
The Industrial Wi-Fi Shop Podcast

The Industrial Wi-Fi Shop Podcast – Ep. 8 Respect My Securit-ahh!

63 min • 30 July 2024
  • CWISA Guide Giveaway details
    • There are two copies of the Certified Wireless IoT Solutions Administrator (CWISA) study/reference guides
    • Winners will be drawn randomly on episode 10 (episode title TBD)
    • ONE winner will be from IT
    • ONE winner will be from OT
    • Click the link below to enter the drawing! (One entry per person)
    • https://forms.gle/eE4rYtixhbppyMti8 (link now inactive)
  • Let’s talk security – Owning your industrial airspace
    • Three things you need to consider
      • Situational awareness of your site
      • Understanding the current RF landscape
      • Securing your wireless assets
    • Situational awareness
      • Where is your site
      • Is it in an industrial park?
      • Is it in an urban area close to other buildings and businesses?
      • Is it out in the middle of “nowhere”?
    • What is around your site
      • Residential?
      • Commercial?
      • Industrial / manufacturing? 
    • Who is around your site
      • Static residential 
      • High volume transient population
      • Lions, tigers and bears, oh my!
      • What is your risk
  • Understand your RF landscape
    • What other structured wireless networks are operating on your site?
      • 802.11
      • 802.15.4
      • Proprietary wireless
    • Are there transient wireless networks?
      • Mobile hotspots
      • Transportation and fleet management  
    • Are there any sources of EMI / RFI?
      • How bad
      • What frequencies
    • What is your risk?
  • Securing your wireless assets
    • 802.11 security
      • Obviously, do not use WEP or WPA (granted I do know that there are still legacy devices in production environments out there and that sometimes you have no choice. Be sure to document what you cannot mitigate!)
      • WPA2 still the most common, enable Protected Management Frames if you can/have the option
      • WPA3 the most preferable
        • Advanced and improved encryption
        • MFP (Management Frame Protection, the same feature as Protected Management Frames above) is mandatory
    • 802.15.4 security
      • 128-bit AES encryption is built into the standard
      • Above layer 2 of the OSI model, compliant devices often implement other security options, from onboarding to CRCs; it depends on the vendor
      • Want to know more about Bluetooth security – check out episode 6
      • Want to know more about WirelessHART or ISA100 security – check out episode 4
    • Proprietary wireless security
      • Usually have encryption options
      • Unique onboarding processes for mesh devices
      • Contextless data transfer 
    • Management access
      • Disable Over-the-air (OTA) management
      • Use HTTPS/SSH whenever possible
      • VLAN/segment out management IP addresses whenever possible
      • NEVER use default passwords and security settings
  • Key takeaways
    • Owning your industrial airspace is much more than simply encrypting wireless traffic
    • You need to look at your site as a whole to fully realize and understand your overall risk
    • You do not have the luxury of deciding whether or not you are a target
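
The 802.11 guidance in the notes above (avoid WEP/WPA, enable PMF on WPA2, prefer WPA3) can be checked against what an access point actually advertises. The following Python sketch is an added example, not material from the episode: it parses the body of an RSN element (element ID 48) from a beacon and grades it. The grade labels, function names and sample bytes are assumptions constructed for illustration, and WPA3-Enterprise is not distinguished from WPA2-Enterprise.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN capability bits: PMF required / PMF capable

def _count(body, off):
    """Read one little-endian 16-bit field, rejecting truncated input."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    return struct.unpack_from("<H", body, off)[0], off + 2

def _suites(body, off, count, names):
    """Decode `count` 4-byte suite selectors (3-byte OUI + 1-byte type)."""
    if off + 4 * count > len(body):
        raise ValueError("truncated RSN element")
    sels = [body[i:i + 4] for i in range(off, off + 4 * count, 4)]
    out = [names.get(s[3], f"type-{s[3]}") if s[:3] == OUI else "vendor" for s in sels]
    return out, off + 4 * count

def parse_rsn(body):
    """Parse an RSN element body (ID/length header already removed)."""
    version, off = _count(body, 0)
    group, off = _suites(body, off, 1, CIPHERS)
    n, off = _count(body, off)
    pairwise, off = _suites(body, off, n, CIPHERS)
    n, off = _count(body, off)
    akms, off = _suites(body, off, n, AKMS)
    caps = _count(body, off)[0] if off + 2 <= len(body) else 0  # field is optional
    return {"version": version, "ciphers": set(group + pairwise), "akms": set(akms),
            "pmf_capable": bool(caps & MFPC), "pmf_required": bool(caps & MFPR)}

def grade(body):
    """Map an advertised RSN element (or None) onto the ladder from the notes."""
    if body is None:
        return "legacy"          # no RSN element: open, WEP or original WPA
    rsn = parse_rsn(body)
    if rsn["ciphers"] & {"WEP-40", "WEP-104", "TKIP"}:
        return "legacy-cipher"   # mixed mode still accepts WPA-era ciphers
    if "SAE" in rsn["akms"]:
        return "wpa3" if rsn["pmf_required"] else "wpa3-transition"
    return "wpa2-pmf" if rsn["pmf_capable"] else "wpa2-no-pmf"

# Constructed sample elements, not captured from any real network
SAMPLES = {"old-scanner": None,
           "mixed-mode": bytes.fromhex("0100000fac020200000fac04000fac020100000fac020000"),
           "wpa2-plain": bytes.fromhex("0100000fac040100000fac040100000fac020000"),
           "wpa2-pmf": bytes.fromhex("0100000fac040100000fac040100000fac028000"),
           "wpa3-sae": bytes.fromhex("0100000fac040100000fac040100000fac08c000")}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {grade(body)}")
```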

This is what my 900MHz signal generator looks like in spectrum analysis. It’s definitely a unique signature from the Density view at the top to the Waterfall view in the middle. You can also see in the bottom panel how it just eats up airtime utilization.

If you would like to know more about our guests, check them out on LinkedIn:

Jeremy Baker – https://www.linkedin.com/in/jeremyabaker/

If you would like to connect with me or learn more about my employer, Global Process Automation (GPA), then check the following:

Scott McNeil – https://www.linkedin.com/in/americanmcneil/

GPA – https://www.global-business.net/
