Lock Down Your Data
New wireless mesh network systems offer mines almost unlimited flexibility in voice and data communications. Have network security measures kept pace with expanding wireless capabilities?
By Russell A. Carter, Managing Editor
Mine-site wireless networks are carrying more information than ever, and with the latest mesh-network
systems offering IP-based communications between an increasingly wide range of locations and devices,
network security is a growing concern. (Photo courtesy of Tropos Networks)
The Stuxnet worm, however, was de-signed to focus on specific equipment and software used in nuclear enrichment pro-cesses, and reportedly had features that stopped it from seriously affecting unrelat-ed industrial processes or from transmit-ting itself from an infected computer to more than three others; it also was pro-grammed to erase itself on a specified date. Nevertheless, its apparent success in achieving its objectives served as a wake-up call to a number of critical industries— public utilities, defense contractors and telecommunications carriers, to name just a few—that their embedded control sys-tems might be highly vulnerable to cata-strophic electronic attacks.
Mining, with its hardscrabble image and publicly perceived low-tech methods, has generally been absent in discussions of potential industrial disasters resulting from the cyber attack following the Stuxnet episode, even though mineral production is usually considered a strategic industry by most developed nations and the industry itself uses thousands of PLCs—the same equipment targeted by Stuxnet. The men-tal image of a 42-ft-diameter SAG mill suddenly spinning out of control is unset-tling, but it appears that mining hasn’t yet blipped onto the radar screen of cyber marauders, or if it has, it’s still only a faint image on the fringe. However, recent devel-opments hint that this could be changing and, in the words of an industry observer, “security by obscurity” may not be a viable option for the industry in the future.
Over the past few years, newspaper articles and television news programs have reported on incidents in which major mining compa-nies such as Rio Tinto and BHP Billiton came under cyber attack, possibly aimed at access to sensitive product pricing and proj-ect information. Australian miner Lynas Corp.’s website was temporarily incapacitat-ed earlier this year, allegedly by a hacker protesting the company’s plans to open a rare-earths processing facility in Malaysia.
At the other end of the networking spectrum, mines located near large popu-lation centers, or those in close proximity to competing operations, run the risk of having their local wireless network data or voice traffic inadvertently or purposely dis-closed to outside parties.
Mine-site mobile networks and plant-based SCADA systems are geographically and conceptually distant from the average corporation’s website and other forms of its public Internet presence, but recent devel-opments show they have something in common—any of them can be attacked by cyber methods that may result in physical and economic damage. To complicate the situation, several trends are converging to make each of these networks even more crucial to a company’s strategic plan:
• Mine- and plant-site data transmission volume is growing at a speed-of-light pace, with new equipment and data streams requiring additional network nodes and devices that could represent weak links in a data-security chain if not configured properly.
• Companies and sites that may have start-ed out using proprietary network setups are moving toward integrated, open-stan-dard Internet Protocol (IP) architecture when upgrading—added enhanced func-tionality and value to the network but requiring closer attention to network security.
• Large mining companies with operations scattered around the globe are pursuing standardization in as many areas of their operations as possible, enabling person-nel to be familiar with corporate prac-tices, technology and equipment wherev-er they are located. The flip side of the coin is that a flaw in one installation of a standardized system could mean a simi-lar flaw exists in all installations.
• Companies are increasingly turning to the Internet to enable remote monitoring and control of equipment and processes to cut costs, increase resource efficiency and allow remote users access to import-ant information—but this also increases network vulnerability to digital snoopers, hackers or even disgruntled employees.
Taking the standardization trend one step further, recent technological advances now offer companies the ability to consoli-date control of what were once considered separate and unrelated operational activi-ties into an integrated, single package. For example, last year at the AIMEX trade show held in Australia, PSI Production, a sub-sidiary of Berlin, Germany-based PSI AG, exhibited an innovative product called PSImining, claimed to be the first plant-level SCADA system that fully integrates all mining processes and security features into one system providing interdisciplinary supervision, control and high-level automa-tion to mine operators.
Quick and convenient scalability is an important feature of new-generation wireless mesh networks,
allowing wireless-system capacity to keep pace with expanding mine fleets and facilities.
