[Imported] Network Security - Common Questions

Remote Operations Forum

Support forum for Schneider Electric SCADA systems, radios and RTUs. From commissioning integration devices and software, to enhancing existing installations or troubleshooting.

sbeadle

Posted: ‎2019-10-25 03:33 PM


>>Message imported from previous forum - Category:Trio Data Radios<<
User: joelw, originally posted: 2018-10-17 23:11:22 Id:128
This is a re-posting from the obsoleted (October 2018) "Schneider Electric Telemetry & SCADA" forum

-------------

**_jweder:_**
We often receive questions from those who don't know much about SCADA or Telemetry, but who have been tasked with evaluating our products for network security concerns. Here are a few such questions, along with my replies:

**1. Frequency hopping; How many freqs per second is the rotation?** This is configurable, between 4 and 20 hops (frequency changes) per second. (for J Series)

**2. Who sets the Key(s)? Do they change? Who maintains the keys?** Are you referring to AES encryption keys or to the frequency hopping pattern? I'll assume you are asking about the hopping pattern. With J Series radios the hopping pattern is a pseudo-random sequence that is generated automatically by the specific Access Point radio being used. (each Access Point will use a different pattern) If you had a Trio J Series radio and knew which Access Point was in use, however, you still could NOT configure a remote radio to talk to that AP without more information. You would need also to know the hopping interval (rate) and the Network ID. (name)

**3. Interfacing with the Network: We would be putting an asset on a maintenance VLAN, which would connect to the system. How does the radio system interface with the asset?** J Series radios have two standard 10/100 Mbps LAN connectors. (auto sensing) They act internally like an unmanaged switch.

**4. In the drawing, it shows a cable running from the KR900 (I presume you mean JR900 – the Ethernet frequency-hopping radio, as KR900 is serial-only!) to the computer. What methods are available for interfacing? I.e Wired/Wireless?** Trio radios do NOT include a WiFi or Bluetooth interface. You would use a standard Ethernet cable. Alternately, the radio's two serial ports can be enabled if necessary, and configured to transport various serial data protocols. Typically a 3 wire modem cable (straight-thru) is used for that.

**5. Can we enable and disable connection protocols?** On the LAN side, the Trio radios are protocol-agnostic. They act in a transparent manner, simply transporting the protocol, not getting "involved". If you enable one of (or both of) the serial ports, those however are more sensitive to the protocol used. Modbus, DNP3, DF1 half-duplex, and many other serial protocols can however be carried, depending on serial port configuration.

**6. Does the remote radio configuration support 2 factor Authentication methods?** No, our radios do not support Two Factor Authentication. This is something that no radios in our industry support. Two Factor Authentication appears to use both login username & password, as well as a device such as a key fob, a physical item that would have to be present to allow a user to log in. Certainly that would be complex to implement in order to enable communication traffic on an ongoing basis. Could be done to allow login to the radio for configuration purposes, yes. But again, nobody in our industry is doing that at this time. Also, it would preclude the possibility of over-the-air remote configuration which is a feature many of our customers demand.

**7. I read something about AES 256 bit encryption.** AES 256 encryption may optionally be enabled in the J Series radios. The key is manually configured.

**8. Data: What types of data are actually being transferred? Can we control what data is transferred?** As noted above, the J Series radios act in a transparent manner, very much like an unmanaged switch. There is however a simple filter that can be enabled to block broadcasts & some multicast traffic, and even ARP messages. And also optionally the radio can be configured to only allow traffic to be initiated by a specific MAC address. (or up to 4 MAC addresses)

**9. Mitigation: If radio encryption is broken, what data are we actually losing? Can they be changed to be able to disrupt the machines, or other malicious activity?** I can't answer "what data are we actually losing?" That is totally up to you (or the users of the radio system) and the data that is being sent over the network. But more importantly, I have never heard of anyone breaking AES 256 bit encryption, not even the proverbial "Men in Black." Communication devices are susceptible to complex attacks such as "Man in the Middle" types, and Trio radios are no exception. You need a more complex security-capable communication device to protect against ALL such attacks. But remember that the hacker would need to know multiple things to access the radio network: The hopping pattern, the network ID and the hopping interval. If they were able to gain access to all of that information it really means you've got a deeper problem (eg an "inside job") that would be almost impossible to protect against.

**10. Interfacing with the network, are the devices able to be configured for permissions, set to read only, or such?** Our radios do include user login capability (username and password) for access to the configuration interface. Also, HTTPS (secure web browser) can be enabled and regular HTTP blocked. In such cases a security certificate would be shared by the radio and computer. (generated either by the radio itself or by a 3rd party & uploaded)

**11. Do the devices ONLY read data from the machines?** Our radios do NOT typically get involved in an active way to read data from end devices. They are simply transport layer devices, passing messages from the polling device (a computer, a PLC or an RTU) thru to a remote device, then passing the reply back the other way. Only in the case of serial data transport (over a J Series system) would the attached devices possibly communicate directly to the radio. The radio would convert the Ethernet protocol to a serial protocol, acting as a gateway. But even then, the radios are not actively doing anything, just transporting the messages.

------------------------
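
Added example, not part of the original post and not Schneider Electric code: a Python model of the optional filter described in answer 8, applied to raw Ethernet frames so you can see which kinds of traffic such a configuration would pass or drop. The rule order, the treatment of all multicast as blocked, matching the allow-list against the frame's source address, and every name and sample frame below are assumptions made for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100
MAX_ALLOWED_MACS = 4          # the post says "up to 4 MAC addresses"


def mac(text):
    """Convert '02:00:00:00:00:01' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw


def classify(frame, allowed_src=(), block_bcast=True, block_mcast=True,
             block_arp=True):
    """Return (verdict, reason) for one raw Ethernet II frame (assumed rules)."""
    if len(allowed_src) > MAX_ALLOWED_MACS:
        raise ValueError("allow-list holds at most 4 MAC addresses")
    if len(frame) < 14:
        return "drop", "truncated header"
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        ethertype = struct.unpack("!H", frame[16:18])[0]   # skip 802.1Q tag
    if block_arp and ethertype == ETHERTYPE_ARP:
        return "drop", "arp"
    if dst == BROADCAST:
        if block_bcast:
            return "drop", "broadcast"
    elif dst[0] & 0x01 and block_mcast:    # I/G bit set = group address
        return "drop", "multicast"
    if allowed_src and src not in allowed_src:
        return "drop", "source not allow-listed"
    return "pass", "ok"


# Constructed sample frames (locally administered MACs, dummy payloads).
POLLER, RTU, OTHER = (mac(f"02:00:00:00:00:{n}") for n in ("01", "02", "99"))

def frame(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", ethertype) + payload

SAMPLES = {
    "poll to RTU":    frame(RTU, POLLER, 0x0800),
    "ARP request":    frame(BROADCAST, POLLER, ETHERTYPE_ARP),
    "mDNS multicast": frame(mac("01:00:5e:00:00:fb"), POLLER, 0x0800),
    "unknown host":   frame(RTU, OTHER, 0x0800),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {classify(raw, allowed_src=(POLLER,))}")
```

In this model an ARP request is still dropped when `block_arp=False` but `block_bcast=True`, because the request is addressed to the broadcast MAC.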

bevanweiss:
Is there any intention of Trio radios supporting RADIUS authentication? Then you could claim two-factor authentication also 🙂
Since certain RADIUS servers can be set up with two-factor 'passwords'.

------------------------

**_jweder:_**
There definitely has been work in support of adding Radius authentication. It's on the Roadmap for the near future, but can't give you a date. Most likely it would appear in the Q licensed radio first, then J Series license-free later.
If you know of any specific project(s) being lost due to lack of this feature please do let us know, as that can definitely influence the development timeline.
