Wireless Sensor Systems: Security Implications for the Industrial Environment

1
Wireless Sensor Systems Security Implications
for the Industrial Environment
Dr. Peter L. Fuhr Chief Scientist RAE Systems,
Sunnyvale, CA pfuhr_at_raesystems.com
2
Dr. Peter Fuhr, Presenter 480
publicationspresentations in wireless
sensor networking arena. Old-timer in this
areaetc etc.

• RAE Systems Inc.
• Pervasive Sensing Company based in Silicon Valley
  founded in 1991
• Capabilities
• Radiation detection
• Gamma and neutron
• Chemical/vapor detection
• Toxic gas, VOC, combustible gas, oxygen, CWA,
  temperature, humidity, C02
• Redeployable sensor networks
• Mobile and fixed wireless monitors
• Cargo Container Sensor Systems

3
Contributors
A number of individuals have provided content
for these slides. They include Wayne Manges,
Oak Ridge National Laboratory Robert Poor,
Ember Pat Gonia, Honeywell Hesh Kagan,
Foxboro/Invensys Kang Lee, NIST Tom Kevan,
Advanstar Ramesh Shankar, Electric Power
Research Institute Larry Hill, Larry Hill
Consulting Rob Conant, Dust Rick Kriss,
Xsilogy Gideon Varga, Dept of Energy Jack
Eisenhauser, Energetics Michael Brambley,
Pacific Northwest National Labs David Wagner,
UC-Berkeley Undoubtedly, there are other
contributors too (apologies if your name is not
listed).
4
Wireless Sensor Networking

• its not cellular telephony
• its not just WiFi...(and it just
  may be the next big thing)

Each dot represents one cell phone tower.
Wireless devices circa 1930
5
Sensor Market 11B in 2001Installation (wiring)
costs gt100B

• Fragmented market
• ? platform opportunity
• Installation cost limits penetration
• ? reducing installation cost increases market
  size

Highly Fragmented Sensor Market
Freedonia Group report on Sensors, April 2002
Slide courtesy of Rob Conant, Dust
6
Industrial Market SizingSensor Networking
Products

• North American Market for Wireless products used
  in Applications where transmission distances are
  1 mile or less
• 2002 Total 107 million
• 2006 Forecast 713 million
• 2010 Estimates 2.1 billion
• Largest Application areas
• 2002 Tank Level Monitoring, Asset Tracking,
  Preventative Maintenance
• 2006 Tank Level Monitoring, Preventative
  Maintenance, Environmental Monitoring
• Conclusions
• Rapid Growth in Industrial markets
• Tank Level Monitoring will remain a significant
  opportunity
• Key User Needs
• Lower Costs over Wired (or Manual) Solutions
• Education of Potential Customers on the
  Technology
• Demonstration of Operational Reliability
  Application Domain Knowledge

Slide courtesy of Rick Kriss, Xsilogy
7
The True cost per monitored node to the End
User
Higher
Higher
SPARSE1xRTT, FLEXSAT, etc
DENSEBluetooth, 802.15.4, WiFi etc
3-YrTOC
InstallationCosts
Design For Here
Lower
Lower
Miles
Radio RF Range (dB)
Meters


Slide courtesy of Rick Kriss, Xsilogy
8
What to do with the data?

• Great! But how do you get the output signal from
  the sensor to the location where the information
  will be interpreted (used)?

Traditionally the output of the sensor was
hardwired to some form of interpretive device
(e.g., PLC) perhaps relying on a 4-20mA signal
9
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review
10
Oh, who needs security in a wireless channel
anyway!
(pretty ridiculous statement isnt it!
11
Lets ask some experts WINA meeting,
Coral Gables, Sept. 2003
www.wireless4industrial.org
12
Whats a WINA?
In the spring of 2003, the Wireless Industrial
Networking Alliance (WINA) was formed to promote
the adoption of wireless networking technologies
and practices that will help increase industrial
productivity and efficiency. WINA will be
holding a 1.5 day meeting at ISA-HQ in RTP, NC on
Feb 11/12 right after the ISA Wireless Security
Expo and conference. Check out
www.wireless4industrial.org for WINA meeting
details AND www.isa.org/wireless for the ISA
Wireless Security conf details!
13
Back to the QuestionWho needs security in a
wireless channel anyway!
14
Strategy Workshop Participants

• Suppliers (13)
• System integrators (6)
• Industrial end users (10)
• Chemicals
• Petroleum
• Automotive
• Industry analysts/venture capitalists (3)
• Others (associations, government, media,
  researchers)

• Energy/Utilities
• Forest Products
• Electronics

15
End-User View of Industrial Wireless

• Likes
• Mobility
• Compactness
• Flexibility
• Low cost
• Capability to monitor rotating equipment
• Short range (security)
• Ease of installation
• High reliability
• Impetus to enhance electronics support

• Dislikes
• Change to status quo
• Complexity
• High cost for coverage in large plants
• Security issues
• Portability issues (power)
• Unproven reliability
• Too risky for process control
• Lack of experience in troubleshooting (staff)
• Restricted infrastructure flexibility once
  implemented
• Lack of analysis tools

16
Technology Group Key Issues

• Security
• Jamming, hacking, and eavesdropping
• Power
• Value (clear to customer)
• Interoperability
• Co-existence with other facility networks,
  sensors, collectors, technology
• True engineered solution (sensors, collectors,
  etc.)
• Assured performance reliability/MTBA
• Software infrastructure, data, systems
  management
• Robustness (at least as good as wired)
• RF characterization (radios, receivers,
  environments)

mean time between attention
17
Technology Group Criticality Varies by
Application (5 most critical)
Attributes Monitor Control Alarm Shutdown BizWLAN
Latency 2-3 3-5 5 5 1
Device Reliability 2-3 3-5 5 5 1
Raw Thru-put (node / aggr.) 2 / 5 2.5 /2.5 1 / 4 1 / 1 1/5
Scalability (Max. nodes) 5 4 4 1 2-3
Data Reliability 1 5 5 5 2
Security 1-5 5 5 5 5
Low Cost 5 2 1-3 1 2-3
Gateway Technology 5 1 3-4 1 1
Engineered Solution 1 5 4 5 3

Applications
18
Industrial CyberSecurity

• The Case of Vitek Boden

19

• On October 31, 2001 Vitek Boden was convicted of
• 26 counts of willfully using a restricted
  computer to cause damage
• 1 count of causing serious environment harm
• The facts of the case
• Vitek worked for the contractor involved in the
  installation of Maroochy Shire sewage treatment
  plant.
• Vitek left the contractor in December 1999 and
  approached the shire for employment. He was
  refused.
• Between Jan 2000 and Apr 2000 the sewage system
  experienced 47 unexplainable faults, causing
  millions of liters of sewage to be spilled.

