Deploying Wi-Fi LANs

Description

There is no need to take time retyping the questions, as your responses are the most important part; however, please do mark/number which questions you are answering.

Please read the instructions for assignments carefully and take time to review your work.

And perhaps most importantly, show all of your work and/or fully explain your answers. Remember, all work should be original and in your own words and/or sources properly cited.

Complete the following questions (show/explain all work):

1. A square building is 200 meters long and 200 meters tall. Draw a picture of the square area and the range (radius) of each access point. Don't forget to apply the number of access points in your drawing for three dimensions. Corners of the building do not have to be covered.
a. If each access point has a service radius of 100 meters, how many wireless access points would you need?
b. If each access point has a range of 50 meters, how many wireless access points would you need?
2. Create a policy for 802.11 Wi-Fi security in your wireless network at home. Please be complete and thorough with this policy. Make it a document for people in your organization to read.
3. Create a policy for 802.11 Wi-Fi security in a wireless network in a 500-employee company with a 47-access point WLAN. Please be complete and thorough with this policy. Make it a document for people in your organization to read.
4. When you set up an 802.11n (2.4GHz) wireless access point in your small business, your aggregate throughput is only about 6 Mbps.
a. List at least three possible reasons for this low throughput.
b. Using the list created in part a, describe how you would test each cause.
c. Describe what you would do if each cause proved to be the problem.
d. What recommendations would you implement to make this wireless network more reliable?
5. Referencing the book chapters, use the article "Wi-Fi in plant environments: Convenience vs. risk" (attached) and other online sources to answer the following questions:
a. Describe the primary differences between WEP, WPA, and WPA2 protocols.
b. Describe how algorithms enhance the security of the above protocols.

Unformatted Attachment Preview

inside process

Wi-Fi in plant environments: Convenience vs. risk

Wireless Ethernet is everywhere, including your manufacturing areas. It’s a great convenience, but are you protecting it adequately?

Wi-Fi is everywhere, in our homes, offices, and even plant environments. It is now the backbone of communication and has supplanted traditional wired Ethernet for most Internet-related traffic. It has also supplanted cellular-based communication in many instances due to lower costs, higher performance, and better security. While Wi-Fi may be ubiquitous, it seems like few truly understand how it works, or how to provide secure communication. Personal experiences working in a variety of manufacturing contexts have shown this is particularly true in process plants. How did we get to this point?

Wi-Fi history

Strictly speaking, Wi-Fi is a wireless local area network (LAN) using IEEE 802.11 standards and the specific name is owned by the Wi-Fi Alliance. IEEE (Institute of Electrical and Electronics Engineers) published the 802.11b standard in 1999, providing the first practical mechanism to transmit data wirelessly at the relatively fast rates (at least at that time) of 1 to 2 Mbps. It achieved broad adoption very quickly as most prior data connections were wired. Before Wi-Fi, wireless communications were usually based on proprietary analog radio protocols and were slow, chugging along at 9,600 bps, or to put it in a more directly comparable format, 0.0096 Mbps, which meant Wi-Fi was more than 100 times faster. Moreover, older systems had few data integrity protocols built-in, requiring the user to add those functions. For industrial applications, Wi-Fi created the potential to implement sophisticated high-speed communication, although the end devices still typically used proprietary serial protocols.

Security at this point was not much of an issue. Communication was largely point-to-point using Modbus remote terminal unit (RTU) or something similar.
While a hacker might have wanted to disrupt a control system to make a point, there was probably little in the way of data worth stealing.

Evolving technology

As PCs and other information technologies (IT) became more common in industrial automation, Ethernet made the move to the plant floor. Ethernet using Transmission Control Protocol/Internet Protocol (TCP/IP) became the norm, but still with a proprietary industrial protocol over it, such as EtherNet/IP, Modbus TCP/IP, Profinet, or another. These were much like the traditional IT networks, and the enterprise-level networks were becoming ever more connected to the industrial networks, bridging the air gap which kept the industrial side isolated. It was now possible to create a direct path from the lowest-level field device up to the business networks.

Stealing data from industrial networks was now easier because hackers could use the same methods learned in IT networks, but in most environments there was little worth stealing. Hackers did recognize that industrial networks were often less secure than enterprise IT networks. They could use the same channels established to move manufacturing data to management-level IT systems and making such a move was usually pretty simple.

Moving Wi-Fi to the plant

In most industrial environments, Wi-Fi deployments started popping up to solve specific application problems. Generally, they were simple point-to-point communication links where wiring was impractical or too expensive. The new technology was used in place of older proprietary systems because it was cheaper and easier to work with. Corporate IT folks usually had no idea what was going on, although these new plant networks might show up on listings of available networks if a wireless network scan was performed.

Early Wi-Fi networks had provision for security, but usually the default was to leave the network unsecured to avoid having to bother with passwords.
Prior to 2003, the available system was wired equivalent privacy (WEP), which was included in the original IEEE 802.11 standard and aimed at consumer markets (see Table 1). It was probably good enough to keep the neighbors out of home networks, but tools for breaking it quickly emerged.

By 2003, Wi-Fi protected access (WPA) emerged using temporal key integrity protocol (TKIP). It was much better and replacing TKIP with advanced encryption standard (AES) was yet another improvement. But before long those were broken as well. In 2006, the problem was largely solved with the introduction of WPA2. It used AES and added counter cipher mode with block chaining message authentication code protocol (CCMP) as a replacement for TKIP. Even this proved possible to break, although getting through it required a great deal of time and effort and simply wasn’t practical for most hackers.

Photo caption: Here is a typical industrial router as you might see installed in your plant. Is it the latest version? Or is it one that’s been there for many years and cannot be secured adequately to keep your network safe? This one is a current design, but can you tell the difference just by looking? Courtesy: Moxa

Key concepts
• Wi-Fi adds many ways to communicate, but also introduces new potential attack vectors.
• Securing networks is not difficult, but it requires diligence from those installing the hardware.

CONTROL ENGINEERING JULY 2015 ● www.controleng.com

Table 1: IEEE 802.11 security approaches
Time used | Protocol | Effectiveness
1999 to 2003 | WEP | Easy to break using common tools
2003 to 2006 | WPA with TKIP or AES | Better, but can be penetrated
2006 to present | WPA2 with AES and CCMP | Very difficult to penetrate

Sloppy security practices

So WPA2 solves the hacker problem, at least technically, but not always in practice. Most Wi-Fi routers have provision for backwards compatibility so a user can configure the security settings using one of the earlier techniques.
A high-quality industrially hardened router can operate for many years even in a tough plant environment, so it’s common to find hardware installed in 2002 still working today. Unfortunately, a 12-year-old router only offers one security setting, WEP, because it was the only setting available when it was built.

Many of the people installing this hardware in the plant are maintenance people, not the IT department. They install a new router and configure it for WEP to match the existing hardware, not realizing the differences in security capabilities. Security is security, right? The network shows up as secure on the available network list, so we’re covered, right?

Some wireless connections aren’t even installed by the company. Service people working in a plant might plug a wireless router into a PLC or Ethernet process network to help solve a troubleshooting issue. Companies with a strong security culture prohibit this kind of thing, but in many firms it’s a common occurrence. A conscientious technician will make sure the device is removed when the work is done, but if one is left behind, few technicians will make any special effort to retrieve it. Long after the job is done it may remain, still connected and unsecured. If a hacker discovers this small and vulnerable network, a new means of entry has just been provided, potentially to the entire company IT infrastructure.

Why security is so important

A hacker trying to break into a company network is going to choose the path of least resistance, and an unsecured or minimally secured wireless network in a process plant is a prime target. The main constraint for the hacker is getting close enough to the plant to pick up the radio signal. Since most transmitters carry beyond the fence line this might be inconvenient, but is probably not a serious limitation.

What needs protection on plant networks?

One of the common discussions relating to cyber security is the necessity of protecting sensitive manufacturing data.
Information coming from the plant in some situations can indeed be very valuable if it involves critical CNC programming for aircraft parts or closely guarded chemical processes. However, the data available in most manufacturing operations such as reactor temperatures or how many pieces came out of a stamping press in a shift will not be valuable enough to steal. So why do hackers break into industrial networks?

Some hackers simply want to disrupt production one way or another; shut off a critical piece of equipment, delete the program from a PLC, or open the wrong valve to create an environmental mishap. These may be possible, but it’s important to keep the situation in perspective. Under the worst circumstances, what is it possible for a cyber criminal to do?

If the control systems in a plant can be operated in such a way to create a health or safety issue, those systems are designed badly and should be reevaluated. This may seem shocking, but if plant operators working in the control room or cyber criminals coming in from outside can create a truly threatening situation and safety systems cannot transition the plant to a safe state, there is something drastically wrong. In a properly designed control system, a hacker might be able to create immediate problems but nothing that would leave long-lasting effects.

This concept of proportionality, however, is not an excuse to leave plant-level networks unprotected, especially wireless ones. A cyber security defense plan should reflect the value of what it’s protecting. The safety aspects of a properly designed control system should be virtually impossible to disrupt, either through intentional efforts or human error.

If a hacker can only reach an isolated plant network, the amount of potential damage should be limited (see sidebar).
The more serious problem is when a successful invasion of the plant network provides a path into corporate IT networks, where far more valuable data is stored. The connection between a plant network and corporate networks normally allows for data to flow up the chain. Downward flow should be limited to avoid any possibility of someone in an office meddling with settings in the plant and to protect against hackers moving into the plant from corporate networks. But some companies either want or need to have communications in both directions, for example to download desired production instructions.

Most corporate IT groups will place barriers between the IT and plant networks, typically firewalls, a demilitarized zone (DMZ), or point server, to control what passes back and forth. But as mentioned, these are normally far more concerned about traffic going down from IT to the plant and may not be as vigilant when monitoring communications in the other direction.

Table 2: Critical Wi-Fi protections
• Replace any Wi-Fi router manufactured before 2006
• Configure all networks with WPA2 security
• Use strong passwords
• Manage passwords

Moreover, unless individuals responsible for configuring these systems have a high level of familiarity with industrial networks and common manufacturing hardware, the rules controlling the traffic are rarely configured as they should be. So if a hacker wants to invade the larger system via a plant Wi-Fi network, he often only needs to get physically close enough to establish communication. If he manages to move up to the corporate networks and is skilled, he might be able to create a door and go in via the Internet on subsequent visits.
If IT security is too tight to create a new opening, the user might have to install a small device near the plant capable of communicating with the Wi-Fi network and then send the information to a more convenient location using a cellular connection. In any case, there are multiple ways to establish a more permanent foothold in the corporate networks via Wi-Fi networks.

What’s the solution?

Fixing the problem requires diligence and plant personnel need to pay attention. Here are some recommended procedures (see Table 2):

• Replace any Wi-Fi router manufactured before 2006. Older routers may be working perfectly well but if they do not support WPA2 security they should be replaced with current units. Moreover, just because a unit was made in 2006 does not necessarily ensure it can support WPA2, so verify that this capability exists.

• Configure all networks with WPA2 security. When all routers are equipped with WPA2 make it your default security protocol and enforce it for all routers.

• Use strong passwords. Routers need to be set up with passwords, and they must be effective passwords. Critical elements are length and variety. The more characters of different types, the better, with a minimum of 16 characters. Including numerals and symbols can help, but the sheer number of characters matters the most. Creating phrases can help: “MyHouseHasPurpleShutters” has 24 characters, but is still easy to remember and type.

• Manage passwords.
A password won’t help if it’s on a slip of paper taped to the router. All passwords should be written down on paper and kept somewhere outside the plant. Someone in the office should have it in a secure file cabinet. Password management must include changing passwords and logins immediately when an employee with knowledge of passwords leaves the company. Don’t wait until a more convenient time; change the passwords as soon as the employee leaves. A disgruntled employee is far more dangerous than the most skilled hacker because he or she could have intimate knowledge of how everything works and how things are configured. A former employee with grievances providing guidance to a skilled hacker is the worst possible combination.

These security measures are effective, simple to implement, inexpensive, and can be carried out by plant personnel without bringing IT people into the process. When the people responsible for plant Wi-Fi and other networks can maintain an appropriate level of security, they are making an important contribution to the company.

- Bruce Billedeaux, PE, is a senior consultant for Maverick Technologies; edited by Peter Welander, content manager, Control Engineering, pwelander@cfemedia.com.
Go Online: Read the Real World Engineering blog at www.controleng.com/blogs

www.mavtechglobal.com

Copyright of Control Engineering is the property of CFE Media and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
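
The four Table 2 checks from the article above, applied to an access-point inventory. This is an added example, not part of the original article or assignment; the inventory fields, device names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MIN_PASSPHRASE_LEN = 16   # article: minimum of 16 characters
WPA2_INTRODUCED = 2006    # article: replace routers made before 2006


@dataclass
class AccessPoint:        # hypothetical inventory record
    name: str
    manufactured: int     # year of manufacture
    supports_wpa2: bool   # verified on the device, not inferred from the year
    configured_mode: str  # "OPEN", "WEP", "WPA" or "WPA2"
    passphrase_len: int   # record the length only, never the passphrase
    passphrase_changed: date
    last_departure: Optional[date]  # last exit of anyone who knew the passphrase


def audit(ap: AccessPoint) -> List[str]:
    """Return the Table 2 findings for one access point (empty = compliant)."""
    findings = []
    if ap.manufactured < WPA2_INTRODUCED:
        findings.append("replace: manufactured before 2006")
    if not ap.supports_wpa2:
        # A 2006-or-later build date does not guarantee WPA2 support.
        findings.append("replace: hardware cannot support WPA2")
    elif ap.configured_mode != "WPA2":
        # Typical cause: new unit set to match older hardware on the floor.
        findings.append(f"reconfigure: {ap.configured_mode} in use, WPA2 available")
    if ap.configured_mode != "OPEN" and ap.passphrase_len < MIN_PASSPHRASE_LEN:
        findings.append(
            f"passphrase: {ap.passphrase_len} chars, need {MIN_PASSPHRASE_LEN}")
    if ap.last_departure and ap.passphrase_changed < ap.last_departure:
        findings.append("passphrase: not changed since a departure")
    return findings


def audit_inventory(aps: List[AccessPoint]) -> Dict[str, List[str]]:
    return {ap.name: audit(ap) for ap in aps}


# Constructed sample inventory.
INVENTORY = [
    AccessPoint("press-line-ap", 2002, False, "WEP", 10,
                date(2010, 3, 1), date(2014, 6, 30)),
    AccessPoint("packaging-ap", 2006, False, "WPA", 24,
                date(2015, 1, 10), None),
    AccessPoint("lab-ap", 2013, True, "WEP", 24, date(2015, 2, 1), None),
    AccessPoint("office-ap", 2014, True, "WPA2", 24,
                date(2015, 7, 1), date(2015, 6, 30)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or "compliant")
```
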

Explanation & Answer

Attached.

Running head: WIRELESS ACCESS POINTS

Wi-Fi
Name:
Institution:
Course name, title & code:
Date:

1a) four access points.

B) 10 access points.

WIRELESS LAN SECURITY POLICY
FOR HOME WIRELESS NETWORK
DATE

Purpose
This policy hereby gives a specification of the conditions that must be met to enable any
wireless device to connect to this home network. Only devices that have met the criteria
specified by this policy or those that have received a waiver from the management are allowed to
connect.
Scope
The policy covers all the data communication devices connected to this network physically or
through wireless means. This policy does not, however, include any devices not connected to this
network.

Registration of access points
Every wireless point of access connected to this network has to be registered and must have
approval from the managers of the LAN. These access points are subject to occasional auditing
and various testing.
Approved technology
All hardware used in the implementation of connection must have been certified by WI-FI as
a device configured to use the most recent security protocol.
Physical location
Every device is under 24-hour CCTV security surveillance that’s part of the home security
system. The router and the hub will have to be located within the living room as an additional
security measure.
Configuration
The default SSID is to be changed to a personalized one in every access point. The default
administrator username and password is also to be changed for every acc...

