Wireless networks can save money and speed turnarounds


Wireless plant networks

WPNs are often implemented using Wi-Fi (IEEE 802.11-2007) and are used for applications like video, mobile worker, location tracking, video over wireless, field data backhaul, and control network bridging, each with its own characteristics and requirements. Messages can be much longer than those of a wireless field network, and may include such traffic as streaming video.

It’s important to note that WPNs use a set of protocols that were developed by the IT community, not industrial networking designers with knowledge of process plant operations.

A professional site assessment is critical to the successful implementation of a WPN. This generally requires engineers to visit the plant to conduct an RF FEED (radio frequency front-end engineering design), determine access point locations, and collect other on-site information. This is followed by system architecture design; based on the site survey result and the plant’s requirements, engineers design the overall system architecture, including the network infrastructure and the appropriate applications. This is followed by the network design and planning process, which creates a detailed network infrastructure. The last step is physical network installation management and system commissioning.

Keeping wireless systems secure

A frequent question raised when wireless networks are discussed is, what about security? Can’t someone outside the plant monitor the signals and gather intelligence on plant activities, production rates, and so on? And what about hacking? If an intruder can get into the system to monitor it, can’t he also make changes? What if someone changes setpoints to cause a shutdown or even a catastrophe?

That’s where modern security comes in. Wireless field networks and WPNs are different: field networks use mesh architecture that is generally considered secure thanks to a series of critical features:

  • Channel hopping on top of the standard direct-sequence spread spectrum. This makes the system inherently resistant to jamming attacks.
  • AES-128 encryption (NIST/IEEE compliant) for all communications within the device mesh network and the gateway. At this point AES-128 can be considered secure against all expected attacks.
  • Individual device session keys to ensure end-to-end message authenticity, data integrity, receipt validation, and secrecy through data encryption. This makes eavesdropping almost impossible.
  • Hop-by-hop CRC (cyclical redundancy check) and MIC (message integrity code) calculations to ensure message authentication and verification as to source and receiver of communications. This blocks man-in-the-middle (backdoor) attacks.
  • Devices must have a join key pre-configured on the device. This can be either a common join key per WFN, or optionally an individual join key per device. This prevents replay (or delay) attacks.
  • White listing with individual join keys gives devices explicit permission to join the network via the gateway/network manager via an ACL entry, which also includes their globally unique HART address.

In general, although an unauthorized person might be able to detect that wireless communication exists on a wireless field network, he would be unable to gain access, eavesdrop, or otherwise disrupt the device-level network.

While the WirelessHART field network is itself secure, the host gateway by which it connects to the host may use a wired connection or a WPN. For a gateway connected to the host via Ethernet (particularly if the gateway is in an unsecured location), the best choice is to install a firewall in a secure location on the plant side of the wire. For a gateway connected via a WPN, there are additional considerations.

Security for WPNs

Fig. 4: Technical measures to protect a WPN include a wireless intrusion prevention system (wIPS), a wireless control system (WCS), and a firewall. Courtesy: Emerson Process ManagementWPNs generally use Wi-Fi (IEEE 802.11-2007) and are more vulnerable to attack than are wireless field networks. There are plenty of warnings and horror stories about Wi-Fi networks being hacked, and in fact it wasn’t long after Wi-Fi first appeared that wardriving—traveling about with a laptop, PDA, or smartphone, often connected to a homemade high gain antenna, in an effort to find unsecured Wi-Fi networks—became popular. There are multiple types of threat vectors by which the ill-intentioned can attack a WPN, including rogue access points, ad-hoc wireless bridges, man-in-the-middle (e.g., evil twin, honey pot app, MAC spoofing, etc.) attacks, denial of service (DoS) attacks, jamming (also considered DoS), reconnaissance, and cracking.

