SA Instrumentation & Control Buyers' Guide

 

Protect the wireless network
November 2016, Industrial Wireless


Wireless is not new to manufacturing and industrial environments. It has been used for years in applications such as point-to-point data transfer and supervisory control and data acquisition (SCADA). However, as wireless is increasingly used for mission-critical applications and real-time control, demands on the technology are changing.

Particularly as more manufacturers build a Connected Enterprise and converge their industrial and enterprise systems into an Ethernet-based network architecture, they need reliable wireless communications with low levels of latency and jitter to achieve uninterrupted control and data access. More than that, they need to confirm their wireless communications are secure.

Given the unique risks that wireless communications face – which include the interception and monitoring of data, wireless frame spoofing, and denial-of-service attacks – security is essential. This includes using device authentication and data encryption methods that align with IEEE 802.11, which is increasingly becoming the standard for deploying reliable and secure wireless networks for industrial automation and control system (IACS) applications.

When implementing an industrial wireless network, keep in mind some of the following design and security considerations from the guide 'Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture', developed by Rockwell Automation and its strategic alliance partner Cisco.

Autonomous vs unified

It is important to consider the two different wireless local area network (WLAN) architecture types used in IACS settings, as the security considerations are different for each. An autonomous architecture type uses standalone wireless access points to implement all WLAN functions. Each autonomous access point is individually configured and managed. An autonomous architecture typically is used only for small-scale deployments or standalone wireless applications. It has a lower initial hardware cost, simplified design and deployment, and offers more granular control of quality of service to help prioritise IACS application traffic on the network.

A unified architecture is used for large-scale plant-wide deployments that require a range of clients and applications. It offers foundational services, including intrusion prevention and wireless guest access, and provides the foundation for enabling plant-wide mobility.

A unified architecture solution splits functionality between lightweight access points (LWAP) and wireless LAN controllers (WLC). It has ‘zero touch’ deployment and replacement of access points, requires less effort for updating configuration and firmware, and provides centralised control and visibility.

Autonomous architecture security

The WiFi Protected Access 2 (WPA2) security standard with Advanced Encryption Standard (AES)-level encryption is the only security mechanism recommended for industrial WLAN applications. WPA2 offers the most advanced security available today for WLANs in industrial settings, while AES encryption is implemented at the hardware level and doesn’t affect an application’s performance. In an autonomous architecture, WPA2 can support both pre-shared key authentication and 802.1X/ Extensible Authentication Protocol (EAP) authentication. Factors such as your security policy, infrastructure support and ease of deployment can help you determine which of these two authentication methods is most appropriate for your autonomous WLAN.

Users also might choose to use multiple authentication methods in a single autonomous architecture, such as to support different client types.

Pre-shared key authentication uses a common password that is shared across all devices in the architecture. Keep in mind, this method can’t restrict access to specific clients – anyone with the password can authenticate to the WLAN. As a result, pre-shared key authentication is best suited for small-scale WLANs in which the clients are tightly controlled. This could include an application containing a fixed number of wireless machines using work group bridges (WGB).

802.1X/EAP authentication uses an EAP framework to provide access to a WLAN. Using the 802.1X IEEE standard for port-based access control, this authentication method offers strong security through access control based on individual user credentials. It can be used when pre-shared key authentication can’t satisfy your security requirements.

Configuration recommendations for this approach include using the EAP-FAST protocol to authenticate WGBs to the autonomous WLAN. A dedicated access point should be configured as a Remote Authentication Dial-In User Service (RADIUS) server to store the WGB credentials, but it should not accept any wireless clients itself.

MAC address authentication is a third method for authentication but isn’t secure when used alone because MAC addresses can be detected and spoofed. Rather than using this as your lone security approach, use it to supplement pre-shared key or 802.1X/EAP authentication as an additional safeguard against incidental connections in critical control applications.

Unified architecture security

A unified WLAN architecture requires certificate-based authentication and EAP methods beyond the 802.1X/EAP options described above for autonomous architectures. Additionally, pre-shared key authentication will not work in a unified architecture, because it cannot provide the fast-roaming security that a unified architecture requires.

Unified architectures should use EAP-Transport Layer Security (EAP-TLS) authentication for plant-wide WLAN security. This method requires a RADIUS server located in the Industrial Zone (Level 3), and the controller must support local EAP certificates.

Additionally, non-roaming applications may not require EAP-TLS authentication, but using it for both fast-roaming and non-roaming applications simplifies deployment and avoids confusion about which security method applies to which devices.

Other considerations

The hardware you select for your WLAN architecture should support your goal of achieving secure and reliable wireless communications. This includes using wireless access point (WAP) and WGB hardware, such as the Allen-Bradley Stratix 5100 WAP, that conforms to the widely adopted IEEE 802.11 a/b/g/n standards and provides both 2.4 GHz and 5 GHz spectrum to meet a range of operational needs.

Newer hardware solutions that can function either as an access point in an autonomous architecture or as a WGB in both autonomous and unified architectures enable you to deploy secure and reliable wireless networks using just one device. As an access point, these devices can serve as a router to bring wireless clients into a wired network. As a WGB, they can securely connect up to 19 wired IP clients to a wireless network.

In a unified architecture, also verify that your WLC supports full Control and Provisioning of Wireless Access Points (CAPWAP) encryption between access points and the controller. It should also provide support for detecting rogue access points and denial-of-service attacks.
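As an added example (not code from the article, Rockwell Automation or Cisco), here is a small Python policy checker that encodes the design rules from the autonomous, unified and WLC sections above: WPA2 with AES only, pre-shared keys only for small and tightly controlled autonomous WLANs, MAC authentication never on its own, EAP-FAST for WGBs on autonomous WLANs, and EAP-TLS plus CAPWAP encryption for unified ones. The WlanProfile format, the PSK_MAX_CLIENTS threshold and the sample SSIDs are assumptions constructed for this example.

```python
from dataclasses import dataclass

PSK_MAX_CLIENTS = 25  # assumed "small-scale" threshold; the article gives no number

@dataclass
class WlanProfile:
    """Constructed profile format for this example, not any vendor's config syntax."""
    ssid: str
    architecture: str                # "autonomous" or "unified"
    protocol: str                    # "WPA2", "WPA" or "WEP"
    cipher: str                      # "AES" or "TKIP"
    auth: tuple = ()                 # any of "psk", "802.1x-eap", "mac"
    eap_method: str = ""             # "EAP-FAST", "EAP-TLS", ...
    client_count: int = 0
    clients_tightly_controlled: bool = False
    capwap_encrypted: bool = False   # unified only: AP-to-WLC tunnel encrypted

def check_profile(p: WlanProfile) -> list:
    """Return the policy findings for one WLAN; an empty list means it passes."""
    f, auth = [], set(p.auth)
    if p.protocol != "WPA2" or p.cipher != "AES":
        f.append("only WPA2 with AES encryption is recommended")
    if auth == {"mac"}:
        f.append("MAC authentication used alone; MAC addresses can be spoofed")
    if p.architecture == "autonomous":
        if "psk" in auth and (p.client_count > PSK_MAX_CLIENTS
                              or not p.clients_tightly_controlled):
            f.append("pre-shared key only suits small, tightly controlled WLANs; use 802.1X/EAP")
        if "802.1x-eap" in auth and p.eap_method != "EAP-FAST":
            f.append("EAP-FAST is the recommended method for WGBs on an autonomous WLAN")
    elif p.architecture == "unified":
        if "psk" in auth:
            f.append("pre-shared key cannot provide fast-roaming security in a unified WLAN")
        if p.eap_method != "EAP-TLS":
            f.append("unified WLANs should authenticate with EAP-TLS")
        if not p.capwap_encrypted:
            f.append("CAPWAP access-point-to-controller encryption is not enabled")
    else:
        f.append(f"unknown architecture {p.architecture!r}")
    return f

# Constructed sample profiles (not from the article): a tightly controlled machine
# cell using WGBs, a PSK network stretched past its remit, and a unified WLAN.
SAMPLE = [
    WlanProfile("CELL7-WGB", "autonomous", "WPA2", "AES", ("802.1x-eap", "mac"),
                "EAP-FAST", client_count=6, clients_tightly_controlled=True),
    WlanProfile("PLANT-PSK", "autonomous", "WPA2", "TKIP", ("psk",), client_count=80),
    WlanProfile("PLANT-UNIFIED", "unified", "WPA2", "AES", ("802.1x-eap",), "EAP-TLS",
                capwap_encrypted=False),
]
```

Running `check_profile` over each entry in `SAMPLE` passes the WGB cell, flags the PSK network twice (TKIP and too many loosely controlled clients) and flags the unified WLAN for its unencrypted CAPWAP tunnel.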

Lastly, network segmentation can create separation between your control and enterprise networks. This enables you to use different security practices in each network, and can help confirm that workers in production areas are only able to access production-related data, while data from enterprise-related applications remains isolated.

Whether deploying a small wireless network based on a single access point or a larger, plant-wide network, following these standards-aligned security best practices will help harness wireless technology and the IIoT while protecting operations and intellectual property against wireless-based threats.

For more information contact Christo Buys, Rockwell Automation, +27 (0)11 654 9700, cbuys@ra.rockwell.com, www.rockwellautomation.co.za


Credit(s)
Supplied By: Rockwell Automation
Tel: +27 11 654 9700
Fax: +27 11 654 9702
Email: mjunius@ra.rockwell.com
www: www.rockwellautomation.co.za