(Photo courtesy Tropos Networks)
According to the company, the system on display at AIMEX would allow all impor-tant mine operation processes and sub-processes to be integrated into a central SCADA system featuring a high-perform-ance Human Machine Interface. Demon-strations conducted at the trade show reportedly displayed examples of integrated supervision, control and automation of coal mining, tunneling, product flow optimiza-tion by conveyors, mine infrastructure, material logistics, security, people tracking and maintenance—managed by one single SCADA system.
The potential benefits of this type of integrated control system could be enor-mously useful to an industry facing rising operational costs, persistent skilled labor shortages and logistical problems resulting from activities in remote or inhospitable locations. And, in a perfect world, SCADA systems and network devices would never be exposed to the Internet and its threats. But Stuxnet, for example, is capable of infecting a system from a removable drive as well as by computer-to-computer trans-mission—and, in the real world, corporate networks may be connected to local or SCADA networks simply because the data carried on those networks is needed to manage the company efficiently, thereby opening another avenue for infection.
The intricacies of IT and SCADA system-security measures are beyond the scope of this article, but the technology at the ground floor of mine communications— the wireless mesh networks that carry site communications and data traffic—is familiar to most mine operators, and on the basis of recent interviews with suppli-ers of these wireless systems, it appears to E&MJ that data integrity and network security are high on the list of vendors’ performance priorities.
Bert Williams, marketing director for Tropos Networks, a California-based supplier of secure wireless IP broadband network components, told E&MJ that, “There’s an increasing level of awareness about security in the mining industry as well as other indus-trial segments. Exploits such as Stuxnet and the German smart meter hacking demon-stration have raised awareness in all indus-trial verticals, including mining, that securi-ty by obscurity is not a viable strategy.
“[Although] it’s hard to rank things such as price, flexibility, ease of installation and security against each other because they’re all table stakes to compete with in the mar-ket, security has historically played a less important role than other considerations, but that’s changing rather quickly.”
A technical briefing paper authored by Williams explains the advantages of IP-based wireless field communication net-works: “When built using standard tech-nologies such as 802.11 and/or 802.16, they provide high speed and low latency compared to the proprietary networking technologies traditionally deployed in the field, enabling many field automation applications to run on one network. They are very reliable, especially when tools such as mesh routing and TCP with reliable data delivery are employed. IP networks provide interoperable communications for a pletho-ra of diverse endpoints. Unifying communi-cations for many automation applications on one network provides for economical implementation, central management and consistent, end-to-end security policies.”
However, along with these benefits, they also have the potential of being hacked using the same tools used to attack Internet sites. The Tropos paper explains that, even so, the techniques used to thwart cyber-attacks on IP networks have been honed for years by enterprises and are constantly being updated by the security community to battle emerging threats. As a result, a robust set of tools have been developed to combat cyber-attacks on enterprise net-works, including wireless. These include:
• Internet Protocol Security (IPsec) virtual private networks (VPNs) that authenti-cate the endpoints of a network connec-tion and encrypt data transmission between the endpoints, securing both system access and transmitted data.
• Firewalls that permit traffic for only authorized applications, protocols and users to travel over the network while blocking classes of traffic that are not permitted by the forwarding policy. When extended to the edge, firewalls can be used as an effective mechanism for pro-tecting field area assets.
• RADIUS, 802.1x, and 802.11i authen-tication that prevents unauthorized users and devices from accessing the net-work and enforce strong endpoint authen-tication.
• AES encryption, preventing eavesdrop-ping on management and control traffic as well as data transmission.
• HTTPS-based remote access, enabling secure device management.
• Virtual local area networks (VLANs) that enable traffic from different applications and user groups to be segregated and permit security policies to be tailored to the needs of each application/user group.Security policies must be in force out to the “edge” of a wireless network to main-tain efficiency and prevent unauthorized parties from probing the network’s deeper regions, said Williams. In a surface mine, the edge of the network would be equip-ment that is monitored or controlled; for example, sensors and PLCs. In a process-ing plant, the edge would be process con-trollers and other process automation devices. In either environment, the edge could also be physical security systems including video cameras and access control systems. And, it can be devices used by humans; e.g., tablet or handheld devices, man-down systems and VoIP phones.
