Fortified Networks

Wireless technologies continue expansion into industrial applications

One of the key issues hindering the growth of wireless is security. Industrial applications typically have more stringent security requirements than commercial networks -- as disruption of an industrial network can result in process shutdown, equipment damage or loss of critical company data.

Wireless networks are inherently less secure than wired networks as data is sent through the air, enabling easier access to data by malicious entities. Wireless standards organizations and vendors have been responding to this threat by incrementally enhancing security features within wireless products.

Wireless Applications
In commercial applications, wireless is typically implemented for convenience and cost savings. In industrial environments, wireless enables a variety of applications that cannot easily be addressed with wires.

Remote locations. Consider a drinking water application where a processing plant requires connectivity to a variety of remote wells, reservoirs and pumping stations; a tank farm application where the pressure and the temperature of a liquid are monitored; or a scenario where connectivity is required on the other side of a river or highway. In these scenarios, the cost of a wireless connection is trivial compared to a wired connection.

Moving equipment. Consider an application in which instrumentation data is needed from a moving piece of equipment, like a rotating device, welding robot or devices moving on a conveyor line. These applications are difficult to address with a fixed connection, in many cases making wireless connection the only effective option.

Hazardous equipment access. Consider connectivity to a device operating at medium or high voltage, or access to a device located at the top of a utility pole. Wireless provides a safe alternative to access such equipment.

Malicious entities attack wireless networks for a range of reasons. Here are a few examples:

  • To use the Internet connection. People may attempt to access corporate resources to use the Internet for free.
  • To access secure data. A malicious entity accesses the network for the express purpose of gathering private company data. WLANs are often connected to wired networks, and despite firewalls, VPNs and other security-enhancing technologies, a malicious entity could circumvent the wired network security by accessing a wireless connection.
  • To disable the network. A malicious entity attempts to prevent the monitoring or control of equipment by disrupting wireless communications.

Techniques used by malicious entities to accomplish these objectives include denial of service attacks, eavesdropping, rogue access points and identity spoofing.

WLANs also can create backdoors to wired networks. A single unauthorized wireless access point connected to a wired network has the potential to create a backdoor to the wired network, circumventing the wired network security and thereby allowing a hacker to effortlessly gain access to a closed network.

Denial of service attacks flood a wireless network with traffic at the radio, MAC, network or transport layer. On 802.11 networks the MAC layer is the soft spot: management frames such as deauthentication and disassociation carry no authentication unless the 802.11w amendment (protected management frames) is enabled, so a single attacker can forge them in the access point's name and knock every client off the network, or simply jam the channel. The goal of a DoS attack is to disable a network by disrupting the communication between end points.
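As an added example (not from the original article or any vendor's monitoring product), the Python below implements the rate check a practitioner would want behind a "monitor for denial of service and alarm" policy: it reads a capture log and alarms when deauthentication or disassociation frames aimed at one BSSID exceed a threshold inside a sliding one-second window. The log line format, the addresses and the timestamps are constructed for the example, and the threshold is an assumption to tune per site.

```python
"""Deauthentication-flood detector over a text capture log (constructed sample data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One line per captured 802.11 frame, in a format assumed for this example
# (not any product's real output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<subtype>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bssid=(?P<bssid>\S+)(?: reason=(?P<reason>\d+))?$"
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_deauth_flood(lines, threshold=20, window_s=1.0):
    """
    Sliding-window rate check per BSSID. A legitimate access point sends an
    occasional deauthentication or disassociation when a client leaves; dozens
    per second, especially to the broadcast address, is someone forging frames
    in the AP's name. Returns one (bssid, trigger_time, frames_in_window) per
    offending BSSID.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
    alarms, alarmed = [], set()
    for rec in map(parse_line, lines):
        if rec["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[rec["bssid"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # expire old timestamps
            q.popleft()
        if len(q) >= threshold and rec["bssid"] not in alarmed:
            alarms.append((rec["bssid"], rec["ts"], len(q)))
            alarmed.add(rec["bssid"])
    return alarms


# ---- constructed sample log -------------------------------------------------
def _ts(ms: int) -> str:
    return f"2024-05-01T10:00:{ms // 1000:02d}.{ms % 1000:03d}"


AP, CLIENT, BCAST = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"

SAMPLE_LOG = [
    f"{_ts(0)} beacon src={AP} dst={BCAST} bssid={AP}",
    # one client leaves normally (reason 3: station is leaving the BSS)
    f"{_ts(500)} deauth src={CLIENT} dst={AP} bssid={AP} reason=3",
    f"{_ts(1200)} beacon src={AP} dst={BCAST} bssid={AP}",
] + [
    # 30 forged broadcast deauthentications in 300 ms, spoofing the AP's own
    # address (reason 7: class 3 frame received from nonassociated station)
    f"{_ts(5000 + 10 * i)} deauth src={AP} dst={BCAST} bssid={AP} reason=7"
    for i in range(30)
]

if __name__ == "__main__":
    for bssid, when, n in detect_deauth_flood(SAMPLE_LOG):
        print(f"ALARM {when.time()} deauth flood against {bssid}: {n} frames in 1 s")
```

Without 802.11w a detector like this is the only defence, because the frames are trivially forged; with protected management frames enabled on both access point and clients, forged deauthentications are discarded and the same counter becomes a useful indicator that someone is trying.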

Data sent over a traditional local area network is sent over wires. A hacker must connect to the network or have access to the wire to intercept data. In wireless networks, data is broadcast into the air, making it much easier to access. Eavesdropping is used to view data passing over the network and gather authentication information to enable network access. This technique can be used to access the network, to access data or as a precursor to disable the network.

A rogue access point is a wireless device that is attached to, or imitates, the target network without authorization: either an unsanctioned access point plugged into the wired network, or an attacker's radio posing as an access point (or client) belonging to the targeted network.

Rogue access points are implemented to access secured areas of a network or to use a company's Internet connection. A rogue access point can be created maliciously by an employee or an outsider, or inadvertently when a device from an external entity is in range of the targeted network and uses the same SSID and channel.

Identity Spoofing
Identity spoofing occurs when an attacker assumes the identity of an authorized user to access the network.

One way attackers gather password information is by setting up an access point in close proximity to the targeted network that advertises the same network name. The access point is designed to present the same authentication screen as the targeted network, so users who connect to it type their credentials into the attacker's page.

Wireless standard organizations and equipment vendors have developed a variety of features to improve wireless network security. Enabling these features will increase the level of expertise required to illegally access the network. These features should be used in conjunction with security policies to properly secure a network.

An access control list is a table of the MAC addresses that are authorized to connect to a device. A device whose address is not on the ACL is refused. In larger configurations, the ACL can be administered by a centralized RADIUS server. Note that MAC addresses travel in the clear in every frame, encrypted or not, and can be set to any value in software, so an eavesdropper can copy an authorized address; an ACL stops casual connection attempts, not a deliberate attacker, and should be one layer among several.

The first step to connecting to a WLAN is finding access points that are within range of a wireless device.

Access points announce themselves to other wireless devices by transmitting their SSIDs in beacon frames. Access points can be configured to suppress SSID transmission, preventing casual identification of the wireless network. A suppressed SSID still travels in the clear in probe responses and in every client's association request, so anyone with a passive sniffer recovers it in moments; suppression raises the effort only for casual scanners and should not be counted on as a security control. SSID broadcast suppression can be used in conjunction with a feature requiring nodes wishing to enter the network to supply the network SSID as part of the authentication process.

Many industrial wireless products come with the ability to detect rogue access points and clients. These products use background scanning to record neighboring wireless devices into a table. Devices in the table are designated as known, unknown or rogue devices.
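The following Python is an added example, not code from the article or from any product, that shows how SSID suppression and rogue detection fit together: it parses constructed 802.11 management frames, builds the kind of neighbour table background scanning produces, classifies each BSSID as known, unknown or rogue against an assumed site inventory, and recovers a suppressed SSID from a client's association request. Frame bodies are minimal (fixed fields zero-filled, RSN element truncated to its version field) and every address and SSID is made up.

```python
"""Neighbour table from 802.11 management frames, with rogue classification.
All frames are constructed inline for the example; nothing is captured live."""
from dataclasses import dataclass
from typing import Optional

# Frame-control byte 0 for management frames (type 0): bits 4-7 hold the subtype.
BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ = 0x80, 0x40, 0x50, 0x00
# Bytes of fixed fields that precede the tagged information elements per subtype.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48   # element IDs: SSID, channel, WPA2/802.11i
HDR_LEN = 24                                # frame control, duration, addr1-3, seq control
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ie(ie_id: int, value: bytes) -> bytes:
    return bytes([ie_id, len(value)]) + value


def build_mgmt(subtype: int, src: str, bssid: str, ies: bytes) -> bytes:
    """Assemble a minimal management frame; fixed fields are zero-filled."""
    dst = BROADCAST if subtype in (BEACON, PROBE_REQ) else bssid
    header = (bytes([subtype, 0, 0, 0]) + mac_bytes(dst) + mac_bytes(src)
              + mac_bytes(bssid) + b"\x00\x00")
    return header + bytes(FIXED_LEN[subtype]) + ies


def parse_ies(body: bytes) -> dict:
    """Tagged parameters: one byte ID, one byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        ie_id, length = body[i], body[i + 1]
        ies[ie_id] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


@dataclass
class MgmtFrame:
    subtype: int
    src: str
    bssid: str
    ssid: Optional[str]     # None when the SSID element is absent or empty (suppressed)
    channel: Optional[int]
    rsn: bool               # RSN element present: WPA2/802.11i capable


def parse_mgmt(raw: bytes) -> MgmtFrame:
    subtype = raw[0] & 0xFC             # mask off the protocol-version bits
    if subtype not in FIXED_LEN:
        raise ValueError(f"unsupported frame control byte {raw[0]:#04x}")
    ies = parse_ies(raw[HDR_LEN + FIXED_LEN[subtype]:])
    ds = ies.get(IE_DS_PARAM)
    return MgmtFrame(subtype, mac_str(raw[10:16]), mac_str(raw[16:22]),
                     ies.get(IE_SSID, b"").decode("utf-8", "replace") or None,
                     ds[0] if ds else None, IE_RSN in ies)


def build_table(frames, authorized: dict, our_ssids: set) -> dict:
    """Scan table keyed by BSSID. known: authorized BSSID with its configured SSID
    (or none); rogue: our SSID from an unauthorized radio, or an authorized BSSID
    with a foreign SSID; unknown: anything else. Client frames add no AP entry,
    but the SSID they carry in the clear is recorded against the BSSID they
    address, which is how a suppressed SSID is recovered."""
    table = {}
    for raw in frames:
        f = parse_mgmt(raw)
        if f.bssid == BROADCAST:        # wildcard probe request, no target AP
            continue
        entry = table.setdefault(f.bssid, {"ssid": None, "channel": None, "rsn": False})
        if f.subtype in (BEACON, PROBE_RESP):
            entry["channel"], entry["rsn"] = f.channel, f.rsn
        if f.ssid is not None:
            entry["ssid"] = f.ssid
    for bssid, entry in table.items():
        if bssid in authorized:
            entry["status"] = "known" if entry["ssid"] in (None, authorized[bssid]) else "rogue"
        else:
            entry["status"] = "rogue" if entry["ssid"] in our_ssids else "unknown"
    return table


# Assumed site inventory: BSSID -> SSID configured on it.
AUTHORIZED = {"aa:bb:cc:00:00:01": "PLANT-SCADA"}
OUR_SSIDS = set(AUTHORIZED.values())

SAMPLE_FRAMES = [
    # 1. Our AP with SSID suppression: empty SSID element, channel 6, RSN present.
    build_mgmt(BEACON, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01",
               ie(IE_SSID, b"") + ie(IE_DS_PARAM, b"\x06") + ie(IE_RSN, b"\x01\x00")),
    # 2. A legitimate client associates; its request names the SSID in the clear.
    build_mgmt(ASSOC_REQ, "00:11:22:33:44:55", "aa:bb:cc:00:00:01", ie(IE_SSID, b"PLANT-SCADA")),
    # 3. An unauthorized open radio advertising our SSID on our channel: evil twin.
    build_mgmt(BEACON, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01",
               ie(IE_SSID, b"PLANT-SCADA") + ie(IE_DS_PARAM, b"\x06")),
    # 4. A neighbouring network: unknown, not rogue.
    build_mgmt(BEACON, "66:77:88:99:aa:bb", "66:77:88:99:aa:bb",
               ie(IE_SSID, b"CoffeeShop") + ie(IE_DS_PARAM, b"\x0b") + ie(IE_RSN, b"\x01\x00")),
]

if __name__ == "__main__":
    for bssid, e in build_table(SAMPLE_FRAMES, AUTHORIZED, OUR_SSIDS).items():
        print(f"{bssid} ch={e['channel']} ssid={e['ssid']!r} rsn={e['rsn']} -> {e['status']}")
```

The evil twin in frame 3 is the case the background-scan table exists for: same SSID, same channel, unknown BSSID, and here no RSN element, which is exactly what a credential-harvesting access point looks like from the air.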

It is difficult to prevent access to wireless signals, thus data must be encrypted for proper protection. There are a variety of encryption and authentication options available for wireless products. The options below are listed in roughly increasing order of strength; note that 802.1X and IPsec are authentication and tunnelling mechanisms layered on the link cipher rather than replacements for it.

Wired equivalent privacy. WEP uses a single static RC4 key shared by every device. Its keystream reuse lets an attacker recover the key from captured traffic with freely available tools, so it should be treated as no encryption at all.

Wi-Fi protected access. WPA (TKIP) was designed as a firmware upgrade for WEP hardware: it keeps RC4 but derives per-packet keys and adds a message integrity check. It was a stopgap and is now deprecated.

802.11i. Ratified as the basis of WPA2, it replaces RC4 with AES-CCMP for confidentiality and integrity and defines the four-way handshake that derives fresh session keys from either a pre-shared key or 802.1X credentials. Vendors usually implement AES in hardware, which is why it is often described as hardware accelerated. A pre-shared key must be long and random: the handshake can be captured and the passphrase guessed offline.

802.1X (not "802.11x"). Port-based network access control: every WLAN connection is authenticated with an Extensible Authentication Protocol method such as EAP-TLS or PEAP against a RADIUS server before the client receives a key, and each session gets unique keys. Requires a certificate and RADIUS infrastructure and advanced networking knowledge to implement.

IPsec. Enabling a VPN gateway in the access point using the IPsec protocol, so traffic is protected at the IP layer independent of the wireless link. It complements, rather than replaces, link-layer encryption, which is what keeps unauthenticated devices from associating in the first place.
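A concrete way to see these options, and the MAC access control list described earlier, is the configuration of a Linux access point. The two hostapd.conf fragments below are an added example, not from the original article or any vendor product: the first shows the weak settings (static WEP key, file-based MAC filtering as the only check), the second the hardened equivalent (802.11i AES-CCMP with 802.1X/EAP against a RADIUS server, protected management frames required, RADIUS-backed MAC ACL). The interface name, SSID, RADIUS address and shared secret are placeholders.

```ini
# ---- WEAK: what not to deploy ----
interface=wlan0
ssid=PLANT-SCADA
hw_mode=g
channel=6
# Static 104-bit WEP key shared by every device; recoverable from captured traffic.
wep_default_key=0
wep_key0=0123456789abcdef0123456789
# MAC filtering from a local file. Addresses are sent in the clear and trivially copied.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# ---- HARDENED: 802.11i (WPA2) with 802.1X/EAP, PMF and a RADIUS-backed ACL ----
interface=wlan0
ssid=PLANT-SCADA
hw_mode=g
channel=6
# RSN/802.11i only, no WPA1 fallback; AES-CCMP only, never TKIP.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# 802.1X authentication of every client against a RADIUS server (address and secret are placeholders).
ieee8021x=1
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-long-random-secret
# Protected management frames required: forged deauthentication/disassociation frames are discarded.
ieee80211w=2
# Second check: MAC address must also be accepted by the RADIUS server.
macaddr_acl=2
# Hides the SSID from casual scans only; it still appears in probe responses and association requests.
ignore_broadcast_ssid=1
```

With `wpa_key_mgmt=WPA-EAP` the four-way handshake keys come from the EAP exchange, so there is no site-wide passphrase to leak; clients then need the RADIUS server's certificate (or a full client certificate for EAP-TLS), which is the infrastructure cost the article refers to.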

Some access points feature embedded firewalls.

Including a firewall within the product decreases deployment costs as it removes the requirement to deploy a separate firewall with the access point.

LEPs use an additional column in the ACL to assign a pass phrase to each MAC address. Connection to the access point requires both the correct MAC address and the pass phrase, so copying an authorized MAC address is no longer sufficient on its own to gain access.

Best Practices
Network administrators should implement security policies and features to optimize network security. Policies designed to enhance WLAN security include the following.

  • Network access points should be arranged so the useful signal strength is limited as much as possible within the physically secured perimeter. Directional antennas can assist in forming a wireless footprint.
  • Place all access points and clients behind security gateways. Configure devices to limit communication to known wireless devices to prevent rogue access points.
  • Use mutual authentication and per-packet authentication techniques to hinder rogue access points.
  • User name and password combinations should not be stored permanently on a machine. Users need to be prompted to enter their user name and password each time they access the network.
  • Store user credentials, such as certificates, private keys and confidential data, on password-protected machines.
  • Mandate the use of strong passwords to prevent attackers from guessing user passwords.
  • Use ACL or RADIUS servers for authentication. The ability to provision approved clients should be restricted to key staff.
  • Do not use WEP encryption. Use a minimum of 802.11i (WPA2 with AES-CCMP) or equivalent encryption. Use enhanced security (802.1X, IPsec) in more sensitive applications.
  • Do not broadcast SSIDs, so that the network does not show up in casual wireless network scans; treat this as housekeeping rather than protection, since the SSID is still recoverable with a sniffer. Also, do not enable ad-hoc connections.
  • Monitor networks for denial of service attacks and alarm if detected.
  • Implement firewall functionality on access points to provide access control of services and to differentiate user/group access.
  • Use devices with rogue access point detection.

Wireless networks are required to cost effectively address a variety of applications not suitable for wired communication. Wireless products are commonly used in industrial applications, and deployment is projected to grow at more than 15 percent a year.

Selecting products with advanced security features coupled with the implementation of well-defined security policies will enable the deployment of secure wireless networks in industrial applications.


    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.