20
How did he do it?

• On April 23, 2000 Vitek was arrested with stolen
  radio equipment, controller programming software
  on a laptop and a fully operational controller.
• Vitek is now in jail

21
A Favorite 2.4 GHz Antenna
22
WarDriving 802.11 HotSpots in Silicon Valley
23
WarDriving 802.11 HotSpots in San Francisco
24
The QuestionWho needs security in a wireless
channel anyway!
The AnswerWe do. SoHow do you provide the
appropriate level of security within the
acceptable price and inconvenience margin -gt
Risk Management!
25
Inside vs. Outside?

• Where do attacks come from?

of Respondents
Source 2002 CSI/FBI Computer Crime and
Security Survey Computer Security Institute -
www.gocsi.com/losses.
26
An Outside Example. When?
April 2001
27
Hacker War I

• In the Spring of 2001, the US got its first a
  taste of a new form of warfare.
• Launched from overseas and targeted at US
  critical infrastructure.

28
Honker Union

• Chinese Hacker Group working to advance and in
  some cases impose its political agenda
• During the spring of 2001, Honker Union worked
  with other groups such as the Chinese Red Guest
  Network Security Technology Alliance

• Hackers were encouraged to "...make use of their
  skills for China..." Wired.com

Attack Methods

• Denial of Service Attacks
• Website Defacement
• E-mailing viruses to US Government Employees
• KillUSA package

29
Cyberwar

• Cyber attacks and web defacements increased
  dramatically after the start of the war against
  Iraq.
• More than 1,000 sites were hacked in the first 48
  hours of the conflict, with many of the attacks
  containing anti-war slogans.
• Security consultants state that the war against
  Iraq made March the worst month for digital
  attacks since records began in 1995.

30
Hacker School

• North Korea's Mirim College, is a military
  academy specializing in electronic warfare
• 100 potential cybersoldiers graduate every year

31
The QuestionWho needs security in a wireless
channel anyway?
The AnswerEveryone.
32
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review
33
Layered Communications
A few details
34
Wired Data Security - Encryption
The traditional method involved encrypting the
data prior to transmission over a potentially
insecure channel. The level of protection rests
on the encryption algorithm. (There are a few
other factorssuch as the physical media.)
Slide courtesy of Wayne Manges, ORNL
35
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless 4. Security within
various Wireless Delivery Schemes(cellular,
WiFi, 802.15.4, Bluetooth, others)5. An
Integrated Solution6. The Big Review
36
Wireless Buildings
From many perspectives, THIS is what a wireless
sensor network can provide.
Key to success reduced installation costs
Slide courtesy of Pat Gonia, Honeywell
37
Modulation
E(t) A(t) coswt f(t)
Amplitude Modulation (AM) info is in A(t)
Frequency Modulation (FM) info is in w Phase
Modulation (PM) info is in f(t)
Different vendors use different schemes - and
they are not interoperable.
38
The FCC Frequency Assignment
Different vendors may use different frequencies
within the various ISM bands (green in the
diagram).
The ISM bands most commonly used are at 433, 915
and 2400 MHz.
39
Multiple Sensors Sharing the Medium
Multiplexing. FDMA, TDMA and CDMA
40
Binary Signaling Formats

• Used to Improve Digital Signal Reception and
  Decision
• NRZ Non-Return to Zero
• RZ Return to Zero
• Unipolar Only one side of 0V
• Bipolar Both sides of 0V
• Manchester Bi-Phase (0 in left 1/2 time slot,
  1 in right)

41
Narrowband or Spread Spectrum?

• Narrowband uses a fixed carrier frequency, F0.

The receiver then locks onto the carrier
frequency, F0.
Easy to implement (inexpensive). Prone to jamming
or interference (two transmitters at the same
carrier frequency, F0. Least secure modulation
scheme.
42
Narrowband or Spread Spectrum (cont.) ?

• Frequency Hopping Spread Spectrum. Uses a carrier
  frequency that varies with time, F0(t).

Invented and patented by actress Heddy Lamarr and
her pianist George Antheil.
The receiver must track the time-varying carrier
frequency, F0(t).
Relatively easy to implement (inexpensive). Prone
to jamming or interference (two transmitters at
the same carrier frequency, F0) during any single
transmit interval. Hopping rates may be 1600
hops/second (ala Bluetooth). Very secure
modulation scheme (used in military for decades).
43
Narrowband or Spread Spectrum (cont.) ?

• Direct Sequence Spread Spectrum uses a fixed
  carrier frequency, F0 but interleaves the data
  with a precise mathematical 0/1 data sequence.
  (This increases the length of the transmitted
  information vector making it longer). The
  information is replicated many times throughout
  the bandwidth, so if one lobe of the
  information is jammed, the remainder gets
  through. Highly robust technique.

The receiver then locks onto the carrier
frequency, F0 receives the signal and then must
undo the interleaving.
More difficult to implement (more
expensive). Most complicated scheme (of these
presented). Most secure modulation scheme.
44
DIRECT-SEQUENCE SPREAD-SPECTRUM SIGNALS
PN Clock
Local PN Clock
Local Carrier
PN Sequence Generator
PN Sequence Generator
Carrier

• 1

• 1

Wide BP Filter
Data
Narrow BP Filter
Phase Demod
Data
Data Clock

• 1

Power Spectral Density
Power Spectral Density
Power Spectral Density
Spread RFI
RFI
fc
fc
fc
Frequency
Frequency
Frequency
Original narrowband, high power density spectrum
is restored if local PN sequence is same as and
lined up with received PN sequence
Spectrum has wider bandwidth and lower power
density after spreading with PN sequence
(PN Rate gtgt Data Rate)
Narrow spectrum at output of modulator before
spreading
45
Narrowband or Spread Spectrum (cont.) ?

