IEC 62443 Wireless Security: Deploying OT Wireless Controllers in Industrial Factory Networks

Abstract

With the global manufacturing processes gaining momentum in their conversion to Industry 4.0, wireless connectivity has ceased to be a luxury and become a necessity to carry out its operations. All automated guided vehicles, IIoT sensors, SCADA terminals, and robotic systems rely on the constant secure wireless communication to maintain production. However, security infrastructures that regulate these networks are often copied off the enterprise IT models which were not created to operate in the operational technology environment. The paper is a technical guide to the protection of industrial wireless infrastructure by installing Prime (On-Premises) Wireless LAN Controllers in factories, which are supposed to be in line with the requirements of the ISA/IEC 62443 standard on cybersecurity. Based on the available standards of industrial security, patterns of deployment in the real world, and protocol-level analysis, the paper considers ten baseline security controls: CAPWAP DTLS tunnel encryption, placement of RADIUS in the on-premises, WPA2-PSK non-compliance at Level 2 of security, isolation of the management plane, Management Frame Protection (802.11w), command authorization by TAC The article postulates that the architecturally correct solution to the factory floor is the Prime Controller and offers a hybrid deployment framework that ensures OT resilience and allows flexibility in the management of the IT-layer.