering the seven key questions.

 

1RADIUS is Remote Authentication Dial In User Service 
2TACACS+ is Terminal Access Controller Access-Control System Plus 
3CAPWAP is Control and Providing of Wireless Access Points Protocol 
4SNMP is simple network management protocol 
5PSK is pre-shared key
6SSID stands for service set identifier. It is a unique identifier for a wireless LAN.

 

Related Links

Wireless

• Webpage: Wireless products
• Blog: Oil Refinery uses Industrial Wireless for Remote Monitoring
  

Cyber Security

• Webpage: Cyber Security Solutions
• Blog: Defense in Depth Part 2: Layering Multiple Defenses