by Stefan Petschat, ICS Cyber Security Integrator
Wireless technology is used in industrial manufacturing more than ever before. In some distributed remote Industrial Control Systems (ICS) environments wireless links are an unavoidable necessity; in manufacturing areas they are increasingly adopted simply for convenience. With the move towards the Factory of the Future and Industry 4.0, wireless communication is one of the key enablers. As a consequence, cyber security for wireless communication has become a growing necessity in these environments. In this article we explore the most common technologies as well as security practices.
Securing wireless communication
Wireless devices are increasingly used in distributed ICS environments and mobile transportation systems, and wireless IoT devices are a low-cost alternative when large numbers of endpoints must be deployed in a short time. In ICS environments, wireless technologies range from satellite uplinks (e.g. VSAT at 4-40 GHz, BGAN at 1.5-1.6 GHz) to cellular (LTE at 2.5-2.7 GHz, GSM at ~0.7 GHz), radio (75-105 MHz), as well as Wi-Fi (2.4 / 5 GHz) or Bluetooth (~2.4 GHz).
These commercial services operate on well-known frequency bands, and the tools needed to receive and analyse them are widely available. This combination of accessible tooling and common knowledge, particularly for household bands such as Wi-Fi or Bluetooth, gives attackers new entry points into company networks.
Figure 1: Popular frequencies used in IoT manufacturing
A risk-based approach to securing wireless communication in industrial manufacturing
A risk assessment is a systematic approach to discovering, evaluating and recording potential risks that can harm an underlying system or process. Risk assessments should be performed both before deploying new technologies and on legacy infrastructure. They are conducted at a high level and at a detailed level, and it is advised to regularly reassess the risk at the high level. When analysing in detail the risks faced in wireless communication from a security point of view, four layers of wireless security need to be addressed (see Figure 2). The following paragraphs briefly describe each layer.
Figure 2: Four Levels of Wireless Security
Essential for wireless security is an awareness of the context and location in which the system will operate; both must be kept in mind when setting up wireless access points. An attacker who is within physical range to receive the communication can already perform a wide range of attacks, including packet capture or jamming the signal. Even proprietary frequencies and protocols can be detected with spectrum analysers and replicated with software-defined radios.
As soon as an attacker can physically receive the signal, they can start decoding its communication protocol, whether it is based on open standards or proprietary. The communication protocol alone gives the attacker a surface to act upon: at this level they may be able to set up rogue access points, reroute traffic, or influence the connection and disconnection of devices. Features such as modulation schemes or frequency-hopping patterns do not serve as reliable security measures, since their pattern can be analysed and replicated by an attacker.
Security features in these underlying base protocols (e.g. WPA2/WPA3 in Wi-Fi) can delay an attacker's progress and limit their abilities, but they are uncommon, or sometimes badly implemented, in other ICS frequency bands and technologies. A wide range of tools exists for breaking well-known protocol encryption, and a weak configuration (an open network, the broken WEP or original WPA, a guessable pre-shared key) offers no real protection at this layer.
Once an attacker has understood the communication protocol and bypassed any security features it offers, they can observe the application messages being transmitted. The communication between applications provides the attacker with valuable information about the target systems (e.g. device type, application type and version). Furthermore, it gives the attacker a larger attack surface for compromising the availability, integrity and confidentiality of messages.
Security on the application level for the transported information (e.g. additional encryption, authorisation, message integrity checks, etc.) is vital to ensure secure communication. In connected manufacturing environments, this additional layer is often ignored out of convenience or neglect. The widespread belief that the transmitted information is not security relevant, or that existing protocol-level encryption is enough, leads to exposed entry points into a company network.
Some IoT protocols are lightweight and easy to use but include no strong encryption or other security measures of their own, so that deployments rely entirely on the security of the lower layers. Message Queuing Telemetry Transport (MQTT) is an IoT protocol often found in smart manufacturing contexts. The protocol itself provides no encryption and only optional username/password authentication, carried in clear in the CONNECT packet; confidentiality and server authentication depend on running it over TLS, and payload integrity and authorisation must be added by the application or by the broker's access control. Without these, an MQTT deployment offers a wide range of attack possibilities (eavesdropping on topics, subscribing with wildcards, publishing forged readings or commands) while providing little to no application security.
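As an added example that is not code from the article, the following Python shows what an application-level message integrity check on top of MQTT can look like, independent of whether the link or the broker is encrypted. Each publisher keys its payload with a per-device HMAC-SHA256 that also covers the topic and a monotonic counter, so the receiver can reject forged, tampered, cross-topic and replayed messages. Device IDs, topics, the key and the readings are constructed for illustration; only the standard library is used, so it runs without a broker.

```python
"""Application-level integrity for MQTT payloads (added example, not code from the article).

Publisher: protect() wraps a reading into {msg, mac}; the bytes are the MQTT payload.
Receiver: Verifier.verify() checks the MAC and a per-device counter.
"""
import hashlib
import hmac
import json

# Constructed per-device pre-shared keys. In a real deployment they would be
# provisioned per device (ideally in a secure element), never hard-coded.
DEVICE_KEYS = {"press-01": bytes(range(32))}


def canonical(msg: dict) -> bytes:
    """Deterministic JSON encoding so sender and receiver MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, topic: str, body: bytes) -> str:
    # The topic is part of the MAC input, so a valid message cannot be re-published
    # on a different topic (e.g. a command topic) without detection.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(topic.encode())
    h.update(b"\x00")          # separator between topic and body
    h.update(body)
    return h.hexdigest()


def protect(device_id: str, topic: str, counter: int, data: dict) -> bytes:
    """Publisher side: build the payload {msg, mac} for the given topic."""
    msg = {"id": device_id, "ctr": counter, "data": data}
    mac = _mac(DEVICE_KEYS[device_id], topic, canonical(msg))
    return json.dumps({"msg": msg, "mac": mac}).encode()


class Verifier:
    """Subscriber (or broker plug-in) side: validates payloads and tracks per-device counters."""

    def __init__(self) -> None:
        self.last_ctr: dict = {}   # device_id -> highest counter accepted so far

    def verify(self, topic: str, payload: bytes):
        """Return (accepted, reason). Check order: parse, key lookup, MAC, then replay."""
        try:
            env = json.loads(payload)
            msg = env["msg"]
            device_id = msg["id"]
            ctr = int(msg["ctr"])
            mac = env["mac"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if not isinstance(mac, str):
            return False, "malformed"
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False, "unknown device"      # authorisation: only provisioned devices may publish
        if not hmac.compare_digest(_mac(key, topic, canonical(msg)), mac):
            return False, "bad mac"             # forged, tampered, or moved to another topic
        if ctr <= self.last_ctr.get(device_id, -1):
            return False, "replay"              # old or duplicated message
        self.last_ctr[device_id] = ctr
        return True, "ok"


def run_demo() -> list:
    """Walk through the cases a practitioner should test; returns the reasons in order."""
    v = Verifier()
    topic = "plant/line1/press-01/pressure"
    results = []

    good = protect("press-01", topic, 1, {"bar": 12.5})
    results.append(v.verify(topic, good)[1])                          # ok

    tampered = json.loads(good)
    tampered["msg"]["data"]["bar"] = 99.0                              # value edited in flight
    results.append(v.verify(topic, json.dumps(tampered).encode())[1])  # bad mac

    results.append(v.verify(topic, good)[1])                          # replay of message #1

    second = protect("press-01", topic, 2, {"bar": 12.6})
    results.append(v.verify("plant/line1/press-02/pressure", second)[1])  # bad mac: wrong topic

    results.append(v.verify(topic, b"{not json")[1])                  # malformed

    rogue = {"msg": {"id": "press-99", "ctr": 1, "data": {}}, "mac": "00"}
    results.append(v.verify(topic, json.dumps(rogue).encode())[1])    # unknown device

    results.append(v.verify(topic, second)[1])                        # ok: counter 2 > 1
    return results


if __name__ == "__main__":
    print(run_demo())
```

The counter must survive device reboots (persist it, or use a timestamp with an acceptance window), and the check does nothing against an attacker who simply drops or jams messages; availability still has to be covered by monitoring at the lower layers.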
The final layer of defence is the implementation of the applications that communicate wirelessly: the last point at which wireless communication can still be defended once the previous layers have been passed. It can involve endpoint and router monitoring to detect abnormal communication requests, commands or logins.
As mitigation, Network Intrusion Detection Systems (IDS) can be used to create a baseline of all communication and alert when anomalies are detected, such as rogue access points, jamming or sudden disconnections. More advanced IDS can analyse the process values or commands being transmitted and alert if they deviate from what is expected. This information can be collectively processed in a centralised Security Operations Centre (SOC) to get a complete overview of occurring incidents.
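To make the baseline-and-anomaly idea concrete, here is an added Python example (not the article's code and not taken from any IDS product) that runs the checks named above over parsed Wi-Fi management frames: a cloned SSID from an unknown BSSID (rogue access point), an SSID not in the baseline, a deauthentication flood (sudden disconnections), and a known access point that stops beaconing (jamming or outage). The baseline, thresholds and sample frames are constructed; a real sensor would feed parsed monitor-mode captures, here each frame is a dict with ts (seconds), subtype, bssid, and for beacons ssid and channel.

```python
"""Baseline-and-anomaly checks over Wi-Fi management frames (added example)."""
from collections import defaultdict

# Constructed baseline: the access points plant IT actually operates, with the
# channels they are configured for.
BASELINE = {
    "PLANT-OT": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "channels": {1, 6}},
}
DEAUTH_THRESHOLD = 20   # deauth/disassoc frames from one BSSID within WINDOW seconds
WINDOW = 10.0           # seconds; also the silence after which a known AP counts as lost


def _frame(ts, subtype, bssid, ssid=None, channel=None):
    return {"ts": ts, "subtype": subtype, "bssid": bssid, "ssid": ssid, "channel": channel}


# Constructed capture: 30 s of traffic. AP .01 beacons normally, AP .02 goes quiet after
# t=10, an evil twin copies the SSID, a stranger network appears, and a deauth flood hits AP .01.
SAMPLE_FRAMES = (
    [_frame(t, "beacon", "aa:bb:cc:00:00:01", "PLANT-OT", 6) for t in range(0, 30, 5)]
    + [_frame(t, "beacon", "aa:bb:cc:00:00:02", "PLANT-OT", 1) for t in (0, 5, 10)]
    + [_frame(12, "beacon", "de:ad:be:ef:00:01", "PLANT-OT", 6)]       # evil twin
    + [_frame(15, "beacon", "de:ad:be:ef:00:02", "Free_WiFi", 11)]    # unknown SSID nearby
    + [_frame(18, "deauth", "aa:bb:cc:00:00:02")]                     # single deauth: normal churn
    + [_frame(20 + i * 0.1, "deauth", "aa:bb:cc:00:00:01") for i in range(25)]  # flood
)


def analyse(frames, baseline=BASELINE, deauth_threshold=DEAUTH_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, each raised at most once per (type, bssid)."""
    alerts, raised = [], set()
    deauth_times = defaultdict(list)   # bssid -> timestamps inside the sliding window
    last_beacon = {}

    def raise_once(kind, ts, bssid, detail):
        if (kind, bssid) not in raised:
            raised.add((kind, bssid))
            alerts.append({"ts": ts, "type": kind, "bssid": bssid, "detail": detail})

    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] == "beacon":
            last_beacon[f["bssid"]] = f["ts"]
            known = baseline.get(f["ssid"])
            if known is None:
                raise_once("unknown_ssid", f["ts"], f["bssid"], f"SSID {f['ssid']!r} not in baseline")
            elif f["bssid"] not in known["bssids"]:
                raise_once("evil_twin", f["ts"], f["bssid"], f"baseline SSID {f['ssid']!r} from unknown BSSID")
            elif f["channel"] not in known["channels"]:
                raise_once("channel_change", f["ts"], f["bssid"], f"channel {f['channel']} not in baseline")
        elif f["subtype"] in ("deauth", "disassoc"):
            times = deauth_times[f["bssid"]]
            times.append(f["ts"])
            while times and times[0] < f["ts"] - window:
                times.pop(0)                     # drop frames that fell out of the window
            if len(times) >= deauth_threshold:
                raise_once("deauth_flood", f["ts"], f["bssid"], f"{len(times)} deauth/disassoc in {window}s")

    if frames:   # a known AP that stopped beaconing: jamming, outage, or someone pulled the plug
        end = max(f["ts"] for f in frames)
        for ssid, known in baseline.items():
            for bssid in sorted(known["bssids"]):
                last = last_beacon.get(bssid)
                if last is None or last < end - window:
                    raise_once("beacon_loss", end, bssid, f"no beacon for {ssid!r} since t={last}")
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_FRAMES):
        print(a)
```

Two design points worth noting: the deauth threshold has to be tuned against the normal roaming churn of the plant (a single deauth is not an incident), and a baseline keyed on BSSID alone is defeated by an attacker who spoofs the legitimate BSSID, so a production sensor would also compare beacon fingerprints (capabilities, vendor elements, signal profile) before trusting a frame.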
Cyber security for wireless connections can be a difficult subject to handle. For an attacker, a wireless link can provide direct access into the heart of industrial networks. Detailed risk assessments provide feedback on effective measures to prevent cyber-attacks on all levels. These assessments should be performed by leading industry experts with long experience in assessing, implementing and managing complex wireless manufacturing environments.
What we offer/provide
We are specialised in IT and OT cyber security solutions covering the full application security life cycle (see Figure 3). We help our customers assess the risk on all levels of wireless communication and support them during the planning and integration of solutions. For future industrial solutions in the Factory of the Future, we developed an adapted approach to perform this risk assessment in an abstract development area; you can read about it in our blog article on risk assessments in Factory of the Future environments. We offer security audits and penetration tests on protocol and application level as part of our OT pentesting service. On the implementation level, network monitoring and managed security services such as IDS systems and SOC monitoring can be provided.
As a contributor to the European CyberFactory#1 research project, we supported the assessment, securing and continuous monitoring of wireless connections in smart manufacturing, and we are responsible for the implementation of an IT/OT collaborative SOC for continuous monitoring on all wireless security levels.