Wireless networks are becoming unavoidable in manufacturing. Sensors are cheaper when they are wireless, technicians expect mobile access, and wired infrastructure is expensive to expand in older facilities. The security question is not whether to allow wireless, but where wireless improves security outcomes compared to the alternative: wired networks under constant pressure to grant unrestricted access.
Wireless is not inherently worse than wired—it is simply different. A wireless network with strong encryption and explicit access control may be more secure than a wired network that is poorly segmented because everyone insists on flexible access for troubleshooting.
Wireless Use Case 1: Mobile Equipment and Asset Tracking
RFID and BLE tags on mobile equipment (forklifts, welding carts, test benches) provide location data that improves operational efficiency and asset utilization. These devices transmit low-bandwidth, low-frequency signals that are naturally range-limited. Security exposure is minimal if the data is encrypted and the location system is isolated from production networks. This use case justifies a dedicated wireless network specifically for asset tracking that is separate from OT control networks.
Wireless Use Case 2: Environmental Sensors and Predictive Maintenance
Vibration, temperature, and humidity sensors on production equipment generate continuous data streams for predictive maintenance and quality monitoring. Wiring 100+ sensors into a centralized data collector is expensive and inflexible. Wireless sensor networks with mesh routing and edge aggregation reduce wiring costs significantly. These sensors carry non-critical data (historical trends, not real-time control), so temporary packet loss or latency is acceptable. Deploy these on a separate 5 GHz network with WPA3 encryption, isolated from control networks by a firewall.
Wireless Use Case 3: Time-Sensitive Guest Access
Temporary contractors, OEM technicians, and third-party integrators often need network access for equipment setup or troubleshooting. Granting them wired access requires port configuration, cleanup after they leave, and coordination with your network team. A managed guest wireless network with time-limited access, bandwidth constraints, and segmentation from production networks reduces friction while maintaining security boundaries. Guests authenticate with credentials issued specifically for their visit, automatically revoked after 48 hours.
Wireless Security Non-Negotiables
- Separate SSIDs: Never run OT control systems and guest access on the same SSID. Use separate wireless networks with different encryption, authentication, and network policies.
- Firewall Isolation: Wireless networks must be logically segmented from wired production networks via firewalls. Traffic between wireless and wired must traverse explicit access control rules.
- Encryption Standard: WPA3 is now standard; WPA2 is acceptable for sensor networks; WEP or no encryption is unacceptable. Enforce strong passphrases (24+ characters) or certificate-based authentication.
- Site Survey and Coverage Mapping: Weak RF coverage leads to retransmission storms that degrade both wireless and adjacent wired networks. Map RF coverage before deployment and after production layout changes.
When to Say No to Wireless
Real-time control systems—PLCs, motor drives, safety interlocks—should remain on wired networks. The latency variability and packet loss inherent in wireless systems are incompatible with hard real-time requirements. If an integrator proposes wireless for control logic or safety I/O, reject it. The convenience gain is not worth the risk.
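The non-negotiables and the wired-only rule for control systems can be checked mechanically against a WLAN inventory. The following is an added example, not code from the original article; the `Wlan` fields, role labels, and sample SSIDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GUEST_MAX_LIFETIME = timedelta(hours=48)  # revocation window stated in the article
MIN_PASSPHRASE_LEN = 24                   # passphrase floor stated in the article

@dataclass
class Wlan:                   # hypothetical inventory record
    ssid: str
    roles: set                # assumed labels: "asset", "sensor", "guest", "control"
    encryption: str           # "WPA3", "WPA2", "WEP" or "OPEN"
    auth: str                 # "passphrase" or "certificate"
    passphrase_len: int = 0
    firewalled: bool = False  # True if traffic to wired production crosses firewall rules

def audit_wlan(w):
    """Return the article's rules that this WLAN breaks (empty list = compliant)."""
    findings = []
    if "control" in w.roles:
        findings.append("real-time control belongs on wired")
    if {"guest", "control"} <= w.roles:
        findings.append("OT control and guest on the same SSID")
    if w.encryption in ("WEP", "OPEN"):
        findings.append("WEP or no encryption")
    elif w.encryption == "WPA2" and w.roles != {"sensor"}:
        findings.append("WPA2 outside a sensor network")
    elif w.encryption not in ("WPA2", "WPA3"):
        findings.append("unknown encryption")
    if w.auth == "passphrase" and w.passphrase_len < MIN_PASSPHRASE_LEN:
        findings.append("passphrase under 24 characters")
    if not w.firewalled:
        findings.append("no firewall between wireless and wired")
    return findings

def guest_credential_expired(issued, now):
    """True once a guest credential has reached the 48-hour limit."""
    return now - issued >= GUEST_MAX_LIFETIME

# Constructed sample inventory (not real networks).
INVENTORY = [
    Wlan("plant-sensors", {"sensor"}, "WPA2", "passphrase", 28, True),
    Wlan("plant-guest", {"guest"}, "WPA3", "certificate", 0, True),
    Wlan("line3-mixed", {"guest", "control"}, "WPA2", "passphrase", 12, False),
]

if __name__ == "__main__":
    for wlan in INVENTORY:
        print(wlan.ssid, audit_wlan(wlan) or "OK")
    print(guest_credential_expired(datetime(2024, 1, 1, 8), datetime(2024, 1, 3, 8)))
```

RF coverage is not modeled here; that item still requires a physical site survey.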
If you're considering wireless for your facility, reach out to discuss which use cases make sense for your environment.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.