Ensuring industrial wireless security

24 March 2015

Julia Santogatta, director of wireless initiatives at Belden, looks at the security concerns associated with wireless networks, and explains how these can be overcome. 

The biggest concern about wireless solutions in the industrial world often comes down to either reliability or security. However, on a wired network, passwords are not generally needed to plug a PC into a router and get onto the network, and there is no requirement for the data to be encrypted: a hub can be inserted and a tool such as Wireshark used to view all of the data streams. This is not the case with wireless, even with only the most basic and common security measures in place. Wireless has extensive built-in security and, as the standards have evolved, the mandated security requirements have expanded, making wireless inherently more secure.

Wireless can be an extremely secure, shared medium if you follow an important ‘Wireless Golden Rule’ – deploy securely, monitor regularly – and begin by asking some typical questions about wireless local area network (WLAN) implementation and security.

Even with the best security strategy in the world – wired or wireless – things change over time. It is key that security strategies include setting up systems to monitor the network, automatically alerting for unusual activity, as well as having a regular update process for the system, software and plan. Researchers regularly identify new threats. In order to stay protected, regular monitoring is vital.

Secure deployment
How can wireless systems be deployed securely? To get started it helps to answer seven simple questions about the implementation:

1. Are the network devices protected? Network devices can include switches, routers, other access points and controllers. The wireless network should not open up potential trouble for the rest of the network. Firstly, disable older, insecure configuration methods such as telnet, http and serial. Then change the default configuration passwords. Beyond that, the best way to protect the network devices is to apply varying levels of access to them. This can be done by considering the use of access control lists – either through individual local databases on a device, a central integrated or external RADIUS server, or by using TACACS+ authentication and authorisation.

2. Is the network protected from misconfigured devices and bad behaviour? A misconfigured device could be anything on the network – a PLC, a drive, an access point, or a computer. It is possible for a device to be re-configured in a way that introduces errors, such as an upload of an old configuration version with the wrong IP address set, or unintended changes to the traffic routing or security settings. A device may have been infected with a virus and, instead of communicating with the next machine in line, it attempts to connect to the internet.
In such scenarios, there is a need to prevent rogue devices or users from affecting the network. For those using EtherNet/IP, Modbus, Profinet UDP or other industrial protocols, the best solution is to implement the Layer 2 or Layer 3 firewalls that are built into the access points. Use these to limit network traffic to only the expected and accepted traffic types. An extra measure of authentication can also be added by using certificates on devices.

3. Are the authenticated, legitimate wireless users or devices safeguarded from other equipment? There needs to be protection from users or machines that should not be on the network, or even on a specific portion of it, so first turn on encryption. Then take into consideration the possibility of a ‘man-in-the-middle’ – a scenario in which a device intercepts communications between two legitimate parties and masquerades as one of them in order to sniff data frames and scan for the credentials and data it is interested in. Man-in-the-middle is often carried out by sending fake address resolution protocol (ARP) frames to associate the attacker’s MAC address with the IP address of another network device. The ARP packet is the discovery packet used to figure out which MAC address belongs to which IP address.
To prevent such modification, consider enabling IP spoofing protection. Finally, consider utilising 802.11w functionality, such as management frame protection, to further protect wireless devices and users.

4. If using a WLAN controller, is the network protected between the access point and controller? It is good practice to segment the wireless traffic from the rest of the network if using a WLAN controller. Consider turning on the functionality of a control and provisioning of wireless access points (CAPWAP) tunnel – a simple tunneling method available on most wireless access points and controllers. Alternatively, consider the use of a virtual private network (VPN) to encapsulate and encrypt data between access points and a central VPN concentrator.

5. Will the security measures recognise Denial of Service (DoS) potentials, air interference, or other ‘bad stuff’ that might be happening? Whether someone or something is purposely trying to jam the network, or something has simply caused interference, network managers need to know about it. When setting up a WLAN bridge or infrastructure, use a wireless intrusion detection system (WIDS). Within the WIDS, for example, set up simple network management protocol (SNMP) traps to send notifications when access points go away or rogue access points are detected. Once something is detected – for example, a wireless connection to a security camera is jammed – the administrator will be alerted. A WIDS will also automatically detect DoS attack points and notify interested staff by SNMP alerts, log messages and email.

6. Are there legacy devices to consider? Have they been handled properly so accidental vulnerabilities are not opened up? Most companies will have some type of legacy device in their facility. It is not realistic to update everything all the time. Take note of these devices and consider addressing any security gaps by isolation with Layer 2 or Layer 3 firewalls and per device PSK (private PSK) on a separate WLAN service set identifier (SSID).

7. Do physical considerations around the wireless devices themselves or the wireless coverage areas need to be addressed? Finally, think through the physical aspects. Will the wireless LAN travel to unintended areas? Take this into consideration and possibly turn down the radio frequency (RF) transmit power on the devices to limit coverage to approved areas. In extreme cases, it is possible to restrict the RF to necessary areas by using RF shield tint on windows or RF paint on walls. Beyond this, remember that if the RF is leaking into extra areas, the authenticity of any users, access points or end devices must be ensured as previously mentioned. Finally, check that any cabinets and racks are locked and secure to prevent physical access.
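
Detection logic for the ARP-based man-in-the-middle described under question 3, added here as an illustration rather than code from the article or from Belden: it replays constructed ARP replies and flags any IP address that is claimed by more than one MAC, optionally seeded with known bindings from the asset inventory. The addresses and the `detect_arp_conflicts` function name are assumptions.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample (not captured traffic): the PLC at 192.168.10.20 is
# legitimately 00:11:22:33:44:55; from t=30 a second station claims the same
# IP with its own MAC, the ARP-poisoning pattern of the man-in-the-middle
# scenario described under question 3.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.10.20", "00:11:22:33:44:55"),
    ArpReply(10, "192.168.10.21", "00:11:22:33:44:66"),
    ArpReply(30, "192.168.10.20", "DE:AD:BE:EF:00:01"),
    ArpReply(31, "192.168.10.20", "00:11:22:33:44:55"),
    ArpReply(32, "192.168.10.20", "DE:AD:BE:EF:00:01"),
]


def detect_arp_conflicts(replies, known=None):
    """Return one alert string per (IP, new MAC) pair that conflicts with a
    MAC already seen for that IP.

    `known` optionally seeds the table with static IP->MAC bindings taken
    from the asset inventory, so even the first reply from a spoofer is
    caught rather than trusted as the baseline."""
    bindings = {ip: {mac.lower()} for ip, mac in (known or {}).items()}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        seen = bindings.setdefault(r.sender_ip, set())
        if seen and mac not in seen:
            alerts.append(
                f"t={r.ts}: {r.sender_ip} also claimed by {mac} "
                f"(previously {', '.join(sorted(seen))})"
            )
        seen.add(mac)  # remember every MAC so a flapping pair fires once
    return alerts


if __name__ == "__main__":
    for line in detect_arp_conflicts(SAMPLE_REPLIES):
        print("ALERT", line)
```

Feeding the detector from a real switch port mirror, or pairing it with the access point's IP spoofing protection, turns the alert into the monitoring the Golden Rule asks for.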

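The two WIDS conditions mentioned under question 5, an authorised access point going away and a rogue access point advertising the plant SSID, as an added example that is not part of the article or of any vendor's WIDS. The access point inventory, BSSIDs, scan log and the `wids_alerts` function name are all constructed assumptions.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "ts bssid ssid")

# Constructed inventory of authorised access points: BSSID -> SSID.
AUTHORISED = {
    "00:80:63:aa:00:01": "PLANT-OT",
    "00:80:63:aa:00:02": "PLANT-OT",
}

# Constructed scan log (made-up values).  AP ...:02 stops beaconing after
# t=20, and at t=40 an unknown radio starts advertising the plant SSID.
SCAN_LOG = [
    Beacon(0, "00:80:63:aa:00:01", "PLANT-OT"),
    Beacon(0, "00:80:63:aa:00:02", "PLANT-OT"),
    Beacon(20, "00:80:63:aa:00:01", "PLANT-OT"),
    Beacon(20, "00:80:63:aa:00:02", "PLANT-OT"),
    Beacon(40, "00:80:63:aa:00:01", "PLANT-OT"),
    Beacon(40, "11:22:33:44:55:66", "PLANT-OT"),
    Beacon(60, "00:80:63:aa:00:01", "PLANT-OT"),
]


def wids_alerts(log, authorised, timeout=30):
    """Replay beacon observations and return (kind, bssid, ts) alerts.

    'AP_DOWN'    an authorised BSSID not heard for `timeout` seconds
    'ROGUE_SSID' a BSSID outside the inventory advertising an authorised SSID
    Each condition fires once, so the SNMP trap or email it would feed is not
    repeated every scan.  Liveness is evaluated at observation times only; a
    real sensor would also run that check on a timer."""
    last_seen = {}
    reported = set()
    alerts = []
    for obs in sorted(log, key=lambda b: b.ts):
        if obs.bssid in authorised:
            last_seen[obs.bssid] = obs.ts
        elif obs.ssid in authorised.values():
            key = ("ROGUE_SSID", obs.bssid)
            if key not in reported:
                reported.add(key)
                alerts.append(key + (obs.ts,))
        for bssid, seen in last_seen.items():
            key = ("AP_DOWN", bssid)
            if obs.ts - seen >= timeout and key not in reported:
                reported.add(key)
                alerts.append(key + (obs.ts,))
    return alerts
```
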
Wireless security does not need to be overwhelming. Remember the Golden Rule – Configure securely, monitor regularly – and get started by handling the basics and more with these key questions. 
