Wi-Fi in plant environments: Convenience vs. risk
Wireless Ethernet is everywhere, including your manufacturing areas. It’s a great convenience, but are you protecting it adequately?
Wi-Fi is everywhere, in our homes, offices, and even plant environments. It is now the backbone of communication and has supplanted traditional wired Ethernet for most Internet-related traffic. It has also supplanted cellular-based communication in many instances due to lower costs, higher performance, and better security.
While Wi-Fi may be ubiquitous, it seems like few truly understand how it works, or what is necessary to provide secure communication. Personal experiences working in a variety of manufacturing contexts have shown this is particularly true in process plants and other manufacturing environments. But before we consider what problems have developed, let’s think about how we got to this point.
Strictly speaking, Wi-Fi is a wireless local area network (LAN) using IEEE 802.11 standards and the specific name is owned by the Wi-Fi Alliance. IEEE (Institute of Electrical and Electronics Engineers) published the 802.11b standard in 1999, providing the first practical mechanism to transmit data wirelessly at the relatively fast rates (at least at that time) of 1 to 2 Mbps. It achieved broad adoption very quickly as most prior data connections were wired.
Before Wi-Fi, wireless communications were usually based on proprietary analog radio protocols and were slow, chugging along at 9,600 bps, or to put it in a more directly comparable format, 0.0096 Mbps, which meant Wi-Fi was more than 100 times faster. Moreover, older systems had few data integrity protocols built-in, requiring the user to add those functions.
For industrial applications, Wi-Fi created the potential to implement sophisticated high-speed communication, although the end devices still typically used proprietary serial protocols. Security at this point was not much of an issue. Communication was largely point-to-point using Modbus remote terminal unit (RTU) or something similar. While a hacker might have wanted to disrupt a control system to make a point, there was probably little in the way of data worth stealing.
As PCs and other information technologies (IT) became more common in industrial automation, Ethernet made the move to the plant floor. Ethernet using Transmission Control Protocol/Internet Protocol (TCP/IP) became the norm, but still with a proprietary industrial protocol over it, such as EtherNet/IP, Modbus TCP/IP, Profinet, or another. These communication methods were much like the traditional IT networks, and the enterprise-level networks were becoming ever more connected to the industrial networks, bridging the air gap which kept the industrial side isolated. It was now possible to create a direct path from the lowest-level field device up to the business networks.
Stealing data from industrial networks was now easier because hackers could use the same tools and methods learned in IT networks, but in most environments there was still little worth stealing. Hackers did recognize, however, that industrial networks provided a means of entry over a path often less secure than enterprise IT networks.
They could use the same channels established to move manufacturing data to management-level IT systems, and making such a move was usually pretty simple because the manufacturing-level networks were vulnerable.
Moving Wi-Fi to the plant
In most industrial environments, Wi-Fi deployments started popping up to solve specific application problems. Generally, they were simple point-to-point communication links where wiring was impractical or too expensive. The new technology was used in place of older proprietary systems because it was cheaper and easier to work with. Corporate IT folks usually had no idea what was going on, although these new plant networks might show up on listings of available networks if a wireless network scan was performed.
Early Wi-Fi networks did have provision for security if the user was aware of it, but usually the default was to leave the network unsecured to avoid having to bother with passwords. Prior to 2003, the available system was wired equivalent privacy (WEP), which was included in the original IEEE 802.11 standard and aimed at consumer markets (see Table 1).
|1999 to 2003 |WEP
|2003 to 2006 |WPA with TKIP or AES
|2006 to present |WPA2 with AES and CCMP
It was probably good enough to keep the neighbors out of home networks, but tools for breaking it quickly emerged. By 2003, Wi-Fi Protected Access (WPA) emerged using temporal key integrity protocol (TKIP). It was much better, and replacing TKIP with advanced encryption standard (AES) was yet another improvement. But before long those were broken as well.
In 2006, the problem was largely solved with the introduction of WPA2. It used AES and added Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as a replacement for TKIP. Even this proved possible to break, although getting through it required a great deal of time and effort and simply wasn’t practical for most hackers.
Sloppy security practices
So WPA2 solves the hacker problem, at least technically, but not always in practice. Most Wi-Fi routers have provision for backwards compatibility so a user can configure the security settings using one of the earlier techniques.
A high-quality industrially hardened router can operate for many years even in a tough plant environment, so it’s common to find hardware installed in 2002 still working today. Unfortunately, a 12-year-old router only offers one security setting, WEP, because it was the only setting available when it was built. So, to make a new router work with the existing network, it must be set for WEP in spite of having more sophisticated security capabilities.
Many of the people installing this hardware in the plant are maintenance people, not the IT department. They install a new router and configure it for WEP to match the existing hardware, not realizing the differences in security capabilities. Security is security, right? The network shows up as secure on the available network list, so we’re covered, right?
Some wireless connections aren’t even installed by the company. Service people working in a plant might plug a wireless router into a programmable logic controller (PLC) or Ethernet process network to help solve a troubleshooting issue. Companies with a strong security culture prohibit this kind of thing, but in many firms it’s a common occurrence.
A conscientious technician will make sure the device is removed when the work is done, but those devices are cheap. If one is left behind, few technicians will make any special effort to retrieve it. Long after the job is done it may remain, still connected and unsecured. If a hacker discovers this small and vulnerable network, a new means of entry has just been provided, potentially to the entire company IT infrastructure.
Why security is so important
A hacker trying to break into a company network is going to choose the path of least resistance, and an unsecured or minimally secured wireless network in a process plant is a prime target. The main constraint for the hacker is getting close enough to the plant to pick up the radio signal. Since most transmitters carry beyond the fence line, this might be inconvenient but is probably not a serious limitation.
If a hacker can only reach an isolated plant network, the amount of potential damage should be limited (see sidebar). The more serious problem is when a successful invasion of the plant network provides a path into corporate IT networks, where money changes hands, and far more valuable data is stored.
The connection between a plant network and corporate networks normally allows for data to flow up the chain. Downward flow should be limited to avoid any possibility of someone in an office meddling with settings in the plant and to protect against hackers moving into the plant from corporate networks. But some companies either want or need to have communications in both directions, for example to download desired production instructions.
Most corporate IT groups will place barriers between the IT and plant networks, typically firewalls, a demilitarized zone (DMZ), or point server, to control what passes back and forth. But as mentioned, these are normally far more concerned about traffic going down from IT to the plant and may not be as vigilant when monitoring communications in the other direction.
Moreover, unless individuals responsible for configuring these systems have a high level of familiarity with industrial networks and hardware common to manufacturing environments, the rules controlling the traffic are rarely configured as they should be.
So if a hacker is determined and wants to invade the larger system via a plant Wi-Fi network, he often only needs to get physically close enough to establish communication. If the hacker does manage to move up to the corporate networks and is skilled, he might be able to create a door for himself and go in directly via the Internet on subsequent visits.
If IT security is too tight to create a new opening, the hacker might have to install a small device near the plant capable of communicating with the Wi-Fi network and then send the information to a more convenient location using a cellular connection. In any case, there are multiple ways to establish a more permanent foothold in the corporate networks via Wi-Fi networks.
What’s the solution?
This problem is not difficult to fix, but it requires some diligence, and plant personnel need to pay attention to what they’re doing. Here are some recommended procedures (see Table 2):
|Replace any Wi-Fi router manufactured before 2006
|Configure all networks with WPA2 security
|Use strong passwords
- Replace any Wi-Fi router manufactured before 2006. Older routers may be working perfectly well but if they do not support WPA2 security they should be replaced with current units. Moreover, just because a unit was made in 2006 does not necessarily ensure it can support WPA2, so verify that this capability exists.
- Configure all networks with WPA2 security. When all routers are equipped with WPA2 make it your default security protocol and enforce it for all routers in the plant.
- Use strong passwords. Routers need to be set up with passwords, and they must be effective passwords. Everybody knows passwords can be broken, but the critical elements are length and variety. The more characters of different types, the better. Your minimum password length should be 16 characters. Including numerals and symbols can help, but the sheer number of characters matters the most. Creating phrases can help individuals memorize passwords and does not reduce their effectiveness. For example "MyHouseHasPurpleShutters" has 24 characters, but is still easy to remember and type.
- Manage passwords. The best password won’t help if it’s written on a slip of paper taped to the router. A record of all passwords should be written down on paper and kept somewhere outside the plant. Someone in the office should have it in a secure file cabinet. Password management must include changing passwords and logins immediately when an employee with knowledge of passwords leaves the company. Don’t wait until a more convenient time; instead change the passwords as soon as the employee leaves the company. A disgruntled employee is far more dangerous than the most skilled hacker because he or she could have intimate knowledge of how everything works and how things are configured. A former employee with grievances providing guidance to a skilled hacker is the worst possible combination.
These security measures are effective, simple to implement, inexpensive, and can be carried out by plant personnel without bringing IT people into the process. When the people responsible for plant Wi-Fi and other networks can maintain an appropriate level of security, they are making an important contribution to the company.
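The four recommendations above, together with the leftover-router problem described earlier, can be checked in one pass over a wireless scan. This is an added example, not part of the original article; the CSV columns, sample networks and the `audit` function are constructed for illustration, and it assumes the plant inventory records passphrase length and change date rather than the passphrase itself.

```python
import csv, io
from datetime import date

# Constructed sample data; column names are hypothetical, not a vendor export format.
INVENTORY = """bssid,ssid,made,psk_len,psk_changed
00:11:22:33:44:01,PLANT-PRESS,2011,24,2015-04-02
00:11:22:33:44:02,PLANT-TANKFARM,2002,8,2009-06-15
00:11:22:33:44:03,PLANT-PACKAGING,2012,12,2015-04-20
"""
SCAN = """bssid,ssid,security
00:11:22:33:44:01,PLANT-PRESS,WPA2-CCMP
00:11:22:33:44:02,PLANT-TANKFARM,WEP
00:11:22:33:44:03,PLANT-PACKAGING,WPA-TKIP
00:11:22:33:44:99,linksys,OPEN
"""
MIN_PSK_LEN = 16        # minimum passphrase length recommended above
OLDEST_HARDWARE = 2006  # units built earlier should be replaced

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(inventory_csv, scan_csv, last_departure):
    """Return {bssid: [findings]} for every network seen in the scan."""
    known = {r["bssid"].lower(): r for r in rows(inventory_csv)}
    report = {}
    for net in rows(scan_csv):
        bssid, found = net["bssid"].lower(), []
        if net["security"].upper() != "WPA2-CCMP":
            found.append("not WPA2: " + net["security"])
        rec = known.get(bssid)
        if rec is None:
            # Not in the plant's records: possibly a device left behind after service work.
            found.append("not in inventory")
        else:
            if int(rec["made"]) < OLDEST_HARDWARE:
                found.append("hardware older than 2006")
            if int(rec["psk_len"]) < MIN_PSK_LEN:
                found.append("passphrase shorter than 16 characters")
            if date.fromisoformat(rec["psk_changed"]) < last_departure:
                found.append("passphrase not changed since last departure")
        report[bssid] = found
    return report

if __name__ == "__main__":
    for bssid, found in audit(INVENTORY, SCAN, date(2015, 4, 1)).items():
        print(bssid, "OK" if not found else "; ".join(found))
```

A network that is present in the scan but absent from the inventory is reported even when it is secured, because the article's concern there is the unrecorded device itself.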
What needs protection on plant networks?
One of the common discussions relating to cyber security is the necessity of protecting sensitive manufacturing data. Information coming from the plant in some situations can indeed be very valuable if it involves critical CNC programming for aircraft parts or closely guarded chemical processes.
However, the data available in most manufacturing operations such as reactor temperatures or how many pieces came out of a stamping press in a shift will not be valuable enough to steal. So why do hackers break into industrial networks?
Some hackers simply want to disrupt production one way or another; shut off a critical piece of equipment, delete the program from a PLC, or open the wrong valve to create an environmental mishap. These may be possible, but it’s important to keep the situation in perspective. Under the worst circumstances, what is it possible for a cyber criminal to do? If the control systems in a plant can be operated in such a way to create a health or safety issue, those systems are designed badly and should be reevaluated.
This may seem shocking, but if plant operators working in the control room or cyber criminals coming in from outside can create a truly threatening situation and safety systems cannot transition the plant to a safe state, there is something drastically wrong. In a properly designed control system, a hacker might be able to create immediate problems but nothing that would leave long-lasting effects.
This concept of proportionality, however, is not an excuse to leave plant-level networks unprotected, especially wireless ones. A cyber security defense plan should reflect the value of what it’s protecting. The safety aspects of a properly designed control system should be virtually impossible to disrupt, either through intentional efforts or human error.
– Bruce Billedeaux, PE, is a senior consultant for Maverick Technologies; edited by Peter Welander, content manager, Control Engineering, firstname.lastname@example.org.
Maverick Technologies is a CSIA member as of 7/20/2015