Securing industrial wireless networks

The information age’s arrival in manufacturing is significant not only for what data you can access in your manufacturing operations but also how you can access it.

By Divya Venkataraman October 25, 2015

Wireless technology provides freedom to figuratively cut the cord and imagine operations in transformative ways.

It could involve using mobile devices to monitor operations from anywhere in the plant or to connect maintenance technicians to remote experts. It could involve wireless, Internet Protocol (IP)-enabled cameras that monitor operations from hard-to-reach areas. It also could involve connecting to wireless connected devices in the ever-growing Internet of Things (IoT) to collect quality, safety, and other data from your manufacturing processes.

Beyond these advantages, wireless technology also can offer savings in the form of lower installation costs, due to reduced hardware and cabling and decreased maintenance demands.

Wireless is not new to manufacturing and industrial environments. It’s been used for years in applications such as point-to-point data transfer and supervisory control and data acquisition (SCADA). However, as wireless is used increasingly for critical applications and real-time control, demands on the technology are changing as well.

As more manufacturers build a connected enterprise and converge their industrial and enterprise systems into an Ethernet-based network architecture, they need reliable wireless communications with low levels of latency and jitter to achieve uninterrupted control and data access. More than that, they need to confirm their wireless communications are secure.

Given the unique risks that wireless communications face, such as the interception and monitoring of data, wireless frame spoofing, and denial-of-service attacks, security is essential. This includes using device authentication and data encryption methods that align with IEEE 802.11, which is becoming the standard for deploying reliable and secure wireless networks for industrial automation and control system (IACS) applications.

When implementing an industrial wireless network, keep in mind some of the following design and security considerations from the guide, "Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture," developed by Cisco and Rockwell Automation.

Autonomous vs. unified

First, it’s important to consider the two different wireless local area network (WLAN) architecture types used in IACS settings, as the security considerations are different for each.

An autonomous architecture type uses standalone wireless access points to implement all WLAN functions. Each autonomous access point is individually configured and managed.

An autonomous architecture is typically used only for small-scale deployments or standalone wireless applications. It has a lower initial hardware cost, simplified design and deployment, and offers more granular control of quality of service to help prioritize IACS application traffic on the network.

A unified architecture (UA) is used for large-scale, plantwide deployments that require a wide range of clients and applications. It offers foundational services, including intrusion prevention and wireless guest access, and provides the foundation for enabling plantwide mobility.

A unified architecture solution splits functionality between light-weight access points (LWAP) and wireless LAN controllers (WLC). It has "zero touch" deployment and replacement of access points, requires less effort for updating configuration and firmware, and provides centralized control and visibility.

Security considerations

The Wi-Fi Protected Access 2 (WPA2) security standard with Advanced Encryption Standard (AES)-level encryption is the only security mechanism recommended for industrial WLAN applications. WPA2 offers the most advanced security available today for WLANs in industrial settings, while AES encryption is implemented at the hardware level and, therefore, does not affect an application’s performance.

In an autonomous architecture, WPA2 can support pre-shared key authentication and 802.1X/Extensible Authentication Protocol (EAP) authentication. Factors such as security policy, infrastructure support, and ease of deployment can help determine which of these two authentication methods is most appropriate for an autonomous WLAN. There is also an option to use multiple authentication methods in a single autonomous architecture, such as to support different client types.

Pre-shared key authentication uses a common password that is shared across all devices in the architecture. Keep in mind that this method cannot restrict access only to specific clients: anyone with the password can authenticate to the WLAN.

As a result, pre-shared key authentication is best suited for small-scale WLANs, wherein clients are tightly controlled. This could include an application containing a fixed number of wireless machines using work group bridges (WGB).

802.1X/EAP authentication uses an Extensible Authentication Protocol (EAP) framework to provide access to a WLAN. Based on the 802.1X IEEE standard for port-based access control, this authentication method offers strong security through access control that is based on individual user credentials and can be used when pre-shared key authentication cannot satisfy your security requirements.

Configuration recommendations for this approach include using the EAP-FAST protocol to authenticate WGBs to the autonomous WLAN. The dedicated access point should be configured as a Remote Authentication Dial-In User Service (RADIUS) server to store the WGB credentials, but it should not accept any wireless clients.

MAC address authentication is a third method for authentication but is not secure when used alone because MAC addresses can be detected and spoofed. Rather than using this as your lone security approach, use it to supplement pre-shared key or 802.1X/EAP authentication as an additional safeguard against incidental connections in critical control applications.

A unified WLAN architecture requires certificates and other EAP protocols for authentication beyond what 802.1X/EAP authentication can provide. Additionally, pre-shared key authentication will not suffice in a unified architecture because it cannot provide the fast-roaming security that a unified architecture requires.

Unified architectures should use EAP-transport layer security (TLS) authentication for plantwide WLAN security. This method requires a RADIUS server located in the industrial zone level 3, while local EAP certificates must be supported on the controller.

Additionally, non-roaming applications may not require EAP-TLS authentication, but using it for fast-roaming and non-roaming applications will help simplify deployment and reduce confusion regarding which security method is used for different devices.
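The recommendations in this section can be turned into an automated check over a WLAN inventory. The following Python sketch is an added example, not code from the Cisco and Rockwell Automation guide; the `Wlan` fields, the authentication labels, and the sample inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Wlan:
    """One WLAN profile; field names are hypothetical, not a vendor schema."""
    name: str
    architecture: str                 # "autonomous" or "unified"
    security: str                     # "WPA2", "WPA", "WEP", "open"
    cipher: str                       # "AES", "TKIP", "none"
    auth: frozenset                   # subset of {"PSK", "EAP-FAST", "EAP-TLS", "MAC"}
    tightly_controlled: bool = False  # small, fixed client set such as WGBs

CREDENTIAL_AUTH = {"PSK", "EAP-FAST", "EAP-TLS"}

def audit(w: Wlan) -> list:
    """Return the recommendations from this section that the profile violates."""
    findings = []
    if (w.security, w.cipher) != ("WPA2", "AES"):
        findings.append("encryption: use WPA2 with AES")
    if not w.auth & CREDENTIAL_AUTH:
        if "MAC" in w.auth:
            findings.append("auth: MAC filtering alone is spoofable; pair it with PSK or 802.1X/EAP")
        else:
            findings.append("auth: no authentication method configured")
    if w.architecture == "unified":
        if "PSK" in w.auth:
            findings.append("auth: PSK cannot provide fast-roaming security in a unified WLAN")
        if "EAP-TLS" not in w.auth:
            findings.append("auth: unified WLANs should use EAP-TLS")
    elif "PSK" in w.auth and not w.tightly_controlled:
        findings.append("auth: PSK admits anyone holding the password; use 802.1X/EAP")
    return findings

# Constructed sample inventory (not taken from any real plant).
INVENTORY = [
    Wlan("cell-7-wgb", "autonomous", "WPA2", "AES", frozenset({"PSK", "MAC"}), True),
    Wlan("line-3-hmi", "autonomous", "WPA", "TKIP", frozenset({"PSK"})),
    Wlan("legacy-scan", "autonomous", "open", "none", frozenset({"MAC"})),
    Wlan("plantwide", "unified", "WPA2", "AES", frozenset({"PSK"})),
    Wlan("plantwide-tls", "unified", "WPA2", "AES", frozenset({"EAP-TLS"})),
]

def report(inventory):
    """Map each WLAN name to its list of findings (empty list means compliant)."""
    return {w.name: audit(w) for w in inventory}

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```
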

Other considerations

The hardware selected for WLAN architecture should support a goal of achieving secure and reliable wireless communications. This includes using wireless access point (WAP) and WGB hardware that conform to widely adopted IEEE 802.11 a/b/g/n standards and provide 2.4-GHz and 5-GHz spectrum availability to meet your range of operational needs.

Newer hardware that can function as either an access point in an autonomous architecture or as a WGB in autonomous and unified architectures enables secure and reliable wireless network deployment using just one device. As an access point, these devices can serve as a router to securely bring wireless clients into a wired network. As a WGB, they can securely connect up to 19 wired IP address clients to a wireless network.

In a unified architecture, also verify that the WLC offers full Control and Provisioning of Wireless Access Points (CAPWAP) access-point-to-controller encryption. It should also provide support for detecting rogue access points and denial-of-service attacks.

Lastly, network segmentation can create separation between control and enterprise networks. This allows for the use of different security practices in each network and can help confirm that workers in production areas are only able to access production-related data, while data from enterprise-related applications remains isolated.

Following these standards-aligned security best practices will assist in harnessing the power of wireless technology and IoT while protecting operations and intellectual property against wireless-based threats.

– Divya Venkataraman is a product manager at Rockwell Automation. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, eeissler@cfemedia.com

Key concepts

  • MAC address authentication is a third method for authentication but is not secure when used alone because MAC addresses can be detected and spoofed.
  • Newer hardware can function as either an access point in an autonomous architecture or as a WGB in autonomous and unified architectures.
