New wireless mesh network systems offer mines almost unlimited flexibility in voice and data communications. Have network security measures kept pace with expanding wireless capabilities?
By Russell A. Carter, Managing Editor
Industrial espionage has been practiced for centuries and its more overt sibling, sabotage, has been its frequent companion. Spy tradecraft in the industrial sector has evolved dramatically from the smuggled handwritten documents and material samples that disclosed the secrets of China’s coveted porcelain production process to the Western world in the 18th century: Cyber-espionage is the latest spy tool to emerge, and the discovery of the Stuxnet computer worm in 2010 crystallized the notion of destructive electronic espionage and warfare from a mostly Hollywood-cinematic concept into hard fact. Stuxnet was malware that not only spied on but also attacked a widely used class of equipment-control systems—Siemens SCADA or supervisory control and data acquisition software and the programming software used in connected PLCs (programmable logic controllers)—that control countless industrial processes and technologies.
The Stuxnet worm, however, was designed to focus on specific equipment and software used in nuclear enrichment processes, and reportedly had features that stopped it from seriously affecting unrelated industrial processes or from transmitting itself from an infected computer to more than three others; it also was programmed to erase itself on a specified date. Nevertheless, its apparent success in achieving its objectives served as a wake-up call to a number of critical industries—public utilities, defense contractors and telecommunications carriers, to name just a few—that their embedded control systems might be highly vulnerable to catastrophic electronic attacks.
Mining, with its hardscrabble image and publicly perceived low-tech methods, has generally been absent in discussions of potential industrial disasters resulting from the cyber attack following the Stuxnet episode, even though mineral production is usually considered a strategic industry by most developed nations and the industry itself uses thousands of PLCs—the same equipment targeted by Stuxnet. The mental image of a 42-ft-diameter SAG mill suddenly spinning out of control is unsettling, but it appears that mining hasn’t yet blipped onto the radar screen of cyber marauders, or if it has, it’s still only a faint image on the fringe. However, recent developments hint that this could be changing and, in the words of an industry observer, “security by obscurity” may not be a viable option for the industry in the future.
Over the past few years, newspaper articles and television news programs have reported on incidents in which major mining companies such as Rio Tinto and BHP Billiton came under cyber attack, possibly aimed at access to sensitive product pricing and project information. Australian miner Lynas Corp.’s website was temporarily incapacitated earlier this year, allegedly by a hacker protesting the company’s plans to open a rare-earths processing facility in Malaysia.
At the other end of the networking spectrum, mines located near large population centers, or those in close proximity to competing operations, run the risk of having their local wireless network data or voice traffic inadvertently or purposely disclosed to outside parties.
Mine-site mobile networks and plant-based SCADA systems are geographically and conceptually distant from the average corporation’s website and other forms of its public Internet presence, but recent developments show they have something in common—any of them can be attacked by cyber methods that may result in physical and economic damage. To complicate the situation, several trends are converging to make each of these networks even more crucial to a company’s strategic plan:
- Mine- and plant-site data transmission volume is growing at a speed-of-light pace, with new equipment and data streams requiring additional network nodes and devices that could represent weak links in a data-security chain if not configured properly.
- Companies and sites that may have started out using proprietary network setups are moving toward integrated, open-standard Internet Protocol (IP) architecture when upgrading—added enhanced functionality and value to the network but requiring closer attention to network security.
- Large mining companies with operations scattered around the globe are pursuing standardization in as many areas of their operations as possible, enabling personnel to be familiar with corporate practices, technology and equipment wherever they are located. The flip side of the coin is that a flaw in one installation of a standardized system could mean a similar flaw exists in all installations.
- Companies are increasingly turning to the Internet to enable remote monitoring and control of equipment and processes to cut costs, increase resource efficiency and allow remote users access to important information—but this also increases network vulnerability to digital snoopers, hackers or even disgruntled employees.
