Robust Security Designed into WirelessHART

"Always On" Security One Key to WirelessHART Adoption

By Walt Boyes, Wally Pratt

2 of 2 1 | 2 > View on one page

The join key encrypts the data in the join packet. The join key is associated with one and only one device with a given serial number (HART "Unique ID"). Devices possessing a good join key can be put into "quarantine." This allows the operator to see the name of the manufacturer and the device type name (product name) of the device. The tag of the device also can be inspected. Therefore if the operator is not expecting the device, he can veto it from joining. That being said, even if rogue devices get into the network, they are effectively isolated and can do limited damage. If they purposely drop out of the network, they don't crash it. The WirelessHART mesh is resilient. If rogue devices start producing bad data, they should not disrupt the plant anymore than any failing device would.

Also, the rogue device cannot spoof the other device's data. The data from other devices are encrypted with a different set of keys.

Also Red: The cyber security assessment methodology

Implementation Issues

The WirelessHART Working Group, consisting of many of the best engineers and technical advisors from the top manufacturing companies in the industry, made carefully considered choices about what and what not to include in the specifications.. These choices were tested and presented to the HART Communication Foundation (HCF) membership, who further reviewed and approved these specifications prior to their release.

WirelessHART Gateways

WirelessHART has extensive requirements for gateways. These gateways standardize access to the network field devices, caching of device data, access to key performance indicators (KPI) and extensive detailed network statistics. The HART Protocol also standardized communications of HART data over Internet Protocol-based networks (i.e., HART-IP). Client access to the gateways is standardized and interoperable.

That being said, client-side security was chosen not to be standardized, since it was recognized that (especially for IP-based networks) security was an ongoing evolution, and that the client-side security (and testing that security) need to be openly left to experts in that domain. In fact, WirelessHART gateways today have extensive security certifications themselves.

HART Quality Assurance Program

The HART Quality Assurance (QA) Program specifically tries to break HART-enabled devices. As part of this program, testers intentionally attempt to make devices fail and then assess the device's behavior under these conditions. This tests a critical characteristic of failure, that being the measure of a device's behavior when the protocol tries to break it.

WirelessHART field devices undergo extensive testing before they are considered compliant and become registered devices. During this testing, all communication traffic is captured using the HCF's unique WiAnalys tool (U.S. Patent #8,441,947). This tool captures all 16 2.4-GHz IEEE 802.15.4 communications channels simultaneously. Over 500 MBytes of data are captured, and the data is then analyzed to confirm compliance.

Two sets of tests are performed. In the first tests (using the WirelessHART test system) all WirelessHART commands are sent to the devices and their responses evaluated. Both good and bad packets and commands are sent. The device must behave per specifications whether the packets it receives are good or bad.

For example, the protocol specifies the minimum number of keys a field device must support. The device may store more and, in any case, has commands that indicate its capacity. The test suite confirms that devices handle the number of keys they state they can store. The tests also attempt to write more keys than a device can store and confirms that the field device returns the appropriate error messages.

A field device must not malfunction under these or any other configuration error conditions.

The second test suite consists of system-level tests. The HCF has networks running continuously on-site using different commercial off-the-shelf WirelessHART gateways. Field devices are integrated into each of these networks. Their compliance and interoperability along with long-term operation are also assessed.

The HART QA Program helps ensure WirelessHART device implementations comply with the specifications, making them more attack resistant.

Security Manager

WirelessHART requires a security manager, but how keys are selected is not specified. The methods of key selection are a well-known issue and re-invention by WirelessHART was not necessary. The WirelessHART Working Group does not believe in the viability of identifying the pattern used by the security manager for exploitation.

First, in a 20-node network, there would be (1+20 x 5), about 101 keys. WirelessHART recommends the keys be automatically changed regularly. Recognizing the pattern would be challenging unless a hacker had all of the keys.

However, assuming this were possible, and the number of possibilities could be reduced to the 156 million combinations indicated in the paper, WirelessHART devices are battery operated and only periodically wake up.. Assuming they wake up once every 30 seconds (or 1 second) it would take 54,000 (or 1,800) days or so to try all of patterns.

An attack using many keys could be tried, but once again, the WirelessHART Working Group provided a solution. WirelessHART reports all unsuccessful communications. More specifically, it counts every message where the keys don't succeed. This count is reported periodically to the gateway and on to the end user. Lots of illicit attempts to access the network can be easily detected.

In addition, a WirelessHART network typically covers a couple hundred meters. Therefore the attacker (or rogue device) would need to be physically close by and accept the additional risk that entails.

WirelessHART was designed from the ground up to have integrated security meeting today's stringent needs for a cyber-secure network. With these design feature built in to the product, security is maximized within the WirelessHART sensor mesh, and it is likely that intrusions in other areas are more apt to be the target. This has held true in the thousands of devices safely operating in plants today, as WirelessHART offers a safe and secure option to capture intellegent data every day to help operations and enterprises improve their performance.

2 of 2 1 | 2 > View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments