Industrial Communication. Securing Industrial Wireless



Similar documents
How To Secure Wireless Networks

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Security Awareness. Wireless Network Security

How To Protect A Wireless Lan From A Rogue Access Point

WLAN Security Why Your Firewall, VPN, and IEEE i Aren t Enough to Protect Your Network

Link Layer and Network Layer Security for Wireless Networks

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Link Layer and Network Layer Security for Wireless Networks

Security in Wireless Local Area Network

Developing Network Security Strategies

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Recommended Wireless Local Area Network Architecture

Closing Wireless Loopholes for PCI Compliance and Security

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

The next generation of knowledge and expertise Wireless Security Basics

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

9 Simple steps to secure your Wi-Fi Network.

HANDBOOK 8 NETWORK SECURITY Version 1.0

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

Certified Wireless Security Professional (CWSP) Course Overview

Recommended IP Telephony Architecture

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS

m-trilogix White Paper on Security in Wireless Networks

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Ensuring HIPAA Compliance in Healthcare

Basics of Internet Security

NXC5500/2500. Application Note w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015

Configuring Security Solutions

Best Practices for Outdoor Wireless Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Designing a security policy to protect your automation solution

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

CISCO WIRELESS CONTROL SYSTEM (WCS)

THE IMPORTANCE OF CRYPTOGRAPHY STANDARD IN WIRELESS LOCAL AREA NETWORKING

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

The following chart provides the breakdown of exam as to the weight of each section of the exam.

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

United States Trustee Program s Wireless LAN Security Checklist

Particularities of security design for wireless networks in small and medium business (SMB)

SCADA SYSTEMS AND SECURITY WHITEPAPER

chap18.wireless Network Security

DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK

Wireless Security with Cyberoam

Enterprise A Closer Look at Wireless Intrusion Detection:

Securing your Linksys Wireless Router BEFW11S4 Abstract

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

THE 123 OF WIRELESS SECURITY AT HOME 家 居 WIFI 保 安 123

Wireless Local Area Network Deployment and Security Practices

Remote Access Security

Technical Brief. Wireless Intrusion Protection

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

Cisco Wireless Control System (WCS)

Wireless Networks. Welcome to Wireless

Implementing Security for Wireless Networks

Understanding WiFi Security Vulnerabilities and Solutions. Dr. Hemant Chaskar Director of Technology AirTight Networks

Design and Implementation Guide. Apple iphone Compatibility

WIRELESS NETWORKING SECURITY

Wireless (In)Security Trends in the Enterprise

Wireless Security: Secure and Public Networks Kory Kirk

Chapter 3 Safeguarding Your Network

CS 356 Lecture 29 Wireless Security. Spring 2013

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

Wireless Network Security

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices


White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

System 800xA Operations Operator Workplace Support for Mobile Devices

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Chapter 2 Configuring Your Wireless Network and Security Settings

"ASM s INTERNATIONAL E-Journal on Ongoing Research in Management and IT"

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

INFORMATION TECHNOLOGY. Revised May 07. Home Networking Guide

Wireless Intrusion Detection Systems (WIDS)

Domain 6.0: Network Security

Securing Cisco Network Devices (SND)

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

Wireless Local Area. Network Security

PCI Wireless Compliance with AirTight WIPS

Transcription:

Industrial Communication Whitepaper Securing Industrial Wireless

Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point... 5 Identity Spoofing... 5 Security Features... 6 Virtual Private Network... 6 Access Control List... 6 SSID Broadcast Suppression... 6 Rogue Access Point Detection... 6 Encryption/Authentication... 6 Embedded Firewalls... 7 Lancom Enhanced Passphrase Security (LEPS)... 7 Best Practices... 7 Conclusion... 7 2