Taking the standardization trend one step further, recent technological advances now offer companies the ability to consolidate control of what were once considered separate and unrelated operational activities into an integrated, single package. For example, last year at the AIMEX trade show held in Australia, PSI Production, a subsidiary of Berlin, Germany-based PSI AG, exhibited an innovative product called PSImining, claimed to be the first plant-level SCADA system that fully integrates all mining processes and security features into one system providing interdisciplinary supervision, control and high-level automation to mine operators.
According to the company, the system on display at AIMEX would allow all important mine operation processes and sub-processes to be integrated into a central SCADA system featuring a high-performance Human Machine Interface. Demonstrations conducted at the trade show reportedly displayed examples of integrated supervision, control and automation of coal mining, tunneling, product flow optimization by conveyors, mine infrastructure, material logistics, security, people tracking and maintenance—managed by one single SCADA system.
The potential benefits of this type of integrated control system could be enormously useful to an industry facing rising operational costs, persistent skilled labor shortages and logistical problems resulting from activities in remote or inhospitable locations. And, in a perfect world, SCADA systems and network devices would never be exposed to the Internet and its threats. But Stuxnet, for example, is capable of infecting a system from a removable drive as well as by computer-to-computer transmission—and, in the real world, corporate networks may be connected to local or SCADA networks simply because the data carried on those networks is needed to manage the company efficiently, thereby opening another avenue for infection.
The intricacies of IT and SCADA system-security measures are beyond the scope of this article, but the technology at the ground floor of mine communications—the wireless mesh networks that carry site communications and data traffic—is familiar to most mine operators, and on the basis of recent interviews with suppliers of these wireless systems, it appears to E&MJ that data integrity and network security are high on the list of vendors’ performance priorities.
Bert Williams, marketing director for Tropos Networks, a California-based supplier of secure wireless IP broadband network components, told E&MJ that, “There’s an increasing level of awareness about security in the mining industry as well as other industrial segments. Exploits such as Stuxnet and the German smart meter hacking demonstration have raised awareness in all industrial verticals, including mining, that security by obscurity is not a viable strategy.
“[Although] it’s hard to rank things such as price, flexibility, ease of installation and security against each other because they’re all table stakes to compete with in the market, security has historically played a less important role than other considerations, but that’s changing rather quickly.”
A technical briefing paper authored by Williams explains the advantages of IP-based wireless field communication networks: “When built using standard technologies such as 802.11 and/or 802.16, they provide high speed and low latency compared to the proprietary networking technologies traditionally deployed in the field, enabling many field automation applications to run on one network. They are very reliable, especially when tools such as mesh routing and TCP with reliable data delivery are employed. IP networks provide interoperable communications for a plethora of diverse endpoints. Unifying communications for many automation applications on one network provides for economical implementation, central management and consistent, end-to-end security policies.”
However, along with these benefits, they also have the potential of being hacked using the same tools used to attack Internet sites. The Tropos paper explains that, even so, the techniques used to thwart cyber-attacks on IP networks have been honed for years by enterprises and are constantly being updated by the security community to battle emerging threats. As a result, a robust set of tools have been developed to combat cyber-attacks on enterprise networks, including wireless. These include:
- Internet Protocol Security (IPsec) virtual private networks (VPNs) that authenticate the endpoints of a network connection and encrypt data transmission between the endpoints, securing both system access and transmitted data.
- Firewalls that permit traffic for only authorized applications, protocols and users to travel over the network while blocking classes of traffic that are not permitted by the forwarding policy. When extended to the edge, firewalls can be used as an effective mechanism for protecting field area assets.
- RADIUS, 802.1x, and 802.11i authentication that prevents unauthorized users and devices from accessing the network and enforce strong endpoint authentication.
- AES encryption, preventing eavesdropping on management and control traffic as well as data transmission.
- HTTPS-based remote access, enabling secure device management.
- Virtual local area networks (VLANs) that enable traffic from different applications and user groups to be segregated and permit security policies to be tailored to the needs of each application/user group.
