Wi-Fi communications in ICS

Updated on 06/06/2024
Author
INCIBE (INCIBE)

The implementation of wireless networks in industrial environments solves interoperability problems between devices but, as always happens when new elements are added to the ecosystem, new problems may arise that must be taken into account. In the case of Wi-Fi communications, cybersecurity is not the only concern: the availability of the deployed networks themselves also matters. Given that deployments take place in industrial settings (warehouses, links between control posts and machines, devices installed by suppliers or maintainers to carry out their tasks, etc.), certain aspects need to be controlled, such as:

  • The range performance of the access point broadcasting the Wi-Fi network. This is the maximum distance over which a client device can maintain a stable and reliable Wi-Fi connection to the wireless access point. Although it is rare to find Wi-Fi networks that allow direct access to industrial networks, they are sometimes detected and may be reachable even from outside the organisation's premises. Given that technology is constantly changing, as are the offensive techniques applied to it, it is recommended that the range of action that the access point has is controlled to avoid possible continuous attacks on the networks.
  • Working bands and available channels: industrial environments are usually characterised by the large number of technologies present in the same space, so it is necessary to control the frequency bands in which communication technologies operate and the other elements that may influence them. At Wi-Fi level, it will be necessary to control the 2.4 GHz band, which has 13 channels, and the 5 GHz band, which offers more channels than the 2.4 GHz band, reaching a total of 25 available channels. It is also important to take into account the geographical region where the Wi-Fi technology is deployed since, for example, in the United States only 11 of the channels in the 2.4 GHz band are used, because regulatory restrictions limit the use of channels 12 and 13.
  • Signal losses due to a number of elements present in the industrial plant where Wi-Fi networks are deployed. Some of these elements are:
    • Distance between the access point and the assets interacting in the Wi-Fi network. The further away a client device is from the access point (device generating the Wi-Fi network), the weaker the Wi-Fi signal and the more prone it is to a loss in communications.
    • Physical obstacles, such as walls, industrial machines, mobile elements, etc. present in industrial plants that can attenuate the Wi-Fi signal, causing signal loss.
    • Electromagnetic interference: the number of devices present in an industrial plant that may operate in the same frequency band, such as barcode scanning guns, video transmission devices inside machines for production analysis, etc.
    • Internal interference problems: faulty electronics or malfunctioning components within the access point asset or client device can cause internal interference and loss of signal. This point is of interest as production or plant floor managers are often confronted with hardware-related issues that have an impact at the logical level.

There are more issues related to the deployment of Wi-Fi communications in industrial environments, but the points discussed cover the main issues.
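The channel and range considerations above can be made concrete with a small calculation. The following script is an added example, not code from the INCIBE article: it lists the 2.4 GHz channels permitted under two regulatory domains (ETSI for Europe, FCC for the United States, as the text describes), derives a non-overlapping channel plan, and uses the free-space path-loss formula to estimate how far an access point's signal reaches for a given transmit power, client sensitivity and obstacle attenuation. The regulatory table, the 25 MHz spacing rule and all numeric inputs are assumptions chosen for illustration, and the range figure is an idealised free-space upper bound; real plant floors with machinery and walls attenuate far more, which is exactly why the article recommends measuring and controlling the actual coverage.

```python
"""Added example (not part of the INCIBE article): 2.4 GHz channel planning under a
regulatory domain plus a free-space link-budget estimate of access-point reach."""
import math

# 802.11 2.4 GHz channels: the centre of channel n is 2407 + 5*n MHz (n = 1..13).
# Availability per regulatory domain, as the article notes: ETSI (Europe) permits
# channels 1-13, FCC (United States) only 1-11. Assumed table for illustration.
REGULATORY_2G4 = {"ETSI": range(1, 14), "FCC": range(1, 12)}

# Constant 20*log10(4*pi/c) for d in metres and f in MHz.
_FSPL_CONSTANT_DB = -27.55


def channel_centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    return 2407 + 5 * channel


def allowed_channels(domain: str) -> list[int]:
    """Channels an access point may legally use in the given regulatory domain."""
    return list(REGULATORY_2G4[domain])


def disallowed_channels(domain: str) -> list[int]:
    """Channels that a device set to the wrong domain might use illegally."""
    allowed = set(allowed_channels(domain))
    return [ch for ch in range(1, 14) if ch not in allowed]


def non_overlapping_plan(domain: str, min_spacing_mhz: int = 25) -> list[int]:
    """Greedy selection of channels whose centres are at least min_spacing_mhz apart.
    25 MHz (five channel numbers) is the classic rule that yields 1/6/11; with
    20 MHz OFDM channels a 20 MHz spacing gives 1/5/9/13 where channel 13 is allowed."""
    plan: list[int] = []
    for ch in allowed_channels(domain):
        if not plan or channel_centre_mhz(ch) - channel_centre_mhz(plan[-1]) >= min_spacing_mhz:
            plan.append(ch)
    return plan


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """FSPL = 20*log10(d) + 20*log10(f) + 20*log10(4*pi/c), d in m, f in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) + _FSPL_CONSTANT_DB


def max_range_m(tx_power_dbm: float, rx_sensitivity_dbm: float, freq_mhz: float,
                obstacle_loss_db: float = 0.0, antenna_gain_dbi: float = 0.0) -> float:
    """Largest distance at which the received level still meets the client's
    sensitivity: solve  tx + gain - obstacles - FSPL(d) >= sensitivity  for d."""
    budget_db = tx_power_dbm + antenna_gain_dbi - obstacle_loss_db - rx_sensitivity_dbm
    return 10 ** ((budget_db - _FSPL_CONSTANT_DB - 20 * math.log10(freq_mhz)) / 20)


def leaves_premises(range_m: float, distance_to_perimeter_m: float) -> bool:
    """True when estimated coverage extends beyond the site boundary, i.e. the
    exposure to proximity attacks that the article asks operators to limit."""
    return range_m > distance_to_perimeter_m


if __name__ == "__main__":
    for domain in REGULATORY_2G4:
        print(domain, "allowed:", allowed_channels(domain),
              "plan:", non_overlapping_plan(domain))
    # Assumed inputs: 20 dBm AP, -70 dBm client sensitivity, channel 6, 15 dB of walls.
    clear = max_range_m(20, -70, channel_centre_mhz(6))
    walls = max_range_m(20, -70, channel_centre_mhz(6), obstacle_loss_db=15)
    print(f"free-space reach {clear:.0f} m, with 15 dB obstacles {walls:.0f} m")
    print("leaves a 150 m perimeter in free space:", leaves_premises(clear, 150))
```

Reading the output the other way round is the defensive use: if the perimeter is 150 m away and the free-space estimate exceeds it, lower the transmit power or move the access point until a site survey confirms that the signal no longer escapes the premises.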

Protection measures and best practices

When protecting Wi-Fi networks from potential attackers in industrial environments, it will be necessary to bear in mind a series of characteristics related to the tuning of the Wi-Fi communications standard, the configuration of the devices present in the network itself and the environment surrounding all of the above. The following good practices are recommended:

  • Team coordination: have internal procedures to inform those responsible, both in the plant and in other departments, of the deployment to be carried out. It is common for suppliers or industrial maintainers to carry out a deployment with only one contact in the industrial organisation, but that contact may not be the only person who should be aware of it. The underlying point is that an environment that is not known cannot be adequately protected.
  • Control at the range level: restricting the range of the Wi-Fi network so that it does not propagate beyond the industrial premises will allow the organisation to prevent proximity attacks. This attack vector is covered in the MITRE ICS matrix, as the Initial Access tactic and the Wireless Compromise technique (ID: T0860). A real example of this attack vector can be found in the article 'Threats in Industrial Control Systems' (Maroochy water treatment plant).
  • Cybersecurity at the protocol level: applying robust encryption that is supported by all the assets involved in the Wi-Fi communication will allow information to be exchanged securely. Although Wi-Fi technology comes from the world of information technology, the cybersecurity problems known from that area carry over directly to deployments in the industrial sector.
  • Hardening of the assets present in the Wi-Fi network: both in the device that acts as an access point and in the industrial devices that connect to the network, it will be important to harden the configuration and communications. Some security configurations, such as MAC filtering or SSID (network identifier) masking, can give a false sense of security as there are widespread techniques to bypass these restrictions. In addition, the installation of devices that function as access points must be controlled as the management of the device can be compromised, both wired and wireless, if access is not filtered and restricted.
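The protocol-level and hardening recommendations above translate into concrete access-point settings. The following script is an added example, not code from the INCIBE article or from the hostapd project: it parses a hostapd-style `key=value` configuration and flags the weak settings the text warns about (legacy or absent encryption, WPS, unprotected management frames, a single pre-shared key shared by every plant device, and the SSID-hiding and MAC-filtering options that only give a false sense of security). Both sample configurations are constructed for the example; the RADIUS address in the hardened one is a placeholder, and the severity labels are the author's own choice.

```python
"""Added example (not INCIBE's or hostapd's code): audit a hostapd access-point
configuration for the weak settings discussed in the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # CRITICAL / HIGH / MEDIUM / INFO (labels chosen for this example)
    key: str        # hostapd option that triggered the finding
    message: str


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse 'key=value' lines; '#' comments and blank lines are ignored.
    A later duplicate key overwrites an earlier one, which suffices for an audit."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf: dict[str, str]) -> list[Finding]:
    """Return the weaknesses found in an access-point configuration."""
    findings: list[Finding] = []
    wpa = int(conf.get("wpa", "0"))                      # hostapd default: no WPA
    if wpa == 0 or any(k.startswith("wep_key") for k in conf):
        findings.append(Finding("CRITICAL", "wpa",
                                "open or WEP network: traffic can be read and forged by anyone in range"))
    if wpa & 1:
        findings.append(Finding("HIGH", "wpa",
                                "WPA (v1) allowed: legacy handshake; set wpa=2 for WPA2/WPA3 only"))
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(Finding("HIGH", "rsn_pairwise",
                                "TKIP cipher enabled: deprecated, allow CCMP (AES) only"))
    mgmt = conf.get("wpa_key_mgmt", "").split()
    if mgmt and all(m.startswith("WPA-PSK") for m in mgmt):
        findings.append(Finding("MEDIUM", "wpa_key_mgmt",
                                "one pre-shared key for every PLC, HMI and supplier device; "
                                "prefer 802.1X (WPA-EAP) or at least SAE"))
    if conf.get("ieee80211w", "0") != "2":
        findings.append(Finding("MEDIUM", "ieee80211w",
                                "management frame protection not required: forged "
                                "deauthentication frames can take clients offline (availability)"))
    if conf.get("wps_state", "0") != "0":
        findings.append(Finding("HIGH", "wps_state",
                                "WPS enabled: PIN-based onboarding weakens the network; disable it"))
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append(Finding("HIGH", "auth_algs",
                                "shared-key (WEP-style) authentication allowed; set auth_algs=1"))
    for key in ("ignore_broadcast_ssid", "macaddr_acl"):
        if conf.get(key, "0") != "0":
            findings.append(Finding("INFO", key,
                                    "SSID hiding / MAC filtering are not security controls; "
                                    "do not rely on them in place of encryption and authentication"))
    if "country_code" not in conf:
        findings.append(Finding("INFO", "country_code",
                                "no regulatory domain set: channel and power limits are not enforced"))
    return findings


# Constructed sample: a typical "it just works" supplier deployment.
WEAK_CONF = """
interface=wlan0
ssid=PLANT-OT
hw_mode=g
channel=13
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=CHANGEME
wps_state=2
ignore_broadcast_ssid=1
macaddr_acl=1
"""

# Constructed sample: the hardened counterpart (RADIUS address is a placeholder).
HARDENED_CONF = """
interface=wlan0
ssid=PLANT-OT
country_code=ES
ieee80211d=1
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=PLACEHOLDER-RADIUS-SECRET
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit_ap(parse_hostapd(text)):
            print(f"[{f.severity}] {f.key}: {f.message}")
```

Running the script against the weak configuration produces a mix of HIGH, MEDIUM and INFO findings, while the hardened configuration produces none; the same checker can be pointed at the configuration exported from a real access point before it is allowed onto the plant network.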

Conclusions

When deploying a Wi-Fi network in industrial environments, it is important to consider all possible options, as the signal emitted by the access points may be attenuated or even blocked in some scenarios. Availability is a fundamental pillar in industry, so this factor must always be taken into account when deploying any technology in an industrial environment. It is also important to control the reach of the networks and to apply every cybersecurity measure supported by the assets within them.

Finally, proper segmentation, restricting communication flows between wireless and wired networks, will allow the industrial organisation to have greater control over communications and monitor them for potential anomalies.