• Which is best?

Each has its pluses and minusesand each scheme
has its share of die-hard advocates and/or
naysayers!
Different vendors use these (and other) schemes
at different frequencies within the various ISM
bands.
From a security standpoint, DSSS is best.
46
Reality
DSSS
FHSS
47
No Matter WhatIts Just an Electromagnetic Field
E(t) A(t) coswt f(t)

• A(t) amplitude of the wave
• w radian frequency of the wave
• f(t) phase of the wave

48
The RF Footprint

• Personal Area Network typical radiated power 0
  dBm, size 10m

• Local Area Network typical radiated power 20
  dBm, size 100m

• Wide Area Network typical radiated power gt30
  dBm, size gt2000m

49
Network Topologies?
There are SO many technical questions such as
Ad Hoc Network
50
The Real World Presents the Wireless Channel
with Multipath and Attenuationand
51
Multipath
Real World
The Effect
The Cause
52
Atmospheric Attenuation at 2.4 GHz
Real World
Rayleigh Fading _at_ 2.4GHz
53
Signal Attenuation at 2.4 GHz
Real World
54
And Signal-to-Noise Ratios really do matter!
Real World
Anecdotal Evidence As Frankfurt has increased
the deployment of 2.4 GHz wireless surveillance
cameras, the background Noise level has increased
by 12 dB. (This plays havoc with the BER or for
fixed BER, the overall data rate,)
55
Real World
Which Frequency is Best?
ALERT! ALERT!!
Notice that the operation at 2.45 GHz is WORSE
than at 900MHz (which is worse than 433 MHz).
56
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review
57
Wireless Data Security Encryption, Spreading,
Interleaving
Wireless networks use a variety of techniques to
enhance security, such as spreading and
interleaving. These techniques can make the
signal virtually undetectable without prior
knowledge about the network. This can improve
the security of the network by orders of
magnitude.
Slide courtesy of Wayne Manges, ORNL
58
The Wireless Market
TEXT
GRAPHICS
INTERNET
HI-FI AUDIO
STREAMING VIDEO
DIGITAL VIDEO
MULTI-CHANNEL VIDEO
LAN
802.11b
802.11a/HL2 802.11g
SHORT lt RANGE gt LONG
Bluetooth 2
ZigBee
PAN
Bluetooth1
LOW lt DATA RATE gt HIGH
59
Bluetooth vs. the Rest (contd)
ZigBee (proposed) 2.4 GHz,DSSS 15 chips/bit 40
kbits/s 0dBm 100m 100s devices, CSMA/CA Not
yet No
802.11 2.4 GHz, DSSS 11 chips/bit 11Mbps 20
dBm 50m 128 devices CSMA/CA Optional WEP Optional
HomeRF 2.4GHz, FHSS 50 hops/s 1 Mbps 20
dBm 50m 128 devices CSMA/CA Optional Optional
Bluetooth 2.4 GHz, FHSS 1000hops/s 1Mbps 0,
20dBm 1-10m, 50m 8 devices, Piconet Encryption Y
es
Parameter Technology Data Rate Power Range Topol
ogy Security Voice Channel
Bluetooth aka IEEE 802.15.1 ZigBee aka IEEE
802.15.4
60
Side by Side
61
802.11?
62
The Worldwide View of the 802.11 Spectral Space
63
Radiated Field from a single AP (Kansas City)
64
20dB Attenuation Profile for Univ of Kansas Eng
Bldg., Mesh and AP deployments
65
WEP
(encrypted traffic)

• The industrys solution WEP (Wired Equivalent
  Privacy)
• Share a single cryptographic key among all
  devices
• Encrypt all packets sent over the air, using the
  shared key
• Use a checksum to prevent injection of spoofed
  packets

66
Early History of WEP
67
Subsequent Events
Jan 2001
Borisov, Goldberg, Wagner
68
WEP Attack Tools

• Downloadable procedures from the Internet
• To crack the Key
• AirSnort
• http//airsnort.sourceforge.net
• WEPCrack
• http//sourceforge.net/projects/wepcrack/
• To brute force enter into WLAN,
• THC-RUT
• http//www.thehackerschoice.com/releases.php

69
Wi-Fi Protected Access (WPA)

• Flaws in WEP known since January 2001 - flaws
  include weak encryption, (keys no longer than 40
  bits), static encryption keys, lack of key
  distribution method.
• IEEE developing 802.11i standard for enhanced
  wireless security - Addresses weak data
  encryption and user authentication within
  existing 802.11 standard.
• 802.11i standard will not be ratified until late
  2003, possibly early 2004 - outstanding issues.
• WPA standard joint effort between Wi-Fi Alliance
  and IEEE - WPA a subset of IEEE 802.11i standard
  (Draft 3.0).
• WPA provides stronger data encryption (weak in
  WEP) and user authentication (largely missing in
  WEP).

70
WPA Data Encryption

• WPA uses Temporal Key Integrity Protocol (TKIP) -
  stronger data encryption, addresses known
  vulnerabilities in WEP.
• TKIP chosen as primary encryption cipher suite -
  Easily deployed and supported in legacy 802.11b
  hardware compared to other available cipher
  suites.
• TKIP based on RC4 stream cipher algorithm,
  surrounds WEP cipher engine with 4 new
  algorithms,
• Extended 48-bit Initialization Vector (IV) and IV
  sequencing rules (compared to the shorter 24-bit
  WEP RC4 key).
• New per-packet key mixing function.
• Derivation and distribution method - a.k.a.
  re-keying.
• A message integrity check (MIC) - a.k.a.
  Michael, ensures messages havent been tampered
  with during transmission.

