The leading industrial wireless sensor network protocol is IEC 62591 WirelessHART, with over 50% market share in wireless sensor networks in the process industries (critical infrastructure, including 802.11n and Bluetooth) and well over 80% market share in IEEE 802.15.4-based sensor networks used in the oil and gas industry, the chemical and pharmaceutical industries, and water and wastewater, among other verticals.
Several wireless sensor network protocols had already been designed when the WirelessHART team began to specify its capabilities, so the team had the advantage of being able to look at what had been done. Because of the team's analysis of older protocols, such as Zigbee, WirelessHART was designed with a very high level of security built in and intended to be "always on."
An analysis of the WirelessHART protocol serves to illustrate the good decisions the WirelessHART design team made by concentrating on and designing in security. The achieved design goal of the WirelessHART team was to make the network's security robust, always on and secure right out of the box.
In this article we will show you some (but not all) of the security features that are built into the WirelessHART protocol.
While developing WirelessHART, strong security was a critical requirement due to the demanding nature of users in the process automation industry. The WirelessHART Working Group early on adopted a defense-in-depth strategy using multiple layers of security. This strategy focuses on how to trust a new device joining the network, on ensuring the packets are trusted at each hop along the mesh network, and on protecting the confidentiality of all communications between endpoints in the mesh network.
The designers in the WirelessHART Working Group paid a lot of attention to how keys are managed. In WirelessHART a user may pick a different initial join key for every device in the network. WirelessHART has standardized means to enter this key manually, or the key entry may be automated by connecting the field device to the gateway/security manager. In either case, the key is communicated to the field device via a wired connection to the maintenance port. Keys are write-only: there are no HART commands to read the key from the field device.
All WirelessHART field devices must allow the join key to be written as part of device commissioning. The join key is only one of many keys in the field device. All other keys are transferred in encrypted packets. The join key is only used for the first packet from the field device and the reply from the network manager. Because a human may have entered the join key, WirelessHART recommends that the network manager immediately change the join key once the field device joins the network.
In WirelessHART keys are used for authentication and for encryption. Since WirelessHART is fundamentally a mesh network, one key is shared at the data-link layer. This is used to authenticate packets as they hop node to node. This "network key" is written via an encrypted packet early in the join process.
To enable packet routing, some fields in the packets are only authenticated. However, all payloads are encrypted with a different key for each pair of devices. In other words, there are two layers of keys. In a typical WirelessHART installation, every WirelessHART field device has six keys in use. Five of the six keys should be different for every device in the network. WirelessHART key management (aside from possibly entering the first join key) is automated and invisible to the user.
Encryption of Payloads
While developing WirelessHART, it was quickly concluded that (1) encryption was necessary, and (2) unique session keys must be supported. In other words, WirelessHART is designed so that each pair of endpoints in communication must be allowed to have a separate key. For example, if there are 20 field devices in the network, then the gateway has 20 sets of keys (1 set for each field device). The separate keys are used to perform the encryption.
WirelessHART security is designed to isolate devices; i.e., one device cannot snoop on another device. Encrypted payloads are part of the design objective to reduce the possibility of one device bringing the plant down. The WirelessHART team believes plants SHOULD ALWAYS be designed so one malfunctioning device cannot jeopardize the whole operation. This is one reason why WirelessHART is fundamentally a mesh. Consequently, the failure, whether intentional or not, of one device will not bring down the network.
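The two key layers described above (a shared network key for hop-by-hop authentication, a per-pair session key for payload encryption) and the resulting device isolation can be modelled in a few lines. This is an added example, not code from the WirelessHART specification or any vendor stack: the keys and nonce are constructed sample values, the standard's AES-128-CCM is replaced by AES-128-GCM from the Go standard library, and an HMAC stands in for the data-link-layer MIC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed sample keys, not real WirelessHART keys. The standard uses AES-128-CCM;
// this demo substitutes AES-128-GCM from the Go stdlib and an HMAC for the link-layer MIC.
var networkKey = []byte("shared-net-key16")  // held by every node: per-hop MIC only
var sessionKeyA = []byte("gw<->devA-key-16") // gateway <-> device A payload key only
// Frame models a WirelessHART packet: routing header in the clear but covered by the MIC,
// payload encrypted under the endpoint pair's session key.
type Frame struct {
	Src, Dst   string
	Nonce      []byte // 12 bytes here; the real protocol derives it from network time
	Ciphertext []byte
	MIC        []byte // hop-by-hop integrity check under the network key
}
func header(f *Frame) []byte { return append([]byte(f.Src+"->"+f.Dst), f.Nonce...) }
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}

// hopMIC authenticates header and ciphertext under the shared network key.
func hopMIC(f *Frame) []byte {
	mac := hmac.New(sha256.New, networkKey)
	mac.Write(header(f))
	mac.Write(f.Ciphertext)
	return mac.Sum(nil)[:8] // truncated tag, as link-layer MICs usually are
}
// Seal: the endpoint encrypts with the pair's session key, then adds the network MIC.
func Seal(sessionKey []byte, src, dst string, nonce, payload []byte) *Frame {
	f := &Frame{Src: src, Dst: dst, Nonce: nonce}
	f.Ciphertext = aead(sessionKey).Seal(nil, nonce, payload, header(f))
	f.MIC = hopMIC(f)
	return f
}
// RelayAccepts is all an intermediate mesh node can check: the MIC under the network key.
func RelayAccepts(f *Frame) bool { return hmac.Equal(hopMIC(f), f.MIC) }
// Open succeeds only at the destination endpoint holding the matching session key.
func Open(sessionKey []byte, f *Frame) ([]byte, error) {
	return aead(sessionKey).Open(nil, f.Nonce, f.Ciphertext, header(f))
}
```

A relay node holding the network key can verify and forward device A's frame and will drop a tampered one, but opening the payload with any key other than the gateway/device A session key fails, which is the isolation property the text describes.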
Rogue Field Devices
Early on, the WirelessHART Working Group (WG) assumed any attacker would go to great lengths, with infinite resources, to intrude into a network. The WG concluded that firmware reverse engineering, cloning of devices, insertion of rogue devices into a network and other nefarious deeds would occur. This realization drove several design decisions, including the use of the unique session keys discussed above.
Ultimately, the first line of defense against rogue devices hinges on determining which device is trusted to be in the network. WirelessHART has three trust items that can be checked: 1) the join key; 2) the manufacturer; and 3) the product name (what the device is) and tag (the user's name for the device).