024 Yokogawa, Francesco Zucca -The dark side of IOT · 23/03/2016 · Automation Instrumentation...
| Document Number | March 23, 2016 |
© Yokogawa Electric Corporation
Automation Instrumentation Summit - 2017
The dark side of IOT
Francesco Zucca, Wireless Expert
Agenda
Introduction to IIoT
How WSNs work
Typical hacker attacks on WSNs
Issues with drones
Security countermeasures
IoT scheme
IoT devices subject to cyber attack
Networking devices and sensors have become a target
Diagram: measured variables (pressure, temperature); consequences of an attack (equipment damage, plant shutdown, production cycle shutdown, utilities interruption, inappropriate product quality, safety measures violation); applications (monitoring, control, safety); distance (100 m, 5 km, 60 km).
How do wireless transmitters work?
Low-level attack: default configuration
Default passwords are published in the service manual or available online.
Default keys 445453544E4554574F555B53524F535B.
Default Password : User
Low-level attack: connection to the gateway
Diagram: an operator with a tablet reaches the gateway through a Wi-Fi router; the Field Control Station and the Field Wireless Management Station sit behind the gateway.
The gateway supports IIoT apps and web apps.
The gateway's ports are used to connect a Wi-Fi router.
The operator uses it to check the instruments and control the network.
The wireless router is protected only with WPA or WEP.
A hacker cracks the WPA/WEP encryption.
Medium-level attack: provisioning sniffing
The join process is done by the «OTA method» (over the air).
Main problem: the keys are sent in plaintext, so a hacker is able to steal the keys.
Medium-level attack: analysing the firmware
1. Buy a new device
2. Remove the plug-and-play module
3. Connect a USB JTAG or SWD reader
4. Read and write RAM, or re-flash on-chip memory
5. API (application programming interface)
6. Extract the factory-installed key
Some sensors available on the market have the same keys for all devices.
Attacks at the Physical Layer
Jamming is a typical denial-of-service (DoS) attack: the transmission of a radio signal to interfere with the WSN radio frequencies.
• Constant jamming: no messages can be sent or received.
• Intermittent jamming: nodes are able to exchange messages periodically.
Diagram: sender, receiver and jammer device.
WSN attack tools
Jamming frequency range: 900 MHz, 2.4 GHz
Jamming range: radius up to 50 m
• Multiband 780/868/915/2400 MHz
• IEEE 802.15.4 channel hopping
• Sniffing mode
• Energy detection scanner
• Injection mode
• Continuous wave and packet generator
• Network scan mode
• Sniffing software
• Scanning software
• Network analyzer
• Packet injection software
Attack/disturbance by drone
Drones for industrial applications (IoT apps):
Maintenance: thermographic verification
Control: surveillance, facility security
Mapping
Specifications for industrial/commercial drones:
24-28 minute flying time
Target capability
Fine movement
Handling objects
Drones as disrupters of industrial wireless antennas?
And it was pretty EASY: hobby drones are able to hover and perform fine-control movements in moderate wind conditions!
Could a drone be a problem in the plant?
Modern hobby drones use the 2.4 GHz spectrum, as do Wi-Fi, 802.15.4 etc., so any disruption needs to be kept away from the drone and its controller because of the possible loss of control.
A drone can carry an object (a jammer) to disturb the network.
If a drone hovers permanently in the Fresnel zones, it will be a problem for the WSN.
A Fresnel zone (pronounced fray-NEL) is a series of concentric ellipsoidal regions indicating wave strength between two antennas.
Countermeasures integrated in the WSN protocol
Countermeasures for provisioning
1. Open the FieldMate software with the password manager
2. Connect the IR cable interface and extract the information from the device
3. Connect the RJ45 cable to the gateway
4. Open the gateway configurator with the network manager password
5. Upload the join key and network ID
Security design of ISA100.11a
Link layer: hop-to-hop authentication (MIC) and encryption of packets at layer 2.
Transport layer: end-to-end authentication and encryption of protocol data units at layer 4.
Secure sessions are established between the originating device and the destination device.
Security Keys in ISA100.11a
Join key: created at the conclusion of symmetric key provisioning; used to join the network and receive the master key.
Master key: created at the conclusion of the key agreement scheme; used for communication with the Security Manager and devices; needs to be periodically updated.
DL key: used to compute the Message Integrity Code (MIC) at the link layer; expires and needs to be periodically updated.
Session key (optional): used to encrypt and/or authenticate PDUs at the transport layer; expires and needs to be periodically updated.
Security policy in ISA100.11a
Authentication and encryption: used at both the link and transport layers, and can be varied.
All security policies are distributed together with the cryptographic material.
Security Manager: controls the policies for the cryptographic material it generates; manages and distributes keys (asymmetric keys, master keys, session keys).
Transport layer: a security time stamp protects against replay attacks (important for industrial applications); all devices are continuously synchronized using TAI (International Atomic Time); packets older than N seconds (configurable) are discarded by the recipient.
Countermeasures integrated in the physical layer
ISA100.11a incorporates time hopping mechanisms to ensure communications:
• Frequency diversity ( 16 channels)
• Automatic Repeat-reQuest (ARQ)
• Channel blacklisting
• Adaptive hopping
Countermeasures integrated in the technology
All information is encrypted with AES-128 at layers 2 and 4 (prevents sniffing and spoofing).
Every packet sent carries a MIC (Message Integrity Code) computed with the DL key (prevents tampering and replay attacks).
End-to-end communication protection: each session has a different session key.
The networks are synchronized with TAI and protected with a time stamp.
No Windows-based technology, so not susceptible to Windows viruses.
Event register: every action in the network is registered.
Different users with different security authorizations.
Adaptive-hopping spread spectrum is needed for the robustness and strength of the network (resistance to jamming attacks).
Fully redundant network.
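The receive-side checks described on the security-policy slide and in the list above (a per-hop MIC keyed with the DL key, a TAI time stamp with a configurable N-second window, and rejection of replayed packets) as an added example that is not Yokogawa's or ISA100.11a's own code. It assumes a constructed frame layout (2-byte source, 2-byte destination, 4-byte TAI seconds, payload, 4-byte MIC) and uses a truncated HMAC-SHA256 in place of the standard's AES-based MIC.

```python
import hashlib
import hmac

# Added example, not from the slide deck. Assumptions: an 8-byte header
# (src, dst, 4-byte TAI seconds) + payload + 4-byte MIC; the MIC is HMAC-SHA256
# truncated to 4 bytes, standing in for the standard's AES-based MIC.
MIC_LEN = 4
HDR_LEN = 8


def compute_mic(dl_key: bytes, header: bytes, payload: bytes) -> bytes:
    """Per-hop MIC keyed with the DL key, covering header and payload."""
    return hmac.new(dl_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(dl_key: bytes, src: int, dst: int, tai_s: int, payload: bytes) -> bytes:
    """What a sending node emits: header, payload and the MIC over both."""
    header = src.to_bytes(2, "big") + dst.to_bytes(2, "big") + tai_s.to_bytes(4, "big")
    return header + payload + compute_mic(dl_key, header, payload)


class Receiver:
    """Accepts a frame only if the MIC, TAI freshness and first-seen checks all pass."""

    def __init__(self, dl_key: bytes, max_age_s: int = 10):
        self.dl_key = dl_key
        self.max_age_s = max_age_s          # the slides' configurable N seconds
        self.seen = {}                      # frame bytes -> TAI seconds carried in it

    def accept(self, frame: bytes, now_tai_s: int) -> str:
        if len(frame) < HDR_LEN + MIC_LEN:
            return "malformed"
        header, payload, mic = frame[:HDR_LEN], frame[HDR_LEN:-MIC_LEN], frame[-MIC_LEN:]
        # 1. Integrity/authenticity: tampered or spoofed frames fail the MIC (constant-time compare).
        if not hmac.compare_digest(mic, compute_mic(self.dl_key, header, payload)):
            return "bad_mic"
        # 2. Freshness: frames outside the TAI window are discarded, as the slides describe.
        tai_s = int.from_bytes(header[4:8], "big")
        if abs(now_tai_s - tai_s) > self.max_age_s:
            return "stale"
        # 3. Replay: an identical, still-fresh frame is rejected the second time it arrives.
        if frame in self.seen:
            return "replay"
        self.seen[frame] = tai_s
        # Forget entries that could no longer pass the freshness check anyway.
        self.seen = {f: t for f, t in self.seen.items() if now_tai_s - t <= self.max_age_s}
        return "accepted"
```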
Countermeasures that will be integrated in WSN
Countermeasures that must be integrated in WSN
Operators must be trained for the IT part and for the WSN.
Cyber security life-cycle management must also be integrated into the WSN.
Spectrum surveys should be incorporated into plant security procedures.
Use of field wireless repeaters from high vantage points needs to be considered (redundant Fresnel zone).
A redundant loop is needed for control applications (gateway, access points, instruments).
If the WSN is connected via VPN or Wi-Fi, it must be protected with a firewall and an encryption protocol (SSL, IPsec).
User passwords must be complex, with numbers, letters and special characters /)*_@+.,
WSN Countermeasures in spectrum
Graphic: http://www.qualitymag.com/articles/91465-wireless-measurement-data-acquisition
The 2.4-2.4835 GHz spectrum is VERY crowded. It is used by Wi-Fi/WLAN and by 802.15.4 (industrial wireless: ISA100, WirelessHART, ZigBee).
Since Wi-Fi 802.11 is the major wireless target, jammers will leave GAPS in EMI between Wi-Fi channels 1, 6 and 11.
Therefore 802.15.4 users should channelize to 802.15.4 channels 15, 25, 26, 14 and 20.
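The channel advice above, and the channel-blacklisting countermeasure from the physical-layer slide, checked numerically as an added example (not from the slides). It assumes the standard centre-frequency formulas (Wi-Fi channel n at 2407 + 5n MHz, 802.15.4 channel k at 2405 + 5(k-11) MHz) and models each Wi-Fi channel as a 22 MHz mask and each 802.15.4 channel as 2 MHz wide.

```python
# Added example, not from the slide deck. Assumptions: IEEE 802.11b/g channels are
# 22 MHz wide around 2407 + 5*n MHz; IEEE 802.15.4 channels 11-26 are 2 MHz wide
# around 2405 + 5*(k-11) MHz. Both formulas are the ones in the respective standards.
WIFI_HALF_BW_MHZ = 11.0
WPAN_HALF_BW_MHZ = 1.0
WIFI_CHANNELS = (1, 6, 11)          # the non-overlapping Wi-Fi set named on the slide
RECOMMENDED = (15, 25, 26, 14, 20)  # the 802.15.4 channels the slide recommends


def wifi_band(ch: int) -> tuple[float, float]:
    centre = 2407 + 5 * ch
    return centre - WIFI_HALF_BW_MHZ, centre + WIFI_HALF_BW_MHZ


def wpan_band(ch: int) -> tuple[float, float]:
    centre = 2405 + 5 * (ch - 11)
    return centre - WPAN_HALF_BW_MHZ, centre + WPAN_HALF_BW_MHZ


def guard_margin_mhz(ch: int, wifi_channels=WIFI_CHANNELS) -> float:
    """Smallest gap between an 802.15.4 channel and the Wi-Fi masks in use.
    Negative means the channel lies inside a Wi-Fi mask (value = overlap width)."""
    lo, hi = wpan_band(ch)
    margins = []
    for w in wifi_channels:
        wlo, whi = wifi_band(w)
        if lo >= whi:
            margins.append(lo - whi)
        elif hi <= wlo:
            margins.append(wlo - hi)
        else:
            margins.append(-(min(hi, whi) - max(lo, wlo)))
    return min(margins)


def clear_channels(wifi_channels=WIFI_CHANNELS) -> list[int]:
    """802.15.4 channels that do not overlap any of the given Wi-Fi channels."""
    return [ch for ch in range(11, 27) if guard_margin_mhz(ch, wifi_channels) >= 0]


def blacklist(wifi_channels=WIFI_CHANNELS) -> list[int]:
    """Channels to blacklist in the network manager: everything that overlaps Wi-Fi."""
    return [ch for ch in range(11, 27) if guard_margin_mhz(ch, wifi_channels) < 0]


def rank(channels=RECOMMENDED) -> list[int]:
    """Order the slide's recommended channels by guard margin, widest first."""
    return sorted(channels, key=guard_margin_mhz, reverse=True)
```

With this mask, channels 15, 20, 25 and 26 fall in the gaps between Wi-Fi channels 1, 6 and 11, while channel 14 still sits on the edge of Wi-Fi channel 1, so a spectrum survey should confirm it before it is kept in the hopping set.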