71
WPA Data Encryption, contd

• the Temporal Key Integrity Protocol.
• DA Destination Address TKIP Temporal Key
  Integrity Protocol
• ICV Integrity Check Value TSC TKIP
  Sequence Counter
• MPDU Message Protocol Data Unit TTAK result
  of phase 1 key mixing of Temporal Key
• MSDU MAC Service Data Unit and
  Transmitter Address
• RSN Robust Security Network WEP Wired
  Equivalent Privacy
• SA Source Address WEP IV Wired Equivalent
  Privacy Initialization Vector
• TA Transmitter Address

72
WPA Data Encryption, contd

• TKIP implements countermeasures - reduces rate
  which attacker can make message forgery attempts
  down to two packets every 60 seconds.
• After 60 second timeout new PMK or Groupwise Key
  generated, depending on which attacked ensures
  attacker cannot obtain information from attacked
  key.
• Countermeasures bound probability of successful
  forgery and amount of information attacker can
  learn about a key.
• TKIP is made available as firmware or software
  upgrade to existing legacy hardware.
• TKIP eliminates having to replace existing
  hardware or having to purchase new hardware.

73
Bluetooth?
74
BlueTooth- Some Specifications

• Uses unlicensed 2.402 - 2.480 GHz frequency range
• Frequency hopping spread spectrum 79 hops
  separated by 1 MHz
• Maximum frequency hopping rate 1600 hops/sec
• Nominal range 10 cm to 10 meters
• Nominal antenna power 0 dBm
• One complete Bluetooth data packet can be
  transmitted within each 625 msec hop slot.

75
Potential Bluetooth Markets
76
Bluetooth Market Forecast
Nov03 100M Bluetooth compliant devices worldwide
77
Bluetooth Protocol Stack

• Adopted Protocols
• PPP(Point-To-Point Protocol)
• TCP/UDP/IP
• OBEX-Session Protocol for IrDA(Infrared Data
  Association)
• Contents Fromat(e.g. vCard, vCalendar)
• WAP-Wireless Application Protocol

78
Bluetooth Security

• Supports Unidirectional or Mutual Encryption
  based on a Secret Link key Shared Between Two
  Devices
• Security Defined In 3 modes
• Mode1- No Security
• Mode 2 - Service Level Security Not Established
  Before Channel is Established at L2CAP
• Mode 3 - Link Level Security Device Initiates
  Security Before LMP Link is Setup

• Devices and Services can be Set for Different
  Levels of Security
• Two Trust Levels are Set for Devices
• Trusted Device Fixed Relationship and
  Unrestricted Access to All Services
• Untrusted No Permanent relationship and
  Restricted Services

79
Bluetooth Security

• Devices and Services can be Set for Different
  Levels of Security
• Two Trust Levels are Set for Devices
• Trusted Device Fixed Relationship and
  Unrestricted Access to All Services
• Untrusted No Permanent relationship and
  Restricted Services

80
Bluetooth Security

• 3 Levels of Service Access
• Require Authorization and Authenication
• Require Authentication Only
• Default Security for Legacy Applications

81
But is this Wireless Link Secure?
Newsflash Jan 2001 Norwegian hackers crack
a Bluetooth transmission
82
Analysis of a BlueTooth Transmission
High overhead?
83
802.15.4/Zigbee?
84
IEEE 802.15.4 standard

• Includes layers up to and including Link Layer
  Control
• LLC is standardized in 802.1
• Supports multiple network topologies including
  Star, Cluster Tree and Mesh

• Features of the MAC Association/dissociation,
  ACK, frame delivery, channel access mechanism,
  frame validation, guaranteed time slot
  management, beacon management, channel scan
• Low complexity 26 primitives versus 131
  primitives for 802.15.1 (Bluetooth)

85
PHY overview

• Speed
• 20, 40 or 250 kbps
• Channels
• 1 channel in the 868MHz band
• 10 channels in the 915MHz band
• 16 channels in the 2.4GHz band
• Modulation
• BPSK (868MHz/20kbs)
• BPSK (915MHz/40kbps)
• O-QPSK (2.4GHz/250kbps)
• Coexistence w/
• 802.11b DSSS
• 802.15.1 FHSS
• 802.15.3 DSSS

86
MAC overview

• Security support
• Power consumption consideration
• Dynamic channel selection
• Network topology
• Star topology
• p2p topology
• cluster-tree network topology

87
Device classification

• Full Function Device (FFD)
• Any topology
• Can talk to RFDs or other FFDs
• Operate in three modes
• PAN coordinator
• Coordinator
• Device.
• Reduced Function Device (RFD)
• Limited to star topology
• Can only talk to an FFD (coordinator)
• Cannot become a coordinator
• Unnecessary to send large amounts of data
• Extremely simple
• Can be implemented using minimal resources and
  memory capacity

88
Transmission management

• Acknowledgement
• No ACK
• ACK
• Retransmission
• Duplicate detection
• Indirect transmission

89
Security

• Unsecured mode
• ACL mode
• Access control
• Secured mode
• Access control
• Data encryption
• Frame integrity
• Sequential freshness

90
Scalable Security

• Assume the attacker can deploy own nodes (can
  create a ring at some distance from
  controller)Wisenet 2003
• Enemy nodes mimick the mesh nodes they ACK the
  health inquiry as if everything was OK but
  they do not forward to the rest of the net
• The rest of the network is virtually cut off from
  inspection by controller
• Need secure key and a random seed that changes at
  each round

91
What About1451.5? 1xRTT? SAT? CDPD?
Others? No time this morning!
92
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review
93
Integrated Industrial Networks?
There are SO many technical questions such as
If the sensor network is to integrate into an
industrial setting, then you should be cognizant
of the Industrial Networking arena.
94
Industrial Device Network Topology

• Typically, three layers of networking make up
  enterprisewide networks. Ethernet acts as the
  company's intranet backbone, and it's linked to
  controllers or industrial PCs, which supply
  strategic data to the enterprise. An industrial
  network, or fieldbus, links sensors and smart
  devices. A gateway (not uncommon in a large
  system with lots of devices) links devices that
  have only RS-232 or RS-485 ports to the fieldbus
  system.

