Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHART, to develop a standard that includes security. This leads to the question: how does the use of wireless increase the risk to a control system?
Of course, many loyal blog readers would certainly point out that wireless WAN communications have been used for years. So when people use the shorthand term of wireless, they are typically talking about wireless LAN or MAN protocols, many of which are based on protocols commonly used in IT networks.
Sometimes it pays to go back to basics. Risk is a function of consequence, vulnerability and threat.
Much of the focus when discussing wireless is on the vulnerability factor. This is reasonable because wireless LAN protocols have a poor security history, and the technical security controls warrant a serious peer review even though that has failed in the past.
Threat is the factor that will cause the greatest increase in risk of wireless over wired networks. In wired systems a typical attacker needs to gain physical access to a port or at least a cable to launch an attack. With wireless, an attacker only needs access to the wireless signal to launch an attack. This increases the potential population of threat agents to perhaps anyone who can get to the parking lot.
The argument can be made that the vulnerability factor can be reduced to such a low number that the risk is acceptable regardless of the threat and consequence. This same argument can be made for using the Internet for control system WAN communication. However, most people in the community recoil at the idea of using the Internet.
The key is to have management understand the risk and weigh this against the costs of not accepting the risk and benefits of accepting the risk. As long as the right level of management makes an informed decision on risk acceptance, wireless is fine.
Unfortunately, what we commonly run into, and it happened again with a client on Friday with an issue unrelated to wireless, is a focus almost solely on decreasing vulnerabilities without a focus on decreasing threat. One control is piled upon another. Two-factor authentication plus encryption plus IPS plus multiple firewalls plus … It is still too great a risk. Well, what other security can we deploy?
And we are going to deploy these security controls perfectly and there are no zero-days in these security products. What are we going to do if a new vulnerability is found in the wireless protocol? Or maybe the protocol is fine, but a vendor implementation is vulnerable. It has been known to happen. What is the response? Pull out the wireless until it can be patched?
Consider taking a step back and determining whether there are ways of reducing potential threat agents, such as someone sitting in the parking lot. Consider whether the benefits of wireless, or of other approaches that increase threat agents, are truly required. What would be the hard cost and soft cost of using solutions that do not increase threat agents?
Just to be clear, this is not a blog saying do not use wireless. There are situations where the benefits would be worth the increased threat and an increased risk. What I would argue is that a small cost savings or convenience might not be worth it, and management needs to consider this.
This is not unique to wireless. Another area where this is common is routine access from the corporate network. It is too inconvenient to place people in a physically secure area or make them get up and walk to a secured HMI, so access is allowed from the corporate network, albeit with security controls, and the threat is increased.
To summarize this semi-rant, more security hardware and software is not always the answer. Sometimes the answer is to not expose yourself to the threat. This seems to be the knee-jerk answer to Internet use for control systems no matter how much security is in place.