Wireless Sensor Systems: Security Implications for the Industrial Environment - PowerPoint PPT Presentation


Wireless Sensor Systems: Security Implications for the Industrial Environment


Wireless Sensor Systems: Security Implications for the Industrial Environment. Dr. Peter L. Fuhr, Chief Scientist, RAE Systems, Sunnyvale, CA, pfuhr@raesystems.com (PowerPoint presentation)

Number of Views:557
Avg rating:3.0/5.0
Slides: 137
Provided by: plf3


Transcript and Presenter's Notes

Title: Wireless Sensor Systems: Security Implications for the Industrial Environment

Wireless Sensor Systems: Security Implications for the Industrial Environment
Dr. Peter L. Fuhr, Chief Scientist, RAE Systems, Sunnyvale, CA, pfuhr@raesystems.com
Dr. Peter Fuhr, Presenter: 480 publications/presentations in the wireless sensor networking arena. Old-timer in this area, etc. etc.
  • RAE Systems Inc.
  • Pervasive Sensing Company based in Silicon Valley
    founded in 1991
  • Capabilities
  • Radiation detection
  • Gamma and neutron
  • Chemical/vapor detection
  • Toxic gas, VOC, combustible gas, oxygen, CWA, temperature, humidity, CO2
  • Redeployable sensor networks
  • Mobile and fixed wireless monitors
  • Cargo Container Sensor Systems

A number of individuals have provided content for these slides. They include:
  • Wayne Manges, Oak Ridge National Laboratory
  • Robert Poor, Ember
  • Pat Gonia, Honeywell
  • Hesh Kagan, Foxboro/Invensys
  • Kang Lee, NIST
  • Tom Kevan, Advanstar
  • Ramesh Shankar, Electric Power Research Institute
  • Larry Hill, Larry Hill Consulting
  • Rob Conant, Dust
  • Rick Kriss, Xsilogy
  • Gideon Varga, Dept of Energy
  • Jack Eisenhauser, Energetics
  • Michael Brambley, Pacific Northwest National Labs
  • David Wagner, UC-Berkeley
Undoubtedly, there are other contributors too (apologies if your name is not
Wireless Sensor Networking
  • it's not cellular telephony
  • it's not just WiFi... (and it just may be the next big thing)

Each dot represents one cell phone tower.
Wireless devices circa 1930
Sensor Market: 11B in 2001. Installation (wiring) costs >100B
  • Fragmented market
  • -> platform opportunity
  • Installation cost limits penetration
  • -> reducing installation cost increases market

Highly Fragmented Sensor Market
Freedonia Group report on Sensors, April 2002
Slide courtesy of Rob Conant, Dust
Industrial Market Sizing Sensor Networking
  • North American Market for Wireless products used
    in Applications where transmission distances are
    1 mile or less
  • 2002 Total 107 million
  • 2006 Forecast 713 million
  • 2010 Estimates 2.1 billion
  • Largest Application areas
  • 2002 Tank Level Monitoring, Asset Tracking,
    Preventative Maintenance
  • 2006 Tank Level Monitoring, Preventative
    Maintenance, Environmental Monitoring
  • Conclusions
  • Rapid Growth in Industrial markets
  • Tank Level Monitoring will remain a significant
  • Key User Needs
  • Lower Costs over Wired (or Manual) Solutions
  • Education of Potential Customers on the
  • Demonstration of Operational Reliability
    Application Domain Knowledge

Slide courtesy of Rick Kriss, Xsilogy
The True cost per monitored node to the End
[Figure: 3-Yr TOC and Installation Costs plotted against Radio RF Range (dB); region labelled "DENSE: Bluetooth, 802.15.4, WiFi etc."; marker "Design For Here"]

Slide courtesy of Rick Kriss, Xsilogy
What to do with the data?
  • Great! But how do you get the output signal from
    the sensor to the location where the information
    will be interpreted (used)?

Traditionally the output of the sensor was
hardwired to some form of interpretive device
(e.g., PLC) perhaps relying on a 4-20mA signal
Outline
  1. Security? Who needs it?
  2. How is security achieved in a wired channel?
  3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
  4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
  5. An Integrated Solution
  6. The Big Review
Oh, who needs security in a wireless channel? (pretty ridiculous statement, isn't it!)
Let's ask some experts: WINA meeting, Coral Gables, Sept. 2003
What's a WINA?
In the spring of 2003, the Wireless Industrial
Networking Alliance (WINA) was formed to promote
the adoption of wireless networking technologies
and practices that will help increase industrial
productivity and efficiency. WINA will be
holding a 1.5 day meeting at ISA-HQ in RTP, NC on
Feb 11/12 right after the ISA Wireless Security
Expo and conference. Check out
www.wireless4industrial.org for WINA meeting
details AND www.isa.org/wireless for the ISA
Wireless Security conf details!
Back to the Question: Who needs security in a wireless channel anyway!
Strategy Workshop Participants
  • Suppliers (13)
  • System integrators (6)
  • Industrial end users (10)
  • Chemicals
  • Petroleum
  • Automotive
  • Energy/Utilities
  • Forest Products
  • Electronics
  • Industry analysts/venture capitalists (3)
  • Others (associations, government, media,

End-User View of Industrial Wireless
  • Likes
  • Mobility
  • Compactness
  • Flexibility
  • Low cost
  • Capability to monitor rotating equipment
  • Short range (security)
  • Ease of installation
  • High reliability
  • Impetus to enhance electronics support
  • Dislikes
  • Change to status quo
  • Complexity
  • High cost for coverage in large plants
  • Security issues
  • Portability issues (power)
  • Unproven reliability
  • Too risky for process control
  • Lack of experience in troubleshooting (staff)
  • Restricted infrastructure flexibility once
  • Lack of analysis tools

Technology Group Key Issues
  • Security
  • Jamming, hacking, and eavesdropping
  • Power
  • Value (clear to customer)
  • Interoperability
  • Co-existence with other facility networks,
    sensors, collectors, technology
  • True engineered solution (sensors, collectors,
  • Assured performance reliability/MTBA (mean time between attention)
  • Software infrastructure, data, systems
  • Robustness (at least as good as wired)
  • RF characterization (radios, receivers,

Technology Group: Criticality Varies by Application (5 = most critical)

Attributes                  | Monitor | Control   | Alarm | Shutdown | Biz WLAN
Latency                     | 2-3     | 3-5       | 5     | 5        | 1
Device Reliability          | 2-3     | 3-5       | 5     | 5        | 1
Raw Thru-put (node / aggr.) | 2 / 5   | 2.5 / 2.5 | 1 / 4 | 1 / 1    | 1 / 5
Scalability (Max. nodes)    | 5       | 4         | 4     | 1        | 2-3
Data Reliability            | 1       | 5         | 5     | 5        | 2
Security                    | 1-5     | 5         | 5     | 5        | 5
Low Cost                    | 5       | 2         | 1-3   | 1        | 2-3
Gateway Technology          | 5       | 1         | 3-4   | 1        | 1
Engineered Solution         | 1       | 5         | 4     | 5        | 3

Industrial CyberSecurity
  • The Case of Vitek Boden

  • On October 31, 2001 Vitek Boden was convicted of
  • 26 counts of willfully using a restricted
    computer to cause damage
  • 1 count of causing serious environment harm
  • The facts of the case
  • Vitek worked for the contractor involved in the
    installation of Maroochy Shire sewage treatment
  • Vitek left the contractor in December 1999 and
    approached the shire for employment. He was
  • Between Jan 2000 and Apr 2000 the sewage system
    experienced 47 unexplainable faults, causing
    millions of liters of sewage to be spilled.

How did he do it?
  • On April 23, 2000 Vitek was arrested with stolen
    radio equipment, controller programming software
    on a laptop and a fully operational controller.
  • Vitek is now in jail

A Favorite 2.4 GHz Antenna
WarDriving 802.11 HotSpots in Silicon Valley
WarDriving 802.11 HotSpots in San Francisco
The Question: Who needs security in a wireless channel anyway!
The Answer: We do. So... how do you provide the appropriate level of security within the acceptable price and inconvenience margin? -> Risk Management!
Inside vs. Outside?
  • Where do attacks come from?

[Chart: % of Respondents, by attack source]
Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute -
An Outside Example. When?
April 2001
Hacker War I
  • In the Spring of 2001, the US got its first taste of a new form of warfare.
  • Launched from overseas and targeted at US
    critical infrastructure.

Honker Union
  • Chinese Hacker Group working to advance and in
    some cases impose its political agenda
  • During the spring of 2001, Honker Union worked
    with other groups such as the Chinese Red Guest
    Network Security Technology Alliance
  • Hackers were encouraged to "...make use of their
    skills for China..." Wired.com

Attack Methods
  • Denial of Service Attacks
  • Website Defacement
  • E-mailing viruses to US Government Employees
  • KillUSA package

  • Cyber attacks and web defacements increased
    dramatically after the start of the war against
  • More than 1,000 sites were hacked in the first 48
    hours of the conflict, with many of the attacks
    containing anti-war slogans.
  • Security consultants state that the war against
    Iraq made March the worst month for digital
    attacks since records began in 1995.

Hacker School
  • North Korea's Mirim College, is a military
    academy specializing in electronic warfare
  • 100 potential cybersoldiers graduate every year

The Question Who needs security in a wireless
channel anyway?
The Answer Everyone.
Layered Communications
A few details
Wired Data Security - Encryption
The traditional method involved encrypting the data prior to transmission over a potentially insecure channel. The level of protection rests on the encryption algorithm. (There are a few other factors, such as the physical media.)
Slide courtesy of Wayne Manges, ORNL
Outline
  1. Security? Who needs it?
  2. How is security achieved in a wired channel?
  3. The Situation for Wireless
  4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
  5. An Integrated Solution
  6. The Big Review
Wireless Buildings
From many perspectives, THIS is what a wireless
sensor network can provide.
Key to success reduced installation costs
Slide courtesy of Pat Gonia, Honeywell
$E(t) = A(t)\cos(\omega t + \varphi(t))$
Amplitude Modulation (AM): info is in A(t)
Frequency Modulation (FM): info is in ω
Phase Modulation (PM): info is in φ(t)
Different vendors use different schemes - and
they are not interoperable.
The FCC Frequency Assignment
Different vendors may use different frequencies
within the various ISM bands (green in the
The ISM bands most commonly used are at 433, 915
and 2400 MHz.
Multiple Sensors Sharing the Medium
Multiplexing. FDMA, TDMA and CDMA
Binary Signaling Formats
  • Used to Improve Digital Signal Reception and
  • NRZ Non-Return to Zero
  • RZ Return to Zero
  • Unipolar Only one side of 0V
  • Bipolar Both sides of 0V
  • Manchester Bi-Phase (0 in left 1/2 time slot,
    1 in right)

Narrowband or Spread Spectrum?
  • Narrowband uses a fixed carrier frequency, F0.

The receiver then locks onto the carrier frequency, F0.
Easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0). Least secure modulation
Narrowband or Spread Spectrum (cont.)
  • Frequency Hopping Spread Spectrum uses a carrier frequency that varies with time, F0(t).

Invented and patented by actress Hedy Lamarr and her pianist George Antheil.
The receiver must track the time-varying carrier frequency, F0(t).
Relatively easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0) during any single transmit interval. Hopping rates may be 1600 hops/second (à la Bluetooth). Very secure modulation scheme (used in military for decades).
Narrowband or Spread Spectrum (cont.)
  • Direct Sequence Spread Spectrum uses a fixed carrier frequency, F0, but interleaves the data with a precise mathematical 0/1 data sequence. (This increases the length of the transmitted information vector.) The information is replicated many times throughout the bandwidth, so if one lobe of the information is jammed, the remainder gets through. Highly robust technique.

The receiver then locks onto the carrier frequency, F0, receives the signal and then must undo the interleaving.
More difficult to implement (more expensive). Most complicated scheme (of these presented). Most secure modulation scheme.
[Figure: DSSS transmitter and receiver block diagram. Transmit side: Data Clock, PN Clock, PN Sequence Generator, carrier, modulator. Receive side: Local PN Clock, Local PN Sequence Generator, Local Carrier, Wide BP Filter, Narrow BP Filter, Phase Demod. Three Power Spectral Density plots are shown, captioned:]
  • Narrow spectrum at output of modulator before spreading
  • Spectrum has wider bandwidth and lower power density after spreading with PN sequence (PN Rate >> Data Rate)
  • Original narrowband, high power density spectrum is restored if local PN sequence is the same as and lined up with received PN sequence (narrowband interference at this stage is labelled "Spread RFI")
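To make the spreading and despreading story above concrete, here is an added Python example that is not from the slides or from any vendor's code. It spreads data bits with a constructed 15-chip PN sequence, adds a narrowband jammer, and despreads with a local PN that is lined up (works), one that is not (fails), and compares both with a narrowband link that has no spreading. The PN sequence, the jammer model and the 15 chips/bit figure are assumptions of the example.

```python
"""Toy direct-sequence spread spectrum (DSSS) link (constructed example).

Spread data bits with a PN chip sequence, add a narrowband jammer, then despread
with an aligned local PN, with a misaligned local PN, and compare against a
narrowband link that has no spreading at all.
"""
import math

# Constructed 15-chip maximal-length (m-)sequence: the output of a 4-stage LFSR
# (x^4 + x + 1, seeded with 1111) mapped to +1/-1 chips. Chip rate = 15 x bit rate.
PN = [1, 1, 1, 1, -1, 1, -1, 1, 1, -1, -1, 1, -1, -1, -1]
CHIPS_PER_BIT = len(PN)


def spread(bits):
    """Transmitter: map each bit to +1/-1 and multiply it by the whole PN sequence."""
    chips = []
    for b in bits:
        sym = 1 if b else -1
        chips.extend(sym * c for c in PN)
    return chips


def narrowband_tx(bits):
    """Narrowband reference transmitter: the same symbol repeated, no PN code."""
    chips = []
    for b in bits:
        chips.extend([1 if b else -1] * CHIPS_PER_BIT)
    return chips


def add_narrowband_jammer(samples, amplitude):
    """A narrowband (tone-like) interferer adds the same offset to every sample of
    a bit interval; `amplitude` is relative to the chip amplitude of 1."""
    return [s + amplitude for s in samples]


def correlations(samples, local_pn):
    """Receiver front end: correlate each bit interval with the local PN sequence.
    A lined-up PN gives +/-15 (the full processing gain); a PN that is not lined up
    gives only +/-1, because an m-sequence's off-peak autocorrelation is -1."""
    out = []
    for i in range(0, len(samples), CHIPS_PER_BIT):
        interval = samples[i:i + CHIPS_PER_BIT]
        out.append(sum(r * p for r, p in zip(interval, local_pn)))
    return out


def despread(samples, local_pn):
    """Decide each bit from the sign of its correlation."""
    return [1 if c > 0 else 0 for c in correlations(samples, local_pn)]


def narrowband_decode(samples):
    """Narrowband receiver: nothing to correlate against, just sum the samples."""
    bits = []
    for i in range(0, len(samples), CHIPS_PER_BIT):
        bits.append(1 if sum(samples[i:i + CHIPS_PER_BIT]) > 0 else 0)
    return bits


def processing_gain_db():
    """Spreading gain in dB: 10*log10(chips per bit)."""
    return 10 * math.log10(CHIPS_PER_BIT)


def misaligned_pn(offset=1):
    """The same PN sequence, but not lined up with the transmitter (cyclic shift)."""
    return PN[offset:] + PN[:offset]


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    jammed = add_narrowband_jammer(spread(data), 6)   # jammer 6x the chip amplitude
    print("DSSS, aligned PN, jammer 6x :", despread(jammed, PN))
    print("DSSS, misaligned PN         :", despread(spread(data), misaligned_pn()))
    print("narrowband, jammer 6x       :",
          narrowband_decode(add_narrowband_jammer(narrowband_tx(data), 6)))
    print("processing gain dB          :", round(processing_gain_db(), 1))
```

With the jammer at six times the chip amplitude the DSSS receiver still recovers every bit, because correlating with the balanced PN sequence reduces the jammer to a contribution of 1 against a signal of 15, while the narrowband receiver reads every bit as 1. The misaligned-PN case is the "prior knowledge" point from the slides: without the right sequence, lined up, the correlator output is at the noise level.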
Narrowband or Spread Spectrum (cont.)
  • Which is best?

Each has its pluses and minuses, and each scheme has its share of die-hard advocates and/or
Different vendors use these (and other) schemes at different frequencies within the various ISM
From a security standpoint, DSSS is best.
No Matter What, It's Just an Electromagnetic Field
$E(t) = A(t)\cos(\omega t + \varphi(t))$
  • A(t): amplitude of the wave
  • ω: radian frequency of the wave
  • φ(t): phase of the wave

The RF Footprint
  • Personal Area Network typical radiated power 0
    dBm, size 10m
  • Local Area Network typical radiated power 20
    dBm, size 100m
  • Wide Area Network typical radiated power >30 dBm, size >2000m

Network Topologies?
There are SO many technical questions such as
Ad Hoc Network
The Real World Presents the Wireless Channel with Multipath and Attenuation, and...
[Figure: The Effect / The Cause]
Real World: Atmospheric Attenuation at 2.4 GHz
Real World: Rayleigh Fading @ 2.4GHz; Signal Attenuation at 2.4 GHz
Real World: And Signal-to-Noise Ratios really do matter!
Real World: Anecdotal Evidence: As Frankfurt has increased the deployment of 2.4 GHz wireless surveillance cameras, the background noise level has increased by 12 dB. (This plays havoc with the BER or, for fixed BER, the overall data rate.)
Real World: Which Frequency is Best? Notice that the operation at 2.45 GHz is WORSE than at 900MHz (which is worse than 433 MHz).
Wireless Data Security Encryption, Spreading,
Wireless networks use a variety of techniques to
enhance security, such as spreading and
interleaving. These techniques can make the
signal virtually undetectable without prior
knowledge about the network. This can improve
the security of the network by orders of
Slide courtesy of Wayne Manges, ORNL
The Wireless Market
[Figure: market positioning of 802.11a/HL2, 802.11g, Bluetooth 2]
Bluetooth vs. the Rest (cont'd)

Parameter         | Technology                  | Data Rate | Power    | Range      | Topology              | Security     | Voice Channel
ZigBee (proposed) | 2.4 GHz, DSSS 15 chips/bit  | 40 kbits/s| 0 dBm    | 100m       | 100s devices, CSMA/CA | Not yet      | No
802.11            | 2.4 GHz, DSSS 11 chips/bit  | 11 Mbps   | 20 dBm   | 50m        | 128 devices, CSMA/CA  | Optional WEP | Optional
HomeRF            | 2.4 GHz, FHSS 50 hops/s     | 1 Mbps    | 20 dBm   | 50m        | 128 devices, CSMA/CA  | Optional     | Optional
Bluetooth         | 2.4 GHz, FHSS 1000 hops/s   | 1 Mbps    | 0, 20 dBm| 1-10m, 50m | 8 devices, Piconet    | Encryption   | Y

Bluetooth aka IEEE 802.15.1; ZigBee aka IEEE
Side by Side
The Worldwide View of the 802.11 Spectral Space
Radiated Field from a single AP (Kansas City)
20dB Attenuation Profile for Univ of Kansas Eng
Bldg., Mesh and AP deployments
(encrypted traffic)
  • The industry's solution: WEP (Wired Equivalent
  • Share a single cryptographic key among all
  • Encrypt all packets sent over the air, using the shared key
  • Use a checksum to prevent injection of spoofed

Early History of WEP
Subsequent Events: Jan 2001, Borisov, Goldberg, Wagner
WEP Attack Tools
  • Downloadable procedures from the Internet
  • To crack the Key
  • AirSnort: http://airsnort.sourceforge.net
  • WEPCrack: http://sourceforge.net/projects/wepcrack/
  • To brute force enter into WLAN,
  • http://www.thehackerschoice.com/releases.php

Wi-Fi Protected Access (WPA)
  • Flaws in WEP known since January 2001 - flaws
    include weak encryption, (keys no longer than 40
    bits), static encryption keys, lack of key
    distribution method.
  • IEEE developing 802.11i standard for enhanced
    wireless security - Addresses weak data
    encryption and user authentication within
    existing 802.11 standard.
  • 802.11i standard will not be ratified until late
    2003, possibly early 2004 - outstanding issues.
  • WPA standard joint effort between Wi-Fi Alliance
    and IEEE - WPA a subset of IEEE 802.11i standard
    (Draft 3.0).
  • WPA provides stronger data encryption (weak in
    WEP) and user authentication (largely missing in

WPA Data Encryption
  • WPA uses Temporal Key Integrity Protocol (TKIP) -
    stronger data encryption, addresses known
    vulnerabilities in WEP.
  • TKIP chosen as primary encryption cipher suite -
    Easily deployed and supported in legacy 802.11b
    hardware compared to other available cipher
  • TKIP based on RC4 stream cipher algorithm,
    surrounds WEP cipher engine with 4 new
  • Extended 48-bit Initialization Vector (IV) and IV
    sequencing rules (compared to the shorter 24-bit
    WEP RC4 key).
  • New per-packet key mixing function.
  • Derivation and distribution method - a.k.a.
  • A message integrity check (MIC) - a.k.a. Michael, ensures messages haven't been tampered with during transmission.

WPA Data Encryption, cont'd
[Figure: the Temporal Key Integrity Protocol]
  • DA: Destination Address
  • ICV: Integrity Check Value
  • MPDU: Message Protocol Data Unit
  • MSDU: MAC Service Data Unit
  • RSN: Robust Security Network
  • SA: Source Address
  • TA: Transmitter Address
  • TKIP: Temporal Key Integrity Protocol
  • TSC: TKIP Sequence Counter
  • TTAK: result of phase 1 key mixing of Temporal Key and Transmitter Address
  • WEP: Wired Equivalent Privacy
  • WEP IV: Wired Equivalent Privacy Initialization Vector

WPA Data Encryption, cont'd
  • TKIP implements countermeasures - reduces the rate at which an attacker can make message forgery attempts down to two packets every 60 seconds.
  • After the 60 second timeout a new PMK or Groupwise Key is generated, depending on which was attacked; ensures attacker cannot obtain information from attacked
  • Countermeasures bound the probability of successful forgery and the amount of information an attacker can learn about a key.
  • TKIP is made available as firmware or software
    upgrade to existing legacy hardware.
  • TKIP eliminates having to replace existing
    hardware or having to purchase new hardware.
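As an added example, not part of the original slides, the following Python models two of the points made on the WEP and TKIP slides: how soon a random 24-bit WEP IV is expected to repeat compared with TKIP's 48-bit sequence counter, and a receiver that applies the TSC ordering rule and the "two MIC failures per 60 seconds" countermeasure. The packet rate, the Michael result being supplied as a boolean, and the class and function names are assumptions of the example.

```python
"""Constructed model of IV reuse (24-bit WEP IV vs 48-bit TKIP TSC) and of a
TKIP-style receiver with sequence-counter and MIC-failure countermeasures.
Not vendor or standards code; timings and packet rates are assumptions."""
import math
import random

WEP_IV_BITS = 24
TKIP_TSC_BITS = 48
COUNTERMEASURE_WINDOW = 60.0   # seconds; the slides give two forgery attempts per 60 s


def expected_packets_until_iv_reuse(iv_bits):
    """Birthday bound: with IVs picked at random from 2**iv_bits values, the first
    repeat is expected after about sqrt(pi/2 * 2**iv_bits) packets."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def seconds_to_exhaust_ivs(iv_bits, packets_per_second):
    """With sequential IVs the space wraps, and keystream repeats, after 2**iv_bits packets."""
    return 2 ** iv_bits / packets_per_second


def first_iv_reuse(num_packets, iv_bits, seed=1):
    """Simulate random IV selection; return the index of the first reused IV, or None."""
    rng = random.Random(seed)
    seen = set()
    for i in range(num_packets):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return i
        seen.add(iv)
    return None


class TkipReceiver:
    """Receive-side state for one link: monotonic TSC check and Michael countermeasures."""

    def __init__(self):
        self.last_tsc = -1        # highest TSC accepted so far
        self.mic_failures = []    # times of recent MIC failures
        self.blocked_until = 0.0  # while now < blocked_until, every frame is dropped
        self.rekeys = 0           # number of forced key refreshes

    def accept(self, tsc, mic_ok, now):
        """Return (accepted, reason) for a frame carrying sequence counter `tsc`
        whose MIC verified as `mic_ok`, received at time `now` (seconds)."""
        if now < self.blocked_until:
            return False, "countermeasures active"
        if tsc <= self.last_tsc:
            # TSC sequencing rule: replayed or out-of-order frames are dropped
            # before the MIC is considered, so they cannot count as forgeries.
            return False, "replay"
        if not mic_ok:
            self.mic_failures = [t for t in self.mic_failures
                                 if now - t < COUNTERMEASURE_WINDOW]
            self.mic_failures.append(now)
            if len(self.mic_failures) >= 2:
                # second MIC failure inside the window: stop receiving for 60 s and
                # force new keys, so a forger gets at most two tries per key per minute
                self.blocked_until = now + COUNTERMEASURE_WINDOW
                self.mic_failures = []
                self.rekeys += 1
                return False, "countermeasures triggered, rekey"
            return False, "mic failure"
        self.last_tsc = tsc
        return True, "ok"


if __name__ == "__main__":
    rate = 1000  # assumed packets per second on a busy link
    print("24-bit IV: reuse expected after ~%d random packets, or %.1f h of sequential use"
          % (expected_packets_until_iv_reuse(WEP_IV_BITS),
             seconds_to_exhaust_ivs(WEP_IV_BITS, rate) / 3600))
    print("48-bit TSC: sequential exhaustion after %.0f years"
          % (seconds_to_exhaust_ivs(TKIP_TSC_BITS, rate) / 3600 / 24 / 365))
    print("first random 24-bit IV reuse in simulation at packet",
          first_iv_reuse(20000, WEP_IV_BITS))
```

The birthday figure is the one that matters for a random-IV implementation: a repeat is expected after a few thousand packets, not after all 16.7 million. TKIP's counter is both longer and required to be sequential, which is why the receiver can drop anything at or below the last accepted TSC without consulting the MIC at all.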

Bluetooth - Some Specifications
  • Uses unlicensed 2.402 - 2.480 GHz frequency range
  • Frequency hopping spread spectrum 79 hops separated by 1 MHz
  • Maximum frequency hopping rate 1600 hops/sec
  • Nominal range 10 cm to 10 meters
  • Nominal antenna power 0 dBm
  • One complete Bluetooth data packet can be transmitted within each 625 µsec hop slot.

Potential Bluetooth Markets
Bluetooth Market Forecast
Nov '03: 100M Bluetooth compliant devices worldwide
Bluetooth Protocol Stack
  • Adopted Protocols
  • PPP (Point-To-Point Protocol)
  • OBEX-Session Protocol for IrDA (Infrared Data
  • Contents Format (e.g. vCard, vCalendar)
  • WAP-Wireless Application Protocol

Bluetooth Security
  • Supports Unidirectional or Mutual Encryption
    based on a Secret Link key Shared Between Two
  • Security Defined In 3 modes
  • Mode1- No Security
  • Mode 2 - Service Level Security Not Established
    Before Channel is Established at L2CAP
  • Mode 3 - Link Level Security Device Initiates
    Security Before LMP Link is Setup
  • Devices and Services can be Set for Different
    Levels of Security
  • Two Trust Levels are Set for Devices
  • Trusted Device Fixed Relationship and
    Unrestricted Access to All Services
  • Untrusted No Permanent relationship and
    Restricted Services

Bluetooth Security
  • 3 Levels of Service Access
  • Require Authorization and Authentication
  • Require Authentication Only
  • Default Security for Legacy Applications

But is this Wireless Link Secure?
Newsflash Jan 2001 Norwegian hackers crack
a Bluetooth transmission
Analysis of a BlueTooth Transmission
High overhead?
IEEE 802.15.4 standard
  • Includes layers up to and including Link Layer
  • LLC is standardized in 802.1
  • Supports multiple network topologies including
    Star, Cluster Tree and Mesh
  • Features of the MAC Association/dissociation,
    ACK, frame delivery, channel access mechanism,
    frame validation, guaranteed time slot
    management, beacon management, channel scan
  • Low complexity 26 primitives versus 131
    primitives for 802.15.1 (Bluetooth)

PHY overview
  • Speed
  • 20, 40 or 250 kbps
  • Channels
  • 1 channel in the 868MHz band
  • 10 channels in the 915MHz band
  • 16 channels in the 2.4GHz band
  • Modulation
  • BPSK (868MHz/20kbps)
  • BPSK (915MHz/40kbps)
  • O-QPSK (2.4GHz/250kbps)
  • Coexistence w/
  • 802.11b DSSS
  • 802.15.1 FHSS
  • 802.15.3 DSSS

MAC overview
  • Security support
  • Power consumption consideration
  • Dynamic channel selection
  • Network topology
  • Star topology
  • p2p topology
  • cluster-tree network topology

Device classification
  • Full Function Device (FFD)
  • Any topology
  • Can talk to RFDs or other FFDs
  • Operate in three modes
  • PAN coordinator
  • Coordinator
  • Device.
  • Reduced Function Device (RFD)
  • Limited to star topology
  • Can only talk to an FFD (coordinator)
  • Cannot become a coordinator
  • Unnecessary to send large amounts of data
  • Extremely simple
  • Can be implemented using minimal resources and
    memory capacity

Transmission management
  • Acknowledgement
  • No ACK
  • ACK
  • Retransmission
  • Duplicate detection
  • Indirect transmission

  • Unsecured mode
  • ACL mode
  • Access control
  • Secured mode
  • Access control
  • Data encryption
  • Frame integrity
  • Sequential freshness
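The secured-mode checks listed above (access control, data encryption, frame integrity, sequential freshness), as an added Python example that is not the standard's or any vendor's code: it uses an HMAC-based keystream and an 8-byte tag as stand-ins for the cipher suite, which the slides do not name, and the address and counter sizes and the frame layout are assumptions of the example.

```python
"""Constructed model of an 802.15.4-style secured receive path: access control
(ACL lookup by source), data encryption, frame integrity (MIC) and sequential
freshness (per-source frame counter). The HMAC-based keystream and 8-byte MIC are
stand-ins for the standard's cipher suite, which the slides do not name."""
import hashlib
import hmac
import struct

MIC_LEN = 8
HEADER = struct.Struct(">HI")   # source short address (16 bit) | frame counter (32 bit)


class AclEntry:
    """What the receiver stores per permitted source: its key and the last counter seen."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1


def _keystream(key, src, counter, length):
    """Counter-mode keystream from an HMAC PRF, keyed per (source, frame counter)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, HEADER.pack(src, counter) + struct.pack(">I", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _mic(key, src, counter, ciphertext):
    """Keyed integrity tag over header and ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, HEADER.pack(src, counter) + ciphertext,
                    hashlib.sha256).digest()[:MIC_LEN]


def build_frame(key, src, counter, payload):
    """Sender: header | ciphertext | MIC. The counter must increase with every frame."""
    ks = _keystream(key, src, counter, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    return HEADER.pack(src, counter) + ct + _mic(key, src, counter, ct)


def receive_frame(acl, frame):
    """Receiver: returns (plaintext, "ok") or (None, reason) naming the failed check."""
    if len(frame) < HEADER.size + MIC_LEN:
        return None, "malformed"
    src, counter = HEADER.unpack(frame[:HEADER.size])
    ct, mic = frame[HEADER.size:-MIC_LEN], frame[-MIC_LEN:]
    entry = acl.get(src)
    if entry is None:
        return None, "access control: unknown source"   # ACL mode stops here
    if not hmac.compare_digest(mic, _mic(entry.key, src, counter, ct)):
        return None, "frame integrity: bad MIC"
    if counter <= entry.last_counter:
        return None, "sequential freshness: replayed counter"
    entry.last_counter = counter   # advanced only after the MIC has passed
    ks = _keystream(entry.key, src, counter, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)), "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    acl = {0x0001: AclEntry(key)}
    frame = build_frame(key, 0x0001, 7, b"temp=21.5")
    print(receive_frame(acl, frame))   # accepted
    print(receive_frame(acl, frame))   # same frame again: freshness check rejects it
```

The order of the checks is deliberate: the ACL lookup happens first so unknown sources cost nothing beyond a dictionary access, the MIC is verified before the counter is recorded so that a forged frame with a high counter cannot push the freshness window forward, and decryption is done last, only for frames that passed everything else.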

Scalable Security
  • Assume the attacker can deploy own nodes (can create a ring at some distance from controller) [Wisenet 2003]
  • Enemy nodes mimic the mesh nodes: they ACK the health inquiry as if everything was OK but they do not forward to the rest of the net
  • The rest of the network is virtually cut off from
    inspection by controller
  • Need secure key and a random seed that changes at
    each round
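One way to meet the last bullet (a secure key and a random seed that changes at each round), as an added Python example not taken from the slides or from Wisenet: the controller sends a fresh random seed with each health inquiry and only accepts a keyed response computed over the round number, the seed and the node id, so a mimicking node that replays an earlier ACK fails the check. Node ids, keys and the message layout are assumptions of the example.

```python
"""Constructed example: health inquiry with a per-round random seed and a keyed
response, so that a node mimicking the mesh cannot pass by replaying old ACKs."""
import hashlib
import hmac
import os


def health_response(key, round_no, seed, node_id):
    """What a genuine node returns: a MAC over (round, seed, node id) under its key."""
    msg = b"%d:%s:%d" % (round_no, seed.hex().encode(), node_id)
    return hmac.new(key, msg, hashlib.sha256).digest()


class GenuineNode:
    def __init__(self, node_id, key):
        self.node_id, self.key = node_id, key

    def answer(self, round_no, seed):
        return health_response(self.key, round_no, seed, self.node_id)


class MimicNode:
    """Has no key; claims a real node's id and replays the freshest ACK it overheard."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.overheard = {}

    def observe(self, round_no, reply):
        self.overheard[round_no] = reply

    def answer(self, round_no, seed):
        if not self.overheard:
            return b""
        return self.overheard[max(self.overheard)]


class Controller:
    def __init__(self, node_keys):
        self.node_keys = node_keys   # node_id -> secret key shared with that node
        self.round_no = 0

    def start_round(self):
        """New round: bump the round counter and draw a seed nobody can predict."""
        self.round_no += 1
        return self.round_no, os.urandom(16)

    def verify(self, round_no, seed, node_id, reply):
        expected = health_response(self.node_keys[node_id], round_no, seed, node_id)
        return hmac.compare_digest(expected, reply)

    def run_round(self, responders):
        """Poll every responder claiming a node id; return node_id -> healthy."""
        round_no, seed = self.start_round()
        status = {}
        for r in responders:
            status[r.node_id] = self.verify(round_no, seed, r.node_id,
                                            r.answer(round_no, seed))
        return status


if __name__ == "__main__":
    key = b"constructed-node-key"
    ctl = Controller({1: key})
    real, fake = GenuineNode(1, key), MimicNode(1)
    print("genuine node:", ctl.run_round([real]))
    rnd, seed = ctl.start_round()
    fake.observe(rnd, real.answer(rnd, seed))   # impostor overhears a valid reply
    print("replaying impostor:", ctl.run_round([fake]))
```

Because the seed is random and the round number increases, a response captured in one round is never valid in another, and without the shared key the impostor cannot compute a fresh one. The round number on its own would not be enough: a mimic could precompute nothing, but it could replay a reply it overheard for the same round number if seeds were reused.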

What About 1451.5? 1xRTT? SAT? CDPD?
Others? No time this morning!
Integrated Industrial Networks?
There are SO many technical questions such as
If the sensor network is to integrate into an
industrial setting, then you should be cognizant
of the Industrial Networking arena.
Industrial Device Network Topology
  • Typically, three layers of networking make up
    enterprisewide networks. Ethernet acts as the
    company's intranet backbone, and it's linked to
    controllers or industrial PCs, which supply
    strategic data to the enterprise. An industrial
    network, or fieldbus, links sensors and smart
    devices. A gateway (not uncommon in a large
    system with lots of devices) links devices that
    have only RS-232 or RS-485 ports to the fieldbus

Industrial Device Networks
  • General characteristics for industrial device
    networks have arisen.
  • Obviously the complexity of the network increases
    as the functionality is increased.

Classification of Industrial Networks
  • Three logical groupings of instrumentation
    networks used in an industrial setting.
  • There are over 100 different proprietary networks
    in the field.

Inside Security Incident
  • Employee attacks PLC in another plant area over
    PLC highway.
  • Password changed to obscenity, blocking
    legitimate maintenance and forcing process

Source: BCIT Industrial Security Incident Database (ISID)
Network Positioning
[Figure: industrial networks positioned against axes labelled Data, Functionality, Complexity and Cost; listed from the top of the figure down:]
  • Ethernet TCP/IP
  • ControlNet, Foundation Fieldbus H2, Profibus-FMS, Data Highway, Modbus Plus, Profibus-DP, Interbus-S, Remote I/O
  • DeviceNet, Other CAN, SDS, Fieldbus H1, Profibus-PA, Modbus, HART, ASi, Seriplex, Hardwiring, RS485 etc.

Too Focused on Internet Issues?
  • Myth 1: Our SCADA/PLC/DCS is safe if we don't connect to the Internet.
  • Myth 2: Our Internet firewall will protect our control systems.
  • Myth 3: Our IT department understands process control issues and security.

Is Industrial Comm Security Too Focused on
Internet Issues?
WarDialing Attack
Source (used by permission): Interface Technologies, Windsor, CT, 2002
Bit Rate vs. Quality of Service
  • How Many
  • Bits are
  • Needed?

The more bits you xmit, the more power you
Coding vs. Quality of Service
  • Is Coding
  • Really
  • Necessary?

Direct Sequence Spread Spectrum
Comparing Wireless

Tech.       | Range   | RF Power | Battery life | Numbers In Area
DSSS        | Medium  | Low      | longest      | High
FHSS        | Long    | High     | Short        | Medium
UWB         | Medium  | Lowest   | short        | High
Narrow band | Longest | highest  | short        | Lowest
Technology Beats Marketing in Performance!
Statistics on Types of Attacks
[Chart: % of Respondents, by attack type]
Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute -
Optimization of Security vs. Cost
  • Risk reduction is balanced against the cost of security countermeasures to mitigate the risk.

Risk in Safety vs. Risk in Security
  • Safety Definition: Risk is a measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.
  • Security Definition: Risk is an expression of the likelihood that a defined threat will exploit a specific vulnerability of a particular attractive target or combination of targets to cause a given set of consequences.

Source: CSPP Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites
Firewall Architectures
  • The external router blocks attempts to use the
    underlying IP layer to break security (e.g. IP
    spoofing, source routing, packet fragments, etc)
    and forces all traffic to the proxy.
  • The proxy firewall handles potential security
    holes in the higher layer protocols.
  • The internal router blocks all traffic except to
    the proxy server.

[Figure: External Router - proxy firewall - Internal Router]
There's a lot of Wireless
  • From cellphones to PDAs to WiFi to Satellite-based

Wireless LAN Standards
Existing/Developing IEEE 802.11 Standards
  • 802.11: Frequency Hopping/DSSS
  • 802.11a: 54Mbps / HyperLAN (1999)
  • 802.11b: 11Mbps
  • 802.11e: Quality of Service
  • 802.11f: Point 2 Point Roaming (2003)
  • 802.11g: 54Mbps
  • 802.11h: European Inspired Changes (Q2, 2004)
  • 802.11i: New Encryption Protocols (Q2, 2004)
  • 802.1x: Port Based Network Access
  • 802.15: Personal Area Network (WPAN)
  • 802.16: Wireless Metropolitan Area Network (WMAN)
[Figure: On-Board Network Integration; Wireless Backbone for Inflight Entertainment; Noise Floor Lifter; PicoCell BTS]
...and we haven't even touched on RFID!
There's a lot of Wireless
  • And it all needs to feel more Secure!

For a real review of networking security
  • Take Eric Byres' ISA course IC32C

Will History Repeat?
Wireless security: not just 802.11
  • PATRIOT (Provide Appropriate Tools Required to
    Intercept and Obstruct Terrorism)
  • Legally classifies many hacking attacks as acts
    of terrorism

So If Nothing else, at least PLEASE do this for
your WiFi System! WLAN Security Countermeasures
  • Conduct site survey
  • Identify areas of signal strength and weakness
  • Do a walkaround with NetStumbler
  • Document and shut down rogue access points
  • Document and shut down unauthorized wireless NICs

Oh, and don't forget that as you layer in all of these wacky encryption schemes and CDMA and DSSS and... and... that it takes some joules to actually implement this. So if your wireless network has prime power (a.k.a. AC) you're OK. But if you're going off a battery then it's a tradeoff of security versus Power Consumption. You choose that one!
...and in the end...
BumbleBee with RF xcvr
HoneyBee with RFID
Two potential forms of wireless sensor networks.
And they should both be secure!
Outline
  1. Security? Who needs it?
  2. How is security achieved in a wired channel?
  3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
  4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
  5. An Integrated Solution
  6. The Big Review
  7. Glossary and References
  • 10BASE-T: IEEE 802.3 standard for a twisted-pair Ethernet network. 10 Mbps transmission rate over baseband using unshielded, twisted-pair cable.
  • 802.11: The IEEE 802.11 standard defines both frequency hopping and direct sequence spread spectrum solutions for use in the 2.4-2.5 MHz ISM (Industrial, Scientific, Medical) band.
  • 802.11a: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).
  • 802.11b: The portion of the 802.11 specification that defines the 11 Mbps data rate.
A
  • Access Point: Provides a bridge between Ethernet wired LANs and the wireless network. Access points are the connectivity point between Ethernet wired networks and devices (laptops, hand-held computers, point-of-sale terminals) equipped with a wireless LAN adapter card.
  • Analog phone: Comes from the word "analogous," which means similar to. In telephone transmission, the signal being transmitted from the phone (voice, video or image) is analogous to the original signal.
  • Antenna-Directional: Transmits and receives radio waves off the front of the antenna. The power behind and to the sides of the antenna is reduced. The coverage area is oval with the antenna at one of the narrow ends. Typical directional antenna beam width angles are from 90° (somewhat directional) to as little as 20° (very directional). A directional antenna directs power to concentrate the coverage pattern in a particular direction. The antenna direction is specified by the angle of the coverage pattern called the beam width.
  • Antenna-Omni-directional: Transmits and receives radio waves in all directions. The coverage area is circular with the antenna at the center. Omni-directional antennas are also referred to as whip or low-profile antennas.
  • Association: The process of determining the viability of the wireless connection and establishing a wireless network's root and designated access points. A mobile unit associates with its wireless network as soon as it is powered on or moves into range.
  • ATM: Asynchronous Transfer Mode. A type of high-speed wide area network.

B

Backbone: A network that interconnects other networks, employing high-speed transmission paths and often spanning a large geographic area.

Bandwidth: The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines the rate at which information can be transmitted through the circuit.

Bandwidth Management: Functionality that allocates and manages RF traffic by preventing unwanted frames from being processed by the access point.

BC/MC: Broadcast frames / Multicast frames.

Beacon: A uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the Net_ID (ESSID), the AP address, the broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indicator Map) and the TIM (Traffic Indicator Message).

BFA Antenna Connector: Miniature coaxial antenna connector manufactured by MuRata Manufacturing Corporation.

Bluetooth: See Wireless Personal Area Networks.

Bridge: A device that connects two LANs of the same or dissimilar types. It operates at the Data Link Layer, as opposed to routers. The bridge provides fast connection of two collocated LAN segments that appear as one logical network through the bridge.

Buffer: A segment of computer memory used to hold data while it is being processed.

C

CAM (Continuously Aware Mode): Mode in which the adapter is instructed to continually check for network activity.

Card and Socket Services: Packages that work with the host computer operating system, enabling the Wireless LAN adapter to interface with host computer configuration and power management functions.

Cellular Phone: Low-powered, duplex radio/telephone that operates between 800 and 900 MHz, using multiple transceiver sites linked to a central computer for coordination. The sites, or "cells," cover a range of one to six or more miles in each direction.

Centrex: Business telephone service offered by a local telephone company from a local telephone company office. Centrex is basically a single-line phone system leased to businesses as a substitute for a business buying or leasing its own on-premises phone system or PBX.

CDMA and TDMA: The Code Division Multiple Access and Time Division Multiple Access standards for wireless communications on wide area networks (WANs) in North America.

Circuit switching: The process of setting up and keeping a circuit open between two or more users so that users have exclusive and full use of the circuit until the connection is released.

Client: A computer that accesses the resources of a server.

Client/Server: A network system design in which a processor or computer designated as a server (such as a file server or database server) provides services to other client processors or computers.

CODEC: Coder-Decoder. Audio compression/decompression algorithm that is designed to offer excellent audio performance. Converts voice signals from their analog form to digital signals acceptable to modern digital PBXs and digital transmission systems. It then converts those digital signals back to analog so that you may hear and understand what the other person is saying.

Computer Telephony Integration: Technology that integrates computer intelligence with making, receiving, and managing telephone calls. Computer telephony integrates messaging, real-time connectivity, transaction processing and information access.

D

Data Terminal: Computer transmit and receive equipment, including a wide variety of dumb terminals, or terminals without embedded intelligence in the form of programmed logic. Most data terminals provide a user interface to a more capable host computer, such as a mainframe or midrange computer.

Decryption: The decoding and unscrambling of received encrypted data. The same device, host computer or front-end processor usually performs both encryption and decryption.

Desktop Conferencing: A telecommunications facility or service on a PC that permits callers from several diverse locations to be connected together for a conference call.

Digital Phone System: Proprietary phone system provided by a vendor, such as AT&T, Mitel, Northern Telecom, and so on. The signal being transmitted in a digital phone system is the same as the signal being transmitted in an analog phone system. The system can consist of a proprietary PBX system that converts voice signals from their analog form to digital signals, and then converts those digital signals back to analog. Alternatively, the conversion from analog to digital can occur in a digital phone.

Direct Inward Dialing (DID): The ability for a caller outside a company to call an internal extension without having to pass through an operator or attendant. In large PBX systems, the dialed digits are passed from the PSTN to the PBX, which then completes the call.

Direct-Sequence (DS) Spread Spectrum: Direct sequence transmits data by generating a redundant bit pattern for each bit of information sent. Commonly referred to as a "chip" or "chipping code," this bit pattern numbers 10 chips to one per bit of information. Compared with frequency hopping, direct sequence has higher throughput, wider range and is upgradable in the 2.4 GHz band.

Diversity Reception: The use of two antennas attached to a single access point to improve radio reception. The second antenna is used only for receiving radio signals, while the primary is used for both transmitting and receiving.

Driver: A program routine that links a peripheral device, such as a mobile unit's radio card, to the computer system.

Element-level Management: Level of technologies aimed at small or medium-sized businesses.

Encryption: Entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted over a network.

Ethernet: A local area network used for connecting computers, printers, workstations, terminals, servers, and so on, within the same building or campus. Ethernet operates over twisted wire and over coaxial cable at speeds up to 100 Mbps, with 1 Gbps speeds coming soon.

Filtering: Prevents user-defined frames from being processed by the access point.

Fragmentation Threshold: The maximum size for directed data packets transmitted over the radio. Larger frames fragment into several packets of this size or smaller before transmission over the radio. The receiving station reassembles the transmitted fragments.

Frame Mode: A communications protocol supported by the OEM Modules. The frame protocol implements asynchronous serial Point-to-Point (PPP) frames similar to those used by serial Internet protocols.

Frequency Hopping (FH) Spread Spectrum: Hedy Lamarr, the actress, is credited in name only for inventing frequency hopping during World War II. As its label suggests, frequency hopping transmits using a narrowband carrier that changes frequency in a given pattern. There are 79 channels in the 2.4 GHz ISM band, each channel occupying 1 MHz of bandwidth. A minimum hop rate of 2.5 hops per channel per second is required in the United States. Frequency hopping technology is recognized as superior to direct sequence in terms of echo resistance, interference immunity, cost and ease of installation. To date, there has also been a greater selection of WLAN products from which to choose.

FTP (File Transfer Protocol): A common Internet protocol used for transferring files from a server to the Internet user. It uses TCP/IP commands.

Gain, dBd: Antenna gain, expressed in decibels referenced to a half-wave dipole.

Gain, dBi: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator.

Gain, dBic: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator that is circularly polarized.

Gatekeeper: Software that performs two important functions to maintain the robustness of the network: address translation and bandwidth management. Gatekeepers map LAN aliases to IP addresses and provide address lookups when needed.

Gateway: Optional element in an H.323 conference. Gateways bridge H.323 conferences to other networks, communications protocols, and multimedia formats. Gateways are not required if connections to other networks or non-H.323 compliant terminals are not needed.

GHz: The international unit for measuring frequency is the Hertz (Hz), which is equivalent to the older unit of cycles per second. One Gigahertz (GHz) is one billion Hertz. Microwave ovens typically operate at 2.45 GHz.

GSM: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).

H.323: An umbrella standard from the International Telecommunications Union (ITU) that addresses call control, multimedia management, and bandwidth management for point-to-point and multi-point conferences, as well as interfaces between LANs and other networks. The most popular standard currently in use.

Handheld PC (HPC): The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Windows CE operating system.

Interactive Voice Response: System used to access a database application using a telephone. The voice processing acts as a front-end to appropriate databases that reside on general-purpose computers. For instance, DTMF (touch tone) input of a Personal Identification Number can be required for access, or more unusual and expensive techniques such as voice recognition and voice print matching.

Internet: World's largest network, often referred to as the Information Superhighway. The Internet is a virtual network based on packet switching technology. The participants on the Internet and its topology change on a daily basis.

Internet Commerce: Electronic business transactions that occur over the Internet. Samples of Internet commerce applications include electronic banking, airline reservation systems, and Internet malls.

Internet Phone: Device used to transmit voice over the Internet, bypassing the traditional PSTN and saving money in the process. An Internet phone can be a small phone (such as the NetVision Phone) or a multimedia PC with a microphone, speaker, and modem.

Interoperability: The ability of equipment or software to operate properly in a mixed environment of hardware and software from different vendors. Enabled by the IEEE 802.11 open standard.

IP (Internet Protocol): The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet. Provides the basis of the Internet's connectionless, best-effort packet delivery service. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two fundamental protocols.

International Roaming: Ability to use one adapter worldwide.

Intranet: A private network that uses Internet software and Internet standards. In essence, an intranet is a private Internet reserved for use by people who have been given the authority and passwords necessary to use that network.

ISDN: Integrated Services Digital Network. Emerging network technology offered by local phone companies that is designed for digital communications, computer telephony, and voice processing systems.

ISM Band: ISM bands, instrumental (902-928 MHz), science (2.4-2.4835 GHz), and medical (5.725-5.850 GHz), are the radio frequency bands allocated by the FCC for unlicensed continuous operations for up to 1 W. The most recent band approved by the FCC for WLANs was the medical band in January 1997.

ITU: International Telecommunications Union. Standards body that defined H.323 and other international standards.

Jitter: Noise on a communications line which is based on phase hits, causing potential phase distortions and bit errors.

Kerberos: A widely deployed security protocol that was developed at the Massachusetts Institute of Technology (MIT) to authenticate users and clients in a wired network environment and to securely distribute encryption keys.

Key Telephone System: A system in which the telephone has multiple buttons permitting the user to directly select central office phone lines and intercom lines. Key phone systems are most often found in relatively small business environments, typically around 50 telephones.

Layer: A protocol that interacts with other protocols as part of an overall transmission system.

LPD (Line Printer Daemon): A TCP-based protocol typically used between a Unix server and a printer driver. Data is received from the network connection and sent out over the serial port.

MAC (Media Access Control): Part of the Data Link Layer, as defined by the IEEE, this sublayer contains protocols for gaining orderly access to cable or wireless media.

MD5 Encryption: An authentication methodology used when the MU is in a foreign subnet.

MIB (Management Information Base): An SNMP structure that describes the specific device being monitored by the remote-monitoring program.

Microcell: A bounded physical space in which a number of wireless devices can communicate. Because it is possible to have overlapping cells as well as isolated cells, the boundaries of the cell are established by some rule or convention.

Modem: Equipment that converts digital signals to analog signals and vice versa. Modems are used to send digital data signals over the analog PSTN.

MMCX Antenna Connector: Miniature coaxial antenna connector in use by several major wireless vendors.

Mobile IP: The ability of the mobile unit to communicate with the other host using only its home IP address, after changing its point of attachment to the Internet and intranet.

Mobile Unit (MU): May be a Symbol Spectrum24 terminal, PC Card and PCI adapter, bar-code scanner, third-party device, and others.

Mobile Unit Mode: In this mode, the WLAN adapter connects to an access point (AP) or another WLAN installed system, allowing the device to roam freely between AP cells in the network. Mobile units appear as network nodes to other devices.

Modulation: Any of several techniques for combining user information with a transmitter's carrier signal.

Multipath: The signal variation caused when radio signals take multiple paths from transmitter to receiver.

Multipath Fading: A type of fading caused by signals taking different paths from the transmitter to the receiver and, consequently, interfering with each other.

Node: A network junction such as a switch or a routing center.

Packet Switching: Refers to sending data in packets through a network to some remote location. In a packet switched network, no circuit is left open on a dedicated basis. Packet switching is a data switching technique only.

PBX Phone System: Private Branch eXchange. Small version of the phone company's larger central switching office. An alternative to a PBX is to subscribe to a local telephone company's Centrex service.

PCMCIA (Personal Computer Memory Card International Association) PC Card: A credit card-size device used in laptop computers and available as removable network adapters.

PCS (Personal Communications Service): A new, lower-powered, higher-frequency competitive technology to cellular. Whereas cellular typically operates in the 800-900 MHz range, PCS operates in the 1.5 to 1.8 GHz range. The idea with PCS is that the phones are cheaper, have less range, and are digital. The cells are smaller and closer together, and airtime is cheaper.

Peer-to-peer Network: A network design in which each computer shares and uses devices on an equal basis.

Ping: A troubleshooting TCP/IP application that sends out a test message to a network device to measure the response time.

PLD (Data Link Protocol): A raw packet protocol based on the Ethernet frame format. All frames are sent to the wireless network verbatim; it should be used with care, as improperly formatted data can go through with undesirable consequences.

Plug and Play: A feature that allows a computer to recognize the PCI adapter and configure the hardware interrupt, memory, and device recognition addresses; this requires less user interaction and minimizes hardware conflicts.

Pocket PC: The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Pocket PC operating system.

Point-of-Sale Device: A special type of equipment that is used to collect and store retail sales data. This device may be connected to a bar code reader, and it may query a central computer for the current price of an item.

POTS (Plain Old Telephone Service): The basic service supplying standard single-line telephones, telephone lines, and access to the public switched telephone network.

Power Management: Algorithms that allow the adapter to sleep between checks for network activity, thus conserving power.

PSP (Power Save Polling): PSP stations power off their radios for long periods. When a mobile unit in PSP mode associates with an access point, it notifies the AP of its activity status. The AP responds by buffering packets received for the MU.

PSTN (Public Switched Telephone Network): Refers to the worldwide voice telephone network accessible to all those with telephones and access privileges. In the U.S., the PSTN is provided by AT&T.

QoS (Quality of Service): Measure of the telephone service quality provided to a subscriber. QoS refers to things like: Is the call easy to hear? Is it clear? Is it loud enough?

RBOC (Regional Bell Operating Company): One of the seven Bell operating companies set up after the divestiture of AT&T, each of which owns two or more Bell Operating Companies (BOCs).

Roaming: Movement of a wireless node between two microcells. Roaming usually occurs in infrastructure networks built around multiple access points.

Repeater: A device used to extend cabling distances by regenerating signals.

Router: The main device in any modern network that routes data blocks from source to destination using routing tables and determining the best path dynamically. It functions as an addressable entity on the LAN and is the basic building block of the Internet.

SNMP (Simple Network Management Protocol): The network management protocol of choice for TCP/IP based intranets. Defines the method for obtaining information about network operating characteristics and changing parameters for routers and gateways.

Scanning: A periodic process where the mobile unit sends out probe messages on all frequencies defined by the country code. The statistics enable a mobile unit to re-associate by synchronizing its frequency to the AP. The MU continues communicating with that access point until it needs to switch cells or roam.

Site Survey: Physical environment survey to determine the placement of access points and antennas, as well as the number of devices necessary to provide optimal coverage, in a new or expanding installation.

Spread Spectrum: A transmission technique developed by the U.S. military in World War II to provide secure voice communications, spread spectrum is the most commonly used WLAN technology today. It provides security by "spreading" the signal over a range of frequencies. The signal is manipulated in the transmitter so that the bandwidth becomes wider than the actual information bandwidth. De-spreading the signal is impossible for those not aware of the spreading parameters; to them, the signal sounds like background noise. Interference from narrowband signals is also minimized to background noise when it is de-spread by the receiver. Two types of spread spectrum exist: direct sequence and frequency hopping.

Stream Mode: A communications protocol supported only by the Telnet and TCP protocols. Stream mode transfers serial characters as they are received by encapsulating them in a packet and sending them to the host.
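The Direct-Sequence (DS) Spread Spectrum and Spread Spectrum entries describe chipping and the receiver's de-spreading by correlation. The following is an added example, not code from the original presentation: it spreads bits with the 11-chip Barker sequence that 802.11 DSSS uses (the glossary's "10 chips to one per bit") and shows in numbers why a narrowband burst that inverts up to 5 of the 11 chips still decodes correctly, while a receiver whose spreading parameters are misaligned sees no correlation peak at all. The message bits, the flipped chip positions and the misaligned receiver are constructed for the demonstration.

```python
"""Toy DSSS spreading/despreading with the 11-chip Barker sequence (802.11 1/2 Mbps DSSS)."""
from typing import List, Tuple

# The 11-chip Barker sequence from the 802.11 DSSS PHY; every data bit becomes 11 chips.
BARKER11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits: List[int], code: List[int] = BARKER11) -> List[int]:
    """Spread each bit to len(code) chips: bit 1 -> code, bit 0 -> inverted code."""
    chips: List[int] = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips: List[int], code: List[int] = BARKER11) -> Tuple[List[int], List[int]]:
    """Correlate each chip block with the code and decide the bit by the sign.
    A clean block correlates to +/-len(code); corrupted chips lower the magnitude, but the
    sign (and so the bit) survives while fewer than half of the block's chips are inverted."""
    n = len(code)
    bits, corrs = [], []
    for i in range(0, len(chips) - n + 1, n):
        corr = sum(c * k for c, k in zip(chips[i:i + n], code))
        corrs.append(corr)
        bits.append(1 if corr > 0 else 0)
    return bits, corrs


def flip_chips(chips: List[int], positions: List[int]) -> List[int]:
    """Model a narrowband burst that inverts the given chip positions (constructed interference)."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def cyclic_shift(code: List[int], k: int) -> List[int]:
    """A receiver without the right spreading parameters, modelled here as one chip out of sync."""
    k %= len(code)
    return code[k:] + code[:k]


def demo() -> dict:
    msg = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed message bits
    chips = spread(msg)
    clean_bits, clean_corr = despread(chips)
    # Invert 5 of the 11 chips in the first bit's block: correlation 11 - 2*5 = 1, bit still correct.
    bits5, corr5 = despread(flip_chips(chips, [0, 2, 4, 6, 8]))
    # Invert 6 of 11: correlation 11 - 2*6 = -1, the decision flips. That is the limit of the immunity.
    bits6, corr6 = despread(flip_chips(chips, [0, 2, 4, 6, 8, 10]))
    # Misaligned receiver: every block correlates to magnitude 1 of 11 (Barker sidelobe), no peak
    # to lock on to, which is what "sounds like background noise" means in numbers.
    _, wrong_corr = despread(chips, cyclic_shift(BARKER11, 1))
    return {"msg": msg, "clean": clean_bits, "clean_corr": clean_corr,
            "hit5": bits5, "hit5_corr": corr5[0], "hit6": bits6, "hit6_corr": corr6[0],
            "wrong_peak": max(abs(c) for c in wrong_corr)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that in 802.11 the Barker sequence is published in the standard, so DSSS spreading buys interference resistance but no confidentiality; the Encryption entry above names the mechanism that actually protects the data.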


T1: A type of dedicated digital leased line available from a public telephone provider with a capacity of 1.544 Mbps. A T1