The previous chapters covered wired industrial networking. Wireless connectivity is increasingly required for mobile equipment, AGVs, and remote monitoring. HiLCOS is the operating system that powers Hirschmann’s industrial WLAN devices and provides the features needed to make wireless reliable in demanding industrial environments.
Standard consumer and enterprise WLAN firmware is designed for office environments. Industrial environments introduce challenges that consumer firmware cannot handle: EMI from motors and VFDs, metal enclosures that reflect and attenuate signals, mobile equipment that moves through coverage zones, and safety-critical applications that cannot tolerate dropped connections.
HiLCOS is Hirschmann’s purpose-built WLAN operating system. It runs on the OpenBAT, BAT867-R, BAT450-F, and BAT867-F product families. It provides features well beyond basic WLAN functions, developed over more than 20 years of industrial wireless deployments.
Key terms:
| Feature | Description |
|---|---|
| WLAN protocols | IEEE 802.11a/b/g/n/ac |
| Routing | Full IP routing with static routes and NAT |
| Firewall | Stateful packet inspection |
| VLAN | 802.1Q VLAN support |
| Redundancy | PRP over WLAN, RSTP |
| VPN | IPSec, L2TP |
| Security | WPA2/WPA3, 802.1X/EAP, LEPS, hardware-accelerated AES |
| Management | Web GUI, CLI, SNMP, BAT WLC Controller |
WIDS (Wireless Intrusion Detection System) monitors the wireless environment and detects:
The WIDS functionality is configurable and monitorable from the BAT WLC Controller, providing centralized visibility across all access points in the installation.
AutoWDS automatically builds a wireless mesh network. Access points discover each other, negotiate links, and form a self-healing mesh without manual configuration of each link.
If a mesh link fails, AutoWDS automatically reroutes traffic through alternative paths. This provides redundancy without requiring a wired connection to every access point.
Mobile equipment (AGVs, forklifts, handheld terminals) moves between access point coverage zones. Standard 802.11 roaming can take 50 to 200 ms, which causes TCP connections to drop and industrial protocols to time out.
HiLCOS implements Opportunistic Key Caching (OKC) to reduce roaming handover time. The client pre-authenticates with neighboring APs before moving into their coverage zone. Handover time drops to under 50 ms.
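The sketch below is an added example, not HiLCOS code. It shows the check an AP can make when a roaming client offers a PMKID during reassociation, using the IEEE 802.11 PMKID derivation for SHA-1 based key management. The `OkcCache` class, the shared-cache model, and all MAC and key values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw

def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]

class OkcCache:
    """Hypothetical PMK cache shared by every AP in one roaming domain."""
    def __init__(self):
        self._pmk_by_client = {}

    def store(self, client_mac: str, pmk: bytes) -> None:
        # Called once, after the client's full 802.1X/EAP authentication.
        self._pmk_by_client[mac_bytes(client_mac)] = pmk

    def evict(self, client_mac: str) -> None:
        self._pmk_by_client.pop(mac_bytes(client_mac), None)  # forces full auth on next roam

    def accept_reassociation(self, ap_mac, client_mac, offered_pmkid) -> bool:
        """True means: skip 802.1X and proceed to the 4-way handshake."""
        pmk = self._pmk_by_client.get(mac_bytes(client_mac))
        if pmk is None:
            return False
        return hmac.compare_digest(pmkid(pmk, ap_mac, client_mac), offered_pmkid)

# Constructed sample values (locally administered MACs, dummy key).
PMK = bytes(range(32))
AGV, AP_A, AP_B = "02:00:00:00:00:10", "02:00:00:00:0a:01", "02:00:00:00:0a:02"

def demo():
    cache = OkcCache()
    cache.store(AGV, PMK)                      # full authentication happened at AP_A
    offered = pmkid(PMK, AP_B, AGV)            # client derives the PMKID for the next AP
    roam_ok = cache.accept_reassociation(AP_B, AGV, offered)
    wrong_ap = cache.accept_reassociation(AP_B, AGV, pmkid(PMK, AP_A, AGV))
    cache.evict(AGV)                           # e.g. the device was decommissioned
    after_evict = cache.accept_reassociation(AP_B, AGV, offered)
    return roam_ok, wrong_ap, after_evict

if __name__ == "__main__":
    print(demo())
```

Because the AP's MAC address is an input to the PMKID, an identifier computed for one AP is rejected by another, and evicting the cached PMK is what forces a removed device back through full authentication.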
HiLCOS supports PRP (Parallel Redundancy Protocol) over WLAN. The device sends every frame simultaneously over two independent WLAN interfaces. If one wireless link fails, the other continues without interruption.
This provides zero-recovery-time redundancy for wireless connections — the same guarantee that PRP provides on wired networks.
WIDS detects rogue APs automatically
Enable WIDS on all industrial WLAN deployments. Rogue APs are a common attack vector in industrial environments.
AutoWDS simplifies mesh deployment
AutoWDS eliminates manual mesh configuration. Access points discover each other and form a self-healing mesh automatically.
Fast roaming for mobile equipment
Opportunistic Key Caching reduces roaming handover to under 50 ms. This keeps TCP connections alive as AGVs and forklifts move between coverage zones.
HiLCOS provides the software foundation. The next section covers the BAT series hardware products that run HiLCOS, from the ruggedized IP67 BAT450-F to the high-speed BAT867-F.