Reprinted from INBOUND LOGISTICS, April, 2004
Wireless Security: Is your data at risk?
Many companies use wireless devices to manage transportation and logistics, and many more are considering doing so. Now that all this important information is being sent through the air, the question arises: Can anyone tap into your wireless information stream? Short answer: Yes! Your sensitive SCM information is out there for all to see. Here are some steps you can take to secure your wireless networks.
Logistics was one of the first industries to take advantage of wireless local area networks (LANs). Years before people started downloading email while sipping lattes at Starbuck's, companies used wireless LANs in warehouses and similar facilities to provide real-time links between mobile data collection devices and logistics applications.
Wireless LANs are more vulnerable today, largely because the industry has developed interoperability standards. Back in the day, vendors sold proprietary hardware and software for wireless local area networking. Equipment was relatively expensive, and companies bought it mainly through specialized suppliers.
In 1997, the Institute of Electrical and Electronics Engineers (IEEE) introduced the first version of a standard for wireless LANs, called 802.11. Two versions of this standard are commonly known as "Wi-Fi." Since Wi-Fi emerged, it has become a popular technology for providing untethered data communications.
Wireless Hot Spots
Wireless networks are vulnerable because they transmit data on radio signals, which pass through walls. Just as anyone with a scanner can eavesdrop on unscrambled police radio chatter, intruders with the right equipment can intercept wireless data transmissions in and around your facilities.
In a warehouse, for example, "cinder block walls will let a large percentage of RF through," says a white paper on security for 802.11 wireless networks published by LXE, Atlanta. "The steel bay doors, if closed, will block some RF radiation, but if these doors are left open, as is often the case, then the network signal pours into the parking area unobstructed."
While unauthorized people might find it hard to lurk undisturbed in the parking lot, determined eavesdroppers "will obtain a directional antenna that allows them to listen from anywhere within a quarter-mile radius that has a line of sight to the warehouse," the paper says.
"If you don't implement good security procedures, processes, and technologies, it's equivalent to putting Ethernet ports outside the four walls of your corporate office building and making them accessible to anybody interested in plugging into your corporate network," says David Baildon, global market leader, transportation and logistics solutions, Symbol Technologies, Holtsville, N.Y.
A wireless network might also be vulnerable because the operator doesn't appreciate the potential threats. The biggest problem with security for wireless LANs today "is that it's not being used," says a white paper published by Intermec, Everett, Wash. Hackers can intercept data easily "because people just plug in the access point right out of the box and don't change the default settings."
For example, the security measures built into 802.11 equipment include Wired Equivalent Privacy (WEP), a protocol that encrypts data on the wireless network. To unscramble the encrypted data, a device on the network needs a special software "key."
"People discovered early on that the WEP key that comes with an 802.11 device is so simple, hackers can figure it out easily," says Dan Park, director of wireless management connectivity systems at Intermec. "If you removed all the factory defaults and put in a fairly extensive WEP key, then it became very difficult to break. But most people didn't do that."
"We have within our network, data that's important to our customers. We take the responsibility of protecting that information seriously," says Jon Fieldman, vice president, enterprise integration and chief information officer at DSC Logistics, a third-party logistics provider that operates more than two dozen warehouses. DSC uses data collection equipment primarily from LXE and uses wireless networking technology from Cisco Systems.
Protecting customers' data means two things, Fieldman says. "First, we do not want anyone to manipulate, delete, destroy, or change the data. Secondly, we don't want anyone who is unauthorized to be able to see it."
It's probably not a big deal if an industrial spy peering into your network learns that one of your workers has just picked 14 cases of lima beans. More often, though, hackers break into an RF network with bigger prizes in mind.
Hackers who penetrate the security measures in place on a wireless network can operate on that network just as though they were sitting at a desktop PC, says Hank Stephens, product manager for wireless infrastructure at LXE. "Potentially, they can do a lot of damage. Delete data, steal data. They could disable the network."
"If I understand that you just sent 14 cases of lima beans, and I know all your security information, I can get into your network and look at other things besides lima beans," Park says. "If I get access to your financial and inventory records, I can look at the price you charge for the beans, how many you sell in a year, and similar information." Once inside the network, spies can also obtain employee phone numbers, payroll data, confidential client information, details about intellectual property and more," says Baildon.
And if you ship not lima beans, but home entertainment systems, you have another worry. Sometimes organized rings of cargo thieves break into wireless networks to learn about upcoming shipments, warns John Sweitzer, director of industry marketing, transportation and logistics at Intermec. "That's clearly a concern for high-value shippers."
Once you understand the danger posed by threats to your wireless network, what can you do about it? First, you can take advantage of the authentication and encryption measures already built into the 802.11 standard.
Al Lovato, director of operations and technical services at DSC Logistics, says his company follows all of Cisco's recommendations for configuring the security on its RF equipment. He advises other logistics professionals to heed their vendors' instructions as well.
"Right now, many people just plug it in, and the defaults are no security at all. If you don't take specific steps to establish those Cisco recommendations, or some type of other security on your wireless, you are generally wide open," Lovato notes.
One technique for making the security in 802.11 more effective is to change the WEP key often. "If you put in a full WEP key and don't use any factory defaults, you have to collect four million packets before you get enough information to break that key," says Park. "So if after every three million packets you change that key, nobody will ever get in."
Experts agree that the current 802.11 security standard needs improvement. Within the IEEE, a committee is currently working on a new standard, known as 802.11i. Because standard committees are notoriously slow in their work, and the market is eager for better security options, members of the wireless industry took matters into their own hands last year. A trade organization called the Wi-Fi Alliance published an interim standard called the Wi-Fi Protected Access (WPA).
Using A Server
One solution to that problem is to load all transaction data from the wireless network onto a server. An application on the main network—say, an accounting system—could reach out to that server for data it needed, but traffic wouldn't flow in the other direction.
A company can further protect its wireless network by implementing virtual private networks (VPNs). A VPN establishes an exclusive connection between two machines that are communicating over a public network. It's sort of an "electronic tunnel" that safeguards the data passing through it, says Yangmin Shen, director of technical marketing in Symbol Technologies' wireless infrastructure division.
If you buy all your equipment from a single vendor, "it's probably easier to supply security enterprise-wide than if you mix and match vendors for your basic wireless access points and infrastructure," Lovato advises.
Sticking with one vendor, you can take advantage of any new security features that company adds to its products, months before they're adopted as standards throughout the industry. Also, "a single-vendor solution is much easier to administer and manage across the board," he explains.
"If you already have equipment from more than one vendor, or you have a mix of old and new end-user devices, you might need to deploy a combination of approaches to accommodate them all," says Shen. "At the same time, you have to make sure none of those techniques impedes the mobility of these devices on the network. For example, as a user roams from one access point to another, devices that use a technology called IP Secure (IPSEC) to establish a VPN tend to disconnect from the network," he says. "This could make IPSEC a poor choice for use in a warehouse."
© Copyright April 2004, Inbound Logistics, Merrill Douglas. All rights reserved. Used with permission. 040605
Contact us for more information.