8/6/2019 Wireless p3 Pakscan Case Study

1/2

The P3 wireless system is a type ofWireless Local Area Network (WLAN)

based on the IEEE802.15.4 specification

(WiFi is based on 802.11). Wireless is

in effect a broadcast system, unlike

wired networks where the path of

communication is restricted between

devices by the physical cable, inherently

protecting communications. This means

that someone with a wireless transceiver

set to the correct frequency could listen in.

Of course the low power nature of most

WLANs means that is hard to eavesdrop

from more than a couple of hundred

meters away. In an industrial application,

depending upon the installation, it is

possible that the signals would not be

detectable from outside the site perimeter.

But we must accept the fact that it

may be possible for someone to be

able to pick up the Rotork P3 wireless

messages with a transceiver set to the

correct frequency. Whilst it may be

possible to pick up the feedback data

being transmitted, this is of negligible

security risk as there is very little that

can be done with status information. The

area of concern would be if someone

were able to send messages to command

or operate a device on the network.

So, how could someone infiltrate the

network to control a device on theWireless P3 system? To start with they

would have to know some basic details

about the network; the channel on which

communications are occurring (there are

16 to chose from), the Personal Area

Network Identification number (PAN

ID, a 16bit number), a device address

and they would also need to understand

the Rotork P3 wireless protocol. This is

a non-published proprietary protocol.

BUT... thats not the end of it; becausewe recognise the risk presented by a

persistent hacker who wishes to disrupt

plant operations, we have employed

extra security measures to protect

devices from unsolicited commands.

Introduction

Pakscan Wireless SecurityCASE STUDY NOTES

The P3 system uses multiple securitymeasures to protect from both maliciousand accidental interference.

P3 wireless is inherently secure duethe low power radio signals

All command messages are encryptedusing AES128

A secure method of joining thenetwork is employed

Anti-spoofing ensures messages cannot be replayed (recorded then

played back at a later time)

Security overview

There is a two-fold approach to protecting

command messages. The first is

AES128-bit encoding (Advanced

Encryption Standard) and followingthis, an anti-spoofing algorithm is

applied. The AES prevents analysis of

the command, even if the attacker had

knowledge of the Rotork propriety

protocol used for control. The anti-

spoofing prevents replay attacks

originating from a node on the P3

wireless network. Anti-spoofing is also

applied during network join to prevent

non-authorised actuators being placed

on the network and intercepting

command messages from theirintended recipient.

These methods are utilising strong

encryption. What is encryption?

Encryption is the process of changing

data into a form that can be understood

only by the intended receiver. To decipher

the message, the receiver of the

encrypted data must have the proper

decryption key. The sender and the

receiver use the same key to encryptand decrypt data.

This security infrastructure is designed

to secure the join process and the

sending of commands while

providing minimal impact during

operation and commissioning.

AES - AdvancedEncryption Standard

Advanced Encryption Standard is an

algorithm recognised as being strong

enough to protect national security

with approval of the standard (FIPS

197) in 2001. Since then it has been

widely used and is the defacto standard

for encryption. Rotork are specifically

using AES128 - the 128 refers to the

128 bit key length. This key operates

on a 16 byte datablock. It is necessary

for commands to be padded out to bethe full 16 bytes in length. The padding

bytes provide an additional level of security

as they are checked for correctness

when the command is deciphered.

Command messages are encoded by

passing them through the encryption

algorithm based on the key, before

transmission and at the receiving end

the messages are decoded by the

same algorithm. The algorithm startswith the key-expansion, where a number

of round keys are established that are

used later in the algorithm. The data is

arranged in a 2 dimensional block of

size 4*4 bytes.

8/6/2019 Wireless p3 Pakscan Case Study

2/2

UK USA

There are a series of 10 rounds, andwithin each round the following stepsare taken:

Subbytes - a non linear bytesubstitution of each byte in thedata block.

Shift Rows - within a row the datais cyclically shifted depending uponthe row number.

MixColumns - the data in eachcolumn is transformed throughmultiplication with a fixed polynomial.This provides diffusion - each inputbyte affects all 4 of the output bytes.

