1 August 2005
Don't make a hacker's job easy.
By Frank Williams
There's an old saying that locks were meant to keep honest people honest. So if someone is determined to intrude into your operation, they will find a way. But you shouldn't make it easy. Security is a vital part of using wireless technology properly, and as the benefits of wireless become more obvious you will need to pay greater attention to it. As security technology progresses, hackers and other malicious actors will keep evolving their methods in an attempt to crack the code.
Although wireless technology isn't new to industrial applications, it still carries a certain mystique. Industrial engineers seem more comfortable with the perceived security and reliability of a wired approach, but some are seeing the benefit in wireless. Look at Ethernet, a technology blooming in ubiquity because of its commercial communication applications and forcing the industrial community to take notice. Wired Ethernet's simplicity lets industry deploy the technology more easily and cheaply, and newly developed standards allow quicker adoption, spurring more uses and further lowering cost.
Easy-to-install wireless access points connect wired and wireless devices, giving industrial engineers a new paradigm: access to operational data when and where they need it, with quick install times and under more mobile conditions. Adding HMI visibility anywhere along the operation no longer requires hard wiring, electrician involvement, or system downtime.
Currently, the most common wireless LAN technology is the 802.11 family of standards. But the original 802.11 specification gave little thought to security, to interoperable standards for it, or to network management.
Early on in consumer use of wireless Ethernet, the average deployment was one access point and two to four computers. Nobody thought anyone would be interested in getting unauthorized access to their data. As wireless access points became more pervasive, would-be intruders recognized the inherent weakness of wired equivalent privacy (WEP) encryption in 802.11 installations. And this concern leads to one question for industrial use: How secure is a wireless link compared with running wire? [See accompanying article on WEP.]
What protection do you need?
In industrial applications, you need to understand how the system will protect data about the factory or plant operation while that data is in transit. Imagine if competitors could more easily access your plant data. They could model your plant, determine your cost of product, understand unused capacity, recognize the state of your equipment, and potentially predict some of your future maintenance needs. Therefore, engineers thinking of applying wireless solutions should understand:
- How to protect their system against hackers, competitors, and other perpetrators.
- How to protect their application from malicious damage (disgruntled employees).
- How to keep jamming and injected, unwanted messages out of their process.
Determining how secure is secure enough, and which wireless products best protect against unauthorized access to system operation, can be daunting. Why? No wireless solution fits all applications; application requirements tend to determine which wireless technology to apply. Security for a dairy farm or a small manufacturing firm might require only a minimum level, while mission-critical information on a process inside Procter & Gamble demands the highest security available to prevent competitive espionage. However, both applications can benefit from the secure use of wireless technology.
Wireless solutions suppliers sometimes rely on spread spectrum as the only protection. The military developed spread-spectrum radio to resist interception and jamming; in its frequency-hopping form, the data continually hops across a wide range of frequencies in a pseudo-random sequence. To listen in, an intruder must know the hopping sequence. This is a good start, but in a commercial product the sequence is fixed by the design, so the intruder only has to use the same model of wireless product as the one being attacked, which isn't a big hurdle.
Divide wireless security into authentication and encryption. Authentication, similar to a password check, verifies identities: it proves the identity of a wireless client to an access point and vice versa by exchanging challenges and responses based on keys or other pre-programmed information known only to the client device and its host. Encryption scrambles the data running over the network with a key (128-bit keys are typical in wireless devices) so that it cannot be read without that key; key management, the generation, distribution, and rotation of those keys, determines how much the encryption is actually worth. Together these measures prevent unauthorized data sniffing.
WLAN products see use in short-distance wireless data communications, usually in a factory or small plant where normal physical security precautions are in effect. These devices operate in the 2.4GHz band. Early 2.4GHz 802.11 products relied on filtering by the client's MAC (medium access control) address for access control and on WEP for encryption. However, obvious weaknesses in the WEP encryption scheme, and, some say, the public availability of its design, made this approach an easy target for would-be hackers.
The IEEE task group worked to correct these flaws and amended the standard; the amendment was ratified in June 2004. The new standard, 802.11i, builds on the U.S. government's official cipher, the Rijndael advanced encryption standard (AES), and adds stronger encryption, authentication, and key management that go a long way toward assuring data and system security. Industry is deploying more WLAN devices using this newer security approach with a higher degree of confidence.
Here's a cautionary word on 128-bit encryption. Most encryption in familiar Internet applications uses 128-bit keys, but the Internet does not use one encryption technique, and the term 128-bit refers only to the length of the key. Every encryption technique uses a key to encrypt and decrypt the data, and the prevalence of 128-bit keys has led some to believe that a 128-bit key makes encryption effective. It does not: some techniques that use a 128-bit key are weak. Key size is not a measure of effectiveness. The ultimate measure is how difficult it is to break the encryption method as a whole.
Many practical attacks on an encryption method require the intruder to collect and process a large volume of encrypted samples (the well-known attacks on WEP, for instance, need large numbers of captured frames). Therefore, the less predictable and less frequent the data transmission, the harder the collection becomes. With wireless devices that use an exception-reporting protocol, the time to collect the necessary number of samples can be 1,000 times longer than on media that transmit continuously, such as the Internet, conventional wired data buses, and most wireless links. The longer it takes, the less likely the intruder will invest the necessary time. Bear in mind that this only raises the cost of passive collection; it does nothing against an attacker who guesses a weak key or who injects traffic to provoke responses.
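The split between authentication, key management and encryption described above, as an added example that is not code from the article's author or from ELPRO. It is a constructed pre-shared-key (PSK) handshake, not the 802.11i exchange: the PSK value, the role tags, the nonce sizes and the session-key derivation are all assumptions chosen for illustration, and only the Python standard library is used.

```python
"""
Toy PSK handshake separating the three jobs named in the text:
authentication (mutual challenge-response), key management (a fresh
per-session key derived from the PSK) and, by implication, encryption
(which would use the derived key, never the PSK itself).
Constructed illustration; not a real 802.11 handshake.
"""
import hashlib
import hmac
import os

# Constructed 128-bit pre-shared secret, provisioned on both the client and
# the access point out of band (the "pre-programmed information" in the text).
PSK = bytes.fromhex("00112233445566778899aabbccddeeff")


def prove(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with an HMAC over a role tag and the challenge.
    The role tag stops a client's answer being reflected back as the AP's."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


def verify(key: bytes, role: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check of a challenge response."""
    return hmac.compare_digest(prove(key, role, challenge), response)


def session_key(key: bytes, client_nonce: bytes, ap_nonce: bytes) -> bytes:
    """Key management: derive a fresh per-session key from the PSK and both
    nonces, so the long-term PSK never encrypts traffic directly."""
    return hmac.new(key, b"session" + client_nonce + ap_nonce, hashlib.sha256).digest()


def handshake(client_psk: bytes, ap_psk: bytes, rng=os.urandom):
    """Mutual challenge-response. Returns (ok, client_key, ap_key).

    Exchange modelled:
      client -> AP : client_nonce
      AP -> client : ap_nonce, HMAC(psk, "AP" || client_nonce)
      client -> AP : HMAC(psk, "STA" || ap_nonce)
    Each side derives the session key only after the peer has proven
    knowledge of the PSK.
    """
    client_nonce = rng(16)
    ap_nonce = rng(16)

    ap_proof = prove(ap_psk, b"AP", client_nonce)
    if not verify(client_psk, b"AP", client_nonce, ap_proof):
        return False, None, None            # client rejects a rogue access point

    client_proof = prove(client_psk, b"STA", ap_nonce)
    if not verify(ap_psk, b"STA", ap_nonce, client_proof):
        return False, None, None            # AP rejects a client without the PSK

    return (True,
            session_key(client_psk, client_nonce, ap_nonce),
            session_key(ap_psk, client_nonce, ap_nonce))


def replay_is_rejected(key: bytes = PSK) -> bool:
    """A proof captured for one challenge is useless against a fresh one."""
    old_challenge, new_challenge = os.urandom(16), os.urandom(16)
    captured = prove(key, b"AP", old_challenge)
    return not verify(key, b"AP", new_challenge, captured)


if __name__ == "__main__":
    ok, k_client, k_ap = handshake(PSK, PSK)
    print("handshake ok:", ok, "keys match:", k_client == k_ap)
    print("rogue AP rejected:", not handshake(PSK, bytes(16))[0])
    print("replay rejected:", replay_is_rejected())
```

The design point is that the access point must prove itself to the client as well as the other way round; a scheme that only authenticates the client lets a rogue access point harvest credentials, and a scheme that encrypts with the shared secret directly gives every captured frame the same key.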
Experienced providers of wireless products know security becomes even more of an issue for longer-range wireless data transmission. Standards are important, and historically they work, but industrial providers of wireless solutions are also finding strength in proprietary encryption, meaning the details of the scheme are not published. Proprietary status forces the hacker to do research and data sampling before intruding, which makes the job harder. A practitioner should treat this as a supplement, not a substitute: obscurity only delays a determined adversary, and once a proprietary scheme is recovered from a captured unit or its firmware, a weak cipher offers no further protection, whereas a publicly vetted standard such as AES does not depend on its design staying secret.
Experienced suppliers of wireless solutions use multiple levels of proprietary protection. Anyone who wants to steal or inject a wireless message has to overcome every level; to succeed, the perpetrator has to work out how all the levels operate, and cannot bypass them simply by using an identical product from the same manufacturer.
These multiple levels of protection include: 1) modulation techniques, 2) a unique data format structure with added encryption, 3) network and address validation, and 4) transmitting messages intermittently. This last one is important. Most commercial-grade wireless products transmit continuously. Users should seek wireless suppliers whose products transmit on an exception-reporting basis, sending data only when there is a change. This increases the difficulty of collecting wireless samples for decoding and enhances the secure transfer of wireless data.
You should also ensure security is embedded in the wireless interface (gateway) as well as in the wireless messaging. There is little point in securing the wireless data if anyone can feed messages into the process through an interface device such as a gateway, unless some form of firewall protection is in effect.
Firewalls are one of the core components of a network security implementation. They can be standalone hardware appliances or built into software. A firewall that inspects traffic up to layer 7 (the application layer), rather than filtering on addresses and ports alone, should be the minimum acceptable specification for industrial applications.
Finally, jamming is another form of security risk. The protection must withstand jamming as well as unwanted messages. If a perpetrator can do damage simply by shutting down the wireless system with jamming, they've met their objective, and this has nothing to do with encryption. In general, the wider the band a system spreads its signal over, the harder it is to jam. Suppliers who use frequency hopping suggest this alone is strong protection, but that isn't exactly true.
Most frequency hopping is synchronized: the master unit transmits a regular beat, and the slave units hop to that beat. A jamming signal covering a couple of consecutive channels, which are not very wide, is enough to interrupt the hopping sequence on every hopping cycle, and this effectively stops the system from working. Savvy wireless providers use non-synchronized frequency hopping, which gives much better performance against this type of attack.
Behind the byline
Frank Williams is alliance manager with industrial-grade wireless solutions provider ELPRO Technologies in El Cajon, Calif.
Wireless LAN security: What every technical professional should know
By David Molnar
There is much more to wireless local area network (WLAN) security than the link layer. The WLAN is part of your overall network, and the measures that protect it should be part of your organization's overall security policy. Traditional security considerations for authentication, authorization, data privacy and confidentiality, and data integrity are equally important.
Look first at security at the data link layer: securing the data that travels between a laptop and the access point of the wireless LAN. In the context of 802.11b, this means talking about the wired equivalent privacy (WEP) protocol and its problems.
What is WEP?
The 802.11 standard specifies an algorithm, WEP, intended to protect wireless communication from eavesdropping, ensuring confidentiality of data on wireless networks. Although not a stated goal of 802.11, a secondary function of WEP is to prevent unauthorized access to a wireless network. The goals of WEP were to provide sufficient privacy and to coexist with the U.S. export control laws in force in 1999, which limited key length. On a WEP-enabled network, all users employ one secret key, shared between the mobile clients and the access point, and that shared key encrypts all packets. An adversary who wants access to the network, or so the thinking goes, cannot decrypt the packets without the shared secret key.
Unfortunately the WEP mechanism has significant security flaws. Perhaps the most significant in practice is that manufacturers ship access points with WEP turned off by default, and no security mechanism can help unless you use it. Even when WEP is enabled, administrators often leave the keys at their factory defaults, allowing easy access to anyone who happens to know those default values.
Even when you turn on WEP and set new shared secrets, the mechanism has major design flaws. For encrypting data, WEP uses an algorithm called RC4, short for Ron's Code 4 and named after cryptographer Ron Rivest, a founder of RSA Security. While RC4 is a secure algorithm if you use it properly, the way WEP uses it opens it up to significant attack: the per-packet key is the shared secret prefixed with a 24-bit initialization vector (IV) sent in the clear, so the keystream repeats as soon as an IV is reused, and for certain IVs the first bytes of the keystream leak information about the key (the Fluhrer, Mantin and Shamir attack). In addition, WEP's integrity check is a plain CRC-32, which is linear, so an attacker can flip chosen bits in a packet and fix up the check without knowing the key.
Another major problem with WEP is that it addresses confidentiality but not authentication. It provides privacy, but it doesn't ensure that the user or the accessing station really is who it claims to be. Anyone who knows the WEP shared secret and the network's service set identifier (SSID) can join the network, and there is no way for administrators to selectively grant or deny access based on who is connecting. Also, if someone guesses or leaks the shared key, you have to manually re-key every station on the network, a major administrative headache as well as a security risk.
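The two WEP design flaws described above (IV reuse and the linear CRC-32 integrity check), worked through as an added example that is not code from this article or from Legra Systems. It also illustrates the earlier cautionary word on 128-bit encryption: the key here is 104 bits plus a 24-bit IV, the common "128-bit WEP" setting, and the key length does nothing to stop either attack. The key, IV and frame contents are constructed for the demonstration, and the model keeps only the parts of WEP the attacks depend on (RC4 keyed with IV || key, CRC-32 as the integrity check value). Standard library only.

```python
"""
Minimal WEP model: frame = IV || RC4(IV || key) XOR (plaintext || CRC-32).
Shows keystream recovery from IV reuse and CRC bit-flipping without the key.
Constructed example; not production code.
"""
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling plus keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: plain CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext, tag == icv(plaintext)


def iv_reuse_recover(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Flaw 1: the 24-bit IV must repeat within 2^24 frames (and, by the
    birthday bound, repeats with even odds after only a few thousand). Two
    frames under one IV share a keystream, so one known plaintext decrypts
    the other without the key."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames use different IVs")
    keystream = xor(known_frame[3:], known_plaintext + icv(known_plaintext))
    body = target_frame[3:]
    if len(body) > len(keystream):
        raise ValueError("known frame too short to cover target")
    return xor(body, keystream)[:-4]      # drop the recovered ICV


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Flaw 2: CRC-32 is affine over XOR, crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0..0),
    so an attacker who knows neither key nor plaintext can flip chosen
    plaintext bits (delta) and still produce a frame whose ICV verifies."""
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return frame[:3] + xor(frame[3:], delta + icv_delta)


# Constructed demo data: a 104-bit key (marketed as "128-bit WEP") and two
# equal-length frames the access point happened to send under the same IV.
KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x00\x01\x02"
P1 = b"STATUS: PUMP=ON TEMP=213"      # plaintext the attacker already knows
P2 = b"SETPOINT=0450 VALVE=OPEN"      # plaintext the attacker wants
FRAME1 = wep_encrypt(KEY, IV, P1)
FRAME2 = wep_encrypt(KEY, IV, P2)


def demo():
    """Returns (plaintext recovered without the key, forged plaintext, forged ICV ok)."""
    recovered = iv_reuse_recover(FRAME1, P1, FRAME2)
    delta = bytes(20) + xor(b"OPEN", b"SHUT")          # flip only the last four bytes
    forged_plaintext, forged_ok = wep_decrypt(KEY, bit_flip(FRAME2, delta))
    return recovered, forged_plaintext, forged_ok


if __name__ == "__main__":
    rec, forged, ok = demo()
    print("recovered without key:", rec)
    print("forged frame decrypts to:", forged, "ICV valid:", ok)
```

Neither attack touches the key: the first needs one frame whose contents are predictable (protocol headers usually suffice), the second needs nothing but the position of the bits to change. An authenticated integrity check (a keyed MAC) and a per-packet key that cannot repeat are exactly what 802.11i added.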
Best WEP practices
Despite the issues with WEP, it is better than no security at all. By following a few simple practices, you can prevent casual adversaries from simply walking into your network.
Turn on WEP. All Wi-Fi Alliance certified 802.11a, 802.11b, and 802.11g access points and wireless network interface cards (NICs) support WEP. This defeats accidental intruders, such as passersby with laptops in public places. Many urban businesses have reported problems when pedestrians' laptops simply found and automatically associated with their network.
Change the default SSID and shared key. It is easy to write programs that automatically scan for factory default SSIDs and default keys. If you change your SSID and key, even to something as simple as your organization's name, you will no longer show up as such a target of opportunity. Be warned, however, that the SSID is easy to sniff from the airwaves, so this will not stop an adversary targeting your organization specifically.
Use MAC address filtering. Configure your access points and routers to accept packets only from known MAC addresses. Then even if someone hits on the correct SSID and key, he or she can't get to the rest of your network. Again, this countermeasure is not perfect: it is easy to spoof a MAC address, and MAC addresses travel in the clear in every packet sent over the air, so an attacker only has to copy one that is already in use.
Behind the byline
David Molnar is security consultant at Legra Systems, Inc. in Burlington, Mass.
Attitudes shift with maturity
By Ellen Fussell Policastro
There are two things going on with the attitude swing toward wireless technology. One is reducing costs, saving money with hundreds of sensors. The other is plant operator mobility, said Rashesh Mody, CTO at Wonderware in Lake Forest, Calif.
The second scenario is happening now, he said. Companies such as Cisco are using industrial Wi-Fi and "creating gears for a lot of industrial automation (routers and switches). WiMax is still coming up as a standard, and companies like Intel are putting money into it," he said.
The gamut of wireless technologies, from lowest to highest field of range, goes in this order: RFID, Zigbee, 802.15.4 (Bluetooth type), Wi-Fi, and WiMax, said Mody, who believes the promise of wireless will lead to its standardizing automation control in the next few years. "I think automation lags behind three to five years," he said. "But the next round is on the industry automation side. A lot of potential software and hardware vendors are working on standards to make sure we can apply."
Yet, reliability is one concern that is slowing the progress of wireless in automation, Mody said. "If you look at the issue of security in virtual private networks (VPNs), without authentication you can't get access to wireless technology," he said. Noise is a big problem in the industrial arena. There's a lot of radio frequency (RF) noise. Security is being addressed by platform vendors like Intel and Microsoft as the technology matures.
In the next five years, "if you look at it in terms of industrial automation vendors, the big vendors, whether hardware or software or sensor, will adopt their offerings on wireless networks," he said. "It's just a question of time and maturity of the technology when we will see more adoption. But it will happen."