Many users believe the above headline to be an oxymoron, and that wireless devices are inherently less secure than wired devices. Yet these same individuals regularly connect to public wireless hot spots. One of the consequences of using wireless hot spots in airports, coffee shops and hotels is the sharing of some amount of personal information—and oftentimes that information is unwittingly shared with a honey-pot access point with a legitimate sounding name.
Similarly, on the home front, Wi-Fi is the “default” network for connecting your smart television, voice-activated assistant, security cameras, and doorbells—yet your neighbors or anyone driving by can potentially access that same network.
Statistics indicate that 35% of people don't change default passwords, and when they do, the chosen password is considered weak—certainly not encouraging for your personal security. Consequently, to protect us from ourselves, governments are introducing legislation. U.K. laws ban default passwords, and a similar law in California mandates that IIoT devices must prompt for a change in password, so the factory default password can only be used for the initial power-on and setup.
This begs the question. If people are generally so careless with the personal wireless that's ubiquitous in our daily lives, why then are we unwilling to use wireless in industrial settings, especially when, as I describe below, we have better controls in that environment?
More secure than most personal wireless
OT networks will, as a minimum expectation, have administrators who change default passwords to strong ones. These networks, normally used as the backhaul and hence are part of the overall facility infrastructure, will also be installed using good design practices, including the ability to support further cybersecurity practices as defined by ISO 2700n and IEC 62443 series documents. Then, depending on the industry, there will also likely be related regulations and requirements on top of these industry standards.
Supervised networks also have tools to collect, analyze and report identified incidents to operators or administrators, and in some cases, automatically respond to these incidents to prevent their escalation. Of course, they also support segmentation into zones and conduits to limit the spread of any event. At home, your house/hotspot is in theory the zone, but with many of us working remotely, it doesn't take much imagination to see how this could be a backdoor into your company’s corporate systems, and continue from there through a VPN into whichever systems are connected at the other end.
Industrial networks almost always support OSI Layer 4 Transport Layer Security (TLS) or mTLS, which is akin to using https: vs http: in your web browser. TLS evolved from Secure Socket Layer (SSL), a lightweight cryptographic protocol that provides end-to-end security of data sent between applications to ensure that eavesdroppers and hackers are unable to see what you transmit.
Wireless sensor networks (WSN) require provisioning that entails a built-in level of security. And while wired sensor connections and networks act more like USB devices—where when you plug them in, the system recognizes them—WSNs also support whitelists and use frequency hopping to make it more difficult to connect to the network if you don't know the pattern.
All networks have vulnerabilities. Wireless networks have the potential to be accessed without “physically” connecting, which potentially makes it easier to connect. However, with good cybersecurity practices and hygiene monitoring of all the traffic on the network, including packet inspection, AI analysis, etc., the relative risk of wired versus wireless is roughly the same. The weakest link in most cases continues to be the people themselves.
As Joe Weiss regularly reminds us in his Unfettered blog, all the above steps certainly help, but defense and attack strategies continue to evolve on both sides of the cybersecurity equation.
About the author: Ian Verhappen