Wireless Instruments
HCF talk
Just one user's comments and perspective
Sicco Dwars

Disclaimer: what's in this ppt is the author's private professional opinion, not to be mixed up with or hinted to as being his employer's point of view or strategy necessarily.

Simplicity Matters
If it ain't simple, it isn't secure.
If it ain't simple, it will not fly.

Watch what I just got: Huh??
I'm just an office worker,
a) Highly educated (OK...)
b) Well paid, devoted, loyal etc.
c) If I screw up, then the damage can be overseen...
But, what about that contractor instrument technician, offshore, or in the desert of Oman, or on a Nigerian gathering station in the Delta...
Keep it Simple Please!

My 3 points on Trustworthiness:
1) Stop chasing ToS, QoS. Instead accept that wireless links are inherently weak, no matter what and how many diversity tricks you bolt onto them.
2) However, confidence in the authenticity of data received, and confidence of knowing something has failed if authentic data doesn't arrive when it is expected, can, with today's technology, quite easily be boosted to astronomic levels.
3) The interconnect between legacy wired and wireless is a huge problem. It is the hacker's potential backdoor onto the plant network. What to do to mitigate? How can I convince I have it mitigated?

ISA SP100 – Wireless IC&A Network Classes
(Importance of message timeliness increases from Class 5 up to Class 0.)
Safety:
Class 0: Emergency action (always critical). E.g., Instrumented Protective Systems/Safeguarding systems.
Control:
Class 1: Closed loop regulatory control (often critical). E.g., Regular control loops.
Class 2: Closed loop supervisory control (usually non-critical). E.g., Set point manipulation for control system optimisation.
Class 3: Open loop control (human in the loop). E.g., Manual human actions on alerts.
Monitoring:
Class 4: Alerting. Short-term operational consequence (e.g., event-based maintenance).
Class 5: Logging & downloading/uploading. No immediate operational consequence (e.g., history collection, SOE, preventive maintenance).
NOTE: Batch levels* 3 & 4 could be class 2, class 1 or even class 0, depending on function.
*Batch levels as defined by ISA S88; where L3 = "unit" and L4 = "process cell".

Design wireless applications from scratch instead of trying very hard to mimic the ToS and QoS and availability and probability of failure on demand that wires used to give us.
No cell phone that I know of gives latencies or sound quality comparable to landlines. Yet I often prefer to use cell phones. And cell phones have made life a lot safer for many of us (but please don't use them when driving...).
So what's wireless control?

Wireless and safeguarding - scary?
Today: long analog signal wires, from IN FIELD to the LOGIC SOLVER in the CCR.
Tomorrow: in-field high SIL loops, wirelessly linked to the house over a long wireless link; wireless link availability isn't critical, SIL 0 will do. AS LONG AS DATA INTEGRITY IS PROVEN.

What matters really for wireless control & safety systems?
a) Is it loop availability each and every second?
b) Or is it trustworthiness of the data that arrives via a wireless link, if it arrives, and knowing what to do if it doesn't arrive?
Black channel versus White channel
Analogy: cell phones, Internet banking, ATMs, laptops, HVAC, burglar alarms, etc.

'White channel' approach
• All requirements of IEC 61508 apply to all elements of the communications channel
  – Measures for avoidance and control of systematic faults
    • Software, firmware
  – Fault tolerance
  – Random hardware failures
  – Verification & validation
(Diagram: Equipment, Communications channel, Equipment, all under IEC 61508.)
"Trustworthy end-to-end = Gold-plating end-to-end"

'Black channel' approach
• Assume communications can fail at any time
• Detect communications failure and shut down the process within the process safety time
• Only the failure detection diagnostics comply with IEC 61508
• Can only be used in demand mode
• Can apply to all types of communications:
  – e.g. fieldbus, LANs, internet, wireless
• See EN 50159 (IEC 62280)
(Diagram: Equipment and Diagnostics under IEC 61508 at each end, with the Communications channel in between marked 'untrusted'.)
"Trustworthy end-to-end = Gold-plating devices, not channels"

Cyber Security, ISA99
• Before wireless, life was easy. A perimeter, such as a fence or a wall or a locked cabinet, determined what domain we're dealing with.
• Cyber Security centered on segregating plant (PCD) from office (GI-OD) networks, with only one mega firewall between those two.
• Wireless creates many new security threats: the perimeter is no longer a defense line. The backdoors are wide open.
• Ref ISA99 (a.k.a. "DACA"), the threats now suddenly come from below, not from above...
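The black-channel principle above (untrusted link, IEC 61508-rated diagnostics at each end, shutdown within the process safety time) together with points 2 and 3 of the trustworthiness list earlier in the talk, as an added Python example that is not part of the original slides. The frame layout, the HMAC-SHA256 tag, the hard-coded link key and the 2000 ms process safety time are all constructed for the demo; the point is that the receiver trusts only the diagnostics, never the link.

```python
"""Black-channel receiver for a wireless safety signal (constructed example).

The radio link is treated as untrusted. The receiver only accepts a frame whose
authentication tag verifies under the per-link key, rejects replayed or
reordered sequence numbers, and trips to the safe state when no authentic frame
has arrived within the process safety time (PST). Link availability itself is
never relied on; only the diagnostics are.
"""
import hashlib
import hmac
import struct

# Hypothetical per-link key. In a real device it lives inside the cryptographic
# boundary and is never exported; it is hard-coded here only so the demo runs.
LINK_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TAG_LEN = 16                        # truncated HMAC-SHA256 tag, bytes
PST_MS = 2000                       # process safety time assumed for this loop
HEADER = struct.Struct(">IQf")      # seq (u32), sender time (u64 ms), value (f32)


def build_frame(seq, sender_ms, value, key=LINK_KEY):
    """Sender side: header followed by a truncated HMAC over the header."""
    body = HEADER.pack(seq, sender_ms, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class BlackChannelReceiver:
    """Logic-solver side diagnostics; everything else on the link is untrusted."""

    def __init__(self, start_ms, key=LINK_KEY, pst_ms=PST_MS):
        self.key = key
        self.pst_ms = pst_ms
        self.last_seq = None
        self.last_good_ms = start_ms    # receiver clock at last authentic frame
        self.value = None
        self.tripped = False            # latched; needs an explicit reset

    def receive(self, frame, now_ms):
        """Validate one frame. Returns ('ok', value) or ('rejected', reason)."""
        if len(frame) != HEADER.size + TAG_LEN:
            return ("rejected", "bad length")
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")          # forged or corrupted
        seq, _sender_ms, value = HEADER.unpack(body)
        if self.last_seq is not None and seq <= self.last_seq:
            return ("rejected", "replay or reorder")
        self.last_seq = seq             # gaps are fine, going backwards is not
        self.last_good_ms = now_ms
        self.value = value
        return ("ok", value)

    def watchdog(self, now_ms):
        """Call every scan. Trips when authentic data is overdue; stays tripped."""
        if now_ms - self.last_good_ms > self.pst_ms:
            self.tripped = True
        return self.tripped

    def reset(self, now_ms):
        """Operator reset after the cause has been dealt with."""
        self.tripped = False
        self.last_good_ms = now_ms


def simulate():
    """Constructed scenario: good frame, a replay, a forgery, then a link outage."""
    rx = BlackChannelReceiver(start_ms=0)
    events = []
    good = build_frame(1, 0, 12.5)
    events.append(rx.receive(good, 100))                  # accepted
    events.append(rx.receive(good, 200))                  # same seq again: replay
    forged = bytearray(build_frame(2, 200, 99.0))
    forged[-1] ^= 0x01                                    # one bit of the tag flipped
    events.append(rx.receive(bytes(forged), 300))         # bad tag
    events.append(rx.receive(build_frame(3, 300, 12.6), 400))  # seq 2 lost, 3 is fine
    events.append(("tripped", rx.watchdog(1500)))         # 1100 ms since last good
    events.append(("tripped", rx.watchdog(2500)))         # 2100 ms > PST: trip
    return events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

Note that a lost frame (sequence 2 in the scenario) is not an error in itself; what matters is whether an authentic frame still arrives inside the PST, which is exactly the "SIL 0 link, proven data integrity" position argued above.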
(Diagram: ISA99 levels. Level 5: internet, office network. Firewall Level 4-5. Level 4: 802.3 Ethernet. Firewall Level 3-4 (PCAD). Level 3: process control network, 802.3 Ethernet. Level 2: control bus, gateway (DCS or PLC). Level 1: PID controllers. Level 0: gateway to Level 1, field bus H1 or Profibus or Modbus or HART, IEEE 802.15.4 mesh and P2P. Wireless backdoors drawn past the firewalls: an 802.16 gateway, 802.11 WLAN gateways from Level 1 and Level 2 to Level 3, a wireless gateway to Level 5, a wireless gateway to Level 1, and wireless worker (WW) access on the control bus.)

Wireless and safeguarding – very scary!!
A SIL3 Safety System, a 'HIPPS', how "thumb" can one get...

So wireless security does matter, big time!
When challenged, today, not one vendor can convince us that they decently mitigated the risk of the potential wireless backdoor. They expect us to just trust them. But: 1980 = Tell me, 1990 = Show me, 2000+ = Prove to me that...
Or maybe they ignorantly assume our work processes and staff are excellent...
OK, WiHART can't do routing. Yet. Who says it's not going to. ISA100.11a, IETF all go 6LoWPAN, IP to the edge...

Can we really manage Wireless Security with what's on offer today?
• Passwords, secret Join Keys...
• Who owns them?
• Who do we give them to?
• How do we keep them accessible for a 20 year lifecycle?
• How do we convince they didn't leak...
• Huge gap between reality on the ground at oil & gas facilities, versus what's being proposed as workable solutions.
What's lacking: simplicity, scalability, auditability, freedom to mix-and-match vendors, no secrets in the hands of people on plants. No reliance on secrets at all.
Payment cards & e-passports could crack this nut. So can you.

This is for WiFi. But also WSN will see many different users. Only some of them are 'C&A'. Most will be 'Rotating Equipment', 'Corrosion Monitoring', 'Logistics', 'HSE', 'Drilling', 'Seismic', 'HVAC' and so on.
With not the DCS, and not even the PI server, as 'sink' for WSN data... One ether. Many users. Plus more than just WSN...

Our Steer in HCF, ISA100 & IETF
• Open Wireless Networks
• One Physical Wireless Infrastructure
• Access controlled by C&A persons
• Multiple Logical Wireless Networks
• Serving 3 domains:
  a) Prio 1: Real Time guarantees: Plant Domain, control, sensors, alarms
  b) Prio 2: Real Time-ish: Office Domain, Voice, Wireless Worker
  c) Best effort, throttled, no guarantees: WWW, 3rd parties, web cam
• All 3 domains in 2 flavors:
  • WiFi, IEEE 802.11, powered via a wire, 5 and 2.4 GHz, IPv4 & IPv6
  • WirelessHART, ISA100.11a, ZigBee: IEEE 802.15.4, batteries, 2.4 GHz, IPv6(!)
• Complementary to a broadband 3G telco-supplied wireless network (HSxPA, GPRS)

Defining 3 geographical areas for wireless instruments
1. The wider space around, where its radio signals travel. Say 10-1000 meters around.
2. The immediate Device Perimeter. Where instrument technicians have access to.
3. The Cryptographic Boundary inside the device from where sensitive data (keys, credentials etc) shall not leak.

1. The wider space around, where its radio signals travel.
(Diagram: GW and DCS in the CCR, wireless instruments, site fence.)
Bad Property: it crosses the fence line perimeter, all traffic is also 'on the street'.

2. The immediate Device Perimeter.
(Diagram: GW/DCS in the CCR, device perimeter drawn around each instrument.)
Good Property: it doesn't cross the fence line perimeter, all traffic can be assumed 'private'. Only the instrument technicians have access.
Other Good Property: It doesn't reach any other wireless node. It's clear and indisputable which device the instrument tech deals with.
An instrument tech can easily get in there, provided he is physically there. Access is controlled. Permit To Work system typically in place.
Note: in the wired world, this area used to extend to the field cables, junction boxes, marshalling cabinets etc. On a refinery, the area may be up to 10 meters around the device, allowing e.g. for IR handhelds, however....

2b. The immediate Device Perimeter.
(Diagram: GW and DCS in the CCR, device outside the fence.)
However... if the device is outside the fence, or otherwise easily accessible for unauthorized persons, then things must be more restrictive, meaning the area gets smaller, and may be just inside the instrument's enclosure. An instrument technician still needs access. Likely, he will need a key to unlock a cabinet before accessing the instrument's diagnostics port.
Examples: unmanned wellheads, custody transfer meters on refineries, instruments on rail carts, public gas stations.

3. The Cryptographic Boundary inside the device from where sensitive data (keys, credentials etc) shall not leak.
Good Property: it doesn't leak secrets, ever. Not even the instrument tech can get in there, ever. Also the device maker should not get back in unnoticed, ever!
FIPS 140-2 or ISO 15408 CC will tell how good or bad it is.

MODEL A: don't care about DL security, hence don't assess it either.
MODEL B: care about DL security also, assess two different cryptographic boundaries, get two FIPS 140-2 scores... But don't care about DL security when DL keys get updated...
MODEL C: care about DL and TL security, also when keys get updated. One score.
MODEL D: care about DL and TL security, also when keys get updated. One score.
The Cryptographic Boundary inside the device from where sensitive data (keys, credentials etc) shall not leak.
Critical note: allowing out-of-band key loading by a user defeats the concept of Cryptographic Boundaries, and voids the intent of assessed FIPS 140-2 ratings...
(Diagrams: three key-loading situations, each drawn against the Process Control Domain Boundary ("Perimeter Security" inside, "No Perimeter Security" outside) and the device's CRYPTOGRAPHIC BOUNDARY: "Hand carry key in a 'safe'"; "Tell the key"; and "Join yes or no?", where the Cryptographic Boundary is a satellite extension to the PROCESS CONTROL DOMAIN.)

Security Module Concept:
• How you (= sec mngr) talk to the security modules isn't relevant (IR, RF, buttons, plugs...)
• What matters is that you CAN talk
• If others can listen in, tap, eavesdrop, overhear, skim, then all that doesn't matter
• Actually, listening in and recording that dialog yields an open-to-all audit trail on quantifiable trustworthiness
• What's outside the crypto boundary, outside the dashed red box, is irrelevant

Security Module Concept:
• How good that module inside the crypto boundary must be is not for the ISA100 standard to prescribe.
• Some may opt for FIPS 140-2 level 1, some for 2, others for 3, and maybe some want level 4... Many will not even care about what level it is. Some prefer Common Criteria, ISO 15408, instead of FIPS.
• The same concept and benefits apply to ISA100.11a devices that do not have an IEEE 802.15.4 radio. What matters is that ex-factory, they can talk. How they talk initially is irrelevant.

Generic Scheme Overview
Step by step, timeline
Borrowing from EMV DDA: EMV Integrated Circuit Card Specifications for Payment Systems, Book 2, Security and Key Management, Version 4.2, June 2008 (www.emvco.org, specifications)
Section 6 (pp. 51-69):
– How Certificates are formatted
– How Hash and Cipher algorithms are specified and to be used
– How Certificates are verified
– How Public Keys and Key Remainders are dealt with
Section 7.2 (pp. 85, 86): as guideline how to encrypt a new AES join key (Key S) prior to sending it to the DBP (PIN to be replaced by Key S).

OK, that was too complicated stuff for now. But what are the benefits?
One catalog item, same device can go anywhere
No secrets to share
No lock-in to a particular CA
Simplicity: one click to add or reject
No keys in their hands
Traceable trust, trust that it's a genuine device
Freedom to mix & match
No more handhelds...

Wireless, Architecture & Security Work To Be Completed
• Standards for Ease Of Deployment
• Standards for simplicity
• Architecture of 3 logical and 1 physical network
• Shell Cyber security standards compatible: The Wireless Access Domain box, and maybe some data diodes.
• Compliant Products & Systems
• Max Simplified Work Processes Defined
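The EMV DDA-style scheme sketched above (Section 6 certificate verification, Section 7.2 encryption of a fresh join key) and the "no secrets to share, no keys in their hands" benefits, as an added Python example that is not part of the talk and not taken from any ISA100 or EMV specification. It uses a toy textbook RSA (unpadded, Miller-Rabin prime generation, seeded RNG) purely to show the chain-of-trust logic; the party names, the certificate layout and the 16-byte join key are constructed, and a real device would use a padded signature scheme and a hardware RNG inside its cryptographic boundary.

```python
"""Certificate-chain join for a wireless instrument, patterned on EMV DDA
(constructed example; toy textbook RSA without padding, illustration only).

CA      root whose public key is the only thing the plant gateway needs to hold
Maker   device manufacturer, holds a certificate signed by the CA
Device  holds a certificate signed by the Maker and a private key that never
        leaves its cryptographic boundary
The gateway verifies the Maker cert with the CA key and the Device cert with the
Maker key, challenges the device to sign a nonce (dynamic data authentication),
then sends a fresh join key S encrypted under the device public key. Nobody on
the plant ever sees, types or hand-carries a key.
"""
import hashlib
import math
import random

E = 65537


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; fine for a demo, not a certified primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits, rng):
    """Returns (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    return pow(_h(msg), priv[1], priv[0])


def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg)


def tbs(subject, pub):
    """To-be-signed bytes of a certificate: subject name plus public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def make_cert(subject, pub, issuer_priv):
    return {"subject": subject, "pub": pub, "sig": sign(issuer_priv, tbs(subject, pub))}


def verify_cert(cert, issuer_pub):
    return verify(issuer_pub, tbs(cert["subject"], cert["pub"]), cert["sig"])


class Device:
    """Simulated instrument; _priv stands for the key inside the crypto boundary."""

    def __init__(self, name, maker_cert, maker_priv, rng):
        pub, self._priv = keygen(512, rng)              # ex-factory key pair
        self.maker_cert = maker_cert
        self.cert = make_cert(name, pub, maker_priv)    # signed by the maker

    def sign_challenge(self, nonce):
        return sign(self._priv, nonce)

    def accept_join_key(self, ciphertext):
        return pow(ciphertext, self._priv[1], self._priv[0]).to_bytes(16, "big")


def gateway_join(ca_pub, device, rng):
    """Gateway side. Returns (join_key, ciphertext) or (None, reason)."""
    if not verify_cert(device.maker_cert, ca_pub):
        return None, "maker certificate not signed by trusted CA"
    if not verify_cert(device.cert, device.maker_cert["pub"]):
        return None, "device certificate not signed by its maker"
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    if not verify(device.cert["pub"], nonce, device.sign_challenge(nonce)):
        return None, "device failed dynamic data authentication"
    join_key = rng.getrandbits(128).to_bytes(16, "big")   # fresh Key S
    n, e = device.cert["pub"]
    return join_key, pow(int.from_bytes(join_key, "big"), e, n)


def demo(seed=7, fault=None):
    """fault: None, 'rogue_ca' (maker cert signed by a stranger) or 'altered_cert'."""
    rng = random.Random(seed)       # seeded so the demo repeats; not for real devices
    ca_pub, ca_priv = keygen(512, rng)
    maker_pub, maker_priv = keygen(512, rng)
    signer = keygen(512, rng)[1] if fault == "rogue_ca" else ca_priv
    dev = Device("PT-1001", make_cert("ACME Instruments", maker_pub, signer), maker_priv, rng)
    if fault == "altered_cert":
        dev.cert["subject"] = "PT-1001-clone"   # edited after signing, so the sig fails
    join_key, ct = gateway_join(ca_pub, dev, rng)
    return (join_key, dev.accept_join_key(ct)) if join_key else (None, ct)
```

Run `demo()` for the happy path: the gateway ends up with the same 16-byte Key S the device decrypted, having held nothing but the CA public key beforehand, which is what makes "one catalog item, same device can go anywhere" and "no lock-in to a particular CA" possible (a gateway can trust several roots). `demo(fault="rogue_ca")` and `demo(fault="altered_cert")` show the two chain checks rejecting a device before any key is sent.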