
Wireless Sensor Systems: Security Implications for the Industrial Environment


Presentation Transcript


  1. Wireless Sensor Systems: Security Implications for the Industrial Environment Dr. Peter L. Fuhr Chief Scientist RAE Systems, Sunnyvale, CA pfuhr@raesystems.com

  2. Dr. Peter Fuhr, Presenter: 480+ publications & presentations in the wireless sensor networking arena. Old-timer in this area…etc etc. RAE Systems Inc.: Pervasive Sensing Company based in Silicon Valley, founded in 1991. Capabilities • Radiation detection • Gamma and neutron • Chemical/vapor detection • Toxic gas, VOC, combustible gas, oxygen, CWA, temperature, humidity, CO2 • Redeployable sensor networks • Mobile and fixed wireless monitors • Cargo Container Sensor Systems

  3. A number of individuals have provided “content” for these slides. They include: Wayne Manges, Oak Ridge National Laboratory Robert Poor, Ember Pat Gonia, Honeywell Hesh Kagan, Foxboro/Invensys Kang Lee, NIST Tom Kevan, Advanstar Ramesh Shankar, Electric Power Research Institute Larry Hill, Larry Hill Consulting Rob Conant, Dust Rick Kriss, Xsilogy Gideon Varga, Dept of Energy Jack Eisenhauser, Energetics Michael Brambley, Pacific Northwest National Labs David Wagner, UC-Berkeley Undoubtedly, there are other contributors too (apologies if your name is not listed). Contributors

  4. Wireless Sensor Networking …it’s not cellular telephony …it’s not just WiFi...(and it just may be the next big thing) Each dot represents one cell phone tower. Wireless devices circa 1930

  5. Sensor Market: $11B in 2001. Installation (wiring) costs: >$100B • Fragmented market → platform opportunity • Installation cost limits penetration → reducing installation cost increases market size. Highly Fragmented Sensor Market (Freedonia Group report on Sensors, April 2002). Slide courtesy of Rob Conant, Dust

  6. Industrial Market Sizing: Sensor Networking Products • North American market for wireless products used in applications where transmission distances are 1 mile or less: • 2002 Total: $107 million • 2006 Forecast: $713 million • 2010 Estimates: $2.1 billion • Largest application areas: • 2002: Tank Level Monitoring, Asset Tracking, Preventative Maintenance • 2006: Tank Level Monitoring, Preventative Maintenance, Environmental Monitoring • Conclusions: • Rapid growth in industrial markets • Tank Level Monitoring will remain a significant opportunity • Key ‘User’ Needs: • Lower costs over wired (or manual) solutions • Education of potential customers on the technology • Demonstration of operational reliability & application ‘domain’ knowledge. Slide courtesy of Rick Kriss, Xsilogy

  7. The True Cost per Monitored Node – to the End User (chart not reproduced: installation costs and 3-year TOC plotted against radio RF range, from meters to miles; sparse networks such as 1xRTT and FLEXSAT sit at the long-range, high-cost end, dense networks such as Bluetooth, 802.15.4 and WiFi at the short-range, low-cost end, marked “Design For Here”). Slide courtesy of Rick Kriss, Xsilogy

  8. What to do with the data? Great! But how do you get the output signal from the sensor to the location where the information will be interpreted (used)? Traditionally the output of the sensor was hardwired to some form of interpretive device (e.g., PLC) perhaps relying on a 4-20mA signal…

  9. Outline: 1. Security? Who needs it? 2. How is security achieved in a wired channel? 3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial…) 4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others…) 5. An Integrated Solution 6. The Big Review

  10. Oh, who needs security in a wireless channel anyway! (pretty ridiculous statement, isn’t it!)

  11. Let’s ask some experts: WINA meeting, Coral Gables, Sept. 2003 www.wireless4industrial.org

  12. What’s a WINA? In the spring of 2003, the Wireless Industrial Networking Alliance (WINA) was formed to promote the adoption of wireless networking technologies and practices that will help increase industrial productivity and efficiency. WINA will be holding a 1.5 day meeting at ISA-HQ in RTP, NC on Feb 11/12 – right after the ISA Wireless Security Expo and conference. Check out www.wireless4industrial.org for WINA meeting details AND www.isa.org/wireless for the ISA Wireless Security conf details!

  13. Back to the Question: Who needs security in a wireless channel anyway!

  14. Strategy Workshop Participants • Suppliers (13) • System integrators (6) • Industrial end users (10) • Chemicals • Petroleum • Automotive • Industry analysts/venture capitalists (3) • Others (associations, government, media, researchers) • Energy/Utilities • Forest Products • Electronics

  15. End-User View of Industrial Wireless. Dislikes: • Change to status quo • Complexity • High cost for coverage in large plants • Security issues • Portability issues (power) • Unproven reliability • Too risky for process control • Lack of experience in troubleshooting (staff) • Restricted infrastructure flexibility once implemented • Lack of analysis tools. Likes: • Mobility • Compactness • Flexibility • Low cost • Capability to monitor rotating equipment • Short range (security) • Ease of installation • High reliability • Impetus to enhance electronics support

  16. Technology Group: Key Issues • Security • Jamming, hacking, and eavesdropping • Power • Value (clear to customer) • Interoperability • Co-existence with other facility networks, sensors, collectors, technology • True engineered solution (sensors, collectors, etc.) • Assured performance & reliability/MTBA* • Software infrastructure, data, & systems management • Robustness (at least as good as wired) • RF characterization (radios, receivers, environments) *mean time between attention

  17. Technology Group: Criticality Varies by Application (5 = most critical). (Table of ratings by application not reproduced.)

  18. Industrial CyberSecurity • The Case of Vitek Boden

  19. On October 31, 2001 Vitek Boden was convicted of: • 26 counts of willfully using a restricted computer to cause damage • 1 count of causing serious environmental harm • The facts of the case: • Vitek worked for the contractor involved in the installation of the Maroochy Shire sewage treatment plant. • Vitek left the contractor in December 1999 and approached the shire for employment. He was refused. • Between Jan 2000 and Apr 2000 the sewage system experienced 47 unexplainable faults, causing millions of liters of sewage to be spilled.

  20. How did he do it? (diagram not reproduced: a disgruntled contractor with a rogue radio talking to the PLCs of the sewage plant) • On April 23, 2000 Vitek was arrested with stolen radio equipment, controller programming software on a laptop and a fully operational controller. • Vitek is now in jail…

  21. A Favorite 2.4 GHz Antenna

  22. WarDriving – 802.11 HotSpots in Silicon Valley

  23. WarDriving – 802.11 HotSpots in San Francisco

  24. The Question: Who needs security in a wireless channel anyway! The Answer: We do. So…how do you provide the appropriate level of security within the acceptable price and “inconvenience” margin? → Risk Management!

  25. Inside vs. Outside? • Where do attacks come from? (chart of % of respondents not reproduced) *Source: “2002 CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, www.gocsi.com/losses.

  26. An “Outside” Example. When? April 2001

  27. “Hacker War I” • In the Spring of 2001, the US got its first taste of a new form of warfare. • Launched from overseas and targeted at US critical infrastructure.

  28. Honker Union • Chinese hacker group working to advance, and in some cases impose, its political agenda • During the spring of 2001, Honker Union worked with other groups such as the Chinese Red Guest Network Security Technology Alliance • Hackers were encouraged to "...make use of their skills for China..." (Wired.com). Attack Methods: • Denial of Service attacks • Website defacement • E-mailing viruses to US Government employees • “KillUSA” package

  29. Cyberwar • Cyber attacks and web defacements increased dramatically after the start of the war against Iraq. • More than 1,000 sites were hacked in the first 48 hours of the conflict, with many of the attacks containing anti-war slogans. • Security consultants state that the war against Iraq made March the worst month for digital attacks since records began in 1995.

  30. Hacker School • North Korea's Mirim College is a military academy specializing in electronic warfare • 100 potential cybersoldiers graduate every year

  31. The Question: Who needs security in a wireless channel anyway? The Answer: Everyone.

  32. Outline: 1. Security? Who needs it? 2. How is security achieved in a wired channel? 3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial…) 4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others…) 5. An Integrated Solution 6. The Big Review

  33. A few details… Layered Communications

  34. Wired Data Security - Encryption The “traditional” method involved encrypting the data prior to transmission over a potentially insecure channel. The level of protection rests on the encryption algorithm. (There are a few other factors…such as the physical media.) Slide courtesy of Wayne Manges, ORNL

  35. Outline: 1. Security? Who needs it? 2. How is security achieved in a wired channel? 3. The Situation for Wireless 4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others…) 5. An Integrated Solution 6. The Big Review

  36. From many perspectives, THIS is what a wireless sensor network can provide. Wireless Buildings Key to success: reduced installation costs Slide courtesy of Pat Gonia, Honeywell

  37. Modulation: $E(t) = A(t)\cos[\omega t + \phi(t)]$. Amplitude Modulation (AM): info is in $A(t)$. Frequency Modulation (FM): info is in $\omega$. Phase Modulation (PM): info is in $\phi(t)$. Different vendors use different schemes - and they are not interoperable.

  38. The FCC Frequency Assignment Different vendors may use different frequencies within the various ISM bands (green in the diagram). The ISM bands most commonly used are at 433, 915 and 2400 MHz.

  39. Multiple Sensors Sharing the Medium: Multiplexing. FDMA, TDMA and CDMA

  40. Binary Signaling Formats • Used to Improve Digital Signal Reception and Decision • NRZ: Non-Return to Zero • RZ: Return to Zero • Unipolar: Only one side of 0V • Bipolar: Both sides of 0V • Manchester: Bi-Phase (“0” in left 1/2 time slot, “1” in right)

  41. Narrowband or Spread Spectrum? Narrowband uses a fixed carrier frequency, F0. The receiver then locks onto the carrier frequency, F0. Easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0). Least secure modulation scheme.

  42. Narrowband or Spread Spectrum (cont.)? Frequency Hopping Spread Spectrum uses a carrier frequency that varies with time, F0(t). Invented and patented by actress Hedy Lamarr and her pianist George Antheil. The receiver must track the time-varying carrier frequency, F0(t). Relatively easy to implement (inexpensive). Prone to jamming or interference (two transmitters at the same carrier frequency, F0) during any single transmit interval. Hopping rates may be ~1600 hops/second (à la Bluetooth). Very secure modulation scheme (used in the military for decades).

  43. Narrowband or Spread Spectrum (cont.)? Direct Sequence Spread Spectrum uses a fixed carrier frequency, F0, but interleaves the data with a precise mathematical 0/1 data sequence. (This increases the length of the transmitted information vector.) The information is replicated many times throughout the bandwidth, so if one “lobe” of the information is jammed, the remainder “gets through”. Highly robust technique. The receiver then locks onto the carrier frequency, F0, receives the signal and then must “undo” the interleaving. More difficult to implement (more expensive). Most complicated scheme (of these presented). Most secure modulation scheme.

  44. DIRECT-SEQUENCE SPREAD-SPECTRUM SIGNALS (block diagram not reproduced: transmitter with PN clock, PN sequence generator and carrier; receiver with local PN clock, local PN sequence generator, local carrier, wide and narrow band-pass filters, phase demodulator and data clock; three power spectral density plots around fc). Narrow spectrum at output of modulator before spreading. Spectrum has wider bandwidth and lower power density after spreading with the PN sequence (PN rate >> data rate); narrowband RFI is “spread” on despreading. The original narrowband, high power density spectrum is restored if the local PN sequence is the same as, and lined up with, the received PN sequence.
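A toy DSSS link, added here to illustrate slides 43 and 44 (this is example code written for this transcript, not code from the talk or from RAE Systems). Data bits are XORed with a PN chip sequence from a 7-bit LFSR, a constructed narrowband jammer flips a burst of consecutive chips, and the receiver despreads by majority vote against its own copy of the PN sequence; the `offset` argument lets you see what happens when the local PN is not lined up with the received one.

```python
"""Direct-sequence spread spectrum (DSSS) spread/despread toy model.
Constructed example: LFSR PN code, XOR spreading, burst jammer, majority-vote despreading."""
from typing import List

CHIPS_PER_BIT = 31  # processing gain: every data bit is replicated across 31 chips


def pn_sequence(seed: int, n: int) -> List[int]:
    """7-bit Fibonacci LFSR with feedback x^7 + x + 1 (maximal length, period 127).
    Returns n chips in {0, 1}; a zero seed is replaced by 1 so the register is not stuck."""
    s = (seed & 0x7F) or 1
    chips = []
    for _ in range(n):
        chips.append(s & 1)
        fb = (s ^ (s >> 1)) & 1          # bit0 XOR bit1 -> o[k+7] = o[k] ^ o[k+1]
        s = (s >> 1) | (fb << 6)
    return chips


def spread(bits: List[int], seed: int) -> List[int]:
    """Transmitter: XOR each data bit with its window of CHIPS_PER_BIT PN chips."""
    pn = pn_sequence(seed, len(bits) * CHIPS_PER_BIT)
    return [b ^ pn[i * CHIPS_PER_BIT + j]
            for i, b in enumerate(bits) for j in range(CHIPS_PER_BIT)]


def despread(chips: List[int], seed: int, offset: int = 0) -> List[int]:
    """Receiver: XOR with the local PN copy (shifted by `offset` chips) and
    majority-vote each window. With offset 0 every chip of a window agrees."""
    pn = pn_sequence(seed, len(chips) + offset)[offset:]
    out = []
    for i in range(len(chips) // CHIPS_PER_BIT):
        ones = sum(chips[k] ^ pn[k] for k in range(i * CHIPS_PER_BIT, (i + 1) * CHIPS_PER_BIT))
        out.append(1 if ones * 2 > CHIPS_PER_BIT else 0)
    return out


def jam(chips: List[int], start: int, length: int) -> List[int]:
    """Constructed narrowband jammer: inverts a burst of consecutive chips."""
    return [c ^ 1 if start <= k < start + length else c for k, c in enumerate(chips)]


def bit_errors(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def demo() -> tuple:
    """Returns (errors with a 12-chip burst, errors with a 16-chip burst in one window,
    errors when the receiver's PN is 3 chips out of alignment)."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    tx = spread(data, seed=0x5A)
    light = despread(jam(tx, start=55, length=12), seed=0x5A)   # burst straddles bits 1 and 2
    heavy = despread(jam(tx, start=31, length=16), seed=0x5A)   # 16 of 31 chips of bit 1 flipped
    misaligned = despread(jam(tx, start=55, length=12), seed=0x5A, offset=3)
    return bit_errors(data, light), bit_errors(data, heavy), bit_errors(data, misaligned)
```

The 12-chip burst is outvoted by the remaining correct chips of each window (0 errors), while a burst covering more than half of one bit's window flips exactly that bit (1 error); a misaligned local PN turns the despread output into an essentially balanced, meaningless chip stream, which is the "lined up" condition of slide 44.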

  45. Narrowband or Spread Spectrum (cont.)? Which is best? Each has its pluses and minuses…and each scheme has its share of die-hard advocates and/or naysayers! Different vendors use these (and other) schemes at different frequencies within the various ISM bands. From a security standpoint, DSSS is best.

  46. Reality (spectrum captures of DSSS and FHSS signals not reproduced)

  47. No Matter What…It's Just an Electromagnetic Field: $E(t) = A(t)\cos[\omega t + \phi(t)]$, where $A(t)$ is the amplitude of the wave, $\omega$ the radian frequency of the wave and $\phi(t)$ the phase of the wave.

  48. The RF “Footprint” Personal Area Network: typical radiated power: 0 dBm, size: 10m Local Area Network: typical radiated power: 20 dBm, size: 100m Wide Area Network: typical radiated power: >30 dBm, size: >2000m

  49. There are SO many technical questions: such as… Network Topologies? Ad Hoc Network

  50. The Real World Presents the Wireless Channel with Multipath and Attenuation…and…
