Editor’s Note: Julia Santogatta, Belden’s director responsible for the wireless initiatives, with expertise from Daniel Wade, chief architect-wireless products and Jeffrey Caldwell, chief architect-security contributed to this two-part report. This is part 2 of a two-part series.
By Heather MacKenzie
Last week we talked about the Golden Rule of Industrial Wireless Security – Deploy Securely, Monitor Regularly. Following this rule ensures that unwanted access to your wireless LAN and the rest of your network does not occur.
But, how do you deploy securely? These days, most cyber security articles talk about using Defense in Depth, or a layered approach to securing industrial networks. This means using a variety of defenses at various points in the system to protect the network or contain threats. The idea of layering, and the resulting benefits, is no different in wireless applications.
By implementing measures to address these seven key questions you will be building layers of protection that contribute to the best practice of Defense in Depth. Let’s take a look at the questions in detail.
Question 1: Have I protected the network devices?
What are network devices? They include equipment such as switches, routers, access points and controllers. A wireless network should not impact the operation of these devices or the functioning of the wired network.
To ensure this, first and foremost, disable older, fairly unsecure configuration methods, like telnet, http and serial. Then, staying in the realm of the basics, make sure to change the configuration default passwords.
Once these fundamentals end up covered, the best way to protect network devices is to utilize varying levels of access to them. Various people, machines and other pieces of equipment should not have the same level of access.
This can happen by considering the use of access control lists via:
• Individual local databases on a device
• A central integrated or external RADIUS1 server
• Using TACACS+2 for authentication and authorization
Question 2: Have I protected my network from misconfigured devices and bad behavior?
Wondering what is a misconfigured device or bad behavior? A misconfigured device could be anything on the network – a PLC, a drive, an access point, a computer, etc. When any of these are reconfigured, an error could be introduced:
• An old version of the configuration file with an incorrect IP address or older WEP/WPA authentication is used
• Unintended changes to the traffic routing or security settings are made
Instead of trying to communicate as it did before, a misconfigured device introduces a security vulnerability or asserts bad behavior by trying to access a portion of the wired or wireless network where it doesn’t belong. Similarly, a device may have been infected with a virus (consider Windows XP vulnerabilities) and instead of communicating to the machine next in line, it attempts to get out to the World Wide Web.
In any of these scenarios, there is a need to prevent rogue devices or users from affecting the network. Turn on WPA2, the highest level of user authentication, to enable only legitimate wireless devices.
For those using EtherNet/IP, Modbus, PROFINET, UDP or other industrial protocols, the best bet is to implement the Layer 2 or Layer 3 firewalls that are built into most wireless access points. Consider using these to limit network traffic to just expected and accepted traffic types. You might also add an extra measure of authentication by using certificates on the devices.
Question 3: Are the authenticated, legitimate wireless users or devices safeguarded from other users or equipment?
Here, we are looking to protect ourselves from a user or machine that has no business being on our network or a portion of the network. Back to the basics. First, turn on encryption to keep prying eyes out. Then be sure to turn on Management Frame Protection (aka 802.11w) in both the Access Points (APs) and Clients to further protect your devices.
From there, look at the possibility of a “man-in-the-middle” attack. This is a scenario where a device intercepts communications between two legitimate parties and then masquerades itself in order to sniff data frames and scan for credentials and data.
A man-in-the-middle attack occurs by sending fake or “spoofed” address resolution protocol (ARP) frames to associate the attacker’s MAC address with the IP address of another network device. The ARP packet is your discovery packet to figure out who belongs to which IP address.
Activating IP spoofing protection (aka address examination) within the APs’ firewall, the controller’s firewall or an external firewall will help you identify malicious network changes.
Good industrial wireless products let you take advantage of both Management Frame Protection and IP spoofing protection.
Question 4: In cases where you are using a Wireless LAN Controller, ask yourself, “Have I protected the network between the access point and the controller?”
It is a good practice to segment the wireless traffic from the rest of the network if using a WLAN controller.
The easiest way to do so is turn on the functionality of a CAPWAP tunnel. This is a very simple tunneling method and is available on most wireless access points and controllers.
Alternatively, consider the use of a VPN (Virtual Private Network) to encapsulate and encrypt data between your access point and a central VPN concentrator.
Question 5: Can I recognize interference, “denial of service” or other “bad behavor?”
Ask yourself if your system is set up to recognize “denial of service” (DoS) attacks, air interference or other “bad stuff.” Whether someone or something is purposely trying to jam your network, or something has simply caused interference – you want to know about it. In a shared medium, things can happen.
When setting up your WLAN bridge or infrastructure, set yourself up for success by using a wireless intrusion detection system (WIDS). Within the WIDS, set up SNMP traps to notify you when access points go away and rogue access points are detected.
Once something is detected – for instance, a wireless connection to a security camera is jammed – the administrator will be alerted. WIDS will also automatically detect DoS attack points and notify interested staff by SNMP alerts, log messages and email.
Question 6: Have I handled legacy devices?
The reality is we all likely have some type of legacy device in our facility. It isn’t possible to update everything all the time. That wireless barcode scanner from seven years ago? Yeah, that’s the one. Having these devices is often the reality and that’s OK, just be sure to take note of it.
You may want to consider addressing a security gap here by:
• Using a Layer 2 or Layer 3 firewall to isolate these legacy devices
• Using a private PSK per device on a separate WLAN SSID
Question 7: Have I physically secured the wireless devices and the coverage areas?
Last, but not least, think though the physical aspects. Will your wireless LAN travel to areas you may not want it to? You’ll want to take this into consideration and possibly turn down the radio frequency (RF) transmit power on devices to limit coverage to just the area needed.
In extreme cases, you could also restrict the RF to required areas only by using RF shield tint on windows or RF paint on walls.
Beyond this, remember to ensure the authenticity of any users, access points or end devices, as previously discussed. This layers your security for added assurance, contributing to Defense in Depth.
Finally, basics once more, check that your cabinets and racks are locked and secure to prevent physical access.
Asking yourself the questions outlined above helps ensure you’ve thought through a secure deployment for your industrial wireless application. While it may seem that implementing wireless security is a large and complex task, modern industrial wireless equipment makes it easy to do.
Here is a summary of the key features to look for:
• Easy disablement of telnet, http and serial configuration methods
• Support of WPA2 authentication protocol
• Integrated Access Control List functionality
• Built-in Layer 2 and Layer 3 firewalls
• The ability to use certificates on devices
• The option to enable IP spoofing protection
• Support for standards-based 802.11w, Management Frame Protection functionality
• The support of CAPWAP tunnels and VPNs
• Inclusion of wireless intrusion detection functionality
Now, the most important part is to be sure to make use of these features as part of your layered strategy. Don’t forget to turn them on or implement them because they’re the good stuff that lets you sleep knowing your wireless application is secure.
Heather MacKenzie is with Tofino Security, a Belden company. Click here to view her blog.