Security policies must be in force out to the “edge” of a wireless network to maintain efficiency and prevent unauthorized parties from probing the network’s deeper regions, said Williams. In a surface mine, the edge of the network would be equipment that is monitored or controlled; for example, sensors and PLCs. In a processing plant, the edge would be process controllers and other process automation devices. In either environment, the edge could also be physical security systems including video cameras and access control systems. And, it can be devices used by humans; e.g., tablet or handheld devices, man-down systems and VoIP phones.
Another commonly encountered challenge in migrating from proprietary to IP-based field area communication networks is integrating legacy field automation endpoints that don’t support IP, Ethernet or standard wireless connections, according to Williams. Not only must legacy devices be able to communicate over the IP field area communication network, they must be able do so securely. Stranding legacy field assets, forcing their wholesale replacement or leaving them unsecured are not options.
To ensure successful integration, IP field area communication networks also must support the physical interfaces used by legacy endpoints, most commonly RS-232 or RS-485 serial, and convert them so they can be carried over standard wireless and Ethernet connections. The networks must also support translation or tunneling mechanisms so data originally encapsulated in common control protocols can be transported securely across the IP network. Finally, points where legacy devices connect to the IP field area communication networks must be as secure as interfaces to field automation devices that natively run IP.
Not surprisingly, Tropos’ newest wireless mesh router products include the security features mentioned by Williams. The Tropos 1410, available in either router or bridge configuration, is a single-radio unit that offers a built-in firewall and IPsec VPN. They implement a multi-layer, multi-application security model that enables traffic from different applications and user groups to be segregated on separate virtual local area networks (VLANs), each with its own address space, quality of service (QoS) policies and security policies including the capability to create one or more standard IPsec VPNs per VLAN. The Tropos 1410 employs RADIUS, 802.1x, and 802.11i authentication, AES encryption and HTTPS-based remote access to secure field area networks from unauthorized devices, users and snooping.
Tropos offers two versions in the new line, the 1410 and the board-level 1410-B. The Tropos 1410 comes in a ruggedized, weatherized enclosure suitable for use in extreme outdoor environments in fixed or semi-mobile locations. The Tropos 1410-B is a module suitable for integration into a wide range of industrial process controllers and SCADA devices. Both products can be configured via software load to be either a bridge that connects to any standard 802.11b/g/n wireless network, or a fully functional wireless mesh router. Each supports an 802.11b/g/n wireless connection with full MIMO and a wired connection using 10/100BASE-T Ethernet, RS-232 serial or RS-485 serial. Their Ethernet and serial interfaces support common control protocols.
The Tropos 1410 and 1410-B with bridging software are currently available, and versions with router software will be released later this year. An upgrade from bridging to routing software, for a fee, will also become available at that time. Tropos also offers a line of dual-radio routers.
Williams said Tropos has recently installed wireless networks at Fortescue Metals Group’s iron ore mines in Western Australia and at BHP Billiton-Mitsubishi Alliance (BMA) coal mines in Queensland, Australia. Commenting on the considerations required to configure secure wireless networks in various countries with different telecommunications regulations and customs, Williams said, “The differences in regulation have an impact on network design; for example, more mesh routers may be required to cover an given area in a European country where the maximum transmission power is lower than in countries that follow U.S. regulations.
“However, there’s not a significant difference in the security requirements. Tropos is taking the tools and techniques used to secure enterprise networks and their connections to the Internet and applying them to industrial applications such as mining. Because Internet standards are by definition global, they are applicable outside of North America.”
Accommodating Network Access
Malvern, Pennsylvania-based Rajant Corp. is no stranger to the challenges of designing and setting up large-scale wireless networks in a mining environment, listing among its clients Kennecott Utah Copper’s massive Bingham Canyon copper complex near Salt Lake City, Utah. Rajant initially installed 140 of its dual-radio BreadCrumb XL and ME systems to provide the Rio Tinto-owned mine with a secure, scalable wireless voice and data network, and later added another 60 radios, bringing the total number of radios in service at the mine to 340. Additional units can be added as the mine continues to expand its wireless network needs.
