024 Yokogawa, Francesco Zucca -The dark side of IOT · 23/03/2016 · Automation Instrumentation...


| Document Number | March 23, 2016 |

© Yokogawa Electric Corporation

Automation Instrumentation Summit - 2017

The dark side of IOT


Francesco Zucca Wireless Expert


Agenda


Introduction to IIoT

How a WSN works

Typical hacker attacks on a WSN

Issues with drones

Security countermeasures


IOT – Cyber Security



IoT devices subject to cyber attack



Networking devices and sensors have become a target


[Figure: what a wireless sensor measures, and what an attack on it can cause]

Measured variables: pressure, temperature.

Consequences: equipment damage, plant shutdown, production cycle shutdown, utilities interruption, inappropriate product quality, safety measures violation.

Applications: monitoring, control, safety.

Distance: 100 m, 5 km, 60 km.


How do wireless transmitters work?


Typical protocol stack



Device joining the network



Examples of attacks on a WSN


Low-level attack – Default configuration


Default passwords are public in the service manual or available online.

Default key: 445453544E4554574F555B53524F535B.

Default password: User


Low-level attack – Connection to the gateway


[Diagram: operator with tablet, gateway, Wi-Fi router, Field Control Station, Field Wireless Management Station]

The gateway supports an IIoT app / web app.

The gateway ports are used to connect a Wi-Fi router.

The operator uses it to check the instruments and control the network.

The wireless router is protected only with WPA or WEP.

The hacker cracks the WPA/WEP encryption.


Medium level attack - analyze the firmware


1. Buy a new device

2. Remove the plug & play module

3. Connect a USB JTAG or SWD reader

4. Read and write RAM, or re-flash the on-chip memory

5. API (application programming interface)

6. Extract the factory-installed key

Some sensors available on the market have the same keys for all devices.


WSN attack tools


Jamming frequency range: 900 MHz, 2.4 GHz

Jamming range: radius up to 50 m

• Multiband 780/868/915/2400 MHz

• IEEE 802.15.4 channel hopping

• Sniffing mode

• Energy detection scanner

• Injection mode

• Continuous wave & packet generator

• Network scan mode

• Sniffing software

• Scanning software

• Network analyzer

• Packet injection software


Issues with drones


Attack/disturbance by drone


Drones for industrial applications (IoT apps):

Maintenance – thermographic verification

Control – surveillance, facility security

Mapping

Specification for industrial/commercial drones:

24-28 minute flying time

Target capability

Fine movement

Handling objects


Drones as disrupters of industrial wireless antennas?


And – it was pretty EASY.

Hobby drones are able to hover and do fine-control movements in moderate wind conditions!


Could a drone be a problem in the plant?

Modern hobby drones use the 2.4 GHz spectrum, as do WiFi, 802.15.4 etc. So any disruption needs to be away from the drone and its controller, due to possible loss of control.

A drone can carry an object (a jammer) to disturb the network.

If a drone hovers permanently in the Fresnel zones, it will be a problem for the WSN.


A Fresnel zone (fray-NEL) is a series of concentric ellipsoidal regions indicating wave strength between two antennas.


Countermeasures integrated in the WSN protocol


Countermeasures for provisioning


1. Open the FieldMate software with the password manager

2. Connect the IR cable interface and extract the information from the device

3. Connect the RJ45 cable to the gateway

4. Open the gateway configurator with the network manager password

5. Upload the join key and network ID


Security design of ISA100.11a


Link layer – hop-to-hop authentication (MIC) and encryption of packets at Layer 2.

Transport layer – end-to-end authentication and encryption of protocol data units at Layer 4.

Secure sessions are established between the originating device and the destination device.


Security Keys in ISA100.11a


Join Key
Created at the conclusion of symmetric key provisioning.
Used to join the network and receive the Master Key.

Master Key
Created at the conclusion of the key agreement scheme.
Used for communication between the Security Manager and the devices.
Needs to be periodically updated.

DL Key
Used to compute the Message Integrity Code (MIC) at the link layer.
Expires and needs to be periodically updated.

Session Key (optional)
Used to encrypt and/or authenticate PDUs at the transport layer.
Expires and needs to be periodically updated.


Security policy in ISA100.11a


Authentication and encryption:
Used at both the link and transport layers, and can be varied.
All security policies are distributed together with the cryptographic material.

Security Manager:
Controls the policies for the cryptographic material it generates.
Manages and distributes keys (asymmetric keys, master keys, session keys).

Transport layer:
A security time stamp protects against replay attacks (important for industrial applications). All devices are continuously synchronized using TAI (International Atomic Time). Packets older than N seconds (configurable) are discarded by the recipient.


Countermeasures integrated in the physical layer


ISA100.11a incorporates time-hopping mechanisms to ensure communications:

• Frequency diversity (16 channels)

• Automatic Repeat-reQuest (ARQ)

• Channel blacklisting

• Adaptive hopping


Countermeasures integrated in the technology


All information is encrypted with AES-128 at levels 2 and 4 (prevents sniffing and spoofing).

Every packet sent carries a MIC (Message Integrity Check) computed with the DL key (prevents tampering and replay attacks).

End-to-end communication protection: each session has a different session key.

The network is synchronized with TAI and protected with a time stamp.

No Windows-based technology – not susceptible to Windows viruses.

Event register – every action in the network is registered.

Different users with different security authorizations.

Adaptive-hopping spread spectrum is needed for the robustness and strength of the network (resistance to jamming attacks).

Fully redundant network.
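The recipient-side logic the ISA100.11a slides describe (a MIC over every PDU, a TAI time stamp, and discarding packets older than a configurable N seconds), carried through in Python as an added example; this is not Yokogawa's or the standard's code. ISA100.11a derives its MIC from AES-128; here HMAC-SHA256 truncated to 4 bytes stands in so the block runs with the standard library alone, and the key, addresses and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

MIC_LEN = 4               # truncated MIC, as link/transport layer MICs are short
FRESHNESS_WINDOW_S = 30   # the configurable "N seconds" from the slide
HDR = ">HHI"              # src address, dst address, TAI time stamp (seconds)

# Constructed 16-byte DL/session key; in ISA100.11a the Security Manager issues it.
DL_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def compute_mic(key: bytes, src: int, dst: int, tai_ts: int, payload: bytes) -> bytes:
    """MIC over header + TAI time stamp + payload. HMAC-SHA256 stands in here
    for the AES-128 based MIC of the standard so the block needs only stdlib."""
    return hmac.new(key, struct.pack(HDR, src, dst, tai_ts) + payload,
                    hashlib.sha256).digest()[:MIC_LEN]


def build_pdu(key: bytes, src: int, dst: int, tai_ts: int, payload: bytes) -> bytes:
    """Sender side: header || payload || MIC."""
    return struct.pack(HDR, src, dst, tai_ts) + payload + compute_mic(key, src, dst, tai_ts, payload)


class Receiver:
    """Recipient-side checks: MIC, freshness window, then duplicate (replay) detection."""

    def __init__(self, key: bytes, window_s: int = FRESHNESS_WINDOW_S):
        self.key = key
        self.window_s = window_s
        self.seen = set()   # (src, tai_ts) pairs already accepted

    def accept(self, pdu: bytes, now_tai: int) -> str:
        hdr_len = struct.calcsize(HDR)
        if len(pdu) < hdr_len + MIC_LEN:
            return "reject: truncated"
        src, dst, tai_ts = struct.unpack(HDR, pdu[:hdr_len])
        payload, mic = pdu[hdr_len:-MIC_LEN], pdu[-MIC_LEN:]
        # 1. Integrity first: a tampered or forged PDU never reaches the other checks.
        if not hmac.compare_digest(mic, compute_mic(self.key, src, dst, tai_ts, payload)):
            return "reject: bad MIC"
        # 2. Freshness: both peers are TAI-synchronized, so discard anything outside N seconds.
        if abs(now_tai - tai_ts) > self.window_s:
            return "reject: stale timestamp"
        # 3. Replay: a second copy of an already accepted (src, time stamp) is a replay.
        if (src, tai_ts) in self.seen:
            return "reject: replay"
        self.seen.add((src, tai_ts))
        return "accept"
```

The order matters: the MIC check runs first so that a forged time stamp cannot be used to probe the freshness or replay logic.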


Countermeasures that will be integrated in the WSN


Countermeasures that must be integrated in the WSN


Operators must be trained in the IT part and in the WSN.

Cyber security life cycle management must also be integrated into the WSN.

Spectrum surveys should be incorporated into plant security procedures.

Use of field wireless repeaters from high vantage points needs to be considered (redundant Fresnel zone).

A redundant loop is needed for control applications (gateway, access points, instruments).

If the WSN is connected via VPN or Wi-Fi, it must be protected with a firewall and an encryption protocol (SSL, IPsec).

Passwords for users must be complex, with numbers, letters and special characters /)*_@+.,


WSN Countermeasures in spectrum


Graphic - http://www.qualitymag.com/articles/91465-wireless-measurement-data-acquisition

The 2.4-2.835 GHz spectrum is VERY crowded. It is used by WiFi/WLAN and by 802.15.4 (industrial wireless – ISA100, WirelessHART, ZigBee).

Since WiFi 802.11 is the major wireless target, jammers will leave GAPS in EMI between WiFi channels 1, 6 and 11.

Therefore 802.15.4 users should channelize to 802.15.4 channels 15, 25, 26, 14, 20.
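The channel-planning rule on this slide, carried through in Python as an added example that is not part of the original deck: it computes each 2.4 GHz 802.15.4 channel's centre frequency and which of WiFi channels 1, 6 and 11 it overlaps, and generalizes to any site's WiFi channel set so the result can feed the channel blacklisting countermeasure mentioned earlier. It assumes 20 MHz wide WiFi channels and 2 MHz wide 802.15.4 channels; a different channel mask moves the band-edge results.

```python
# Centre frequencies (MHz) of the WiFi channels the slide names as the jamming targets.
WIFI_CHANNEL_MHZ = {1: 2412, 6: 2437, 11: 2462}
WIFI_HALF_WIDTH_MHZ = 10         # assumes 20 MHz wide WiFi channels
IEEE802154_HALF_WIDTH_MHZ = 1    # an 802.15.4 channel occupies about 2 MHz


def ieee802154_centre_mhz(channel: int) -> int:
    """2.4 GHz 802.15.4 channels 11..26 are spaced 5 MHz apart starting at 2405 MHz."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are numbered 11..26")
    return 2405 + 5 * (channel - 11)


def overlapping_wifi_channels(channel: int, wifi=WIFI_CHANNEL_MHZ) -> list:
    """WiFi channels whose occupied band intersects the given 802.15.4 channel."""
    centre = ieee802154_centre_mhz(channel)
    lo, hi = centre - IEEE802154_HALF_WIDTH_MHZ, centre + IEEE802154_HALF_WIDTH_MHZ
    hits = []
    for wch, wcentre in sorted(wifi.items()):
        wlo, whi = wcentre - WIFI_HALF_WIDTH_MHZ, wcentre + WIFI_HALF_WIDTH_MHZ
        if lo < whi and hi > wlo:    # open-interval intersection
            hits.append(wch)
    return hits


def clear_channels(wifi=WIFI_CHANNEL_MHZ) -> list:
    """802.15.4 channels sitting in the gaps between the given WiFi channels."""
    return [ch for ch in range(11, 27) if not overlapping_wifi_channels(ch, wifi)]


def channel_plan(wifi=WIFI_CHANNEL_MHZ) -> dict:
    """Per-channel report: centre frequency and overlapping WiFi channels,
    suitable as input to a gateway channel blacklist."""
    return {ch: {"centre_mhz": ieee802154_centre_mhz(ch),
                 "overlaps_wifi": overlapping_wifi_channels(ch, wifi)}
            for ch in range(11, 27)}


if __name__ == "__main__":
    for ch, info in channel_plan().items():
        status = "clear" if not info["overlaps_wifi"] else f"overlaps WiFi {info['overlaps_wifi']}"
        print(f"802.15.4 ch {ch:2d} @ {info['centre_mhz']} MHz: {status}")
```

Passing a different dictionary to clear_channels (for example a site that also runs WiFi on channel 3) shows immediately which 802.15.4 channels that plant should blacklist instead.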


Thank you for your attention
