United States Environmental Protection Agency
Water and Wastewater Security Product Guide

Wireless Data Communications

Detect Off
Delay Off
Respond On
 

 

Objective
Wireless data communications devices are used to enable transmission of data between computer systems and/or between a SCADA server and its sensing devices, without individual components being physically linked together via wires or cables. In water and wastewater utilities, these devices are often used to link remote monitoring stations (i.e., SCADA components) or portable computers (i.e., laptops) to computer networks without using physical wiring connections.

Application
Wireless devices can be used or applied at remote locations where hardwiring would be impractical, or they can also be used on mobile units.

Location Used
Wireless devices can be used at any location where a wireless connection can be made.

 
 

Description

[Figure: Wireless Network Interface Card]
A wireless data communication system consists of two components: a "Wireless Access Point" (WAP), and a "Wireless Network Interface Card" (sometimes also referred to as a "Client"), which work together to complete the communications link. These wireless systems can link electronic devices, computers, and computer systems together using radio waves, thus eliminating the need for these individual components to be directly connected together through physical wires. While wireless data communications have widespread application in water and wastewater systems, they also have limitations. First, wireless data connections are limited by the distance between components (radio waves scatter over a long distance and cannot be received efficiently unless special directional antennas are used). Second, these devices only function if the individual components are in a direct line of sight with each other, since radio waves are affected by interference from physical obstructions. However, in some cases, repeater units can be used to amplify and retransmit wireless signals to circumvent these problems. The two components of wireless devices are discussed in more detail below.

WAP: The WAP provides the wireless data communication service. It usually consists of a housing (which is constructed from plastic or metal depending on the environment it will be used in) containing a circuit board; flash memory that holds software; one or two external ports to connect to existing wired networks; a wireless radio transmitter/receiver; and one or more antenna connections. Typically, the WAP requires a one-time user configuration to allow the device to interact with the Local Area Network (LAN). This configuration is usually done via a web-driven software application which is accessed via a computer.

Wireless Network Interface Card/Client: A wireless card is a piece of hardware that is plugged in to a computer and enables that computer to make a wireless network connection. The card consists of a transmitter, functional circuitry, and a receiver for the wireless signal, all of which work together to enable communication between the computer, its wireless transmitter/receiver, and its antenna connection. Wireless cards are installed in a computer through a variety of connections, including USB Adapters, or Laptop CardBus (PCMCIA) or Desktop Peripheral (PCI) cards. As with the WAP, software is loaded onto the user's computer, allowing configuration of the card so that it may operate over the wireless network.

Applications
Two of the primary applications for wireless data communications systems are to enable mobile or remote connections to a LAN, and to establish wireless communications links between SCADA remote telemetry units (RTUs) and sensors in the field. Wireless card connections are usually used for LAN access from mobile computers. Wireless cards can also be incorporated into RTUs to allow them to communicate with sensing devices that are located remotely. For more information on SCADA systems, please refer to the Supervisory Control and Data Acquisition (SCADA) Product Guide. A graphic showing these connections is presented in the figure below.

[Figure: Schematic of Wireless Connections to a SCADA System and to a LAN]

Attributes and Features

There are two general classes of wireless data communication devices used in water and wastewater facilities: those used for accessing a facility or company's LAN (these devices are classified together in the 802.11 family of communication protocols); and specialized point-to-point transmission units for SCADA data collection from remote RTUs, most of which utilize proprietary protocols. These are discussed separately below.

[Figure: Wireless Access Point Unit]

LAN Connections
Remote LAN access is achieved by installing a wireless card in a desktop and/or notebook computer. This wireless card then locates a WAP and establishes a communications link with it through a predefined exchange of authorization information (known as a "synchronization handshake"). The synchronization handshake format and protocol were formally defined by the Institute of Electrical and Electronics Engineers (IEEE) in the 802.11 standards, which are discussed further below. Implementing a Virtual Private Network (VPN) system will provide a secure "tunnel" for users to communicate remotely. VPNs will be covered in a future Product Guide.

Modern wireless communications devices constructed for LAN use have been standardized to follow current specifications released by the IEEE. These specifications include the following:

Table 1: Comparison of 802.11 Specifications

| Wireless Standard | Frequency (GHz) | Data Transfer Rate (Megabits/second or Mbps) | Comments |
|---|---|---|---|
| 802.11 | 2.4 | Up to 2 | • Relatively slow and considered outdated; • Original Specification did not require encryption. |
| 802.11B | 2.4 | 11 | • Also known as WI-FI; • Only three non-overlapping channels; • Susceptible to greater interference, yet has better range and decreased equipment cost over 802.11A; • Backwards compatible with 802.11 standard equipment |
| 802.11A | 5.15-5.25 (Low Band); 5.25-5.35 (Med Band); 5.725-5.825 (High Band-Outside Only) | 54 | • Eight available non-overlapping channels; • Less interference than 2.4 GHz devices; • Shorter range than the 2.4 GHz devices; • Not backward compatible with 802.11B; • Equipment typically more expensive than the 802.11B/G compatible equipment. |
| 802.11G | 2.4 | 54 (throughput is approximately 22) | • Has many of the 802.11B characteristics; • Backward compatible with the 802.11B standards; • Higher data-transfer rates than 802.11B devices; • Stronger security options than the 802.11B devices. |

802.11 - Original specification; no longer in widespread use.

802.11 B ("Wi-Fi") - "B"/Wi-Fi-based devices use a 2.4 GHz frequency (rate of signal pulse) and have a maximum data transfer rate of 11 Mbps (speed enough to send 2 million characters per second). These devices are susceptible to household and electronic interference. "B"/Wi-Fi compliant devices offer support for Wired Equivalent Privacy (WEP) (see Wireless Security Enhancements - Encryption below for a discussion of the security considerations for WEP).

802.11 A - "A"-based devices use a 5 GHz frequency, which is faster than "B"/WiFi and less crowded than the "B" or "G" protocol frequencies. "A"-type devices are not compatible with "B"/WiFi or "G"-based devices because of the differences in the frequencies they use. WAPs and wireless cards based on the "A" specification have a maximum standardized transfer rate of 54 Mbps, although some vendors offer the ability to transfer at up to 108 Mbps or more, using proprietary compression technologies.

802.11 G - "G"-based wireless cards and WAPs also use the 2.4 GHz frequency and are faster and more secure than "B"/Wi-Fi devices. Some are also backwards-compatible with "B"/Wi-Fi based wireless cards. The 802.11G-based devices can support a transfer rate up to 54 Mbps and tend to have more comprehensive security mechanisms than do "B"/Wi-Fi devices, since "G" is a newer specification. Most "G"-based devices use Wi-Fi Protected Access (WPA), which is a more secure way of encrypting information and authorizing users (see below for a discussion of the security considerations for WPA).

802.11 I - "I"-based devices are very new (the standard was approved in June 2004), and some products are just now beginning to appear in the marketplace. Devices conforming to this specification combine the abilities of WPA and add Advanced Encryption Standard (AES) Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for data encryption (see Wireless Security Enhancements - Encryption below for more discussion on AES CCMP). 802.11 I does not deal with the frequency and modulation physical link layer that characterize the "A", "B", and "G" variations of 802.11, but rather governs the bits that run over the physical link. This affects the link traffic, but not the link itself. "A" and "G" devices may have an available hardware upgrade that will support this standard. A new feature called Message Integrity Check inspects the transmitted data stream for packet forgery (which verifies the integrity of the information being sent), and uses 802.1x Extensible Authentication Protocol - Transport Level Security (EAP-TLS) for the authentication element (see Wireless Security Enhancements - Authentication below for more discussion on EAP-TLS). AES meets the requirements for the Federal Information Processing Standard (FIPS) 140-2 specification. Because 802.11 I does not address the frequency and modulation characteristics of the physical communications link, it is not covered in Table 1.

Note: 802.11 N is the proposed next generation of wireless communications. It proposes to support much higher throughput (theoretically up to 500Mbps) through multiple input and output multiplexing, and has a goal of backwards compatibility with existing equipment to the extent possible. Because 802.11 N is not yet fully developed, it is not covered in the table above.

Wireless Internet Service Provider (ISP)
Wireless ISPs typically use the 802.11B and 802.16 technologies to bring high-speed internet service to rural and metropolitan areas. Wireless ISPs use high gain semi-directional and omni-directional antennas to widen the area of coverage and provide service to more customers. In cases where the distance is great or the signal strength is low, highly directional antennas may be employed to enhance the service area. Most Wireless ISPs do not use encryption to scramble communications, as it reduces the available bandwidth to subscribers. Wireless ISPs that use the 802.16 technology do not need to have LOS (Line Of Sight) to the customer location.

SCADA Connections
SCADA data collection is conducted using RTUs (specialized sensor monitoring and transmission equipment), which are often used to collect information in the field and then send it back to a central monitoring location (the SCADA server). RTUs consist of sampling sensors; a basic logic core; a directional receiver-transmitter; and a connector, which sends and receives information to the SCADA server. Often, the physical arrangement of the SCADA/RTU system and the long distances between individual system components make using a traditional wired SCADA connection prohibitively expensive or impractical. Wireless SCADA connections can often be used to overcome these obstacles because the RTU's wireless card concentrates its wireless transmission directly at the SCADA server's antenna, thereby communicating effectively at long ranges, over hilly terrain, or in urban areas. Most wireless SCADA systems utilize the MODBUS protocol. Because the use of this communications protocol requires specialized equipment that is not readily available to the general public, the threat to the confidentiality, integrity, and availability of information transmitted using MODBUS is not as great as compared to threats to information communicated using 802.11-based wireless LANs.

SCADA-class systems usually run in three different frequency ranges. These are:

5.8 GHz - This is a high frequency, short wavelength transmission which allows a large amount of information to be communicated quickly. Because the information is transmitted at such high speeds, the wireless RTUs must be in a straight line, and there can be little interference between the units in order to receive a clear signal.

2.4 GHz - This is a mid-range frequency that offers a high communication speed while also delivering range and reliability between that of 5.8 GHz and 900 MHz appliances. Devices on the 2.4 GHz frequencies may be susceptible to interference from common household electronics including wireless phones, LAN devices, Personal Digital Assistants (PDAs), or even microwave ovens. This interference can require the devices to retransmit several times before they can connect and transfer data (users may notice this problem because communications will appear to be slow). In the worst case, this interference may even deny the availability of the unit, which means that data will not be communicated at all.

900 MHz - The 900 MHz frequency uses a "long" wavelength and sends less information per second than either of the other two previously described frequencies; however, because the signal from 900 MHz devices can suffer more degradation and still be readable than can signals from devices using the other two frequencies described above, 900 MHz devices can usually communicate at a greater range than these other devices, thus increasing their overall reliability.

Wireless Security Enhancements
Each of the wireless devices described above utilizes a number of technologies to protect the information that they send and receive. These security technologies are designed to improve the security of wireless systems in one of three ways:

  • Authenticating authorized users;
  • Restricting access to authorized users of the network; or
  • Encrypting the information being sent.

These security enhancements are discussed below.

Authentication is a method for verifying a user's identity, and thus allowing that authenticated user access to the system. Authentication technologies include:

  • Remote Authentication Dial-In User Service (RADIUS) - An open-source client-server system used to verify users on a network.
  • Cisco Access Control Server (CISCO ACS) - Cisco Systems' proprietary system for network access control.
  • Extensible Authentication Protocol (EAP) - A remote access protocol that acts as a framework for specific authentication and encryption technologies.
  • Extensible Authentication Protocol - Transport Level Security (EAP-TLS) - A certificate-based authentication method to authenticate users and then provide WEP-based encryption on data sent and received on the network (see Encryption below for a discussion of the security considerations for WEP).
  • Extensible Authentication Protocol - Tunneled TLS (EAP-TTLS) - A method of implementing TLS so that the information used to authenticate the user and ask for a certificate is secured throughout transmission from the client to the authentication server.
  • Protected Extensible Authentication Protocol (PEAP) - A way of providing security services to wireless users without requiring that they have a certificate.

Access Limitation is a method for deterring unauthorized access to the LAN. Access limitation technologies include:

  • Service Set Identifier Disable (SSID) - Provides the ability to configure the WAP so it behaves as a closed system and does not announce its presence to unauthorized clients. If SSID broadcast is enabled, anyone with a wireless card can see that there is a wireless network present, even if other security measures are in place to prevent them from making an uninvited connection. Conversely, disabling SSID broadcast will hide the network from the uninvited and therefore make it more secure.
  • Media Access Control (MAC) Filtering - Each network interface device has a unique ID given to it. This ID is known as a MAC address. The WAP can be configured so that it will only respond to a predefined list of MAC addresses, thus placing another security layer in front of potential threats.

Encryption is a method for scrambling information so that it is unusable even if it is intercepted. Encryption technologies include:

  • Wired Equivalent Privacy (WEP) - A method of streaming wireless information through an encryption mechanism on the wireless transmitter and decoding it on the receiving end. WEP is based on a user-generated key shared by the transmitter and the receiver. The length of this key (called the "bit-length" or just "bit") specifies how strong the encryption is. The larger the bit-length, the stronger the security of the system. Standard key sizes are 64-, 128-, 154-, and 256-bit. Since this security measure is based on a user-generated key, WEP-secured transmissions can be compromised, although the greater the bit-length of the key, the more time it will take to compromise.
  • Wi-Fi Protected Access (WPA) - A wireless technology integrated into recent wireless products combining encryption and user authentication in order to secure the network. WPA uses the Advanced Encryption Standard to secure communications.
  • Advanced Encryption Standard (AES) - Uses a variable-length key that is changed regularly based on TKIP (see below) to encrypt and decrypt information in 128-bit blocks. AES meets the requirements for FIPS 197 (Federal Information Processing Standards, recommended for agencies and departments with sensitive information).
  • Temporal Key Integrity Protocol (TKIP) - A key-changing system used by WPA to ensure that the same key is not used long enough to be cracked by anyone monitoring a wireless network. Provides base level key management functions (i.e., storage, changing, transferring, and updating scheme for keys).
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP, part of AES) - CCMP utilizes a 128-bit key with a 48-bit initialization vector for replay detection.

Within the same class of wireless products, different wireless clients and WAPs support different security technologies. Individual vendors can be consulted to determine which security technologies their products support.
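
The CCMP entry above mentions a 48-bit value used for replay detection. The following is an added example, not part of the original guide, showing how a receiver can read that 48-bit packet number from the 8-octet CCMP header defined in IEEE 802.11i and reject replayed frames. The station address and frames are constructed sample data, and the mic_ok flag is an assumption standing in for the AES-CCM integrity check, which is not implemented here.

```python
EXT_IV = 0x20            # bit 5 of octet 3; set in every CCMP header
PN_MAX = (1 << 48) - 1   # largest 48-bit packet number


def build_ccmp_header(pn, key_id=0):
    """Lay out the 8-octet CCMP header: PN0 PN1 Rsvd KeyID PN2 PN3 PN4 PN5."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("packet number must fit in 48 bits")
    if not 0 <= key_id <= 3:
        raise ValueError("key ID is a 2-bit field")
    p = pn.to_bytes(6, "little")  # p[0] is PN0, the least significant octet
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6), p[2], p[3], p[4], p[5]])


def parse_ccmp_header(hdr):
    """Return (packet_number, key_id) from the 8 octets that follow the MAC header."""
    if len(hdr) < 8:
        raise ValueError("CCMP header is 8 octets")
    if not hdr[3] & EXT_IV:
        raise ValueError("ExtIV bit clear: not a CCMP header")
    pn_octets = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_octets, "little"), hdr[3] >> 6


class ReplayGuard:
    """Receiver-side replay counters, one per (transmitter address, priority)."""

    def __init__(self):
        self._highest = {}  # (transmitter, priority) -> highest packet number accepted

    def accept(self, transmitter, priority, hdr, mic_ok=True):
        # A frame that fails the integrity check is dropped before its packet
        # number is looked at, so a forged high number cannot advance the
        # counter and lock out the genuine sender.
        if not mic_ok:
            return False
        pn, _key_id = parse_ccmp_header(hdr)
        key = (transmitter.lower(), priority)
        if pn <= self._highest.get(key, 0):
            return False  # packet number already seen or older: replay
        self._highest[key] = pn
        return True


def run_demo():
    sta = "00:11:22:33:44:55"  # constructed station address
    guard = ReplayGuard()
    frames = [                 # (transmitter, priority, packet number, mic_ok)
        (sta, 0, 1, True),     # first frame
        (sta, 0, 2, True),     # next frame in sequence
        (sta, 0, 2, True),     # captured frame sent again
        (sta, 0, 1000, False), # forged frame with a high number, integrity check fails
        (sta, 0, 3, True),     # genuine sender continues
        (sta, 5, 1, True),     # different priority keeps its own counter
    ]
    return [guard.accept(t, prio, build_ccmp_header(pn), mic)
            for t, prio, pn, mic in frames]


if __name__ == "__main__":
    print(run_demo())
```
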

Cost

The cost of a wireless LAN using 802.11 can be under $50 each for a WAP and a wireless card. A small system can be securely set up in a few hours by a knowledgeable computer technician. The cost of a wireless SCADA/RTU communication system can vary greatly depending upon the distance and terrain that the system needs to traverse. A basic wireless SCADA/RTU system can range between $1,500 and $3,000 per site for hardware, plus the cost of any necessary antennas or radio towers. Depending on the complexity of the project, the installation time may vary. Most of the wireless systems in use for wireless LANs and SCADA RTU connections are over the public airwaves, so there is no service provider and no commensurate fees. Some O&M time will be required to ensure that the wireless systems continue to be secure. Examples of O&M-type activities will include monitoring changes in the wireless industry, especially for security patches or announced vulnerabilities, and ensuring that the network is still functioning without undue interference, is meeting the user's needs, and is remaining secure.

Vendors

Disclaimer: The information provided in this guide does not constitute an endorsement by the Environmental Protection Agency of any non-Federal entity, its products or its services. In addition, EPA does not endorse the vendors and products listed on this site. EPA is publishing lists of vendors on this site in an effort to further public awareness of vendors identified as possible contacts for further information and possible purchase of the different types of security equipment. The Agency has selected the listed vendors on that basis. The list of vendors is not a complete list, and EPA does not endorse the products or services of these vendors.

Wireless LAN

3Com
350 Campus Drive
Marlborough, Massachusetts 01752-3064
(800) 638-3266
www.3com.com

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
(800) 553-6387
www.cisco.com

Linksys
121 Theory Dr.
Irvine, California 92612
(800) 546-5797
www.linksys.com

Netgear Inc.
4500 Great America Parkway
Santa Clara, California 95054
(408) 907-8000
www.netgear.com

SMC Networks
38 Tesla
Irvine, California 92618
(800) 762-4968
www.smc.com

D-Link Systems
17595 Mt. Herrmann
Fountain Valley, California 92708
(800) 326-1688
www.dlink.com

Proxim
935 Stewart Drive
Sunnyvale, California
(800) 229-1630
www.proxim.com

Symbol Technologies, Inc.
555 12th Street, Suite 1850
Oakland, California 94607
(510) 891-3000
www.symbol.com


SCADA Network RTUs

Freewave Technologies, Inc.
1880 S. Flatiron Court
Suite F
Boulder, Colorado 80301
(800) 584-5616
www.freewave.com

4RF
26 Glover St
Ngauranga
Wellington New Zealand
+64 4 499 6000
www.4rf.com

Motorola Communications
1303 E. Algonquin Road
Schaumburg, Illinois 60196
(888) 567-7347
www.motorola.com

Microwave Data Systems Inc.
175 Science Parkway
Rochester, New York 14620
(585) 242-9600
www.microwavedata.com


   

Last updated on March 29, 2007 10:11 AM
URL: http://cfpub.epa.gov/safewater/watersecurity/guide/productguide.cfm