The Invisible Threat

Many Users Don’t Trust an Industrial Wireless Network Solution. Some Concerns Are Real. Most Are Ethereal. It’s Important to Know the Differences.

08/22/2007

By Dan Hebert, PE, senior technical editor

Franklin D. Roosevelt famously said the only thing we have to fear is fear itself. This appears to be true when it comes to wireless security. Whether real or groundless, security fears and concerns delay and often scuttle otherwise justifiable wireless projects.

Much fear, uncertainty, and doubt (FUD) exist when it comes to wireless security. The best way to overcome this is to acknowledge its existence, find out how and where it originates, and see how it affects new wireless projects. These insecurity levels then can be reduced by looking at best practices in wireless security.

The best FUD gauge is the collective opinion of end users and the consultants who serve them, as these groups control the purse strings and the rate at which industrial wireless projects proceed. “Wireless networks are more accessible than wired networks,” says Gary Crenshaw, senior electrical engineer with Beam Global Wine and Spirits, part of Fortune Brands in Lincolnshire, Ill. “A wireless network in a populated area is more likely to be hacked than a network in a remote area, simply because there are more people and more computers in populated areas, and it is harder to limit signal strength and access.”

Mark Atanasoff, principal electrical engineer at Osram Sylvania, is another end user who is also concerned with unauthorized access. “Inherently, wireless networks are not and cannot be as secure as their wired counterparts,” says Atanasoff. “You can control bits flying through a wire, but it is harder to keep a handle on bits flowing through air. But without intimate knowledge of how the wireless system is set up—such as frequencies, addressing, and protocols—it would be difficult to steal any usable data.”

The risks can be minimized. “Wireless never can be as secure as wired networks, but there are techniques to make them secure enough for automation projects,” argues Dick Caro, certified automation professional and CEO of CMC Associates, Hanover, Mass. Caro is a consultant in the field and works with ISA to develop wireless standards that will include built-in security.

Atanasoff makes a good point by separating access from understanding what accessed data means. There are two main components to security on any network. The first is controlling access, and the second is encrypting information. An analogy can be drawn to eavesdropping on a conversation. Proximity to the speakers gives access, and understanding the language breaks the encryption.

It might be easier to access a wireless network than it is to access a wired network, but this relatively easy access has been turned from a wireless weakness to a wireless strength. Because physical access to wired networks can be controlled, at least in theory, most wired networks don’t use message encryption.

On the other hand, wireless networks look at unauthorized access as an ongoing threat, and most wireless applications employ sophisticated encryption to prevent damage from access. “What would someone do with an intercepted and encrypted data packet?” asks Chris Gibbons, engineering associate with Sasol North America, a specialty chemicals producer in Houston.

Most end users don’t think wireless is quite as secure as all that. But overall, many think that wireless security is good enough right now for industrial applications.

Vendors Optimistic

Wireless vendors are even more optimistic. They know that overcoming security concerns is key to selling wireless products, so they have devoted lots of time and money to wireless security. “The majority of wireless networks available today are protected by the Advanced Encryption Standard (AES), which provides a high degree of security against external threats,” says John Guite, division engineering manager at Parker Hannifin. “Additionally, non-Ethernet-based wireless networks such as ZigBee are protected further because they are personal area networks. A PAN requires a potential hacker to be in relatively close proximity—usually within the facility—to detect the network, further protecting the integrity of the network.”

Part of making a network secure is keeping it up and running. “Wired communications are subject to damage from digging, collisions with mobile machinery, animals eating cable insulation, or degradation due to weather,” observes Ira Sharp, product marketing specialist with Phoenix Contact. “The absence of readily damaged cables is a big advantage with wireless communications.”

A main cause of wireless FUD is poor implementations of wireless security measures in the past. “Obviously, one can set up a completely unsecured wireless network by turning off the security features,” says Joel Young, vice president of R&D and CTO of Digi International.

As Young hints, end users bear considerable responsibility for securing wireless networks. Wireless products often are delivered by vendors with security features disabled to ease initial setup and let end users customize security for their particular needs. Unfortunately, some end users don’t follow proper procedures to activate the security features.

“End users must perform an initial security assessment to determine what level of security is needed,” adds Young. “They must then use available security tools, just as with wired networks. In practice, many wireless network installations actually are more secure than their wired counterparts because end users have become paranoid enough about wireless that they actually perform the security assessment. On the wired side, many are lulled into a false sense of security. Keep in mind that most security breaches are not from some sophisticated form of electronic listening, but rather due to a failure to use basic authentication systems effectively.”
