Revelation this week of a security vulnerability in the WPA2 encryption protocol used for most wireless internet connections raised questions about overall security of wireless device networks that make up the Internet of things (IoT).
WPA2 has been the go-to encryption protocol for wi-fi internet connections for many years, replacing earlier options including WEP and WPA as intruders found ways to beat them. As covered widely in the technology media, a security vulnerability revealed this week called KRACK (for Key Reinstallation Attack) exposes a flaw in the way WPA2 reauthorizes connections left an opening for spoofing the encryption keys. The upshot is that an intruder can hijack the connection and decrypt it to collect or insert data.
Many IoT devices that connect to the internet via wi-fi rely on WPA2 for security. Most software providers have now released patches and wireless experts in the electrical industry believe those patches are sufficient to restore security. At the same time, the incident highlights the importance of diligent attention to information security at all levels.
For companies providing wireless systems that manage mission critical manufacturing and process control equipment, security must be top-of-mind from the beginning. Bob Karschnia, vice president and general manager, wireless, Emerson Automation Solutions, says encryption is always a key concern when controlling processes in refineries and manufacturing plants.
Emerson Automation Solutions has been providing wireless process control systems for over ten years now, with over 33,000 of the company’s wirelessHART systems installed and over 10 billion hours of operation combined. Karschnia, who joined Emerson after working on wireless communications security in the U.S. Air Force, talked with EM about how such a system differs from consumer-level WPA2 wi-fi security and principles that can be applied to keep any wireless system more secure.
Wi-fi networks weren’t originally built with security in mind. When security problems arose encryption such as WPA2 was added as a shell around the communications protocols. That’s why with wi-fi it’s possible to turn the security off. Wireless process control systems such as Emerson’s begin with encryption at the base layer and add more layers of encryption on top of it.
“Security has to be built into the basic system, not added as an afterthought,” Karschnia said. “With wirelessHART, which is now an industry standard for sensors in process control, encryption is on all the time. You can’t turn it off because you can’t make it depend on the implementation – you’ll always get somebody who doesn’t configure it properly,” he said. Data packets coming from a sensor in the network are encrypted before they leave the sensor, then re-encrypted for transmission over the air. “We assumed from the beginning that wireless is insecure.”
The system uses a combination of “hash tables” – which make it so a change of a single character will change everything that comes after it, making an intrusion immediately apparent – and “frequency hopping” across 15 channels to break up the signals, making it even harder for an intruder to put the data together. Wi-fi routers, by comparison, typically use one channel to send and receive data.
Emerson has security teams inside and outside the company, including customer IT departments and third-party security experts, constantly trying to hack into wirelessHART systems. None has ever succeeded, he said.
Many of Emerson’s customers do have separate wi-fi networks in their plants for use by mobile operators. Those connections do use WPA2 encryption. Emerson partners with Cisco Systems to provide that access and Cisco already has a patch available.
Ultimately keeping a wireless data system secure comes back to the basics: Change your passwords. Update the system with security patches as soon as they become available. Use virtual private networks (VPNs) to encrypt any communications across a standard wi-fi connection.
Emerson donated wirelessHART security protocols to the FieldComm Group, an organization promoting interoperable systems in the process industries, to help the industry do security better. “I don’t think it’s a good thing for companies to differentiate on security,” Karschnia said. “You’ll never hear me say my security is better than somebody else’s because if my competitor has a problem everybody gets nervous about using the products. Everybody has to be supporting security. We should all have the best interests of the industry as a whole in mind.”