Wireless cybersecurity in an industrial context – Part 1
Wireless networks have been creeping into process plants, factories and utilities for some time now. The convenience and efficiencies they provide are obvious, but the cybersecurity risks must be managed well.
These days Wi-Fi can be found everywhere: in our homes and offices, and now even plant environments. In many cases it has replaced traditional wired Ethernet for most internet-related traffic.
While wireless instrument and sensor mesh networks such as those based on WirelessHART and ISA-100.11a have been with us for some years now, and provide low-power, redundant and relatively secure wireless networking for industrial process instrumentation in particular, many plants would still be reluctant to deploy them in mission-critical functions where wired fieldbus or industrial Ethernet is available.
In contrast, in most industrial environments Wi-Fi deployments have started popping up to solve specific application problems, despite the fact that Wi-Fi uses a higher-powered radio signal with greater range and is a technology well understood by the general population, including potential cyber threat adversaries. Generally, they were originally used for simple point-to-point communication links where wiring was impractical or too expensive. Now they are popping up to enable greater bandwidth applications such as security devices, and to give roaming personnel access to information from smartphones and tablets.
There are, of course, many advantages in deploying wireless technologies for greater efficiencies and improved functionality at lower cost. However, the deployment of such technologies can potentially open up a veritable ‘can of worms’ in relation to plant cybersecurity.
ICS security: misunderstanding the importance of confidentiality
In general terms, managing security on a data network involves mitigating risk in three areas of potential impact: confidentiality, integrity and availability (the now well-known CIA trio). Historically, as vulnerabilities in hardware and software systems are discovered and classified, they are ranked against various vulnerability metrics, including the abovementioned impact metrics [1].
In most organisations, the confidentiality metric is considered the most crucial, while availability may also be highly important, if the loss of access to systems can cause business disruption. However, we often read in industrial cybersecurity articles and blogs that confidentiality is not as important as availability in an industrial control system (ICS). Obviously the availability of the processing or manufacturing process and its safety is of the highest concern in an ICS, but we should be careful in making generalisations like this in relation to an industrial organisation as a whole, or even in relation to the ICS itself.
Why? Because confidentiality matters to all organisations at the business level: all organisations should be very careful of the confidentiality of their financial and business data and their intellectual property. But we should also remember that any information that a potential intruder could use to impact the availability of an ICS (such as engineering design data) also needs to be protected. In other words, compromising the confidentiality of information can lead to an increased risk of ICS attack and loss of availability. If your organisation is a critical infrastructure organisation, you would (and should) be aware that your organisation will be a potential target for an advanced persistent threat (APT). Such adversaries with advanced hacking skills may well attack your ICS only after a long period of engaging in stealthy cyber-espionage against your company’s business and engineering data [2,3]. It is therefore crucial that the confidentiality metric is taken seriously, and not ‘brushed off’ as less important in an ICS scenario.
With the business drive towards Industry 4.0 and increasing interconnectivity between IT and operational systems (IT/OT integration) — as well as the increasing tendency towards the use of commercial and enterprise networking technologies such as Wi-Fi (WLANs) in industrial environments — all vulnerability metrics should be taken seriously. The increasing flow of data both ways, between the ICS and the business network, as well as the increasing use of operational wireless-based tools such as tablets and smartphones to carry and access engineering data, should all be considered in mitigating cybersecurity risk. This also applies to third-party support organisations you may engage, the technology they bring with them and the information they have access to or take with them.
This article will focus on the issues of maintaining cybersecurity in a WLAN environment, as this type of technology is gaining increased use in industrial networks.
Defence in Depth
The concept of Defence in Depth has been well described in the literature. In general, the concept involves using a strategy that seeks to delay an attacker by creating a resilient infrastructure that resists attack long enough to allow time for detection and response. Basically it can be said that the plant is secure if:
where tp is the time needed to penetrate, td is the time needed to detect the penetration and tr is the time needed to respond to it.
The architecture of the network, in which the ICS is segmented and firewalled internally at various levels, firewalled off from the business network, and where the business network employs firewalled segments, has been variously described. Layering the network in this way, with careful, well-designed firewall rules, provides multiple layers of defence that an intruder must penetrate to get to the critical control system components.
This is all very well if the only ‘outside world’ access is via the corporate internet connection. Such a design, in which even remote VPN access for contractors and mobile staff must pass through all these layers from a single point of ingress, is (with correct planning) relatively easy to protect. But what happens when Wi-Fi nodes are placed at the lower levels? Even with all the best intentions and careful planning, the installation of WLAN access points in the ICS network effectively provides a potentially unlimited range of other points of ingress if not managed correctly.
Edge protection: encryption and VLANs
The most obvious difference between wired and wireless networks is that wireless networks cannot easily be constrained to a physical space. While wired networks can be tapped electromagnetically (and government agencies that work with highly classified data mandate optic fibre networks, and sometimes electromagnetically shielded building spaces), this is generally only the realm of sophisticated and expensive spying technology. Wireless networks on the other hand — particularly in process plants where most of the action occurs ‘outdoors’ — have signals available to anyone who simply parks a vehicle outside the plant fence. The physical network layer (Layer 1) and the media access control layer (Layer 2) are therefore not protectable in a wireless scenario, regardless of technology or protocol.
Without appropriate security in place, the signals of a WLAN could be received and manipulated by an attacker, and as a result, not only might confidential information from the network be captured, but an attacker could also feed false information or control messages into the network and interfere with its operation. The need to protect against these types of attacks is so fundamental that standardised security processes have been built into the IEEE 802.11i standard [5].
Early WLANs did have provision for security, but usually the default was to leave the network unsecured to avoid having to bother with passwords. Prior to 2003, the only available method was Wired Equivalent Privacy (WEP), which was included in the original IEEE 802.11 standard and aimed at consumer markets. Tools for breaking it quickly emerged. By 2003, Wi-Fi Protected Access (WPA) emerged using the Temporal Key Integrity Protocol (TKIP). It was much better, and replacing TKIP with the Advanced Encryption Standard (AES) was yet another improvement. But before long those were broken as well.
In 2006 with the introduction of WPA2, in addition to AES, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was added as a replacement for TKIP. Even this has proven possible to break, although getting through it requires a great deal of time and effort and simply isn’t practical for most hackers.
WPA2 is a security procedure published by the Wi-Fi Alliance [6] that is based on the requirements of the IEEE 802.11i standard, which specifies procedures for key negotiations, data encryption and data verification for transmission of user data within a WLAN. The applicable architecture specifies the individual encryption of each and every wireless data transmission. In order to achieve this, pair-wise encryption keys are present between the communication partners (the session key). In addition, built-in integrity protection ensures that the transmitted data is not only confidential, but also unchanged.
WPA2 includes two modes (Personal and Enterprise) which specify different methods of device authentication. Using WPA Personal mode, there is one common pre-shared key for all devices in the network. This password is preconfigured individually for all devices and access points. This type of key management might be practical for very small networks, but becomes a restrictive overhead in the management of larger networks. Typical recurring procedures, such as the replacement of an old key or the exclusion of a lost or stolen WLAN device from a network, usually require a manual and complex reconfiguration of all access points and clients.
The WPA Enterprise mode allows each device to be issued a different key and to manage those keys in a central authentication database (such as a RADIUS server). Using the IEEE 802.1X standard for port-based authentication, the access point can validate every WLAN device individually when a connection is established. Keys can therefore be managed centrally, while lost or stolen devices can be simply disconnected from the network by removing their key information from the database.
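The progression described above (WEP, WPA with TKIP, WPA2 with CCMP, and Personal versus Enterprise mode) can be checked against an access point's configuration. The following Python audit of hostapd-style settings is an added example, not part of the original article; the sample configurations are constructed, and the findings and the rule that WPA-EAP should be paired with `ieee8021x=1` are this example's own checks.

```python
# Added example, not from the article: audit hostapd-style settings against the
# WEP -> WPA/TKIP -> WPA2/CCMP and Personal -> Enterprise progression above.

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means WPA2 Enterprise with CCMP only."""
    conf = parse_conf(text)
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP key configured")
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if not wpa & 2:
        findings.append("WPA2 not enabled")
        return findings
    if wpa & 1:
        findings.append("original WPA still accepted alongside WPA2")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as a pairwise cipher")
    if "CCMP" not in conf.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise does not name CCMP explicitly")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt:
        findings.append("Personal mode: one pre-shared key for all devices")
    elif "WPA-EAP" not in key_mgmt:
        findings.append("wpa_key_mgmt does not select WPA-EAP")
    elif conf.get("ieee8021x") != "1":
        findings.append("WPA-EAP selected but ieee8021x is not enabled")
    return findings

# Constructed sample configurations (SSIDs, keys and addresses are made up).
LEGACY = "ssid=plant-legacy\nwep_default_key=0\nwep_key0=0123456789\n"
PERSONAL = ("ssid=plant-cams\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n"
            "rsn_pairwise=CCMP\nwpa_passphrase=constructed-example\n")
ENTERPRISE = ("ssid=plant-ops\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"
              "ieee8021x=1\nauth_server_addr=192.0.2.10\n")

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("personal", PERSONAL), ("enterprise", ENTERPRISE)):
        print(name, audit(conf) or "no findings")
```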
As stated above, however, WPA2 is not a panacea. It is still crackable, although it takes much time and effort. Those in critical infrastructure industries should bear in mind that if they are a potential target of a state-based actor (in the form of what is known as an ‘advanced persistent threat’ or APT), then deploying WLAN technology should perhaps be considered more carefully, or restricted to non-mission-critical use in a way that is isolated from any essential control network infrastructure.
The more advanced WLAN access points that are available allow devices to be assigned to different virtual LANs (VLANs), so that devices with different roles can be clearly differentiated. For example, a WLAN-connected vibration monitor and a WLAN surveillance camera could be isolated from each other by assigning them to different VLANs. This results in the sensor only communicating with the CMMS, while the camera’s communication is limited to a security surveillance system. The segmentation makes it difficult for attackers to gain further access to the network should a simpler device be compromised – which is of course an example of the application of Defence in Depth.
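The segmentation described above can be verified from flow records: each VLAN should only reach the system its role requires. The following Python check is an added example, not part of the original article; the VLAN IDs, addresses and log format are hypothetical and the flow lines are constructed.

```python
# Added example, not from the article: check constructed flow records against
# the per-VLAN policy described above. VLAN IDs and addresses are hypothetical.
import ipaddress

POLICY = {
    110: {"role": "vibration sensors", "allowed": ["10.20.0.5/32"]},  # CMMS host
    120: {"role": "cameras", "allowed": ["10.30.0.0/28"]},            # surveillance system
}

# Constructed flow log: VLAN tag, source device, destination address and port.
FLOWS = """\
vlan=110 src=10.10.110.21 dst=10.20.0.5 dport=443
vlan=120 src=10.10.120.7 dst=10.30.0.4 dport=554
vlan=120 src=10.10.120.7 dst=10.20.0.5 dport=443
vlan=110 src=10.10.110.21 dst=10.10.120.7 dport=80
vlan=130 src=10.10.130.9 dst=10.20.0.5 dport=443
"""

def parse_flow(line):
    """Turn one 'key=value ...' record into (vlan, src, dst address)."""
    fields = dict(item.split("=", 1) for item in line.split())
    return int(fields["vlan"]), fields["src"], ipaddress.ip_address(fields["dst"])

def violations(log, policy=POLICY):
    """Return (vlan, src, dst, reason) for every flow the policy does not allow."""
    found = []
    for line in log.splitlines():
        if not line.strip():
            continue
        vlan, src, dst = parse_flow(line)
        rule = policy.get(vlan)
        if rule is None:
            found.append((vlan, src, str(dst), "VLAN has no policy"))
        elif not any(dst in ipaddress.ip_network(net) for net in rule["allowed"]):
            found.append((vlan, src, str(dst),
                          rule["role"] + " outside allowed destination"))
    return found

if __name__ == "__main__":
    for item in violations(FLOWS):
        print(item)
```

A camera reaching the CMMS, or a sensor reaching a camera, shows up here as a violation even though both flows stay inside the plant network.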
In Part 2
Even though WLAN deployments effectively create additional points of ingress into the plant networks, modern Wi-Fi access points provide a high level of data encryption that makes eavesdropping on data difficult if not impossible for most hackers. But this is not the whole story.
In Part 2 of this article we will examine flaws in many Wi-Fi access points that make it possible to insert rogue clients and access points, and discuss firewalls and intrusion detection.
1. National Institute of Standards and Technology (NIST), ‘National Vulnerability Database (NVD) Common Vulnerability Scoring System’, <https://nvd.nist.gov/cvss.cfm>.
2. Johnson G 2016, ‘The control system kill chain: Understanding external ICS cyber threats – Part 1’, What’s New in Process Technology, vol. 29, no. 10, April 2016.
3. Johnson G 2016, ‘The control system kill chain: Understanding external ICS cyber threats – Part 1’, ProcessOnline, 11 April 2016, <http://www.processonline.com.au/content/software-it/article/the-control-system-kill-chain-understanding-external-ics-cyber-threats-part-1-1431691019>.
4. US Department of Homeland Security 2016, Recommended Practice: Improving Industrial Control System Cyber Security with Defense-in-Depth Strategies.
5. Institute of Electrical and Electronics Engineers, Inc. 2012, ANSI/IEEE 802.11-2012: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.
6. Wi-Fi Alliance, <http://www.wi-fi.org/>.