95
Industrial Device Networks

• General characteristics for industrial device
  networks have arisen.

• Obviously the complexity of the network increases
  as the functionality is increased.

96
Classification of Industrial Networks

• Three logical groupings of instrumentation
  networks used in an industrial setting.
• There are over 100 different proprietary networks
  in the field.

97
Inside Security Incident

• Employee attacks PLC in another plant area over
  PLC highway.
• Password changed to obscenity, blocking
  legitimate maintenance and forcing process
  shutdown.

Source BCIT Industrial Security Incident
Database (ISID)
98
Network Positioning
- Data

Ethernet TCP/IP

ControlNet Foundation Fieldbus H2
Profibus-FMS Data Highway Modbus Plus
Profibus-DP Interbus-S Remote I/O
- Functionality
Complexity -

DeviceNet Other CAN SDS
Fieldbus H1 Profibus-PA Modbus HART
ASi, Seriplex, Hardwiring, RS485 etc.
- Cost

99
Too Focused on Internet Issues?

• Myth 1 Our SCADA/PLC/DCS is safe if we dont
  connect to the Internet.
• Myth 2 Our Internet firewall will protect our
  control systems.
• Myth 3 Our IT department understands process
  control issues and security.

100
Is Industrial Comm Security Too Focused on
Internet Issues?
WarDialing Attack
Source (used by permission) Interface
Technologies, Windsor, CT, 2002
101
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review
102
Bit Rate vs. Quality of Service

• How Many
• Bits are
• Needed?

The more bits you xmit, the more power you
consume!
103
Coding vs. Quality of Service

• Is Coding
• Really
• Necessary?

104
Direct Sequence Spread Spectrum
105
Comparing Wireless
Tech. Range RF Power Battery life Numbers In Area
DSSS Medium Low longest High
FHSS Long High Short Medium
UWB Medium Lowest short High
Narrow band Longest highest short Lowest
106
Technology Beats Marketing in Performance!
107
Statistics on Types of Attacks
Source 2002 CSI/FBI Computer Crime and
Security Survey Computer Security Institute -
www.gocsi.com/losses.
of Respondents
108
Optimization of Security vs. Cost

• Risk reduction is balanced against the cost of
  security counter measures to mitigate the risk.

109
Risk in Safety vs. Risk in Security

• Safety Definition Risk is a measure of human
  injury, environmental damage, or economic loss in
  terms of both the incident likelihood and the
  magnitude of the loss or injury.
• Security Definition Risk is an expression of
  the likelihood that a defined threat will exploit
  a specific vulnerability of a particular
  attractive target or combination of targets to
  cause a given set of consequences.

Source CSPP Guidelines For Analyzing And
Managing The Security Vulnerabilities Of Fixed
Chemical Sites
110
Firewall Architectures

• The external router blocks attempts to use the
  underlying IP layer to break security (e.g. IP
  spoofing, source routing, packet fragments, etc)
  and forces all traffic to the proxy.
• The proxy firewall handles potential security
  holes in the higher layer protocols.
• The internal router blocks all traffic except to
  the proxy server.

External Router
Internal Router
?
?
111
Theres lot of Wireless

• From cellphones to PDAs to WiFi to Satellite-based

112
Wireless LAN Standards
113
Existing/Developing IEEE 802.11 Standards

• 802.11-
• 802.11a
• 802.11b
• 802.11e
• 802.11f
• 802.11g
• 802.11h
• 802.11i
• 802.1x
• 802.15
• 802.16

Frequency Hopping/DSSS 54Mbps / HyperLAN (1999)
11Mbps Quality of Service Point 2 Point
Roaming (2003) 54Mbps European Inspired
Changes (Q2,2004) New Encryption
Protocols (Q2,2004) Port Based Network Access
Personal Area Network (WPAN) Wireless
Metropolitan Area Network (WMAN)
114
On-Board Network Integration
Wireless Backbone for Inflight Entertainment
Noise Floor Lifter
PicoCellBTS
PicoCellBTS
6 MCU GSM SERVER
SDU
and we havent even touched on RFID!
115
Theres lot of Wireless

• And it all needs to feel more Secure!

116
For a real review of networking security

• Take Eric Byrnes ISA course IC32C

117
Will History Repeat?
wireless security not just 802.11
118
PATRIOT Act

• PATRIOT (Provide Appropriate Tools Required to
  Intercept and Obstruct Terrorism)
• Legally classifies many hacking attacks as acts
  of terrorism

119
So If Nothing else, at least PLEASE do this for
your WiFi System!WLAN Security Countermeasures

• Conduct site survey
• Identify areas of signal strength and weakness
• Do a walkaround with NetStumbler
• Document and shut down rogue access points
• Document and shut down unauthorized wireless NICs
• AND TURN ON SOME LEVEL OF THE PROVIDED PROTECTION!

