Security for wireless instrumentation
Cover story: Keeping wireless field device communications secure: Protocols for wireless instrumentation and other field devices use encryption as a key security element. Is it enough?
The last decade has seen huge growth in wireless process instruments and other field devices. After a brief period of competing protocol development, most suppliers and end users have settled on either ISA100.11a (IEC 62734) or WirelessHART (IEC 62591). These two protocols are similar in many ways, including their use of the IEEE 802.15.4 radio, but their differences make them incompatible. Some end users have embraced wireless technology rapidly because it offers many advantages for deploying instrumentation and other devices in difficult environments where conventional wiring is expensive or otherwise impractical.
At the same time, other users have taken a more conservative approach, not fully convinced that devices depending on radio rather than direct wiring can be sufficiently reliable and secure. After all, radio wave signal propagation can be disrupted in various ways, and its nature makes it difficult to limit where the signal may travel. In this time of concern about cyber security, is it prudent to have such devices using radio communication in critical applications?
ISA100.11a and WirelessHART both use sophisticated encryption methods, including the Advanced Encryption Standard (AES) block cipher with 128-bit keys, applied in an authenticated mode (AES-CCM*) so that each message is both encrypted and integrity-protected. But what does this mean, and does it ensure security? As mentioned before, the two main protocols are incompatible. While there are many similarities, there are also many differences. For purposes of this discussion, we will concentrate on ISA100.11a.
"ISA100 Wireless security operates at two levels, in the transport layer and the data-link layer," says the ISA100 Wireless Compliance Institute (WCI) website (Figure 1). "Transport layer security protects your data. It provides end-to-end assurances that mission-critical messages received are secret and authentic. Data-link layer security protects the network. It provides hop-by-hop assurances that each message is flawlessly transmitted to the next hop, with detailed performance and security diagnostics accumulated at each point."
So what does this mean? Encryption is so important that it is impossible to build any kind of secure wireless network without it. Applying AES-128 at both levels in this manner makes the transport mechanism, for all practical purposes, unbreakable: the cipher has not been broken, and no technology available today can brute-force a 128-bit key. That guarantee covers only the cipher and the keys it protects, however. It holds only while the keys are provisioned, stored and rotated properly, and it says nothing about whether the radio link stays up, so there are many other elements to the larger security picture.
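As an added example of what "secret and authentic" buys and what it does not, the following Go program is not from the article or from either standard: it protects a measurement with AES-128 in an authenticated mode and has a gateway-side receiver reject replayed and modified frames. GCM is used here as a stand-in for the CCM* mode the IEEE 802.15.4-based protocols actually specify; the key, the header layout, the counter-as-nonce scheme and the device name are constructed for the example and are not the standards' own formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed 16-byte (AES-128) key for this example only. A real network derives
// per-session keys during device join and rotates them; never hard-code one.
var sessionKey = []byte("example-key-0123")

// Frame models one protected field-device message: a monotonically increasing
// per-link counter (the AEAD nonce), an authenticated-but-cleartext header, and
// the ciphertext with its authentication tag appended.
type Frame struct {
	Counter uint32
	Header  []byte
	Body    []byte
}

// newAEAD builds an AES-128 authenticated cipher. Assumption: GCM stands in for
// the CCM* mode the standards specify; both give confidentiality plus integrity.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor derives the nonce from the frame counter. A counter value must never be
// reused under one key, which is why the receiver accepts only strictly newer ones.
func nonceFor(counter uint32, size int) []byte {
	n := make([]byte, size)
	binary.BigEndian.PutUint32(n[size-4:], counter)
	return n
}

// Seal protects a measurement for transmission (the sending device's side).
func Seal(key []byte, counter uint32, header, plaintext []byte) (Frame, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Frame{}, err
	}
	body := aead.Seal(nil, nonceFor(counter, aead.NonceSize()), plaintext, header)
	return Frame{Counter: counter, Header: header, Body: body}, nil
}

// Receiver is the gateway side: it remembers the last accepted counter to reject
// replays and counts the gaps that dropped (or jammed) frames leave behind.
type Receiver struct {
	key         []byte
	lastCounter uint32
	Missed      int // frames that never arrived or failed authentication
}

func NewReceiver(key []byte) *Receiver { return &Receiver{key: key} }

// Receive verifies and decrypts one frame. It fails on replay (stale counter) and
// on any change to header or body (tag mismatch). A frame that simply never
// arrives raises no error at all: the only evidence is the counter gap.
func (r *Receiver) Receive(f Frame) ([]byte, error) {
	if f.Counter <= r.lastCounter {
		return nil, errors.New("replayed or stale frame")
	}
	aead, err := newAEAD(r.key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonceFor(f.Counter, aead.NonceSize()), f.Body, f.Header)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified in transit")
	}
	r.Missed += int(f.Counter - r.lastCounter - 1)
	r.lastCounter = f.Counter
	return pt, nil
}

func main() {
	rx := NewReceiver(sessionKey)
	hdr := []byte("src=level-tx-07") // constructed link header
	f1, _ := Seal(sessionKey, 1, hdr, []byte("LEVEL=42.7"))
	pt, err := rx.Receive(f1)
	fmt.Printf("frame 1: %q err=%v\n", pt, err)

	_, err = rx.Receive(f1) // an attacker replays the captured frame
	fmt.Println("replay:", err)

	f2, _ := Seal(sessionKey, 2, hdr, []byte("LEVEL=42.7"))
	f2.Body[0] ^= 0x01 // an attacker flips one ciphertext bit
	_, err = rx.Receive(f2)
	fmt.Println("tampered:", err)

	// Frames 2 to 4 are jammed and never arrive; frame 5 gets through. The cipher
	// has nothing to say about the loss; the counter gap is the only evidence.
	f5, _ := Seal(sessionKey, 5, hdr, []byte("LEVEL=43.1"))
	pt, err = rx.Receive(f5)
	fmt.Printf("frame 5: %q err=%v missed=%d\n", pt, err, rx.Missed)
}
```

The first three cases are what the encryption layers are for: a genuine frame decrypts, a replayed frame is refused, and a single flipped bit fails authentication. The last case is the point of the rest of the article. When frames are jammed there is no cryptographic failure to alarm on; the gateway only learns of the loss from the gap in the sequence, which is why link diagnostics and a plan for stale data matter as much as the cipher.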
Identify the biggest threat
Any security practitioner has to consider the larger picture. Having the support of a solid transport layer is a good start, but is the notion of an attacker intercepting and decoding our data transmissions the only threat? In many respects the most serious threat users should be concerned about is the potential for disruption of the radio communication, as it is not only possible but relatively easy. Consider these situations:
- Visitors to various large churches in Mexico City may find that their cell phones stop working when they're inside the sanctuary. This is not divine intervention or a strange coincidence, but a result of a cell phone jammer deployed in the building. Church officials install these devices deliberately to stop phones from ringing and to prevent visitors from carrying on phone conversations. Such jammers are illegal in the U.S., but they can be used in many other countries.
- Marriott Hotels was fined $600,000 by the U.S. FCC for blocking Wi-Fi hotspot devices used by guests in its hotels. The hotel chain claimed it was a cyber defensive strategy to protect its networks, but the FCC didn't buy the argument because they felt Marriott was forcing guests to purchase their Wi-Fi services.
- Delivery trucks can be tracked by their companies using GPS devices. Operators sometimes purchase radio frequency jammers to render these systems inoperative and keep their movements private.
What is the common element? All these scenarios use frequency-specific jamming devices to disrupt particular kinds of radio communication. Has such a thing happened with wireless field devices? Not yet, but there is nothing to say it can't. Some crude but effective devices aren't as specific about the frequencies they disrupt. They can render everything from AM radio to the highest communication frequencies unusable in an instant, and they don't require breaking encryption. The ultimate intent is to cause a denial of service (DoS).
Wireless service denied
Should the possibility of a DoS attack make you think twice about using wireless instrumentation? It shouldn't stop you entirely, but it should make you think about how you apply it. Ask yourself what would happen to your process if such a disruption actually occurred, and make sure the control strategy treats a wireless measurement that has gone stale as unknown rather than acting on it as if it were current.
Devices designed to jam other signals, whether crude or sophisticated, have to be relatively close to the receivers they mean to disrupt, and they have no capability to gather information or to serve as a method for gaining access to another network. They are the cyber security equivalent of throwing a brick through a window.
Jamming devices are not difficult to detect, so they can usually be located and disabled. Interference that looks like jamming can also come from unintentional sources, so a disruption should not automatically be treated as an attack. Poorly shielded equipment elsewhere in your plant can cause radio-frequency interference (RFI) that is just as troublesome. In some cases this may require moving the RFI source or the network assets to points where the interference is blocked by a building or other plant infrastructure.
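To show how the hop-by-hop diagnostics the article mentions can separate deliberate jamming from unintentional RFI and from a single failing device, here is an added Go example that is not from the article or from either protocol's tooling. It assumes the gateway can report, for each link and each IEEE 802.15.4 channel, the fraction of frames delivered in a window; the device names, the delivery-ratio threshold and the four sample windows are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// LinkStats is one reporting window of packet delivery ratio (PDR) per link and
// per radio channel: stats[link][channel] = delivered/attempted. Assumption for
// this example: the gateway exposes its hop-by-hop diagnostics in this shape.
type LinkStats map[string]map[int]float64

type Kind string

const (
	Healthy     Kind = "healthy"
	Wideband    Kind = "wideband: every channel and link down at once, suspect jamming"
	Narrowband  Kind = "narrowband: specific channels down on every link, suspect RFI"
	LinkFailure Kind = "link-failure: one link down on every channel, suspect the device"
)

type Diagnosis struct {
	Kind     Kind
	Channels []int    // implicated channels (Wideband, Narrowband)
	Links    []string // implicated links (Wideband, LinkFailure)
}

// pdrFloor is the delivery ratio below which a channel or link counts as down.
// Assumed value for the example; tune it to the plant's own baseline.
const pdrFloor = 0.5

// Classify separates spectrum problems (which hit every link at once) from device
// problems (which hit every channel of one link). With only one link the two
// cannot be told apart and the result is reported as Wideband.
func Classify(stats LinkStats) Diagnosis {
	var links []string
	seen := map[int]bool{}
	for l, per := range stats {
		links = append(links, l)
		for ch := range per {
			seen[ch] = true
		}
	}
	var channels []int
	for ch := range seen {
		channels = append(channels, ch)
	}
	sort.Strings(links)
	sort.Ints(channels)

	chDown := map[int]int{}    // channel -> number of links down on it
	lnDown := map[string]int{} // link -> number of channels down on it
	for _, l := range links {
		for _, ch := range channels {
			if pdr, ok := stats[l][ch]; ok && pdr < pdrFloor { // missing data is not loss
				chDown[ch]++
				lnDown[l]++
			}
		}
	}
	var badChannels []int
	for _, ch := range channels {
		if chDown[ch] == len(links) {
			badChannels = append(badChannels, ch)
		}
	}
	var badLinks []string
	for _, l := range links {
		if lnDown[l] == len(channels) {
			badLinks = append(badLinks, l)
		}
	}
	switch {
	case len(channels) > 0 && len(badChannels) == len(channels):
		return Diagnosis{Kind: Wideband, Channels: badChannels, Links: badLinks}
	case len(badChannels) > 0:
		return Diagnosis{Kind: Narrowband, Channels: badChannels}
	case len(badLinks) > 0:
		return Diagnosis{Kind: LinkFailure, Links: badLinks}
	}
	return Diagnosis{Kind: Healthy}
}

// Sample builds a constructed window for three devices reporting to one gateway
// over the 2.4 GHz IEEE 802.15.4 channels 11 to 26 that the protocols hop across.
func Sample(pdr func(link string, ch int) float64) LinkStats {
	stats := LinkStats{}
	for _, l := range []string{"level-tx-07", "flow-tx-12", "temp-tx-19"} {
		stats[l] = map[int]float64{}
		for ch := 11; ch <= 26; ch++ {
			stats[l][ch] = pdr(l, ch)
		}
	}
	return stats
}

func main() {
	rfi := Sample(func(_ string, ch int) float64 { // constructed: channels 17-19 swamped
		if ch >= 17 && ch <= 19 {
			return 0.2
		}
		return 0.97
	})
	d := Classify(rfi)
	fmt.Println(d.Kind, d.Channels, d.Links)
}
```

The distinction the code draws is the one an operator needs before calling anything an attack: a jammer or a strong broadband source takes every channel and every link down together, a narrowband RFI source or a co-located radio takes the same few channels down on every link (and those channels can be blacklisted or the source moved, as the article suggests), while a device whose antenna or path has failed loses every channel but only on its own link. Real link statistics are noisier than the constructed windows, so in practice the verdict should be held for several consecutive windows before it is raised.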
A hacker's attack plan
An equally meaningful question is how to face more sophisticated attackers who want to get inside an operation. Wireless networks appeal to hackers because their signals carry beyond the plant fence. An individual with the right kind of receiver can pick up the signal between a wireless level sensor and its gateway. Can such a signal be hijacked and used as an attack vector?
There are two main things hackers want to do. First, they want to disrupt an operation, for example by changing setpoints, injecting misleading data, or damaging equipment. Stuxnet was an example of this approach, where the objective was to damage centrifuges by changing operational setpoints.
Second, hackers want to steal information. They may be after plant data, but more likely they want something of greater value. Some hackers believe plant networks are not as well protected as enterprise networks, so they use them as an entry point, intending to move up from the plant floor into the corporate network. A hacker's intent will likely be defined by the source: some do it strictly for the money, while nation-state hackers may have a political agenda.