Security for wireless instrumentation
Cover story: Keeping wireless field device communications secure: Protocols for wireless instrumentation and other field devices use encryption as a key security element. Is it enough?
The last decade has seen huge growth in wireless process instruments and other field devices. While there was a brief time of protocol development, most suppliers and end users have settled on either ISA100.11a (IEC 62734) or WirelessHART (IEC 62591). These two protocols are similar in many ways, including use of the IEEE 802.15.4 radio, but their differences make them incompatible. Some end users have embraced wireless technology rapidly because it offers many advantages for deploying instrumentation and other devices in difficult environments where conventional wiring is expensive or otherwise impractical.
At the same time, other users have taken a more conservative approach, not fully convinced that devices depending on radio rather than direct wiring can be sufficiently reliable and secure. After all, radio wave signal propagation can be disrupted in various ways, and its nature makes it difficult to limit where the signal may travel. In this time of concern about cyber security, is it prudent to have such devices using radio communication in critical applications?
ISA100.11a and WirelessHART both use sophisticated encryption methods, including 128-bit Advanced Encryption Standard (AES) block cipher. But what does this mean, and does it ensure security? As mentioned before, the two main protocols are incompatible. While there are many similarities, there are also many differences. For purposes of this discussion, we will concentrate on ISA100.11a.
"ISA100 Wireless security operates at two levels, in the transport layer and the data-link layer," says the ISA100 Wireless Compliance Institute (WCI) website (Figure 1). "Transport layer security protects your data. It provides end-to-end assurances that mission-critical messages received are secret and authentic. Data-link layer security protects the network. It provides hop-by-hop assurances that each message is flawlessly transmitted to the next hop, with detailed performance and security diagnostics accumulated at each point."
So what does this mean? Encryption is very important to the extent it is impossible to build any kind of secure wireless network without it. Providing security at two levels in this manner is, for all practical purposes, unbreakable. This method has not been broken, and there is no known technology available today able to break it. However, while it makes the transport mechanism rock solid, there are many other elements to the larger security picture.
Identify the biggest threat
Any security practitioner has to consider the larger picture. Having the support of a solid transport layer is a good start, but is the notion of an attacker intercepting and decoding our data transmissions the only threat? In many respects the most serious threat users should be concerned about is the potential for disruption of the radio communication, as it is not only possible but relatively easy. Consider these situations:
- Visitors to various large churches in Mexico City may find that their cell phones stop working when they’re inside the sanctuary. This is not divine intervention or a strange coincidence, but a result of a cell phone jammer deployed in the building. Church officials install these devices deliberately to stop phones from ringing and to prevent visitors from carrying on phone conversations. Such jammers are illegal in the U.S., but they can be used in many other countries.
- Marriott Hotels was fined $600,000 by the U.S. FCC for blocking Wi-Fi hotspot devices used by guests in its hotels. The hotel chain claimed it was a cyber defensive strategy to protect its networks, but the FCC didn’t buy the argument because they felt Marriott was forcing guests to purchase their Wi-Fi services.
- Delivery trucks can be tracked by their companies using GPS devices. Operators sometimes purchase radio frequency jammers to render these systems inoperative and keep their movements private.
What is the common element? All these scenarios use frequency-specific jamming devices to disrupt particular kinds of radio communication. Has such a thing happened with wireless field devices? Not yet, but there is nothing to say it can’t. Some crude, but effective, devices aren’t as specific about frequencies they disrupt. They can render everything from AM radio to the highest communication frequencies unusable in an instant, and they don’t require breaking encryption. The ultimate intent is to cause a denial of service (DOS).
Wireless service denied
Should the possibility of a DOS attack make you think twice about using wireless instrumentation? It shouldn’t stop you entirely, but it should make you think about how you apply it. Ask yourself what would happen to your process if such a disruption actually occurred.
Devices designed to jam other signals, whether crude or sophisticated, have to be relatively close to the signals they mean to interrupt, and they have no capability to gather information or serve as a method for gaining access to another network. They are the cyber security equivalent of throwing a brick through a window.
Jamming devices are not difficult to detect so they can usually be located and disabled. Interference that causes jamming can also come from other unintentional sources, so disruptions should not always be seen as an attack. Poorly shielded equipment elsewhere in your plant can cause radio-frequency interference (RFI) that is just as troublesome. In some cases this may require moving the RFI source or network assets to points where the interference is blocked by a building or other plant infrastructure.
A hacker’s attack plan
An equally meaningful question is how to face more sophisticated attackers who want to move into an operation. Wireless networks have an appeal for hackers because they carry outside of a plant’s fence. An individual with the right kind of receiver can pick up the signal between a wireless level sensor and its gateway. Can such a signal be hijacked and used as an attack vector?
There are two main things hackers want to do. First, they want to disrupt an operation, such as changing setpoints, injecting confusing data, or damaging equipment. Stuxnet was an example of this approach, where the objective was to damage centrifuges by changing operational setpoints.
