Wireless network security continues to be an area of intense research and development, particularly in applications where wireless sensors are extending the reach of traditional monitoring and control systems. While the IT sector has embraced the IEEE 802.11i standard for corporate networks, engineers have many more options available to them for their industrial network designs. This presentation will provide an overview of IEEE 802.11i, IEEE 802.15.4, ZigBee, and other security protocols as they relate to measurement and automation applications. In addition, network design and commissioning best practices will provide attendees with a set of recommendations for guarding against the most common security attacks.
Wireless Security Best Practices for Remote Monitoring Applications
1. Wireless Security Best Practices for
Remote Monitoring Applications
Charlie Stiernberg
Remote Data Acquisition Product Manager, National Instruments
2. 2
A Wireless Security Story…
• The Maroochy Shire sewage treatment plant (Australia)
Between January and April 2000 the sewage system experienced 47 unexplainable faults
Millions of liters of sewage were spilled
• On October 31, 2001 Vitek Boden was convicted of:
26 counts of willfully using a computer to cause damage
1 count of causing serious environmental harm
3. 3
Agenda
• Wireless network security: a history
• IEEE 802.11i security for Wi-Fi networks
• IEEE 802.15.4 for wireless sensor networks
• ZigBee security protocols
• Network design best practices: an IT perspective
5. 5
Common Wireless Network Threats
• Dictionary Attack: brute-force method for “guessing” passwords / credentials
• Man-in-the-Middle Attack: rogue APs “trick” clients into sending them their security credentials
• Denial of Service (DoS): a flood of packets that consumes network resources
7. 7
IEEE 802.11 Overview
• “Wireless Ethernet”
• High bandwidth for streaming / waveform measurements
• 10+ years in the IT sector
Version | Released | Frequency | Max PHY Rate | Max TCP Rate
802.11  | 1997     | 2.4 GHz   | 2 Mb/s       | 1 Mbps
802.11b | 1999     | 2.4 GHz   | 11 Mb/s      | 14.4 Mbps
802.11a | 1999     | 5 GHz     | 54 Mb/s      | 24.4 Mbps
802.11g | 2003     | 2.4 GHz   | 54 Mb/s      | 24.4 Mbps
802.11n | 2009?    | 2.4 GHz   | ~540 Mb/s    | ~100 Mbps
8. 8
IEEE 802.11 (Wi-Fi) Security
• Three levels of IEEE 802.11 security
WEP (weak)
WPA (ok)
WPA2 (best; IEEE 802.11i)
• IEEE 802.11i security has two key components
Encryption = data protection
Authentication = access control
9. 10
Encryption
• TKIP = Temporal Key Integrity Protocol (WPA)
• AES = Advanced Encryption Standard (WPA2)
NIST-endorsed standard for government agencies
FIPS-approved (FIPS 197)
Time required for exhaustive key search (brute force attack):

Key size (bits) | Number of alternative keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32              | 2^32 = 4.3 x 10^9          | 35.8 minutes                     | 2.15 milliseconds
56              | 2^56 = 7.2 x 10^16         | 1,142 years                      | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^24 years                | 5.4 x 10^18 years

Source: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
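The numbers in the table above follow from one formula: an exhaustive search tries on average half the key space, 2^(k-1) keys, at the attacker's trial rate. This added example (not from the slides) reproduces the table from that formula; the unit rendering is a convenience of the example.

```python
# Added example (not from the slides): regenerate the brute-force key-search
# table from its formula.  Expected search time is half the key space
# (2^(k-1) trials on average) divided by the attacker's trial rate.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def key_space(bits):
    """Number of alternative keys for a k-bit key: 2^k."""
    return 1 << bits

def expected_search_seconds(bits, decryptions_per_us):
    """Average time to find a k-bit key by exhaustive search.
    decryptions_per_us is the attacker's trial rate per microsecond."""
    trials = key_space(bits) / 2               # on average half the keys are tried
    return trials / decryptions_per_us / 1e6   # microseconds -> seconds

def human_time(seconds):
    """Render seconds in the largest convenient unit, as the slide does."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0), ("milliseconds", 1e-3)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.4g} {name}"
    return f"{seconds * 1e6:.4g} microseconds"

def search_table(key_sizes=(32, 56, 128), rates_per_us=(1.0, 1e6)):
    """One row per key size: (bits, key space, [rendered time at each rate])."""
    return [(bits, key_space(bits),
             [human_time(expected_search_seconds(bits, r)) for r in rates_per_us])
            for bits in key_sizes]

if __name__ == "__main__":
    # Prints the three rows of the slide's table (32, 56 and 128-bit keys)
    for bits, space, times in search_table():
        print(f"{bits:>4} bits  {space:.2e} keys  " + "  ".join(times))
```

Doubling the attacker's rate a million-fold only moves the 128-bit row from 10^24 to 10^18 years, which is the point the slide makes about AES-128.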
10. 12
Authentication
• Three players in 802.11i authentication
Supplicant = client trying to access network (Wi-Fi DAQ)
Authenticator = WAP hardwired to secured network
Authentication Server = verifies identity of client
[Diagram: Supplicant <-> Authenticator <-> Authentication Server]
11. 13
IEEE 802.1X Port-Controlled Authentication
[Diagram: uncontrolled port and controlled port. Before authentication, only 802.1X traffic passes through the uncontrolled port and non-802.1X traffic is blocked at the controlled port. After authentication, the controlled port is opened and the client's non-802.1X traffic is forwarded.]
13. 15
EAP = Extensible Authentication Protocol
• EAP is a framework with different implementations
• ~40 different EAP methods
• Some require passwords/user credentials (PEAP)
• Some require client-side and/or server-side certificates (EAP-TLS)
• EAP can provide mutual authentication for the network and the supplicant
15. 17
IEEE 802.15.4 Overview
[Diagram: protocol stack, top to bottom]
Application (End User)
ZigBee Application Layer (APL), defined by the ZigBee Alliance
ZigBee Network Layer (NWK), defined by the ZigBee Alliance
802.15.4 Medium Access Control Layer (MAC), defined by IEEE 802.15.4
802.15.4 Physical Layer (PHY), defined by IEEE 802.15.4
The ZigBee Security Service Provider spans the APL and NWK layers
16. 18
IEEE 802.15.4 Security
• Security services defined in the MAC layer
• Access Control List (ACL) Mode
The MAC maintains a list of hardware device addresses with which it will communicate
• Secured Mode adds…
AES encryption up to 128 bits
Frame integrity with a message integrity code (MIC)
Sequential freshness: a frame counter appended to each MAC frame prevents replay attacks
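The three receiver-side checks just listed (ACL membership, MIC verification, and sequential freshness via a frame counter) as an added example that is not from the slides. Assumptions: the frame layout (16-bit short source address, 32-bit frame counter, payload, MIC) is a simplification, an HMAC-SHA256 truncated to 4 bytes stands in for the AES-based MIC of the real standard, and payload encryption is omitted so the integrity and freshness logic stays visible.

```python
import hashlib
import hmac
import struct

MIC_LEN = 4          # 802.15.4 allows 32-, 64- or 128-bit MICs; 32-bit used here
HEADER = ">HI"       # simplified header: 16-bit source address, 32-bit frame counter
HEADER_LEN = struct.calcsize(HEADER)

def mic(key, data):
    # ASSUMPTION: HMAC-SHA256 truncated to MIC_LEN stands in for the AES-based MIC
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]

def build_frame(key, src, counter, payload):
    """Sender side: header || payload || MIC computed over header and payload."""
    header = struct.pack(HEADER, src, counter)
    return header + payload + mic(key, header + payload)

class SecuredReceiver:
    def __init__(self, key, acl):
        self.key = key
        self.acl = set(acl)        # ACL mode: source addresses we will talk to
        self.last_counter = {}     # sequential freshness: highest counter seen per source

    def accept(self, frame):
        """Return (accepted, reason, payload) for one incoming frame."""
        if len(frame) < HEADER_LEN + MIC_LEN:
            return False, "malformed frame", None
        src, counter = struct.unpack(HEADER, frame[:HEADER_LEN])
        payload = frame[HEADER_LEN:-MIC_LEN]
        received_mic = frame[-MIC_LEN:]
        if src not in self.acl:
            return False, "source not in ACL", None
        # Integrity before freshness: a forged frame must not be able to
        # advance the stored counter and lock out the genuine sender
        if not hmac.compare_digest(received_mic, mic(self.key, frame[:-MIC_LEN])):
            return False, "bad MIC", None
        # Sequential freshness: counters must strictly increase per source,
        # so a captured frame that is re-sent later is rejected
        if counter <= self.last_counter.get(src, -1):
            return False, "replay: stale frame counter", None
        self.last_counter[src] = counter
        return True, "ok", payload
```

Because the counter is only stored after the MIC verifies, a device that is not in possession of the key cannot poison the freshness state of a legitimate sensor.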
17. 19
ZigBee Overview
• ZigBee Coordinator – starts and controls the network
• ZigBee Routers – extend network coverage
• ZigBee End Devices – transmit/receive messages
[Diagram: star, tree and mesh topologies, each rooted at a ZigBee Coordinator (ZC) with ZigBee Routers (ZR) extending coverage]
18. 20
ZigBee Security
• ZigBee security builds on IEEE 802.15.4
Application and Network Layer security
Key management for encryption and authentication
• ZigBee Trust Center
Authenticates joining devices
Manages key distribution in the network
• Standard Security Mode
• High Security Mode
19. 21
ZigBee Security Keys
Keys are used for encryption & authentication
• Network Keys
All devices on a ZigBee network share the same key
• Link Keys
Secure unicast messages between two devices
• Master Keys
Used as an initial shared secret between two devices to perform SKKE (Symmetric-Key Key Establishment) and generate a link key
20. 22
ZigBee Commissioning & Security
• Standard security
Preconfigured with active network key
Preconfigured with a Trust Center link key and address
• High security
Preconfigured with a Trust Center master key and address
• Not preconfigured (not recommended)
22. 24
IT & Engineering Network Convergence
Traditional Model – Separate Networks for IT/Corporate & Measurement/Control
[Diagram: HMI, sensors, motors and PLC/PAC on a control network, linked through a gateway to the back-end servers and business logic]
Converged Model – Shared Network for IT/Corporate & Measurement/Control
[Diagram: HMI, sensors, motors, wireless DAQ, Ethernet DAQ and PAC share one network with the back-end servers and business logic]
23. 25
Firewall
• Blocks unauthorized access while permitting outward communication
• Can also permit, deny, encrypt, decrypt, or proxy all traffic between different security domains
24. 26
Virtual Local Area Networks (VLANs)
• OSI Layer 2 technology
• Switch ports assigned to a VLAN
• Data is only forwarded to ports within the same VLAN
• Broadcasts and multicasts are restricted to their respective VLANs
• A Layer 3 device (router or Layer 3 switch) can pass messages between different VLANs
[Diagram: switch ports 1 to 5 assigned across VLAN 1, VLAN 2 and VLAN 3]
25. 27
VLAN Best Practices
• Logically segment networks (i.e., instrumentation VLAN vs enterprise VLAN)
• Assign VLANs to devices when traffic patterns are known
• Limit the flow of producer/consumer traffic outside of required devices
• Use a Layer 3 switch or router to exchange data between VLANs
26. 28
Wireless Intrusion Prevention System (WIPS)
• Continuous monitoring of radio spectrum for unauthorized devices (intrusion detection) and automatic countermeasures (intrusion prevention)
Rogue AP, man-in-the-middle, ad-hoc networks, DoS, MAC spoofing, etc.
27. 29
Pulling it All Together
• Logically segmented network (NIST SP 800-82)
• Firewalls & VLANs
• Demilitarized Zone (DMZ)
• Wireless link encryption & authentication
• WIPS
[Diagram: Measurement & Control Network | DMZ | Enterprise | Internet]
28. 30
Summary
• Wireless security can be robust when implemented correctly
• If you are still using WEP, stop…now
• New security technologies are still evolving for WSN
• Start planning with your IT group before they start planning for you