Documented within The Rack is Kismet, a tool that can be used to analyze wireless networks within control systems and automation applications. With the use of wireless devices on the rise, we need to ensure they do not mistakenly end up in control systems. Scanning with Kismet is the first step to ensure that this spectrum is free of rogue access points and wireless devices.
Kismet can detect access points, associated clients, probing clients and ad-hoc networks. It is a wireless analysis tool that is available in the package repositories of most Linux distributions, and it also runs on Macintosh and Windows with some additional software. Kismet has been used by many for years as part of war driving to collect information about open access points.
The risk of a rogue access point showing up undetected in control systems is rising. To manage this risk, regular scans need to be performed to ensure that no unauthorized access points are within the control systems. With modern devices such as smartphones and MiFis acting as access points, locating and removing rogue access points is getting harder.
Authorized access points could include corporate networks, guest networks, or BYOD access. As mentioned earlier, you could also find devices such as phones or MiFis, personal or work-issued, that are not connected to any other network. It is rare to include 802.11 in control systems, as it can be an unreliable communication medium. Its implementation cost is one reason it has nonetheless found its way into control systems in some specific areas.
An example of where 802.11 might be utilized in control systems is low-value monitoring, such as water levels in a water treatment facility. This is an example that I’ve heard many times about where wireless is being utilized in control systems. The risk to these systems is going to be low, because in most cases they are going to be engineered, authorized and tracked within asset management.
Unauthorized wireless access points, such as one brought onto the network by an employee or contractor who did not realize it could lead to a security breach, need to be scanned for on a regular basis. Devices such as the PowerPwn from PwnieExpress show how 802.11 could be used for malicious purposes to gain access to the control system over a wireless connection. Unauthorized access points that are connected to control systems pose a large risk, as they become an easy way into the control systems.
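The regular scan described above only finds rogues if its results are compared against what asset management says should be on the air. The following is an added example, not code from Kismet or from this page's author: it parses a constructed sample in the shape of Kismet's legacy .netxml export (element names assumed from that format, all BSSIDs and SSIDs invented), checks each detected network against an assumed inventory of engineered access points, and reports unknown BSSIDs, authorized SSIDs being rebroadcast by unknown hardware, ad-hoc networks and open networks.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Kismet's legacy .netxml export
# (element names assumed from that format, values invented for this page).
SAMPLE_NETXML = """<detection-run>
 <wireless-network number="1" type="infrastructure">
  <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><essid cloaked="false">PLANT-TELEMETRY</essid></SSID>
  <BSSID>00:11:22:33:44:55</BSSID><channel>6</channel>
 </wireless-network>
 <wireless-network number="2" type="infrastructure">
  <SSID><type>Beacon</type><encryption>None</encryption><essid cloaked="false">PLANT-TELEMETRY</essid></SSID>
  <BSSID>aa:bb:cc:dd:ee:01</BSSID><channel>6</channel>
 </wireless-network>
 <wireless-network number="3" type="ad-hoc">
  <SSID><type>Beacon</type><encryption>None</encryption><essid cloaked="false">Bobs-iPhone</essid></SSID>
  <BSSID>AA:BB:CC:DD:EE:02</BSSID><channel>11</channel>
 </wireless-network>
</detection-run>"""

# Constructed asset-management record: BSSID -> SSID it was engineered to serve.
AUTHORIZED = {"00:11:22:33:44:55": "PLANT-TELEMETRY"}


def parse_networks(netxml):
    """Yield (bssid, essid, network type, encryption) per detected network."""
    for net in ET.fromstring(netxml).iter("wireless-network"):
        ssid = net.find("SSID")
        essid = ssid.findtext("essid", "").strip() if ssid is not None else ""
        enc = ssid.findtext("encryption", "None") if ssid is not None else "None"
        yield net.findtext("BSSID", "").strip().upper(), essid, net.get("type"), enc


def find_rogues(netxml, authorized):
    """Return [(bssid, essid, reasons)] for every network not matching inventory."""
    findings = []
    known_ssids = set(authorized.values())
    for bssid, essid, kind, enc in parse_networks(netxml):
        if bssid in authorized:
            if authorized[bssid] == essid:
                continue  # engineered, tracked asset: nothing to report
            reasons = ["inventoried BSSID broadcasting unexpected SSID"]
        else:
            reasons = ["BSSID not in inventory"]
        if essid in known_ssids and bssid not in authorized:
            reasons.append("reuses an authorized SSID")  # impersonation indicator
        if kind == "ad-hoc":
            reasons.append("ad-hoc network")
        if enc == "None":
            reasons.append("open network")
        findings.append((bssid, essid, reasons))
    return findings
```

In the sample, the second network copies the plant SSID on unknown hardware with no encryption, and the third is a phone's ad-hoc hotspot; both are reported, while the inventoried telemetry AP is silently accepted.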
There are already working exploits against wireless access points, including DoS attacks that could cause issues for wireless in control systems. Other wireless protocols, such as cellular networks and wireless mesh protocols, are subject to some of the same issues that 802.11 is subject to. In many cases there are other tools that can be used to evaluate these protocols.
Image by Waldgeist86