Wireless routers and receiver-transmitters, such as the Tropos unit pictured here, feature high-level access
control, encryp-tion and secure Internet access capability to prevent field-network intrusion by unauthorized
users, hackers and devices.
Another commonly encountered chal-lenge in migrating from proprietary to IP-based field area communication networks is integrating legacy field automation end-points that don’t support IP, Ethernet or standard wireless connections, according to Williams. Not only must legacy devices be able to communicate over the IP field area communication network, they must be able do so securely. Stranding legacy field assets, forcing their wholesale replacement or leaving them unsecured are not options.
To ensure successful integration, IP field area communication networks also must support the physical interfaces used by legacy endpoints, most commonly RS-232 or RS-485 serial, and convert them so they can be carried over standard wireless and Ethernet connections. The networks must also support translation or tunneling mechanisms so data originally encapsulat-ed in common control protocols can be transported securely across the IP network. Finally, points where legacy devices con-nect to the IP field area communication networks must be as secure as interfaces to field automation devices that natively run IP.
Not surprisingly, Tropos’ newest wireless mesh router products include the security features mentioned by Williams. The Tropos 1410, available in either router or bridge configuration, is a single-radio unit that offers a built-in firewall and IPsec VPN. They implement a multi-layer, multi-application security model that enables traffic from different applications and user groups to be segregated on separate virtual local area networks (VLANs), each with its own address space, quality of service (QoS) policies and security policies including the capability to create one or more standard IPsec VPNs per VLAN. The Tropos 1410 employs RADIUS, 802.1x, and 802.11i authentication, AES encryption and HTTPS-based remote access to secure field area networks from unauthorized devices, users and snooping.
Tropos offers two versions in the new line, the 1410 and the board-level 1410-B. The Tropos 1410 comes in a ruggedi-zed, weatherized enclosure suitable for use in extreme outdoor environments in fixed or semi-mobile locations. The Tropos 1410-B is a module suitable for integra-tion into a wide range of industrial process controllers and SCADA devices. Both products can be configured via software load to be either a bridge that connects to any standard 802.11b/g/n wireless net-work, or a fully functional wireless mesh router. Each supports an 802.11b/g/n wireless connection with full MIMO and a wired connection using 10/100BASE-T Ethernet, RS-232 serial or RS-485 serial. Their Ethernet and serial interfaces sup-port common control protocols.
The Tropos 1410 and 1410-B with bridging software are currently available, and versions with router software will be released later this year. An upgrade from bridging to routing software, for a fee, will also become available at that time. Tropos also offers a line of dual-radio routers.
Williams said Tropos has recently installed wireless networks at Fortescue Metals Group’s iron ore mines in Western Australia and at BHP Billiton-Mitsubishi Alliance (BMA) coal mines in Queensland, Australia. Commenting on the considera-tions required to configure secure wireless networks in various countries with different telecommunications regulations and cus-toms, Williams said, “The differences in regulation have an impact on network design; for example, more mesh routers may be required to cover an given area in a European country where the maximum transmission power is lower than in coun-tries that follow U.S. regulations.
“However, there’s not a significant dif-ference in the security requirements. Tropos is taking the tools and techniques used to secure enterprise networks and their connections to the Internet and applying them to industrial applications such as mining. Because Internet stan-dards are by definition global, they are applicable outside of North America.”
Accommodating Network Access
Malvern, Pennsylvania-based Rajant Corp. is no stranger to the challenges of design-ing and setting up large-scale wireless net-works in a mining environment, listing among its clients Kennecott Utah Copper’s massive Bingham Canyon copper complex near Salt Lake City, Utah. Rajant initially installed 140 of its dual-radio BreadCrumb XL and ME systems to provide the Rio Tinto-owned mine with a secure, scalable wireless voice and data network, and later added another 60 radios, bringing the total number of radios in service at the mine to 340. Additional units can be added as the mine continues to expand its wireless net-work needs.
Gary Anderson, senior vice president of sales at Rajant, said the Bingham Canyon network project was an excellent test of the company’s wireless technology; the mine had a lengthy list of equipment and vendor requirements, and needed a system that could be expanded to handle everything from communications and monitoring of the hundreds of primary and support vehi-cles in service at the mine, to linkups with highly specialized technology such as haulage dispatch, video surveillance, ground probe radar, photogrammetry and electronic fuel management systems—not to mention more mundane but crucial serv-ices such as e-mail and file sharing.
