Encryption secures the data in transit. Antenna selection and OT-specific constraints determine whether wireless works reliably in an industrial environment.
An omnidirectional antenna radiates signal equally in all horizontal directions. A directional antenna focuses signal in one direction for longer range. dBi (decibels relative to isotropic) measures antenna gain: higher dBi means a more focused beam.
| Antenna Type | Pattern | Typical Gain | Use Case |
|---|---|---|---|
| Omnidirectional | 360 degrees horizontal | 2 to 5 dBi | Indoor APs, general coverage |
| Patch / Panel | 60 to 120 degree sector | 6 to 14 dBi | Hallways, directed coverage |
| Yagi | Narrow beam | 10 to 18 dBi | Point-to-point links |
| Parabolic dish | Very narrow beam | 20+ dBi | Long-distance backhaul |
Wireless in OT serves specific use cases: mobile HMIs, maintenance laptops, asset tracking, and sensor data collection. It does not replace wired connections for real-time control.
PROFINET RT operates at Layer 2 with EtherType 0x8892. Standard Wi-Fi adds variable latency (1 to 10 ms per hop) and jitter that violates PROFINET RT cycle time requirements (typically 1 to 4 ms). PROFINET IRT, which requires sub-millisecond determinism, is incompatible with Wi-Fi entirely. Use wired Ethernet for all PROFINET connections.
| Standard | Frequency | Topology | Use Case |
|---|---|---|---|
| WirelessHART | 2.4 GHz (IEEE 802.15.4) | Mesh | Process instrumentation (temperature, pressure, flow) |
| ISA100.11a | 2.4 GHz (IEEE 802.15.4) | Mesh / Star | Process monitoring, non-critical control |
| Wi-Fi (802.11) | 2.4 / 5 / 6 GHz | Infrastructure | HMIs, laptops, cameras |
WirelessHART and ISA100.11a are designed for industrial sensor networks. They use mesh topologies for reliability, time-synchronized communication for determinism, and AES-128 encryption. They are appropriate for monitoring (reading sensor values every 1 to 10 seconds) but not for real-time closed-loop control.
Wireless introduces three problems for real-time control:
For these reasons, use wired Ethernet for all closed-loop control (PLC to drive, PLC to I/O) and reserve wireless for monitoring, HMIs, and maintenance access.
A rogue AP is an unauthorized access point connected to the network. It creates an uncontrolled entry point that bypasses firewall rules and network segmentation. The following script uses Scapy to capture 802.11 beacon frames and compare detected SSIDs against an approved list.
```python
from scapy.all import sniff, Dot11, Dot11Beacon, Dot11Elt

APPROVED_SSIDS = {"PlantWiFi", "PlantGuest", "Maintenance"}
seen_aps: dict[str, str] = {}  # bssid -> ssid


def check_beacon(pkt):
    """Report each newly seen BSSID once, labelled by SSID allowlist membership."""
    if not pkt.haslayer(Dot11Beacon):
        return
    bssid = pkt[Dot11].addr2
    # The first information element in a beacon is normally the SSID (ID 0).
    ssid_elt = pkt[Dot11Elt]
    ssid = ssid_elt.info.decode(errors="ignore") if ssid_elt.ID == 0 else ""
    if bssid in seen_aps:
        return
    seen_aps[bssid] = ssid
    status = "APPROVED" if ssid in APPROVED_SSIDS else "ROGUE"
    print(f"[{status}] SSID='{ssid}' BSSID={bssid}")


# Requires monitor mode:
#   sudo ip link set wlan0 down
#   sudo iw wlan0 set monitor control
#   sudo ip link set wlan0 up
sniff(iface="wlan0", prn=check_beacon, store=False, timeout=60)

print(f"\nTotal APs detected: {len(seen_aps)}")
rogue = {b: s for b, s in seen_aps.items() if s not in APPROVED_SSIDS}
print(f"Rogue APs: {len(rogue)}")
```

Run this script periodically from a laptop with a wireless adapter in monitor mode. Any SSID not in the approved list warrants investigation. A rogue AP broadcasting “PlantWiFi” with a different BSSID than the approved APs indicates an evil twin attack. Because the script compares SSIDs only, it labels such a twin as APPROVED; compare the BSSID against the list of approved APs as well.
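The evil twin case described above needs a check on the (SSID, BSSID) pair rather than the SSID alone. The following is an added example, not part of the original script: it parses raw beacon bytes without Scapy, and the BSSID inventory, the status labels, and the `make_beacon` helper are assumptions built from constructed values.

```python
import struct

# Assumed inventory (constructed values): approved SSID -> BSSIDs allowed to announce it.
APPROVED = {
    "PlantWiFi": {"02:00:00:00:00:01", "02:00:00:00:00:02"},
    "PlantGuest": {"02:00:00:00:00:03"},
    "Maintenance": {"02:00:00:00:00:10"},
}

def parse_beacon(frame: bytes):
    """Return (bssid, ssid) from a raw 802.11 beacon without radiotap, else None."""
    if len(frame) < 36 or frame[0] != 0x80:       # management frame, subtype beacon
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # address 3
    pos = 36                                      # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        elt_id, elt_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elt_len]
        if len(body) < elt_len:                   # truncated element: stop parsing
            return None
        if elt_id == 0:                           # SSID element
            return bssid, body.decode("utf-8", errors="replace")
        pos += 2 + elt_len
    return None

def classify(bssid: str, ssid: str) -> str:
    if ssid.strip("\x00") == "":
        return "HIDDEN"                           # empty or null-padded SSID
    if ssid not in APPROVED:
        return "ROGUE"
    return "APPROVED" if bssid.lower() in APPROVED[ssid] else "EVIL_TWIN"

def make_beacon(bssid: str, ssid: str) -> bytes:
    """Build a minimal constructed beacon for offline testing."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    name = ssid.encode()
    # DS parameter element (ID 3) placed first so the parser has to skip it.
    return header + fixed + bytes([3, 1, 6, 0, len(name)]) + name

if __name__ == "__main__":
    for bssid, ssid in [("02:00:00:00:00:01", "PlantWiFi"),
                        ("02:00:00:00:00:99", "PlantWiFi"),
                        ("02:00:00:00:00:55", "FreeWiFi")]:
        print(classify(*parse_beacon(make_beacon(bssid, ssid))), ssid, bssid)
```

The comparison flags a twin only when its BSSID differs from the inventory, which is the case the text describes, so the inventory has to be kept current as APs are added or replaced.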
No wireless for real-time control
Use wired Ethernet for PLC-to-drive and PLC-to-IO connections. Reserve wireless for HMIs, laptops, and monitoring sensors.
WirelessHART for process monitoring
WirelessHART and ISA100.11a provide mesh reliability and AES-128 encryption for sensor data collection at 1 to 10 second intervals.
Detect rogue APs regularly
Scan for unauthorized access points. A rogue AP bypasses all network segmentation and firewall rules.
Wireless extends the physical network, but modern infrastructure increasingly lives in the cloud. The next chapter covers cloud networking: VPCs, security groups, and how traditional networking concepts translate to virtualized, on-demand infrastructure.