Secure Industrial Wireless Networks


For years, many industrial control applications have benefited from the ease of using wireless technology to gather information. However, the technology covered in the 802.11 (Wi-Fi) standards has not come into broad usage for industrial applications until recently. Following a similar path to Ethernet, Wi-Fi wireless networks have been adopted into almost every commercial business imaginable because of their ease of use, fast data speeds and the breadth of products that support them. The allure and convenience of being able to implement a secure and robust wireless network in your ICS or SCADA system goes without saying. This article will focus mostly on methods to secure a Wi-Fi network for control system usage. Many of the concepts and techniques mentioned here can also be applied to other wireless technologies used in IoT and M2M applications, some of which will be introduced in this article as well.

Data and Management Traffic

The first step to securing a Wi-Fi network is to understand the types of traffic being passed on your network and how to make this traffic secure and reliable. The two main categories of traffic passed on a network are data traffic and management traffic. Data traffic should always be encrypted, and the IEEE has passed Standard 802.11i (known as Wi-Fi Protected Access 2, or WPA2) to accomplish this. WPA2 comes in two types: personal and enterprise. Personal WPA2 functions like the Wi-Fi served up in homes and coffee shops, where clients enter a password and get access. For large networks, it makes sense to use enterprise WPA2, as it allows much more scalability and security in the network. It enables network administrators to assign each client or device an authentication key and manage them in a central server. It also allows for 802.1X port authentication. This allows administrators to keep unwanted devices off the network and remove access from old, missing, or broken pieces of equipment.

WPA2 is a very secure way to send data wirelessly. As a matter of fact, at the time of publication, the only known way to crack WPA2 is by “brute forcing” PSK password guesses. However, enabling WPA2 alone does not secure your network entirely, because it only encrypts the data on your network but not the network management frames. This leaves sensitive network management frames open to being snooped, so that hackers can find sensitive information about your network, or spoofed, so that hackers can cause havoc on your network. Luckily, there is the IEEE 802.11w standard, which encrypts network management frames with the same security as WPA2 traffic. This is called Protected Management Frames (PMF). This measure helps to ensure the network's confidentiality and data integrity, but it also helps to maximize uptime by reducing the risk of DDoS attacks or spoofed network management frames taking parts of the network offline.
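The checks from the two paragraphs above (WPA2-only data encryption, enterprise authentication with 802.1X and a central server, required PMF) written as a small configuration audit. This is an added example, not part of the original article; it assumes an access point configured with hostapd-style options, and the sample configurations, SSID and server address are constructed.

```python
# Added example: audit a hostapd-style AP config for the settings discussed above.
# hostapd is an assumption; the article names no access point software.
WEAK_CONF = """\
# constructed sample: WPA2-Personal, management frames unprotected
ssid=plant-floor
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=EXAMPLE-ONLY-PLACEHOLDER
ieee80211w=0
"""

HARDENED_CONF = """\
# constructed sample: WPA2-Enterprise, 802.1X, PMF required
ssid=plant-floor
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
ieee80211w=2
"""

def parse(conf):
    """Return key/value options, skipping blank lines and # comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    o, findings = parse(conf), []
    if o.get("wpa") != "2":
        findings.append("wpa: data traffic is not WPA2-only")
    mgmt = o.get("wpa_key_mgmt", "").split()
    if not mgmt or not all(m.startswith("WPA-EAP") for m in mgmt):
        findings.append("wpa_key_mgmt: personal (PSK) or unset, not enterprise")
    elif o.get("ieee8021x") != "1" or "auth_server_addr" not in o:
        findings.append("ieee8021x: no 802.1X with a central RADIUS server")
    pmf = o.get("ieee80211w", "0")  # hostapd: 0 disabled, 1 optional, 2 required
    if pmf != "2":
        findings.append("ieee80211w: PMF is not required (value %s)" % pmf)
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

A value of `ieee80211w=1` still fails the audit: with PMF optional, clients that do not negotiate it keep exchanging unprotected management frames.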

In any network, segmentation is a key security measure, and VLANs and subnetting should be included in any strategy. There are many articles and guides on segmenting networks, a topic too vast to fit into this article.  

Intrusion Detection Systems

Having a system for detecting network threats and attacks is important on any industrial or enterprise network, and a wireless network is no exception. There are a variety of wireless intrusion detection systems (WIDS) on the market, some as enterprise software, and some built into the access point(s). WIDS can detect and report suspicious behavior. How these threats are dealt with becomes important on an industrial wireless network because, in many cases, these networks cannot simply be shut down or reset. Rogue access points and rogue or suspicious clients present threats which must be dealt with in a granular fashion that will not remove access to critical parts of the control system. There are access points available that offer client isolation, which will restrict access to suspect clients. Taking this one step further, access points can also be used in conjunction with a layer 2 firewall to selectively drop suspicious packets while maintaining connectivity to all clients.
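The rogue access point detection described above, reduced to its core comparison of observed beacons against an inventory of authorized access points. This is an added example, not part of the original article and not any WIDS product's logic; the inventory, observations, labels and signal threshold are constructed assumptions.

```python
# Added example: classify observed beacons against an authorized AP inventory.
# Inventory, observations and thresholds are constructed for illustration.

AUTHORIZED = {  # BSSID -> attributes the site expects
    "02:00:00:00:00:01": {"ssid": "plant-floor", "channel": 36, "security": "WPA2-EAP"},
    "02:00:00:00:00:02": {"ssid": "plant-floor", "channel": 44, "security": "WPA2-EAP"},
}
ON_SITE_DBM = -65  # assumed: a stronger signal than this means the emitter is on site

OBSERVED = [  # constructed sensor output: one dict per beacon source
    {"bssid": "02:00:00:00:00:01", "ssid": "plant-floor", "channel": 36, "security": "WPA2-EAP", "rssi": -48},
    {"bssid": "02:00:00:00:00:02", "ssid": "plant-floor", "channel": 44, "security": "WPA2-PSK", "rssi": -52},
    {"bssid": "02:00:00:00:00:99", "ssid": "plant-floor", "channel": 6, "security": "OPEN", "rssi": -50},
    {"bssid": "02:00:00:00:00:aa", "ssid": "contractor-hotspot", "channel": 11, "security": "WPA2-PSK", "rssi": -58},
    {"bssid": "02:00:00:00:00:bb", "ssid": "neighbour-office", "channel": 1, "security": "WPA2-PSK", "rssi": -88},
]

def classify(obs, authorized=AUTHORIZED):
    """Return (label, detail) for one observed beacon source."""
    known = authorized.get(obs["bssid"].lower())
    our_ssids = {ap["ssid"] for ap in authorized.values()}
    if known:
        drift = [k for k in ("ssid", "channel", "security") if obs[k] != known[k]]
        if drift:
            return "spoofed-or-misconfigured", "differs from inventory: " + ", ".join(drift)
        return "authorized", ""
    if obs["ssid"] in our_ssids:
        return "impersonating-ap", "site SSID from a BSSID not in inventory"
    if obs["rssi"] >= ON_SITE_DBM:
        return "rogue-ap", "unknown AP with on-site signal strength"
    return "neighbour", ""

def alerts(observations):
    """Per-device alerts only, so a response can target one BSSID at a time."""
    out = []
    for obs in observations:
        label, detail = classify(obs)
        if label not in ("authorized", "neighbour"):
            out.append((obs["bssid"], label, detail))
    return out

if __name__ == "__main__":
    for bssid, label, detail in alerts(OBSERVED):
        print(f"{bssid}  {label}: {detail}")
```

Each alert names a single BSSID, which matches the granular handling the paragraph calls for: the response can be scoped to that one device while the rest of the control network stays up.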

Other Ways to Secure Wireless Networks

Other techniques to further secure a wireless network that go beyond device configuration and software are:

  • Select antenna gains and patterns so that the signal spill-over is minimized
  • SSIDs can be hidden (not advertised) making your network harder to find for snoopers, hackers, operators, contractors, etc.
  • Look at other application-specific wireless protocols and technologies in your application.

Wireless IoT Network Protocols

There are countless wireless IoT Network Protocols in use today. Below is a brief introduction to some of those technologies and common applications.

  • Cellular 2G, 3G, 4G and LTE
  • Bluetooth and Bluetooth Low Energy (BLE)
    • 2.4 GHz and short range
    • M2M data transfers, speakers
    • BLE devices remain asleep unless actively sending data
    • BLE allows for sensor data to be polled every few minutes and has an extremely long battery life
  • ZigBee
    • Similar to Bluetooth
    • Used in building automation, lighting, etc.
    • Common application – CREE Smartcast or similar lighting control
  • Wi-Fi-ah
    • Newer Wi-Fi standard designed for low data rates, low energy usage and longer range applications; passed in 2017 and may prove to be an important player in the IoT marketplace
  • RFID
    • Currently widely used in access control and tag and batch tracking applications; typically only one device
  • DigiMesh
    • Proprietary mesh, similar to ZigBee
  • WirelessHART
    • Commonly used in applications where HART is widely used, that is to say, process control networks; primary uses are for gathering analog sensor data.

References

For more information on securing an industrial wireless network, please contact your Anixter Industrial Network Specialist or refer to the sources below.