Wireless cybersecurity in an industrial context — Part 2
Wireless networks have been creeping into process plants, factories and utilities for some time now — the convenience and efficiencies they provide being obvious, but the cybersecurity risks must be managed well.
The risk with WLAN deployments is that they effectively create additional potential points of ingress into plant networks. In Part 1 of this article we discussed how modern Wi-Fi access points provide a high level of data encryption that makes eavesdropping on data difficult if not impossible for most hackers. But this is not the whole story: there are also other types of flaws in many Wi-Fi access points that make it possible to insert rogue clients and access points.
There are, of course, many advantages in deploying wireless technologies for greater efficiencies and improved functionality at lower cost. However, the deployment of such technologies can potentially open up a veritable ‘can of worms’ in relation to plant cybersecurity, so understanding the inherent risks and applying effective firewall and intrusion detection techniques are important to mitigate cybersecurity risks.
The problem of management frames
The discussion in Part 1 about encryption and access control mainly applies to the issue of confidentiality — although once confidentiality is breached, it then makes more possible an attack on the availability and integrity of a system. However, there are other aspects of wireless network operation that are more directly related to the network’s availability and integrity.
One of the aspects of wireless networks that is not normally transparent to those managing the network is how the network manages itself. While network management in a wired network is largely related to physical connections and switches, all of which may be able to be monitored and controlled, WLAN networks tend to be self-managing. The protocols by which wireless devices manage their connections with each other are largely transparent to the user, in the interest of making them ‘user-friendly’.
The management functions of the network are controlled using ‘management frames’, which are transmitted wirelessly but instead of containing user data they are used to organise the internal operation of the network. Devices can use management frames to log on and off the network, initiate new key exchanges and report when they roam from one access point to another.
WPA2 does not encrypt or authenticate management frames, and so these data frames are vulnerable to tapping and being forged. Attackers can use forged management frames to send commands to an access point, and the access point has no means of detecting that the command came from the attacker and not the victim device. Not only could an attacker insert a new device in the network this way, they can also completely disrupt the network, causing communication failures, and even lock out the plant operators or network administrators.
Fortunately, the IEEE introduced a standard (IEEE 802.11w1) in which a technique called ‘protected management frames’ (PMF) was introduced. This feature makes it possible to encrypt and protect management frames against forgery. In doing so, the mechanism for authentication and encryption present in WPA2 is extended to achieve the confidentiality and integrity of the management frames. Currently, there are not many device vendors that support this function in industrial WLAN equipment, so this should be taken into consideration when designing a WLAN deployment and choosing your equipment.
Wired network integration
As has been well known in cybersecurity circles for many years, most cyber attacks are actually perpetrated from inside the network, rather than directly ‘hacked’ from outside. These security incidents can be caused by malicious insiders, or simply by accidents and poor internal policies, and now more often are caused by malware and phishing attacks (external adversaries acting from the inside). Even the most effective WLAN encryption does not offer protection when the attacker is coming from the internal wired network. In the interest of being consistent with the principles of defence in depth, it is important to establish barriers that deter internal attackers from extending their influence by compromising other systems in the network.
The issue also works the other way: as soon as a client device has been integrated into a WLAN, it can communicate with other devices in the same network or subnetwork, which means an attacker can use the wireless network to infiltrate additional network systems to extend their influence. It is therefore necessary, as part of a defence in depth strategy, to selectively limit communication between devices.
It is a feature of many wireless access points that they can be configured to suppress all communication between all connected clients, thereby isolating all clients from one another. This may not be useful, however, because the connected WLAN clients may have to directly relay information in order to perform a function. More fine-grained control of traffic is therefore required in order to allow desired communications while blocking all undesired communication.
An access point that incorporates a Layer 2 firewall can selectively filter traffic between WLAN clients, limiting the traffic to the required peers and protocol, which is more selective than a VLAN. Layer 3 firewalls are not of any use in this scenario, because they only filter between entire Ethernet or wireless networks, and therefore permit all devices on a given subnet to communicate with each other.
More on firewalls
According to the principles of defence in depth, individual segments of a plant network must be isolated from one another. Because an access point often wirelessly connects clients to the routed network or connects distant sites through wireless point-to-point links, it is a good device to help selectively enforce the isolation of the different devices and networks by providing firewalling functionality. An internal firewall in the access point or wireless router that can perform stateful packet inspection can be used to restrict communication to desired peers, communication protocols and protocol behaviours. In this case a Layer 3 firewall is performing the filtering for devices across network boundaries, such as across wireless links.
