This 13-page white paper provides an introduction to wireless data communication systems, security issues and strategies to thwart breaches of devices and networks. The paper identifies security intrusions and denial of service as the main security challenge for all plant and factory environments. Baseline network and security strategies are explored in the research, along with information on a typical wireless network—Grant Gerke, Digital Managing Editor
A good network security strategy needs to define and implement policies that serve as safeguards: they make the security measures difficult to circumvent and limit the potential impact of a breach of the wireless network. Consider the following added layers of security.
Limitation of Permitted Activities
One method to implement safeguarding is to limit permitted activities on the wireless network to only those absolutely required on the network. The basic idea is that if a wireless network were to be compromised, the impact would be limited. In other words, a wireless network primarily used for sensor data collection and remote control of devices should not allow a hacker that compromised the network to gain access to financial or other critical data.
Such a limitation of permitted activities can be achieved through the following:
1. Firewalls and packet filters: These enforce the restricted set of activities permitted on the wireless network and keep it separate from what is allowed on the other parts of the network.
2. Virtual local area network (VLAN): Separating the wireless network infrastructure and its management from the production network and the communication endpoints by using VLANs introduces another level of security, especially if combined with Quality of Service (QoS) mechanisms. Think of it as emergency access to your wireless network infrastructure for remote management and control in case a Denial of Service (DoS) attack overwhelms the actual payload and production network.
3. User level access: By implementing user-level access (password protected), you can give, for example, maintenance personnel access to your wireless infrastructure and devices that is limited to monitoring system health or performance, without opening the system up to misuse or sabotage, because configuration and other privileges are reserved for a different user level and password.
4. Access limitation of local ports: By controlling who is allowed access from local ports (e.g. through MAC address filtering), or even turning local port access off completely when it is not in use, you can make it impossible (or at least very hard) for someone who has gained physical access to your network infrastructure and devices to connect and gain access to your network.
5. Audit logs: These do not actually limit permitted activities, but activity logs provide a trail of access and activities and are a useful tool in auditing and tracing potential security breaches and issues.
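The following is an added example, not code from the white paper or from FreeWave: a small allowlist policy engine that ties together the principle from the sensor-network paragraph above (a compromised sensor segment must not reach financial or other critical data) with list items 1, 2, 4 and 5. The VLAN numbers, MAC addresses, IP ranges and ports are constructed sample values; the historian on TCP/502 (Modbus/TCP) and the management host on TCP/22 (SSH) are assumed for illustration. Every decision is written to an audit trail so that a denied cross-segment attempt can be traced later.

```python
"""Allowlist packet filter for a sensor-collection wireless segment (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample segmentation (hypothetical values, not from the paper).
SENSOR_VLAN = 20   # payload: sensor data collection and device control
MGMT_VLAN = 99     # separate VLAN for managing the wireless infrastructure


@dataclass(frozen=True)
class Flow:
    ingress_port: str   # physical port the frame arrived on
    src_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    vlan: int
    dst_net: ipaddress.IPv4Network
    proto: str
    dst_port: int
    comment: str


# 1./2. Packet filter per VLAN: allowlist only; anything not matched is dropped.
ALLOW_RULES: List[Rule] = [
    Rule(SENSOR_VLAN, ipaddress.ip_network("10.20.0.10/32"), "tcp", 502,
         "sensor segment -> historian (Modbus/TCP), assumed port"),
    Rule(MGMT_VLAN, ipaddress.ip_network("10.99.0.0/24"), "tcp", 22,
         "maintenance -> radio management over SSH, assumed port"),
]

# 4. Local port control: MAC allowlist per port; a port absent here is switched off.
PORT_MAC_ALLOWLIST: Dict[str, Set[str]] = {
    "eth1": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},   # sensor radios
    "eth9": {"aa:bb:cc:00:00:99"},                        # management console
}

# 5. Audit log: every decision is recorded so breaches can be traced afterwards.
AUDIT_LOG: List[str] = []


def _log(flow: Flow, action: str, reason: str) -> str:
    AUDIT_LOG.append(
        f"{action} vlan={flow.vlan} {flow.src_mac} {flow.src_ip}->"
        f"{flow.dst_ip}:{flow.dst_port}/{flow.proto} via {flow.ingress_port}: {reason}"
    )
    return action


def evaluate(flow: Flow) -> str:
    """Return 'ALLOW' or 'DENY' for one flow and record the reason in AUDIT_LOG."""
    permitted_macs = PORT_MAC_ALLOWLIST.get(flow.ingress_port)
    if permitted_macs is None:
        return _log(flow, "DENY", f"port {flow.ingress_port} is administratively disabled")
    if flow.src_mac.lower() not in permitted_macs:
        return _log(flow, "DENY", f"mac {flow.src_mac} not permitted on {flow.ingress_port}")
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in ALLOW_RULES:
        if (rule.vlan == flow.vlan and dst in rule.dst_net
                and rule.proto == flow.proto and rule.dst_port == flow.dst_port):
            return _log(flow, "ALLOW", rule.comment)
    return _log(flow, "DENY", "no matching allow rule (default deny)")


# Constructed sample traffic: one legitimate sensor flow, one attempt from the
# sensor segment to reach a file server on the business network, a rogue MAC,
# a frame on a switched-off port, a management session, and a sensor trying SSH.
SAMPLE_FLOWS = [
    Flow("eth1", "aa:bb:cc:00:00:01", SENSOR_VLAN, "10.20.0.101", "10.20.0.10", "tcp", 502),
    Flow("eth1", "aa:bb:cc:00:00:01", SENSOR_VLAN, "10.20.0.101", "10.30.0.5", "tcp", 445),
    Flow("eth1", "de:ad:be:ef:00:01", SENSOR_VLAN, "10.20.0.150", "10.20.0.10", "tcp", 502),
    Flow("eth2", "aa:bb:cc:00:00:01", SENSOR_VLAN, "10.20.0.101", "10.20.0.10", "tcp", 502),
    Flow("eth9", "aa:bb:cc:00:00:99", MGMT_VLAN, "10.99.0.50", "10.99.0.5", "tcp", 22),
    Flow("eth1", "aa:bb:cc:00:00:02", SENSOR_VLAN, "10.20.0.102", "10.99.0.5", "tcp", 22),
]


def run_sample() -> List[str]:
    """Evaluate the constructed flows in order and return the list of decisions."""
    AUDIT_LOG.clear()
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    run_sample()
    for line in AUDIT_LOG:
        print(line)
```

The second and sixth flows are the ones the paragraph above is about: a device on the sensor VLAN can reach the historian but neither the business-side file server nor the management SSH port, because no allow rule exists for that VLAN and destination, and the denial leaves an audit record naming the source MAC and ingress port.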
This is by no means a complete list of options to secure a data communication network, although it does provide a good baseline. When considering wireless data communication devices and equipment for critical infrastructure applications, find out if they only provide basic connectivity, or if they support these advanced features and even Secure Shell (SSH) for their own configuration menus.
Link to the full version of this white paper at bit.ly/awtech006
This white paper was written by Matthias H. van Doorna, FreeWave Technologies.
Publication Date: July 2010