industrial communications handbook 2016
With regard to wireless links, it is important to remember the following points:
• The wireless hardware is as vulnerable as the equivalent wired hardware and so needs to be protected by physical access control wherever possible.
• Physical access to the radio signal itself now becomes a real threat. The signal does not stop at the site boundary: a user with a decent high-gain antenna and sniffer software can capture, and potentially inject, traffic from well outside the perimeter, so the link must carry its own authentication and encryption rather than relying on the fence.
4.4 External devices
In any discussion on policies and third party users, an important question is: how are external devices handled? A USB flash drive is the easiest and most common way to transfer data physically, yet this type of external storage could be carrying malware about to infect your network. A third party laptop may have some kind of sniffer software installed that captures any data travelling through the laptop's network interface, waiting to send this on to unsavoury individuals, whether or not the owner of the laptop is aware of it. There is a wide variety of third party devices that could threaten the network, and we need to be aware of, and protect against, all of these possibilities.
Policies are particularly significant in such circumstances, and informing outside users (and employees) of the correct way to handle external storage devices is important; with some malware, plugging in the USB device is already too late, because the malicious code runs as soon as the device is mounted or its contents are displayed. External storage can be handled in different ways, such as having a dedicated transfer computer with no connection to the rest of the network (but with an internet connection so that it can receive updates) running up-to-date antivirus software. Any files needed are loaded onto this computer, scanned for viruses or malware, and then copied to the relevant machine on the secure network using an authorised clean storage device. The transfer computer should mount incoming devices with automatic execution disabled, and the clean device should carry only the scanned files, never be plugged into anything outside the secure network, and be wiped after each transfer.
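The transfer station described above also needs a written policy for which files may cross at all, and that policy is best enforced by a script rather than by the operator's judgement. The following is an added example, not code from the handbook: a Python triage routine that runs over the contents of a removable device and decides, per file, whether it may be copied to the clean device, must be blocked, or needs a person to look at it. The allow and block lists, the sample files and the "known bad" hash are all constructed for the example. The ordering matters: a hash match and an auto-run file are rejected first, then executable file names, then executable content regardless of name (an .exe renamed to .pdf still starts with "MZ"), and only then is content admitted by its leading bytes.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed policy for the stand-alone transfer station; these lists are
# assumptions for this example, not the handbook's.
ALLOWED_BY_MAGIC = {          # content we are willing to pass, recognised by leading bytes
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
EXECUTABLE_MAGIC = {          # content that must never cross, whatever it is called
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".ps1",
                    ".vbs", ".js", ".hta", ".msi", ".jar"}


def classify(name, data, known_bad):
    """Decide for one file. Returns (decision, reason, sha256) where decision is
    'allow', 'block' or 'review'. Checks run from most to least certain."""
    digest = hashlib.sha256(data).hexdigest()
    path = PurePosixPath(name.lower())
    if digest in known_bad:
        return "block", "hash matches known malware: " + known_bad[digest], digest
    if path.name in BLOCKED_NAMES:
        return "block", "auto-execution configuration file", digest
    if path.suffix in BLOCKED_SUFFIXES:            # final suffix: catches invoice.pdf.exe
        return "block", "executable or script file name " + path.suffix, digest
    for magic, what in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):                 # content wins over name
            return "block", "content is a " + what, digest
    for magic, what in ALLOWED_BY_MAGIC.items():
        if data.startswith(magic):
            return "allow", what, digest
    return "review", "unrecognised content type; needs manual inspection", digest


def triage(files, known_bad):
    """Apply the policy to {name: bytes} and return the manifest (decision,
    reason, hash per file) that travels with the clean staging device."""
    return {name: classify(name, data, known_bad) for name, data in files.items()}


# Constructed sample contents of a contractor's USB stick (not real files).
SAMPLE_FILES = {
    "Site Report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj ...",
    "panel.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR...",
    "Update.pdf": b"MZ\x90\x00\x03\x00\x00\x00 PE\x00\x00...",  # executable disguised as a document
    "autorun.inf": b"[autorun]\r\nopen=Update.pdf\r\n",
    "Invoice.pdf.exe": b"MZ\x90\x00 ...",
    "notes.txt": b"plain text, harmless but not a recognised type",
    "firmware.bin": b"\x00\x01\x02\x03 constructed blob",
}
# Constructed blocklist entry: the hash of one of the sample files above.
KNOWN_BAD = {hashlib.sha256(SAMPLE_FILES["firmware.bin"]).hexdigest(): "constructed sample signature"}


def demo():
    return triage(SAMPLE_FILES, KNOWN_BAD)


if __name__ == "__main__":
    for name, (decision, reason, digest) in demo().items():
        print(f"{decision:6} {digest[:12]}  {name}: {reason}")
```

This is the policy layer only: an "allow" verdict means the file is of a type the site agrees to move and still goes through the up-to-date antivirus scan on the station, not that it is safe (a malicious PDF starts with "%PDF-" like any other). The hash blocklist is the weakest check, since recompiling the malware changes the hash, which is why the name and content checks do not depend on it.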
Some advanced firewall manufacturers include similar protection in their hardware, which protects against files incoming from the Internet, such as downloads or email attachments. These files are held in quarantine and a copy is sent to an online cloud service, which checks the file for known malware and opens or runs it in a protected environment (a sandbox) to observe what it actually does. If anything out of the ordinary is discovered, a verdict is sent back to the firewall, which deletes the file from quarantine before it can reach any device on the network. Note that this depends on the firewall being permitted to send copies of potentially sensitive files to the vendor's cloud, which should be checked against the site's own data-handling policy.
Even with good policies, one should assume that some sort of malware will find its way onto the network sooner or later. The Stuxnet worm, discovered in 2010, damaged uranium enrichment centrifuges at a facility in Iran. It spread largely via USB devices, using a Windows shortcut (.lnk) flaw that ran its code as soon as the contents of an infected drive were displayed, and it had reached many thousands of computers around the world before it was found; on those machines it did not act (it was coded to look for a specific target configuration of PLC and drives), which is why it went undiscovered for so long.
The amount of malware in circulation is effectively uncountable. It ranges from harmless snippets of code that may do nothing to system-killers that could cause extensive damage to a site. For this reason all computers attached to the network should be running anti-virus software (where the control system vendor has qualified a specific product for its hosts, use that one). Updating the anti-virus solution is critical and must happen regularly, in some cases multiple times a day. The best way to achieve this is to get a solution that has a single update server with direct internet access. The server generally resides in a DMZ (Demilitarised Zone), which is essentially a separate subnetwork, isolated from the rest of the network by a router and firewall. This machine updates its anti-virus definitions from the vendor's online server as they become available. The other machines on the network then update their definitions from this machine, through a firewall that permits only that update traffic and stops everything else, and thus are kept up to date yet do not require direct internet access. The firewall rule should be written in the direction that matters: internal hosts may initiate connections to the update server on its update port only, and the update server may initiate nothing towards the internal network.
4.5 Direct access devices
The next step is to protect against other devices that are able to connect directly to the network. Whilst physical access control and company policies are important, there are other, more automated methods that can be used to protect the network from unauthorised devices. Collectively known as AAA (Authentication, Authorisation and Accounting), this technology includes protocols such as RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus). AAA refers to three general functions:
• Authentication, which is checking that people (or devices) are who they say they are.
• Authorisation, which is checking what those people are allowed to do on the network.
• Accounting, which is keeping a record of who logged in, when they logged in and what they did while logged in.
In practice the network switch or wireless controller acts as the client of the AAA server: when a device connects to a port, the switch passes the credentials presented (a user name and password, or a certificate when IEEE 802.1X is used) to the server, receives a verdict and any access rights to apply, and only then opens the port.
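To show what the authentication leg of that exchange looks like on the wire, here is an added example that is not part of the handbook: a minimal RADIUS Access-Request / Access-Accept exchange in Python following RFC 2865, with the User-Password hiding the client applies and the Response Authenticator that lets the client reject a reply from anyone who does not hold the shared secret. The shared secret, user name and password are constructed for the example; there is no network I/O, and both sides of the exchange are plain function calls so the packets can be inspected.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(raw):
    """Decode the attribute list, refusing lengths that run past the buffer."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute length")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def _packet(code, ident, authenticator, attrs):
    """Assemble Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as performed by the server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client (switch/NAS) side: Access-Request with User-Name and hidden User-Password."""
    request_auth = request_auth or os.urandom(16)   # fresh random Request Authenticator
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def handle_access_request(packet, secret, users):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:])
    accepted = False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        try:
            supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
            expected = users.get(attrs[USER_NAME])   # constructed user store; a real server hashes these
            accepted = expected is not None and hmac.compare_digest(expected, supplied)
        except ValueError:
            accepted = False
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    reply_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return _packet(reply_code, ident, reply_auth, reply_attrs)


def verify_reply(reply, request, secret):
    """Client side: accept the reply only if its Identifier matches the outstanding
    request and its Response Authenticator checks out under the shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("malformed reply")
    if reply[1] != request[1]:
        raise ValueError("Identifier does not match the outstanding request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return reply[0]


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"            # assumption: shared by switch and server
    USERS = {b"plc-tech": b"correct horse battery"}  # constructed user store
    req = build_access_request(42, b"plc-tech", b"correct horse battery", SECRET)
    reply = handle_access_request(req, SECRET, USERS)
    print("server said:", {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[verify_reply(reply, req, SECRET)])
```

Two points a practitioner should take from this. The password hiding is an MD5 keystream keyed by the shared secret, so its strength is the strength of that secret; choose long random secrets per client and carry RADIUS over a protected path (IPsec, or RADIUS over TLS per RFC 6614) rather than trusting the hiding on its own. And the Response Authenticator is what stops a device on the wire from simply replying "Accept" to the switch: a reply computed under a different secret fails verification, as the mismatched-secret case shows. The accounting leg uses the same framing with codes 4 and 5 (RFC 2866) and is omitted here.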