Wireless Security for Utilities: Uses, Issues, and Solutions

Authored by Matt Bossom, Director of Wireless, Accuvant

While many utilities still rely on hard-wired networks for data and voice communication, these brittle systems are being replaced and augmented by wireless networks that support both traditional and multimedia data traffic. Wireless networks allow utilities to scale easily, to improve communication, and to access systems remotely.

When comparing the option of wired versus wireless, concerns about security, infrastructure, and regulations can make a utility wary of change. A common misperception about going wireless is that making changes might add points of failure or increase network vulnerability. In actuality, the advent of wireless devices that help utility and energy facilities keep better track of data controls through secure networking can also aid in compliance with regulations and standards. Not only do energy suppliers that make the switch save money and increase productivity, they also improve their environments and facilitate compliance.

Energy and utility companies reluctant to implement wireless systems cite several concerns:

• Security - potential for jamming and hacking attacks, leading to service interruptions, rendering the voice network and first response system useless, and causing further fallout; and differing access needs of the utility's workforce
• Infrastructure - archaic construction or line-of-sight issues make the upgrade to a new network infrastructure tricky
• Service Interruptions - prospective downtime in the production environment may occur during the migration cycle from wired to wireless

Utilities contemplating an upgrade to a wireless environment, or those who currently utilize wireless technology and are looking to expand on its benefits, should have confidence in today’s wireless capabilities.
This paper will examine the above challenges faced by utility and energy organizations and discuss solutions and approaches to alleviate these concerns when planning a wireless deployment.

Issue #1: Security: Jamming, Hacking, and Access Control

Utility companies have unique security concerns. They rely on data and voice communication in a number of ways that directly affect business efficiency and that have potential repercussions for employee and community safety. On-site workers at power facilities, including electrical engineers, architects, security guards, office personnel, and information technology professionals, need instant and reliable communication methods to relay critical data to each other and to public safety officials. Staff members may rely on cellular phones as their communication conduit, but these devices have posed several significant challenges. Cell phone coverage is spotty or altogether unavailable in remote locations, and cell calls can be intercepted, creating the potential for critical data loss.

Utilities have been seeking to adopt newer technologies that address their communication needs, and wireless devices have been an attractive option. However, concerns over security have prevented utilities from considering this alternative: fears of jamming and hacking into systems have been the primary obstacle. If a jamming attack were to take place or a wireless device were configured improperly, the network could be compromised, causing a lapse of security that could affect thousands, if not millions, of customers and, worse, lead to a national security disaster.

Wireless Technology - Proven, Reliable and Secure

The evolution of wireless technology over the past decade has been significant, and the notion of deploying a wireless environment that was once a remote possibility is now a reality.
The market for wireless solutions is significant and the capabilities of today’s RF technology are impressive. Products are not only intuitive and provide an abundance of functionality, but are also being engineered with security in mind. Technology leaders in this space have reacted to the mounting needs of their client base and have made unprecedented investments in research and development. Mobile computing devices, including handhelds, laptops and voice handsets, are standardized with security features and protocols including VPNs, WPA2/802.11i, two-factor authentication, strong encryption, physical security, and wireless IPS monitoring to prevent network breaches and RF jamming attacks.

Mandatory security protocols embraced by utility and energy organizations include:

User Access Control. Authentication must be handled at the earliest point of connection for each client device attaching to the network. Devices have ‘user access’ settings which allow them to be assigned to a specified user access group that defines parameters and guidelines for how information is received and distributed. Once a user has connected to the network and their identity is validated, the network determines where on the network they are allowed to go, what data they can view, and what they are allowed to do with this data. Rarely does every user in the authentication database have the same privileges and access rights. Authentication and authorization must be combined to provide the necessary level of user access control.

Monitoring/Alerting/Reporting. Monitoring features are especially critical for wireless used amongst utilities. RF network monitoring and reporting tools such as wireless IPS identify anomalies in network traffic and alert IT staff to potential vulnerabilities and unauthorized users, ultimately facilitating increased uptime and customer satisfaction by providing for uninterrupted data flow across the enterprise.
Monitoring can be conducted onsite or remotely, but technologies such as IPS enable the monitoring of both the data and the airwaves it traverses. This is critical to a utility and will block unauthorized users and rogue devices from gaining access to the network or launching an RF jamming attack that could interfere with production. Monitored information should include power usage, SCADA control systems, engineering drawings for the plant or pipeline, IT configurations and more.

For example, a utility substation could be a primary target for a hacker given the wealth of information/equipment represented by it (connected to the primary energy source and the distributor of energy to residences/consumers). A hacker could sit in their car a mile away and attempt to break in, but IPS technology will identify the rogue user and will block access. An alert will also be sent to the appropriate utility worker and data security group to help determine the seriousness of the attempted break-in and to determine the next course of action.

Encryption. Two-factor authentication and strong encryption ensure the delivery and transmittal of secure, critical data. The utility workforce uses many types of mobile devices — mobile computing handhelds, two-way radios, laptops and voice handsets — requiring a segmented network with differentiated access for each user group. WPA2 is recommended for all handhelds and laptops, while WPA-PSK might be used for voice handsets that do not support stronger authentication and encryption. Devices that do not support WPA2 should be segmented from the rest of the wireless network, ensuring attackers do not use the less secure devices to gain access to critical information systems. Designing the wireless network with the proper authentication and authorization will eliminate many of these issues.
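The User Access Control and Encryption paragraphs above describe three checks that have to hold together: authentication at the point of connection, isolation of devices that cannot do WPA2, and group-based authorization. The following is an added example, not code from the paper or from any product; the group, segment and zone names and the sample sessions are constructed for illustration.

```python
# Added example: constructed policy data; group, segment and zone names are hypothetical.
GROUP_ZONES = {
    "engineer": {"scada", "engineering"},
    "contractor": {"engineering"},
    "guard": {"voice-gateway"},
}
SEGMENT_ZONES = {
    "wlan-wpa2": {"scada", "engineering", "voice-gateway"},
    "wlan-legacy": {"voice-gateway"},  # WPA-PSK-only handsets stay isolated
}


def segment_for(device_modes):
    """Put a device on the WPA2 segment only if it supports WPA2."""
    if any(mode.startswith("WPA2") for mode in device_modes):
        return "wlan-wpa2"
    return "wlan-legacy"


def decide(session, zone):
    """Return (allowed, reason) for one request; every check must pass."""
    # 1. Authentication: both factors verified at the point of connection.
    if not (session["password_ok"] and session["token_ok"]):
        return False, "authentication incomplete"
    # 2. Device segment: a weaker device cannot be a path to critical zones.
    segment = segment_for(session["device_modes"])
    if zone not in SEGMENT_ZONES[segment]:
        return False, f"segment {segment} may not reach {zone}"
    # 3. Authorization: the user's group must be entitled to the zone.
    if zone not in GROUP_ZONES.get(session["group"], set()):
        return False, f"group {session['group']} is not authorized for {zone}"
    return True, "ok"


# Constructed sessions for the walk-through.
SESSIONS = {
    "engineer on WPA2 laptop": dict(
        group="engineer", password_ok=True, token_ok=True,
        device_modes={"WPA2-Enterprise"}),
    "engineer on PSK handset": dict(
        group="engineer", password_ok=True, token_ok=True,
        device_modes={"WPA-PSK"}),
    "contractor on WPA2 handheld": dict(
        group="contractor", password_ok=True, token_ok=True,
        device_modes={"WPA2-Enterprise", "WPA-PSK"}),
    "engineer, token missing": dict(
        group="engineer", password_ok=True, token_ok=False,
        device_modes={"WPA2-Enterprise"}),
}

if __name__ == "__main__":
    for label, session in SESSIONS.items():
        allowed, reason = decide(session, "scada")
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{label:30} scada -> {verdict} ({reason})")
```

The second session is the case the Encryption paragraph is concerned with: the user is fully entitled to the SCADA zone, but the request is refused because it arrives from the segment reserved for devices that cannot do WPA2.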
Issue #2 - Infrastructure: Archaic Construction and Line-of-Sight Obstructions

Whether power plants are a quarter-century old or are currently under construction, utility companies must deal with a range of infrastructure issues when designing, deploying, and configuring wireless environments. Integrating voice and data flow between multiple buildings, guard shacks, utility substations, pipelines, and power blocks can be difficult when line-of-sight obstructions exist (such as towers and new construction) between existing RF links. Environmental concerns such as curvature of the earth, rain, snow, wind, fog, etc. also present design challenges. When designing a wireless network, an inventory of all potential obstacles should be compiled. Similarly, all potential ‘physical assets and infrastructure objects’ need to be identified as possible mounting locations for wireless access points. Mobile towers, light poles, building rooftops, etc., are often overlooked and can provide a clean, usable signal for point-to-point, point-to-multipoint, and mesh designs. Fresnel zones must remain clear between these locations, and leveraging taller, existing mounting locations can be a cost-effective way to overcome many interfering RF line-of-sight obstructions. Online satellite maps and link calculators can also be used to improve accuracy in areas where live RF site survey testing is not allowed due to plant restrictions.

Wireless technology gives some established utilities the prospect of a network upgrade. Many utilities and energy organizations have struggled with a number of factors, including on-site physical perils such as chemicals as well as OSHA standards/guidelines, that make the architecture of a new network challenging. Wireless technology, however, makes a network update practical, realistic, and simplified.
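A sketch of what a link calculator does for the Fresnel zone and earth-curvature checks mentioned above, as an added example that is not from the paper. The link parameters and obstacles are constructed, antenna and obstacle heights are assumed to be measured from a common flat datum, and the 60% first-zone clearance target and the 4/3 refraction factor are common engineering conventions rather than figures from the paper.

```python
import math

C = 299_792_458.0             # speed of light, m/s
EARTH_RADIUS_M = 6_371_000.0  # mean earth radius, m


def fresnel_radius(d1_m, d2_m, freq_hz, n=1):
    """Radius (m) of the n-th Fresnel zone at a point d1 from one end, d2 from the other."""
    wavelength = C / freq_hz
    return math.sqrt(n * wavelength * d1_m * d2_m / (d1_m + d2_m))


def earth_bulge(d1_m, d2_m, k=4 / 3):
    """Height (m) that earth curvature adds at that point; k is the refraction factor."""
    return d1_m * d2_m / (2 * k * EARTH_RADIUS_M)


def clearance_report(h_a, h_b, link_m, freq_hz, obstacles, required=0.6):
    """Check each (name, distance from site A in m, height in m) obstacle on the path."""
    report = []
    for name, d1, height in obstacles:
        d2 = link_m - d1
        # Height of the straight ray between the two antennas at this point.
        beam = h_a + (h_b - h_a) * d1 / link_m
        # Room left above the obstacle once curvature has raised it.
        clearance = beam - (height + earth_bulge(d1, d2))
        needed = required * fresnel_radius(d1, d2, freq_hz)
        report.append({
            "name": name,
            "clearance_m": round(clearance, 2),
            "needed_m": round(needed, 2),
            "clear": clearance >= needed,
        })
    return report


# Constructed 8 km, 5.8 GHz point-to-point link with antennas at 30 m and 25 m.
LINK = dict(h_a=30.0, h_b=25.0, link_m=8000.0, freq_hz=5.8e9)
OBSTACLES = [
    ("existing tower", 4000.0, 15.0),
    ("new construction", 2000.0, 24.0),
]

if __name__ == "__main__":
    for row in clearance_report(obstacles=OBSTACLES, **LINK):
        status = "clear" if row["clear"] else "OBSTRUCTED"
        print(f"{row['name']:17} clearance {row['clearance_m']:6.2f} m, "
              f"needs {row['needed_m']:5.2f} m -> {status}")
```

The second obstacle sits below the direct ray, so the far end is still visible, yet it intrudes into the Fresnel zone; this is the situation where moving to a taller existing mounting location fixes the link.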
A well-designed mesh wireless architecture provides utility and energy organizations an optimal solution that overcomes the associated physical challenges of archaic networking environments. Mesh devices including access points, bridges, handhelds, and CPE devices can be used along with movable towers and light poles to communicate with each other using different mesh routing protocols. Wireless communications can take multiple hops and then get back to the backhaul link in the middle of the site without an engineer configuring it that way on a daily basis or when the environment changes. Mesh networks also have several layers of security built into them so that different classifications of workers can only access certain types of data remotely. Mesh networks allow employees to communicate with each other and other devices securely. For example, if service trucks are equipped with handhelds and they roam from one coverage zone to the next, the systems are intuitive enough to seamlessly transition and switch to a new secure frequency setting. Additional software can be used to roam between the mesh network and a cellular network for coverage in remote areas. Many utility vehicles are now being equipped with this technology. 
Using wireless in a mesh configuration is a cost-effective solution, providing greater capabilities including:

• WLAN connectivity for laptop users passing pertinent data such as AutoCAD drawings, mechanical information, SCADA updates, power consumption, OSHA information for contractors, IT configuration data, etc.
• Wireless handsets providing a converged voice and data experience for those who need it
• PDA user ability to log in anywhere around the power block to update automation and control maintenance records
• First responder access using real-time location tracking to search for workers in case of emergency
• Remote monitoring of meters, systems, and downtime or service breaches

Issue #3 - Service Interruptions: A Smooth Conversion

Adding to an existing communications system or switching to wireless altogether must be handled carefully, in order to ensure that no service interruptions take place during implementation. Organizations must use a detailed phased approach that incorporates the following key steps:

Flawless Design. Before implementing a wireless technology solution, an organization must have an understanding of the impact the solution will have on its overall IT environment. The organization's existing wired and wireless infrastructure should be leveraged to maximize effectiveness. Long-term scalability is weighed against short-term cost savings, and compliance mandates influence business decisions. Crafting the right wireless solution is the first step to a successful project. Project goals and business drivers need to be incorporated.

Product Selection. Numerous wireless products exist in the market, but utilities need to undergo a product selection process to help mitigate risk. Sufficient time should be allocated to a due diligence cycle to review available options and map solutions to one’s business, compliance, and technical needs.
Accuvant recommends testing equipment and conducting proofs of concept to validate the viability and functionality of a given wireless solution set. Utilities should opt for industry-leading, best-of-breed solutions that are proven, scalable, highly functional, easy to integrate, and secure.

Testing. Rolling out back-up technology and building in communications redundancies is instrumental. Fallback testing and disaster recovery must be planned out to ensure a smooth transition in frequencies and security controls in the event of a network failure.

Deployment/Configuration. Once an organization has architected a wireless design strategy, it must deploy and integrate the solution into its environment. Because of the critical nature of a utility, special attention should be given in this phase to having a thoughtful, well-crafted deployment strategy.

Policy and Procedures Development. Information security policies, standards, and procedures form the foundation of a strong security program and are instrumental to ensuring no security breaches within a utility. Organizational requirements must be determined and mapped back to regulations, industry standards, and other controls. These will serve as the framework for policy and procedural development.

User Awareness/Training. Training is often viewed as a reaction after a project deployment. Training needs to be viewed as a proactive means for utilities to prevent issues with their wireless environment. Education raises awareness among employees, contractors and emergency personnel and teaches them how to utilize wireless technology accordingly.

Wireless in Action

Accuvant has had the privilege of helping dozens of utilities embrace wireless technology to improve productivity, create a more secure environment, and help achieve compliance. Several unique scenarios are showcased, demonstrating the wide use of wireless.
Case Study #1

A nuclear reactor facility powering energy for several states needed to upgrade their environment and required a wireless solution. Running a cable through three-foot thick walls—with chemical dangers and OSHA standards—wasn’t practical. Because few places existed to run fiber optics, black holes of communication were present inside their facilities. The organization also wanted to upgrade their two-way radio system for better communication.

A wireless network was deployed including the use of handheld wireless devices by its workforce. The company relies on an integrated plan to keep handhelds communicating properly while also monitoring for possible anomalies on the network. Currently, the utility is upgrading to a P25 system, which will allow large groups of plant workers and first responders to communicate and to input data. Mobile computers, wireless laptops, and dual mode voice handsets are used for the data and voice needs for field workers, contractors, and IT staff. A mobile Windows operating system allows workers to scan in bar codes or scan in images to perform multiple functions across a wireless device. Additionally, the P25 system allows public safety organizations to drive up to the facility and gain secure access to the voice/radio system.

Case Study #2

This energy company engages a field group that travels to 400 substations. Each substation is an aggregation point for power lines for highly populated areas. No one works at the substations—at most, field service employees visit substations to fix problems or to monitor data controls in order to be sure that they are functioning properly. The utility could potentially lose millions of dollars per day if the network goes down and ceases to provide power to such large population groups. It could also face large fines if it does not follow compliance regulations for reading meters and billing customers; the company must be able to monitor and control substations remotely and securely.
Wireless access points were deployed at every substation. IPS technology is in place to verify that rogue users are not making unapproved Wi-Fi connections. In addition, service trucks are equipped with handhelds that communicate on multiple wireless frequencies. If a utility truck comes by the substation, the driver will only have to pull within 300 feet with the handheld scanner and data will be logged instantly. If drivers go beyond 300 feet of the facility, they get wireless secure roaming on a handheld tablet with a 3G signal and fast speeds. This ensures that they will never be out of touch, no matter how remote the truck location. The trucks will also have a fallback third frequency for public safety so they are never out of range of connectivity in the event of an emergency in a very remote area. These services ensure that the utility can accurately report network downtime or breaches of service to auditors. The deployment of this system improves productivity and public safety in addition to providing faster communication.

Related to this type of remote access for utility trucks is the Bluetooth interface on pole tops. Utility workers do not have to climb to the top to make changes to the boards or update devices - they can pull up to the pole and make changes from the truck.

Case Study #3

This power entity has surveyed dozens of inactive strip mine sites to be converted into nuclear power plants for energy production within the United States. In a massive undertaking, the utility is building out nuclear facilities on several identified sites. Unlike the first two utilities, where the plants are 30+ years old, with existing networks that need to be updated to wireless, this company contends with SCADA issues involving a complete lack of a cabling infrastructure and a constantly changing landscape.
There is no existing network infrastructure at these sites – just large holes in the ground where mining once took place, and the landscape at these sites changes on a daily basis as towers, substations, and trailers are continually constructed and moved. Yet the organization needs to have secure, consistent connectivity among these structures and with the outside world.

The organization has deployed a ‘mesh communications system’ with movable towers to maintain communications. APs mounted on movable towers listen to other APs and handhelds around the site and come up with an RF mesh canopy. The wireless communication devices can take multiple hops—2 to 8 of them—and then get back to the tower in the middle of the site without an engineer configuring it that way on a daily basis. The system is a self-healing network that provides the energy provider with a vast number of solutions, using trailers and substations to communicate back to the central tower. The mesh network has several layers of security built into the system, so that different classifications of workers can only access certain types of data remotely.
Making Wireless a Reality

In summary, there are several strategies for ensuring a successful wireless deployment within a utility environment:

• Identify devices and services that meet the unique needs of the network
• Consider physical components and security of the critical infrastructure in your design and deployment methodology
• Utilize security protocols that monitor access and detect anomalies
• Determine and analyze roles within an organization and how each person should access data and what types of data
• Create solutions that allow public safety officials direct access to communications when appropriate
• Leverage two-factor authentication for authorized users to gain access only to the resources that they require
• Implement the highest level of encryption supported by each mobile device
• Devise a holistic wireless plan that includes disaster recovery as a component
• Undergo the proper level of due diligence when evaluating wireless products