Today, wireless communication methods are many and widely used in industrial environments for the communication between the different devices that make up the industrial process. Among them are WiFi, WiMAX and WirelessHART. CERTSI has already published a guide in which the best security practices for these protocols are presented and analysed.
Security Audit for Industrial Wireless Protocols
An industrial wireless communication audit is a process similar to a wireless security audit in corporate environments, in which the particulars of the environments and of the protocols specific to ICS (industrial control systems) must be taken into account. The main objective is to determine the level of security of the client company's wireless IT infrastructure; to this end, different tests are carried out with the help of different applications in order to find possible faults and/or weaknesses in the security of the wireless network. These particulars must be borne in mind when intrusion or vulnerability assessment tests are carried out, as such tests might compromise system security and the continuity of industrial processes.
Advantages of industrial wireless protocol audits
Industrial communication networks can be affected by different problems and security threats, some of them critical to the industrial process, e.g. denial of service. Audits of the security of these wireless networks therefore improve the security status of the communications in a way that allows us to:
- Detect default configurations.
- Detect vulnerabilities in devices.
- Detect problems in network access control.
- Detect errors in the implementation of the networks in a way that allows us to identify and apply mitigating countermeasures.
- Reduce possible attacks and security incidents.
- Implement corrective actions.
- Check the versions in use and their potential vulnerabilities.
Tests to be performed
The wireless protocols used in control systems present different problems, and there are different ways of attacking them. For this reason, all the security measures available must be applied with the intention of preventing any compromise of wireless communications. Therefore, the tests to be carried out in an audit depend largely on the communication protocols used in the organisation's technological installation. Below are some of the tests to be carried out for each of the wireless protocols most used in industry:
The tests for WiFi networks are the following:
- Check whether a password is required to join the network or to capture its traffic.
- Check whether the encryption system used in the network is robust or weak.
- Check that the supplier's default password has been changed.
- Verify the robustness of network passwords through dictionary attacks.
- Denial of Service (DoS) attacks on the WiFi network. There are many possibilities, among them various types that cause interference in the frequency channels used, or attacks on the network's access points.
- Network phishing tests, creating a false access point (AP) that impersonates a real one so that users will connect to it.
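The first three WiFi checks and the false-AP test above can be evaluated from a scan of the beacons seen around the plant. The following is an added example (not CERTSI code): it takes scan records in a hypothetical simplified format, one dictionary per BSSID as a scanner such as Kismet or airodump-ng would report it, flags open/WEP authentication, TKIP/WEP ciphers and WPS, and treats an SSID advertised with more than one security profile as a possible rogue or impersonating access point. The SSIDs, BSSIDs and channels are constructed sample values.

```python
"""Audit a WiFi scan against the checks listed above (added example)."""
from collections import Counter, defaultdict

# Constructed scan results. Three BSSIDs advertise the plant SSID; one of them
# does so with a different security profile on another channel, which is the
# pattern a false AP impersonating a real one produces.
SCAN = [
    {"ssid": "PLANT-OT",   "bssid": "00:11:22:33:44:01", "channel": 6,
     "auth": "WPA2-PSK", "cipher": "CCMP", "wps": False},
    {"ssid": "PLANT-OT",   "bssid": "00:11:22:33:44:02", "channel": 11,
     "auth": "WPA2-PSK", "cipher": "CCMP", "wps": False},
    {"ssid": "PLANT-OT",   "bssid": "de:ad:be:ef:00:01", "channel": 1,
     "auth": "OPEN",     "cipher": None,   "wps": False},
    {"ssid": "HMI-LEGACY", "bssid": "00:11:22:33:44:10", "channel": 3,
     "auth": "WEP",      "cipher": "WEP",  "wps": False},
    {"ssid": "GUEST",      "bssid": "00:11:22:33:44:20", "channel": 9,
     "auth": "WPA-PSK",  "cipher": "TKIP", "wps": True},
]

WEAK_AUTH = {"OPEN", "WEP"}      # no password, or a broken one
WEAK_CIPHER = {"WEP", "TKIP"}    # ciphers considered weak for a modern audit


def audit_bssid(rec):
    """Return the list of findings for one access point record."""
    findings = []
    if rec["auth"] in WEAK_AUTH:
        findings.append(f"weak-auth:{rec['auth']}")
    if rec["cipher"] in WEAK_CIPHER:
        findings.append(f"weak-cipher:{rec['cipher']}")
    if rec["wps"]:
        findings.append("wps-enabled")
    return findings


def rogue_candidates(scan):
    """Group BSSIDs by SSID and report those whose (auth, cipher) profile
    differs from the profile most BSSIDs of that SSID advertise.

    A legitimate SSID is normally served with one consistent profile, so a
    BSSID deviating from it is either misconfigured or an impersonating AP
    and deserves a look. Ties resolve to the first-seen profile.
    """
    by_ssid = defaultdict(list)
    for rec in scan:
        by_ssid[rec["ssid"]].append(rec)
    suspects = {}
    for ssid, recs in by_ssid.items():
        profiles = Counter((r["auth"], r["cipher"]) for r in recs)
        if len(profiles) < 2:
            continue
        expected = profiles.most_common(1)[0][0]
        suspects[ssid] = [r["bssid"] for r in recs
                          if (r["auth"], r["cipher"]) != expected]
    return suspects


def audit_scan(scan):
    """Return (per-BSSID findings for BSSIDs that have any, rogue candidates)."""
    findings = {rec["bssid"]: audit_bssid(rec) for rec in scan}
    return {b: f for b, f in findings.items() if f}, rogue_candidates(scan)


if __name__ == "__main__":
    findings, rogues = audit_scan(SCAN)
    for bssid, items in findings.items():
        print(f"{bssid}: {', '.join(items)}")
    for ssid, bssids in rogues.items():
        print(f"SSID {ssid!r} is advertised with a different security profile by {bssids}")
```

Feeding the output of a real scan into `SCAN` only requires mapping the scanner's columns onto the six fields; the rogue check is deliberately SSID-based so that it also catches an impersonating AP that copies the real network's name but not its security settings.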
With respect to WiMAX, the tests to be carried out are the following:
- Denial of Service (DoS) on the physical layer (PHY):
  - Aimed at the communication channels, introducing a noise source in the frequency used.
  - Aimed at the data packets, causing interference during short periods of time and aimed at specific packets or specific headers.
  - Aimed at the Subscriber Station, sending it false packets to consume its resources.
- Denial of Service (DoS) in the medium access control (MAC) layer.
- Verification of the robustness of the authentication mechanism.
Finally, for WirelessHART communications, the tests to perform are:
- Validation of the security mechanisms implemented to prevent command injection in the network.
- Verification that the Join Key used for encryption has been changed and is robust.
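The Join Key check can be turned into a pre-deployment test: a WirelessHART Join Key is a 128-bit AES key, so an auditor can at least verify its length, that it is not one of the rejected values, and that it is not a trivially patterned or low-entropy string. The following added example (not CERTSI code and not part of any WirelessHART tool) does exactly that; the rejected-key list contains the all-zero and all-0xFF keys plus one hypothetical factory placeholder, and the keys tested are constructed sample values. The entropy threshold is a heuristic chosen so that a randomly generated 16-byte key essentially never trips it.

```python
"""Sanity-check a WirelessHART Join Key before it is provisioned (added example)."""
import math
from collections import Counter

JOIN_KEY_BYTES = 16        # WirelessHART Join Keys are 128-bit AES keys
MIN_ENTROPY_BITS = 3.5     # heuristic: bits per byte over the 16 key bytes

# Constructed list of values an audit refuses outright. A real audit would
# load the vendor's documented default keys here; the third entry is a
# hypothetical placeholder, not a real vendor default.
REJECTED_KEYS = {
    bytes(JOIN_KEY_BYTES),
    b"\xff" * JOIN_KEY_BYTES,
    bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def entropy_bits(key):
    """Shannon entropy of the byte distribution, in bits per byte."""
    n = len(key)
    return -sum(c / n * math.log2(c / n) for c in Counter(key).values())


def repeating_period(key):
    """Smallest period p < len(key) such that the key is the p-byte prefix
    repeated (e.g. 0123456701234567... has period 8); None if there is none."""
    for p in range(1, len(key)):
        if all(key[i] == key[i % p] for i in range(len(key))):
            return p
    return None


def check_join_key(hex_key):
    """Return a list of findings for a hex-encoded Join Key; empty means OK."""
    try:
        key = bytes.fromhex(hex_key)
    except ValueError:
        return ["not-hex"]
    if len(key) != JOIN_KEY_BYTES:
        return ["bad-length"]
    findings = []
    if key in REJECTED_KEYS:
        findings.append("rejected-default")
    period = repeating_period(key)
    if period is not None:
        findings.append(f"repeating-period:{period}")
    if entropy_bits(key) < MIN_ENTROPY_BITS:
        findings.append("low-entropy")
    return findings


if __name__ == "__main__":
    # Constructed sample keys: an unchanged all-zero key, a patterned key and
    # a key that looks randomly generated.
    for k in ("00000000000000000000000000000000",
              "0123456789abcdef0123456789abcdef",
              "9f1c3b7a2e5d8c4b6a0f7e9d1c2b3a4e"):
        print(k, check_join_key(k) or "ok")
```

A key that passes these checks is not proven strong (a real audit still confirms it was generated by a proper random source and is not shared across plants), but a key that fails them should never reach a field device.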
There are many and varied tools for carrying out security audits which, for example, allow us to capture and analyse network traffic or to perform brute-force attacks on credentials.
An essential tool for audits of both wired and wireless protocols is Wireshark, which allows network traffic to be captured and analysed, whether the packets belong to WiFi, WirelessHART, WiMAX or other wired and wireless protocols, in order to discover configuration or implementation faults, intrusions, plaintext credentials, etc.
As for tools specific to each protocol, WiFi has the largest number of audit tools, among them:
- WiFiSlax and WiFiway: these are GNU/Linux distributions intended and designed for security audits in general and for wireless protocol audits in particular. Both include a long list of wireless security and audit tools.
- Aircrack-ng: a suite of tools for capturing and analysing network packets, cracking different encryption schemes (WEP and WPA2-PSK), replay attacks, false access points, etc.
- Kismet: Traffic capture tool and intrusion detection system (IDS) for wireless networks.
- Reaver: Implements brute force attacks against WPS networks.
For WiMAX network audits there is WaveJudge, which captures complete message exchanges from the upper layers, including the radio-frequency characteristics (errors included), for subsequent offline analysis.
In terms of WirelessHART devices and networks we can use the following tools:
- WirelessHART Test Suite: a tool for the Linux operating system that verifies the compliance of WirelessHART devices with the standard, and their compatibility and interoperability with HART systems.
- WirelessHART Fuzzer: helps manufacturers identify security flaws in the early stages of WirelessHART device development.
Given the extensive development, deployment and use of wireless technologies and protocols in industrial environments, securing these communications is essential in order to ensure the security of the industrial processes they serve. Their security controls must exceed those of wired communications, as the physical medium used is shared and freely accessible, which gives potential attackers easier access. That's why the periodic analysis and verification of certain basic parameters must be added to the agenda of security tests of every industry that uses these technologies.