Second, hackers are there to steal information, and they may be after plant data, but more likely they want something of greater value. Some hackers believe plant networks are not as well protected as enterprise-level networks, so they use them as an entry point with the intent of moving up from below. A hacker’s intent will likely be defined by the source. Some do it strictly for the money, while nation-state hackers may have a political agenda.
Slipping in and out undetected
A hacker intent on stealing information or causing some other subtle disruption probably wants to get into the network without being spotted in the act or leaving anything behind to give away his or her identity. This means finding some entry point where there is a weakness in the defenses, scoping out the networks to see what is connected to what, and eventually getting to the desired target.
One way to gain entry is to pretend to be a node on the wireless network by intercepting the communication between a wireless sensor and its gateway and hijacking the dialog. This approach is called a man-in-the-middle attack (Figure 2). The hacker becomes pressure sensor 1A and begins to send his data to the system, or the hacker takes the place of the gateway and tells a valve actuator to open or close following his instructions rather than those from the DCS. This approach is not at all easy thanks to the encryption discussed earlier. In fact, it is essentially impossible given today’s technology. So does this make the network secure?
A lesson from history
Stop for a moment and think back to the days of World War II. The Axis powers in Europe, led by Germany, encoded military transmissions using an electro-mechanical coding machine called Enigma. This machine was very sophisticated, and the ciphering process it created was unbreakable using the technology of the day. And yet the Allies managed to intercept and decode enemy communications.
How was it possible?
Allied code breakers did not break the encryption; they broke how it was used. By piecing together elements from captured code books, information learned from lazy radio operators, and clever logic-they were able to replicate the action of the coding machine. They broke the application, not the encryption. They found other weak links in the chain and exploited those, which is the same way modern hackers break into networks.
Let’s say you want to break into your neighbor’s tool shed and steal a lawnmower. The door is locked using a hasp and padlock. If you can’t pick the lock and the shackle is hardened to resist cutting, your next step is to cut through the hasp or pry out the screws. Hackers can’t break the encryption, so they find the next most vulnerable spot.
Hacking the application
With wireless networks, it may involve the next link in the security chain: the application. What do those kinds of weaknesses look like?
Does the gateway allow for lower encryption methods in an effort to provide connectivity to legacy systems? Older equipment with less sophisticated encryption may provide a crack in the defenses a hacker can pry open, so plants must make sure those capabilities are disabled.
Look at all your wireless routers and gateways. Are they from reliable approved suppliers? Some users have discovered the devices on their networks are not as secure as thought. While they may work, they don’t have the same security capabilities.
How is your device recognition set up? How difficult is it for a hacker to create a new node on the network? One attack vector makes the network think the plant has added a new pressure sensor, able to talk to the gateway and get on the network (Figure 3). Once such a foothold is established, the next step is to move up level after level. If this process is not firmly locked down, it can represent a serious vulnerability.
Cyber defense systems have a hard time when they get down into the mesh networks that wireless devices use. It’s hard for them to track the ways signals bounce around from device to device, so it’s easy for an attacker to remain concealed in the traffic, and even remove data through an instrumentation network.
How to decrease risk
Wireless field device networks need to be protected following the same basic methods as wired networks. Various network segments should be separated with appropriate demilitarized zones (DMZs) and firewalls to limit movement from one part of the network to another.
Supply chain practices should ensure reliance on trusted suppliers with proven security track records. Verifying all the various settings of routers and gateways is critical. Don’t leave inadvertent entry points for hackers because you have not turned off some feature, including those you don’t yet realize are there. Hackers know those points and look for them. You should too.
Don’t give away too much information. Hackers look for specific kinds of equipment and specific configurations where they know there are vulnerabilities. Don’t give away information about your networks and the way they’re set up.
Is wireless instrumentation worth the risk?
Wireless instruments and other field devices offer huge advantages in the right applications, but there are also possibilities for creating new vulnerabilities. Yes, there is always potential for an attacker to come in through the wireless system; however, in most cases attackers will look for something easier, and in most cases will try and find some other vulnerability to use as a point of entry.
The most critical question to answer relates to disruption. When these devices are installed and working, what is the worst-case scenario where all radio communication is shut down? How will you operate when all those devices go dark for some period of time? It may be inconvenient, but if you can still remain in production safely until the situation is resolved, then you have no reason to deny yourself the advantages wireless devices bring. Deploy wireless devices appropriately using basic security measures and enjoy the results.
– Jeff Melrose, CISSP, ISSEP, is the principal technology strategist for cyber security at Yokogawa Corporation of America. Edited by Peter Welander, content manager, CFE Media, Control Engineering, firstname.lastname@example.org.
- Encryption is needed for safe wireless networks, but it alone is not enough for security.
- Wireless networks can have their communication disrupted, and that is a major threat possibility.
- Find ways to lower the risk; what’s the worst that could happen?
How difficult would it be for a hacker to create a new node on your network?
– See additional stories linked below about cyber security best practices.