Securing against these threats requires both administrative and technical measures. Administrative measures include managing identities such as assigning and terminating privileges as each employee’s situation changes, authentication, authorization, and accounting. Authentication ensures that a person is who he or she claims to be. It can be done using a shared secret arrangement or the IEEE 802.1x extensible authentication protocol (EAP). Authorization determines what a person is allowed to do, while accounting monitors what each person does and when, while monitoring attempts to perform unauthorized actions.

Technical measures include a wireless intrusion prevention system (wIPS), a wireless control system (WCS), and a firewall (Fig. 4). A wIPS is a system to monitor the wireless network and the RF signals in the open air. Its purpose is to detect suspicious clients or access points.

The WCS is the graphical tool that allows the administrator to configure and manage the entire wireless network easily by allowing network managers to design, control, and monitor enterprise wireless networks from a single location, simplifying operations. It oversees a series of WLAN controllers. This software provides network management including diagnostics and troubleshooting tools to keep the network running smoothly.

A firewall should be installed at each network level to serve as a belt-and-suspenders measure to ensure only traffic meant for each network level is routed through. The table summarizes common plant network threats and strategies to mitigate them.

Table 1: Threats and mitigations

It is not difficult to secure a WPN, yet unsecured installations certainly exist. In a presentation at Emerson’s 2012 Global Users Exchange, Neil Peterson, Emerson’s wireless plant solution marketing manager, suggested the main reasons for unsecured networks are human factors, poorly formulated policy (or none at all), poor configuration, bad assumptions, lack of understanding of the problem, and failure to stay up-to-date. “The latest encryption algorithm,” Peterson points out, “cannot make up for poor business processes.”

Wireless networks, at both field level and plant level, can have multiple benefits. Wireless field networks allow field devices to be installed in places where wired devices could not be economically justified, or in some cases installed at all. Wireless plant networks make it possible to speed up plant restarts, and give field operators the ability to perform actions that previously could be done only in the control room. They also allow for personnel tracking and much more. But to make such a network worthwhile it must be installed with care, and with close attention to security.

Steve Elwart, PE, PhD, is director of systems engineering, Ergon Refining, Inc., and he thanks Neil Peterson for contributions to this article.




Read more about worker mobility below.

For more on wireless security, see “Emerson Wireless Security: WirelessHART and Wi-Fi Security” 

Key concepts:

  • Wireless networks can allow operators to perform control-room functions anywhere in the plant
  • In a plant context, there is usually more than one kind of wireless network to cover all needed functionalities
  • Wireless networks can provide a major cyber attack surface if not deployed with sufficient thought to security

<< First < Previous 1 2 Next > Last >>

Anonymous , 05/05/14 06:44 PM:

Very good. As shows how applicable WiFI can be used in Oil & Gas environments.
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
A cool solution: Collaboration, chemistry leads to foundry coat product development; See the 2015 Product of the Year Finalists
Raising the standard: What's new with NFPA 70E; A global view of manufacturing; Maintenance data; Fit bearings properly
Sister act: Building on their father's legacy, a new generation moves Bales Metal Surface Solutions forward; Meet the 2015 Engineering Leaders Under 40
Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security
Upgrading secondary control systems; Keeping enclosures conditioned; Diagnostics increase equipment uptime; Mechatronics simplifies machine design
Designing positive-energy buildings; Ensuring power quality; Complying with NFPA 110; Minimizing arc flash hazards
Building high availability into industrial computers; Of key metrics and myth busting; The truth about five common VFD myths

Annual Salary Survey

After almost a decade of uncertainty, the confidence of plant floor managers is soaring. Even with a number of challenges and while implementing new technologies, there is a renewed sense of optimism among plant managers about their business and their future.

The respondents to the 2014 Plant Engineering Salary Survey come from throughout the U.S. and serve a variety of industries, but they are uniform in their optimism about manufacturing. This year’s survey found 79% consider manufacturing a secure career. That’s up from 75% in 2013 and significantly higher than the 63% figure when Plant Engineering first started asking that question a decade ago.

Read more: 2014 Salary Survey: Confidence rises amid the challenges

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.