120
Oh And dont forget that as you layer in
all of these wacky encryption schemes and CDMA
and DSSS andand that it takes some joules to
actually implement this. So if your wireless
network has primepower (a.k.a. AC) youre ok.
But if youre going off a battery then its a
tradeoff of security versus Power Consumption ?
You Choose that one!
121
...and in the end...
BumbleBee with RF xcvr
...or...
HoneyBee with RFID
Two potential forms of wireless sensor networks.
And they should both be secure!
122
Outline1. Security? Who needs it?2. How
is security achieved in a wired channel?3. The
Situation for Wireless (its RF in an industrial
setting. Spectrum, modulation, encryption,
spatial)4. Security within various Wireless
Delivery Schemes(cellular, WiFi, 802.15.4,
Bluetooth, others)5. An Integrated Solution6.
The Big Review7. Glossary and References
123
Glossary
10BASE-T IEEE 802.3 standard for a twisted-pair
Ethernet network. 10 Mbps transmission rate over
baseband using unshielded, twisted-pair
cable. 802.11 The IEEE 802.11 standard defines
both frequency hopping and direct sequence spread
spectrum solutions for use in the 2.4-2.5 MHz ISM
(Industrial, Scientific, Medical) band. 802.11a
The Global System for Mobile Communications
standard for worldwide wireless communications on
wide area networks (WANs). 802.11b The portion
of the 802.11 specification that defines the 11
Mbps data rate. A Access Point Provides a
bridge between Ethernet wired LANs and the
wireless network. Access points are the
connectivity point between Ethernet wired
networks and devices (laptops, hand-held
computers, point-of-sale terminals) equipped with
a wireless LAN adapter card. Analog phone Comes
from the word "analogous," which means similar
to. In telephone transmission, the signal being
transmitted from the phonevoice, video or
imageis analogous to the original
signal. Antenna-Directional Transmits and
receives radio waves off the front of the
antenna. The power behind and to the sides of the
antenna is reduced. The coverage area is oval
with the antenna at one of the narrow ends.
Typical directional antenna beam width angles are
from 90 (somewhat directional) to as little as
20(very directional). A directional antenna
directs power to concentrate the coverage pattern
in a particular direction. The antenna direction
is specified by the angle of the coverage pattern
called the beam width. Antenna-Omni-directional
Transmits and receives radio waves in all
directions. The coverage area is circular with
the antenna at the center. Omni-directional
antennas are also referred to as whip or
low-profile antennas. Association The process
of determining the viability of the wireless
connection and establishing a wireless network's
root and designated access points. A mobile unit
associates with its wireless network as soon as
it is powered on or moves into range. ATM
Asynchronous Transfer Mode. A type of high-speed
wide area network.

124
Glossary
B Backbone A network that interconnects other
networks, employing high-speed transmission paths
and often spanning a large geographic
area. Bandwidth The range of frequencies,
expressed in hertz (Hz), that can pass over a
given transmission channel. The bandwidth
determines the rate at which information can be
transmitted through the circuit. Bandwidth
Management Functionality that allocates and
manages RF traffic by preventing unwanted frames
from being processed by the access point. BC/MC
Broadcast frames Multicast frames Beacon A
uniframe system packet broadcast by the AP to
keep the network synchronized. A beacon Includes
the Net_ID (ESSID), the AP address, the Broadcast
destination addresses, a time stamp, a DTIM
(Delivery Traffic Indicator Maps) and the TIM
(Traffic Indicator Message). BFA Antenna
Connector Miniature coaxial antenna connector
manufactured by MuRata Manufacturing
Corporation. Bluetooth See Wireless Personal
Area Networks. Bridge A device that connects
two LANs of the same or dissimilar types. It
operates at the Data Link Layer, as opposed to
routers. The bridge provides fast connection of
two collocated LAN segments that appear as one
logical network through the bridge. Buffer A
segment of computer memory used to hold data
while it is being processed.

125
Glossary
C CAM Continuously Aware Mode Mode in which
the adapter is instructed to continually check
for network activity. Card and Socket Services
Packages that work with the host computer
operating system, enabling the Wireless LAN
adapter to interface with host computer
configuration and power management
functions. Cellular Phone Low-powered, duplex,
radio/telephone that operates between 800 and 900
MHz, using multiple transceiver sites linked to a
central computer for coordination. The sites, or
"cells," cover a range of one to six or more
miles in each direction. Centrex Business
telephone service offered by a local telephone
company from a local telephone company office.
Centrex is basically a single line phone system
leased to businesses as a substitute for a
business that is buying or leasing its own
on-premises phone system or PBX. CDMA and TDMA
The Code Division Multiple Access and Time
Division Multiple Access standard for wireless
communications on wide area networks (WANs) in
North America. Circuit switching The process of
setting up and keeping a circuit open between two
or more users so that users have exclusive and
full use of the circuit until the connection is
released. Client A computer that accesses the
resources of a server. Client/Server A network
system design in which a processor or computer
designated as a server (such as a file server or
database server) provides services to other
client processors or computers. CODEC
Coder-Decoder. Audio compression/decompression
algorithm that is designed to offer excellent
audio performance. Converts voice signals from
their analog form to digital signals acceptable
to modern digital PBXs and digital transmission
systems. It then converts those digital signals
back to analog so that you may hear and
understand what the other person is
saying. Computer Telephony Integration
Technology that integrates computer intelligence
with making, receiving, and managing telephone
calls. Computer telephony integrates messaging,
real-time connectivity, and transaction
processing and information access.

126
Glossary
D Data Terminal Computer transmit and receive
equipment, including a wide variety of dumb
terminals or terminals without embedded
intelligence in the form of programmed logic.
Most data terminals provide a user interface to a
more capable host computer, such as a mainframe
or midrange computer. Decryption Decryption is
the decoding and unscrambling of received
encrypted data. The same device, host computer or
front-end processor, usually performs both
encryption and decryption. Desktop Conferencing
A telecommunications facility or service on a PC
that permits callers from several diverse
locations to be connected together for a
conference call. Digital Phone System
Proprietary phone system provided by a vendor,
such as ATT, Mitel, Northern Telecom, and so on.
The signal being transmitted in a digital phone
system is the same as the signal being
transmitted in an analog phone system. The system
can consist of a proprietary PBX system that
converts voice signals from their analog form to
digital signals, and then converts those digital
signals back to analog. Alternatively, the
conversion from analog-to-digital can occur in a
digital phone. Direct Inward Dialing DID. The
ability for a caller outside a company to call an
internal extension without having to pass through
an operator or attendant. In large PBX systems,
the dialed digits are passed from the PSTN to the
PBX, which then completes the call. Direct-Sequen
ce (DS) Spread Spectrum Direct sequence
transmits data by generating a redundant bit
pattern for each bit of information sent.
Commonly referred to as a "chip" or "chipping
code," this bit pattern numbers 10 chips to one
per bit of information. Compared with frequency
hopping, direct sequence has higher throughput,
wider range and is upgradable in the 2.4GHz
band. Diversity Reception The use of two
antennas attached to a single access point to
improve radio reception. The second antenna is
used only for receiving radio signals, while the
primary is used for both transmitting and
receiving. Driver A program routine that links
a peripheral device, such as a mobile unit's
radio card, to the computer system.

