Securing Industrial Wireless to Its Fullest

  • October 24, 2014
  • Belden
  • Feature

By: Julia Santogatta, Belden’s director responsible for the wireless initiatives. Includes contributions from Jeffrey Caldwell, chief engineer of security solutions, and Daniel Wade, chief engineer of wireless solutions for Belden.

What is the No. 1 concern when it comes to wireless solutions in the industrial world? While the answer might be debatable, it often comes down to one of two things – is it reliable enough and can I secure it?

One way to ease your thoughts about wireless security is to ponder the question: is wireless more secure or less secure than a wired network? Some may feel this question is foolish, but think about the basics of a wired network. Unless 802.1X port authentication has been deployed, no password is needed to plug a PC into a switch or router and get onto the network, and there is no requirement for the data on the wire to be encrypted. Insert a hub (or mirror a switch port), run Wireshark or the like, and every data stream is visible. This is not the case with wireless, even with only the most basic and common security measures in place, measures that probably 95 percent of deployments already apply.

So while saying wireless is more secure may still be hard to grasp, thinking about it alongside the fundamentals of wired networks can help build comfort levels. Wireless has extensive security built into it, and as the standards evolve the mandated security requirements have expanded and will continue to do so, making wireless inherently more secure over time.

Despite this, many may still think to themselves, “I hear about so many attacks these days, I’m still worried,” but there is a road to wireless security that can calm these fears. Wireless can actually be extremely secure, shared medium or not, if you follow an important “Wireless Golden Rule” and begin by asking yourself some typical questions about your wireless local area network (WLAN) implementation and security.

The “Wireless Golden Rule” – Deploy Securely. Monitor Regularly.

Deploying securely is the big question, but first, why mention monitoring regularly? Even with the best security strategy in the world – wired or wireless – things change. It is key that security strategies include setting up systems to monitor the network, automatically alerting for unusual activity, as well as having a regular update process for the system, software and plan. Researchers regularly identify new threats. In order to stay protected, monitoring regularly is vital.

Next is deploying securely. How can wireless systems be deployed securely? While there are several different aspects to consider, it doesn’t have to be overwhelming. To get started, answer seven simple questions about your implementation:

1. Are the network devices protected?

Network devices include switches, routers, other access points and controllers. The wireless network should not open up potential trouble for the rest of the network. First and foremost, disable the older, insecure configuration methods: Telnet, HTTP and the serial console. Use SSH and HTTPS instead. Then, while it may seem basic, change the default configuration passwords. Once these fundamentals are covered, the best way to protect the network devices is to apply varying levels of access to them. Not everyone, whether people, machines or other pieces of equipment, should have the same level of access. This can be done with access control lists, either through individual local user databases on each device, a central integrated or external RADIUS server, or TACACS+ authentication and authorization; the central options keep credentials and audit records in one place and make it possible to revoke a departed engineer’s access on every device at once.

2. Is the network protected from misconfigured devices and from bad behavior?

Wondering what a misconfigured device or bad behavior is? A misconfigured device could be anything on the network: a programmable logic controller (PLC), a drive, an access point, a computer, etc. A device can be re-configured and an error introduced, such as an old configuration being uploaded with the wrong IP address set, or unintended changes to the traffic routing or security settings. Instead of communicating as it did before, the misconfigured device now exhibits bad behavior by trying to access a portion of the network it should not reach, or by attaching to a wireless network it should not join. Similarly, a device may have been infected with a virus and, instead of communicating with the next machine in line, attempts to connect to the internet. This scenario has been discussed frequently of late because of the quantity of Windows XP devices still in plants and the recent end of support for that operating system. In any of these scenarios, there is a need to prevent rogue devices or users from affecting the network. For those using EtherNet/IP, Modbus, Profinet UDP or other industrial protocols, the best bet is to implement the Layer 2 or Layer 3 firewalls that are built into the access points, and use them to limit network traffic to only the expected and accepted traffic types: known source and destination addresses, protocols and ports, with everything else denied and logged. An extra measure of authentication can also be added by using certificates on devices.
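The allowlist idea above, as an added example that is not code from the article or from Belden: a small Layer 3/4 policy evaluator of the kind an access point firewall applies. Only the expected industrial flows between known devices are allowed and everything else is denied by default, which catches both failure modes the text describes (a drive restored with the wrong IP address and an infected host calling out to the internet). The addresses, rule set and sample flows are constructed for illustration (RFC 5737 space stands in for the internet host); the protocol port numbers are the real assignments.

```python
"""
Allowlist firewall for one industrial WLAN cell (added example, not Belden code).
Only expected industrial traffic between known devices is allowed; everything
else is denied and reported. Addresses, rules and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Industrial protocol ports referred to by the rules (real assignments).
ENIP_TCP = 44818                     # EtherNet/IP (CIP) explicit messaging
ENIP_UDP = 2222                      # EtherNet/IP (CIP) implicit I/O messaging
MODBUS_TCP = 502                     # Modbus/TCP
PROFINET_UDP = range(34962, 34965)   # PROFINET IO-Device/IO-Controller/IO-Supervisor (unused below)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR
    dst: str     # CIDR
    proto: str
    dports: range
    action: str  # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and f.proto == self.proto
                and f.dport in self.dports)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def one_port(p: int) -> range:
    return range(p, p + 1)


def cell_policy() -> List[Rule]:
    """Constructed policy for cell 10.10.1.0/24: the HMI talks CIP to the PLC, the PLC
    exchanges I/O with its remote I/O block, one SCADA host polls the PLC over
    Modbus/TCP. Nothing else, and nothing to the internet."""
    hmi, plc, io_block, scada = "10.10.1.10/32", "10.10.1.20/32", "10.10.1.21/32", "10.10.2.5/32"
    return [
        Rule(hmi, plc, "tcp", one_port(ENIP_TCP), "allow"),
        Rule(plc, io_block, "udp", one_port(ENIP_UDP), "allow"),
        Rule(io_block, plc, "udp", one_port(ENIP_UDP), "allow"),
        Rule(scada, plc, "tcp", one_port(MODBUS_TCP), "allow"),
    ]


# Constructed flows: two legitimate ones, then the failure modes from the text.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", ENIP_TCP),    # HMI -> PLC, expected
    Flow("10.10.1.20", "10.10.1.21", "udp", ENIP_UDP),    # PLC -> I/O block, expected
    Flow("10.10.1.99", "10.10.1.20", "tcp", MODBUS_TCP),  # drive restored with the wrong IP
    Flow("10.10.1.10", "203.0.113.7", "tcp", 443),        # infected HMI calling out to the internet
    Flow("10.10.3.40", "10.10.1.20", "tcp", ENIP_TCP),    # legacy scanner from another segment
]


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Verdict for every flow; the denied entries are what the AP should log and alert on."""
    return [(f, evaluate(rules, f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit(cell_policy(), SAMPLE_FLOWS):
        print(f"{verdict:5}  {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The point of the default-deny last step is that the misconfigured drive is blocked without anyone having written a rule about it: it is simply not one of the known sources. Real AP firewalls add direction and state tracking on top of this, but the policy shape (explicit allows, implicit deny, log the denies) is the same.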

3. Are the authenticated, legitimate wireless users or devices (automation equipment) safeguarded from other users (equipment)?

There needs to be protection from users or machines that should not be on the network, or even on a specific portion of the network. Remember the basics? First, turn on encryption (WPA2 with AES-CCMP, not WEP or TKIP) to keep prying eyes out. Then, take into consideration the possibility of a “man-in-the-middle”: a scenario in which a device intercepts communications between two legitimate parties and masquerades as one of them in order to sniff data frames and scan for credentials and data it is interested in. On a LAN, man-in-the-middle is often done by sending fake or “spoofed” address resolution protocol (ARP) frames that associate the attacker’s MAC address with the IP address of another network device, such as the gateway or a PLC. ARP is the discovery protocol that maps an IP address to the MAC address that owns it on the local segment, and it carries no authentication of its own, so link-layer encryption alone does not stop an already-authenticated wireless client from abusing it. To prevent this and safeguard your organization, enable the IP/ARP spoofing protection offered by the access point. Finally, consider utilizing 802.11w functionality (management frame protection), which authenticates deauthentication and disassociation frames so that a forged frame cannot knock legitimate devices off the network.
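To make the ARP attack concrete, here is an added example (not code from the article or from Belden) that builds the exact Ethernet/ARP bytes an attacker sends to claim another host’s IP address, and a detector that pins known IP-to-MAC bindings, which is what the access point’s IP spoofing protection does on your behalf, and alerts when a binding changes. All addresses are constructed (RFC 5737 IPs, locally administered MACs).

```python
"""
ARP spoofing, frame by frame, and a detector for it (added example, not Belden code).
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826): a 14-byte Ethernet header
    followed by a 28-byte ARP body, 42 bytes in total."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype=Ethernet, ptype=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)       # the claim: "sender_ip is at sender_mac"
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpSpoofDetector:
    """Learn IP->MAC bindings from traffic; pinned entries are seeded up front.
    A second MAC claiming an already-bound IP is the signature of ARP cache
    poisoning (requests and replies can both carry the lie, so both are checked)."""

    def __init__(self, pinned: Dict[str, str]):
        self.bindings: Dict[str, str] = dict(pinned)
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, mac, ip = parsed
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first sighting: learn it
        elif known != mac:
            self.alerts.append(
                f"ARP conflict: {ip} is bound to {known} but claimed by {mac} (opcode {opcode})")


def demo() -> List[str]:
    """Constructed scenario: the PLC answers ARP normally, then an attacker station
    on the same WLAN claims the gateway's IP address to poison the PLC's cache."""
    gateway_ip, gateway_mac = "192.0.2.1", "02:00:00:00:00:01"
    plc_ip, plc_mac = "192.0.2.20", "02:00:00:00:00:20"
    attacker_mac = "02:00:00:00:00:66"
    detector = ArpSpoofDetector(pinned={gateway_ip: gateway_mac})
    legit = build_arp_reply(plc_mac, plc_ip, gateway_mac, gateway_ip)
    spoofed = build_arp_reply(attacker_mac, gateway_ip, plc_mac, plc_ip)
    for frame in (legit, spoofed):
        detector.observe(frame)
    return detector.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Pinning the gateway and the PLCs is what matters: a learn-on-first-sight table can itself be poisoned by whoever speaks first, so the critical addresses should come from inventory, not from the air.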

4. If using a WLAN controller, is the network protected between the access point and controller?

It is good practice to segment the wireless traffic from the rest of the network when using a WLAN controller. In these cases, consider turning on a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel, a simple tunneling method available on most wireless access points and controllers. Note that CAPWAP protects its control channel with DTLS but leaves encryption of the data channel optional, so check that data-channel DTLS is actually enabled rather than assuming the tunnel encrypts user traffic. Alternatively, consider the use of a virtual private network (VPN) to encapsulate and encrypt data between the access points and a central VPN concentrator.

5. Will the security measures recognize Denial of Service (DoS) potentials, air interference, or when other “bad stuff” might be happening?

Whether someone or something is purposely trying to jam the network or something has simply caused interference, network managers need to know about it. In a shared medium, things happen. When setting up a WLAN bridge or infrastructure, use a wireless intrusion detection system (WIDS). Within the WIDS, for instance, set up Simple Network Management Protocol (SNMP) traps to send notifications when access points disappear and when rogue access points are detected. Once something is detected, for instance a wireless link to a security camera being jammed, the administrator is alerted. A WIDS will also automatically detect DoS attack patterns, such as floods of deauthentication frames, and notify interested staff by SNMP alerts, log messages and email.
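The two detections named above, rogue access points and a deauthentication flood, as an added example that is not a vendor WIDS and not code from the article: management-frame records are scored as they arrive, and the resulting alert strings are what a caller would hand to SNMP trap, syslog or email delivery. The frame records are constructed; a real sensor would feed them from a monitor-mode radio.

```python
"""
Minimal wireless intrusion detection over 802.11 management-frame records
(added example, not a Belden/Hirschmann product).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set

SUBTYPE_BEACON = 8    # 802.11 management-frame subtypes
SUBTYPE_DEAUTH = 12


@dataclass(frozen=True)
class MgmtFrame:
    ts: float                   # capture time in seconds
    subtype: int
    bssid: str
    ssid: Optional[str] = None  # carried by beacons only


class Wids:
    def __init__(self, authorized: Dict[str, str], deauth_threshold: int = 20, window_s: float = 1.0):
        self.authorized = authorized                    # bssid -> ssid we operate
        self.our_ssids: Set[str] = set(authorized.values())
        self.deauth_threshold = deauth_threshold
        self.window_s = window_s
        self.deauths: Dict[str, Deque[float]] = defaultdict(deque)
        self.rogue_flagged: Set[str] = set()
        self.flood_flagged: Set[str] = set()
        self.alerts: List[str] = []

    def observe(self, f: MgmtFrame) -> None:
        if f.subtype == SUBTYPE_BEACON:
            # Rogue AP: our SSID advertised by a BSSID we do not own.
            if f.ssid in self.our_ssids and f.bssid not in self.authorized and f.bssid not in self.rogue_flagged:
                self.rogue_flagged.add(f.bssid)
                self.alerts.append(f"ROGUE AP: {f.bssid} is beaconing our SSID '{f.ssid}'")
        elif f.subtype == SUBTYPE_DEAUTH:
            # Deauth flood: too many deauthentication frames per BSSID in a sliding window.
            q = self.deauths[f.bssid]
            q.append(f.ts)
            while q and f.ts - q[0] > self.window_s:
                q.popleft()
            if len(q) >= self.deauth_threshold and f.bssid not in self.flood_flagged:
                self.flood_flagged.add(f.bssid)
                self.alerts.append(
                    f"DEAUTH FLOOD: {len(q)} deauthentication frames from {f.bssid} within {self.window_s}s")


def demo() -> List[str]:
    """Constructed capture: normal beacons, a few legitimate deauths spread over time,
    a rogue AP cloning our SSID, then a 30-frame deauth burst spoofing our own BSSID
    (attack tools forge the AP's address so clients accept the frames)."""
    our_ap = "02:00:00:0a:0a:01"
    wids = Wids(authorized={our_ap: "PLANT-CELL-1"})
    frames: List[MgmtFrame] = []
    for i in range(3):                                   # beacons every 100 ms
        frames.append(MgmtFrame(0.1 * i, SUBTYPE_BEACON, our_ap, "PLANT-CELL-1"))
    for i in range(5):                                   # roaming clients: one deauth per second
        frames.append(MgmtFrame(1.0 + i, SUBTYPE_DEAUTH, our_ap))
    frames.append(MgmtFrame(6.0, SUBTYPE_BEACON, "02:00:00:ba:dd:01", "PLANT-CELL-1"))  # rogue
    frames.append(MgmtFrame(6.1, SUBTYPE_BEACON, "02:00:00:ca:fe:02", "GUEST-WIFI"))    # not ours, ignored
    for i in range(30):                                  # attacker: 30 deauths in 300 ms
        frames.append(MgmtFrame(7.0 + 0.01 * i, SUBTYPE_DEAUTH, our_ap))
    for f in frames:
        wids.observe(f)
    return wids.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two caveats a practitioner should keep in mind: an access point serving clients on one channel sees only that channel, so rogue detection needs a scanning radio or dedicated sensor; and a deauthentication flood is exactly the attack that 802.11w management frame protection defeats, so the WIDS alert is the fallback for clients that cannot do 802.11w.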

6. Are there legacy devices to consider? Have they been handled properly so accidental vulnerabilities aren’t opened up?

The reality is that most companies have some type of legacy device in their facility. It isn’t realistic to update everything all the time. There is likely a seven-year-old barcode scanner somewhere; take note of these legacy devices and consider addressing their security gaps by isolating them with Layer 2 or Layer 3 firewalls and by using per-device PSKs (private PSKs) on a separate WLAN service set identifier (SSID), so that one shared key is never spread across every old device and a lost or compromised one can be revoked on its own.
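What a per-device PSK store has to do, as an added example (not vendor code and not from the article): WPA2-Personal derives the 256-bit pairwise master key (PMK) from the passphrase and SSID with PBKDF2-HMAC-SHA1 over 4096 iterations (IEEE 802.11i), so the controller can keep one PMK per device MAC, pick the right one when that station associates, and drop a single entry to revoke one scanner. The device MACs and SSID below are constructed; wpa2_pmk() is checked against the test vector published in the standard.

```python
"""
Per-device pre-shared keys (private PSK) for a legacy-device SSID
(added example, not Belden code).
"""
import hashlib
import secrets
from typing import Dict, List, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes) per IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def new_passphrase() -> str:
    """32 random URL-safe characters from the OS CSPRNG (192 bits of entropy)."""
    return secrets.token_urlsafe(24)


class PrivatePskStore:
    """What the AP/controller keeps: MAC -> PMK. The passphrase itself is handed to the
    device once at provisioning time and is not stored here."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.pmks: Dict[str, bytes] = {}

    def provision(self, mac: str) -> str:
        """Issue a fresh passphrase for one device and return it for entry on that device."""
        passphrase = new_passphrase()
        self.pmks[mac.lower()] = wpa2_pmk(passphrase, self.ssid)
        return passphrase

    def revoke(self, mac: str) -> bool:
        """Remove one device; every other device keeps working unchanged."""
        return self.pmks.pop(mac.lower(), None) is not None

    def pmk_for(self, mac: str) -> Optional[bytes]:
        """AP side: the PMK to use in the 4-way handshake with this station; None means reject."""
        return self.pmks.get(mac.lower())


def demo() -> List[Optional[bytes]]:
    """Constructed fleet of three scanners; the third is revoked after provisioning."""
    store = PrivatePskStore("LEGACY-SCANNERS")
    macs = ["02:00:00:00:10:01", "02:00:00:00:10:02", "02:00:00:00:10:03"]
    for mac in macs:
        store.provision(mac)
    store.revoke(macs[2])
    return [store.pmk_for(m) for m in macs]


if __name__ == "__main__":
    print("802.11i test vector:", wpa2_pmk("password", "IEEE").hex())
    print([p is not None for p in demo()])
```

The MAC address is only a lookup key, not authentication: a station that spoofs a provisioned MAC still has to prove knowledge of that device’s PMK in the 4-way handshake, so the secret is the passphrase and the MAC merely selects which one to check. Anything that can do WPA2-Enterprise with certificates should use 802.1X instead; private PSK is the fallback for devices that cannot.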

7. Do physical considerations around the wireless devices themselves or the wireless coverage areas need to be addressed?

Last, but not least, think through the physical aspects. Will the wireless LAN travel to unintended areas? Take this into consideration and, where possible, turn down the radio frequency (RF) transmit power on the devices to limit coverage to approved areas. In extreme cases, it is possible to restrict the RF to necessary areas by using RF-shielding tint on windows or RF-attenuating paint on walls. Beyond this, assume some RF will still leak into unintended areas and ensure the authenticity of any users, access points or end devices as previously mentioned; lowering transmit power limits what a casual passer-by sees, not what a determined attacker with a high-gain antenna can reach. This layered security approach adds extra assurance. Finally, check that any cabinets and racks are locked and secure to prevent physical access.

Ultimately, wireless security doesn’t need to be overwhelming. Remember the Golden Rule: Deploy Securely. Monitor Regularly. Then get started by handling the basics and more with these key questions.