Gary Anderson, senior vice president of sales at Rajant, said the Bingham Canyon network project was an excellent test of the company’s wireless technology; the mine had a lengthy list of equipment and vendor requirements, and needed a system that could be expanded to handle everything from communications and monitoring of the hundreds of primary and support vehicles in service at the mine, to linkups with highly specialized technology such as haulage dispatch, video surveillance, ground probe radar, photogrammetry and electronic fuel management systems—not to mention more mundane but crucial services such as e-mail and file sharing.
After system startup, Kennecott Utah Copper reported it had saved an estimated $7 million in reduced operational costs in just the first 90 days of network operation, attributed mainly to the BreadCrumb network’s ability to satisfy the concurrent, real-time demands of the many applications the mine uses to track, monitor and manage its mining activities.
Rajant’s BreadCrumb LX4 is the latest in its family of multi-radio wireless transmitter-receivers. The LX4 supports up to four high-power radios in a single unit, has a faster processor than the company’s BreadCrumb LX3 model, and with options for 900 MHz, 2.4 GHz, 4.9 GHz and 5 GHz (LoS and NLos), is the most advanced multi-radio node in the BreadCrumb family. It also features 10/100 Ethernet for Internet connectivity, USB for firmware upgrades and a GPS port. It supports secure connectivity with any Ethernet or 802.11a/b/g client equipment—ensuring compatibility with off-the-shelf devices such as laptops, PDAs, IP cameras, sensors, VoIP phones and other IP gear.
The BreadCrumb JR is the most portable member of the product family, intended primarily for ‘client participation’ in a kinetic mesh network. Portable and battery powered, the JR is a full-function InstaMesh client featuring a 2.4-GHz radio and 7 Mbps maximum throughput. Measuring 7.3 x 1.5 x 1.4 in., it is easily attached to personnel or vehicles on the move to provide network connectivity. The BreadCrumb JR includes a GPS port and the same level of security as the BreadCrumb LX line.
For network security, the BreadCrumb units support a number of high-level data encryption protocols. “We have the capability of encrypting all transmissions between BreadCrumb nodes, and then encrypting the whole network on top of that,” Anderson said. “Most operations would consider that to be overkill—all they really want is just to keep their data safe—but [the BreadCrumb system] has been approved by the U.S. government to transmit secret-level information in other applications.”
In most mine setups, Rajant accommodates setup of Virtual Local Area Networks, or VLANs, within a BreadCrumb network, segregating distinct categories of voice and data traffic—administrative, operational, vendor access, etc.—into separate channels for security and efficiency. “Many mines have five or more wireless VLANs, and the wireless side mirrors their wired networks,” said Anderson. “We can set up a mine’s wireless network to be very, very secure or completely unsecured, or any point in between.”
All of the company’s newer BreadCrumb models use InstaMesh, a protocol developed by Rajant that allows for continuous and instantaneous routing of wireless and wired connections. According to the company, it provides complete network mobility, robust fault tolerance, high throughput and low latency, with zero maintenance and administration—all of which is becoming increasingly important to meet rapidly expanding mine-site data requirements. “Some of our mining customers have 20 applications running simultaneously on the network. And it seems that just as fast as we can increase network capacity, [the customers] are looking for new applications to run on it,” said Anderson.
One of the company’s more recent innovations, said Anderson, is inclusion of a SIP (Session Initiation Protocol) server into each BreadCrumb, allowing extremely clear voice communications. “This shouldn’t be thought of as a typical VoIP system,” Anderson said. “We actually call it TRoIP, Tactical Radio over Internet Protocol. Using a headset or even just an earpiece like a Bluetooth ‘fob’, anyone with access to the mesh network can talk with any other person on the network, or everyone at one time.”
Also on tap for near-future release is a new software version release that will “tremendously increase” the capabilities of the network, according to Anderson, and possible inclusion of a video encoder in future BreadCrumb units that will provide clear, multi-stream video transmission over the mesh network.