Detection Strategies for Securing Wireless

Wednesday, October 14, 2015 @ 05:10 PM gHale

By Heather MacKenzie
Industrial wireless is seeing action to improve availability and reduce costs in a wide variety of applications.

The use cases go on: A large coal preparation facility uses a tablet application for mobile ICS system monitoring and troubleshooting.

An offshore drilling rig company uses it for wireless data collection.

An oil refinery uses it for remote monitoring of its cooling towers, reducing wear and tear on equipment and lowering monitoring expenses.

A transit network uses it to distribute system updates and to automatically retrieve trip data.

How are these industrial wireless applications secured? Part of the answer is to make sure to use products that have excellent security capabilities built-in. Another part is to follow ICS security best practices such as Defense in Depth. Both of these approaches were discussed in the first article in this series.

In this last part of the series, we look at another important industrial wireless security strategy – detecting attacks and anomalies.

WIDS to Detect Anomalies
In wireless applications, operations and communication happen automatically and are effectively invisible, even to network administrators. While this simplifies wireless network management, it also makes it difficult to recognize attacks and suspicious user behavior.

This is particularly true for industrial networks that provide machine-to-machine communication and operate autonomously over long timeframes. It is thus very important that an industrial WLAN solution quickly detects unusual transmissions before an attacker can affect plant operations.

The way to do this is to use wireless Access Points that include a Wireless Intrusion Detection System (WIDS). A WIDS detects and reports a wide range of suspicious behaviors such as whether an attacker:
• Scans for open networks
• Forges management frames
• Tries to disrupt network communication with forged authentication messages

The WIDS detects and records these behaviors and informs you of them by email or system log messages or simple network management protocol (SNMP) traps.

Intrusion detection can be very efficient in industrial networks because the network traffic patterns are usually predictable. This makes it easy to detect suspicious behaviors.
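The behaviors listed above can be spotted with simple per-source rate checks, precisely because industrial traffic is so predictable. The following is an added example (not code from the article or from any Hirschmann product) that runs such checks over a constructed capture of frame events and renders the hits as syslog-style messages; the frame subtypes, thresholds and MAC addresses are all assumed for illustration.

```python
from collections import defaultdict

# Frame subtypes a WIDS watches, mapped to the behaviour they indicate.
CATEGORY = {
    "probe_req": "SCAN",              # scanning for open networks
    "deauth": "FORGED_DISCONNECT",    # forged management frames that drop clients
    "disassoc": "FORGED_DISCONNECT",
    "auth": "AUTH_FLOOD",             # forged authentication messages
}
# Frames per one-second bucket from one source address before alerting.
# Assumed values; tune them to the site's baseline of predictable M2M traffic.
THRESHOLDS = {"SCAN": 10, "FORGED_DISCONNECT": 5, "AUTH_FLOOD": 5}


def detect(events):
    """events: iterable of (time_s, source_mac, frame_subtype).
    Returns sorted (second, source_mac, category, count) alerts.
    Fixed one-second buckets are simple, but a burst straddling a
    bucket boundary is split in two; use a sliding window if that matters."""
    counts = defaultdict(int)
    for t, src, subtype in events:
        cat = CATEGORY.get(subtype)
        if cat is not None:
            counts[(int(t), src, cat)] += 1
    return [(sec, src, cat, n) for (sec, src, cat), n in sorted(counts.items())
            if n >= THRESHOLDS[cat]]


def to_syslog(alert):
    """Render an alert as the kind of message a WIDS would send to syslog."""
    sec, src, cat, n = alert
    return f"WIDS {cat}: {n} frames from {src} in second {sec}"


def _burst(start, src, subtype, n, spacing=0.01):
    return [(start + i * spacing, src, subtype) for i in range(n)]


# Constructed sample capture (made up for this example, not real product output).
SAMPLE_EVENTS = (
    _burst(0.0, "02:00:00:00:00:01", "probe_req", 2)     # normal client probing
    + _burst(3.0, "02:00:00:00:00:99", "probe_req", 40)  # scanner: 40 probes in 1 s
    + _burst(7.5, "02:00:00:00:00:98", "deauth", 25)     # deauthentication flood
    + _burst(9.0, "02:00:00:00:00:02", "auth", 1)        # normal join
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(to_syslog(alert))
```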

Monitor Wireless Environment
Two dangerous situations for wireless networks involve not the protected company network itself but unsanctioned or counterfeit networks.

Rogue access points are access points that provide unsanctioned and insecure access to the production network. For example, an employee might connect his/her private wireless device to the wired network, thus creating an entry point for attackers.

Wireless Phishing, or WiPhishing, is when unauthorized access points are located near the industrial WLAN network in order to lure legitimate WLAN clients into a fake network. The fake access points use the same network name or service set identifier (SSID) as the industrial network, but often without password protection. This makes authorized devices vulnerable to disclosing sensitive data.

Both of these attacks stem from the same problem: Insufficient awareness of the wireless environment. A comprehensive, secure and reliable WLAN solution should provide rogue access point detection and wireless environment visualization.
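Rogue access point detection boils down to comparing what is heard on the air against an inventory of sanctioned radios. The block below is an added example (not the article's or any vendor's code) that classifies constructed beacon observations against an assumed inventory: an unknown radio advertising the plant SSID is WiPhishing (worse when it is open), an unknown radio with any other name is an unsanctioned AP to investigate, and a sanctioned BSSID advertising different settings than deployed is a configuration mismatch.

```python
# Sanctioned plant access points: BSSID -> (SSID, security). Constructed inventory.
SANCTIONED = {
    "02:aa:bb:00:00:01": ("PLANT-OT", "WPA2"),
    "02:aa:bb:00:00:02": ("PLANT-OT", "WPA2"),
}


def classify(observed, sanctioned):
    """observed: iterable of (bssid, ssid, security) from beacon scans.
    Returns one (bssid, ssid, verdict) tuple per observation."""
    plant_ssids = {ssid for ssid, _ in sanctioned.values()}
    findings = []
    for bssid, ssid, security in observed:
        if bssid in sanctioned:
            # Known BSSID: confirm it still advertises what we deployed.
            verdict = "OK" if sanctioned[bssid] == (ssid, security) else "CONFIG_MISMATCH"
        elif ssid in plant_ssids:
            # Unknown radio using the plant SSID: WiPhishing (evil twin).
            verdict = "WIPHISHING_OPEN" if security == "OPEN" else "WIPHISHING"
        else:
            # Unknown radio in range: unsanctioned AP, check whether it is on the wired network.
            verdict = "UNSANCTIONED_AP"
        findings.append((bssid, ssid, verdict))
    return findings


# Constructed beacon observations for the example.
OBSERVED = [
    ("02:aa:bb:00:00:01", "PLANT-OT", "WPA2"),
    ("02:aa:bb:00:00:02", "PLANT-OT", "WPA2"),
    ("02:c0:ff:ee:00:01", "PLANT-OT", "OPEN"),     # same name, no password
    ("02:c0:ff:ee:00:02", "Guest-Phone", "WPA2"),  # employee's private hotspot
    ("02:aa:bb:00:00:01", "PLANT-OT", "OPEN"),     # our BSSID, wrong security
]

if __name__ == "__main__":
    for bssid, ssid, verdict in classify(OBSERVED, SANCTIONED):
        if verdict != "OK":
            print(f"{verdict}: {ssid} from {bssid}")
```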

Secure Wireless Network Design

Diagram showing the key protection and detection tools needed to secure industrial wireless applications.

The diagram depicts all of the security functions grouped according to communication layers. Endpoints, the devices that actually run the industrial applications, are also indicated.

In some cases, endpoints can themselves be protected, but this depends on the type of endpoint. If they are industrial PCs for example, anti-virus software is useful. If they are embedded systems, however, it is not possible to enable additional security measures. Thus a comprehensive, reliable security strategy cannot rely on endpoint security. Instead, Defense in Depth is required.

There are options for securing WLANs against external and internal threats. Each security mechanism described serves a different purpose and should be used in conjunction with the others to create a holistic construction kit for ICS security. When these features are combined in an industrial network, the result is a highly effective Defense in Depth threat mitigation scheme.

Heather MacKenzie is with Tofino Security, a Belden company. Mark Cooksley is a product manager with Hirschmann Automation and Control and an expert on industrial cyber security. This article is from the White Paper “A Construction Kit for Secure Wireless” written by Dr. Tobias Heer. Dr. Heer is the manager of embedded software development and functions for our Hirschmann industrial networking group.