127
Glossary
Element-level Management Level of technologies
aimed at small or medium-sized businesses. Encryp
tion Entails scrambling and coding information,
typically with mathematical formulas called
algorithms, before the information is transmitted
over a network. Ethernet A local area network
used for connecting computers, printers,
workstations, terminals, servers, and so on,
within the same building or campus. Ethernet
operates over twisted wire and over coaxial cable
at speeds up to 100 Mbps, with 1 Gbps speeds
coming soon. Filtering Prevents user-defined
frames from being processed by the access
point. Fragmentation Threshold The maximum size
for directed data packets transmitted over the
radio. Larger frames fragment into several
packets this size or smaller before transmission
over the radio. The receiving station reassembles
the transmitted fragments. Frame Mode A
communications protocol supported by the OEM
Modules. The frame protocol implements
asynchronous serial Point-to-Point (PPP) frames
similar to those used by serial Internet
protocols. Frequency Hopping (FH) Spread
Spectrum Hedy Lamarr, the actress, is credited
in name only for inventing frequency hopping
during World War II. As its label suggests,
frequency hopping transmits using a narrowband
carrier that changes frequency in a given
pattern. There are 79 channels in a 2.4GHz ISM
band, each channel occupying 1MHz of bandwidth. A
minimum hop rate of 2.5 hops per channel per
second is required in the United States.
Frequency hopping technology is recognized as
superior to direct sequence in terms of echo
resistance, interference immunity, cost and
ease-of-installation. To date, there has also
been a greater selection of WLAN products from
which to chose. FTP (File Transfer Protocol) A
common Internet protocol used for transferring
files from a server to the Internet user. It uses
TCP/IP commands. Gain, dBi Antenna gain,
expressed in decibels referenced to a half wave
dipole. Gain, dBi Antenna gain, expressed in
decibels referenced to a theoretical isotropic
radiator. Gain, dBic Antenna gain, expressed in
decibels referenced to a theoretical isotropic
radiator that is circularly polarized. Gatekeeper
Software that performs two important functions
to maintain the robustness of the network
address translation and bandwidth management.
Gatekeepers map LAN aliases to IP addresses and
provide address lookups when needed. Gateway
Optional element in an H.323 conference. Gateways
bridge H.323 conferences to other networks,
communications protocols, and multimedia formats.
Gateways are not required if connections to other
networks or non-H.323 compliant terminals are not
needed. GHz International unit for measuring
frequency is Hertz (Hz), which is equivalent to
the older unit of cycles per second. One
Gigahertz (GHz) is one billion Hertz. Microwave
ovens typically operate at 2.45 GHz. GSM The
Global System for Mobile Communications standard
for worldwide wireless communications on wide
area networks (WANs).

128
Glossary
H.323 An umbrella standard from the
International Telecommunications Union (ITU) that
addresses call control, multimedia management,
and bandwidth management for point-to-point and
multi-point conferences, as well as interfaces
between LANs and other networks. The most popular
standard currently in use. Handheld PC (HPC)
The term adopted by Microsoft and its supporters
to describe handheld computers employing
Microsoft's Windows CE operating
system. Interactive Voice Response System used
to access a database access application using a
telephone. The voice processing acts as a
front-end to appropriate databases that reside on
general purpose computers. For instance, DTMF
(touch tone) input of a Personal Identification
Number can be required for access or more unusual
and expensive techniques such as voice
recognition and voice print matching. Internet
World's largest network, often referred to as the
Information Superhighway. The Internet is a
virtual network based on packet switching
technology. The participants on the Internet and
its topology change on a daily basis. Internet
Commerce Electronic business transactions that
occur over the Internet. Samples of Internet
commerce applications include electronic banking,
airline reservation systems, and Internet
malls. Internet Phone Device used to transmit
voice over the Internet, bypassing the
traditional PSTN and saving money in the process.
An Internet phone can be a small phone (such as
the NetVision Phone) or a multimedia PC with a
microphone, speaker, and modem. Interoperability
The ability of equipment or software to operate
properly in a mixed environment of hardware and
software, from different vendors. Enabled by the
IEEE 802.11 open standard. IP (Internet
Protocol) The Internet standard protocol that
defines the Internet datagram as the unit of
information passed across the Internet. Provides
the basis of the Internet connection-less-
best-effort packet delivery service. The Internet
protocol suite is often referred to as TCP/IP
because IP is one of the two fundamental
protocols. International Roaming Ability to use
one adapter worldwide. Intranet A private
network that uses Internet software and Internet
standards. In essence, an intranet is a private
Internet reserved for use by people who have been
given the authority and passwords necessary to
use that network. ISDN Integrated Services
Digital Network. Emerging network technology
offered by local phone companies that is designed
for digital communications, computer telephony,
and voice processing systems. ISM Band ISM
bands--instrumental (902-928MHz), science
(2.4-2.4835GHz), and medical (5.725-5.850GHz)--are
the radio frequency bands allocated by the FCC
for unlicensed continuous operations for up to
1W. The most recent band approved by the FCC for
WLANs was the medical band in January 1997. ITU
International Telecommunications Union. Standards
body that defined H.323 and other international
standards. Jitter Noise on a communications
line which is based on phase hits, causing
potential phase distortions and bit errors..

