List: isn
Subject: [ISN] Users fear wireless networks for control
From: InfoSec News <alerts () infosecnews ! org>
Date: 2007-05-31 5:08:30
Message-ID: Pine.LNX.4.61.0705310007450.14813 () conundrum ! infosecnews ! org
http://www.isa.org/InTech/20070501
By Dick Caro
InTech Magazine
May 1, 2007
Last year, ISA ran a survey requesting end users to answer questions
related to their potential use of wireless technology for industrial
automation.
One user's response made a statement that may reflect a general attitude
of many potential users. Here is the slightly edited response:
There was no place on the wireless survey to make a comment, but rather
just to answer the predefined questions. I wanted to comment that I will
NOT have wireless in the plant for reasons of operational security not
related to hacking.
ALL wireless signal generation can be jammed and as such provides an
unnecessary operational risk. To those that state spread spectrum is
the answer to jamming, they are totally wrong. Spread spectrum came
about as a means to make hacking increasingly difficult by rotating
through a spectrum of frequencies. The fabricators of spread spectrum
did not see it as a technology that would or could overcome a spectrum
jammer. A white noise generator of sufficient power in the spectrum of
the wireless devices can jam ALL the frequencies used, leading to a
total collapse of data from those devices.
All devices manufactured today use the same ranges the FCC licensed for
open frequency use and specifically in use by telephone manufacturers,
such as 900 MHz, 2.4 GHz, 5.6 GHz, and the rest. A person just needs to
know which band a plant is using and build a jammer that operates at
least ± 40 Hz from this frequency to jam all the spread spectrum
frequencies as well.
Since these field devices operate in the very low power range
(milliwatt), a simple 100W generator should be sufficient to lock out
the devices from the control system over a couple of miles in range.
By ignoring white noise or targeted noise generators, you are opening
industry up to a catastrophic event to take place when people think
they are safe (when in fact they are not). Wired systems require direct
connections to interrupt signals or a VERY strong or CLOSE emf
(electromotive force (voltage)) to drop them. Even with wired
solutions, this STILL accidentally happens. For operational/safety
reasons, the petrochemical industry would be foolish to invest heavily
in wireless technologies.
I for one will be an outspoken critic of wireless for anything other
than informational data to be sent to our control systems. Operational
critical data will never be allowed over a wireless link in any plant
in which I have the influence to stop it.
— An unnamed plant engineer in LaPorte, Tex.
If these statements were true, then the ongoing investment by the
process-automation industry suppliers to support wireless networks for
industrial automation, and process control in particular, would be a
waste and ISA-SP100 standardization a foolish effort. In fact, there
are sound technical reasons why these statements are NOT true, although
the fear does remain.
Broadband frequency jammer
First of all, broad spectrum jamming is a military tactic used during
wartime to cripple radio communications, particularly on the battlefield
where low power radios are used.
During World War II, the Axis forces used exactly such a weapon against
Allied forces. Motivated by this jamming, the Hungarian-born Hollywood
actress Hedy Lamarr and her associate, the composer George Antheil, both
refugees from Europe, invented and patented frequency hopping spread
spectrum communications as a method to avoid its effects; their 1942
patent was aimed at jam-resistant radio control of torpedoes.
Although the patent, given to the U.S. Navy, called for mechanical
frequency hopping and the mechanism was never built, modern wireless
local area network (LAN) technology, including the original IEEE 802.11
frequency-hopping physical layer and IEEE 802.15.1 (Bluetooth), and most
modern military battlefield communications are built on this type of
spread spectrum.
Also, to avoid jamming and for frequency diversity to reduce the effects
of multiple signal paths, the technology being developed for
ISA-SP100 will use frequency hopping spread spectrum.
However, let us not forget that the worried respondent fears wireless
network traffic within a plant facility could be disrupted with an
inexpensive broadband frequency jammer: a radio that sends out white
noise across the frequencies used by the plant wireless network. I posed
this question to the radio frequency expert on the ISA-SP100 committee,
Åke Severinson, president and founder of Omnex Controls. Here is
Severinson's response:
Principles need to be verified with numbers in most engineering
disciplines; wireless communications is no exception. So let me start
with the 100-Watt wideband jammer (that the survey respondent above
mentioned).
A "simple" 100-watt jammer, by definition, does not direct or confine
its energy to a narrower band, nor is it frequency-agile. To jam the
full 2.4 GHz ISM (industrial, scientific, and medical) band, it would
need to spread its energy over the full 2,400 MHz spectrum.
An ISA-SP100 wireless system need only to be "open" (the rest limited
by filters) to about 1 MHz of that band. As a result, it would at any
one time only see 1/2,400th of the 100-Watt jamming power, or 42 mW.
Thus the wideband jammer power would be in the same order of power as
an SP100 wireless transmitter (expected to be between 1 and 100 mW).
With equal power sources, the one closest to the receiver will win.
Assuming you want to have some margin, you would want the desired
signal to be stronger than any interference source, typically by 10 dB
or so.
That translates to a path difference between the desired and
interfering signal of roughly three times. As ISA-SP100 and similar
industrial systems are low power devices by definition, they will
operate over fairly short distances (300 feet is a commonly referenced
number), and the wideband interferer would have to be within 1,000 feet
of the targets to be effective, not several miles as stated.
Highly correlated signal
Severinson's analysis rests on the supposition that a "simple" broadband
jammer generating 100 watts would be at work.
First, "simple" implies such a jammer is NOT concentrating its output
energy into the specific frequency band being used by the wireless
network, since the restrictions imposed by limiting bandwidth are
technically complex.
Second, a 100-Watt transmitter in this ISM band is illegal: unlicensed
operation under FCC Part 15.247 is capped at 1 watt of transmitter
output power for spread-spectrum devices, and at far less in many
configurations. Since it is illegal to sell such a device, one could
reasonably question where one could purchase one, although it is
possible to build one from commercially available RF amplifiers.
Illegality raises the cost of the attack; it is not in itself a
technical control.
Likewise, a 100-watt radio transmitter would be easy to detect, locate
by direction-finding, and shut down. This form of attack is probably
unlikely since other forms of attack are technically easier, less
costly, and more likely to cause longer-term disruption of an operating
plant.
Since the radio frequency spectrum is likely to fill up with other
networks using the same frequencies, such as WirelessHART, Wi-Fi, and
cordless telephones, plus the noise leaking from microwave ovens and
cell phones, all radios operating as part of ISA-SP100 will be required
to operate in the presence of such noise.
Good receiver design in this band means discriminating the wanted signal
from the surrounding noise, not merely detecting that a radio signal is
present. White noise does not "drown out" the signal; it adds
uncorrelated background noise.
An ISA-SP100 data stream is a highly correlated signal that a receiver
knowing the pattern can recover even when the noise power exceeds the
signal power, up to a limit set by the processing gain, which grows with
the ratio of spread bandwidth to data rate. Part of that correlation is
the frequency-hopping pattern, part of it is the use of direct sequence
spread spectrum with its chipping pattern, and both will be a part of
ISA-SP100.
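As an added illustration of the processing-gain argument (example code written for this edit, not code from the article, from ISA-SP100 or from any vendor): the same bit stream is sent once as plain antipodal symbols and once spread with a 64-chip pseudo-random ±1 chipping sequence, both under a white-noise jammer whose power per chip is ten times the signal power. The receiver that knows the chipping sequence correlates each block of chips against it, so the signal adds coherently while the uncorrelated noise averages down by the spreading factor (10·log10(64) ≈ 18 dB); the plain receiver has no such gain. The 64-chip code, the 10 dB jammer-to-signal ratio and the Gaussian noise model are assumptions for the demonstration.

```python
import numpy as np

# Constructed 64-chip +/-1 chipping sequence standing in for the spreading code
# shared by transmitter and receiver (an assumption for the demo; real systems
# use e.g. an 11-chip Barker code or longer pseudo-noise sequences).
CODE = np.where(np.random.default_rng(7).random(64) < 0.5, 1, -1)


def spread(bits, code=CODE):
    """Map bits to antipodal symbols (0 -> +1, 1 -> -1) and multiply each symbol by the code."""
    symbols = 1 - 2 * np.asarray(bits, dtype=int)
    return np.repeat(symbols, len(code)) * np.tile(code, len(symbols))


def despread(chips, code=CODE):
    """Correlate each block of len(code) received chips against the code; the sign gives the bit."""
    n = len(chips) // len(code)
    corr = chips[: n * len(code)].reshape(n, len(code)) @ code
    return (corr < 0).astype(int)


def add_white_noise(samples, jammer_to_signal_db, rng):
    """Add zero-mean Gaussian noise whose power is the given ratio above unit-power samples."""
    noise_power = 10 ** (jammer_to_signal_db / 10)
    return samples + rng.normal(0.0, np.sqrt(noise_power), len(samples))


def bit_error_rate(sent, received):
    return float(np.mean(np.asarray(sent) != np.asarray(received)))


def processing_gain_db(code=CODE):
    """Spreading factor expressed in dB: the SNR improvement the correlator buys."""
    return 10 * np.log10(len(code))


def compare(n_bits=2000, jammer_to_signal_db=10.0, seed=1):
    """Return (BER of plain antipodal signalling, BER with DSSS) under the same jammer."""
    rng = np.random.default_rng(seed)
    bits = rng.integers(0, 2, n_bits)

    # Plain link: one symbol per bit, decided by sign. Noise power is 10x signal power.
    plain_rx = add_white_noise(1 - 2 * bits, jammer_to_signal_db, rng)
    ber_plain = bit_error_rate(bits, (plain_rx < 0).astype(int))

    # Spread link: 64 chips per bit under the same per-chip noise, despread by correlation.
    spread_rx = add_white_noise(spread(bits), jammer_to_signal_db, rng)
    ber_dsss = bit_error_rate(bits, despread(spread_rx))
    return ber_plain, ber_dsss


if __name__ == "__main__":
    ber_plain, ber_dsss = compare()
    print(f"processing gain: {processing_gain_db():.1f} dB")
    print(f"BER plain: {ber_plain:.3f}   BER DSSS: {ber_dsss:.4f}")
```

The plain receiver loses roughly a third of its bits; the correlating receiver, facing the same noise, recovers almost all of them. The caveat a practitioner should keep in mind is that the gain is bounded by the spreading factor: raise the jammer-to-signal ratio above about 18 dB in this model and the DSSS link degrades as well, which is why the distance and power arithmetic in Severinson's response still matters.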
Another technology planned for ISA-SP100 is mesh networking. One of its
advantages is the ability to develop alternative paths when noise at one
or more frequencies in the band, or physical obstructions, limit or
prevent a message from reaching its destination. This is called "path
diversity," and it is useful in overcoming sources of interference by
finding a noise-free path or, in this discussion, a path whose receivers
are farther away from the noise source.
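As an added worked example of Severinson's "the one closest to the receiver will win" rule and of the path-diversity argument above (written for this edit; not code from the article, ISA-SP100 or Omnex): a link is modelled as delivering when the wanted signal at the receiver exceeds the jammer's in-band power at that receiver by a 10 dB margin, with both falling off as the inverse square of distance, and a breadth-first search then looks for a route whose every hop passes that test. The four-node layout, the equal 42 mW figures for the transmitter and the jammer's in-band power, the 10 dB margin and the obstruction-free inverse-square propagation are assumptions for the demonstration.

```python
import math
from collections import deque

# Constructed plant layout in feet (an assumption for the demo): sensor S can
# reach gateway G through either of two relays, A or B.
NODES = {"S": (0.0, 0.0), "A": (250.0, 150.0), "B": (250.0, -150.0), "G": (500.0, 0.0)}
LINKS = [("S", "A"), ("S", "B"), ("A", "G"), ("B", "G")]

# 42 mW is Severinson's figure for the jammer's in-band power; giving the node
# transmitter the same 42 mW reproduces his "equal power sources" case.
P_TX_W = 0.042
P_JAM_INBAND_W = 0.042
MARGIN_DB = 10.0


def distance_ft(p, q):
    return math.dist(p, q)


def received_power(p_w, d_ft):
    """Inverse-square spreading loss. The same constant applies to signal and
    jammer, so only their ratio matters (no obstructions or fading assumed)."""
    return p_w / (d_ft ** 2)


def link_ok(tx, rx, jammer, margin_db=MARGIN_DB):
    """A hop delivers if the wanted signal at the receiver beats the jammer's
    in-band power at the receiver by the margin."""
    if jammer is None:
        return True
    signal = received_power(P_TX_W, distance_ft(tx, rx))
    jam = received_power(P_JAM_INBAND_W, distance_ft(jammer, rx))
    return signal >= jam * 10 ** (margin_db / 10)


def min_jammer_standoff_ft(link_ft, p_tx_w=P_TX_W, p_jam_w=P_JAM_INBAND_W, margin_db=MARGIN_DB):
    """Closest a jammer may sit to the receiver before the margin is lost:
    solve p_tx/link^2 >= 10^(m/10) * p_jam/d^2 for d."""
    return link_ft * math.sqrt(10 ** (margin_db / 10) * p_jam_w / p_tx_w)


def find_path(src, dst, jammer, nodes=NODES, links=LINKS):
    """Breadth-first search for a route whose every hop passes link_ok; None if
    the jammer has cut every path (path diversity exhausted)."""
    adj = {n: [] for n in nodes}
    for u, v in links:
        adj[u].append(v)
        adj[v].append(u)
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in adj[u]:
            if v not in parent and link_ok(nodes[u], nodes[v], jammer):
                parent[v] = u
                queue.append(v)
    if dst not in parent:
        return None
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = parent[n]
    return path[::-1]


if __name__ == "__main__":
    print(f"standoff for a 300 ft link: {min_jammer_standoff_ft(300):.0f} ft")
    print("no jammer:        ", find_path("S", "G", None))
    print("jammer near A:    ", find_path("S", "G", (250.0, 900.0)))
    print("jammer mid-plant: ", find_path("S", "G", (250.0, 400.0)))
```

With equal powers a 10 dB margin is a factor of 10 in power and so a factor of √10 ≈ 3.2 in distance, which is Severinson's "roughly three times": a jammer must be within about 950 ft of a 300 ft link's receiver to break it. In the constructed layout a jammer 750 ft from relay A silences the S→A hop, and the mesh routes through B instead; move the same jammer to within a few hundred feet of both relays and no path survives, which is the limit of what path diversity can do against a close, strong source.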
This discussion would not be complete without mentioning directional
antennas. ISA-SP100 has been attempting to simplify installation through
the use of omnidirectional antennas for radios at 2.4 GHz.
One of the penalties of omnidirectional antennas is that interfering
signals from any direction can potentially disrupt reception of valid
data signals.
Directional antennas are inexpensive at this frequency since they are
small, and high-gain transmit and receive antennas can be made redundant
as well. By increasing the gain for the actual data signals, and
reducing it toward the interferer, at the cost of somewhat increased
installation complexity in aiming the antennas, rejection of a
high-amplitude white noise source becomes even more likely.
Moreover, that's not all folks!
Technology keeps moving forward, and ISA-SP100 can and will take
advantage of new radio modulation techniques as they become available.
Already a standard, but not yet in production, is IEEE 802.15.4a, an
amendment to the IEEE 802.15.4 radio that adds an ultra-wideband (UWB)
physical layer operating in the 3.1 to 10.6 GHz spectrum using
impulse-radio modulation: very short pulses spread over several
gigahertz of bandwidth.
UWB spreads its transmit power so thinly across that bandwidth that its
spectral density sits below the noise floor of conventional receivers,
and it is designed to operate in the presence of large amounts of noise.
It also moves away from the crowded 2.4 GHz ISM band.
Again, its highly correlated radio signals are easy to discriminate from
white noise, allowing the receiver to pull the data signal out from the
masking noise. These radios will probably become widely available in the
next two years and will be highly suitable for use with ISA-SP100.
Now to the question, "should wireless networks be used for critical
control functions or even safety functions?" Before answering, recall
that the same question plagued fieldbus signals before Foundation
fieldbus was developed.
At that time (1990), the general attitude among control engineers was
that a fieldbus should only carry measurement or process variable data;
control signals should not travel on a fieldbus, and control
calculations should never be done in field devices.
The first versions of the safety standard ANSI/ISA-84 also prohibited
critical safety functions from using network communications. Now that
Foundation fieldbus and Profibus-PA are proven technologies, both
positions are reversing.
It is common and often more responsive to do control in field devices
using the fieldbus for control signals. Indeed, standards committees are
accepting the use of fieldbus technology for connection of safety
related data acquisition as long as there are fieldbus diagnostics to
instantly detect fieldbus failures allowing immediate safety action.
The objectives for the first release of ISA-SP100 include the provision
that it be devoted to non-critical functions while users gain experience
with its performance, safety, and reliability.
Most users have expressed this desire, and the ISA-SP100 committee is
responding by concentrating its first release on just such applications.
However, it is far too early to rule on the eventual use of wireless
technology for critical control and even safety applications.
With professional security experts attending to security on ISA-SP100,
and an architecture that supports redundancy beginning at the field
device as an inherent part of the protocol, there is an excellent
probability that ISA-SP100 will be even more reliable than wired
communications, even in the presence of deliberate (and illegal)
attacks.
All new technology engenders fear of the unknown, and the use of
wireless in a process control application is rightfully scary. In this
case, the user has a little bit of knowledge (high power radio jamming)
but is unaware of the steps ISA-SP100 is taking to counter such known
sources of interference.
In fact, ISA-SP100 is also considering many other sources of
interference, and is addressing the security of the message against both
interception and alteration: encryption for the former, and message
authentication, which encryption alone does not provide, for the latter.
All of the suppliers participating in ISA-SP100 are committed to using
the new technology once approval comes and are cooperating rather than
competing in the development of this standard. Furthermore, the
ISA-SP100 committee is dedicated to using technologies developed
elsewhere whenever possible, but adding and adapting for the specific
needs of the industrial automation market, with non-critical process
control applications being the objective of the first release.
About the Author
Richard Caro (RCaro (at) CMC.us) has worked in industrial automation for
almost 50 years and is the author of Automation Network Selection, ISA
Press, 2004. He is chief executive of CMC Associates, a senior member of
ISA, holds two patents, and has two chemical engineering degrees. He
managed the ISA and IEC Fieldbus standards committees.
-=-
Terminology
Emf: Electromotive force is, strictly, a voltage; the respondent uses
the term for the electromagnetic field that is invisible and surrounds
any energized electrical wire or device. That field has two components:
the electric field, which results from voltage, and the magnetic field,
which results from current flow.
Frequency hopping spread spectrum: is a type of radio transmission in
which the transmitter and receiver hop in synchronization from one
frequency to another according to a prearranged pattern.
ISA-SP100: is the Wireless Systems for Automation committee that will
establish standards, recommended practices, technical reports, and
related information that will define procedures for implementing
wireless systems in the automation and control environment.
Direct sequence spread spectrum (DSSS): differs from frequency hopping.
Instead of moving the signal from frequency to frequency, direct
sequencing encodes each data bit as a longer pseudo-random sequence of
shorter symbols called chips, known to both transmitter and receiver.
Eleven or more chips per bit are typical (IEEE 802.11 DSSS uses an
11-chip Barker sequence); the more chips per bit, the greater the
processing gain against uncorrelated noise.
Mesh networking: is a way to route data, voice, and instructions between
nodes. It allows for continuous connections and reconfiguration around
blocked paths by "hopping" from node to node until a connection
establishes itself.
Omnidirectional antennas: radiate and receive equally well in all
horizontal directions. The gain of an omnidirectional antenna can
increase by narrowing the beam width in the vertical or elevation plane.
The net effect is to focus the antenna's energy toward the horizon.
Ultra-wide band technology: usually refers to a radio communications
technique based on transmitting very-short-duration pulses, often of
only nanoseconds or less, whereby the occupied bandwidth goes to very
large values.
-=-
RESOURCES
* Building the perfect beast
www.isa.org/link/Perfect_beast
* Wireless SCADA Gains Foothold
www.isa.org/link/scadafoothold
* ISA-SP100 Wireless Systems for Automation Standards
www.isa.org/isasp100
* Wireless Networks for Industrial Automation, 2nd Edition
by Dick Caro
www.isa.org/wirelessnetworks
* SCADA: Supervisory Control and Data Acquisition, 3rd Edition
by Stuart A. Boyer
www.isa.org/scada
* Wireless Industrial Networking Alliance
www.wina.org
All contents copyright of ISA © 1995-2007 All rights reserved.