Emerson has been in the forefront of industrial wireless applications for instrumentation and device-level networks since 2005. Emerson was an early implementer of WirelessHART and has led the industry in that effort. In spite of thousands of successful installations of WirelessHART networks, some prospective users still express concerns about cyber security. This is a justifiable question and it is good to see users are paying attention to this important issue. It has been a major part of Emerson’s efforts since the beginning.
Bob Karschnia has been the face of Emerson’s wireless efforts from the outset, and he addresses the issue of cyber security for industrial wireless networks directly, including WirelessHART, in the April 2019 issue of CIO Applications in an article titled Addressing the Complex Cyber Security Needs of Digital Manufacturing. He makes the point that industrial applications involve a mix of networks, and the interface points are often where vulnerabilities crop up.
Today’s digital manufacturing applications typically use a mix of wired and wireless communication on interconnected networks for transmitting data collected by sensors to host systems. Industrial wireless networks connect to wired system to hand off data, introducing possible points of vulnerability. This means someone trying to secure the network must look at the infrastructure from end-to-end to create an effective defensive strategy.
Looking at all the networks from end-to-end is complicated in industrial contexts by the long-standing split between the plant (OT networks) and the office (IT networks). Where those two divisions encounter each other, the interface can be particularly awkward and potentially vulnerable.
Operations technology (OT) personnel have to move data to IT systems so management and accounting can access it. If a hacker can find a vulnerability in the OT applications and networks, this can often provide a path to move into the IT networks. This is a tried-and-true method since OT networks are usually not as well protected as IT networks. Adding industrial wireless networks and extensions make the problem worse by creating additional hand-off points and a larger attack surface.
Bob examines a variety of attack vectors hackers might use to invade wired and wireless networks. Some are crude and can do nothing more than disrupt communications, while others are more sophisticated and aim at gaining access to larger networks. The encryption used with WirelessHART and the mechanisms to legitimately join devices to a network are effectively unbreakable, but that doesn’t keep hackers from looking for gaps in the protection at the hand-off points, often due to careless implementations.
In spite of all these security measures, careless users and poor network managers can create vulnerabilities by being lax with passwords and join keys. If these are not applied to their greatest advantage and workers trained to understand their importance, they can fall into the hands of hackers allowing them to gain access.
So, never forget the human element since it is a major contributor, for better or worse, to security efforts. It’s also important to make sure you’re working with a partner that can provide the necessary support.
Creating a new cyber security strategy or evaluating an existing one requires working with a vendor able to manage the big picture to create a network with the required security features. Once the proper network is selected, users must be vigilant to ensure ongoing cyber security. If these steps are taken, the network will be sufficiently secure for the most critical applications.
You can find more information like this and meet with other people looking at the same kinds of situations in the Emerson Exchange365 community. It’s a place where you can communicate and exchange information with experts and peers in all sorts of industries around the world. Look for the Wireless and IIoT Groups, and other specialty areas for suggestions and answers.