Firewalls can also provide alerting about attempts to violate the firewall rules, notifying administrators and operators that a device on the network is acting inappropriately.
Firewalls other than those built in to Wi-Fi access points are also of importance in the network particularly at Layer 3, regardless of whether WLANs are deployed or not. However, there are firewalls and there are firewalls. A firewall that is easy to use is important: it can be an enabler of better security. Firewalls that are complex and need an extensive training course or a degree in data communications to manage can inadvertently become security risks.
When a firewall software or device is too complex, and the user cannot be sure of how it is working, it may be too easy to implement security holes, rather than walls, albeit inadvertently. In complex networks where many different secure access paths and protocols must be finely managed, complexity in the firewall itself can lead to erroneous and insecure configurations, while at the same time creating a false sense of security. In environments where modifications and the deployment of new technology is commonplace — or where there are technical problems that are being managed — it is often tempting to introduce ‘temporary’ firewall rules that open the security to ‘make life easier’. The risk here is that these temporary fixes get forgotten after the fact, leaving a potential gaping hole in the defence the firewall is meant to be providing.
In summary, a firewall that provides support for all the necessary protocols, while at the same time is simple and clear to manage is the best solution.
The management of firewalls should also be clearly documented and reviewed — ALWAYS. Ad hoc undocumented changes should be completely against policy in any organisation.
As described above, there are many functions that occur on networks that are invisible to the network users, such as those that occur via wireless management frames. For this reason, it is important that a WLAN system can detect anomalies in the wireless communication before an attacker can affect the operation of the plant.
Some access points offer a wireless intrusion detection system (WIDS) that can detect suspicious behaviour, such as forged management frames, forged authentication messages or open network scanning. WIDS solutions can also be installed as a solution separate to the access points, but they are typically more expensive and may only be cost effective where a large number of access points need to be monitored.
So-called ‘rogue’ access points are also a common attack vector. A rogue access point may be an unsanctioned access point added by an employee for their own reasons (malicious or not) or an access point maliciously deployed by an intruder within the wireless range of the network. The employee may only be doing this for some perceived convenience to themselves in performing their job (a security awareness issue), but a malicious actor will have done it to attempt to join the network and gain access.
Wireless phishing (‘wiphishing’) is an attack in which a rogue access point is used in an attempt to lure wireless clients to connect to it instead of the legitimate wireless network. This is done by configuring the access point with the same SSID (service set identifier) and no password protection to allow legitimate clients to connect to it. Because the names are the same, it is difficult to detect when this has happened. In connecting to the fake access point a WLAN client may disclose sensitive data or internal information regarding the structure of the industrial network. Man-in-the-middle attacks are also possible and may go undetected.
Rogue access points and wiphishing are only possible when there is insufficient visibility of the structure of the wireless network. Having the right type of WIDS solution and management tools that clearly show the network structure, including rogue access point detection, is essential.
WLANs provide many possibilities for increased efficiencies in process plants, factories and critical infrastructure organisations. However, the possibilities for network intrusion, and also the options for securing against them, are more diverse once WLAN networks are deployed. Adding Wi-Fi in a plant environment effectively multiplies the potential attack surface for a cyber adversary and should be well planned, and the extra cost of protecting the network taken into account.
A well-planned and structured strategy of deployment and cybersecurity protections can help to mitigate the risk associated with WLAN deployment in your plant. As always, cybersecurity expertise is rare in most industrial control system environments, and engaging an appropriate cybersecurity consultant — vendor based or independent — may well be crucial in making sure that all your wireless cybersecurity issues are covered.
- Institute of Electrical and Electronics Engineers, Inc. 2012, ANSI/IEEE 802.11-2012: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.
- US Department of Homeland Security 2016, Recommended Practice: Improving Industrial Control System Cyber Security with Defense-in-Depth Strategies.
Wireless networks have been creeping into process plants, factories and utilities for some time...
Wireless networks have been creeping into process plants, factories and utilities for some time...
Innovation is, of course, partly about technology. But it is also about massive improvements in...