Introduction Wireless technologies continue their expansion into industrial applications. In the past, security was one of the key issues hindering wireless growth. Industrial applications typically have more stringent security requirements than commercial networks as disruption of an industrial network can result in process shutdown, equipment damage, or loss of critical company data. Wireless networks are inherently less secure than wired networks as data is sent over the air, enabling easier access to data by malicious entities. Today, security is less of a concern due to the enhancements in security protocols. Wireless standards organizations and vendors have been incrementally enhancing security features within wireless products. This paper will provide a summary of security threats along with features and best practices designed to address security in industrial wireless applications. Source: RF/Microwave Industrial Wireless Monitoring and Control Products: Fore Discreet and Process Manufacturing March 2008. Venture Development Corporation. 3

Wireless Applications In commercial applications, wireless is typically implemented for convenience and cost savings. In industrial environments, wireless enables a variety of applications which can not be easily addressed with wires, including: Remote Locations Consider a drinking water application where a processing plant requires connectivity to a variety of remote wells, reservoirs, and pumping stations. Or a tank farm application where pressure, temperature a liquid levels are monitored. Or a scenario where connectivity is required on the other side of a river or highway. The cost of a wireless connection is trivial as compared to a wired connection in these scenarios. Moving Equipment Consider an application where instrumentation data is needed from a moving piece of equipment, like a rotating device, welding robot, or devices moving on a conveyor line. These applications are difficult to address with a fixed connection, in many cases making wireless connection the only effective option. Hazardous Equipment Access Consider connectivity to a device operating at medium or high voltage, or access to a device located at the top of a utility pole. Wireless provides a safe alternative to access such equipment. 4

Potential Threats Malicious entities attack wireless networks to: Utilize the internet connection The classic example of an individual using a neighbor s access point to access the internet for free. Individuals can also attempt to access corporate resources in the same manner. Accessing secure data A malicious entity accesses the network for the express purpose of gathering private company data. WLANs are often connected to wired networks. Many companies spend significant resources to secure their wired networks with extensive investments in firewalls, VPNs, and other security-enhancing technologies. Yet a malicious entity could circumvent the wired network security by accessing a wireless connection. Disabling the network A malicious entity attempts to prevent the monitoring or control of equipment by disrupting wireless communications. Techniques used by malicious entities to accomplish these objectives include denial of service attacks, eavesdropping, rogue access points and identity spoofing. Each type of attack will be briefly described below. WLANs can also create backdoors to wired networks. Many organizations spend thousands or millions of dollars on wired network security with extensive investments in firewalls, VPNs, and other security-enhancing technologies. A single unauthorized (rogue) wireless access point (WAP) connected to a wired network has the potential to create a backdoor to the wired network, circumventing the wired network security and thereby allowing a hacker to effortlessly gain access to a closed network. Denial of Service Denial of Service (DoS) attacks flood a wireless network with messages at either the network or transport protocol layers. The goal of a DoS attack is to disable a network by disrupting the communication between end points. Eavesdropping Data sent over a traditional LAN network is sent over wires. A hacker must connect to the network or have access to the wire to intercept data. In wireless networks, data is broadcast into the air, making it much easier to access. Eavesdropping is used to view data passing over the network and to gather authentication information to enable network access. This technique can be used to access the network, access data, or as a precursor to disable the network. Rogue Access Point A rogue access point is a wireless device that attempts to access a WLAN by posing as an access point or client belonging to the targeted network. Rogue access points are implemented to access secured areas of a network or to utilize a company s internet connection. A rogue access point can be consciously set up by a company employee or inadvertently created when device from an external entity happens to be in range of the targeted network and uses the same SSID and channel (default settings). Identity Spoofing Identity spoofing occurs when an attacker assumes the identity of an authorized user to access the network. One way that attackers gather password information is by setting up an access point in close proximity to the targeted network. The access point is designed to present the same authentication screen as the targeted network. Attackers are able to gather user information and passwords which are then used to access the targeted network. 5

