wireless p3 pakscan case study
8/6/2019 Wireless p3 Pakscan Case Study
Pakscan Wireless Security
CASE STUDY NOTES
Introduction
The P3 wireless system is a type of Wireless Local Area Network (WLAN) based on the IEEE 802.15.4 specification (WiFi is based on 802.11). Wireless is in effect a broadcast system, unlike wired networks where the path of communication is restricted between devices by the physical cable, inherently protecting communications. This means that someone with a wireless transceiver set to the correct frequency could listen in.
Of course the low power nature of most WLANs means that it is hard to eavesdrop from more than a couple of hundred meters away. In an industrial application, depending upon the installation, it is possible that the signals would not be detectable from outside the site perimeter.
But we must accept the fact that it may be possible for someone to pick up the Rotork P3 wireless messages with a transceiver set to the correct frequency. Whilst it may be possible to pick up the feedback data being transmitted, this is of negligible security risk as there is very little that can be done with status information. The area of concern would be if someone were able to send messages to command or operate a device on the network.
So, how could someone infiltrate the network to control a device on the Wireless P3 system? To start with they would have to know some basic details about the network: the channel on which communications are occurring (there are 16 to choose from), the Personal Area Network Identification number (PAN ID, a 16-bit number) and a device address. They would also need to understand the Rotork P3 wireless protocol. This is a non-published proprietary protocol.
BUT... that's not the end of it; because we recognise the risk presented by a persistent hacker who wishes to disrupt plant operations, we have employed extra security measures to protect devices from unsolicited commands.
The P3 system uses multiple security measures to protect from both malicious and accidental interference.
- P3 wireless is inherently secure due to the low power radio signals
- All command messages are encrypted using AES128
- A secure method of joining the network is employed
- Anti-spoofing ensures messages cannot be replayed (recorded then played back at a later time)
Security overview
There is a two-fold approach to protecting command messages. The first is AES 128-bit encoding (Advanced Encryption Standard) and following this, an anti-spoofing algorithm is applied. The AES prevents analysis of the command, even if the attacker had knowledge of the Rotork proprietary protocol used for control. The anti-spoofing prevents replay attacks originating from a node on the P3 wireless network. Anti-spoofing is also applied during network join to prevent non-authorised actuators being placed on the network and intercepting command messages from their intended recipient.
These methods are utilising strong encryption. What is encryption? Encryption is the process of changing data into a form that can be understood only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. The sender and the receiver use the same key to encrypt and decrypt data.
This security infrastructure is designed to secure the join process and the sending of commands while providing minimal impact during operation and commissioning.
AES - Advanced Encryption Standard
Advanced Encryption Standard is an algorithm recognised as being strong enough to protect national security with approval of the standard (FIPS 197) in 2001. Since then it has been widely used and is the de facto standard for encryption. Rotork are specifically using AES128 - the 128 refers to the 128 bit key length. This key operates on a 16 byte data block. It is necessary for commands to be padded out to be the full 16 bytes in length. The padding bytes provide an additional level of security as they are checked for correctness when the command is deciphered.
Command messages are encoded by passing them through the encryption algorithm based on the key, before transmission and at the receiving end the messages are decoded by the same algorithm. The algorithm starts with the key-expansion, where a number of round keys are established that are used later in the algorithm. The data is arranged in a 2 dimensional block of size 4 x 4 bytes.
There is a series of 10 rounds, and within each round the following steps are taken:
- SubBytes - a non linear byte substitution of each byte in the data block.
- ShiftRows - within a row the data is cyclically shifted depending upon the row number.
- MixColumns - the data in each column is transformed through multiplication with a fixed polynomial. This provides diffusion - each input byte affects all 4 of the output bytes.
- AddRoundKey - this XORs the data block with the round key derived earlier.
All systems are sent out with the same AES key in the FCUs and the co-ordinator. This can (and should) be changed to secure the site. The key can be modified in the master station (assuming the user has the correct access rights) using the HMI or web pages and in individual actuators using the IR interface. Additionally, a new key can be distributed throughout the system over the network. For this distribution the new key is secured by using a Key Transport key that is hard-coded into the system software.
Anti-spoofing
Although the command data is protected by AES, it does not prevent replay attacks from other nodes on the network. In theory a hacker could join a node to the network and replay a message with the same payload as a command message and with all the message header information correct. In the Rotork P3 Wireless systems anti-spoofing is the name given to the encryption algorithm applied during network joining to prevent non-authorised actuators being placed on the network and during run time to prevent command message replay.
It is an encryption method designed in house, but is a similar scheme to message authentication code and Nonce (Number Used Once) algorithms.
Join protection
For a device to join the network it must first obtain a counter from the Trust Centre (the co-ordinator device) and then use this counter combined with the anti-spoofing encryption to provide a successful registration request, and upon passing this authentication the P3 master station will add the device to its list of Actuators.
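The join sequence described above can be sketched as a challenge-response exchange. This is an added example, not Rotork's code: the anti-spoofing algorithm is proprietary and unpublished, so HMAC-SHA256 is swapped in as the keyed function, and the `TrustCentre` class, the `join_proof` helper, the 16-bit device address and the 8-byte proof length are all assumptions.

```python
import hashlib
import hmac
import struct

def join_proof(key, device_addr, counter):
    """Keyed proof over (address, counter); HMAC stands in for the proprietary scheme."""
    msg = struct.pack(">HI", device_addr, counter)   # assumed 16-bit address
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class TrustCentre:
    """Coordinator side: issues counters and validates registration requests."""

    def __init__(self, key):
        self.key = key
        self.next_counter = 1
        self.pending = {}      # device address -> counter issued to it
        self.actuators = []    # devices accepted onto the network

    def issue_counter(self, device_addr):
        counter = self.next_counter
        self.next_counter += 1
        self.pending[device_addr] = counter
        return counter

    def register(self, device_addr, counter, proof):
        # pop() makes each issued counter usable for one attempt only,
        # so a recorded registration request cannot be presented again.
        issued = self.pending.pop(device_addr, None)
        if issued is None or issued != counter:
            return False
        if not hmac.compare_digest(proof, join_proof(self.key, device_addr, counter)):
            return False
        self.actuators.append(device_addr)
        return True
```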
Replay protection
To prevent replay we add additional data bytes onto the transmission payload, that contain an encrypted counter. The additional bytes are formed by the anti-spoofing encryption that takes a system-wide counter as input. The encryption used is proprietary and like AES involves padding, substitution and rotations.
The routers will request the system time on a periodic basis such that any potential drift in the coordinator clock and the router clock will not push the time tolerance outside an acceptable window.
On reception of a message the router will examine a particular byte to ascertain if it is a command. Messages which are not classified as commands are simply passed onto the actuator. Commands will need to have the additional bytes that have been added to payload deciphered. The deciphered bytes provide a time counter and if this time matches the time kept by the router itself, within a certain tolerance, the command is passed on to the actuator.
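The router-side freshness check described above, as an added example rather than Rotork's code. The proprietary encrypted counter is replaced by a plain counter protected with a truncated HMAC-SHA256 tag; the message layout, `CMD_FLAG`, `TOLERANCE` and the duplicate check inside the window (which the page does not describe) are assumptions of this example.

```python
import hashlib
import hmac
import struct

CMD_FLAG = 0x01   # hypothetical value of the byte that marks a command
TOLERANCE = 5     # assumed acceptance window, in counter ticks
TAG_LEN = 8       # assumed tag length in bytes

def tag(key, counter, body):
    """Keyed tag over counter + body; HMAC stands in for the proprietary scheme."""
    data = struct.pack(">I", counter) + body
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def build_command(key, counter, body):
    """Sender side: command flag, body, then the additional freshness bytes."""
    return bytes([CMD_FLAG]) + body + struct.pack(">I", counter) + tag(key, counter, body)

class Router:
    def __init__(self, key, now):
        self.key, self.now = key, now   # now: router's copy of the system counter
        self.seen = set()               # tags already accepted; prune past the window in practice

    def handle(self, msg):
        if not msg:
            return "reject: empty"
        if msg[0] != CMD_FLAG:
            return "forward"            # non-commands pass straight to the actuator
        if len(msg) < 1 + 4 + TAG_LEN:
            return "reject: truncated"
        body, ctr, mac = msg[1:-12], msg[-12:-8], msg[-8:]
        (counter,) = struct.unpack(">I", ctr)
        if not hmac.compare_digest(mac, tag(self.key, counter, body)):
            return "reject: bad tag"
        if abs(self.now - counter) > TOLERANCE:
            return "reject: stale"      # recorded message played back too late
        if mac in self.seen:
            return "reject: duplicate"  # same message repeated inside the window
        self.seen.add(mac)
        return "forward"
```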
Common Attacks
Imposter Node
An Imposter node attack is where an attacker places a node on the network that masquerades as a real actuator, diverting commands to itself rather than to the real actuator. The Rotork P3 wireless system provides several countermeasures to this:
- The imposter could not guarantee diversion since it would need to control the routing tables of all devices on the network.
- Should the imposter node successfully join the network (which is an unlikely event given the security measures employed) then it will also need to provide authenticated and encrypted acknowledgments to commands. This would require knowledge of the AES key and anti-spoofing encryption algorithm. If this acknowledgment to a command is not received, the master station will flag an error.
- The imposter would need to conform to the P3 Wireless proprietary protocol to prevent an error being reported.
Replay
The record and replay attack is prevented by the same method that prevents spoofing. A command or registration message must be fresh (not have timed out) to be passed on to the target by the router/coordinator or acted upon by an actuator.
Eavesdropping
The message protocol used is a proprietary one and therefore is not in the public domain. Whilst an eavesdropper might be able to gain knowledge to understand the Rotork messaging protocol and successfully decode messages that are not commands, this is deemed to have no practical use to an attacker.
Denial of Service
The most straightforward method of creating a Denial of Service (DoS) is to impose so much noise on the channel that devices cannot communicate; this is equivalent to cutting the wire on a fully wired system. The use of DSSS (Direct Sequence Spread Spectrum), where the message is spread over a small band of frequencies, can help with DoS attacks that are focussed on one spot frequency. Site security should be employed to control access to the site and therefore prevent equipment capable of a DoS attack being placed within the site. If this did occur, the operator will soon be alerted to the problem since the P3 Master Station will flag a Communications Bad alarm for all actuators, making it clear there is a problem. A correctly installed wireless network would not allow new devices to join and therefore a DoS attack based upon bombarding the master station with data would not be possible.
CS04/11/10