Screenshot of a Rajant BreadCrumb wireless mesh network
site deployment spanning 44 square miles with over 200
multi-radio nodes, almost all of which are constantly in
motion. (Photo courtesy of Rajant Corp.)
After system startup, Kennecott Utah Copper reported it had saved an estimated $7 million in reduced operational costs in just the first 90 days of network operation, attributed mainly to the BreadCrumb net-work’s ability to satisfy the concurrent, real-time demands of the many applica-tions the mine uses to track, monitor and manage its mining activities.
Rajant’s BreadCrumb LX4 is the latest in its family of multi-radio wireless trans-mitter-receivers. The LX4 supports up to four high-power radios in a single unit, has a faster processor than the company’s BreadCrumb LX3 model, and with options for 900 MHz, 2.4 GHz, 4.9 GHz and 5 GHz (LoS and NLos), is the most ad-vanced multi-radio node in the Bread-Crumb family. It also features 10/100 Ethernet for Internet connectivity, USB for firmware upgrades and a GPS port. It sup-ports secure connectivity with any Ethernet or 802.11a/b/g client equip-ment—ensuring compatibility with off-the-shelf devices such as laptops, PDAs, IP cameras, sensors, VoIP phones and other IP gear.
The BreadCrumb JR is the most portable member of the product family, intended primarily for ‘client participation’ in a kinetic mesh network. Portable and battery powered, the JR is a full-function InstaMesh client featuring a 2.4-GHz radio and 7 Mbps maximum throughput. Measuring 7.3 x 1.5 x 1.4 in., it is easily attached to personnel or vehicles on the move to provide network connectivity. The BreadCrumb JR includes a GPS port and the same level of security as the BreadCrumb LX line.
For network security, the BreadCrumb units support a number of high-level data encryption protocols. “We have the capa-bility of encrypting all transmissions between BreadCrumb nodes, and then encrypting the whole network on top of that,” Anderson said. “Most operations would consider that to be overkill—all they really want is just to keep their data safe—but [the BreadCrumb system] has been approved by the U.S. govern-ment to transmit secret-level information in other applications.”
In most mine setups, Rajant accommo-dates setup of Virtual Local Area Networks, or VLANs, within a BreadCrumb network, segregating distinct categories of voice and data traffic—administrative, operational, vendor access, etc.—into separate chan-nels for security and efficiency. “Many mines have five or more wireless VLANs, and the wireless side mirrors their wired networks,” said Anderson. “We can set up a mine’s wireless network to be very, very secure or completely unsecured, or any point in between.”
All of the company’s newer Bread-Crumb models use InstaMesh, a protocol developed by Rajant that allows for con-tinuous and instantaneous routing of wire-less and wired connections. According to the company, it provides complete net-work mobility, robust fault tolerance, high throughput and low latency, with zero maintenance and administration—all of which is becoming increasingly important to meet rapidly expanding mine-site data requirements. “Some of our mining cus-tomers have 20 applications running simultaneously on the network. And it seems that just as fast as we can increase network capacity, [the customers] are looking for new applications to run on it,” said Anderson.
Rajant’s LX4 transmitter-receiver can accommodate up
to four radios and offers secure connectivity with any
Ethernet or 802.11a/b/g client device. (Photo courtesy
of Rajant Corp.)
One of the company’s more recent innovations, said Anderson, is inclusion of a SIP (Session Initiation Protocol) server into each BreadCrumb, allowing extremely clear voice communications. “This shouldn’t be thought of as a typical VoIP system,” Anderson said. “We actual-ly call it TRoIP, Tactical Radio over Internet Protocol. Using a headset or even just an earpiece like a Bluetooth ‘fob’, anyone with access to the mesh network can talk with any other person on the network, or everyone at one time.”
Also on tap for near-future release is a new software version release that will “tremendously increase” the capabilities of the network, according to Anderson, and possible inclusion of a video encoder in future BreadCrumb units that will provide clear, multi-stream video transmission over the mesh network.