Add RoundKey - this XORS the datablock with the round key derived earlier.

All systems are sent out with the sameAES key in the FCUs and the co-ordinator.This can (and should) be changed tosecure the site. The key can be modifiedin the master station (assuming the userhas the correct access rights) using theHMI or web pages and in individualactuators using the IR interface.Additionally, a new key can be distributedthroughout the system over the network.For this distribution the new key issecured by using a Key Transportkey that is hard-coded into thesystem software.

Anti-spoofing

Although the command data is protectedby AES, it does not prevent replayattacks from other nodes on the network.In theory a hacker could join a node tothe network and replay a messagewith the same payload as a commandmessage and with all the message headerinformation correct. In the Rotork P3Wireless systems anti-spoofing is thename given to the encryption algorithmapplied during network joining to preventnon-authorised actuators being placedon the network and during run time toprevent command message replay.

It is an encryption method designed inhouse, but is a similar scheme to messageauthentication code and Nonce(Number Used Once) alogrithms.

Join protectionFor a device to join the network it mustfirst obtain a counter from the Trust

Centre (the co-ordinator device) andthen use this counter combined withthe anti-spoofing encryption to providea successful registration request, andupon passing this authentication theP3 master station will add the deviceto its list of Actuators.

Replay protection

To prevent replay we add additionaldatabytes onto the transmission payload,that contain an encrypted counter. Theadditional bytes are formed by the anti-spoofing encryption that takes a system-wide counter as input. The encryptionused is proprietary and like AES involvespadding, substitution and rotations.

The routers will request the system timeon a periodic basis such that any potentialdrift in the coordinator clock and therouter clock will not push the timetolerance outside an acceptable window.

On reception of a message the routerwill examine a particular byte to ascertainif it is a command. Messages which arenot classified as commands are simplypassed onto the actuator. Commandswill need to have the additional bytes thathave been added to payload deciphered.The deciphered bytes provide a timecounter and if this time matches thetime kept by the router itself, within a

certain tolerance, the command ispassed on to the actuator.

Common Attacks

Imposter NodeAn Imposter node attack is where anattacker places a node on the networkthat masquerades as a real actuator,diverting commands to itself ratherthan to the real actuator. The RotorkP3 wireless system provides severalcounter measures to this: The imposter could not guarantee

diversion since it would need tocontrol the routing tables of alldevices on the network.

Should the imposter node successfullyjoin the network (which is anunlikely event given the securitymeasures employed) then it willalso need to provide authenticated

and encrypted acknowledgments

to commands. This would require

knowledge of the AES key and

anti-spoofing encryption algorithm.

If this acknowledgment to a

command is not received, the master

station will flag an error.

The imposter would need to conform

to the P3 Wireless proprietary protocol

to prevent an error being reported.

Replay

The record and replay attack is prevented

by the same method that prevents

spoofing. A command or registration

message must be fresh (not have

timed out) to be passed on to the target

by the router/ coordinator or acted

upon by an actuator.

Eavesdropping

The message protocol used is a proprietaryone and therefore is not in the public

domain. Whilst an eavesdropper

might be able to gain knowledge to

understand Rotork messaging protocol

and successfully decode messages that

are not commands, this is deemed to

have no practical use to an attacker.

Denial of ServiceThe most straightforward method ofcreating a Denial of Service (DoS) is to

impose so much noise on the channelthat devices cannot communicate; thisis equivalent to cutting the wire on afully wired system. The use of DSSS(Direct Sequence Spread Spectrum),where the message is spread over asmall band of frequencies, can helpwith DoS attacks that are focussed onone spot frequency. Site securityshould be employed to control accessto the site and therefore preventequipment capable of a DoS attackbeing placed within the site. If this didoccur, the operator will soon be alertedto the problem since the P3 MasterStation will flag a CommunicationsBad alarm for all actuators, making itclear there is a problem. A correctlyinstalled wireless network would notallow new devices to join andtherefore a DoS attack based uponbombarding the master station withdata would not be possible.

CS04/11/10