Title: Wireless Sensor Systems: Security Implications for the Industrial Environment
Slide 1: Wireless Sensor Systems: Security Implications for the Industrial Environment
Dr. Peter L. Fuhr, Chief Scientist, RAE Systems, Sunnyvale, CA (pfuhr_at_raesystems.com)
Slide 2: Dr. Peter Fuhr, Presenter
480 publications/presentations in the wireless sensor networking arena. Old-timer in this area, etc. etc.
- RAE Systems Inc.
- Pervasive Sensing Company based in Silicon Valley, founded in 1991
- Capabilities
  - Radiation detection
    - Gamma and neutron
  - Chemical/vapor detection
    - Toxic gas, VOC, combustible gas, oxygen, CWA, temperature, humidity, CO2
  - Redeployable sensor networks
    - Mobile and fixed wireless monitors
    - Cargo Container Sensor Systems
Slide 3: Contributors
A number of individuals have provided content for these slides. They include: Wayne Manges, Oak Ridge National Laboratory; Robert Poor, Ember; Pat Gonia, Honeywell; Hesh Kagan, Foxboro/Invensys; Kang Lee, NIST; Tom Kevan, Advanstar; Ramesh Shankar, Electric Power Research Institute; Larry Hill, Larry Hill Consulting; Rob Conant, Dust; Rick Kriss, Xsilogy; Gideon Varga, Dept of Energy; Jack Eisenhauser, Energetics; Michael Brambley, Pacific Northwest National Labs; David Wagner, UC-Berkeley. Undoubtedly, there are other contributors too (apologies if your name is not listed).
Slide 4: Wireless Sensor Networking
- it's not cellular telephony
- it's not just WiFi... (and it just may be the next big thing)
Each dot represents one cell phone tower.
Wireless devices circa 1930
Slide 5: Sensor Market: $11B in 2001; Installation (wiring) costs >$100B
- Fragmented market
  -> platform opportunity
- Installation cost limits penetration
  -> reducing installation cost increases market size
Highly Fragmented Sensor Market
Freedonia Group report on Sensors, April 2002
Slide courtesy of Rob Conant, Dust
Slide 6: Industrial Market Sizing: Sensor Networking Products
- North American Market for Wireless products used in Applications where transmission distances are 1 mile or less
  - 2002 Total: $107 million
  - 2006 Forecast: $713 million
  - 2010 Estimate: $2.1 billion
- Largest Application areas
  - 2002: Tank Level Monitoring, Asset Tracking, Preventative Maintenance
  - 2006: Tank Level Monitoring, Preventative Maintenance, Environmental Monitoring
- Conclusions
  - Rapid Growth in Industrial markets
  - Tank Level Monitoring will remain a significant opportunity
- Key User Needs
  - Lower Costs over Wired (or Manual) Solutions
  - Education of Potential Customers on the Technology
  - Demonstration of Operational Reliability
  - Application Domain Knowledge
Slide courtesy of Rick Kriss, Xsilogy
Slide 7: The True Cost per Monitored Node to the End User
[Chart: 3-Yr TCO and Installation Costs (Lower to Higher) plotted against Radio RF Range (dB), from Meters to Miles. Sparse networks (1xRTT, FLEXSAT, etc.) and dense networks (Bluetooth, 802.15.4, WiFi, etc.) are marked, with a "Design For Here" target region.]
Slide courtesy of Rick Kriss, Xsilogy
Slide 8: What to do with the data?
- Great! But how do you get the output signal from the sensor to the location where the information will be interpreted (used)?
Traditionally the output of the sensor was hardwired to some form of interpretive device (e.g., PLC), perhaps relying on a 4-20 mA signal.
Slide 9: Outline
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review
Slide 10: Oh, who needs security in a wireless channel anyway!
(pretty ridiculous statement, isn't it!)
Slide 11: Let's ask some experts: WINA meeting, Coral Gables, Sept. 2003
www.wireless4industrial.org
Slide 12: What's a WINA?
In the spring of 2003, the Wireless Industrial Networking Alliance (WINA) was formed to promote the adoption of wireless networking technologies and practices that will help increase industrial productivity and efficiency. WINA will be holding a 1.5 day meeting at ISA-HQ in RTP, NC on Feb 11/12, right after the ISA Wireless Security Expo and conference. Check out www.wireless4industrial.org for WINA meeting details AND www.isa.org/wireless for the ISA Wireless Security conference details!
Slide 13: Back to the Question: Who needs security in a wireless channel anyway!
Slide 14: Strategy Workshop Participants
- Suppliers (13)
- System integrators (6)
- Industrial end users (10)
  - Chemicals
  - Petroleum
  - Automotive
  - Energy/Utilities
  - Forest Products
  - Electronics
- Industry analysts/venture capitalists (3)
- Others (associations, government, media, researchers)
Slide 15: End-User View of Industrial Wireless
- Likes
  - Mobility
  - Compactness
  - Flexibility
  - Low cost
  - Capability to monitor rotating equipment
  - Short range (security)
  - Ease of installation
  - High reliability
  - Impetus to enhance electronics support
- Dislikes
  - Change to status quo
  - Complexity
  - High cost for coverage in large plants
  - Security issues
  - Portability issues (power)
  - Unproven reliability
  - Too risky for process control
  - Lack of experience in troubleshooting (staff)
  - Restricted infrastructure flexibility once implemented
  - Lack of analysis tools
Slide 16: Technology Group Key Issues
- Security
  - Jamming, hacking, and eavesdropping
- Power
- Value (clear to customer)
- Interoperability
  - Co-existence with other facility networks, sensors, collectors, technology
- True engineered solution (sensors, collectors, etc.)
- Assured performance reliability / MTBA (mean time between attention)
- Software infrastructure, data, systems management
- Robustness (at least as good as wired)
- RF characterization (radios, receivers, environments)
Slide 17: Technology Group: Criticality Varies by Application (5 = most critical)

Attribute                    | Monitor | Control   | Alarm | Shutdown | BizWLAN
Latency                      | 2-3     | 3-5       | 5     | 5        | 1
Device Reliability           | 2-3     | 3-5       | 5     | 5        | 1
Raw Thru-put (node / aggr.)  | 2 / 5   | 2.5 / 2.5 | 1 / 4 | 1 / 1    | 1 / 5
Scalability (Max. nodes)     | 5       | 4         | 4     | 1        | 2-3
Data Reliability             | 1       | 5         | 5     | 5        | 2
Security                     | 1-5     | 5         | 5     | 5        | 5
Low Cost                     | 5       | 2         | 1-3   | 1        | 2-3
Gateway Technology           | 5       | 1         | 3-4   | 1        | 1
Engineered Solution          | 1       | 5         | 4     | 5        | 3

(Columns are the application types.)
Slide 18: Industrial CyberSecurity

Slide 19:
- On October 31, 2001 Vitek Boden was convicted of
  - 26 counts of willfully using a restricted computer to cause damage
  - 1 count of causing serious environmental harm
- The facts of the case
  - Vitek worked for the contractor involved in the installation of the Maroochy Shire sewage treatment plant.
  - Vitek left the contractor in December 1999 and approached the shire for employment. He was refused.
  - Between Jan 2000 and Apr 2000 the sewage system experienced 47 unexplainable faults, causing millions of liters of sewage to be spilled.

Slide 20: How did he do it?
- On April 23, 2000 Vitek was arrested with stolen radio equipment, controller programming software on a laptop and a fully operational controller.
- Vitek is now in jail
Slide 21: A Favorite 2.4 GHz Antenna
Slide 22: WarDriving 802.11 HotSpots in Silicon Valley
Slide 23: WarDriving 802.11 HotSpots in San Francisco
Slide 24: The Question: Who needs security in a wireless channel anyway!
The Answer: We do. So: how do you provide the appropriate level of security within the acceptable price and inconvenience margin -> Risk Management!
Slide 25: Inside vs. Outside?
- Where do attacks come from?
[Chart: % of Respondents]
Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, www.gocsi.com/losses.
Slide 26: An Outside Example. When?
April 2001

Slide 27: Hacker War I
- In the Spring of 2001, the US got its first taste of a new form of warfare.
- Launched from overseas and targeted at US critical infrastructure.
Slide 28: Honker Union
- Chinese Hacker Group working to advance and in some cases impose its political agenda
- During the spring of 2001, Honker Union worked with other groups such as the Chinese Red Guest Network Security Technology Alliance
- Hackers were encouraged to "...make use of their skills for China..." (Wired.com)
Attack Methods
- Denial of Service Attacks
- Website Defacement
- E-mailing viruses to US Government Employees
- KillUSA package
Slide 29: Cyberwar
- Cyber attacks and web defacements increased dramatically after the start of the war against Iraq.
- More than 1,000 sites were hacked in the first 48 hours of the conflict, with many of the attacks containing anti-war slogans.
- Security consultants state that the war against Iraq made March the worst month for digital attacks since records began in 1995.

Slide 30: Hacker School
- North Korea's Mirim College is a military academy specializing in electronic warfare
- 100 potential cybersoldiers graduate every year
Slide 31: The Question: Who needs security in a wireless channel anyway?
The Answer: Everyone.
Slide 32: Outline (section divider; same six-item outline as Slide 9, now at item 2)
Slide 33: Layered Communications
A few details

Slide 34: Wired Data Security - Encryption
The traditional method involved encrypting the data prior to transmission over a potentially insecure channel. The level of protection rests on the encryption algorithm. (There are a few other factors, such as the physical media.)
Slide courtesy of Wayne Manges, ORNL
Slide 35: Outline (section divider; same outline as Slide 9, now at item 3: The Situation for Wireless)
Slide 36: Wireless Buildings
From many perspectives, THIS is what a wireless sensor network can provide.
Key to success: reduced installation costs
Slide courtesy of Pat Gonia, Honeywell
Slide 37: Modulation
$E(t) = A(t)\cos(\omega t + \phi(t))$
- Amplitude Modulation (AM): info is in A(t)
- Frequency Modulation (FM): info is in ω
- Phase Modulation (PM): info is in φ(t)
Different vendors use different schemes, and they are not interoperable.
Slide 38: The FCC Frequency Assignment
Different vendors may use different frequencies within the various ISM bands (green in the diagram).
The ISM bands most commonly used are at 433, 915 and 2400 MHz.

Slide 39: Multiple Sensors Sharing the Medium
Multiplexing: FDMA, TDMA and CDMA
Slide 40: Binary Signaling Formats
- Used to improve digital signal reception and decision
- NRZ: Non-Return to Zero
- RZ: Return to Zero
- Unipolar: only one side of 0V
- Bipolar: both sides of 0V
- Manchester: Bi-Phase (0 in left 1/2 time slot, 1 in right)
Slide 41: Narrowband or Spread Spectrum?
- Narrowband uses a fixed carrier frequency, F0. The receiver then locks onto the carrier frequency, F0.
Easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0). Least secure modulation scheme.
Slide 42: Narrowband or Spread Spectrum (cont.)?
- Frequency Hopping Spread Spectrum uses a carrier frequency that varies with time, F0(t).
Invented and patented by actress Hedy Lamarr and her pianist George Antheil.
The receiver must track the time-varying carrier frequency, F0(t).
Relatively easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0) during any single transmit interval. Hopping rates may be 1600 hops/second (a la Bluetooth). Very secure modulation scheme (used in the military for decades).
Slide 43: Narrowband or Spread Spectrum (cont.)?
- Direct Sequence Spread Spectrum uses a fixed carrier frequency, F0, but interleaves the data with a precise mathematical 0/1 data sequence. (This increases the length of the transmitted information vector, making it longer.) The information is replicated many times throughout the bandwidth, so if one lobe of the information is jammed, the remainder gets through. Highly robust technique.
The receiver then locks onto the carrier frequency, F0, receives the signal and then must undo the interleaving.
More difficult to implement (more expensive). Most complicated scheme (of these presented). Most secure modulation scheme.
Slide 44: Direct-Sequence Spread-Spectrum Signals
[Block diagram: Data, Carrier, PN Clock and PN Sequence Generator on the transmit side; Local Carrier, Local PN Clock, PN Sequence Generator, Wide BP Filter, Narrow BP Filter, Phase Demod, Data and Data Clock on the receive side. Three Power Spectral Density vs. Frequency plots centred on fc show narrowband RFI being turned into Spread RFI.]
- Narrow spectrum at output of modulator before spreading.
- Spectrum has wider bandwidth and lower power density after spreading with PN sequence (PN Rate >> Data Rate).
- Original narrowband, high power density spectrum is restored if the local PN sequence is the same as, and lined up with, the received PN sequence.
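The spreading and despreading described on these two slides, worked through in code. This is an added example, not from the slides: it assumes the 11-chip Barker sequence (the "11 chips/bit" 802.11 row later in the deck) as the PN sequence, models chips as +1/-1 values, models a jammer parked on the carrier as a constant offset on every chip, and uses a constructed 16-bit payload.

```python
"""Added example: direct-sequence spreading/despreading with a narrowband jammer.

Assumptions: Barker-11 is the PN sequence, chips are +1/-1, the jammer adds a
constant offset to every chip, and the payload bits are constructed.
"""
import math
from typing import List

BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]            # bipolar Barker-11 PN sequence
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1]  # constructed payload


def spread(bits: List[int], pn: List[int]) -> List[int]:
    """Replace each bit by the PN sequence (bit 1) or its inverse (bit 0)."""
    chips: List[int] = []
    for b in bits:
        symbol = 1 if b == 1 else -1
        chips.extend(symbol * c for c in pn)
    return chips


def add_narrowband_jammer(chips: List[int], amplitude: float) -> List[float]:
    """A jammer sitting on the carrier adds the same offset to every chip."""
    return [c + amplitude for c in chips]


def despread(chips: List[float], pn: List[int], pn_offset: int = 0) -> List[int]:
    """Correlate each PN-length block with the local PN copy and decide the bit.

    pn_offset != 0 models a receiver whose PN clock is not lined up with the
    transmitter's (the 'restored only if lined up' condition on the slide).
    """
    n = len(pn)
    local = pn[pn_offset:] + pn[:pn_offset]
    bits: List[int] = []
    for start in range(0, len(chips) - n + 1, n):
        corr = sum(chips[start + k] * local[k] for k in range(n))
        bits.append(1 if corr > 0 else 0)
    return bits


def processing_gain_db(pn: List[int]) -> float:
    """Spreading gain: the jammer's energy is divided over the chip rate."""
    return 10 * math.log10(len(pn))


def link_trial(bits: List[int], pn: List[int], jammer_amplitude: float = 0.0,
               pn_offset: int = 0) -> bool:
    """Transmit, jam, receive; True if the payload came through intact."""
    rx = add_narrowband_jammer(spread(bits, pn), jammer_amplitude)
    return despread(rx, pn, pn_offset) == bits


if __name__ == "__main__":
    print("processing gain: %.1f dB" % processing_gain_db(BARKER_11))
    # pn=[1] is plain narrowband signalling: one chip per bit, no spreading.
    for amp in (0.0, 8.0, 12.0):
        print("jammer amplitude %4.1f: narrowband ok=%s, DSSS ok=%s" % (
            amp, link_trial(SAMPLE_BITS, [1], amp),
            link_trial(SAMPLE_BITS, BARKER_11, amp)))
    print("DSSS with misaligned PN clock ok=%s" %
          link_trial(SAMPLE_BITS, BARKER_11, pn_offset=3))
```

A jammer eight times stronger than a chip wipes out the narrowband link but not the spread one; a strong enough jammer (amplitude 12 here) still breaks DSSS, which is the bound the processing gain expresses.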
Slide 45: Narrowband or Spread Spectrum (cont.)?
Each has its pluses and minuses, and each scheme has its share of die-hard advocates and/or naysayers!
Different vendors use these (and other) schemes at different frequencies within the various ISM bands.
From a security standpoint, DSSS is best.

Slide 46: Reality
[Images: DSSS and FHSS]
Slide 47: No Matter What, It's Just an Electromagnetic Field
$E(t) = A(t)\cos(\omega t + \phi(t))$
- A(t): amplitude of the wave
- ω: radian frequency of the wave
- φ(t): phase of the wave
Slide 48: The RF Footprint
- Personal Area Network: typical radiated power 0 dBm, size 10 m
- Local Area Network: typical radiated power 20 dBm, size 100 m
- Wide Area Network: typical radiated power >30 dBm, size >2000 m

Slide 49: Network Topologies?
There are SO many technical questions, such as:
Ad Hoc Network
Slide 50: The Real World Presents the Wireless Channel with Multipath and Attenuation and...

Slide 51: Multipath (Real World)
[Figure: The Effect / The Cause]

Slide 52: Atmospheric Attenuation at 2.4 GHz (Real World)
[Figure: Rayleigh Fading at 2.4 GHz]

Slide 53: Signal Attenuation at 2.4 GHz (Real World)
Slide 54: And Signal-to-Noise Ratios really do matter! (Real World)
Anecdotal Evidence: As Frankfurt has increased the deployment of 2.4 GHz wireless surveillance cameras, the background noise level has increased by 12 dB. (This plays havoc with the BER, or for fixed BER, the overall data rate.)
Slide 55: Real World: Which Frequency is Best?
ALERT! ALERT!!
Notice that the operation at 2.45 GHz is WORSE than at 900 MHz (which is worse than 433 MHz).
Slide 56: Outline (section divider; same outline as Slide 9, now at item 4: Security within various Wireless Delivery Schemes)
Slide 57: Wireless Data Security: Encryption, Spreading, Interleaving
Wireless networks use a variety of techniques to enhance security, such as spreading and interleaving. These techniques can make the signal virtually undetectable without prior knowledge about the network. This can improve the security of the network by orders of magnitude.
Slide courtesy of Wayne Manges, ORNL
Slide 58: The Wireless Market
[Chart: data rate (LOW to HIGH) against range (SHORT to LONG). Application tiers from TEXT, GRAPHICS, INTERNET, HI-FI AUDIO, STREAMING VIDEO and DIGITAL VIDEO up to MULTI-CHANNEL VIDEO. PAN technologies: Bluetooth 1, Bluetooth 2, ZigBee. LAN technologies: 802.11b, 802.11g, 802.11a/HL2.]
Slide 59: Bluetooth vs. the Rest (cont'd)

Technology        | Parameter                  | Data Rate  | Power     | Range        | Topology              | Security     | Voice Channel
ZigBee (proposed) | 2.4 GHz, DSSS 15 chips/bit | 40 kbits/s | 0 dBm     | 100 m        | 100s devices, CSMA/CA | Not yet      | No
802.11            | 2.4 GHz, DSSS 11 chips/bit | 11 Mbps    | 20 dBm    | 50 m         | 128 devices, CSMA/CA  | Optional WEP | Optional
HomeRF            | 2.4 GHz, FHSS 50 hops/s    | 1 Mbps     | 20 dBm    | 50 m         | 128 devices, CSMA/CA  | Optional     | Optional
Bluetooth         | 2.4 GHz, FHSS 1000 hops/s  | 1 Mbps     | 0, 20 dBm | 1-10 m, 50 m | 8 devices, Piconet    | Encryption   | Yes

Bluetooth aka IEEE 802.15.1; ZigBee aka IEEE 802.15.4
Slide 60: Side by Side
Slide 61: 802.11?
Slide 62: The Worldwide View of the 802.11 Spectral Space
Slide 63: Radiated Field from a single AP (Kansas City)
Slide 64: 20 dB Attenuation Profile for Univ of Kansas Eng Bldg., Mesh and AP deployments
Slide 65: WEP (encrypted traffic)
- The industry's solution: WEP (Wired Equivalent Privacy)
- Share a single cryptographic key among all devices
- Encrypt all packets sent over the air, using the shared key
- Use a checksum to prevent injection of spoofed packets

Slide 66: Early History of WEP

Slide 67: Subsequent Events
Jan 2001: Borisov, Goldberg, Wagner
Slide 68: WEP Attack Tools
- Downloadable procedures from the Internet
- To crack the key
  - AirSnort: http://airsnort.sourceforge.net
  - WEPCrack: http://sourceforge.net/projects/wepcrack/
- To brute force entry into a WLAN
  - THC-RUT: http://www.thehackerschoice.com/releases.php
Slide 69: Wi-Fi Protected Access (WPA)
- Flaws in WEP known since January 2001; flaws include weak encryption (keys no longer than 40 bits), static encryption keys, lack of key distribution method.
- IEEE developing 802.11i standard for enhanced wireless security; addresses weak data encryption and user authentication within the existing 802.11 standard.
- 802.11i standard will not be ratified until late 2003, possibly early 2004; outstanding issues.
- WPA standard: joint effort between Wi-Fi Alliance and IEEE; WPA is a subset of the IEEE 802.11i standard (Draft 3.0).
- WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).
Slide 70: WPA Data Encryption
- WPA uses Temporal Key Integrity Protocol (TKIP): stronger data encryption, addresses known vulnerabilities in WEP.
- TKIP chosen as primary encryption cipher suite: easily deployed and supported in legacy 802.11b hardware compared to other available cipher suites.
- TKIP is based on the RC4 stream cipher algorithm and surrounds the WEP cipher engine with 4 new algorithms:
  - Extended 48-bit Initialization Vector (IV) and IV sequencing rules (compared to the shorter 24-bit WEP RC4 key).
  - New per-packet key mixing function.
  - Derivation and distribution method, a.k.a. re-keying.
  - A message integrity check (MIC), a.k.a. Michael, ensures messages haven't been tampered with during transmission.
Slide 71: WPA Data Encryption, cont'd: the Temporal Key Integrity Protocol
- DA: Destination Address
- ICV: Integrity Check Value
- MPDU: Message Protocol Data Unit
- MSDU: MAC Service Data Unit
- RSN: Robust Security Network
- SA: Source Address
- TA: Transmitter Address
- TKIP: Temporal Key Integrity Protocol
- TSC: TKIP Sequence Counter
- TTAK: result of phase 1 key mixing of Temporal Key and Transmitter Address
- WEP: Wired Equivalent Privacy
- WEP IV: Wired Equivalent Privacy Initialization Vector
Slide 72: WPA Data Encryption, cont'd
- TKIP implements countermeasures: reduces the rate at which an attacker can make message forgery attempts down to two packets every 60 seconds.
- After a 60 second timeout a new PMK or Groupwise Key is generated, depending on which was attacked; ensures the attacker cannot obtain information from the attacked key.
- Countermeasures bound the probability of successful forgery and the amount of information an attacker can learn about a key.
- TKIP is made available as a firmware or software upgrade to existing legacy hardware.
- TKIP eliminates having to replace existing hardware or having to purchase new hardware.
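A receiver-side model of the two TKIP mechanisms these slides describe, the TSC sequencing (replay) check and the MIC-failure countermeasures; the same sequential-freshness check reappears under 802.15.4's secured mode later in the deck. This is an added example, not WPA code: it assumes the 48-bit TSC travels in the clear with each frame, uses HMAC-SHA256 truncated to 8 bytes as a stand-in for the Michael MIC (Michael itself is not reproduced), and models re-keying as drawing a fresh random key that the legitimate transmitter is assumed to receive out of band.

```python
"""Added example: TKIP-style replay check and MIC-failure countermeasures.

Assumptions: HMAC-SHA256/8 stands in for Michael, the TSC is sent in the clear,
and a rekey is a fresh random key the honest transmitter is given out of band.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple

MIC_LEN = 8                    # Michael yields a 64-bit MIC
TSC_MAX = 2 ** 48 - 1          # TKIP's 48-bit sequence counter (WEP's IV was 24 bits)
COUNTERMEASURE_WINDOW = 60.0   # two MIC failures inside this many seconds trigger countermeasures


class Frame(NamedTuple):
    sa: bytes       # source / transmitter address
    da: bytes       # destination address
    tsc: int        # TKIP sequence counter, must increase per transmitter
    payload: bytes
    mic: bytes


def compute_mic(mic_key: bytes, sa: bytes, da: bytes, payload: bytes) -> bytes:
    """Keyed integrity check over addresses and payload (stand-in for Michael)."""
    return hmac.new(mic_key, sa + da + payload, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, sa: bytes, da: bytes, tsc: int, payload: bytes) -> Frame:
    """What a legitimate transmitter emits for one MSDU."""
    if not 0 <= tsc <= TSC_MAX:
        raise ValueError("TSC outside 48-bit range")
    return Frame(sa, da, tsc, payload, compute_mic(mic_key, sa, da, payload))


@dataclass
class TkipReceiver:
    mic_key: bytes
    last_tsc: Dict[bytes, int] = field(default_factory=dict)  # highest TSC accepted per transmitter
    mic_failures: List[float] = field(default_factory=list)   # timestamps of recent MIC failures
    blocked_until: float = 0.0                                # countermeasures active until then
    rekey_count: int = 0

    def receive(self, frame: Frame, now: float) -> str:
        """Return the disposition of one received frame."""
        if now < self.blocked_until:
            return "dropped-countermeasures"      # link is shut while countermeasures run
        if frame.tsc <= self.last_tsc.get(frame.sa, -1):
            return "dropped-replay"               # sequencing rule: stale or repeated TSC
        expected = compute_mic(self.mic_key, frame.sa, frame.da, frame.payload)
        if not hmac.compare_digest(expected, frame.mic):
            self._record_mic_failure(now)
            return "dropped-mic-failure"
        self.last_tsc[frame.sa] = frame.tsc       # advance the replay window only on success
        return "accepted"

    def _record_mic_failure(self, now: float) -> None:
        self.mic_failures = [t for t in self.mic_failures if now - t < COUNTERMEASURE_WINDOW]
        self.mic_failures.append(now)
        if len(self.mic_failures) >= 2:
            # Second forgery attempt inside 60 s: close the link for 60 s and rekey, so an
            # attacker gets at most two guesses per minute against any one key.
            self.blocked_until = now + COUNTERMEASURE_WINDOW
            self.mic_key = os.urandom(16)
            self.last_tsc.clear()
            self.mic_failures.clear()
            self.rekey_count += 1


def simulate() -> List[str]:
    """Constructed traffic: a good frame, its replay, two forged frames, a third
    forgery during countermeasures, and a good frame once the link reopens."""
    sa, da = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    rx = TkipReceiver(mic_key=bytes(range(16)))
    log = []
    good = build_frame(rx.mic_key, sa, da, 1, b"tank_level=73.2")
    log.append(rx.receive(good, now=0.0))
    log.append(rx.receive(good, now=1.0))                          # replayed copy
    forged = Frame(sa, da, 2, b"valve=OPEN", bytes(MIC_LEN))       # guessed MIC, fresh TSC
    log.append(rx.receive(forged, now=2.0))
    log.append(rx.receive(forged._replace(tsc=3), now=3.0))        # second guess -> countermeasures
    log.append(rx.receive(forged._replace(tsc=4), now=4.0))
    after = build_frame(rx.mic_key, sa, da, 1, b"tank_level=73.0") # transmitter has the new key
    log.append(rx.receive(after, now=70.0))
    return log


if __name__ == "__main__":
    for step, outcome in enumerate(simulate(), 1):
        print(step, outcome)
```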
Slide 73: Bluetooth?

Slide 74: Bluetooth - Some Specifications
- Uses unlicensed 2.402 - 2.480 GHz frequency range
- Frequency hopping spread spectrum: 79 hops separated by 1 MHz
- Maximum frequency hopping rate: 1600 hops/sec
- Nominal range: 10 cm to 10 meters
- Nominal antenna power: 0 dBm
- One complete Bluetooth data packet can be transmitted within each 625 µsec hop slot.

Slide 75: Potential Bluetooth Markets

Slide 76: Bluetooth Market Forecast
Nov '03: 100M Bluetooth compliant devices worldwide
Slide 77: Bluetooth Protocol Stack
- Adopted Protocols
  - PPP (Point-To-Point Protocol)
  - TCP/UDP/IP
  - OBEX: Session Protocol for IrDA (Infrared Data Association)
  - Contents Format (e.g. vCard, vCalendar)
  - WAP: Wireless Application Protocol
Slide 78: Bluetooth Security
- Supports Unidirectional or Mutual Encryption based on a Secret Link Key Shared Between Two Devices
- Security Defined in 3 Modes
  - Mode 1: No Security
  - Mode 2: Service Level Security; Not Established Before Channel is Established at L2CAP
  - Mode 3: Link Level Security; Device Initiates Security Before LMP Link is Set Up
- Devices and Services can be Set for Different Levels of Security
- Two Trust Levels are Set for Devices
  - Trusted Device: Fixed Relationship and Unrestricted Access to All Services
  - Untrusted: No Permanent Relationship and Restricted Services
Slide 79: Bluetooth Security (repeats the device/service security levels and the two trust levels from Slide 78)
Slide 80: Bluetooth Security
- 3 Levels of Service Access
  - Require Authorization and Authentication
  - Require Authentication Only
  - Default Security for Legacy Applications

Slide 81: But is this Wireless Link Secure?
Newsflash, Jan 2001: Norwegian hackers crack a Bluetooth transmission

Slide 82: Analysis of a Bluetooth Transmission
High overhead?
Slide 83: 802.15.4/ZigBee?

Slide 84: IEEE 802.15.4 standard
- Includes layers up to and including Link Layer Control
  - LLC is standardized in 802.1
- Supports multiple network topologies including Star, Cluster Tree and Mesh
- Features of the MAC: association/dissociation, ACK, frame delivery, channel access mechanism, frame validation, guaranteed time slot management, beacon management, channel scan
- Low complexity: 26 primitives versus 131 primitives for 802.15.1 (Bluetooth)
Slide 85: PHY overview
- Speed
  - 20, 40 or 250 kbps
- Channels
  - 1 channel in the 868 MHz band
  - 10 channels in the 915 MHz band
  - 16 channels in the 2.4 GHz band
- Modulation
  - BPSK (868 MHz / 20 kbps)
  - BPSK (915 MHz / 40 kbps)
  - O-QPSK (2.4 GHz / 250 kbps)
- Coexistence with
  - 802.11b DSSS
  - 802.15.1 FHSS
  - 802.15.3 DSSS
Slide 86: MAC overview
- Security support
- Power consumption consideration
- Dynamic channel selection
- Network topology
  - Star topology
  - p2p topology
  - cluster-tree network topology
Slide 87: Device classification
- Full Function Device (FFD)
  - Any topology
  - Can talk to RFDs or other FFDs
  - Operates in three modes
    - PAN coordinator
    - Coordinator
    - Device
- Reduced Function Device (RFD)
  - Limited to star topology
  - Can only talk to an FFD (coordinator)
  - Cannot become a coordinator
  - Unnecessary to send large amounts of data
  - Extremely simple
  - Can be implemented using minimal resources and memory capacity
Slide 88: Transmission management
- Acknowledgement
  - No ACK
  - ACK
- Retransmission
- Duplicate detection
- Indirect transmission

Slide 89: Security
- Unsecured mode
- ACL mode
  - Access control
- Secured mode
  - Access control
  - Data encryption
  - Frame integrity
  - Sequential freshness
Slide 90: Scalable Security
- Assume the attacker can deploy own nodes (can create a ring at some distance from the controller) [Wisenet 2003]
- Enemy nodes mimic the mesh nodes: they ACK the health inquiry as if everything was OK, but they do not forward to the rest of the net
- The rest of the network is virtually cut off from inspection by the controller
- Need a secure key and a random seed that changes at each round
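The slide's remedy (a secure key plus a per-round random seed) worked through on the controller side. This is an added example, not from the slides or the Wisenet work: it assumes each node shares a 16-byte key with the controller (provisioned out of band), uses HMAC-SHA256 truncated to 8 bytes as the reply tag, and constructs the node ids, statuses and the two attacker behaviours (an impostor ACKing for a node it has no key for, and a captured reply replayed in a later round).

```python
"""Added example: mesh health inquiry with per-node keys and a per-round seed.

Assumptions: per-node 16-byte keys provisioned out of band, HMAC-SHA256/8 as the
tag, constructed node ids and statuses.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

TAG_LEN = 8
Response = Tuple[str, bytes, bytes]   # (node_id, status, tag)


def health_tag(key: bytes, node_id: str, round_no: int, seed: bytes, status: bytes) -> bytes:
    """Tag binding this node, this round and this seed to the reported status."""
    msg = b"health|" + node_id.encode() + b"|" + round_no.to_bytes(4, "big") + b"|" + seed + b"|" + status
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def node_response(node_id: str, key: bytes, round_no: int, seed: bytes,
                  status: bytes = b"OK") -> Response:
    """What an honest node sends back for one health inquiry."""
    return (node_id, status, health_tag(key, node_id, round_no, seed, status))


class Controller:
    def __init__(self, node_keys: Dict[str, bytes]):
        self.node_keys = dict(node_keys)
        self.round_no = 0
        self.seed = b""

    def start_round(self) -> Tuple[int, bytes]:
        """Broadcast a new inquiry: round number plus an unpredictable seed, so a reply
        captured in an earlier round is worthless now."""
        self.round_no += 1
        self.seed = os.urandom(8)
        return self.round_no, self.seed

    def check_round(self, responses: List[Response]) -> Dict[str, List[str]]:
        """Sort nodes into verified, unverified (bad or replayed tag) and silent."""
        verified, unverified = set(), set()
        for node_id, status, tag in responses:
            key = self.node_keys.get(node_id)
            if key is not None and hmac.compare_digest(
                    tag, health_tag(key, node_id, self.round_no, self.seed, status)):
                verified.add(node_id)
            else:
                unverified.add(node_id)      # unknown id, wrong key, or stale round/seed
        unverified -= verified
        silent = set(self.node_keys) - verified - unverified   # cut off behind the ring
        return {"verified": sorted(verified), "unverified": sorted(unverified),
                "silent": sorted(silent)}


def simulate() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Round 1: all five constructed nodes honest. Round 2: n1, n2 honest; n3's round-1
    reply replayed; an impostor ACKs for n4 without its key; n5 never heard from."""
    keys = {f"n{i}": bytes([i]) * 16 for i in range(1, 6)}
    ctl = Controller(keys)
    rnd, seed = ctl.start_round()
    round1 = [node_response(n, keys[n], rnd, seed) for n in keys]
    report1 = ctl.check_round(round1)
    captured_n3 = next(r for r in round1 if r[0] == "n3")
    rnd, seed = ctl.start_round()
    round2 = [node_response("n1", keys["n1"], rnd, seed),
              node_response("n2", keys["n2"], rnd, seed),
              captured_n3,                          # replay from round 1
              ("n4", b"OK", bytes(TAG_LEN))]        # impostor, no key for n4
    report2 = ctl.check_round(round2)
    return report1, report2


if __name__ == "__main__":
    for r in simulate():
        print(r)
```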
Slide 91: What About 1451.5? 1xRTT? SAT? CDPD? Others? No time this morning!
Slide 92: Outline (section divider; same outline as Slide 9, now at item 5: An Integrated Solution)
Slide 93: Integrated Industrial Networks?
There are SO many technical questions, such as:
If the sensor network is to integrate into an industrial setting, then you should be cognizant of the Industrial Networking arena.
Slide 94: Industrial Device Network Topology
- Typically, three layers of networking make up enterprise-wide networks. Ethernet acts as the company's intranet backbone, and it's linked to controllers or industrial PCs, which supply strategic data to the enterprise. An industrial network, or fieldbus, links sensors and smart devices. A gateway (not uncommon in a large system with lots of devices) links devices that have only RS-232 or RS-485 ports to the fieldbus system.
Slide 95: Industrial Device Networks
- General characteristics for industrial device networks have arisen.
- Obviously the complexity of the network increases as the functionality is increased.

Slide 96: Classification of Industrial Networks
- Three logical groupings of instrumentation networks used in an industrial setting.
- There are over 100 different proprietary networks in the field.
Slide 97: Inside Security Incident
- Employee attacks PLC in another plant area over the PLC highway.
- Password changed to an obscenity, blocking legitimate maintenance and forcing process shutdown.
Source: BCIT Industrial Security Incident Database (ISID)
Slide 98: Network Positioning
[Diagram: networks stacked by Data, Functionality, Complexity and Cost, highest at the top.]
- Top: Ethernet TCP/IP
- ControlNet, Foundation Fieldbus H2, Profibus-FMS, Data Highway, Modbus Plus
- Profibus-DP, Interbus-S, Remote I/O
- DeviceNet, Other CAN, SDS
- Fieldbus H1, Profibus-PA, Modbus, HART
- Bottom: ASi, Seriplex, Hardwiring, RS485, etc.
Slide 99: Too Focused on Internet Issues?
- Myth 1: Our SCADA/PLC/DCS is safe if we don't connect to the Internet.
- Myth 2: Our Internet firewall will protect our control systems.
- Myth 3: Our IT department understands process control issues and security.

Slide 100: Is Industrial Comm Security Too Focused on Internet Issues?
WarDialing Attack
Source (used by permission): Interface Technologies, Windsor, CT, 2002
Slide 101: Outline (section divider; same outline as Slide 9, now at item 6: The Big Review)
Slide 102: Bit Rate vs. Quality of Service
- How Many Bits are Needed?
The more bits you transmit, the more power you consume!

Slide 103: Coding vs. Quality of Service
- Is Coding Really Necessary?

Slide 104: Direct Sequence Spread Spectrum
Slide 105: Comparing Wireless

Tech.       | Range   | RF Power | Battery life | Numbers In Area
DSSS        | Medium  | Low      | Longest      | High
FHSS        | Long    | High     | Short        | Medium
UWB         | Medium  | Lowest   | Short        | High
Narrow band | Longest | Highest  | Short        | Lowest

Slide 106: Technology Beats Marketing in Performance!
Slide 107: Statistics on Types of Attacks
[Chart: % of Respondents]
Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, www.gocsi.com/losses.

Slide 108: Optimization of Security vs. Cost
- Risk reduction is balanced against the cost of security countermeasures to mitigate the risk.
Slide 109: Risk in Safety vs. Risk in Security
- Safety Definition: Risk is a measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.
- Security Definition: Risk is an expression of the likelihood that a defined threat will exploit a specific vulnerability of a particular attractive target or combination of targets to cause a given set of consequences.
Source: CSPP Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites
Slide 110: Firewall Architectures
- The external router blocks attempts to use the underlying IP layer to break security (e.g. IP spoofing, source routing, packet fragments, etc.) and forces all traffic to the proxy.
- The proxy firewall handles potential security holes in the higher layer protocols.
- The internal router blocks all traffic except to the proxy server.
[Diagram: External Router -> proxy firewall -> Internal Router]

Slide 111: There's lots of Wireless
- From cellphones to PDAs to WiFi to Satellite-based
Slide 112: Wireless LAN Standards

Slide 113: Existing/Developing IEEE 802.11 Standards
- 802.11: Frequency Hopping/DSSS
- 802.11a: 54 Mbps / HyperLAN (1999)
- 802.11b: 11 Mbps
- 802.11e: Quality of Service
- 802.11f: Point 2 Point Roaming (2003)
- 802.11g: 54 Mbps
- 802.11h: European Inspired Changes (Q2, 2004)
- 802.11i: New Encryption Protocols (Q2, 2004)
- 802.1x: Port Based Network Access
- 802.15: Personal Area Network (WPAN)
- 802.16: Wireless Metropolitan Area Network (WMAN)
Slide 114: On-Board Network Integration
[Diagram: Wireless Backbone for Inflight Entertainment: Noise Floor Lifter, two PicoCell BTS, 6 MCU GSM Server, SDU]
...and we haven't even touched on RFID!

Slide 115: There's lots of Wireless
- And it all needs to feel more Secure!

Slide 116: For a real review of networking security
- Take Eric Byres' ISA course IC32C

Slide 117: Will History Repeat?
Wireless security: not just 802.11
Slide 118: PATRIOT Act
- PATRIOT (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism)
- Legally classifies many hacking attacks as acts of terrorism
Slide 119: So, If Nothing Else, at least PLEASE do this for your WiFi System! WLAN Security Countermeasures
- Conduct site survey
  - Identify areas of signal strength and weakness
  - Do a walkaround with NetStumbler
- Document and shut down rogue access points
- Document and shut down unauthorized wireless NICs
- AND TURN ON SOME LEVEL OF THE PROVIDED PROTECTION!
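The walkaround checklist above turned into an audit over a survey export, as an added example that is not part of the slides: it flags rogue access points, unauthorized BSSIDs impersonating the plant SSID, authorized APs still running with no protection turned on, and weak-coverage spots. The CSV layout (bssid, ssid, channel, encryption, signal_dbm, location), the authorized inventory, the -75 dBm weak-signal threshold and the locally administered (02:...) MAC addresses are all constructed for this example.

```python
"""Added example: audit a site-survey export against the authorized AP inventory.

Assumptions: constructed CSV layout and inventory, constructed 02:... MAC
addresses, and an assumed -75 dBm weak-coverage threshold.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed authorized inventory: BSSID -> SSID it is allowed to broadcast.
AUTHORIZED: Dict[str, str] = {
    "02:00:00:00:00:01": "plant-scada",
    "02:00:00:00:00:02": "plant-scada",
    "02:00:00:00:00:03": "plant-office",
}

# Constructed survey export from a walkaround (NetStumbler-style fields, re-typed).
SURVEY_CSV = """bssid,ssid,channel,encryption,signal_dbm,location
02:00:00:00:00:01,plant-scada,1,WPA,-48,control room
02:00:00:00:00:02,plant-scada,6,NONE,-55,compressor house
02:00:00:00:00:03,plant-office,11,WEP,-82,tank farm
02:00:00:00:00:99,plant-scada,6,NONE,-61,parking lot fence
02:00:00:00:00:7a,linksys,6,NONE,-70,maintenance shop
"""

WEAK_SIGNAL_DBM = -75   # assumed threshold below which coverage is reported as weak

Finding = Tuple[str, str, str]   # (severity, bssid, message)


def parse_survey(text: str) -> List[Dict[str, str]]:
    """One dict per surveyed access point."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records: List[Dict[str, str]], authorized: Dict[str, str],
          weak_dbm: int = WEAK_SIGNAL_DBM) -> List[Finding]:
    """Apply the slide's checklist to every surveyed AP."""
    findings: List[Finding] = []
    plant_ssids = set(authorized.values())
    for r in records:
        bssid, ssid, where = r["bssid"].lower(), r["ssid"], r["location"]
        signal = int(r["signal_dbm"])
        open_ap = r["encryption"].strip().upper() == "NONE"
        if bssid not in authorized:
            # Rogue AP: not in inventory. Impersonating a plant SSID is the worse case,
            # since clients may associate with it instead of the real one.
            if ssid in plant_ssids:
                findings.append(("high", bssid, f"rogue AP impersonating plant SSID '{ssid}' at {where}"))
            else:
                findings.append(("high", bssid, f"unauthorized AP '{ssid}' at {where}: document and shut down"))
            continue
        if ssid != authorized[bssid]:
            findings.append(("high", bssid, f"authorized AP broadcasting unexpected SSID '{ssid}'"))
        if open_ap:
            findings.append(("medium", bssid, f"authorized AP at {where} has no protection enabled: turn it on"))
        if signal < weak_dbm:
            findings.append(("low", bssid, f"weak coverage ({signal} dBm) at {where}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Finding counts per severity, always reporting all three levels."""
    counts = Counter(sev for sev, _, _ in findings)
    return {sev: counts.get(sev, 0) for sev in ("high", "medium", "low")}


if __name__ == "__main__":
    results = audit(parse_survey(SURVEY_CSV), AUTHORIZED)
    for sev, bssid, msg in results:
        print(f"[{sev:6}] {bssid}  {msg}")
    print(summarize(results))
```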
Slide 120: Oh... And don't forget that as you layer in all of these wacky encryption schemes and CDMA and DSSS and... and... it takes some joules to actually implement this. So if your wireless network has prime power (a.k.a. AC) you're ok. But if you're going off a battery then it's a tradeoff of security versus power consumption. You choose that one!
Slide 121: ...and in the end...
BumbleBee with RF transceiver
...or...
HoneyBee with RFID
Two potential forms of wireless sensor networks. And they should both be secure!
Slide 122: Outline (section divider; same outline as Slide 9, with one item added)
7. Glossary and References
Slide 123: Glossary
10BASE-T: IEEE 802.3 standard for a twisted-pair Ethernet network. 10 Mbps transmission rate over baseband using unshielded, twisted-pair cable.
802.11: The IEEE 802.11 standard defines both frequency hopping and direct sequence spread spectrum solutions for use in the 2.4-2.5 GHz ISM (Industrial, Scientific, Medical) band.
802.11a: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).
802.11b: The portion of the 802.11 specification that defines the 11 Mbps data rate.
A
Access Point: Provides a bridge between Ethernet wired LANs and the wireless network. Access points are the connectivity point between Ethernet wired networks and devices (laptops, hand-held computers, point-of-sale terminals) equipped with a wireless LAN adapter card.
Analog phone: Comes from the word "analogous," which means similar to. In telephone transmission, the signal being transmitted from the phone (voice, video or image) is analogous to the original signal.
Antenna, Directional: Transmits and receives radio waves off the front of the antenna. The power behind and to the sides of the antenna is reduced. The coverage area is oval with the antenna at one of the narrow ends. Typical directional antenna beam width angles are from 90° (somewhat directional) to as little as 20° (very directional). A directional antenna directs power to concentrate the coverage pattern in a particular direction. The antenna direction is specified by the angle of the coverage pattern, called the beam width.
Antenna, Omni-directional: Transmits and receives radio waves in all directions. The coverage area is circular with the antenna at the center. Omni-directional antennas are also referred to as whip or low-profile antennas.
Association: The process of determining the viability of the wireless connection and establishing a wireless network's root and designated access points. A mobile unit associates with its wireless network as soon as it is powered on or moves into range.
ATM: Asynchronous Transfer Mode. A type of high-speed wide area network.
Slide 124: Glossary
B
Backbone: A network that interconnects other networks, employing high-speed transmission paths and often spanning a large geographic area.
Bandwidth: The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines the rate at which information can be transmitted through the circuit.
Bandwidth Management: Functionality that allocates and manages RF traffic by preventing unwanted frames from being processed by the access point.
BC/MC: Broadcast frames / Multicast frames.
Beacon: A uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the Net_ID (ESSID), the AP address, the broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indicator Map) and the TIM (Traffic Indicator Message).
BFA Antenna Connector: Miniature coaxial antenna connector manufactured by MuRata Manufacturing Corporation.
Bluetooth: See Wireless Personal Area Networks.
Bridge: A device that connects two LANs of the same or dissimilar types. It operates at the Data Link Layer, as opposed to routers. The bridge provides fast connection of two collocated LAN segments that appear as one logical network through the bridge.
Buffer: A segment of computer memory used to hold data while it is being processed.
C
- CAM (Continuously Aware Mode): Mode in which the adapter is instructed to continually check for network activity.
- Card and Socket Services: Packages that work with the host computer operating system, enabling the wireless LAN adapter to interface with host computer configuration and power management functions.
- Cellular Phone: Low-powered, duplex radio/telephone that operates between 800 and 900 MHz, using multiple transceiver sites linked to a central computer for coordination. The sites, or "cells," cover a range of one to six or more miles in each direction.
- Centrex: Business telephone service offered by a local telephone company from a local telephone company office. Centrex is basically a single-line phone system leased to businesses as a substitute for buying or leasing their own on-premises phone system or PBX.
- CDMA and TDMA: The Code Division Multiple Access and Time Division Multiple Access standards for wireless communications on wide area networks (WANs) in North America.
- Circuit switching: The process of setting up and keeping a circuit open between two or more users so that the users have exclusive and full use of the circuit until the connection is released.
- Client: A computer that accesses the resources of a server.
- Client/Server: A network system design in which a processor or computer designated as a server (such as a file server or database server) provides services to other client processors or computers.
- CODEC: Coder-Decoder. Audio compression/decompression algorithm designed to offer excellent audio performance. Converts voice signals from their analog form to digital signals acceptable to modern digital PBXs and digital transmission systems. It then converts those digital signals back to analog so that you may hear and understand what the other person is saying.
- Computer Telephony Integration: Technology that integrates computer intelligence with making, receiving, and managing telephone calls. Computer telephony integrates messaging, real-time connectivity, transaction processing and information access.
D
- Data Terminal: Computer transmit and receive equipment, including a wide variety of dumb terminals, or terminals without embedded intelligence in the form of programmed logic. Most data terminals provide a user interface to a more capable host computer, such as a mainframe or midrange computer.
- Decryption: The decoding and unscrambling of received encrypted data. The same device, host computer or front-end processor usually performs both encryption and decryption.
- Desktop Conferencing: A telecommunications facility or service on a PC that permits callers from several diverse locations to be connected together for a conference call.
- Digital Phone System: Proprietary phone system provided by a vendor, such as AT&T, Mitel, Northern Telecom, and so on. The signal being transmitted in a digital phone system is the same as the signal being transmitted in an analog phone system. The system can consist of a proprietary PBX system that converts voice signals from their analog form to digital signals, and then converts those digital signals back to analog. Alternatively, the analog-to-digital conversion can occur in a digital phone.
- Direct Inward Dialing (DID): The ability for a caller outside a company to call an internal extension without having to pass through an operator or attendant. In large PBX systems, the dialed digits are passed from the PSTN to the PBX, which then completes the call.
- Direct-Sequence (DS) Spread Spectrum: Direct sequence transmits data by generating a redundant bit pattern for each bit of information sent. Commonly referred to as a "chip" or "chipping code," this bit pattern carries 10 chips for each bit of information. Compared with frequency hopping, direct sequence has higher throughput, wider range and is upgradable in the 2.4 GHz band.
- Diversity Reception: The use of two antennas attached to a single access point to improve radio reception. The second antenna is used only for receiving radio signals, while the primary is used for both transmitting and receiving.
- Driver: A program routine that links a peripheral device, such as a mobile unit's radio card, to the computer system.
- Element-level Management: Level of technologies aimed at small or medium-sized businesses.
- Encryption: Entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted over a network.
- Ethernet: A local area network used for connecting computers, printers, workstations, terminals, servers, and so on, within the same building or campus. Ethernet operates over twisted-pair wire and over coaxial cable at speeds up to 100 Mbps, with 1 Gbps speeds coming soon.
- Filtering: Prevents user-defined frames from being processed by the access point.
- Fragmentation Threshold: The maximum size for directed data packets transmitted over the radio. Larger frames fragment into several packets of this size or smaller before transmission over the radio. The receiving station reassembles the transmitted fragments.
- Frame Mode: A communications protocol supported by the OEM Modules. The frame protocol implements asynchronous serial Point-to-Point (PPP) frames similar to those used by serial Internet protocols.
- Frequency Hopping (FH) Spread Spectrum: Hedy Lamarr, the actress, is credited in name only for inventing frequency hopping during World War II. As its label suggests, frequency hopping transmits using a narrowband carrier that changes frequency in a given pattern. There are 79 channels in the 2.4 GHz ISM band, each channel occupying 1 MHz of bandwidth. A minimum hop rate of 2.5 hops per channel per second is required in the United States. Frequency hopping technology is recognized as superior to direct sequence in terms of echo resistance, interference immunity, cost and ease of installation. To date, there has also been a greater selection of WLAN products from which to choose.
- FTP (File Transfer Protocol): A common Internet protocol used for transferring files from a server to the Internet user. It uses TCP/IP commands.
- Gain, dBd: Antenna gain, expressed in decibels referenced to a half-wave dipole.
- Gain, dBi: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator.
- Gain, dBic: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator that is circularly polarized.
- Gatekeeper: Software that performs two important functions to maintain the robustness of the network: address translation and bandwidth management. Gatekeepers map LAN aliases to IP addresses and provide address lookups when needed.
- Gateway: Optional element in an H.323 conference. Gateways bridge H.323 conferences to other networks, communications protocols, and multimedia formats. Gateways are not required if connections to other networks or non-H.323-compliant terminals are not needed.
- GHz: The international unit for measuring frequency is the Hertz (Hz), which is equivalent to the older unit of cycles per second. One Gigahertz (GHz) is one billion Hertz. Microwave ovens typically operate at 2.45 GHz.
- GSM: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).
- H.323: An umbrella standard from the International Telecommunications Union (ITU) that addresses call control, multimedia management, and bandwidth management for point-to-point and multi-point conferences, as well as interfaces between LANs and other networks. The most popular standard currently in use.
- Handheld PC (HPC): The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Windows CE operating system.
- Interactive Voice Response: System used to access a database application using a telephone. The voice processing acts as a front-end to appropriate databases that reside on general-purpose computers. For instance, DTMF (touch tone) input of a Personal Identification Number can be required for access, or more unusual and expensive techniques such as voice recognition and voice print matching.
- Internet: World's largest network, often referred to as the Information Superhighway. The Internet is a virtual network based on packet switching technology. The participants on the Internet and its topology change on a daily basis.
- Internet Commerce: Electronic business transactions that occur over the Internet. Examples of Internet commerce applications include electronic banking, airline reservation systems, and Internet malls.
- Internet Phone: Device used to transmit voice over the Internet, bypassing the traditional PSTN and saving money in the process. An Internet phone can be a small phone (such as the NetVision Phone) or a multimedia PC with a microphone, speaker, and modem.
- Interoperability: The ability of equipment or software to operate properly in a mixed environment of hardware and software from different vendors. Enabled by the IEEE 802.11 open standard.
- IP (Internet Protocol): The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet. Provides the basis of the Internet's connectionless, best-effort packet delivery service. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two fundamental protocols.
- International Roaming: Ability to use one adapter worldwide.
- Intranet: A private network that uses Internet software and Internet standards. In essence, an intranet is a private Internet reserved for use by people who have been given the authority and passwords necessary to use that network.
- ISDN: Integrated Services Digital Network. Emerging network technology offered by local phone companies that is designed for digital communications, computer telephony, and voice processing systems.
- ISM Band: The ISM bands (industrial, 902-928 MHz; scientific, 2.4-2.4835 GHz; and medical, 5.725-5.850 GHz) are the radio frequency bands allocated by the FCC for unlicensed continuous operation at up to 1 W. The most recent band approved by the FCC for WLANs was the medical band in January 1997.
- ITU: International Telecommunications Union. Standards body that defined H.323 and other international standards.
- Jitter: Noise on a communications line caused by phase hits, leading to potential phase distortions and bit errors.
- Kerberos: A widely deployed security protocol that was developed at the Massachusetts Institute of Technology (MIT) to authenticate users and clients in a wired network environment and to securely distribute encryption keys.
- Key Telephone System: A system in which the telephone has multiple buttons permitting the user to directly select central office phone lines and intercom lines. Key phone systems are most often found in relatively small business environments, typically around 50 telephones.
- Layer: A protocol that interacts with other protocols as part of an overall transmission system.
- LPD (Line Printer Daemon): A TCP-based protocol typically used between a Unix server and a printer driver. Data is received from the network connection and sent out over the serial port.
- MAC (Media Access Control): Part of the Data Link Layer, as defined by the IEEE, this sublayer contains protocols for gaining orderly access to cable or wireless media.
- MD5 Encryption: An authentication method used when the MU is in a foreign subnet.
- MIB (Management Information Base): An SNMP structure that describes the specific device being monitored by the remote-monitoring program.
- Microcell: A bounded physical space in which a number of wireless devices can communicate. Because it is possible to have overlapping cells as well as isolated cells, the boundaries of the cell are established by some rule or convention.
- Modem: Equipment that converts digital signals to analog signals and vice versa. Modems are used to send digital data signals over the analog PSTN.
- MMCX Antenna Connector: Miniature coaxial antenna connector in use by several major wireless vendors.
- Mobile IP: The ability of the mobile unit to communicate with another host using only its home IP address, after changing its point of attachment to the Internet and intranet.
- Mobile Unit (MU): May be a Symbol Spectrum24 terminal, PC Card or PCI adapter, bar-code scanner, third-party device, or other device.
- Mobile Unit Mode: In this mode, the WLAN adapter connects to an access point (AP) or another WLAN installed system, allowing the device to roam freely between AP cells in the network. Mobile units appear as network nodes to other devices.
- Modulation: Any of several techniques for combining user information with a transmitter's carrier signal.
- Multipath: The signal variation caused when radio signals take multiple paths from transmitter to receiver.
- Multipath Fading: A type of fading caused by signals taking different paths from the transmitter to the receiver and, consequently, interfering with each other.
- Node: A network junction such as a switch or a routing center.
- Packet Switching: Refers to sending data in packets through a network to some remote location. In a packet-switched network, no circuit is left open on a dedicated basis. Packet switching is a data switching technique only.
- PBX Phone System: Private Branch eXchange. Small version of the phone company's larger central switching office. An alternative to a PBX is to subscribe to a local telephone company's Centrex service.
- PCMCIA (Personal Computer Memory Card International Association) PC Card: A credit-card-size device used in laptop computers and available as a removable network adapter.
- PCS (Personal Communications Service): A new, lower-powered, higher-frequency competitive technology to cellular. Whereas cellular typically operates in the 800-900 MHz range, PCS operates in the 1.5 to 1.8 GHz range. The idea with PCS is that the phones are cheaper, have less range, and are digital. The cells are smaller and closer together, and airtime is cheaper.
- Peer-to-peer Network: A network design in which each computer shares and uses devices on an equal basis.
- Ping: A troubleshooting TCP/IP application that sends out a test message to a network device to measure the response time.
- PLD (Data Link Protocol): A raw packet protocol based on the Ethernet frame format. All frames are sent to the wireless network verbatim; it should be used with care, as improperly formatted data can go through with undesirable consequences.
- Plug and Play: A feature that allows a computer to recognize the PCI adapter and configure the hardware interrupt, memory, and device recognition addresses; it requires less user interaction and minimizes hardware conflicts.
- Pocket PC: The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Pocket PC operating system.
- Point-of-Sale Device: A special type of equipment that is used to collect and store retail sales data. This device may be connected to a bar code reader, and it may query a central computer for the current price of an item.
- POTS (Plain Old Telephone Service): The basic service supplying standard single-line telephones, telephone lines, and access to the public switched telephone network.
- Power Management: Algorithms that allow the adapter to sleep between checks for network activity, thus conserving power.
- PSP (Power Save Polling): PSP stations power off their radios for long periods. When a mobile unit in PSP mode associates with an access point, it notifies the AP of its activity status. The AP responds by buffering packets received for the MU.
- PSTN (Public Switched Telephone Network): Refers to the worldwide voice telephone network accessible to all those with telephones and access privileges. In the U.S., the PSTN is provided by AT&T.
- QoS (Quality of Service): Measure of the telephone service quality provided to a subscriber. QoS refers to questions such as: Is the call easy to hear? Is it clear? Is it loud enough?
- RBOC (Regional Bell Operating Company): One of the seven Bell operating companies set up after the divestiture of AT&T, each of which owns two or more Bell Operating Companies (BOCs).
- Roaming: Movement of a wireless node between two microcells. Roaming usually occurs in infrastructure networks built around multiple access points.
- Repeater: A device used to extend cabling distances by regenerating signals.
- Router: The main device in any modern network that routes data blocks from source to destination using routing tables and determining the best path dynamically. It functions as an addressable entity on the LAN and is the basic building block of the Internet.
- SNMP (Simple Network Management Protocol): The network management protocol of choice for TCP/IP-based intranets. Defines the method for obtaining information about network operating characteristics and for changing parameters for routers and gateways.
- Scanning: A periodic process in which the mobile unit sends out probe messages on all frequencies defined by the country code. The statistics enable a mobile unit to re-associate by synchronizing its frequency to the AP. The MU continues communicating with that access point until it needs to switch cells or roam.
- Site Survey: Physical environment survey to determine the placement of access points and antennas, as well as the number of devices necessary to provide optimal coverage, in a new or expanding installation.
- Spread Spectrum: A transmission technique developed by the U.S. military in World War II to provide secure voice communications, spread spectrum is the most commonly used WLAN technology today. It provides security by "spreading" the signal over a range of frequencies. The signal is manipulated in the transmitter so that the bandwidth becomes wider than the actual information bandwidth. De-spreading the signal is impossible for those not aware of the spreading parameters; to them, the signal sounds like background noise. Interference from narrowband signals is also reduced to background noise when it is de-spread by the receiver. Two types of spread spectrum exist: direct sequence and frequency hopping.
- Stream Mode: A communications protocol supported only by the Telnet and TCP protocols. Stream mode transfers serial characters as they are received by encapsulating them in a packet and sending them to the host.
- T1: A type of dedicated digital leased line available from a public telephone provider with a capacity of 1.544 Mbps. A T1