Most designers assume that wireless is inherently less secure than wired. However, because wireless systems were designed with an awareness of the vulnerability of not having a physical connection, they incorporate many features to incorporate security "natively." This month, I hope to share with you why these concerns are in most cases myths, and in some cases outright "mythnomers" (untrue), using the two most common Wireless Sensor Networks (WSN) as examples.
Both protocols use IEEE 802.15.4 radio operating over 16 channels in the 2.4 GHz band, which are the same channels and license-free frequency used by many other devices including the majority of Wi-Fi products. Though both protocols support mesh networks, mesh routing capability is a network (OSI Layer 3) function that's not specified by IEEE 802.15.4. ISA100.11a and WirelessHART use Time Division Multiple Access (TDMA) to reduce the risk of message loss and time spent on a single frequency, and also to implement security countermeasures against localized wireless network attacks based on the application of the AES encryption standard.
Security, however, must be guaranteed from end to end, and while all WSNs support this capability, they approach it in different ways. The table shows how WirelessHART and ISA100.11a provide some similar capabilities/functions in slightly different ways.
The session keys for both protocols are written to the nodes by the security manager, which also encrypts the join key, while the time slots for WirelessHART are fixed and those for ISA100.11a can be user-configured within this time period. Asymmetric cryptography enhances security strength and reduces the computational sensitivity compared with symmetric cryptography.
Each of the protocols was developed with a different legacy, so it only makes sense that they also contain a number of differing security features. One obvious difference is that WirelessHART had to be backwards compatible with previous versions of the wired HART protocol, which to some extent dictated the following security implementations in HART 7:
WirelessHART field devices undergo extensive testing with the FieldComm Group WiAnalys tool, which monitors and captures all traffic on all 16 of the 2.4 GHz communications channels available as per IEEE 802.15.4 before they're considered compliant and become registered devices. Starting with this testing and once installed in a network, WirelessHART systems report all unsuccessful communications, counting every message where the keys don't succeed.
WirelessHART supports local routing based on HART addressing, and applies a Message Integrity Check (MIC) at the Data Link layer of the communications stack. The protocol has three trust items that can be checked for every device: join key, manufacturer ID, and product name (i.e. device type) or tag name (user's name). To make most effective use of the six write-only keys contained in every field device, they should be set up so five of the six keys are different for every device in the network.
Like most networks, both WirelessHART and ISA100.11.a should regularly update "passwords" as this reduces the possibility of being compromised, and if compromised, of any associated vulnerability being used. For WirelessHART, this means updating the Network Layer and Session Layer keys, while because ISA100.11.a uses time stamps as part of its encryption, the keys are in effect 'automatically' changed every message. The ISA100.11.a protocol can also selectively encrypt and authenticate the MAC payload.
The security credentials for each ISA100.11a node have all keys derived from the asymmetric master key (private key) from the Elliptic Curve Cryptography (ECC) cryptographic algorithm that's generated inside each device using a secure key generation (SKG) process. Asymmetric SKG enables both devices to create a shared secret master key without ever transmitting the master key between nodes.
ISA100.11a networks are tightly synchronized with atomic international time (TAI). The protocol uses this time stamp for the AES-128 encryption engine to indicate when the data packet was created as part of the Transport Layer security. The final recipient of the device attempts to authenticate the packet, but if it was created more than N (configurable to accommodate various network sizes) seconds ago, the recipient will discard the packet, thus protecting against replay attacks.
The final difference from a structural standpoint between these protocols is the ISA10011.a stack is based on several Internet Engineering Task Force requests for comments (RFCs), including support for IPv6 addressing by adopting the IETF Internet Protocol version 6 (IPv6) over low-rate personal area networks (6LoWPAN) standard in the network layer. Subnet routing as well as active neighbor discovery are also supported.
It's true that when networks operate on the same channels and frequencies (which is true for heterogeneous WSN standards based on IEEE 802.15.4), they compete and have the potential to jam each other. That's not a security issue, but is a topic for a future column.
Cybersecurity is always a consideration in the design and operation of any digital communications network. Fortunately, when the WSN protocols were being developed, the people doing so were aware of the cybersecueity issue and, as shown, incorporated steps to provide degrees of cybersecurity, therefore debunking the wireless myth that it is "not secure" because it does not use wires. This assumption is thus a "mythnomer."