Wireless Sensor Systems:
Security Implications for the Industrial Environment

Dr. Peter L. Fuhr
Chief Scientist
RAE Systems, Sunnyvale, CA
pfuhr@raesystems.com

Dr. Peter Fuhr, Presenter: 480+ publications and presentations in the wireless sensor networking arena. Old-timer in this area... etc. etc.

RAE Systems Inc.
Pervasive Sensing Company based in Silicon Valley, founded in 1991

Capabilities:
Radiation detection: gamma and neutron
Chemical/vapor detection: toxic gas, VOC, combustible gas, oxygen, CWA, temperature, humidity, CO2
Redeployable sensor networks: mobile and fixed wireless monitors; Cargo Container Sensor Systems

ISA Wireless Security, P. Fuhr

Contributors

A number of individuals have provided content for these slides. They include:
Wayne Manges, Oak Ridge National Laboratory
Robert Poor, Ember
Pat Gonia, Honeywell
Hesh Kagan, Foxboro/Invensys
Kang Lee, NIST
Tom Kevan, Advanstar
Ramesh Shankar, Electric Power Research Institute
Larry Hill, Larry Hill Consulting
Rob Conant, Dust
Rick Kriss, Xsilogy
Gideon Varga, Dept of Energy
Jack Eisenhauser, Energetics
Michael Brambley, Pacific Northwest National Labs
David Wagner, UC-Berkeley
Undoubtedly, there are other contributors too (apologies if
your name is not listed).

Wireless Sensor Networking

It's not cellular telephony.
It's not just WiFi... (and it just may be the next big thing).

[Map: each dot represents one cell phone tower.]
[Photo: wireless devices circa 1930.]

Sensor Market: $11B in 2001
Installation (wiring) costs: >$100B

Fragmented market: platform opportunity.
Installation cost limits penetration: reducing installation cost increases market size.

[Chart: highly fragmented sensor market. Source: Freedonia Group report on Sensors, April 2002.]

Slide courtesy of Rob Conant, Dust

Industrial Market Sizing: Sensor Networking Products

North American market for wireless products used in applications where transmission distances are 1 mile or less:
2002 Total: $107 million
2006 Forecast: $713 million
2010 Estimate: $2.1 billion

Largest application areas:
2002: Tank Level Monitoring, Asset Tracking, Preventative Maintenance
2006: Tank Level Monitoring, Preventative Maintenance, Environmental Monitoring

Conclusions:
Rapid growth in industrial markets
Tank Level Monitoring will remain a significant opportunity
Key user needs:
Lower costs over wired (or manual) solutions
Education of potential customers on the technology
Demonstration of operational reliability and application domain knowledge

Slide courtesy of Rick Kriss, Xsilogy

The True Cost per Monitored Node to the End User

[Chart: installation costs and 3-year total cost of ownership (TOC, $ to $$$$$) plotted against radio RF range (dB), from meters to miles, for sparse versus dense deployments. Short-range technologies (Bluetooth, 802.15.4, WiFi, etc.) sit at the short-range, low-cost end; wide-area technologies (1xRTT, FLEX, SAT, etc.) at the long-range, high-cost end. The low-cost, short-range region is marked "Design for here".]

Slide courtesy of Rick Kriss, Xsilogy

What to do with the data?

[Diagram of a measurement system: a parameter of interest (chemical, electrical, mechanical, thermal, radiation, optical, magnetic) enters the sensor, passes through a modifier and an output transducer (with a power supply), and leaves as an output signal (chemical, electrical, mechanical, thermal, radiation, optical, magnetic).]

Great! But how do you get the output signal from the sensor to the location where the information will be interpreted (used)?

Traditionally the output of the sensor was hardwired to some form of interpretive device (e.g., PLC), perhaps relying on a 4-20 mA signal.

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review

Oh, who needs security in a wireless channel anyway!
(pretty ridiculous statement, isn't it!)

Let's ask some experts:
WINA meeting, Coral Gables, Sept. 2003
www.wireless4industrial.org

What's a WINA?

In the spring of 2003, the Wireless Industrial Networking Alliance (WINA) was formed to promote the adoption of wireless networking technologies and practices that will help increase industrial productivity and efficiency.

WINA will be holding a 1.5 day meeting at ISA-HQ in RTP, NC on Feb 11/12, right after the ISA Wireless Security Expo and conference. Check out www.wireless4industrial.org for WINA meeting details AND www.isa.org/wireless for the ISA Wireless Security conference details!

Back to the Question:
Who needs security in a wireless channel anyway!

Strategy Workshop Participants

Suppliers (13)
System integrators (6)
Industrial end users (10): Energy/Utilities, Chemicals, Petroleum, Forest Products, Automotive, Electronics
Industry analysts/venture capitalists (3)
Others (associations, government, media, researchers)

End-User View of Industrial Wireless

Likes:
Mobility
Compactness
Flexibility
Low cost
Capability to monitor rotating equipment
Short range (security)
Ease of installation
High reliability
Impetus to enhance electronics support

Dislikes:
Change to status quo
Complexity
High cost for coverage in large plants
Security issues
Portability issues (power)
Unproven reliability
Too risky for process control
Lack of experience in troubleshooting (staff)
Restricted infrastructure flexibility once implemented
Lack of analysis tools

Technology Group: Key Issues

Security: jamming, hacking, and eavesdropping
Power
Value (clear to customer)
Interoperability
Co-existence with other facility networks, sensors, collectors, technology
True engineered solution (sensors, collectors, etc.)
Assured performance & reliability/MTBA*
Software infrastructure, data, & systems management
Robustness (at least as good as wired)
RF characterization (radios, receivers, environments)

*mean time between attention

Technology Group: Criticality Varies by Application (5 = most critical)

[Table: attributes (security, raw throughput per node/aggregate, scalability (max. # nodes), data reliability, low cost, gateway technology, engineered solution, latency, device reliability) rated for monitor, control, alarm, shutdown and business-WLAN applications. Raw throughput ratings (node/aggr.) in the extracted text: 2/5, 2.5/2.5, 1/4, 1/1, 1/5; the remaining ratings are ranges between 1 and 5 (1-3, 1-5, 2-3, 3-4, 3-5). The cell-to-column mapping is not recoverable from the extracted text.]

Industrial Cyber Security
The Case of Vitek Boden

On October 31, 2001 Vitek Boden was convicted of:
26 counts of willfully using a restricted computer to cause damage
1 count of causing serious environmental harm

The facts of the case:
Vitek worked for the contractor involved in the installation of the Maroochy Shire sewage treatment plant.
Vitek left the contractor in December 1999 and approached the shire for employment. He was refused.
Between Jan 2000 and Apr 2000 the sewage system experienced 47 unexplainable faults, causing millions of liters of sewage to be spilled.

How did he do it?

On April 23, 2000 Vitek was arrested with stolen radio equipment, controller programming software on a laptop and a fully operational controller.
Vitek is now in jail.

[Diagram: disgruntled contractor with a rogue radio reaching the sewage plant's PLCs over the radio link.]

A Favorite 2.4 GHz Antenna
[Photo]

War Driving 802.11 Hot Spots in Silicon Valley
[Map]

War Driving 802.11 Hot Spots in San Francisco
[Map]

The Question:
Who needs security in a wireless channel anyway!

The Answer:
We do. So... how do you provide the appropriate level of security within the acceptable price and inconvenience margin?
-> Risk Management!

Inside vs. Outside?
Where do attacks come from?
[Chart: % of respondents. *Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute - www.gocsi.com/losses.]

An Outside Example.
When? April 2001

Hacker War I

In the spring of 2001, the US got its first taste of a new form of warfare, launched from overseas and targeted at US critical infrastructure.

Honker Union
Chinese hacker group working to advance and in some cases impose its political agenda.
During the spring of 2001, Honker Union worked with other groups such as the Chinese Red Guest Network Security Technology Alliance.
Hackers were encouraged to "...make use of their skills for China..." (Wired.com)

Attack Methods:
Denial of Service attacks
Website defacement
E-mailing viruses to US Government employees
KillUSA package

Cyberwar
Cyberattacks and web defacements increased dramatically after the start of the war against Iraq.
More than 1,000 sites were hacked in the first 48 hours of the conflict, with many of the attacks containing antiwar slogans.
Security consultants state that the war against Iraq made March the worst month for digital attacks since records began in 1995.

Hacker School
North Korea's Mirim College is a military academy specializing in electronic warfare.
100 potential cybersoldiers graduate every year.

The Question:
Who needs security in a wireless channel anyway?

The Answer:
Everyone.

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review

A few details...

Layered Communications
[Diagram]

Wired Data Security: Encryption

The traditional method involved encrypting the data prior to transmission over a potentially insecure channel. The level of protection rests on the encryption algorithm. (There are a few other factors... such as the physical media.)

Slide courtesy of Wayne Manges, ORNL

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review

From many perspectives, THIS is what a wireless sensor network can provide.

Wireless Buildings
[Diagram]
Key to success: reduced installation costs

Slide courtesy of Pat Gonia, Honeywell

Modulation

E(t) = A(t) cos[ωt + φ(t)]

Amplitude Modulation (AM): info is in A(t)
Frequency Modulation (FM): info is in ω
Phase Modulation (PM): info is in φ(t)

Different vendors use different schemes and they are not interoperable.

[Figure: carrier waveform with phase marked at 0°, 180°, 270° and 360° (or back to 0°).]
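As an added worked note (not part of the original slides), writing the carrier in terms of its instantaneous phase makes precise where each scheme on the slide puts the information. The message signal $m(t)$ and the constants $k_a$, $k_p$, $k_f$ are notation assumed here, not from the slides:

\[
E(t) = A(t)\cos\theta(t), \qquad \theta(t) = \omega t + \varphi(t)
\]

The instantaneous radian frequency is the rate of change of the total phase:

\[
\omega_i(t) = \frac{d\theta}{dt} = \omega + \frac{d\varphi}{dt}
\]

AM: $A(t) = A_0\,[1 + k_a\, m(t)]$ and $\varphi(t) = 0$, so $\omega_i(t) = \omega$ (the carrier frequency never moves).

PM: $\varphi(t) = k_p\, m(t)$, so $\omega_i(t) = \omega + k_p\, \dot m(t)$.

FM: $\varphi(t) = k_f \int_0^t m(\tau)\,d\tau$, so $\omega_i(t) = \omega + k_f\, m(t)$.

FM and PM are therefore the same angle modulation of the same field, differing only in whether $m(t)$ or its integral is placed in $\varphi(t)$; a receiver built to track one of them recovers the derivative or the integral of the other's message rather than the message itself, which is the interoperability point on the slide.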

The FCC Frequency Assignment
[Chart]
Different vendors may use different frequencies within the various ISM bands (green in the diagram).
The ISM bands most commonly used are at 433, 915 and 2400 MHz.

Multiple Sensors Sharing the Medium: Multiplexing. FDMA, TDMA and CDMA
[Diagram]

Binary Signaling Formats

Used to improve digital signal reception and decision:
NRZ: Non-Return to Zero
RZ: Return to Zero
Unipolar: only one side of 0 V
Bipolar: both sides of 0 V
Manchester: bi-phase (0 in left 1/2 time slot, 1 in right)

Narrowband or Spread Spectrum?

Narrowband uses a fixed carrier frequency, F0. The receiver then locks onto the carrier frequency, F0.
Easy to implement (inexpensive).
Prone to jamming or interference (two transmitters at the same carrier frequency, F0).
Least secure modulation scheme.

Narrowband or Spread Spectrum (cont.)?

Frequency Hopping Spread Spectrum uses a carrier frequency that varies with time, F0(t). Invented and patented by actress Hedy Lamarr and her pianist George Antheil.
The receiver must track the time-varying carrier frequency, F0(t).
Relatively easy to implement (inexpensive).
Prone to jamming or interference (two transmitters at the same carrier frequency, F0) during any single transmit interval. Hopping rates may be ~1600 hops/second (à la Bluetooth).
Very secure modulation scheme (used in the military for decades).

Narrowband or Spread Spectrum (cont.)?

Direct Sequence Spread Spectrum uses a fixed carrier frequency, F0, but interleaves the data with a precise mathematical 0/1 data sequence. (This increases the length of the transmitted information vector, making it longer.) The information is replicated many times throughout the bandwidth, so if one lobe of the information is jammed, the remainder gets through. Highly robust technique.
The receiver then locks onto the carrier frequency, F0, receives the signal and then must undo the interleaving.
More difficult to implement (more expensive).
Most complicated scheme (of these presented).
Most secure modulation scheme.

Direct-Sequence Spread-Spectrum Signals

[Block diagram. Transmitter: data (data clock) is modulated onto the carrier, then multiplied by a PN sequence generator driven by a PN clock. Receiver: wide band-pass filter, multiplication by a local PN sequence generator (local PN clock), narrow band-pass filter, phase demodulator with local carrier. Power spectral density sketches versus frequency around fc: the spectrum is narrow at the output of the modulator before spreading; it has wider bandwidth and lower power density after spreading with the PN sequence (PN rate >> data rate), and narrowband RFI is spread out by the receiver's despreading; the original narrowband, high power density spectrum is restored if the local PN sequence is the same as and lined up with the received PN sequence.]
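As an added example (not code from the slides or from RAE Systems), the following Python models the spread/despread chain in the diagram above: data bits are multiplied by a 31-chip PN sequence, a narrowband jammer ten times stronger than the signal is added on the channel, and the receiver correlates with its local PN copy. The receiver holding the aligned PN sequence recovers the data, a receiver with the wrong chip alignment does not, and an unspread narrowband link is wiped out by the same jammer. The LFSR, the sample bits and the constant-offset jammer model are constructed for this example; the chip sequence stands in for whatever spreading code a real radio uses.

```python
import math


def m_sequence():
    """31-chip maximal-length PN sequence from a 5-stage LFSR (recurrence
    a_n = a_{n-5} XOR a_{n-2}), mapped to +1/-1 chips. Constructed for this example."""
    bits = [1, 0, 0, 0, 0]
    for n in range(5, 31):
        bits.append(bits[n - 5] ^ bits[n - 2])
    return [1 if b else -1 for b in bits]


def spread(data_bits, pn):
    """Transmitter: every data bit (+1/-1) is multiplied chip-by-chip by the PN
    sequence, so one bit becomes len(pn) chips (the slide's 'longer vector')."""
    chips = []
    for bit in data_bits:
        chips.extend(bit * chip for chip in pn)
    return chips


def add_narrowband_jammer(chips, level):
    """Channel: a narrowband interferer on the carrier looks, after
    demodulation, like a constant offset added to every chip."""
    return [chip + level for chip in chips]


def despread(received, pn):
    """Receiver: correlate each block of len(pn) chips with the local PN copy.
    Returns (decided bits, raw correlation values)."""
    n = len(pn)
    bits, correlations = [], []
    for start in range(0, len(received), n):
        corr = sum(r * c for r, c in zip(received[start:start + n], pn))
        correlations.append(corr)
        bits.append(1 if corr >= 0 else -1)
    return bits, correlations


def processing_gain_db(pn):
    """The wanted signal adds coherently over N chips (N x amplitude) while a
    constant jammer only contributes level * sum(pn), which is 1 for an m-sequence."""
    return 10 * math.log10(len(pn))


def demo(jammer_level=10.0):
    data = [1, -1, 1, 1, -1, -1, 1]                 # constructed sample bits
    pn = m_sequence()
    misaligned = pn[1:] + pn[:1]                     # right sequence, wrong chip alignment
    received = add_narrowband_jammer(spread(data, pn), jammer_level)
    with_pn, correlations = despread(received, pn)
    without_pn, _ = despread(received, misaligned)
    # The same jammer against an unspread narrowband link: one sample per bit.
    narrowband = [1 if x >= 0 else -1 for x in add_narrowband_jammer(data, jammer_level)]
    return {
        "data": data,
        "dsss_recovered": with_pn == data,
        "misaligned_recovered": without_pn == data,
        "narrowband_recovered": narrowband == data,
        "correlations": correlations,
    }


if __name__ == "__main__":
    print(demo())
    print("processing gain: %.1f dB" % processing_gain_db(m_sequence()))
```

With the correct, aligned sequence each bit correlates to 31 x bit plus only 1 x jammer (the m-sequence sums to +1), so a jammer at 20 dB above the chip amplitude still leaves a clean decision; the misaligned receiver sees a correlation of -1 x bit plus the same jammer term and decides every bit the same way. That difference between 31 and 1 is the processing gain, about 14.9 dB for 31 chips.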

Narrowband or Spread Spectrum (cont.)?
Which is best?

Each has its pluses and minuses, and each scheme has its share of diehard advocates and/or naysayers!
Different vendors use these (and other) schemes at different frequencies within the various ISM bands.
From a security standpoint, DSSS is best.

Reality
[Spectrum captures: DSSS and FHSS]

No Matter What... It's Just an Electromagnetic Field

E(t) = A(t) cos[ωt + φ(t)]
A(t): amplitude of the wave
ω: radian frequency of the wave
φ(t): phase of the wave

The RF Footprint: Network Size

Personal Area Network: typical radiated power: 0 dBm, size: 10 m
Local Area Network: typical radiated power: 20 dBm, size: 100 m
Wide Area Network: typical radiated power: >30 dBm, size: >2000 m

There are SO many technical questions: such as

Network Topologies?
[Diagrams: bus network, tree network, ring network, star network, ad hoc network]

The Real World Presents the Wireless Channel with Multipath and Attenuation... and...

Real World: Multipath
[Figures: the effect, the cause]

Real World: Atmospheric Attenuation at 2.4 GHz; Rayleigh Fading @ 2.4 GHz
[Figures]

Real World: Signal Attenuation at 2.4 GHz
[Figure]

Real World: And Signal-to-Noise Ratios really do matter!
Anecdotal evidence: as Frankfurt has increased the deployment of 2.4 GHz wireless surveillance cameras, the background noise level has increased by 12 dB. (This plays havoc with the BER or, for fixed BER, the overall data rate.)

Real World: Which Frequency is Best?
[Chart]
ALERT! ALERT!! Notice that the operation at 2.45 GHz is WORSE than at 900 MHz (which is worse than 433 MHz).
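As an added example (not from the slides), the following Python puts numbers on the RF footprint and frequency slides above: free-space path loss for the three ISM bands, the link margin a LAN-class radio (20 dBm at 100 m, as on the footprint slide) has left at each band, and the distance at which a 0 dBm PAN radio runs out of margin. The receiver sensitivity of -85 dBm is an assumption; the Friis free-space model is the idealized case, so real indoor ranges are shorter once the multipath and attenuation from the preceding slides are added.

```python
import math

C_M_PER_S = 299_792_458.0


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB (Friis): 20*log10(4*pi*d*f/c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_mhz * 1e6 / C_M_PER_S)


def extra_loss_db(freq_low_mhz, freq_high_mhz):
    """Additional free-space loss of the higher band at the same distance.
    Depends only on the frequency ratio: 20*log10(f_high/f_low)."""
    return 20 * math.log10(freq_high_mhz / freq_low_mhz)


def link_margin_db(tx_dbm, distance_m, freq_mhz, rx_sensitivity_dbm):
    """How many dB of fade, multipath or noise rise the link can absorb before
    the received power drops below the receiver's sensitivity."""
    return tx_dbm - fspl_db(distance_m, freq_mhz) - rx_sensitivity_dbm


def free_space_range_m(tx_dbm, freq_mhz, rx_sensitivity_dbm):
    """Distance at which the link margin reaches 0 dB (free space only)."""
    loss_budget = tx_dbm - rx_sensitivity_dbm
    loss_at_1m = 20 * math.log10(4 * math.pi * freq_mhz * 1e6 / C_M_PER_S)
    return 10 ** ((loss_budget - loss_at_1m) / 20)


def compare_bands(distance_m=100.0, tx_dbm=20.0, rx_sensitivity_dbm=-85.0):
    """Link margin at the three ISM bands on the slides for one LAN-class radio
    (20 dBm, 100 m) and an assumed -85 dBm receiver sensitivity."""
    return {f: round(link_margin_db(tx_dbm, distance_m, f, rx_sensitivity_dbm), 1)
            for f in (433, 915, 2450)}


if __name__ == "__main__":
    for f, margin in compare_bands().items():
        print(f"{f:5d} MHz: margin {margin:5.1f} dB")
    print("2.45 GHz vs 433 MHz: %.1f dB more loss" % extra_loss_db(433, 2450))
    print("a 12 dB noise rise leaves %.1f dB at 2.45 GHz" % (compare_bands()[2450] - 12))
    print("0 dBm PAN radio at 2.45 GHz, free-space range: %.0f m" % free_space_range_m(0, 2450, -85))
```

The frequency ratio alone costs 2.45 GHz about 15 dB against 433 MHz and about 8.6 dB against 915 MHz, which is the ordering the slide's ALERT points at; the same function also shows why the 12 dB noise rise reported for Frankfurt matters, since it eats half of the 2.45 GHz margin in this scenario.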

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review

Wireless Data Security: Encryption, Spreading, Interleaving

Wireless networks use a variety of techniques to enhance security, such as spreading and interleaving. These techniques can make the signal virtually undetectable without prior knowledge about the network. This can improve the security of the network by orders of magnitude.

Slide courtesy of Wayne Manges, ORNL

The Wireless Market

[Chart: range (short to long, PAN to LAN) against data rate (low to high), with application classes (text, graphics/internet, hi-fi audio, streaming video, digital video, multi-channel video) and technologies placed on it: ZigBee and Bluetooth 1 at low rate/short range, Bluetooth 2, 802.11b, and 802.11a/HL2 & 802.11g at higher rates/LAN range.]

Bluetooth vs. the Rest (cont'd)

Parameter      802.11                        HomeRF                     Bluetooth                    ZigBee (proposed)
Technology     2.4 GHz, DSSS, 11 chips/bit   2.4 GHz, FHSS, 50 hops/s   2.4 GHz, FHSS, 1000+ hops/s  2.4 GHz, DSSS, 15 chips/bit
Data Rate      11 Mbps                       1 Mbps                     1 Mbps                       40 kbits/s
Power          +20 dBm                       +20 dBm                    0, +20 dBm                   0 dBm
Range          50 m                          50 m                       1-10 m, 50 m                 100 m
Topology       128 devices, CSMA/CA          128 devices, CSMA/CA       8 devices, piconet           100s devices, CSMA/CA
Security       Optional WEP                  Optional encryption        (not in extracted text)      Not yet
Voice channel  Optional                      Optional                   Yes                          No

Bluetooth aka IEEE 802.15.1
ZigBee aka IEEE 802.15.4

Side by Side
[Photos]

802.11?

The Worldwide View of the 802.11 Spectral Space
[Chart]

Radiated Field from a Single AP (Kansas City)
[Figure]

20 dB Attenuation Profile for Univ. of Kansas Eng. Bldg., Mesh and AP Deployments
[Figure]
WEP (encrypted traffic)

The industry's solution: WEP (Wired Equivalent Privacy)
Share a single cryptographic key among all devices
Encrypt all packets sent over the air, using the shared key
Use a checksum to prevent injection of spoofed packets

Early History of WEP
1997: 802.11 WEP standard released
Mar 2000: Simon, Aboba, Moore: some weaknesses
Oct 2000: Walker: Unsafe at any key size
Jan 30, 2001: Borisov, Goldberg, Wagner: 7 serious attacks on WEP
Feb 5, 2001: NY Times, WSJ break the story

Subsequent Events
Jan 2001: Borisov, Goldberg, Wagner
Mar 2001: Arbaugh: Your 802.11 network has no clothes
May 2001: Arbaugh: more attacks
Jun 2001: Newsham: dictionary attacks on WEP keys
Aug 2001: Fluhrer, Mantin, Shamir: efficient attack on the way WEP uses RC4
Feb 2002: Arbaugh, Mishra: still more attacks

WEP Attack Tools

Downloadable procedures from the Internet.
To crack the key:
AirSnort: http://airsnort.sourceforge.net
WEPCrack: http://sourceforge.net/projects/wepcrack/
To brute force entry into a WLAN:
THC-RUT: http://www.thehackerschoice.com/releases.php

Wi-Fi Protected Access (WPA)

Flaws in WEP known since January 2001; flaws include weak encryption (keys no longer than 40 bits), static encryption keys, and lack of a key distribution method.
IEEE is developing the 802.11i standard for enhanced wireless security. It addresses weak data encryption and user authentication within the existing 802.11 standard.
The 802.11i standard will not be ratified until late 2003, possibly early 2004 (outstanding issues).
WPA standard: joint effort between the Wi-Fi Alliance and IEEE; WPA is a subset of the IEEE 802.11i standard (Draft 3.0).
WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).

WPA Data Encryption

WPA uses Temporal Key Integrity Protocol (TKIP): stronger data encryption, addresses known vulnerabilities in WEP.
TKIP chosen as the primary encryption cipher suite: easily deployed and supported in legacy 802.11b hardware compared to other available cipher suites.
TKIP is based on the RC4 stream cipher algorithm and surrounds the WEP cipher engine with 4 new algorithms:
1. Extended 48-bit Initialization Vector (IV) and IV sequencing rules (compared to the shorter 24-bit WEP RC4 key).
2. New per-packet key mixing function.
3. Derivation and distribution method, a.k.a. rekeying.
4. A message integrity check (MIC), a.k.a. Michael, ensures messages haven't been tampered with during transmission.

WPA Data Encryption, cont'd: the Temporal Key Integrity Protocol

[Diagram of TKIP encapsulation: the Temporal Key and TA go through phase 1 key mixing to produce the TTAK key; the TTAK key and TSC go through phase 2 key mixing to produce the WEP seed(s) (represented as WEP IV + RC4 key). The MIC key with SA + DA + plaintext MSDU data produces the MIC; plaintext MSDU + MIC is fragmented into plaintext MPDU(s), which go through WEP encapsulation to produce ciphertext MPDU(s).]

DA: Destination Address
ICV: Integrity Check Value
MPDU: Message Protocol Data Unit
MSDU: MAC Service Data Unit
RSN: Robust Security Network
SA: Source Address
TA: Transmitter Address
TKIP: Temporal Key Integrity Protocol
TSC: TKIP Sequence Counter
TTAK: result of phase 1 key mixing of Temporal Key and Transmitter Address
WEP: Wired Equivalent Privacy
WEP IV: Wired Equivalent Privacy Initialization Vector

WPA Data Encryption, cont'd

TKIP implements countermeasures: reduces the rate at which an attacker can make message forgery attempts down to two packets every 60 seconds.
After the 60 second timeout a new PMK or Groupwise Key is generated, depending on which was attacked; this ensures the attacker cannot obtain information from the attacked key.
Countermeasures bound the probability of successful forgery and the amount of information an attacker can learn about a key.
TKIP is made available as a firmware or software upgrade to existing legacy hardware.
TKIP eliminates having to replace existing hardware or having to purchase new hardware.
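As an added example (not code from the slides, the Wi-Fi Alliance or IEEE), the following Python models the receiver side of the TKIP countermeasure described above: the MIC over SA + DA + plaintext MSDU is checked on every frame, the first MIC failure is logged, a second failure within 60 s shuts TKIP traffic off for 60 s, and fresh keys are installed before traffic resumes. Michael is replaced by a truncated HMAC-SHA-256 stand-in, the rekey is a hash of the old key standing in for the real key handshake, and fragmentation and RC4 encapsulation are omitted; the addresses, payloads and timeline are constructed.

```python
import hashlib
import hmac

MIC_LEN = 8                      # Michael produces a 64-bit MIC; the stand-in is truncated to match
COUNTERMEASURE_WINDOW_S = 60.0   # a second MIC failure within this window triggers countermeasures


class TkipReceiver:
    def __init__(self, mic_key):
        self.mic_key = mic_key
        self.last_failure_at = None   # time of the most recent logged MIC failure
        self.blackout_until = 0.0     # TKIP frames are refused until this time
        self.rekey_pending = False
        self.rekeys = 0
        self.mic_failures = 0

    def _mic(self, sa, da, payload):
        # Stand-in for Michael, keyed over SA + DA + plaintext MSDU as in the TKIP diagram.
        return hmac.new(self.mic_key, sa + da + payload, hashlib.sha256).digest()[:MIC_LEN]

    def protect(self, sa, da, payload):
        """Sender side: plaintext MSDU + MIC (fragmentation and RC4 encapsulation omitted)."""
        return payload + self._mic(sa, da, payload)

    def tick(self, now):
        """Once the 60 s blackout has expired, install fresh keys before accepting traffic."""
        if self.rekey_pending and now >= self.blackout_until:
            # Stand-in for the handshake that derives a new pairwise/group key.
            self.mic_key = hashlib.sha256(b"rekey|" + self.mic_key).digest()[:16]
            self.rekey_pending = False
            self.rekeys += 1

    def receive(self, now, sa, da, frame):
        self.tick(now)
        if now < self.blackout_until:
            return "dropped:countermeasures-active"
        payload, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        if hmac.compare_digest(mic, self._mic(sa, da, payload)):
            return "accepted"
        self.mic_failures += 1
        if (self.last_failure_at is not None
                and now - self.last_failure_at < COUNTERMEASURE_WINDOW_S):
            # Second failure inside the window: stop TKIP traffic for 60 s, then rekey.
            self.blackout_until = now + COUNTERMEASURE_WINDOW_S
            self.rekey_pending = True
            self.last_failure_at = None
            return "mic-failure:countermeasures-started"
        self.last_failure_at = now       # first failure: log it and keep going
        return "mic-failure:logged"


def run_scenario():
    """Constructed timeline (seconds): one genuine frame, two forgeries 29 s apart,
    a genuine frame during the blackout, then traffic after the rekey."""
    sa, da = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")   # constructed addresses
    rx = TkipReceiver(b"constructed-demo-key")
    genuine = rx.protect(sa, da, b"tank_level=73.4%")
    forged = bytearray(genuine)
    forged[0] ^= 0x01                  # a single flipped payload bit
    forged = bytes(forged)
    log = [
        rx.receive(0.0, sa, da, genuine),
        rx.receive(1.0, sa, da, forged),
        rx.receive(30.0, sa, da, forged),
        rx.receive(40.0, sa, da, genuine),
        rx.receive(100.0, sa, da, genuine),   # old key is gone: even the genuine frame fails
    ]
    log.append(rx.receive(100.5, sa, da, rx.protect(sa, da, b"tank_level=73.5%")))
    return log, rx.rekeys, rx.mic_failures
```

The cost of the countermeasure is visible in the scenario: the genuine frame at t = 40 s is dropped along with everything else, which is the availability trade the slide's "two packets every 60 seconds" bound implies, and a sender that keeps using the pre-rekey MIC key is rejected after the blackout until it has rekeyed too.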

Bluetooth?

Bluetooth - Some Specifications
Uses the unlicensed 2.402 - 2.480 GHz frequency range
Frequency hopping spread spectrum: 79 hops separated by 1 MHz
Maximum frequency hopping rate: 1600 hops/sec
Nominal range: 10 cm to 10 meters
Nominal antenna power: 0 dBm
One complete Bluetooth data packet can be transmitted within each 625 µsec hop slot.

Potential Bluetooth Markets
[Figure]

Bluetooth Market Forecast
[Chart]
Nov 03: 100M Bluetooth compliant devices worldwide

Bluetooth Protocol Stack
[Diagram]
Adopted protocols:
PPP (Point-To-Point Protocol)
TCP/UDP/IP
OBEX - Session Protocol for IrDA (Infrared Data Association)
Content Format (e.g. vCard, vCalendar)
WAP - Wireless Application Protocol

Bluetooth Security
Supports unidirectional or mutual encryption based on a secret link key shared between two devices.
Security defined in 3 modes:
Mode 1 - No Security
Mode 2 - Service Level Security: not established before channel is established at L2CAP
Mode 3 - Link Level Security: device initiates security before LMP link is set up

Devices and services can be set for different levels of security.
Two trust levels are set for devices:
Trusted device: fixed relationship and unrestricted access to all services
Untrusted: no permanent relationship and restricted services

3 levels of service access:
Require authorization and authentication
Require authentication only
Default security for legacy applications

But is this Wireless Link Secure?
Newsflash, Jan 2001: Norwegian hackers crack a Bluetooth transmission.

Analysis of a Bluetooth Transmission
[Figure]
High overhead?

802.15.4/ZigBee?

IEEE 802.15.4 standard
Includes layers up to and including Link Layer Control. LLC is standardized in 802.1.
Supports multiple network topologies including Star, Cluster Tree and Mesh.
Features of the MAC: association/dissociation, ACK, frame delivery, channel access mechanism, frame validation, guaranteed time slot management, beacon management, channel scan.
Low complexity: 26 primitives versus 131 primitives for 802.15.1 (Bluetooth).

[Protocol stack: ZigBee Application Framework; Networking App Layer (NWK); Data Link Controller (DLC); IEEE 802.15.4 LLC with IEEE 802.2 LLC, Type I; IEEE 802.15.4 MAC; IEEE 802.15.4 868/915 MHz PHY and IEEE 802.15.4 2400 MHz PHY.]

PHY overview
Speed: 20, 40 or 250 kbps
Channels: 1 channel in the 868 MHz band; 10 channels in the 915 MHz band; 16 channels in the 2.4 GHz band
Modulation: BPSK (868 MHz/20 kbps); BPSK (915 MHz/40 kbps); O-QPSK (2.4 GHz/250 kbps)
Coexistence with 802.11b DSSS, 802.15.1 FHSS, 802.15.3 DSSS

MAC overview
Security support
Power consumption consideration
Dynamic channel selection
Network topology: star topology, p2p topology, cluster tree network topology

Device classification
Full Function Device (FFD):
Any topology
Can talk to RFDs or other FFDs
Operates in three modes: PAN coordinator, coordinator, device
Reduced Function Device (RFD):
Limited to star topology
Can only talk to an FFD (coordinator)
Cannot become a coordinator
Unnecessary to send large amounts of data
Extremely simple
Can be implemented using minimal resources and memory capacity

Transmission management
Acknowledgement: no ACK, ACK
Retransmission
Duplicate detection
Indirect transmission

Security
Unsecured mode
ACL mode: access control
Secured mode: access control, data encryption, frame integrity, sequential freshness

Scalable Security
Assume the attacker can deploy own nodes (can create a ring at some distance from the controller) [Wisenet 2003].
Enemy nodes mimic the mesh nodes; they ACK the health inquiry as if everything was OK but they do not forward to the rest of the net.
The rest of the network is virtually cut off from inspection by the controller.
Need a secure key and a random seed that changes at each round.
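As an added example (not code from the slides, IEEE or any ZigBee vendor) serving both the 802.15.4 security-mode slide and the scalable-security slide above, the following Python implements the secured-mode checks other than encryption (access control by ACL, frame integrity by a keyed tag, sequential freshness by a per-node frame counter) and the per-round random seed the second slide calls for. A node that mimics a real node's address without holding its key cannot produce a valid ACK to the health inquiry, a recorded ACK replayed in the same or a later round is rejected, and the controller can list which ACL nodes went unanswered, which is exactly the "cut off" part of the mesh. The addresses, keys and tag construction (truncated HMAC-SHA-256) are assumptions for this example.

```python
import hashlib
import hmac
import os

TAG_LEN = 8


def frame_tag(key, addr, counter, seed):
    """Keyed integrity tag over (source address, frame counter, round seed).
    HMAC-SHA-256 truncated to 8 bytes stands in for the MAC's own frame integrity code."""
    msg = addr + counter.to_bytes(4, "big") + seed
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class SensorNode:
    def __init__(self, addr, key):
        self.addr, self.key, self.counter = addr, key, 0

    def ack_health_inquiry(self, seed):
        self.counter += 1     # sequential freshness: the counter only ever increases
        return (self.addr, self.counter, seed,
                frame_tag(self.key, self.addr, self.counter, seed))


class MimicNode:
    """Attacker-deployed node answering for a real node's address without its key."""
    def ack_health_inquiry(self, victim_addr, seed):
        return (victim_addr, 1, seed, bytes(TAG_LEN))


class Controller:
    def __init__(self, acl):
        self.acl = dict(acl)                      # ACL: short address -> per-node key
        self.last_counter = {a: 0 for a in acl}   # highest accepted counter per node
        self.seed = None
        self.answered = set()

    def start_round(self):
        """Send a health inquiry carrying a fresh random seed."""
        self.seed = os.urandom(8)
        self.answered = set()
        return self.seed

    def check_ack(self, addr, counter, seed, tag):
        key = self.acl.get(addr)
        if key is None:
            return "rejected:not-in-acl"              # access control
        if seed != self.seed:
            return "rejected:stale-round"             # ack for an old inquiry
        if counter <= self.last_counter[addr]:
            return "rejected:replay"                  # sequential freshness
        if not hmac.compare_digest(tag, frame_tag(key, addr, counter, seed)):
            return "rejected:bad-tag"                 # frame integrity
        self.last_counter[addr] = counter
        self.answered.add(addr)
        return "accepted"

    def cut_off(self):
        """ACL nodes with no valid ack this round: the part of the mesh the controller can no longer inspect."""
        return sorted(a for a in self.acl if a not in self.answered)


def run_scenario():
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    node_a_addr, node_b_addr = b"\x00\x01", b"\x00\x02"
    ctrl = Controller({node_a_addr: key_a, node_b_addr: key_b})
    node_a = SensorNode(node_a_addr, key_a)   # node B sits behind the enemy ring and never answers
    mimic = MimicNode()
    log = []
    seed1 = ctrl.start_round()
    ack = node_a.ack_health_inquiry(seed1)
    log.append(ctrl.check_ack(*ack))                                          # genuine
    log.append(ctrl.check_ack(*ack))                                          # same frame again
    log.append(ctrl.check_ack(*mimic.ack_health_inquiry(node_b_addr, seed1)))  # forged on B's behalf
    log.append(ctrl.check_ack(b"\x00\x99", 1, seed1, bytes(TAG_LEN)))         # unknown address
    missing_round1 = ctrl.cut_off()
    seed2 = ctrl.start_round()
    log.append(ctrl.check_ack(*ack))                                          # round-1 ack replayed into round 2
    log.append(ctrl.check_ack(*node_a.ack_health_inquiry(seed2)))             # fresh ack for round 2
    return log, missing_round1, ctrl.cut_off()
```

The random seed is what defeats the mimic ring's strategy of replaying last round's "everything OK" ACKs: without the node's key the mimic can copy the address and the seed but not the tag, and without a fresh seed a recorded genuine ACK would verify forever.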

What About:
1451.5? 1xRTT? SAT? CDPD? Others?
No time this morning!

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review
There are SO many technical questions: such as

Integrated Industrial Networks?
If the sensor network is to integrate into an industrial setting, then you should be cognizant of the Industrial Networking arena.

Industrial Device Network Topology
Typically, three layers of networking make up enterprise-wide networks. Ethernet acts as the company's intranet backbone, and it's linked to controllers or industrial PCs, which supply strategic data to the enterprise. An industrial network, or fieldbus, links sensors and smart devices. A gateway (not uncommon in a large system with lots of devices) links devices that have only RS-232 or RS-485 ports to the fieldbus system.

Industrial Device Networks
General characteristics for industrial device networks have arisen.
[Table]
Obviously the complexity of the network increases as the functionality is increased.

Classification of Industrial Networks
Three logical groupings of instrumentation networks used in an industrial setting.
There are over 100 different proprietary networks in the field.

Inside Security Incident
Employee attacks PLC in another plant area over PLC highway.
Password changed to obscenity, blocking legitimate maintenance and forcing process shutdown.
[Diagram: disgruntled employee on the plant highway reaching PLCs in the steam plant and paper plant.]
* Source: BCIT Industrial Security Incident Database (ISID)

Network Positioning
[Chart: industrial networks positioned by data, functionality, complexity and cost (low to high). Top: Ethernet TCP/IP. Middle: ControlNet, Foundation Fieldbus H2, Profibus-FMS, Profibus-DP, Data Highway+, Interbus-S, Modbus Plus, Remote I/O, DeviceNet, other CAN, SDS. Lower: Fieldbus H1, Profibus-PA, Modbus, HART. Bottom: ASi, Seriplex, hardwiring, RS-485, etc.]

Too Focused on Internet Issues?
Myth #1: Our SCADA/PLC/DCS is safe if we don't connect to the Internet.
Myth #2: Our Internet firewall will protect our control systems.
Myth #3: Our IT department understands process control issues and security.

Is Industrial Comm Security Too Focused on Internet Issues?
[Diagram: the enterprise network (enterprise resource planning, manufacturing logistics, production planning, remote engineering) sits behind a firewall to the Internet. Production networks (Ethernet, programming stations, SCADA, process historian) connect down to the control network of PLCs and field devices. Paths that bypass the Internet firewall: an 802.11 WLAN with a handheld operator terminal, and an OEM modem exposed to a war-dialing attack.]
Source (used by permission): Interface Technologies, Windsor, CT, 2002

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review

Bit Rate vs. Quality of Service
How many bits are needed?
[Chart]
The more bits you xmit, the more power you consume!

Coding vs. Quality of Service
Is coding really necessary?
[Chart]

Direct Sequence Spread Spectrum
[Figure]

Comparing Wireless Technologies
[Table comparing DSSS, FHSS and UWB on range, battery life, numbers in area and RF power. Cell values in the extracted text: DSSS: medium, low, longest, high; FHSS: long, short, medium; UWB: medium, lowest, short, high; RF power column: high. The column order of the values is not recoverable from the extracted text.]

Technology Beats Marketing in Performance!
Technology versus Attributes Summary Chart

[Table: attributes (long range, plug-and-play, long battery life, low RFI risk, self locating, secure, high throughput, non line-of-sight, robust connections, low cost, small size) against technology choices: spreading (DSSS, FHSS, UWB), multiple access (CDMA, TDMA, FDMA), low-power designs, mobile ad hoc networks, power harvesting, embedded intelligence, diversity, FEC, open standards, band (900 MHz, 2.4 GHz, 5.8 GHz) and modulation (BPSK, QPSK, M-ary). Cells hold a technology name, "yes" or "NA"; the cell-to-row mapping is not recoverable from the extracted text.]

Statistics on Types of Attacks
[Chart: % of respondents. *Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute - www.gocsi.com/losses.]

OptimizationofSecurityvs.Cost
Risk reduction is balanced against the cost of
security counter measures to mitigate the risk.

Optimal Level of Security


at Minimum Cost

Cost ($)
Cost of Security
Countermeasures

Cost of Security
Breaches

Security Level
ISA Wireless Security, P. Fuhr

108

Risk in Safety vs. Risk in Security

Safety Definition: Risk is a measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.
Security Definition: Risk is an expression of the likelihood that a defined threat will exploit a specific vulnerability of a particular attractive target or combination of targets to cause a given set of consequences.
*Source: CSPP Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites
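A worked example of the two preceding slides (the countermeasure-cost versus breach-cost curve, and risk as likelihood times magnitude), added here as an illustration and not taken from the presentation. The threats, their yearly likelihoods and losses, the countermeasure prices and their effect on each threat are constructed numbers, and the names (link_encryption, node_auth, fhss_radios, rf_monitoring) are placeholders.

```python
"""Cost of countermeasures vs. cost of breaches: finding the minimum.

Added worked example, not material from the presentation. The threat figures and
countermeasure prices below are constructed for illustration only.
"""
from itertools import combinations

# Constructed threat scenarios for a plant wireless sensor network.
# likelihood = expected incidents per year, loss = cost per incident in dollars,
# i.e. the safety-style "likelihood x magnitude" measure of risk.
THREATS = {
    "eavesdropping": {"likelihood": 2.0,  "loss": 15_000},
    "jamming":       {"likelihood": 0.5,  "loss": 40_000},
    "rogue_node":    {"likelihood": 0.25, "loss": 120_000},
}

# Constructed countermeasures: annual cost, and for each threat the fraction of
# its likelihood the countermeasure removes (0 = no effect, 1 = eliminates it).
COUNTERMEASURES = {
    "link_encryption": {"cost": 8_000,  "reduces": {"eavesdropping": 0.95}},
    "node_auth":       {"cost": 12_000, "reduces": {"rogue_node": 0.9, "eavesdropping": 0.2}},
    "fhss_radios":     {"cost": 25_000, "reduces": {"jamming": 0.6}},
    "rf_monitoring":   {"cost": 6_000,  "reduces": {"jamming": 0.3, "rogue_node": 0.4}},
}


def annual_loss_expectancy(threats, countermeasures, selected=()):
    """Residual annualized loss: sum over threats of likelihood x loss, with the
    likelihood scaled down by every selected countermeasure that affects it."""
    total = 0.0
    for name, threat in threats.items():
        likelihood = threat["likelihood"]
        for cm in selected:
            likelihood *= 1.0 - countermeasures[cm]["reduces"].get(name, 0.0)
        total += likelihood * threat["loss"]
    return total


def total_cost(threats, countermeasures, selected=()):
    """The quantity the chart minimizes: what you pay for security plus what
    you still expect to lose to breaches."""
    spend = sum(countermeasures[cm]["cost"] for cm in selected)
    return spend + annual_loss_expectancy(threats, countermeasures, selected)


def optimal_set(threats, countermeasures):
    """Exhaustive search over countermeasure subsets (fine for a handful of
    options) for the minimum total cost. Returns (cost, chosen names)."""
    names = list(countermeasures)
    best_cost, best_set = total_cost(threats, countermeasures), ()
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            cost = total_cost(threats, countermeasures, subset)
            if cost < best_cost:
                best_cost, best_set = cost, subset
    return best_cost, best_set


if __name__ == "__main__":
    print("do nothing:", total_cost(THREATS, COUNTERMEASURES))
    cost, chosen = optimal_set(THREATS, COUNTERMEASURES)
    print("optimum:", cost, chosen)
    print("everything:", total_cost(THREATS, COUNTERMEASURES, tuple(COUNTERMEASURES)))
```

With these constructed numbers the optimum buys three of the four countermeasures and leaves out the most expensive one, because the residual jamming loss it would remove costs less than the radios do; buying everything lands on the rising part of the curve.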

Firewall Architectures
The external router blocks attempts to use the underlying IP layer to break security (e.g. IP spoofing, source routing, packet fragments, etc.) and forces all traffic to the proxy.
The proxy firewall handles potential security holes in the higher-layer protocols.
The internal router blocks all traffic except to the proxy server.

(Diagram: Internet, external router, proxy firewall, internal router, internal network, in that order.)
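The three rules on the slide, written as executable filter logic so the division of labour between the two routers can be checked against sample traffic. This is an added illustration, not code from the presentation: the addresses (10.20.0.0/16 for the plant network, the 192.0.2.0/24 documentation range for the screened subnet, 192.0.2.10 for the proxy) and the packets are constructed.

```python
"""Screened-subnet policy (external router, proxy, internal router) as
executable filter rules.

Added illustration, not code from the presentation. Addresses and packets are
constructed; the 192.0.2.0/24 documentation range stands in for the DMZ.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed plant network
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # assumed screened subnet
PROXY = ipaddress.ip_address("192.0.2.10")            # assumed proxy firewall
# Source ranges that are never legitimately routed in from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]


def external_router(pkt):
    """Inbound filter on the Internet-facing router. Returns (allowed, reason).
    Drops IP-layer tricks and forces everything that survives to the proxy."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src in INTERNAL_NET or src in DMZ_NET:
        return False, "spoofed source: inside address arriving from outside"
    if any(src in net for net in BOGONS):
        return False, "bogon source"
    if pkt.get("source_route"):
        return False, "IP source-routing option"
    if pkt.get("frag_offset", 0) > 0 or pkt.get("more_fragments", False):
        return False, "IP fragment"           # fragments can hide headers from the filter
    if dst != PROXY:
        return False, "destination is not the proxy"
    return True, "forwarded to proxy"


def internal_router(pkt):
    """Filter between the screened subnet and the plant network: only the
    proxy may talk to inside hosts, and inside hosts only to the proxy."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src == PROXY and dst in INTERNAL_NET:
        return True, "proxy -> internal"
    if src in INTERNAL_NET and dst == PROXY:
        return True, "internal -> proxy"
    return False, "not proxy traffic"


# Constructed test traffic (name, packet fields). 203.0.113.0/24 is a
# documentation range standing in for an Internet host.
INBOUND = [
    ("web_to_proxy",   {"src": "203.0.113.5", "dst": "192.0.2.10"}),
    ("spoofed_inside", {"src": "10.20.1.5",   "dst": "192.0.2.10"}),
    ("source_routed",  {"src": "203.0.113.5", "dst": "192.0.2.10", "source_route": True}),
    ("fragment",       {"src": "203.0.113.5", "dst": "192.0.2.10", "frag_offset": 8}),
    ("direct_inside",  {"src": "203.0.113.5", "dst": "10.20.1.5"}),
]
INSIDE = [
    ("proxy_reply",    {"src": "192.0.2.10",  "dst": "10.20.1.5"}),
    ("bypass_attempt", {"src": "203.0.113.5", "dst": "10.20.1.5"}),
    ("client_request", {"src": "10.20.1.5",   "dst": "192.0.2.10"}),
]


def apply(rules, packets):
    """Run each named packet through one router; returns {name: allowed}."""
    return {name: rules(pkt)[0] for name, pkt in packets}


if __name__ == "__main__":
    for name, pkt in INBOUND:
        print("external", name, *external_router(pkt))
    for name, pkt in INSIDE:
        print("internal", name, *internal_router(pkt))
```

The point of the second router is the "bypass_attempt" case: even if an outside packet got past the external router, nothing that is not the proxy is allowed to reach a plant host.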

There's a lot of Wireless
From cell phones to PDAs to WiFi to satellite-based...

Wireless LAN Standards

Existing/Developing IEEE 802.11 Standards

802.11   Frequency Hopping / DSSS
802.11a  54 Mbps / HiperLAN
802.11b  (1999) 11 Mbps
802.11e  Quality of Service
802.11f  Point-to-point roaming
802.11g  (2003) 54 Mbps
802.11h  European-inspired changes
802.11i  (Q2 2004) New encryption protocols
802.1X   (2001) Port-based network access control
802.15   Personal Area Network (WPAN)
802.16   Wireless Metropolitan Area Network (WMAN)

Wireless Backbone for In-flight Entertainment
On-Board Network Integration
(Diagram: picocell BTSs, MCU, GSM server, noise floor lifter and SDU making up the on-board network.)

...and we haven't even touched on RFID!

There's a lot of Wireless
And it all needs to feel more Secure!

For a real review of networking security, take Eric Byres' ISA course IC32C.

Will History Repeat?
Wireless security: not just 802.11

Cellular networks
  1980  analog cellphones: AMPS
        analog cloning, scanners
        fraud pervasive & costly
  1990  digital: TDMA, GSM
        TDMA eavesdropping [Bar]
        more TDMA flaws [WSK]
        GSM cloneable [BGW]
        GSM eavesdropping [BSW, BGW]
  2000  Future: 3rd gen.: 3GPP

Wireless networks
  1999  802.11, WEP
  2000  WEP broken [BGW]
  2001  WEP badly broken [FMS]
  2002  attacks pervasive
  2003  WPA
        Future: 802.11i

Sensor networks
  2002  proprietary systems
  2003  1451, 802.15.4, Tiny
        Future: ???
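Two of the design flaws behind the "WEP broken" entries on the timeline, shown on a miniature WEP frame: keystream reuse when the 24-bit IV repeats (ciphertexts XOR to the XOR of the plaintexts, so one known frame exposes the other), and the linearity of the CRC-32 integrity value (an attacker can flip payload bits and patch the encrypted checksum without the key). This is an added worked example, not code from the presentation; RC4 and CRC-32 are what WEP really uses, but the key, IV and frame contents are constructed.

```python
"""WEP weaknesses on a toy frame: IV reuse and CRC-32 bit-flipping.

Added worked example, not from the presentation. Key, IV and payloads are
constructed; RC4 + CRC-32 and the IV || key construction are WEP's real design.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (key scheduling + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_bytes(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV (3 bytes, sent in clear) || RC4_{IV||key}(P || CRC32(P))."""
    body = plaintext + crc_bytes(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns the plaintext, or None when the ICV check fails."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if crc_bytes(pt) == tag else None


def recover_with_iv_reuse(frame1: bytes, known_pt1: bytes, frame2: bytes) -> bytes:
    """Same IV => same keystream, so C1 ^ C2 = P1 ^ P2; a known P1 yields P2."""
    assert frame1[:3] == frame2[:3], "attack needs a repeated IV"
    n = len(known_pt1)
    return xor(xor(frame1[3:3 + n], frame2[3:3 + n]), known_pt1)


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: crc(P ^ d) = crc(P) ^ crc(d) ^ crc(0...0). XOR d into
    the encrypted payload and the matching patch into the encrypted ICV; the
    receiver's integrity check still passes, with no key and no plaintext."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    patch = xor(crc_bytes(delta), crc_bytes(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], patch)


# Constructed demo values.
DEMO_KEY = b"\x01\x02\x03\x04\x05"       # 40-bit WEP key
DEMO_IV = b"\x4a\x4b\x4c"
DEMO_P1 = b"setpoint=450"
DEMO_P2 = b"setpoint=300"

if __name__ == "__main__":
    f1 = wep_encrypt(DEMO_KEY, DEMO_IV, DEMO_P1)
    f2 = wep_encrypt(DEMO_KEY, DEMO_IV, DEMO_P2)
    print("recovered:", recover_with_iv_reuse(f1, DEMO_P1, f2))
    forged = bitflip(f1, xor(DEMO_P1, b"setpoint=999"))
    print("receiver accepts:", wep_decrypt(DEMO_KEY, forged))
```

Both attacks work without touching the key, which is why the timeline ends at WPA and 802.11i: they replace the CRC with a keyed integrity check and stop reusing keystream.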

PATRIOT Act
USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act
Legally classifies many hacking attacks as acts of terrorism.

So If Nothing Else, at Least PLEASE Do This for Your WiFi System!
WLAN Security Countermeasures

Conduct a site survey
  Identify areas of signal strength and weakness
Do a walkaround with NetStumbler
  Document and shut down rogue access points
  Document and shut down unauthorized wireless NICs
AND TURN ON SOME LEVEL OF THE PROVIDED PROTECTION! (Use the strongest the equipment supports: WPA, or 802.11i once available; fall back to WEP only when nothing better exists, since it is known to be broken.)
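A small triage of walkaround results against the access-point inventory, covering the three items on the slide (rogue access points, unauthorized radios, protection switched off or downgraded) plus the site-survey coverage check. This is an added example, not code from the presentation: the inventory, the scan records and the -70 dBm coverage floor are constructed (real survey tools export similar fields: BSSID, SSID, channel, privacy, signal).

```python
"""Triage of a walkaround scan against the AP inventory: rogue APs, evil
twins, weak protection, weak coverage.

Added example; not from the presentation. Inventory, scan records and the
thresholds are constructed assumptions.
"""

# Constructed asset inventory of authorized access points.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "PLANT-OPS",   "channel": 1},
    "00:11:22:33:44:02": {"ssid": "PLANT-OPS",   "channel": 6},
    "00:11:22:33:44:03": {"ssid": "PLANT-GUEST", "channel": 11},
}

# Constructed walkaround output: (bssid, ssid, channel, privacy, signal in dBm).
SCAN = [
    ("00:11:22:33:44:01", "PLANT-OPS",   1,  "WPA",  -48),
    ("00:11:22:33:44:02", "PLANT-OPS",   6,  "WEP",  -55),   # someone downgraded it
    ("00:11:22:33:44:03", "PLANT-GUEST", 11, "OPEN", -76),   # open, and barely reachable
    ("de:ad:be:ef:00:01", "PLANT-OPS",   6,  "OPEN", -40),   # impersonates the plant SSID
    ("a4:5e:60:12:34:56", "linksys",     11, "OPEN", -72),   # employee-installed AP
]

WEAK_PRIVACY = {"OPEN", "WEP"}   # WEP is broken; treat it like no protection
MIN_SIGNAL_DBM = -70             # assumed coverage floor for authorized APs


def triage(scan, inventory, min_signal=MIN_SIGNAL_DBM):
    """Return (bssid, ssid, finding) tuples for everything that needs to be
    documented and, per the slide, shut down or reconfigured."""
    findings = []
    known_ssids = {ap["ssid"] for ap in inventory.values()}
    for bssid, ssid, channel, privacy, signal in scan:
        if bssid not in inventory:
            # An unknown radio advertising one of our SSIDs is worse than a plain
            # rogue: clients will associate to it and hand over their traffic.
            kind = "evil twin" if ssid in known_ssids else "rogue AP"
            findings.append((bssid, ssid, kind))
            continue
        expected = inventory[bssid]
        if expected["ssid"] != ssid:
            findings.append((bssid, ssid, "unexpected SSID"))
        if expected["channel"] != channel:
            findings.append((bssid, ssid, "channel changed"))
        if privacy in WEAK_PRIVACY:
            findings.append((bssid, ssid, "weak protection"))
        if signal < min_signal:
            findings.append((bssid, ssid, "weak signal"))
    return findings


def must_shut_down(findings):
    """The BSSIDs the slide says to document and shut down."""
    return sorted({b for b, _, kind in findings if kind in ("rogue AP", "evil twin")})


if __name__ == "__main__":
    results = triage(SCAN, AUTHORIZED_APS)
    for bssid, ssid, kind in results:
        print(f"{bssid}  {ssid:12}  {kind}")
    print("shut down:", must_shut_down(results))
```

The inventory is the piece most sites lack: without a list of authorized BSSIDs, a walkaround only tells you what is on the air, not what should not be.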

Oh...
And don't forget that as you layer in all of these wacky encryption schemes and CDMA and DSSS and... and... it takes some joules to actually implement this. So if your wireless network has prime power (a.k.a. AC) you're OK. But if you're running off a battery, then it's a tradeoff of security versus power consumption. You choose that one!

...and in the end...

BumbleBee with RF transceiver
...or...
HoneyBee with RFID

Two potential forms of wireless sensor networks. And they should both be secure!

Outline:
1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (it's RF in an industrial setting: spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review
7. Glossary and References

Glossary
10BASE-T: IEEE 802.3 standard for a twisted-pair Ethernet network. 10 Mbps transmission rate over baseband using unshielded twisted-pair cable.
802.11: The IEEE 802.11 standard defines both frequency-hopping and direct-sequence spread-spectrum solutions for use in the 2.4 GHz ISM (Industrial, Scientific, Medical) band.
802.11a: The 802.11 amendment that uses OFDM in the 5 GHz band for data rates up to 54 Mbps.
802.11b: The portion of the 802.11 specification that defines the 11 Mbps data rate in the 2.4 GHz band.
A
Access Point: Provides a bridge between Ethernet wired LANs and the wireless network. Access points are the connectivity point between Ethernet wired networks and devices (laptops, handheld computers, point-of-sale terminals) equipped with a wireless LAN adapter card.
Analog phone: Comes from the word "analogous," which means similar to. In telephone transmission, the signal being transmitted from the phone (voice, video or image) is analogous to the original signal.
Antenna, Directional: Transmits and receives radio waves off the front of the antenna. The power behind and to the sides of the antenna is reduced. The coverage area is oval with the antenna at one of the narrow ends. Typical directional antenna beamwidth angles are from 90 degrees (somewhat directional) to as little as 20 degrees (very directional). A directional antenna directs power to concentrate the coverage pattern in a particular direction. The antenna direction is specified by the angle of the coverage pattern, called the beamwidth.
Antenna, Omnidirectional: Transmits and receives radio waves in all directions. The coverage area is circular with the antenna at the center. Omnidirectional antennas are also referred to as whip or low-profile antennas.
Association: The process of determining the viability of the wireless connection and establishing a wireless network's root and designated access points. A mobile unit associates with its wireless network as soon as it is powered on or moves into range.
ATM: Asynchronous Transfer Mode. A type of high-speed wide area network.

Glossary
B
Backbone: A network that interconnects other networks, employing high-speed transmission paths and often spanning a large geographic area.
Bandwidth: The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines the rate at which information can be transmitted through the circuit.
Bandwidth Management: Functionality that allocates and manages RF traffic by preventing unwanted frames from being processed by the access point.
BC/MC: Broadcast frames; Multicast frames.
Beacon: A uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the Net_ID (ESSID), the AP address, the broadcast destination addresses, a timestamp, a DTIM (Delivery Traffic Indication Map) and the TIM (Traffic Indication Map). Beacons are unauthenticated management frames: any radio can transmit one advertising any SSID, which is what makes rogue and impersonating access points possible.
BFA Antenna Connector: Miniature coaxial antenna connector manufactured by Murata Manufacturing Corporation.
Bluetooth: See Wireless Personal Area Networks.
Bridge: A device that connects two LANs of the same or dissimilar types. It operates at the Data Link Layer, as opposed to routers. The bridge provides fast connection of two collocated LAN segments that appear as one logical network through the bridge.
Buffer: A segment of computer memory used to hold data while it is being processed.

Glossary
C
CAM (Continuously Aware Mode): Mode in which the adapter is instructed to continually check for network activity.
Card and Socket Services: Packages that work with the host computer operating system, enabling the wireless LAN adapter to interface with host computer configuration and power management functions.
Cellular Phone: Low-powered, duplex radio/telephone that operates between 800 and 900 MHz, using multiple transceiver sites linked to a central computer for coordination. The sites, or "cells," cover a range of one to six or more miles in each direction.
Centrex: Business telephone service offered by a local telephone company from a local telephone company office. Centrex is basically a single-line phone system leased to businesses as a substitute for buying or leasing their own on-premises phone system or PBX.
CDMA and TDMA: The Code Division Multiple Access and Time Division Multiple Access standards for wireless communications on wide area networks (WANs) in North America.
Circuit switching: The process of setting up and keeping a circuit open between two or more users so that users have exclusive and full use of the circuit until the connection is released.
Client: A computer that accesses the resources of a server.
Client/Server: A network system design in which a processor or computer designated as a server (such as a file server or database server) provides services to other client processors or computers.
CODEC: Coder-Decoder. Audio compression/decompression algorithm that is designed to offer excellent audio performance. Converts voice signals from their analog form to digital signals acceptable to modern digital PBXs and digital transmission systems. It then converts those digital signals back to analog so that you may hear and understand what the other person is saying.
Computer Telephony Integration: Technology that integrates computer intelligence with making, receiving, and managing telephone calls. Computer telephony integrates messaging, real-time connectivity, transaction processing and information access.

Glossary
D
Data Terminal: Computer transmit and receive equipment, including a wide variety of dumb terminals or terminals without embedded intelligence in the form of programmed logic. Most data terminals provide a user interface to a more capable host computer, such as a mainframe or midrange computer.
Decryption: Decryption is the decoding and unscrambling of received encrypted data. The same device, host computer or front-end processor, usually performs both encryption and decryption.
Desktop Conferencing: A telecommunications facility or service on a PC that permits callers from several diverse locations to be connected together for a conference call.
Digital Phone System: Proprietary phone system provided by a vendor, such as AT&T, Mitel, Northern Telecom, and so on. The voice being carried is the same as in an analog phone system, but it is transmitted as digital signals. The system can consist of a proprietary PBX system that converts voice signals from their analog form to digital signals, and then converts those digital signals back to analog. Alternatively, the conversion from analog to digital can occur in a digital phone.
Direct Inward Dialing: DID. The ability for a caller outside a company to call an internal extension without having to pass through an operator or attendant. In large PBX systems, the dialed digits are passed from the PSTN to the PBX, which then completes the call.
Direct Sequence (DS) Spread Spectrum: Direct sequence transmits data by generating a redundant bit pattern for each bit of information sent. Commonly referred to as a "chip" or "chipping code," this bit pattern is at least 10 chips per bit of information (802.11 uses an 11-chip Barker sequence). Compared with frequency hopping, direct sequence has higher throughput, wider range and is upgradable in the 2.4 GHz band.
Diversity Reception: The use of two antennas attached to a single access point to improve radio reception. The second antenna is used only for receiving radio signals, while the primary is used for both transmitting and receiving.
Driver: A program routine that links a peripheral device, such as a mobile unit's radio card, to the computer system.

Glossary
E
Element-level Management: Level of technologies aimed at small or medium-sized businesses.
Encryption: Entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted over a network.
Ethernet: A local area network used for connecting computers, printers, workstations, terminals, servers, and so on, within the same building or campus. Ethernet operates over twisted wire and over coaxial cable at speeds up to 100 Mbps, with gigabit (1 Gbps) variants also standardized.
F
Filtering: Prevents user-defined frames from being processed by the access point.
Fragmentation Threshold: The maximum size for directed data packets transmitted over the radio. Larger frames fragment into several packets this size or smaller before transmission over the radio. The receiving station reassembles the transmitted fragments.
Frame Mode: A communications protocol supported by the OEM modules. The frame protocol implements asynchronous serial Point-to-Point (PPP) frames similar to those used by serial Internet protocols.
Frequency Hopping (FH) Spread Spectrum: Actress Hedy Lamarr and composer George Antheil patented a frequency-hopping scheme during World War II (1942). As its label suggests, frequency hopping transmits using a narrowband carrier that changes frequency in a given pattern. There are 79 channels in the 2.4 GHz ISM band, each channel occupying 1 MHz of bandwidth. A minimum hop rate of 2.5 hops per channel per second is required in the United States. Frequency-hopping proponents cite advantages over direct sequence in echo resistance, interference immunity, cost and ease of installation, and to date there has also been a greater selection of WLAN products from which to choose.
FTP (File Transfer Protocol): A common Internet protocol used for transferring files from a server to the Internet user. It uses TCP/IP commands. Credentials and data are sent in the clear.
G
Gain, dBd: Antenna gain, expressed in decibels referenced to a half-wave dipole.
Gain, dBi: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator.
Gain, dBic: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator that is circularly polarized.
Gatekeeper: Software that performs two important functions to maintain the robustness of the network: address translation and bandwidth management. Gatekeepers map LAN aliases to IP addresses and provide address lookups when needed.
Gateway: Optional element in an H.323 conference. Gateways bridge H.323 conferences to other networks, communications protocols, and multimedia formats. Gateways are not required if connections to other networks or non-H.323-compliant terminals are not needed.
GHz: The international unit for measuring frequency is the hertz (Hz), which is equivalent to the older unit of cycles per second. One gigahertz (GHz) is one billion hertz. Microwave ovens typically operate at 2.45 GHz.
GSM: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).

Glossary
H
H.323: An umbrella standard from the International Telecommunications Union (ITU) that addresses call control, multimedia management, and bandwidth management for point-to-point and multipoint conferences, as well as interfaces between LANs and other networks. The most popular such standard in use at the time of writing.
Handheld PC (HPC): The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Windows CE operating system.
I
Interactive Voice Response: System used to access a database application using a telephone. The voice processing acts as a front end to appropriate databases that reside on general-purpose computers. For instance, DTMF (touch-tone) input of a Personal Identification Number can be required for access, or more unusual and expensive techniques such as voice recognition and voiceprint matching.
Internet: World's largest network, often referred to as the Information Superhighway. The Internet is a virtual network based on packet-switching technology. The participants on the Internet and its topology change on a daily basis.
Internet Commerce: Electronic business transactions that occur over the Internet. Samples of Internet commerce applications include electronic banking, airline reservation systems, and Internet malls.
Internet Phone: Device used to transmit voice over the Internet, bypassing the traditional PSTN and saving money in the process. An Internet phone can be a small phone (such as the NetVision Phone) or a multimedia PC with a microphone, speaker, and modem.
Interoperability: The ability of equipment or software to operate properly in a mixed environment of hardware and software from different vendors. Enabled by the IEEE 802.11 open standard.
IP (Internet Protocol): The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet. Provides the basis of the Internet connectionless, best-effort packet delivery service. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two fundamental protocols.
International Roaming: Ability to use one adapter worldwide.
Intranet: A private network that uses Internet software and Internet standards. In essence, an intranet is a private Internet reserved for use by people who have been given the authority and passwords necessary to use that network.
ISDN: Integrated Services Digital Network. Network technology offered by local phone companies that is designed for digital communications, computer telephony, and voice processing systems.
ISM Band: The ISM (industrial, scientific and medical) bands at 902-928 MHz, 2.400-2.4835 GHz and 5.725-5.850 GHz are the radio frequency bands allocated by the FCC for unlicensed continuous operation at up to 1 W transmitter power (Part 15 rules). All three bands are shared with industrial, scientific and medical equipment, which is the source of the name; there is no one-to-one mapping of "industrial", "scientific" and "medical" onto the three bands. The most recent spectrum approved by the FCC for WLANs was the 5 GHz U-NII bands in January 1997.
ITU: International Telecommunications Union. Standards body that defined H.323 and other international standards.
J
Jitter: Noise on a communications line which is based on phase hits, causing potential phase distortions and bit errors.

Glossary
K
Kerberos: A widely deployed security protocol that was developed at the Massachusetts Institute of Technology (MIT) to authenticate users and clients in a wired network environment and to securely distribute encryption keys.
Key Telephone System: A system in which the telephone has multiple buttons permitting the user to directly select central office phone lines and intercom lines. Key phone systems are most often found in relatively small business environments, typically around 50 telephones.
L
Layer: A protocol that interacts with other protocols as part of an overall transmission system.
LPD (Line Printer Daemon): A TCP-based protocol typically used between a Unix server and a printer driver. Data is received from the network connection and sent out over the serial port.
M
MAC (Media Access Control): Part of the Data Link Layer, as defined by the IEEE, this sublayer contains protocols for gaining orderly access to cable or wireless media.
MD5: A cryptographic hash function (not an encryption algorithm, despite the "MD5 encryption" label some vendor documents use), used here as the basis of the authentication exchange when a mobile unit (MU) is in a foreign subnet (see Mobile IP). MD5 is no longer collision-resistant and should not be chosen for new designs.
MIB (Management Information Base): An SNMP structure that describes the specific device being monitored by the remote monitoring program.
Microcell: A bounded physical space in which a number of wireless devices can communicate. Because it is possible to have overlapping cells as well as isolated cells, the boundaries of the cell are established by some rule or convention.
Modem: Equipment that converts digital signals to analog signals and vice versa. Modems are used to send digital data signals over the analog PSTN.
MMCX Antenna Connector: Miniature coaxial antenna connector in use by several major wireless vendors.
Mobile IP: The ability of the mobile unit to communicate with the other host using only its home IP address, after changing its point of attachment to the Internet and intranet.
Mobile Unit (MU): May be a Symbol Spectrum24 terminal, PC Card and PCI adapter, bar code scanner, third-party device, and others.
Mobile Unit Mode: In this mode, the WLAN adapter connects to an access point (AP) or another WLAN installed system, allowing the device to roam freely between AP cells in the network. Mobile units appear as network nodes to other devices.
Modulation: Any of several techniques for combining user information with a transmitter's carrier signal.
Multipath: The signal variation caused when radio signals take multiple paths from transmitter to receiver.
Multipath Fading: A type of fading caused by signals taking different paths from the transmitter to the receiver and, consequently, interfering with each other.

Glossary
N
Node: A network junction such as a switch or a routing center.
P
Packet Switching: Refers to sending data in packets through a network to some remote location. In a packet-switched network, no circuit is left open on a dedicated basis. Packet switching is a data switching technique only.
PBX Phone System: Private Branch eXchange. Small version of the phone company's larger central switching office. An alternative to a PBX is to subscribe to a local telephone company's Centrex service.
PCMCIA (Personal Computer Memory Card International Association) PC Card: A credit-card-size device used in laptop computers and available as removable network adapters.
PCS (Personal Communications Service): A lower-powered, higher-frequency competitive technology to cellular. Whereas cellular typically operates in the 800-900 MHz range, PCS operates around 1.9 GHz in the U.S. (1850-1990 MHz). The idea with PCS is that the phones are cheaper, have less range, and are digital. The cells are smaller and closer together, and airtime is cheaper.
Peer-to-peer Network: A network design in which each computer shares and uses devices on an equal basis.
Ping: A troubleshooting application that sends an ICMP echo request to a network device and measures the response time.
PLD (Data Link Protocol): A raw packet protocol based on the Ethernet frame format. All frames are sent to the wireless network verbatim; it should be used with care, as improperly formatted data can go through with undesirable consequences.
Plug and Play: A feature that allows a computer to recognize the PCI adapter and configure the hardware interrupt, memory, and device recognition addresses; requires less user interaction and minimizes hardware conflicts.
Pocket PC: The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Pocket PC operating system.
Point-of-Sale Device: A special type of equipment that is used to collect and store retail sales data. This device may be connected to a bar code reader and it may query a central computer for the current price of that item.
POTS (Plain Old Telephone Service): The basic service supplying standard single-line telephones, telephone lines, and access to the public switched telephone network.
Power Management: Algorithms that allow the adapter to sleep between checking for network activity, thus conserving power.
PSP (Power Save Polling): Stations power off their radios for long periods. When a mobile unit in PSP mode associates with an access point, it notifies the AP of its activity status. The AP responds by buffering packets received for the MU.
PSTN (Public Switched Telephone Network): Refers to the worldwide voice telephone network accessible to all those with telephones and access privileges. In the U.S. it is operated by many carriers (the former Bell companies among them) rather than a single provider.

Glossary
Q
QoS (Quality of Service): Measure of the telephone service quality provided to a subscriber. QoS refers to things like: Is the call easy to hear? Is it clear? Is it loud enough? (In 802.11e the term means prioritization of traffic classes over the air.)
R
RBOC (Regional Bell Operating Company): One of the seven Bell operating companies set up after the divestiture of AT&T, each of which owns two or more Bell Operating Companies (BOCs).
Roaming: Movement of a wireless node between two microcells. Roaming usually occurs in infrastructure networks built around multiple access points.
Repeater: A device used to extend cabling distances by regenerating signals.
Router: The main device in any modern network that routes data blocks from source to destination using routing tables and determining the best path dynamically. It functions as an addressable entity on the LAN and is the basic building block of the Internet.
S
SNMP (Simple Network Management Protocol): The network management protocol of choice for TCP/IP-based intranets. Defines the method for obtaining information about network operating characteristics and changing parameters for routers and gateways. SNMPv1 and v2c authenticate with community strings sent in the clear; prefer SNMPv3 with authentication and privacy where the equipment supports it.
Scanning: A periodic process where the mobile unit sends out probe messages on all frequencies defined by the country code. The statistics enable a mobile unit to re-associate by synchronizing its frequency to the AP. The MU continues communicating with that access point until it needs to switch cells or roam.
Site Survey: Physical environment survey to determine the placement of access points and antennas, as well as the number of devices necessary to provide optimal coverage, in a new or expanding installation.
Spread Spectrum: A transmission technique developed by the U.S. military in World War II to provide secure voice communications, spread spectrum is the most commonly used WLAN technology today. The signal is manipulated in the transmitter so that the bandwidth becomes wider than the actual information bandwidth; to a receiver that does not know the spreading parameters the signal looks like background noise, which is where the technique's original security value came from. In standardized WLAN products (802.11, Bluetooth) the spreading codes and hop sequences are published, so any compliant receiver can despread the signal and spread spectrum provides no confidentiality on its own; encryption is still required. Interference from narrowband signals is also minimized to background noise when it is despread by the receiver. Two types of spread spectrum exist: direct sequence and frequency hopping.
Stream Mode: A communications protocol supported only by the Telnet and TCP protocols. Stream mode transfers serial characters as they are received by encapsulating them in a packet and sending them to the host.

Glossary
T
T1: A type of dedicated digital leased line available from a public telephone provider with a capacity of 1.544 Mbps. A T1 line can normally handle 24 voice conversations, each one digitized at 64 Kbps. With more advanced digital voice encoding techniques, it can handle more voice channels. T1 is the standard for digital transmission in the U.S., Canada, Hong Kong, and Japan.
TCP/IP: Networking protocol that provides communication across interconnected networks, between computers with diverse hardware architectures and various operating systems. TCP/IP is used in the industry to refer to the family of common Internet protocols.
TCP (Transmission Control Protocol): Controls the transfer of data from one client to one host, providing the mechanism for connection maintenance, flow control, retries, and timeouts.
Telnet: A remote terminal protocol that uses TCP/IP as a reliable transport mechanism. Considered extremely stable, but it carries logins and session data in the clear; use SSH instead wherever the device supports it.
Terminal: An endpoint which provides for real-time, two-way communications with another terminal, gateway, or mobile unit.
Token Ring: A ring type of local area network (LAN) in which a supervisory frame, or token, must be received by an attached terminal or workstation before that terminal or workstation can start transmitting. Token ring is the technique used by IBM and others.
U
UDP (User Datagram Protocol): UDP/IP is a connectionless protocol that describes how messages reach application programs running in the destination machine; provides low overhead and fast response and is well suited for high-bandwidth applications.
V
Video Conferencing: Video and audio communication between two or more people via a video CODEC (coder/decoder) at either end and linked by digital circuits.
Voice Mail System: Device or system that records, stores, and retrieves voice messages. The two types of voice mail devices are those which are "stand-alone" and those which offer some integration with the user's phone system.
W
WiFi: A logo granted as the "seal of interoperability" by the Wireless Ethernet Compatibility Alliance (WECA). Only select wireless networking products possess this certification of IEEE 802.11b interoperability.
Wireless AP Support: Access Point functions as a bridge to connect two Ethernet LANs.

Glossary
Wireless Local Area Network (WLAN): A wireless LAN is a data communications system providing wireless peer-to-peer (PC to PC, PC to hub, or printer to hub) and point-to-point (LAN to LAN) connectivity within a building or campus. In place of TP or coaxial wires or optical fiber as used in a conventional LAN, WLANs transmit and receive data over electromagnetic waves. WLANs perform traditional network communications functions such as file transfer, peripheral sharing, e-mail, and database access as well as augmenting wired LANs. WLANs must include NICs (adapters) and access points (in-building bridges), and for campus communications building-to-building (LAN-LAN) bridges.
Wireless Personal Area Network (WPAN): Personal area networks are based on a global specification called Bluetooth (IEEE 802.15.1; the low-rate 802.15.4 radio used by sensor networks is the other 802.15 WPAN standard) which uses radio frequency to transmit voice and data. Over a short range, this cable-replacement technology wirelessly and transparently synchronizes data across devices and creates access to networks and the Internet. Bluetooth is ideal for mobile professionals who need to link notebook computers, mobile phones, PDAs, PIMs, and other handheld devices to do business at home, on the road, and in the office.
Wireless Wide Area Network (WWAN): Wide area networks utilize digital mobile phone systems to access data and information from any location in the range of a cell tower connected to a data-enabled network. Using the mobile phone as a modem, a mobile computing device such as a notebook computer, PDA, or a device with a stand-alone radio card can receive and send information from a network, your corporate intranet, or the Internet.

A Few References

Berge J., "Fieldbuses for Process Control: Engineering, Operation, Maintenance". ISA Press 2002, ISBN 1-55617
Black U., "Physical Level Interfaces and Protocols". IEEE, ISBN 0-8186-8824-6.
Black U., "The V-series recommendations". McGraw-Hill, ISBN 0-07-005592-0.
Bonfig K., "Feldbus-Systeme". Expert Verlag 1992, ISBN 3-8169-0771-7.
Borst W., "Der Feldbus in der Maschinen- und Anlagentechnik". Franzis Verlag, ISBN 3-7723-4621-9.
British Standards Institution, "Guide to the evaluation of fieldbus protocols". Report DISC PD0014:2000.
Brown, "The OSI Dictionary of acronyms". McGraw-Hill 1993, ISBN 0-07-057601-7.
Burton, "Fieldbus for Industrial Control Systems". Chapman & Hall 1997, ISBN 0-412-57890-5.
Centrum voor Micro-elektronica, "Intelligente sensornetwerken". 1993, 1996.
Control Engineering, issues of 1994 and 1995, "Fieldbus series".
Dietrich D., "Feldbustechnik in Forschung, Entwicklung und Anwendung". Springer Verlag, 1997.
ETG Fachbericht 37, "Datenübertragung auf Fahrzeugen mittels serieller Bussysteme". VDE Verlag, ISBN 3-80
ETZ Report 27, "Standardisierung der Prozeßdatenkommunikation". VDE Verlag 1991.
Fachzeitschrift DE, "Bussysteme für die Gebäudeinstallation". Hüthig & Pflaum, 1999.
Färber, "Bussysteme - parallele und serielle Bussysteme in Theorie und Praxis". Oldenbourg Verlag, ISBN 3-4
Frankort, "Digitale Communicatie". Delta Press 1989, ISBN 90-6674-726-9.
Gladdis, "How to automate your home". Baran-Harper 1991, ISBN 0-9632170-0-3.
Gruhler G., "Feldbusse und Geräte-Kommunikationssysteme". Franzis Verlag 2001, ISBN 3-7723-5745-8.
Hill, "A distributed control & diagnostic architecture for railway maintenance". University of South Carolina 19
Holzmann, "Design and validation of computer protocols". Prentice-Hall, ISBN 0-13-539834-7.
Huber J., "Industrial Fiber Optic Networks". ISA Press 1995, ISBN 1-55617-521-3-G.
Hulsebos R., "Veldbussen". Kluwer 1996, ISBN 90-557-6059-5.
IEE, "Colloquium: Fieldbus devices - A changing future". IEE 1994, Ref. 1994/236.
ISA, "Fieldbus Standard for use in industrial control systems". ISA 1993, ISBN 1-55617-317-2.
ISA, "The ISA Fieldbus Guide". ISA 1997, ISBN 1-55617-637-6.
Johannsmeyer, "Investigation into the intrinsic safety of fieldbus systems (FISCO)". PTB, report W53, ISBN 3-8
Jordan, "Serial networked field instrumentation". Wiley 1995, ISBN 0-471-95236-1.

References (cont.)
Keithley Instruments, "Demanding measurements on the factory floor".
Kluwer, "Handboek Industriële Netwerken". Kluwer 2000, ISBN 90-5404-628-7.
Kriesel, "Bustechnologien für die Automation, 2nd Ed.". Hüthig Verlag 2000, ISBN 3-7785-2778-9.
Lian, "Performance evaluation of control networks for manufacturing systems". Proceedings of the ASME (Dynamics and Control Division), 1999.
Miklovic, "Real-time control networks". ISA 1993, ISBN 1-55617-231-1.
Mikrocentrum Nederland, Syllabi themadagen "Industriële netwerken". 1993-2001.
Newman, "Direct digital control of building systems". Wiley 1994, ISBN 0-471-51696-1.
Phoenix, "Grundkurs Sensor/Aktor-Feldbustechnik". Vogel Verlag, ISBN 3-8023-1708-4.
Phoenix, "Grundkurs Feldbustechnik". Vogel Verlag 2000, ISBN 3-8023-1813-7.
Phoenix, "Basic course in sensor/actuator fieldbus technology". Vogel Verlag.
Physikalisch-Technische Bundesanstalt, "Investigations into the intrinsic safety of fieldbus systems". PTB 1994, ISBN 3-89429-512-0.
Reinert, "Sichere Bussysteme für die Automation". Hüthig Verlag 2001, ISBN 3-7785-2797-5.
Reißenweber B., "Feldbussysteme". Oldenbourg Verlag 2002, ISBN 3-486-24536-8.
Rikkert de Koe, "OSI-Protocollen lagen 1 t/m 4". Kluwer Telematica, ISBN 90-201-2388-2.
Rosch, "Gebäudesystemtechnik: Datenübertragung auf dem 230V Netz". Verlag Moderne Industrie 1998, ISBN 3-478-93185-1.
Scherff B., "Feldbussysteme in der Praxis". Springer Verlag 1999, ISBN 3-540-63880-6.
Schnell G., "Bussysteme in der Automatisierungs- und Prozesstechnik" (4th Ed.). Vieweg Verlag 2000, ISBN 3-528-36569.
Svacina, "Understanding Device Level Buses". Turck.
Thompson, "Industrial Data Communications: Fundamentals And Applications", 3rd Edition. ISA Press 2002, ISBN 1-55617-767-4-G.
Texas Instruments, "RS422 and RS485 Application Guide".
VDI/VDE, "Richtlinien 3687: Auswahl von Feldbussystemen durch Bewertung ihrer Leistungseigenschaften für verschiedene Anwendungsbereiche". VDI/VDE, 1997.
Wittgruber F., "Digitale Schnittstellen und Bussysteme". Vieweg Verlag 1999.
Wrobel, "Optische Übertragungstechnik in der Praxis, 2nd Ed.". Hüthig Verlag 1998, ISBN 3-7785-2638-3.

Questions? Comments?