1 April 2007
Oil and gas processor goes wireless on the LAN
Proper data protection is a mandatory requirement to ensure PAN communications' security and safety
By Mohammed Al-Saeed, Soliman Al-Walaie, and Majed Al-Subaie
Oil and gas industry systems and networks may include, but are not limited to, process automation networks (PAN), distributed control systems, remote terminal units, programmable logic controllers, and Supervisory Control and Data Acquisition systems.
Industrial wireless technology can apply to several process automation applications including:
Oil/gas well heads automation
Cathodic protection monitoring and control
Vibration monitoring system
Power monitoring system
Remote surveillance and alerting solutions
Micro-seismic sensing application
Industrial wireless solutions must ensure security, interoperability, coexistence, reliable and scalable communication, and quality of service.
While security remains the major concern in the use of an industrial WLAN, the WLAN should be robust, follow a well-defined standard, and meet industrial safety and security regulations, including premises protection and detection of rogue nodes such as unauthorized access points (APs).
An attractive solution
Industrial wireless technologies standards include 802.11a, b, and g (WiFi), and 802.15.4-based wireless mesh networking, ZigBee, WiMAX, and cellular networks.
Industrial WLAN (Wi-Fi) is one of the current standardized industrial wireless solutions; three WLAN standards (802.11a, b, and g) dominate the market. Wi-Fi is an open standard, and we can think of it as "wireless Ethernet": its medium access mechanism, CSMA/CA (carrier sense multiple access with collision avoidance), is a variant of the CSMA/CD scheme used by the original Ethernet.
Many remote facilities, processes, and field operations may utilize industrial WLAN connectivity to access a PAN, which can result in improving productivity, less downtime, faster, more accurate data analysis, and reduced capital and operating expenditures.
Industrial WLAN is the most widely deployed wireless technology in industrial environments, and its use is likely to spread further. Due to its flexibility, fast deployment, cost reduction, and simplicity, WLAN technology is an attractive solution to industry.
Another security threat
Securing and protecting industrial systems and process control networks is very critical in today's world.
First of all, these systems are mission-critical and should be up and running round-the-clock.
Moreover, PAN technologies are changing rapidly and moving to open standards for protocols and operating systems, such as Ethernet (TCP/IP) and the Microsoft Windows platform, so the vulnerabilities of those platforms now reach the plant floor.
In addition, recent studies report a significant increase in virus attacks and hacking incidents over the Internet, which are additional threats to industrial and control systems that require an Internet connection.
Therefore, it is important to secure PANs to keep them functioning at all times.
A WLAN faces several threats to data integrity and to protection of the network against intrusion and denial of service. A WLAN transmits data as radio signals, which exposes it to unauthorized access.
In other words, anyone with suitable wireless equipment located within the coverage range can receive the traffic and attempt to connect.
Further threats include misconfigured access points, ad hoc wireless networks, rogue access points, honeypot APs that impersonate a legitimate SSID, AP media access control (MAC) address spoofing, and forced client disassociation (802.11 deauthentication and disassociation frames are unauthenticated and can be forged to knock clients off an AP, often as the first step of an attack).
Industrial wireless networks are therefore subject to unauthorized client access, denial of service, man-in-the-middle attacks, IP spoofing, and session hijacking.
Another threat, to availability rather than confidentiality, is interference from overlapping wireless networks' broadcast ranges. Environmental or accidental radio frequency (RF) noise and dynamic changes in the RF site characteristics can interfere with the industrial WLAN and degrade its performance.
Due to these security threats, the need for protecting process control systems is a mandatory requirement.
Securing industrial WLAN
The three key wireless security factors are:
Authentication: Before any data traffic is exchanged over the WLAN, the network node (client) must establish its identity and, depending on the authentication method, submit its credentials for validation.
Encryption: The network node encrypts data before sending, to ensure data confidentiality.
Data integrity: Preventing any accidental or intentional but unauthorized insertion or modification of data during the transmission.
Robust authentication and access control mechanisms are essential to an industrial WLAN. Wireless intrusion detection and prevention systems are specific to WLAN technology: they monitor the radio environment and can scan for and detect rogue APs and ad hoc networks. IEEE 802.11 defines two link-layer authentication algorithms, "open system authentication" and "shared key authentication."
Open system authentication provides no verification of the client. The AP accepts any station that asks to authenticate, and the only identifier it sees is the wireless adapter's MAC address, which the client can set to any value. It is the default algorithm, used when no link-layer authentication is required or when authentication is handled above it (WPA and 802.11i use open system authentication and then run 802.1X and the key handshake).
Shared key authentication verifies that the station initiating authentication knows a shared secret, the WEP key. The IEEE 802.11 standard assumes the secret reaches the participating wireless clients through a secure channel independent of IEEE 802.11.
In practice, this secret is a sequence of characters typed during the configuration of the wireless AP and of each wireless client. Shared key authentication is, however, weaker than open system authentication, not stronger: the AP sends a plaintext challenge and the client returns it WEP-encrypted, so anyone listening obtains plaintext and ciphertext for one IV, which is the RC4 keystream for that IV, and can later answer a challenge without knowing the key. It should be disabled on industrial APs.
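The shared key exchange described above, as an added example that is not part of the original article or of any vendor's implementation: a Python model of WEP shared key authentication (RC4 keyed with IV||key, 24-bit IV, CRC-32 integrity check value, 128-byte challenge, all taken from the public 802.11-1999 description) showing that a passive listener who captures one challenge/response pair recovers the keystream for that IV and can answer a later challenge without the key. The 13-byte key, the IV, and the challenges are constructed test values.

```python
"""Added example: WEP shared key authentication leaks its keystream.

Illustrative code written for this article (not the authors' or any product's).
RC4 and WEP framing follow the public 802.11-1999 description; key, IV and
challenges below are constructed test values.
"""
import os
import zlib
from typing import Optional, Tuple

CHALLENGE_LEN = 128          # 802.11 shared key challenge text length
TEST_KEY = bytes.fromhex("0102030405060708090a0b0c0d")   # constructed 104-bit WEP key
TEST_IV = b"\x01\x02\x03"   # constructed 24-bit IV chosen by the client


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext if the ICV checks out, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side of shared key authentication: the response must decrypt to the challenge."""
    return wep_decrypt(key, response) == challenge


def legitimate_client(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Client side: return the challenge WEP-encrypted under the shared key."""
    return wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, response: bytes) -> Tuple[bytes, bytes]:
    """Attacker: the challenge went over the air in clear, so plaintext XOR ciphertext
    gives the RC4 keystream for this IV (challenge plus its ICV, 132 bytes)."""
    iv, ct = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the captured IV and keystream."""
    body = challenge + icv(challenge)
    return iv + xor(body, keystream)


def demo(key: bytes = TEST_KEY) -> Tuple[bool, bool, bool]:
    """Returns (legit auth accepted, forged auth accepted, recovered keystream is exact)."""
    # Session 1: a real client authenticates while the attacker listens.
    c1 = os.urandom(CHALLENGE_LEN)
    r1 = legitimate_client(key, TEST_IV, c1)
    legit_ok = ap_verify(key, c1, r1)
    iv, ks = recover_keystream(c1, r1)
    ks_exact = ks == rc4(iv + key, CHALLENGE_LEN + 4)
    # Session 2: the attacker, who never learned `key`, authenticates.
    c2 = os.urandom(CHALLENGE_LEN)
    forged_ok = ap_verify(key, c2, forge_response(iv, ks, c2))
    return legit_ok, forged_ok, ks_exact


if __name__ == "__main__":
    print(demo())
```

The forged response is accepted because the AP only checks that the response decrypts to the challenge under the IV the client supplied, and WEP lets the sender choose the IV; the listener therefore gets both an authentication bypass and 132 bytes of keystream to inject data frames with.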
Validation via physicals
The IEEE 802.1X standard defines port-based network access control, used to provide authenticated network access on Ethernet networks.
This type of access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port.
If authentication fails, nothing but the authentication exchange itself passes through the port. Although the standard was written for wired Ethernet, it has been adapted for 802.11 wireless LANs, where the "port" is the logical association between the client and the AP.
Because of the vulnerabilities in WEP (Wired Equivalent Privacy), the security mechanism of the original 802.11 standard, IEEE 802.11i was created and approved as the wireless security solution; it replaces WEP with encryption based on the Advanced Encryption Standard (AES).
The Wi-Fi Alliance certifies 802.11i devices under the name Wi-Fi Protected Access 2 (WPA2).
The oldest forms of "security" are the Service Set Identifier (SSID) and the 802.11 authentication process. The SSID is a network name that the client and the AP share; a client that does not present the proper SSID cannot join the network.
The SSID is not a secret, however: it travels in clear text in probe and association frames even when the AP does not broadcast it, so hiding it keeps out only casual neighbours, not attackers.
The IEEE 802.1X standard provides the authentication framework that secures 802.11 WLANs.
802.1X supports several authentication methods carried over the Extensible Authentication Protocol (EAP), such as EAP-LEAP (EAP-Lightweight Extensible Authentication Protocol, Cisco proprietary), EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), EAP-TLS (EAP-Transport Layer Security), and EAP-PEAP (EAP-Protected Extensible Authentication Protocol). LEAP is vulnerable to an offline dictionary attack on the user's password and should not be deployed; for a PAN, EAP-TLS with client certificates, or PEAP or EAP-FAST with the server certificate validated by the client, are the appropriate choices.
The 802.1X standard uses a RADIUS server as the authentication server. The AP is the authenticator: it relays EAP messages between the client (the supplicant) and the RADIUS server, and opens its port to data traffic only after the server returns an Access-Accept.
The IEEE 802.11 WEP standard provides data encryption using the RC4 stream cipher. Its weaknesses come from the way WEP uses RC4 (a 24-bit IV prepended to a static key, so keystreams repeat and the key itself can be recovered from enough captured traffic) and from its CRC-32 integrity check, which is not a keyed function and can be adjusted by an attacker.
The Wi-Fi Protected Access (WPA) standard provides authentication and encryption for WLANs and improves on WEP while running on existing hardware with firmware or software updates.
IEEE developed the 802.11i standard; the Wi-Fi Alliance certifies it as "WPA Version 2" (WPA2). It provides 802.1X for authentication, AES for encryption and integrity, and key management.
The security mechanisms available for wireless networks are open authentication without WEP, Cisco WEP extensions (CKIP + CMIC), WPA, and WPA2:
WEP: RC4 encryption with a CRC-32 integrity check; static pre-shared key authentication.
WPA: TKIP (RC4 with per-packet key mixing and the Michael message integrity code); 802.1X or pre-shared key authentication.
WPA2 (802.11i): CCMP (AES in CCM mode) for encryption and integrity; 802.1X or pre-shared key authentication.
Security solutions must embrace these:
Integration with existing security systems
Require low administrative maintenance
Transparent to end-users
Must not affect network performance
To secure an industrial wireless network, an RF survey should be performed, and the APs should be set up and configured with authentication and encryption mechanisms.
The RF survey helps in recognizing the facility area that needs coverage by the wireless network, AP numbers and locations, and antenna types and strengths.
Industrial wireless security nodes such as the APs should also prevent unauthorized access to industrial systems and networks and encrypt the transmitted data to prevent eavesdropping.
For that, they should support the 802.11 and 802.1X standards, encrypt data with dynamic or rotating keys, filter and block MAC addresses, and disable SSID broadcasting. MAC filtering and a hidden SSID are defence in depth only: MAC addresses travel in the clear and can be spoofed, and the SSID is visible in association frames, so neither replaces 802.1X authentication and encryption.
A firewall should separate the PAN from the wireless network. Authentication can use a Microsoft Windows Domain Controller (DC) running Internet Authentication Service (IAS), Microsoft's RADIUS server, which supports 802.1X authentication of wireless devices; the DC supplements the firewall as an additional protection layer. The firewall should permit only the RADIUS traffic between the APs and the DC, plus the specific traffic that authenticated wireless nodes need into the PAN, and deny everything else.
To secure the APs: use a unique SSID, disable SSID broadcast, and use 802.1X with EAP authentication. In addition, enable MAC filtering and list the MAC addresses of all authorized wireless nodes.
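The AP hardening steps above, and the WEP/WPA/WPA2 comparison earlier in this section, as an added example that is not from the original article, from hostapd, or from any vendor tool: a Python checker that reads an access point configuration in the key=value syntax hostapd.conf uses and reports every departure from the checklist (no WEP, no shared key authentication, WPA2 only with CCMP, 802.1X against a RADIUS server, group key rotation, non-default hidden SSID, MAC allow-list). Both sample configurations are constructed for this example, one deliberately weak and one hardened; the WEP key, addresses, file names and the RADIUS secret placeholder are not real values.

```python
"""Added example: audit an AP configuration against the article's hardening list.

Written for this article; not part of hostapd or any product. Parses the
key=value syntax of hostapd.conf. Both configurations below are constructed.
"""
from typing import Dict, List

WEAK_CONF = """\
# constructed sample: legacy AP configuration (WEP, shared key, default SSID)
interface=wlan0
ssid=default
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=0102030405060708090a0b0c0d
"""

HARDENED_CONF = """\
# constructed sample: WPA2-Enterprise, AP acting as 802.1X authenticator
interface=wlan0
ssid=pan-field-north
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/pan-nodes.accept
auth_algs=1
ieee8021x=1
auth_server_addr=10.20.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
wpa_group_rekey=600
eap_reauth_period=3600
"""

# constructed list of factory SSIDs that indicate an unconfigured AP
DEFAULT_SSIDS = {"default", "linksys", "wireless", "cisco", "dlink", "netgear"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment, the last value for a key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per checklist item the configuration fails (empty = passes)."""
    findings: List[str] = []
    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: RC4/CRC-32 WEP gives no real confidentiality or integrity")
    if int(conf.get("auth_algs", "1")) & 2:          # bit 1 = shared key authentication
        findings.append("shared key authentication enabled: the challenge/response leaks keystream")
    wpa = int(conf.get("wpa", "0"))                   # bit 0 = WPA (TKIP era), bit 1 = RSN/WPA2
    if not wpa & 2:
        findings.append("WPA2 (RSN) not enabled: set wpa=2")
    if wpa & 1:
        findings.append("WPA1 enabled alongside WPA2: TKIP fallback possible")
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if wpa and ciphers != {"CCMP"}:
        findings.append(f"pairwise cipher must be CCMP only, found {sorted(ciphers) or 'none'}")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt does not use 802.1X (WPA-EAP)")
    if conf.get("ieee8021x") != "1" or "auth_server_addr" not in conf:
        findings.append("802.1X authenticator not pointed at a RADIUS server")
    if "wpa_group_rekey" not in conf:
        findings.append("no group key rotation interval (wpa_group_rekey)")
    if "ssid" not in conf or conf["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default or missing SSID")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled")
    if conf.get("macaddr_acl") != "1" or "accept_mac_file" not in conf:
        findings.append("no MAC address allow-list (defence in depth only; MACs are spoofable)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(text)) or ['OK']}")
```

The check for `wpa_key_mgmt` deliberately rejects `WPA-PSK`: a pre-shared key is one secret shared by every field device, so one lost device means re-keying the whole site, whereas 802.1X lets the RADIUS server revoke a single node.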
Encryption and data integrity
Confidentiality and integrity of data transmitted over the air are obtained by applying encryption and integrity-protection techniques.
There are two main encryption mechanisms for a wireless LAN solution:
RC4 (Rivest Cipher 4), the stream cipher used in WEP and, wrapped with per-packet key mixing and a message integrity code, in the Temporal Key Integrity Protocol (TKIP); the 802.1X "dynamic WEP" schemes rotated WEP keys per session but kept WEP's weaknesses. Because of its encryption weakness, WEP did not provide the level of security necessary for corporate and critical process automation applications.
AES, used by CCMP in 802.11i, which is a robust replacement for TKIP and its RC4 encryption. CCMP runs AES in CCM mode: counter mode for confidentiality and a CBC-MAC for integrity, so the same key provides both encryption and a cryptographic integrity check (a keyed MAC, not a hash).
Modern industrial wireless security has matured by combining data confidentiality and integrity, authentication and access control, and intrusion detection and protection mechanisms.
The original 802.11 standard defined two types of authentication (open system and shared key) and WEP, which was intended to provide encryption and data integrity. These original 802.11 security methods proved too weak for PAN networks.
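Why WEP's integrity protection fails where a keyed MAC does not, as an added example that is not part of the original article or of any product: Python code showing that WEP's CRC-32 integrity check value is affine, so an attacker who never sees the key can flip chosen bits in an encrypted frame and repair the ICV, while the same bit flip against a keyed MAC is detected. The keystream is modelled as random bytes (the stream cipher is irrelevant to this attack; WEP's is RC4), HMAC-SHA256 stands in for the keyed MAC (CCMP's CBC-MAC has the same property), and the Modbus-style "write single register" payload is constructed.

```python
"""Added example: CRC-32 is not an integrity check; a keyed MAC is.

Illustrative code for this article, not the authors' or any product's.
Keystream = random bytes (stand-in for RC4); HMAC-SHA256 = stand-in for a keyed
MAC such as CCMP's CBC-MAC; the register-write payload is constructed.
"""
import hashlib
import hmac
import secrets
import zlib
from typing import Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output length


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian as on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_protect(keystream: bytes, payload: bytes) -> bytes:
    """Ciphertext = (payload || CRC32(payload)) XOR keystream."""
    return xor(payload + icv(payload), keystream)


def wep_unprotect(keystream: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver: return the payload if the ICV matches, else None."""
    body = xor(frame, keystream)
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None


def wep_flip(frame: bytes, delta: bytes) -> bytes:
    """Attacker without the key changes the plaintext by `delta` (same length as the
    payload) and repairs the ICV. CRC-32 is affine over GF(2):
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros_of_same_length)
    so the ICV correction depends only on d, never on p or on the keystream."""
    correction = xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, delta + correction)


def mac_protect(key: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Same stream encryption, but the tag is a keyed MAC over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return xor(payload + tag, keystream)


def mac_unprotect(key: bytes, keystream: bytes, frame: bytes) -> Optional[bytes]:
    body = xor(frame, keystream)
    pt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, pt, hashlib.sha256).digest()
    return pt if hmac.compare_digest(expected, tag) else None


# Constructed payload: function code 0x06 (write single register), register 0x0010, value 100.
PAYLOAD = bytes.fromhex("06 0010 0064")
# Attacker's target: the same write with value 1000 (0x03E8). delta = old XOR new.
TARGET = bytes.fromhex("06 0010 03e8")
DELTA = xor(PAYLOAD, TARGET)


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Returns (what a WEP receiver accepts after the flip, what a MAC receiver accepts)."""
    keystream = secrets.token_bytes(len(PAYLOAD) + TAG_LEN)   # stand-in for RC4 output
    mac_key = secrets.token_bytes(32)

    wep_frame = wep_protect(keystream, PAYLOAD)
    wep_result = wep_unprotect(keystream, wep_flip(wep_frame, DELTA))

    mac_frame = mac_protect(mac_key, keystream, PAYLOAD)
    # Same bit flip; the attacker cannot recompute the tag without mac_key.
    mac_result = mac_unprotect(mac_key, keystream, xor(mac_frame, DELTA + bytes(TAG_LEN)))
    return wep_result, mac_result


if __name__ == "__main__":
    print(demo())
```

The WEP receiver accepts the altered write (setpoint 100 became 1000) with a valid ICV; the keyed-MAC receiver rejects it. That is the difference between the "data integrity" WEP claimed and the integrity 802.11i's CCMP actually provides.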
The 802.1X standard was adapted for 802.11 wireless networks to provide much stronger authentication and automated encryption key management.
It is best to use products with WPA2 certification, which covers the security features of the IEEE 802.11i standard.
That includes mandatory use of AES (CCMP) for encryption and data integrity.
Using WPA or WPA2 mitigates the common attacks against wireless PAN networks; WPA2 is the target, and WPA (TKIP) is a transitional option only for hardware that cannot run CCMP.
ABOUT THE AUTHORS
Mohammed Al-Saeed (email@example.com) is a member of ISA and IEEE. He has degrees in computer science and business. He works for the Saudi Aramco Company as an industrial computer engineer. Soliman Al-Walaie is an ISA and IEEE member. He is a communications engineer at Saudi Aramco and has degrees in electrical engineering and telecommunications. Majed Al-Subaie is a computer engineer at Saudi Aramco and has degrees in computer engineering and information technology.
AP, or access point, is a hardware device or software used in conjunction with a computer that serves as a communications hub for wireless clients and provides a connection to a wired LAN. An AP can double the range of wireless clients and provide enhanced security.
Honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. It consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.
Spoofing: Impersonating another person or computer, usually by providing a false e-mail name, URL, or IP address.
DSSS: Direct Sequence Spread Spectrum
FHSS: Frequency Hopping Spread Spectrum
Man in the middle: In cryptography, a man in the middle attack is when an attacker is able to read, insert, and modify at will messages between two parties without either party knowing.
Advanced Encryption Standard (AES) is a symmetric 128-bit block cipher that the U.S. Government adopted as its data encryption standard, replacing DES. The National Institute of Standards and Technology of the U.S. Department of Commerce selected the Rijndael algorithm (pronounced "Rhine Dahl" or "Rain Doll"). The algorithm works with key sizes of 128, 192, or 256 bits, depending on the application's security requirement.