November 28, 2024

Wires? We don’t need no stinking wires!
SECURITY SESSIONS: Volume 3 No. 2

by William T. (Tim) Shaw, PhD, CISSP
It seems as if you can’t pick up a magazine on automation or read an article about automation without running across an ad for or reference about some wireless instrument or device. Wireless is the new “hot” technology. Just a couple of years ago every vendor was rushing to bolt an Ethernet port onto their devices, but today they are all gluing antennas to their equipment. On its surface wireless seems to be a wonderful enabling technology. You save a bundle on wiring costs, you can just stick equipment anywhere you want and move it if you need, everything interoperates in one big happy wireless network and it even automatically fixes problems if there are failures. Oh, and it’s totally secure because it uses all sorts of high-tech encryption. Maybe I should point out that this list of sunny observations was enumerated to me by a control system engineer who was planning to “go wireless” on his next (and I believe first, but possibly last) major automation project. Maybe you have heard the same good things? – Tim.


I have no issue with wireless technologies. A good bit of my earlier career was spent designing, building and commissioning SCADA systems. Wireless communications was (and still is) an essential component of such systems for the practical reason that it was not possible to run wires across the countryside in order to communicate with dozens of outstations that could be tens to hundreds of miles distant. Of course the wireless technology used years ago was analog and “dumb” and operated on fixed/licensed frequencies at high levels of transmission power.

Mostly it was voice-grade radio equipment to which we attached a MODEM and then sent our message traffic out over the airwaves at the blindingly fast rate of 300 to 1200 bits per second. Because of the low data rates we were forced to use, we devised or adopted highly efficient protocols (like Modbus RTU©) that required minimal communications overhead to successfully deliver our messages. Of course, today that strategy is one of the reasons that such systems are highly susceptible to a cyber attack. We didn’t incorporate any defensive or protective mechanisms into those old protocols, and now we are scrambling to find a quick and easy bolt-on solution to protect and secure those communications.

Wireless technology has evolved quite a bit in the past two decades. Today a typical ‘digital’ radio has an embedded microprocessor, uses digital encoding schemes and may hop around over a number of frequencies while transmitting. The presence of an embedded microprocessor was a major game-changer for wireless. A basic radio has no identity, but a computer can be programmed to understand ID numbers and addresses.

A radio has no storage, but a computer can buffer messages in memory. A radio doesn’t listen to the messages it is receiving, but a computer can do that and determine if the message is corrupted. A modern digital radio that only costs a few hundred dollars can automatically detect the presence of other similar radios, exchange messages with those radios to determine the presence of radios that are too distant for direct communications and establish message-forwarding agreements to provide a means for communicating with even the most distant radio. The radios can even identify alternative routes in the event of a radio failure.

All of these things are possible only because the radios contain a microcomputer and, of course, the applicable program logic. That message-passing scheme is what is popularly called a Wireless Mesh Network. Since these radios have computer memory they can keep a copy of a message in case the intended recipient is momentarily out of communications and then send it later when communications are restored (often called Store-and-Forward). Radios can request that the recipient of a message send a return verification message confirming successful receipt. If necessary, the initiating radio can attempt to resend the message several times until delivery is successful.

Years back you could not operate a radio transmitter unless you were granted a license (and assigned a specific operating frequency) by the F.C.C. That became a cumbersome burden and eventually the F.C.C. allocated a range of frequencies (a ‘band’) in the 900 MHz, 2.4 GHz and 4.8 GHz frequency range. Each of these bands was further subdivided into some number of channels (specific frequencies) and you were allowed to operate low-power radio equipment within these bands without getting a license (i.e., unlicensed operation).

These frequency bands are collectively called the industrial, scientific and medical (ISM) band. A large number of devices share these bands including RFID scanners, cell phones, microwave ovens, cordless phones, some airport radar systems and all of your wireless Ethernet (WiFi) equipment. It is actually quite a busy and crowded place. One of the reasons for developing frequency-hopping radios was to address the problem of having lots of other equipment in the same physical proximity trying to share the same band. By “hopping” around to different channels while sending each bit in a message, the hope is that one of the channels would be clear and the data would make it through. The embedded microcomputers in all of the participating radios would agree on a pseudo-random number sequence and switch their operating frequencies among the available channels at the same time and in the same pseudo-random order.

Of course, all of those capabilities and features deal with reliability and availability, not with security, although many people mistakenly believe that frequency-hopping is a security mechanism. Radio as a transmission medium has the general problem that unless blocked or focused in some manner a radio signal will propagate outward in all directions. Hackers have an annual competition wherein they attempt to see how far away from a WiFi (IEEE 802.11) ‘access point’ they can be and still establish a wireless connection. The current record is about 30 miles or so, which is quite a bit further than the functional specifications for that technology would suggest. But the hackers use special high-gain antennas and amplifiers to achieve those stunning results. Sure, that’s cheating, but they are HACKERS after all! The point being that hoping that no one hears your wireless communications because your plant is geographically large is probably pushing your luck.
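To make the point above concrete, here is an added simulation (not code from the column) of a hopping link: both radios derive the same channel order from a shared PRNG seed, a bit that lands on a noisy channel is simply resent on the next hop, and everything that crosses the air can be reassembled by anyone recording the whole band. The eleven-channel band, the seed and the noisy channels are constructed values.

```python
import random

CHANNELS = list(range(1, 12))  # constructed: eleven channels in one unlicensed band


def hop_sequence(shared_seed: int):
    """Every radio in the network seeds the same PRNG, so all of them
    derive the identical pseudo-random channel order and hop in step."""
    rng = random.Random(shared_seed)
    while True:
        yield rng.choice(CHANNELS)


def to_bits(data: bytes) -> list[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def transmit(message: bytes, shared_seed: int, noisy_channels: set[int]) -> dict:
    """Send one bit per hop. A hop that lands on a noisy channel is lost and the
    bit is resent on the next hop: this is the availability benefit of hopping.
    Returns the receiver's reconstruction, the hop count and what went over the air."""
    if not set(CHANNELS) - noisy_channels:
        raise ValueError("no clear channel anywhere in the band")
    seq = hop_sequence(shared_seed)
    receiver_bits, on_air, hops = [], [], 0
    for bit in to_bits(message):
        while True:
            ch = next(seq)
            hops += 1
            if ch in noisy_channels:
                continue              # lost in the noise; try again on the next channel
            receiver_bits.append(bit)
            on_air.append((ch, bit))  # the bit itself is sent in the clear
            break
    return {"received": from_bits(receiver_bits), "hops": hops, "on_air": on_air}


def reassemble_from_air(on_air: list[tuple[int, int]]) -> bytes:
    """A receiver covering the whole band gets every bit in order: hopping spreads
    the signal across channels, it does not hide the content. Only encryption does."""
    return from_bits([bit for _, bit in on_air])


if __name__ == "__main__":
    result = transmit(b"OK", shared_seed=42, noisy_channels={1, 2, 3})
    print(result["received"], result["hops"], "hops for 16 bits")
    print(reassemble_from_air(result["on_air"]))
```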

Today, the developers of wireless technology understand the need for security mechanisms and most modern wireless technologies at least offer reasonable security features as an option, if not as an integral and mandatory function. Yes, I said that ‘today’ wireless technology developers offer reasonable security features. This is a direct result of the debacle that ensued when the original IEEE 802.11 (“WiFi”) was introduced and included an optional security feature set called WEP (Wired Equivalent Privacy). It turned out that WEP had a number of security weaknesses, and hacker tools for ‘breaking’ the encryption and obtaining unauthorized access into WEP-protected wireless networks were popping up within months of WEP’s introduction. So today, with any number of readily available utility programs (like ‘aircrack’), it only takes a few minutes to break into a WEP-protected wireless network.

Because of the unfortunate security weakness of WEP and the rapidity with which hackers made Swiss cheese out of it, the successors in the wireless arena all made sure that they could offer a much better level of security. Even WiFi has supplanted WEP with a series of security technology improvements including WPA, WPA2 and finally IEEE 802.11i. The current wireless technology offerings – from Bluetooth and its ‘personal area network’ (PAN) technology all the way up to WiMAX and its ‘municipal area network’ (MAN) technology – all support advanced and cryptographically ‘strong’ encryption algorithms, large ‘key’ sizes (at least 128 bits) and some level of end-point authentication. But then, for these techniques to provide protection, you DO have to enable the security features! (NOTE: For several wireless technologies, the default mode is: No Security Features Enabled.)
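A small added check for the point just made (enable the security features; WEP and the no-security default are not acceptable), written as a config audit. It is not from the column; it assumes a Linux hostapd access point, whose key=value settings (wpa, wep_key0, rsn_pairwise) are real, and the two sample configurations are constructed.

```python
# Constructed sample configurations in hostapd's key=value format (assumption:
# a Linux hostapd access point; the column names no particular product).
WEAK_CONF = """\
interface=wlan0
ssid=plant-net
# WEP: the 'optional' 802.11 security that was broken within months
wep_default_key=0
wep_key0=0123456789
"""

HARDENED_CONF = """\
interface=wlan0
ssid=plant-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
"""


def parse_conf(text: str) -> dict:
    """Minimal reader for hostapd-style key=value lines; comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return findings for configurations that keep the 'no security' default,
    rely on WEP, or still admit WPA (v1) or TKIP instead of WPA2/802.11i CCMP."""
    findings = []
    wpa = int(conf.get("wpa", "0"))       # hostapd: 0=none, 1=WPA, 2=WPA2/RSN, 3=both
    has_wep = any(k.startswith("wep_key") for k in conf)
    if wpa == 0 and not has_wep:
        findings.append("open network: no security feature enabled (the factory default)")
    if has_wep:
        findings.append("WEP keys present: WEP is broken in minutes with free tools, migrate to WPA2")
    if wpa & 1:
        findings.append("WPA (v1) still accepted: disable it, keep only wpa=2")
    if wpa & 2:
        ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
        if ciphers != ["CCMP"]:
            findings.append("pairwise cipher not pinned to CCMP: set rsn_pairwise=CCMP")
    return findings
```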

All of this information is factually accurate, and it sounds great, doesn’t it? It sort of makes you wonder why anyone would use wired communications when wireless is so flexible, powerful and secure. The problem is that when you get into actual implementation of most wireless technologies you run into surprises. Also, there are a number of wireless technologies to consider and, unlike men, they are not all created equal. The most popular wireless technologies being used in industrial applications and/or automation products include:

  • IEEE 802.11 (often called “WiFi®”), either a, b, g or now n
  • IEEE 802.16 (also called “WiMAX®”)
  • Cellular (with three competing, incompatible underlying technologies)
  • Bluetooth©
  • ZigBee©
  • WirelessHART©

Each of these technologies has different implementation requirements and issues, they vary quite a bit in their officially specified usable range, and they also differ with respect to use in fixed, portable and mobile applications. A good starting point for comparison is the basic requirement for wiring. Elimination – or at least a major reduction – of wiring is often touted as a major justification for using wireless technologies. Radios (digital and otherwise) are electrical machines and they require power to operate. So do the associated sensory electronics of the wireless instrument. It is possible to have battery powered devices, but running on battery power means you can’t be transmitting all the time or the battery will die. Your cell phone is battery powered, but if you make heavy use of it on a regular basis, your battery will probably only last a couple of days, at most.

Battery technology also imposes environmental limits on the wireless device applications. A battery can freeze or bake and die an early death. ZigBee allows for end devices that can be battery powered. But you should only poll them for measurements every few minutes – or even less frequently if you want adequate battery life. Even though these end devices can be wireless, they depend on powered routers to be nearby. Basically most wireless technologies still require power wiring even if they can eliminate signal wiring.

Many wireless technologies give you the best range and most reliable connectivity in high noise environments (or in situations where signal reflections, called ‘multi-path distortion’, are created due to lots of structural metal) when you implement them using high-gain, directional antennas. Unfortunately, directional antennas create a problem with mobile wireless applications and don’t work for point-to-multipoint applications. The higher frequency signals used in unlicensed radios also mean that the cable distance allowed between the radio and the antenna is quite limited – often as short as only a few inches.

All of this means that radios usually have to be mounted with the antenna, and you need to run wire to a power source. Antennas can be mounted with vertical or horizontal polarization to improve performance, but this can also create problems for any node that can’t physically be mounted to accommodate that orientation. Some wireless technologies can deal with mobile operation – cellular technologies were specifically designed for this – but others don’t handle it or produce unexpected results. For example, a WiFi device carried around a plant can automatically re-associate with other access points (AP) if they are generating a stronger signal.

This may have undesirable consequences if that AP doesn’t have a path to the systems with which you were previously communicating via the prior AP. Radio equipment can also be affected by weather – including solar events – when used out of doors. When used inside a facility, momentary outages can occur when equipment movement or repositioning (e.g., vehicles, cranes, etc.) blocks the signal path.

As far as interoperability and compatibility go, wireless doesn’t actually fulfill that promise any better than the numerous Ethernet variations created by the conversion of proprietary serial standards into proprietary Ethernet standards. If two wireless Ethernet devices have a “WiFi” sticker then they are likely to interoperate. But each of the wireless technologies listed previously is incompatible with the others, and in fact, here in the USA we have three incompatible cellular systems, as noted previously. (Therefore, choose your carrier carefully!)

The main point here is that wireless technologies sound great on paper, but you are not going to implement them on paper; you must be able to make them actually work in your plant. People who buy a WiFi router and get it up and running often think that a similar level of effort will be needed to apply wireless technologies in an industrial setting. That rarely (okay, never in my personal experience!) ends up being the case.

Then there is still the basic argument about the actual reliability and security of using wireless communications. Wires have fewer failure modes than do electronic circuitry… but that will be the subject matter for a future column. – Tim.

About the Author

Dr. Shaw is a Certified Information Systems Security Professional (CISSP) and has been active in industrial automation for more than 30 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.