Security Features Wireless standard organizations and equipment vendors have developed a variety of features to improve wireless network security. Major features available in products today are described below. Most security features can not individually provide 100% protection against malicious attacks. Enabling these features make it more difficult to access a network and increase the level of expertise required by a hacker to access the network. These features should be used in conjunction with other features and security policies to properly secure a network. Virtual Private Network One of the most used methods to insure secure wireless connections is running a VPN application over a wireless network. A VPN client application is needed on the wireless client to establish a connection to the network. The resulting connection is authenticated and encrypted. Access Control List An Access Control List (ACL) is a table of MAC addresses that a device is authorized to connect to. A device can not connect to devices not configured on its ACL. In larger configurations, the ACL can be administered by a centralized RADIUS server. SSID Broadcast Suppression The first step to connecting to a WLAN is viewing access points that are within range of a wireless device. Access points announce themselves to other wireless devices by transmitting their SSIDs. Wireless devices can be configured to suppress SSID transmission, preventing easy identification of the wireless network. Note that wireless networks can still be found using advanced tools even if SSID broadcast is suppressed, but it requires advanced tools/knowledge to do so. SSID broadcast suppression can be used in conjunction with a feature requiring nodes wishing to enter the network to supply the network SSID as part of the authentication process. Rogue Access Point Detection Many industrial wireless products come with the ability to detect rogue access points and clients. These products utilize background scanning to record neighboring wireless devices into a table. Devices in the table are designated as known, unknown, or rogue devices. Encryption/Authentication It is difficult to prevent access to wireless signals, thus, data must be encrypted to for proper protection. There are a variety of encryption techniques available to wireless products. The options are shown below in order of increasing encryption/authentication strength. Wired Equivalent Privacy (WEP) WEP provides a basic level of encryption that can be easily compromised by an experienced hacker. More advanced encryption protocols should be used in industrial applications. WiFi Protected Access (WPA/WPA2) Software based encryption method using dynamic keys. 802.11i Enhances security via a hardware accelerated encryption algorithm. 802.11x Enables authentication of every WLAN connection using Extensible Authentication Protocol (EAP). Requires advanced networking knowledge to implement. IPsec Enabling a VPN gateway in the access point utilizing IPsec protocol. 6

Embedded Firewalls Some access points feature embedded firewalls. Inclusion of a firewall within the product decreases deployment costs as it removes the requirement to deploy a separate firewall with the access point. Lancom Enhanced Passphrase Security (LEPS) LEPs utilizes an additional column in the ACL to assign a pass phrase to each MAC address. Connection to the access point requires both the correct MAC address and pass phrase. This feature makes it very difficult to spoof a MAC address Best Practices Network administrators should implement security policies along with security features to optimize network security. Policies designed to enhance WLAN security are provided below. Network access points should be positioned and arranged such that the useful signal strength is limited as far as possible to within the physically secured perimeter. Directional antennas can assist in forming wireless footprint. Place all access points and clients behind security gateways. Configure devices to limit communication to known wireless devices to prevent rogue access points. Utilize mutual authentication and per packet authentication techniques to hinder rogue access points. User name and password combinations should not be stored permanently on a machine. Users need to be prompted to enter their user name and password each time they access the network. Store user credentials such as certificates, private key pairs, and any confidential data on password protected machines. Mandating the use of strong passwords can prevent attackers from guessing user passwords. Utilize ACL or RADIUS servers for authentication. The ability to provision approved client should be restricted to key personnel. Do not utilize WEP encryption. Utilize a minimum of 802.11i or equivalent encryption. Utilize enhanced security (802.11x, IPsec) in more sensitive applications. Do not broadcast SSIDs to prevent network from showing up in wireless network scans. Also, do not enable ad-hoc connections. Monitor networks for denial of service attacks and alarm if detected. Implement firewall functionality on access points to provide access control of services and to differentiate user/group access. Utilize devices with rogue access point detection. Conclusion Wireless networks are required to cost effectively address a variety of applications not suitable for wired communication. Wireless products are utilized in industrial applications today, and deployment is projected to grow at more than 15% each year in the pending years. Selecting products with advanced security features coupled with the implementation of well defined security policies will enable the deployment of secure wireless networks in industrial applications. 7

> Make the most of your energy Schneider Electric Industries SAS 8 35, rue Joseph Monier Due to possible changes in standards and equipment, the features described in this document F-92500 Rueil-Malmaison in the form of text and images are subject to confirmation by Schneider Electric. FRANCE Written by: Dan DesRuisseaux

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information