129
Glossary
Kerberos A widely deployed security protocol
that was developed at the Massachusetts Institute
of Technology (MIT) to authenticate users and
clients in a wired network environment and to
securely distribute encryption keys. Key
Telephone System A system in which the telephone
has multiple buttons permitting the user to
directly select central office phone lines and
intercom lines. Key phone systems are most often
found in relatively small business environments,
typically around 50 telephones. Layer A
protocol that interacts with other protocols as
part of an overall transmission system. LPD
(Line Printer Daemon) A TCP-based protocol
typically used between a Unix server and a
printer driver. Data is received from the network
connection and sent out over the serial
port. MAC (Media Access Control) Part of the
Data Link Layer, as defined by the IEEE, this
sublayer contains protocols for gaining orderly
access to cable or wireless media. MD5
Encryption An authentication methodology when MU
is in foreign subnet. MIB (Management
Information Base) An SNMP structure that
describes the specific device being monitored by
the remote-monitoring program. Microcell A
bounded physical space in which a number of
wireless devices can communicate. Because it is
possible to have overlapping cells as well as
isolated cells, the boundaries of the cell are
established by some rule or convention. Modem
Equipment that converts digital signals to analog
signals and vice versa. Modems are used to send
digital data signals over the analog PSTN. MMCX
Antenna Connector Miniature coaxial antenna
connector in use by several major wireless
vendors. Mobile IP The ability of the mobile
unit to communicate with the other host using
only its home IP address, after changing its
point of attachment to the Internet and
intranet. Mobile Unit (MU) May be a Symbol
Spectrum24 terminal, PC Card and PCI adapter,
bar-code scanner, third-party device, and
other Mobile Unit Mode In this mode, the WLAN
adapter connects to an access point (AP) or
another WLAN installed system, allowing the
device to roam freely between AP cells in the
network. Mobile units appear as network nodes to
other devices. Modulation Any of several
techniques for combining user information with a
transmitter's carrier signal. Multipath The
signal variation caused when radio signals take
multiple paths from transmitter to
receiver. Multipath Fading A type of fading
caused by signals taking different paths from the
transmitter to the receiver and, consequently,
interfering with each other.

130
Glossary
Node A network junction such as a switch or a
routing center. Packet Switching Refers to
sending data in packets through a network to some
remote location. In a packet switched network, no
circuit is left open on a dedicated basis. Packet
switching is a data switching technique
only. PBX Phone System Private Branch eXchange.
Small version of the phone company's larger
central switching office. An alternative to a PBX
is to subscribe to a local telephone company's
Centrex service. PCMCIA (Personal Computer
Memory Card International Association) PC Card A
credit card-size device used in laptop computers
and available as removable network adapters. PCS
(Personal Communications Service) A new, lower
powered, higher-frequency competitive technology
to cellular. Whereas cellular typically operates
in the 800-900 MHz range, PCS operates in the 1.5
to 1.8 GHz range. The idea with PCS is that the
phone are cheaper, have less range, and are
digital. The cells are smaller and closer
together, and airtime is cheaper. Peer-to-peer
Network A network design in which each computer
shares and uses devices on an equal basis. Ping
A troubleshooting TCP/IP application that sends
out a test message to a network device to measure
the response time. PLD (Data Link Protocol) A
raw packet protocol based on the Ethernet frame
format. All frames are sent to the wireless
network verbatim--should be used with care as
improperly formatted data can go through with
undesirable consequences. Plug and Play A
feature that allows a computer to recognize the
PCI adapter and configure the hardware interrupt,
memory, and device recognition addresses
requires less user interaction and minimizes
hardware conflicts. Pocket PC The term adopted
by Microsoft and its supporters to describe
handheld computers employing Microsoft's Pocket
PC operating system. Point-of-Sale Device A
special type of equipment that is used to collect
and store retail sales data. This device may be
connected to a bar code reader and it may query a
central computer for the current price of that
item. POTS (Plain Old Telephone Service) The
basic service supplying standard single line
telephones, telephone lines, and access to the
public switched telephone network. Power
Management Algorithms that allow the adapter to
sleep between checking for network activity, thus
conserving power. PSP (Power Save Polling)
stations power off their radios for long periods.
When a mobile unit in PSP mode associates with an
access point, it notifies the AP of its activity
status. The AP responds by buffering packets
received for the MU. PSTN (Public Switched
Telephone Network) Refers to the worldwide voice
telephone network accessible to all those with
telephones and access privileges. In the U.S.,
the PSTN is provided by ATT.

131
Glossary
QoS (Quality of Service) Measure of the
telephone service quality provided to a
subscriber. QoS refers to things like Is the
call easy to hear? Is it clear? Is it loud
enough? RBOC (Regional Bell Operating Company)
One of the seven Bell operating companies set up
after the divestiture of ATT, each of which own
two or more Bell Operating Companies
(BOCs). Roaming Movement of a wireless node
between two microcells. Roaming usually occurs in
infrastructure networks built around multiple
access points. Repeater A device used to extend
cabling distances by regenerating
signals. Router The main device in any modern
network that routes data blocks from source to
destination using routing tables and determining
the best path dynamically. It functions as an
addressable entity on the LAN and is the basic
building block of the Internet. SNMP (Simple
Network Management Protocol) The network
management protocol of choice for TCP/IP based
intranets. Defines the method for obtaining
information about network operating
characteristics, change parameters for routers
and gateways. Scanning A periodic process where
the mobile unit sends out probe messages on all
frequencies defined by the country code. The
statistics enable a mobile unit to re-associate
by synchronizing its frequency to the AP. The MU
continues communicating with that access point
until it needs to switch cells or roam. Site
Survey Physical environment survey to determine
the placement of access points and antennas, as
well as the number of devices necessary to
provide optimal coverage, in a new or expanding
installation. Spread Spectrum A transmission
technique developed by the U.S. military in World
War II to provide secure voice communications,
spread spectrum is the most commonly used WLAN
technology today. It provides security by
"spreading" the signal over a range of
frequencies. The signal is manipulated in the
transmitter so that the bandwidth becomes wider
than the actual information bandwidth.
De-spreading the signal is impossible for those
not aware of the spreading parameters to them,
the signal sounds like background noise.
Interference from narrowband signals is also
minimized to background noise when it is
de-spread by the receiver. Two types of spread
spectrum exist direct sequence and frequency
hopping. Stream Mode A communications protocol
supported only by the Telnet and TCP protocols.
Stream mode transfers serial characters as they
are received by encapsulating them in a packet
and sending them to the host.

132
Glossary

T1 A type of dedicated digital leased-line
available from a public telephone provider with a
capacity of 1.544 Mbps. A T1