Wi-Fi in plant environments: Convenience vs. risk
Wireless Ethernet is everywhere, including your manufacturing areas. It’s a great convenience, but are you protecting it adequately?
Wi-Fi is everywhere, in our homes, offices, and even plant environments. It is now the backbone of communication and has supplanted traditional wired Ethernet for most Internet-related traffic. It has also supplanted cellular-based communication in many instances due to lower costs, higher performance, and better security.
While Wi-Fi may be ubiquitous, it seems like few truly understand how it works, or what is necessary to provide secure communication. Personal experiences working in a variety of manufacturing contexts have shown this is particularly true in process plants and other manufacturing environments. But before we consider what problems have developed, let's think about how we got to this point.
Strictly speaking, Wi-Fi is a wireless local area network (LAN) using IEEE 802.11 standards and the specific name is owned by the Wi-Fi Alliance. IEEE (Institute of Electrical and Electronics Engineers) published the 802.11b standard in 1999, providing the first practical mechanism to transmit data wirelessly at the relatively fast rates (at least at that time) of 1 to 2 Mbps. It achieved broad adoption very quickly as most prior data connections were wired.
Before Wi-Fi, wireless communications were usually based on proprietary analog radio protocols and were slow, chugging along at 9,600 bps, or to put it in a more directly comparable format, 0.0096 Mbps, which meant Wi-Fi was more than 100 times faster. Moreover, older systems had few data integrity protocols built-in, requiring the user to add those functions.
For industrial applications, Wi-Fi created the potential to implement sophisticated high-speed communication, although the end devices still typically used proprietary serial protocols. Security at this point was not much of an issue. Communication was largely point-to-point using Modbus remote terminal unit (RTU) or something similar. While a hacker might have wanted to disrupt a control system to make a point, there was probably little in the way of data worth stealing.
As PCs and other information technologies (IT) became more common in industrial automation, Ethernet made the move to the plant floor. Ethernet using Transmission Control Protocol/Internet Protocol (TCP/IP) became the norm, but still with a proprietary industrial protocol over it, such as EtherNet/IP, Modbus TCP/IP, Profinet, or another. These communication methods were much like the traditional IT networks, and the enterprise-level networks were becoming ever more connected to the industrial networks, bridging the air gap which kept the industrial side isolated. It was now possible to create a direct path from the lowest-level field device up to the business networks.
Stealing data from industrial networks was now easier because hackers could use the same tools and methods learned in IT networks, but in most environments there was still little worth stealing. Hackers did recognize, however, that industrial networks provided a means of entry over a path often less secure than enterprise IT networks.
They could use the same channels that had been established to move manufacturing data up to management-level IT systems, and making that move was usually pretty simple because the manufacturing-level networks were vulnerable.
Moving Wi-Fi to the plant
In most industrial environments, Wi-Fi deployments started popping up to solve specific application problems. Generally, they were simple point-to-point communication links where wiring was impractical or too expensive. The new technology was used in place of older proprietary systems because it was cheaper and easier to work with. Corporate IT folks usually had no idea what was going on, although these new plant networks might show up on listings of available networks if a wireless network scan was performed.
Early Wi-Fi networks did have provision for security if the user was aware of it, but usually the default was to leave the network unsecured to avoid having to bother with passwords. Prior to 2003, the available system was wired equivalent privacy (WEP), which was included in the original IEEE 802.11 standard and aimed at consumer markets (see Table 1).
Table 1: Wi-Fi security methods by period

Period             Security method
1999 to 2003       WEP
2003 to 2006       WPA with TKIP or AES
2006 to present    WPA2 with AES and CCMP
It was probably good enough to keep the neighbors out of home networks, but tools for breaking it quickly emerged. By 2003, Wi-Fi-protected access (WPA) emerged using temporal key integrity protocol (TKIP). It was much better and replacing TKIP with advanced encryption standard (AES) was yet another improvement. But before long those were broken as well.
In 2006, the problem was largely solved with the introduction of WPA2. It used AES and added counter mode with cipher block chaining message authentication code protocol (CCMP) as a replacement for TKIP. Even this proved possible to break, although getting through it required a great deal of time and effort and simply wasn't practical for most hackers.
Sloppy security practices
So WPA2 solves the hacker problem, at least technically, but not always in practice. Most Wi-Fi routers have provision for backwards compatibility so a user can configure the security settings using one of the earlier techniques.
A high-quality industrially hardened router can operate for many years even in a tough plant environment, so it's common to find hardware installed in 2002 still working today. Unfortunately, a 12-year-old router only offers one security setting, WEP, because it was the only setting available when it was built. So, to make a new router work with the existing network, it must be set for WEP in spite of having more sophisticated security capabilities.
Many of the people installing this hardware in the plant are maintenance people, not the IT department. They install a new router and configure it for WEP to match the existing hardware, not realizing the differences in security capabilities. Security is security, right? The network shows up as secure on the available network list, so we're covered, right?
Some wireless connections aren't even installed by the company. Service people working in a plant might plug a wireless router into a programmable logic controller (PLC) or Ethernet process network to help solve a troubleshooting issue. Companies with a strong security culture prohibit this kind of thing, but in many firms it's a common occurrence.
A conscientious technician will make sure the device is removed when the work is done, but those devices are cheap. If one is left behind, few technicians will make any special effort to retrieve it. Long after the job is done it may remain, still connected and unsecured. If a hacker discovers this small and vulnerable network, a new means of entry has just been provided, potentially to the entire company IT infrastructure.
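The two problems just described, a new router deliberately set to WEP to match old hardware and a technician's access point left behind unsecured, both show up in a routine wireless survey if someone compares the survey against an inventory of approved plant access points. The following script is an added example, not code from the article, that performs that comparison: it parses a simplified scan listing (a constructed key=value format, not the output of any particular scanning tool), ranks each network's security setting against the progression in Table 1, and reports every access point that is below WPA2 with CCMP or that is not in the approved inventory. The sample scan data and inventory are constructed for illustration.

```python
"""Audit a Wi-Fi scan listing for legacy security settings and unknown access points.

Added example; the scan record format (ssid=... bssid=... sec=... ch=...) is
constructed for this illustration and is not the output of any specific tool.
"""
from dataclasses import dataclass

# Security settings ranked weakest to strongest, following Table 1.
# WPA with TKIP and WPA with AES are ranked separately since TKIP is the weaker cipher.
SECURITY_RANK = {
    "OPEN": 0,
    "WEP": 1,
    "WPA-TKIP": 2,
    "WPA-AES": 3,
    "WPA2-CCMP": 4,
}
MINIMUM_ACCEPTABLE = "WPA2-CCMP"


@dataclass
class ScanRecord:
    ssid: str
    bssid: str
    security: str  # one of the SECURITY_RANK keys
    channel: int


@dataclass
class Finding:
    bssid: str
    ssid: str
    issue: str  # "legacy_security", "unknown_ap" or "ssid_mismatch"
    detail: str


def parse_scan(text):
    """Parse the constructed scan format: one access point per line, key=value fields."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        records.append(ScanRecord(
            ssid=fields["ssid"],
            bssid=fields["bssid"].lower(),   # normalise so inventory lookups are case-insensitive
            security=fields["sec"].upper(),
            channel=int(fields["ch"]),
        ))
    return records


def audit(records, inventory):
    """Compare scan records against an inventory (dict of BSSID -> expected SSID).

    Returns a list of Findings. An unrecognised security string is treated as the
    weakest rank so that it is always surfaced for review rather than silently passed.
    """
    findings = []
    threshold = SECURITY_RANK[MINIMUM_ACCEPTABLE]
    for r in records:
        if SECURITY_RANK.get(r.security, 0) < threshold:
            findings.append(Finding(r.bssid, r.ssid, "legacy_security",
                                    f"{r.security} is below {MINIMUM_ACCEPTABLE}"))
        expected = inventory.get(r.bssid)
        if expected is None:
            # A BSSID nobody approved: a leftover service AP or an unmanaged plant-floor router.
            findings.append(Finding(r.bssid, r.ssid, "unknown_ap",
                                    "BSSID not in approved inventory"))
        elif expected != r.ssid:
            findings.append(Finding(r.bssid, r.ssid, "ssid_mismatch",
                                    f"inventory expects SSID {expected!r}"))
    return findings


# Constructed sample data: one healthy AP, one approved AP still set to WEP,
# one unapproved AP reusing a plant SSID, and one open consumer router left behind.
SAMPLE_SCAN = """
ssid=PLANT-LINE1 bssid=00:11:22:33:44:01 sec=WPA2-CCMP ch=6
ssid=PLANT-LINE2 bssid=00:11:22:33:44:02 sec=WEP ch=11
ssid=PLANT-LINE1 bssid=00:11:22:33:44:03 sec=WPA-TKIP ch=6
ssid=linksys bssid=AA:BB:CC:DD:EE:FF sec=OPEN ch=1
"""

APPROVED_INVENTORY = {
    "00:11:22:33:44:01": "PLANT-LINE1",
    "00:11:22:33:44:02": "PLANT-LINE2",
}


def run_sample():
    """Audit the constructed sample scan against the constructed inventory."""
    return audit(parse_scan(SAMPLE_SCAN), APPROVED_INVENTORY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.bssid}  {f.ssid:<12} {f.issue:<16} {f.detail}")
```

On the constructed sample this reports five findings: the WEP router on PLANT-LINE2 (approved, but legacy security), the WPA-TKIP device on channel 6 (legacy security and not in inventory), and the open "linksys" router (legacy security and not in inventory). The inventory is the important part; without a list of what is supposed to be there, an unsecured access point left behind by a service technician looks like any other network.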
Learn more about why security is important, as well as some solutions and best practices to follow.