The previous chapters covered wired industrial networking. Wireless connectivity is increasingly required for mobile equipment, AGVs, and remote monitoring. HiLCOS is the operating system that powers Hirschmann industrial WLAN devices and delivers the features needed to make wireless reliable in demanding industrial environments.
Standard consumer and enterprise WLAN firmware is designed for office environments. Industrial environments introduce challenges that consumer firmware does not handle: EMI from motors and VFDs, metal enclosures that reflect and attenuate signals, mobile equipment that moves through coverage zones, and applications that do not tolerate dropped connections.
HiLCOS is the Hirschmann purpose-built WLAN operating system. HiLCOS runs on the OpenBAT, BAT867-R, BAT450-F, and BAT867-F product families. HiLCOS delivers features well beyond basic WLAN functions, developed over more than 20 years of industrial wireless deployments.
Key terms:
| Feature | Description |
|---|---|
| WLAN protocols | IEEE 802.11a/b/g/n/ac |
| Routing | Full IP routing with static routes and NAT |
| Firewall | Stateful packet inspection |
| VLAN | 802.1Q VLAN support |
| Redundancy | PRP over WLAN, RSTP |
| VPN | IPSec, L2TP |
| Security | WPA2/WPA3, 802.1X/EAP, LEPS, hardware-accelerated AES |
| Management | Web GUI, CLI, SNMP, BAT WLC Controller |
WIDS (Wireless Intrusion Detection System) monitors the wireless environment and detects:
The WIDS functionality is configurable and monitorable from the BAT WLC Controller. The BAT WLC Controller delivers centralized visibility across access points in the installation.
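An added illustration, not HiLCOS or BAT WLC Controller code, of the comparison that rogue-AP detection rests on: observed beacons are checked against an inventory of managed access points. The inventory format, field names, addresses, finding labels and RSSI threshold are constructed assumptions, and a static channel plan is assumed.

```python
# Added illustration: rogue-AP triage over scan results. Not HiLCOS code.
# Field names, addresses, labels and the RSSI threshold are constructed assumptions.
from typing import NamedTuple

class AP(NamedTuple):
    bssid: str
    ssid: str
    channel: int
    security: str

# Inventory of managed access points (constructed sample values, static channels).
AUTHORIZED = {
    "02:00:00:00:00:01": AP("02:00:00:00:00:01", "PLANT-OT", 36, "WPA2-Enterprise"),
    "02:00:00:00:00:02": AP("02:00:00:00:00:02", "PLANT-OT", 44, "WPA2-Enterprise"),
}
ON_SITE_RSSI_DBM = -70  # assumed cut-off: stronger than this counts as on site

def classify(seen: AP, rssi_dbm: int) -> str:
    """Return a finding label for one observed beacon."""
    known = AUTHORIZED.get(seen.bssid.lower())
    managed_ssids = {ap.ssid for ap in AUTHORIZED.values()}
    if known is not None:
        # Known BSSID: drift in SSID, channel or security means either a
        # misconfigured managed AP or another radio reusing its BSSID.
        return "ok" if seen._replace(bssid=known.bssid) == known else "managed-ap-mismatch"
    if seen.ssid in managed_ssids:
        # Managed SSID announced by a radio that is not in the inventory.
        return "ssid-impersonation"
    if rssi_dbm >= ON_SITE_RSSI_DBM:
        return "unknown-ap-on-site"
    return "neighbor"  # weak, unrelated network: not alerted

def triage(scan):
    """Classify every observation and keep only the actionable findings."""
    findings = []
    for seen, rssi in scan:
        label = classify(seen, rssi)
        if label not in ("ok", "neighbor"):
            findings.append((seen.bssid, seen.ssid, label))
    return findings

# Constructed scan results: (beacon, RSSI in dBm).
SAMPLE_SCAN = [
    (AP("02:00:00:00:00:01", "PLANT-OT", 36, "WPA2-Enterprise"), -48),
    (AP("02:00:00:00:00:02", "PLANT-OT", 44, "Open"), -52),
    (AP("02:00:00:00:00:99", "PLANT-OT", 36, "WPA2-Enterprise"), -60),
    (AP("02:00:00:00:00:AA", "travel-router", 6, "WPA2-Personal"), -55),
    (AP("02:00:00:00:00:BB", "CafeGuest", 11, "Open"), -88),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(finding)
```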
AutoWDS builds a wireless mesh network. Access points discover each other, negotiate links, and form a self-healing mesh without manual configuration of each link.
When a mesh link is inoperable, AutoWDS reroutes traffic through alternative paths. AutoWDS delivers redundancy without requiring a wired connection to every access point.
Mobile equipment (AGVs, forklifts, handheld terminals) moves between access-point coverage zones. Standard 802.11 roaming takes 50 to 200 ms. This delay causes TCP connections to drop and industrial protocols to time out.
HiLCOS implements Opportunistic Key Caching (OKC) to reduce roaming handover time. The client pre-authenticates with neighboring APs before it moves into a neighboring AP's coverage zone. Handover time drops to under 50 ms.
HiLCOS supports PRP (Parallel Redundancy Protocol) over WLAN. The device sends every frame simultaneously over 2 independent WLAN interfaces. When 1 wireless link is inoperable, the other continues without interruption.
PRP over WLAN delivers zero-recovery-time redundancy for wireless connections — the same guarantee that PRP delivers on wired networks.
WIDS detects rogue APs
Enable WIDS on industrial WLAN deployments. Rogue APs are a common attack vector in industrial environments.
AutoWDS simplifies mesh deployment
AutoWDS eliminates manual mesh configuration. Access points discover each other and form a self-healing mesh.
Fast roaming for mobile equipment
Opportunistic Key Caching reduces roaming handover to under 50 ms. OKC keeps TCP connections alive as AGVs and forklifts move between coverage zones.
HiLCOS delivers the software foundation. The next section covers the BAT series hardware products that run HiLCOS, from the ruggedized IP67 BAT450-F to the high-speed BAT867-F.