Mälardalen University Press Dissertations No. 109 ON SAFE ...445429/FULLTEXT02.pdf · since the...

Mälardalen University Press Dissertations No. 109 ON SAFE AND SECURE COMMUNICATION IN PROCESS AUTOMATION Johan Åkerberg 2011 School of Innovation, Design and Engineering



Mälardalen University Press Dissertations No. 109

ON SAFE AND SECURE COMMUNICATION IN PROCESS AUTOMATION

Johan Åkerberg

2011

School of Innovation, Design and Engineering



Copyright © Johan Åkerberg, 2011
ISBN 978-91-7485-039-0
ISSN 1651-4238
Printed by Mälardalen University, Västerås, Sweden


Mälardalen University Press Dissertations No. 109

ON SAFE AND SECURE COMMUNICATION IN PROCESS AUTOMATION

Johan Åkerberg

Academic dissertation

which, for the degree of Doctor of Technology in Computer Science at the School of Innovation, Design and Engineering, will be publicly defended

on Friday, 25 November 2011, at 10:00 in Paros, Mälardalen University, Västerås.

Faculty opponent: Dr Lutz Rauchhaupt, ifak

School of Innovation, Design and Engineering



Abstract

In the process industry, network and system security have become important since the introduction of Ethernet-based fieldbus protocols. As an example, a successful attack on a power plant, supplying large cities with energy, could result in a temporary but total power loss. Such attacks could be devastating for society. The security threats are real, and the motivations for attacking industrial communication systems may be political or economic.

The vision of autonomous systems, which can be supervised, diagnosed and maintained remotely, is not far from reality, but it stresses the need for security and safety measures. Wired fieldbus protocols are mature with respect to safety and there are existing standards for safe communication. However, the wired fieldbuses lack adequate security measures to be deployed in industrial automation. In wireless sensor networks security is addressed thoroughly in the standards, but safety is not mature. Future automation systems ideally need to seamlessly support safety and security in heterogeneous networks while hiding the complexity from the end-users in order to successfully manage large-scale industrial production.

This thesis presents one feasible solution towards safe and secure communication in heterogeneous industrial networks for process control. The presented solution addresses several other important aspects, such as engineering efficiency, transparency, possibilities for retrofitting, and coexistence with international standards, in order to protect the return on investment of products, systems, and installed base within the area of process automation. Field trials show that several improvements of wireless sensor networks with respect to determinism in both the uplink and the downlink are needed. This is true not only for the research problems addressed within the scope of this thesis, but is a necessity for market acceptance and deployment in process automation in general. The major contribution of this thesis is a method that enables end-to-end safe and secure communication in heterogeneous automation networks without major changes in existing standards, while preserving engineering and integration efficiency.

ISBN 978-91-7485-039-0
ISSN 1651-4238


To my family


List of Papers

This thesis is based on the following papers, which are referred to in the text by their Roman numerals.

I J. Åkerberg and M. Björkman, Introducing Security Modules in PROFINET IO, The 14th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), Mallorca, Spain, September 2009

II J. Åkerberg, M. Gidlund, T. Lennvall, J. Neander, and M. Björkman, Integration of WirelessHART Networks in Distributed Control Systems using PROFINET IO, The 8th IEEE International Conference on Industrial Informatics (INDIN), Osaka, Japan, July 2010

III J. Åkerberg, F. Reichenbach, and M. Björkman, Enabling Safety-Critical Communication using WirelessHART and PROFIsafe, The 15th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), Bilbao, Spain, September 2010

IV J. Åkerberg, M. Gidlund, J. Neander, T. Lennvall, and M. Björkman, Deterministic Downlink Transmission in WirelessHART Networks Enabling Wireless Control Applications, The 36th Annual Conference of the IEEE Industrial Electronics Society (IECON), Phoenix, USA, November 2010

V J. Åkerberg, M. Gidlund, T. Lennvall, J. Neander, and M. Björkman, Efficient Integration of Secure and Safety Critical Industrial Wireless Sensor Networks, EURASIP Journal on Wireless Communications and Networking, September 2011

VI J. Åkerberg, M. Gidlund, and M. Björkman, Future Research Challenges of Industrial Wireless Sensor Networks, The 9th IEEE International Conference on Industrial Informatics (INDIN), Lisbon, Portugal, July 2011

Reprints were made with permission from the publishers.


Papers not Included in the Thesis

The following papers are not included in the thesis.

1. F. Barac, J. Åkerberg, and M. Gidlund, A Lightweight Routing Protocol for Industrial Wireless Sensor and Actuator Networks, The 37th Annual Conference of the IEEE Industrial Electronics Society (IECON), Melbourne, Australia, November 2011

2. K. Yu, M. Gidlund, J. Åkerberg, and M. Björkman, Reliable and Low Latency Transmission in Industrial Wireless Sensor Networks, The First International Workshop on Wireless Networked Control Systems (WNCS), Niagara Falls, Canada, September 2011

3. J. Åkerberg, F. Reichenbach, M. Gidlund, and M. Björkman, Measurements on an Industrial Wireless HART Network Supporting PROFIsafe: A Case Study, The 16th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), Toulouse, France, September 2011

4. F. Ciccozzi, A. Cicchetti, T. Seceleanu, J. Åkerberg, J. Delsing, and L.E. Carlsson, Integrating Wireless Systems into Process Industry and Business Management, The 15th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), IEEE, Bilbao, Spain, September 2010

5. J. Åkerberg and M. Björkman, Exploring Network Security in PROFIsafe, The 28th International Conference on Computer Safety, Reliability and Security (SAFECOMP), Hamburg, Germany, September 2009

6. J. Åkerberg and M. Björkman, Exploring Security in PROFINET IO, The 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC), Seattle, USA, July 2009




Sammanfattning (Summary in Swedish)

In the process industry, the need for security and system security has increased markedly since Ethernet-based fieldbus protocols came into use in automation equipment. A successful attack against, for example, a power plant that generates electricity for large cities could result in a temporary but extensive power outage. Such attacks can be devastating for society. The threat exists, and the motives for attacking industrial communication systems may be economic as well as political.

Visions of autonomous systems, which can be supervised, diagnosed and maintained from remote locations, may soon be realised, but they require reliable solutions for security and safety. Wired fieldbus protocols are developed with safety in mind and there are standards for safety-critical communication. The wired fieldbuses lack security solutions that are viable in industrial automation. In wireless sensor networks, security is treated thoroughly in the standards, but solutions for safety are lacking. Future automation systems need support for security and safety in heterogeneous networks, while at the same time hiding the complexity from the end-users in order to successfully manage large-scale industrial production.

This thesis presents a feasible solution for secure communication in heterogeneous industrial networks for process control. The presented solution addresses several other important aspects, such as simplicity, efficiency, hiding complexity, possibilities for retrofitting, and coexistence with international standards, in order to protect the return on investment in products, systems and installed base within the area of process automation. Field studies show that several improvements of wireless sensor networks with respect to determinism are needed. This applies not only within the scope of this thesis, but is rather a necessity for gaining market acceptance and use in process automation in general. One of the major contributions of this thesis is a concept that enables efficient integration of security and safety in heterogeneous automation networks without major changes to existing standards.


Preface

I have many people to thank for making my industrial PhD studies and this doctoral thesis possible. It has been an intensive, educating, challenging, and stimulating journey since the summer of 2008 when it all began. First of all I would like to thank my supervisors Mats Björkman (MDH), Maria Lindén (MDH), Mikael Gidlund (ABB Corporate Research), and Kai Hansen (ABB Corporate Research) for all inspiration, encouragement and valuable discussions and advice.

I also have to thank Peter Löfgren, Dagfin Brodtkorb, Mirka Mikes-Lindbäck, Tomas Edström, and Helena Malmqvist from ABB Corporate Research for believing in me, and making it possible for me to start as an industrial PhD student. The work in this thesis has in part been financed by Industriforskarskolan RAP, CESAR, and TESLA.

Furthermore I have to thank all of my colleagues at ABB Corporate Research for all discussions, reviewing, encouragement, support, and all the laughs. I especially have to thank Tiberiu Seceleanu, Tomas Lennvall, Krister Landernäs, Jimmy Kjellsson, Dacfey Dzung, Martin Naedele, Daniel Grandin, Frank Reichenbach, Mikael Åkerholm, Tormod Wien, Jan Endresen, Erik Carlson, Ewa Hansen, Jonas Neander, and Pål Orten.

I dedicate this doctoral thesis to my wife Anna and my daughters Tindra and Alva.

Johan Åkerberg
Västerås, September 10, 2011


Contents

Part I: Thesis

1 Introduction 19
1.1 Research Problem 21
1.2 Research Approach 22
1.3 Thesis Outline 23

2 Industrial Automation 25
2.1 Automation Networks 26
2.2 Wireless Automation Networks 27
2.3 Secure Communication 29
2.4 Safety Critical Communication 30
2.5 Reflections on Safe versus Secure Communication 33
2.6 Integration Transparency and Life Cycle Efficiency 34

3 Related Work 35

4 Included Papers and Their Contribution 39
4.1 Paper I 40
4.2 Paper II 41
4.3 Paper III 42
4.4 Paper IV 42
4.5 Paper V 43
4.6 Paper VI 44

5 Conclusions 47
5.1 Future Work 48

6 References 49

Part II: Included Papers

7 Paper I: Introducing Security Modules in PROFINET IO 59

8 Paper II: Integration of WirelessHART Networks in Distributed Control Systems using PROFINET IO 69

9 Paper III: Enabling Safety-Critical Communication using WirelessHART and PROFIsafe 77

10 Paper IV: Deterministic Downlink Transmission in WirelessHART Networks Enabling Wireless Control Applications 87

11 Paper V: Efficient Integration of Secure and Safety Critical Industrial Wireless Sensor Networks 95

12 Paper VI: Future Research Challenges of Industrial Wireless Sensor Networks 111


Part I:

Thesis


1. Introduction

Automation is a broad area, which is commonly broken down into process automation, substation automation, factory automation, building automation, and home automation. The requirements differ between the automation disciplines in real-time performance, such as allowed jitter, cost, availability, maintainability, and also in safety and security. This thesis focuses on the process automation domain, but work already done in other domains is evaluated where it is feasible to reuse or adapt it for process automation.

The importance of network and system security is increasing in the process industry since the introduction of Ethernet-based fieldbus protocols in process automation, which open up new attack scenarios. As an example, a successful attack on a power plant [1], supplying large cities with energy, could result in a temporary but total power loss. Such attacks could be devastating for society. The security threats are real, and the motivations for attacking industrial communication systems may be political or economic [2].

The operational requirements are different for automation and office IT. In automation the most important requirement is the safety of people, equipment, and the environment. Security violations might affect the safety of the plant and its personnel. Availability, that is, being in safe operation over long periods of time, is the second most important requirement. Office IT security requirements focus on authorization, confidentiality, and integrity issues. Furthermore, it is difficult to apply IT system administration practices in automation, where software patches and rebooting are required when security vulnerabilities are identified [3].

The measures against security attacks in the process automation standards are simply to keep the networks closed, i.e. no connections to the outside. If the control system must be connected to the outside, i.e. the Internet, a perimeter defense protects the entrance. On the other hand, the visions of autonomous systems that can be followed, diagnosed and maintained remotely are not far from reality, but they stress the need for security and safety solutions. Figure 1.1 illustrates one possible future scenario where both wired and wireless technologies are deployed on various automation network levels in order to automate distributed processes. The wired fieldbuses are mature with respect to safety and there are existing standards for safe communication, for example PROFIsafe [4]. However, the wired fieldbuses lack adequate security measures to be deployed in industrial automation. In a setup like an autonomous system, or the scenario illustrated in Figure 1.1, which is supervised, maintained and diagnosed remotely, security measures over safe communication have to be taken into account.

Figure 1.1: Example of a future architecture where wireless technologies are seamlessly integrated in the automation systems on all network levels

IEC 62280-1 [5] deals with safety-related communication in closed transmission systems. PROFIsafe is based on the black channel principle from IEC 62280-1, where the standard transmission system can be used for both safety-related and non-safety-related messages. The main benefit of the black channel principle is that the standard transmission system can be excluded from the functional safety certification. In the railway domain, especially in railway signaling, it is difficult, or economically infeasible, to have closed transmission systems. Therefore, in the railway signaling domain, where safety-relevant messages have to be transmitted on non-trusted networks, i.e. where security attacks cannot be neglected, IEC 62280-2 [6] applies. IEC 62280-2 recommends that cryptographic techniques be used, in addition to the safety layer, to ensure integrity, authorization and confidentiality. Following the recommendations of IEC 62280-2, safety-relevant data is allowed to be transmitted over non-trusted networks, i.e. open networks.

The latest advancements in wireless networks, fieldbus systems and asset management systems contribute to the efficiency of process systems [7]. Seamless horizontal and vertical integration of communication and information throughout the complete organization is necessary to master the complexities of production and business operations in process automation [7]. Using Ethernet-based protocols at the fieldbus level simplifies vertical integration, as the real-time protocols can co-exist with non-real-time automation protocols. Vertical integration and wireless communication unfortunately have a negative effect on security, and the risk of security attacks at the fieldbus level increases with the level of integration.

In wireless networks, security is a very important topic and is addressed thoroughly in the standards, e.g. IEEE 802.11 [8], IEEE 802.15 [9], and WirelessHART [10], since there is no possibility to keep the networks closed. On the other hand, safety is sparsely addressed in the standards, if at all. Even if safe communication is not a hard requirement today, developing a certifiable safety solution would probably decrease the skepticism towards wireless communication in industry. Another aspect: if you choose between wireless equipment from different suppliers, one that has not addressed safety at all and another that has a safety implementation that is not formally certified, which vendor would you choose? This is not limited to safety; it is equally important with an overall security mechanism.

There is a focus in industry on replacing or complementing the various fieldbuses with field networks to gain bandwidth, functionality and flexibility during the plant lifetime. As an example, PROFINET IO [11] is starting to replace PROFIBUS [11] as the Ethernet successor in the process industry. Wireless communication is also possible at the sensor level or even at the network level, thus effectively expanding communication into areas where wired communication has challenges with respect to cost, mobility, or mechanical wear.

1.1 Research Problem

Safety of humans, the environment, and property is the number one concern in large-scale industrial automation. In addition, any downtime in production is typically associated with significant losses in production and income. Therefore, proper deployment of security measures plays an important role in protecting both safety and the rate of production. Today's increase in Ethernet and wireless communication demands more attention than previously to safety and security in process automation. The problem is that:

1. Security is not fully handled today in the safety-certified fieldbuses. For example, the PROFIsafe [4] standard states that no additional security layers are necessary. It tries to keep safety sub-networks as "closed systems" and protects network entries via "security boxes". The research problem is: How can secure end-to-end fieldbus communication, as well as efficient integration of security measures, be developed without major changes in current standards?

2. Security is well addressed and mature, but safety is barely addressed at all in wireless field networks, such as WirelessHART [10] and ISA100 [12]. Ideally the wireless technology should be seamlessly integrated into the existing automation systems and fieldbuses. The research problem is: How can safe wireless sensor networks, as well as efficient integration of wireless sensor networks, be developed without major changes in existing automation systems and standards?

The research problem is illustrated in Figure 1.2, where ideally the heterogeneous field networks should be both safe and secure, and not only safe or secure.

Figure 1.2: Desired future scenario, where the automation systems are both safe and secure

1.2 Research Approach

Ideally, to protect the return on investment (ROI) in existing automation equipment, the security problem in process automation should be solved by retrofitting security without any changes with respect to infrastructure, standards, and products. Therefore, an engineering approach is taken rather than a theoretical approach, in order not to develop new solutions from scratch, but rather to improve existing solutions with respect to network security and safety. Compared to office IT, automation has different requirements with respect to security, i.e. integrity and authentication are more important than confidentiality. In process automation it is more important that, for example, a transmitted command to control a machine is not tampered with, than the risk of exposing the content of the command to an adversary.

In the same way, to protect the ROI when extending existing automation equipment with wireless technologies, the existing standards, infrastructures, methods of integration, and products should ideally be unchanged while supporting safety. Last but not least, it should ideally be possible to engineer, deploy, and maintain safety and security where needed, independently of whether wired or wireless communication technologies are used.

The work is based on an experimental approach, where initially the possibilities of dangerous security vulnerabilities are evaluated on existing automation equipment, using standardized fieldbus protocols and functional safety profiles such as PROFINET and PROFIsafe. The concept of Security Modules is introduced to retrofit authentication, integrity, and optionally confidentiality. Then the concept is extended using Industrial Wireless Sensor Networks (IWSN) while supporting both functional safety and security. The major goal of this thesis is to propose solutions that can be retrofitted to existing products without major changes in the standards, with respect to functional safety and security. Proof-of-concept implementations on existing automation equipment have been used to validate and evaluate the feasibility of the solutions.
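The two layers discussed above, a safety layer in the black channel sense (sequence number plus CRC, as the IEC 62280-1 style safety protocols rely on) and a security layer added underneath it (a keyed MAC, as IEC 62280-2 recommends and as the Security Modules retrofit), can be shown side by side in a small simulation. The following is an added illustration written for this edition and is not code from the thesis, from PROFIsafe, or from any of the papers; the frame layout, field sizes, the 16-byte tag length, the key and the sample command are all constructed assumptions. Its point is the one the text makes: a CRC detects random channel errors but is not a security measure, whereas the MAC detects a deliberately altered frame, and the safety layer itself stays unchanged when the security layer is wrapped around it.

```python
"""Layered frame check: safety layer (seq + CRC32) inside a security layer (HMAC).
Added example, not the thesis' own code; all formats and values are assumptions."""
import hashlib
import hmac
import struct
import zlib
from typing import Optional

# Hypothetical shared key of a Security Module pair (constructed for the example).
KEY = b"example-security-module-key"
TAG_LEN = 16  # truncated HMAC-SHA256 tag; an assumption for this example


def safety_encode(payload: bytes, seq: int) -> bytes:
    """Safety PDU: 16-bit sequence number, payload, CRC32 over both.
    Catches random corruption and stale frames, not deliberate modification."""
    body = struct.pack(">H", seq) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def safety_decode(pdu: bytes, expected_seq: int) -> Optional[bytes]:
    """Return the payload if CRC and sequence number check out, else None."""
    if len(pdu) < 6:
        return None
    body, crc = pdu[:-4], struct.unpack(">I", pdu[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    if struct.unpack(">H", body[:2])[0] != expected_seq:
        return None
    return body[2:]


def secure_wrap(key: bytes, pdu: bytes) -> bytes:
    """Security layer: append a keyed MAC over the untouched safety PDU."""
    tag = hmac.new(key, pdu, hashlib.sha256).digest()[:TAG_LEN]
    return pdu + tag


def secure_unwrap(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the inner safety PDU if the MAC verifies, else None."""
    if len(frame) <= TAG_LEN:
        return None
    pdu, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, pdu, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return pdu


def receive(key: bytes, frame: bytes, expected_seq: int) -> Optional[bytes]:
    """Receiver: security check first, then the unchanged safety check."""
    pdu = secure_unwrap(key, frame)
    return None if pdu is None else safety_decode(pdu, expected_seq)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit transmission error on the black channel."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo() -> dict:
    """Run constructed frames through the receiver and collect the outcomes."""
    cmd, seq = b"VALVE:OPEN", 7
    safe_pdu = safety_encode(cmd, seq)
    good = secure_wrap(KEY, safe_pdu)
    # A random bit error in the payload: the CRC alone already rejects it.
    corrupted_pdu = flip_bit(safe_pdu, 8 * 3)
    # A changed payload with a recomputed CRC: the safety layer alone accepts
    # it, because a CRC is public arithmetic; the MAC is what rejects it.
    altered_pdu = safety_encode(b"VALVE:SHUT", seq)
    altered_frame = altered_pdu + good[-TAG_LEN:]
    return {
        "good": receive(KEY, good, seq),
        "corrupted_safety_only": safety_decode(corrupted_pdu, seq),
        "corrupted_with_security": receive(KEY, flip_bit(good, 8 * 3), seq),
        "altered_safety_only": safety_decode(altered_pdu, seq),
        "altered_with_security": receive(KEY, altered_frame, seq),
        "stale_sequence": receive(KEY, good, seq + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} -> {result!r}")
```

The receiver checks the MAC before the safety fields, so a frame that fails authentication never reaches the safety layer, and the safety PDU format is identical with or without the security wrapper, which is the property that lets a security layer be retrofitted without touching the certified safety protocol.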

1.3 Thesis Outline

The thesis is organized in two parts. In Part I the research problems are described, as well as an overview of the research areas, related work, and contributions. At the end of Part I, conclusions and future work are presented. Part II includes six peer-reviewed scientific papers that have been published and presented at international conferences or in international journals.

The rest of Part I is organized as follows.

Chapter 2: This chapter is an introduction to industrial automation, automation networks, security, and functional safety.
Chapter 3: This chapter presents the related work.
Chapter 4: This chapter presents the included papers and the contribution of the thesis.
Chapter 5: This chapter presents the conclusions and future work.


2. Industrial Automation

As mentioned in the introduction, automation is a wide area with different requirements with respect to safety and security in the various automation disciplines. Security concerns protecting systems and devices by, e.g., preventing unauthorized access, or preventing malicious people from gaining some benefit, getting attention, or harming somebody or something. Moreover, the traditional definition of a safety system is one that automatically brings the process into a state in which no dangers remain to humans, machines and the environment.

In the remainder of this section process automation is introduced, as well as some requirements that need to be addressed in order to design systems and solutions that can be used within process automation. Some typical examples of process automation industries are pulp and paper (see Figure 2.1(a)), mining, steel, and oil and gas (see Figure 2.1(b)). The main

(a) Pulp and paper (b) Oil and gas

Figure 2.1: Examples of process automation

characteristic that groups them together is that the products are produced in a continuous manner, e.g. oil is produced in a continuous flow. In discrete manufacturing, the products are produced in discrete steps, i.e. the products are assembled from sub-assemblies or single components. Typical examples of discrete manufacturing industries are the automotive, medical, and food industries. Discrete manufacturing relies heavily on robotics and belt conveyors for assembly, picking, welding, and palletizing. To generalize, discrete manufacturing normally has stricter latency and real-time requirements than process automation. The main reason for this generalized assumption is that in order to pick, assemble, or palletize at high speed with the required production quality, the latency, refresh rates, and real-time requirements are stricter than for, say, a tank level control loop in process automation. However, as always, there are cases where this general assumption does not hold.

In the automation domain, many different communication protocols exist on various media such as fiber, copper cables, radio, or even power-line carrier communication. Since the automation equipment ranges from high-end server hardware from the IT domain down to small tailored embedded systems with 8-bit processors and just a few kilobytes of memory, it is a challenging task to solve all needs with one single protocol. From an automation application point of view, communication is for example used for

• interconnection of automation equipment distributed over large geographical areas
• interconnection of dedicated real-time automation systems with operator work-places for control and supervision
• closed loop control, ranging from slow processes such as tank level control, to fast processes such as motion control
• interlocking and control; a major part of control applications in process control require discrete signaling. For example, a machine might have start, stop, and safety interlocks.
• monitoring and supervision, where large amounts of data are transmitted and evaluated to predict and avoid interruption of production.

In the following sections the communication architecture, protocols, as well as the state-of-the-art in security and safety will be introduced.

2.1 Automation Networks

As illustrated in Figure 1.1 the automation networks are divided into several different networks, with different demands and importance of various properties. Typically, the higher levels of the automation networks, i.e. server networks, have more relaxed constraints on for example latency and real-time properties, compared to the field networks. On the other hand, the field networks have in general relaxed constraints with respect to throughput, as real-time behavior, low latency, and low jitter are more important for process control.

On the higher levels of the automation network, the Server Network in Figure 1.1, one of the most common protocols is Object Linking and Embedding (OLE) for Process Control [13], or OPC for short. Another common protocol, mainly residing on the Control Network, is the Manufacturing Message Specification [14] (MMS). Both MMS and OPC use TCP/IP for transport. For historical reasons there exist many proprietary protocols on both the server and control network; the main reason is that the equipment on both the server and control network is provided by one vendor, and the proprietary protocols remain due to backwards compatibility issues.

On the field network level, the IEC 61784-1 standard specifies 9 different communication profiles [11]. Additional protocols, based on Real-Time Ethernet, are specified in IEC 61784-2 [15]. In Table 2.1 the protocols from IEC 61784 are listed. Many other protocols exist as well, and the aim is not to make this a complete list, but an overview of the multitude of different protocols on the market. When it comes to market shares, there are two dominant protocols, namely Foundation Fieldbus (FF) and Profibus & Profinet. FF is dominant in the United States, and Profibus & Profinet are dominant in Europe. The total installed base is in the order of a hundred million devices and increasing.

Table 2.1: Standardized fieldbus protocols from IEC 61784

IEC 61784-1           | IEC 61784-2
Foundation Fieldbus   | CIP
CIP                   | PROFIBUS & PROFINET
PROFIBUS & PROFINET   | P-NET
P-NET                 | INTERBUS
WorldFIP              | Vnet/IP
INTERBUS              | TCnet
CC-Link               | EtherCAT
HART                  | Ethernet Powerlink
SERCOS                | EPA
                      | MODBUS RTPS
                      | SERCOS

Since fieldbuses are used to transmit data for interlocking, closed-loop control, and monitoring, there exist several important properties. Some of the most important, and sometimes even contradicting, properties of industrial communication at various levels are given in Table 2.2.

Table 2.2: Important properties of industrial communication

Property | Description
Safety | Failures in communication should not affect the health of persons, equipment, or environment
Security | The transmitted data should be secure against malicious manipulation, to avoid loss of production or harm to the safety of persons, equipment, and environment
High availability | Avoid a single point of failure that can compromise the plant production. The production should be able to continue without major degradation in the case of a single failure
Deterministic | Data must always be delivered within given time constraints, for example to be able to stop a conveyor belt before any material transported on the conveyor causes a long production loss or affects safety
Low latency and jitter | Data must be transmitted with low latency and jitter for motion control in order to keep control performance and precision
High throughput | Plant operators will request production statistics from the control system that will be presented as a trend curve displaying different key performance indexes, or to monitor the current production and react before any disturbances in production occur
Efficient deployment and maintenance | The lifetime of automation equipment is expected to be longer than 10 years. In case of malfunctioning equipment the on-site maintenance staff should be able to replace faulty equipment and restore plant production without help from automation system experts. Another reason is that plants can be at inconvenient geographic locations and it would take a long time for an expert to reach the site, for example an offshore oil rig or deep down in a distant mine
Flexible topology | The asset owners constantly seek new methods to improve the production speed and quality, and rearrangement or addition of automation equipment is not uncommon due to new discoveries in the production methodology

2.2 Wireless Automation Networks

The use of wireless technologies in automation is not something new; it has been around for quite some time. For example, wireless LANs and long-haul wireless links are commonly found in industrial automation on the higher levels of the communication architecture. Wireless is even found on the factory floor for real-time communication, where IWLAN [16] and WISA [17] have been successfully deployed. In addition, one international and industrial standard for Wireless Sensor Networks (WSNs) exists: WirelessHART [10]. WirelessHART provides means to automate areas where wired fieldbuses have challenges with respect to mechanical wear and cost. ISA-100 [12] and WIA-PA [18] are possibly two emerging IEC standards, or WirelessHART, ISA-100, and WIA-PA may merge into one industrial standard in the future. WSNs are also deployed in the automation industries, but mainly in smaller installations, providing additional services such as condition monitoring and monitoring of non-critical process values.

2.3 Secure Communication

For historical reasons, security has received little or no attention in the automation domain. The reason is that the automation equipment was initially placed in a central physical location. The automation equipment, i.e. controllers, I/O, and field devices, is connected in a marshaling room. The marshaling room is a central place through which all "field communication" passes, comparable to the exchange of old telephone systems. The communication between the controllers and operator stations was based on proprietary solutions with no connections outside the physical location, which only authorized personnel may enter. In a way, security was based on security-by-obscurity and physical security.

Over time, more information from the field equipment became necessary to refine the control algorithms and to improve the quantity and quality of the final products. The control systems went from central controllers to distributed control systems (DCS). The latest advancements in wireless technology and condition monitoring allow and demand even further vertical and horizontal integration, or even connections to the Internet. Over roughly the last ten years, security in the automation domain has gained a lot of attention [19, 20], and the next paragraphs describe the state-of-the-art in process automation.

The server network communication protocols are security aware. OPC, for example, relies heavily on the user's configuration of the security settings. As OPC relies on DCOM (Distributed Component Object Model) [21], its security is also tied to the limited set of operating systems that support DCOM. This problem has been solved with OPC Unified Architecture (OPC UA), which is platform independent [22]. MMS has no security countermeasures by definition, but provides mechanisms for access control.

The closer to the sensors and actuators we get, the less security aware the protocols become. The main reason for this is the history of fieldbus communication and the initially proprietary protocols. As the fieldbus protocols have evolved to Ethernet-based communication, security is still lacking, mainly due to restricted resources and a lack of feasible countermeasures to deploy. One exception is that wireless technologies used at the fieldbus level are already security aware, providing countermeasures for integrity, availability, and confidentiality. However, many important issues are still open with respect to integration into automation systems, and with respect to the simple maintenance that is required to minimize production downtime.

To add further security countermeasures, firewalls are used to limit the communication to and from the server networks when connecting them to enterprise networks or the Internet. VPNs are also used to tunnel traffic between different sites over the Internet.

At the fieldbus level, the state-of-the-art is to protect even single production cells with a dedicated network protected by a firewall [23]. With this approach each communication segment is protected by a firewall, and an adversary has to penetrate several firewalls to reach the field equipment. The horizontal communication below a firewall is based on trust, and all nodes can communicate with each other without any restrictions. The concept of different security zones is also covered in the ANSI/ISA standards [24, 25]. ISA has ongoing standardization activities in the area of safety and security for industrial automation and control systems (ISA99 WG7), which at the current state are not advancing [26]. Table 2.3 summarizes typical security objectives that can be used as a framework for categorizing and comparing security mechanisms amongst systems [3].

2.4 Safety Critical Communication

While secure communication has received little attention in automation in the past, safe communication has received a lot of attention and is standardized and mature. However, many proprietary protocols still exist. The main reason for the proprietary safety protocols is that not all available safety protocols could be included in the standards. The ones that did not make it into the standard had an installed base before the final selection for standardization and need to be maintained for years to come.

The IEC 61784-3 [27] standard specifies general rules and functional safety profiles for the fieldbus profiles specified in IEC 61158, IEC 61784-1, and IEC 61784-2 according to the general functional safety standard IEC 61508. The safety profiles specified in the IEC 61784-3 standard are all based upon the black channel principle, which stems from experiences in the train signaling domain, IEC 62280-1 [5]. The black channel principle simplifies the overall safety certification process, as the standard transmission system does not have to be part of the safety certification; see Figure 2.2 for an illustration of the black channel. Using the black channel principle, a safety layer is added on top of the standard transmission system, and this layer detects all errors in a deterministic way without relying on any measures of the standard transmission system.

The possible types of communication errors related to functional safety and IEC 61784-3 are presented in Table 2.4. All safety profiles have to deploy measures to handle the possible communication errors in a deterministic way while not relying on the mechanisms in the underlying black channel.


Table 2.3: Examples of typical security objectives in industrial automation [3]

Objective | Description
Confidentiality | The confidentiality objective refers to preventing disclosure of information to unauthorized persons or systems
Integrity | The integrity objective refers to preventing undetected modification of information by unauthorized persons or systems
Availability | Availability refers to ensuring that unauthorized persons or systems cannot deny access or use to authorized users
Authentication | Authentication is concerned with the determination of the true identity of a system user
Authorization | The authorization objective is concerned with preventing access to the system by persons or systems without permission
Auditability | Auditability is concerned with being able to reconstruct the complete history of the system behavior from historical records
Nonrepudiability | The nonrepudiability objective refers to being able to provide proof to a third party of who initiated a certain action in the system, even if the actor is not cooperating
Third-party protection | The third-party protection objective refers to averting damage done to third parties via the system

Figure 2.2: Using the black channel principle to avoid functional safety certification of the standard transmission system


Table 2.4: Possible communication errors from IEC 61784 [27]

Error | Description
Corruption | Messages may be corrupted due to errors within a bus participant, due to errors on the transmission medium, or due to message interference
Unintended repetition | Due to an error, fault, or interference, old messages that are not updated are repeated at an incorrect point in time
Incorrect sequence | Due to an error, fault, or interference, the predefined sequence associated with messages from a particular source is incorrect
Loss | Due to an error, fault, or interference, a message is not received or not acknowledged
Unacceptable delay | Messages may be delayed beyond their permitted arrival time window, for example due to errors in the transmission medium, congested transmission lines, interference, or due to bus participants sending messages in such a manner that services are delayed or denied
Insertion | Due to a fault or interference, a message is inserted that relates to an unexpected or unknown source entity
Masquerade | Due to a fault or interference, a message is inserted that relates to an apparently valid source entity, so a non-safety relevant message may be received by a safety relevant participant, which then treats it as safety relevant
Addressing | Due to a fault or interference, a safety relevant message is sent to the wrong safety relevant participant, which then treats reception as correct
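To make the black channel principle and the error classes of Table 2.4 concrete, the following Python is an added example; it is not code from the thesis and not the PDU format of PROFIsafe or any other standardized profile. It assumes a minimal safety PDU of connection identifier, 16-bit consecutive number, payload and CRC-32, a 100 ms watchdog, and a constructed trace of what a faulty transmission system delivers. The receiver trusts nothing the black channel reports and classifies every PDU from the safety PDU alone.

```python
import struct
import zlib

# Added example, not code from the thesis. The PDU layout is an assumption made for
# illustration and is not the format of PROFIsafe or any other standardized profile:
#   connection id (2 bytes) | consecutive number (2 bytes) | payload | CRC-32 (4 bytes)
HEADER = struct.Struct(">HH")
TRAILER = struct.Struct(">I")
WATCHDOG_MS = 100      # assumed: longest gap tolerated between two accepted PDUs
HALF_RANGE = 0x8000    # consecutive number is 16 bit and compared modulo 2**16


def build_safety_pdu(conn_id: int, counter: int, payload: bytes) -> bytes:
    """Sending side of the safety layer: prepend connection id and consecutive number,
    append a CRC over everything. The black channel below sees only opaque bytes."""
    body = HEADER.pack(conn_id, counter & 0xFFFF) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Receiving side of the safety layer. Nothing the transmission system reports is
    trusted: every error class of Table 2.4 is detected from the safety PDU itself."""

    def __init__(self, conn_id: int, watchdog_ms: int = WATCHDOG_MS):
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms
        self.expected = 0        # next consecutive number that will be accepted
        self.last_ok_ms = None   # arrival time of the last accepted PDU (watchdog reference)
        self.fail_safe = False   # latched on the first error; application must use safe values

    def receive(self, pdu: bytes, now_ms: int):
        """Return (verdict, payload). verdict is 'ok' or the name of the detected error class."""
        verdict, payload = self._classify(pdu, now_ms)
        if verdict == "ok":
            self.expected = (self.expected + 1) & 0xFFFF
            self.last_ok_ms = now_ms
        else:
            self.fail_safe = True
        return verdict, payload

    def _classify(self, pdu: bytes, now_ms: int):
        if len(pdu) < HEADER.size + TRAILER.size:
            return "corruption", None
        body, crc = pdu[:-TRAILER.size], TRAILER.unpack(pdu[-TRAILER.size:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "corruption", None                 # bit errors anywhere in the PDU
        conn_id, counter = HEADER.unpack(body[:HEADER.size])
        if conn_id != self.conn_id:
            # well-formed PDU, but not for this connection: insertion from an unknown source,
            # masquerade of a non-safety message, or a PDU addressed to another participant
            return "insertion/masquerade/addressing", None
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            return "unacceptable delay", None         # watchdog expired although the PDU is valid
        distance = (counter - self.expected) & 0xFFFF
        if distance == 0:
            return "ok", body[HEADER.size:]
        if distance == 0xFFFF:
            return "unintended repetition", None      # the previous PDU delivered once more
        if distance < HALF_RANGE:
            return "loss", None                       # counter jumped ahead: PDUs in between are missing
        return "incorrect sequence", None             # a stale PDU arrived out of order


def run_demo():
    """Constructed black-channel trace (arrival time in ms, PDU as delivered). Returns the
    list of verdicts. fail_safe latches at the first error; the demo keeps classifying so
    that every error class is shown once."""
    conn = 0x1234

    def pdu(counter, conn_id=conn):
        return build_safety_pdu(conn_id, counter, b"\x01")   # constructed payload byte

    corrupted = bytearray(pdu(3))
    corrupted[HEADER.size] ^= 0x80                           # flip one payload bit on the wire
    trace = [
        (0, pdu(0)), (20, pdu(1)),
        (40, pdu(1)),                     # duplicated by the transmission system
        (60, pdu(2)),
        (80, bytes(corrupted)),           # bit error
        (100, pdu(3)),
        (120, pdu(6)),                    # arrives before 4 and 5: they are missing here
        (140, pdu(4)),
        (160, pdu(5, conn_id=0x9999)),    # valid-looking PDU of another connection
        (180, pdu(5)),
        (200, pdu(2)),                    # stale PDU delivered late
        (400, pdu(6)),                    # valid, but 220 ms after the last accepted one
    ]
    rx = SafetyReceiver(conn)
    return [rx.receive(p, t)[0] for t, p in trace]
```

The order of the checks matters: the CRC is verified before anything in the header is interpreted, the connection identifier is checked before the counter so that a foreign PDU can never advance the sequence, and the watchdog is evaluated even for an otherwise valid PDU. In a real safety layer the latched fail-safe state would also stop further acceptance until an explicit restart.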

Several standardized safety profiles are specified in IEC 61784-3. The different fieldbuses and their safety profiles are listed in Table 2.5. In addition, several proprietary safety protocols exist as well, but these are not considered here. With respect to market shares, Fieldbus Foundation Safety Instrumented Systems (FF-SIS) and PROFIsafe dominate the market, with an installed base in the order of millions of devices.

Table 2.5: Standardized safety profiles

IEC 61784-1           | IEC 61784-3
Foundation Fieldbus   | FF-SIS
CIP                   | CIP Safety
PROFIBUS & PROFINET   | PROFIsafe
INTERBUS              | INTERBUS Safety

2.5 Reflections on Safe versus Secure Communication

In the development and design of safety-critical systems, all possible error cases which can lead to a dangerous situation are identified in a structured way before the system is put into service. The design and development of secure systems is executed in a similar way. Even if it is extremely difficult or practically impossible to design a 100% safe system today, the identified risks do not change over time, and the IEC 61508 life-cycle model covers the complete life-cycle of the safety-critical system from initial design to decommissioning and disposal. In security the risks change over time; for example, if a weakness in a specific cryptographic algorithm is discovered, the security countermeasure might no longer be sufficient. In safety-critical systems the manufacturer can specify under what circumstances and operational conditions the system can be used. It is not that simple to specify that a security countermeasure should not be broken or weakened by adversaries.

To generalize, the main difference between safe and secure communication is the use of Cyclic Redundancy Checks (CRC) versus cryptographic checksums (Message Authentication Code, MAC, or Message Integrity Code, MIC) [28]. CRCs are designed to detect unintended, random transmission errors and are not strong enough to withstand intentional manipulation by adversaries: anyone who can modify the payload can also recompute the CRC. The MAC or MIC protecting the payload data units is designed to make it hard for an adversary to change the payload without detection by the communicating peers. Thus the MAC and MIC are based upon the use of pre-shared secret keys, while the CRC does not rely on any secret key.
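The following Python is an added illustration of this difference, not code from the thesis. It assumes a frame layout of payload followed by either a CRC-32 or an HMAC-SHA256 tag, a constructed pre-shared key, and a constructed 5-byte sample payload. It goes slightly beyond the paragraph: because a CRC is affine over GF(2), a man-in-the-middle who observes one frame can patch the checksum for any same-length modification from the observed tag alone, without knowing anything about the payload semantics, whereas the same edit against the keyed MAC is detected.

```python
import hashlib
import hmac
import zlib

# Added example (not from the thesis). Frame layouts are assumptions for illustration:
#   payload | 4-byte CRC-32          (safety-style integrity: no secret involved)
#   payload | 32-byte HMAC-SHA256    (security-style integrity: pre-shared key)
KEY = b"constructed-pre-shared-key-known-only-to-the-peers"


def crc_frame(payload: bytes) -> bytes:
    return payload + (zlib.crc32(payload) & 0xFFFFFFFF).to_bytes(4, "big")


def crc_frame_valid(frame: bytes) -> bool:
    payload, tag = frame[:-4], int.from_bytes(frame[-4:], "big")
    return (zlib.crc32(payload) & 0xFFFFFFFF) == tag


def mac_frame(payload: bytes, key: bytes = KEY) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_frame_valid(frame: bytes, key: bytes = KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def patch_crc_frame(frame: bytes, delta: bytes) -> bytes:
    """Man-in-the-middle edit of a CRC-protected frame. CRC-32 (with its init and final
    XOR) is affine over GF(2), so for same-length messages
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0 * len(p)).
    The adversary therefore fixes up the tag from the observed one without recomputing
    the CRC over the (possibly unknown) original payload."""
    payload, tag = frame[:-4], int.from_bytes(frame[-4:], "big")
    zeros = bytes(len(payload))
    new_tag = tag ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return xor(payload, delta) + (new_tag & 0xFFFFFFFF).to_bytes(4, "big")


def patch_mac_frame(frame: bytes, delta: bytes) -> bytes:
    """The same edit against the MAC-protected frame. Without the key the adversary can
    only alter the payload and leave (or guess) the 256-bit tag."""
    payload, tag = frame[:-32], frame[-32:]
    return xor(payload, delta) + tag


def demo() -> dict:
    """Constructed sample: a 4-byte setpoint and a 1-byte command ('0x25 = 37, run').
    The attacker wants the setpoint changed to 100 (0x64) with the command unchanged."""
    original = bytes([0x00, 0x00, 0x00, 0x25, 0x01])
    wanted = bytes([0x00, 0x00, 0x00, 0x64, 0x01])
    delta = xor(original, wanted)
    forged_crc = patch_crc_frame(crc_frame(original), delta)
    forged_mac = patch_mac_frame(mac_frame(original), delta)
    return {
        "crc_forgery_accepted": crc_frame_valid(forged_crc) and forged_crc[:-4] == wanted,
        "mac_forgery_accepted": mac_frame_valid(forged_mac),
    }
```

Note what the MAC does and does not buy: it stops undetected modification and insertion by anyone without the key, but an unmodified frame can still be replayed or delayed, so the consecutive number and time expectation of the safety layer remain necessary on top of it, and the pre-shared key itself has to be distributed and kept secret in every device for the lifetime of the installation.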

There are many commonalities and differences between safe and secure communication. Some of the measures taken in the safety protocols can be exchanged with countermeasures from the security domain to make it more difficult for an adversary to manipulate the payload without detection [28]. In the work of Novak et al. [28] the IEC 61508 life-cycle model is extended with security related phases to address both safety and security.

Security countermeasures can also be used as safety measures. The sandboxing technique from the security domain could be used to isolate safety-related applications from errors caused by other (non-)safety-related applications. Using sandboxing would increase the confidence in programming languages such as assembler, C, and C++ in safety-critical systems, instead of recommending, for example, Ada for mission-critical safety systems [29, 30].


2.6 Integration Transparency and Life Cycle Efficiency

Since the lifetime of automation systems and equipment can be more than 20 years, engineering efficiency and maintenance are key factors in industrial automation. Further complexity is added by the fact that there are few green-field installations today in countries with a high level of automation. In those countries, continuous upgrades and improvements are conducted, and a multitude of different automation systems cooperate in order to fully automate the processes. It is not uncommon to find automation systems that were installed as state-of-the-art in the 1980s fully cooperating with more recent technologies. In order for the asset owners to be productive and adaptive to recent process optimizations, maintenance, and technologies, the automation systems must hide as much complexity and technology dependent engineering as possible. This is also true with respect to the current state-of-the-art, as the plant operators might not know, or even care, whether a field device for instance is communicating wirelessly. The same goes for the maintenance personnel: it is challenging to keep up with the old installed base, and new technologies should ideally not be different from an engineering and maintenance perspective.

With this in mind, retrofitting security and safety is a must in order to protect the return on investment. This means that, from a technology point of view, the most recent or best technologies are not necessarily the best choice. Rather, a selection of technologies and techniques that can be retrofitted and will also perform well in the future is desired. In other words, a migration plan is the most desired solution.


3. Related Work

There exists a lot of work on security within the IT domain, while security for industrial automation has been a blind spot for a long time; it has now started to gain more attention in both academia and industry [31]. Dzung et al. present a comprehensive article about relevant specifications and standards for industrial automation which serves as a good introduction to the area [3]. Savola presents an overview of the challenges of information security management in a modern industrial automation environment and concludes that the main challenges come from the diffusion of new ICT technology [32]. Reinelt et al. give an overview of security relevant considerations and also propose a first approach for a structured methodology to classify communications, to be able to deduce security-relevant use cases and proper methods [33]. Naedele points out the expectations that various stakeholders have regarding initiatives to standardize information system security for industrial plants [34]. In particular, a deeper investigation of ISA SP99, NERC CIP and IEC TC65 [35] was done, and the conclusion was that each of the particular standardization bodies only matches a subset of stakeholders. Furthermore, Naedele addresses the key challenges commonly mentioned in the context of control system security (also referred to as "SCADA security") and discusses feasible solutions to most of them [36]. In addition, that article argues that the main obstacle to control system security is not technical, but rather financial. Treytl et al. analyze the situation of security measures for industrial fieldbus systems and propose some simple enhancements for IP-based fieldbus systems [37]. Schwaiger and Sauter discuss the increased security threat with gateway interconnections between fieldbus systems and IP-based local area networks (LANs) [38]. They propose two different ways to apply appropriate authentication and encryption mechanisms. Schwaiger and Treytl implement security systems using a smart card on a LonWorks fieldbus system, targeting energy metering, security and safety systems, home automation and remote control of critical infrastructure [39]. Nevertheless, their approach may lead to a new fieldbus system that supports the conceived security services. Object linking and embedding for process control (OPC) unified architecture (OPC UA) is a software interface specification and application framework based on web services for plant automation systems which communicate with each other over the Internet. Renjie et al. analyze the security environment and requirements for OPC. Furthermore, they present an improved security model for OPC UA systems [40].

Recently, industrial wireless sensor networks (IWSN) have gained a lot of attention and are starting to be deployed in process automation. This may lead to potential security problems, and in [41] the authors made an experimental study on intrusion detection methods for IWSN and proposed a hierarchical framework for intrusion detection. Recently a lot of attention has been paid to security and safety within building automation and control systems (BACS). In the work of Novak et al. [28] the use of MACs (cryptographic checksums) is evaluated with respect to building automation. Both the increase in bandwidth utilization and other typical run-time figures for different security algorithms are presented. The main concern is that security countermeasures consume too many computational resources and too much network bandwidth in a typical building automation node without hardware acceleration. Novak and Gerstinger present a common approach on how to engineer a safety and security related building automation technology [42]. Granzer et al. present a security threat analysis and identify the main challenges of providing security in building automation [43]. The weakest point of encryption and cryptographic checksums is normally not the algorithms themselves, but the way the "secret keys" are distributed, since the keys have to be exchanged at some point in time and might be exposed. Implementing such key distribution schemes is a bigger challenge than finding resources for the execution of the security algorithms. One such key distribution scheme has been presented for building automation by Granzer et al. [44]. Moreover, to eliminate a single point of failure in that infrastructure, a redundancy concept featuring multiple key servers was presented. Some methods and attempts to attack industrial automation systems have been reported. Baud and Felser tried different methods to attack PROFINET IO nodes, but their attempts were unsuccessful. However, it was stated that if standard Ethernet switches are used, it should be possible to deploy a successful man-in-the-middle attack, where an attacker gets into a position between the nodes, relaying and manipulating messages [45]. A Denial-of-Service (DoS) attack, draining network and CPU resources to reduce the availability or deny service completely, is a non-trivial security threat that cannot be prevented with cryptography. A generic approach for how to deal with DoS attacks in automation systems is presented by Granzer et al. [46].

The security threats to automation systems have been researched, and existing IT security solutions for use in automation networks [3, 37, 47] have been evaluated as well. In the work of Dzung et al. [3] and Treytl et al. [37] existing security protocols, such as Transport Layer Security (TLS) [48], Secure Sockets Layer (SSL) [49] and IPsec, are evaluated for use in the automation domain. A Virtual Automation Network (VAN) [50–53] is a heterogeneous network consisting of wired and wireless LANs, the Internet, and wired and/or wireless communication systems. The aim of VANs is to transfer data through a heterogeneous network, along an end-to-end communication path, in the context of an automation application. VAN is not a new set of protocols; it aims at reusing as much as possible from LAN, Wide Area Network (WAN) and industrial communication. From substation automation, the Generic Object Oriented Substation Event (GOOSE) [54, 55] protocol from IEC 61850 can be extended with security countermeasures [56]. The Substation Configuration Language (SCL) file has to be extended to hold, for example, the serial number of the certificate to be used. The real-time Ethernet frames are protected by a MAC, an RSA-signed message digest, and optionally the payload is encrypted. This standard is currently being reworked, as it is economically infeasible to apply RSA to real-time communication on intelligent electronic devices that communicate on a millisecond basis. The state-of-the-art in automation security is to use perimeter defenses, i.e. firewalls, to restrict incoming and outgoing traffic to the networks. Firewalls can be deployed between different automation cells, i.e. server, control, and fieldbus networks, and can even protect a single automation cell with a dedicated firewall [23]. Functionality provided by using Ethernet technology at the field device level, such as web services (HTTP) [57], file transfer (FTP) [58], and network management (SNMP) [59], can be enabled on Ethernet cards by uploading modified firmware [60]. Peck et al. [60] discuss possible scenarios and threats to Supervisory Control And Data Acquisition (SCADA) systems that utilize the firmware upload vulnerability found on the Ethernet card.

Wireless extensions of automation networks and fieldbuses have been researched in different forms. Willig et al. discuss many issues and solutions related to wireless fieldbus systems [61]. In [62], Gungor and Hancke present the state-of-the-art of industrial wireless sensor networks and open research issues. In [63], Vitturi et al. present results from an experimental evaluation of an experimental industrial application layer protocol on wireless systems. In [64], Ishii presents results on multiple backbone routers to enhance the reliability of wireless systems for industrial automation. In [65], Haehniche and Rauchhaupt present radio channel characteristics and the R-Fieldbus approach for industrial environments and applications. In [66], Miorandi and Vitturi analyze the possibilities of implementing Profibus DP on hybrid wired/wireless networks, based on Ethernet and Bluetooth, respectively. In [67], Rauchhaupt presents the RFieldbus system architecture that supports real-time wireless communication based on PROFIBUS DP. In [68], Sousa and Ferreira discuss and describe the role of simulation tools in validating wireless extensions of the Profibus protocol. Other related research work on wireless extensions for traditional Profibus can be found in [17, 69–74]. Recently, WirelessHART has received a lot of attention in both academia and industrial automation. In [75], Lennvall et al. present a performance comparison between the WirelessHART and ZigBee standards. Their conclusion is that ZigBee is not suitable for wireless industrial applications due to poor performance, and because security is optional in ZigBee while it is mandatory in the WirelessHART standard. Security in industrial wireless sensor networks has been heavily discussed, and in [76] Raza et al. present a security analysis of the WirelessHART protocol against well known threats in the wireless medium. WirelessHART has also been considered for control applications in process automation [77]. In [78], Nixon et al. present an approach to meet the control performance requirements using a wireless mesh network (e.g., WirelessHART). Their main conclusion is that device and network operation must be synchronized. In [79, 80], Taylor et al. present a safe communication scheme for wireless networked control systems, which monitors the control performance and communication metrics and opens the closed loop in case of control performance degradation.

Functional safety and communication in open transmission systems have been laid down in IEC 62280-2 [6], and Deuter et al. address this in their work with Virtual Automation Networks (VAN) [81]. Industrial WLAN (IWLAN) can be used to extend Ethernet networks by tunneling PROFIsafe in safety-critical applications [16]. In [82], Trikaliotis and Gnad evaluate different mapping solutions for Wireless HART integration. There are ongoing standardization activities for integrating Wireless HART devices into Profibus/Profinet networks within Profibus International [83] and the wireless cooperation team [84]. However, the main difference is that we include safety and security, which have not been considered for standardization so far.

In safe and secure communication there are commonalities and differences. Some of the measures taken in the safety protocols can be exchanged with countermeasures from the security domain to make it more difficult for an adversary to manipulate the payload without detection [28]. In the work of Novak et al. [28], the IEC 61508 life-cycle model is extended with security-related phases to address both safety and security. A similar approach combining security and safety in the development of medical devices is presented by Zafar et al. [85].


4. Included Papers and Their Contribution

The first paper presents the concept of security modules to ensure integrity and authentication of real-time messages in PROFINET IO. The concept of security modules is introduced as a step towards secure real-time communication using PROFINET IO and can be retrofitted without any major changes in the standards.

In Paper II, we address and propose a method for integrating and maintaining Wireless HART in distributed control systems using PROFINET IO. The proof-of-concept implementation of the proposed method shows that it is possible to download configuration to all Wireless HART components, as well as process controller configuration, using existing central engineering tools. Thus the end-users do not need any additional tool-specific training, as existing tools are reused for Wireless HART. In addition, maintenance is greatly simplified, as the actual configuration of Wireless HART devices will be automatically downloaded by the distributed control system when faulty devices are replaced.

Paper III extends Paper B by introducing a method to integrate, configure, and tunnel the functional safety profile PROFIsafe to the Wireless HART devices, to achieve safe communication between a DCS and Wireless HART devices. A proof-of-concept implementation is presented that shows that the method can be deployed using existing products and standards.

In Paper IV we point out that the current Wireless HART standard lacks support for actuators, which play an important role in automation. We propose periodic and deterministic downlink functionality for Wireless HART, as well as a method to integrate fail-safe states of actuators. A fail-safe state (normally closed/off) is of utmost importance even if the application is not safety-critical by definition, as actuators cannot remain in their last position in case of communication failures. We define new HART commands extending the interface without affecting available services, to support the integration of actuators.

Paper V combines the results from Papers I-IV towards an efficient integration method for safe and secure Industrial Wireless Sensor Networks. Furthermore, we analyze and improve the Safety Function Response Time utilizing the proposed methods from Paper IV.


Finally, Paper VI summarizes gaps and future research challenges identified throughout the work in Papers A-E that could not be covered within the scope of this thesis.

4.1 Paper I
J. Åkerberg and M. Björkman, Introducing Security Modules in PROFINET IO, The 14th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), Mallorca, Spain, September 2009

Short Summary. In this paper we show that it is possible to retrofit a security layer on top of PROFINET IO without changing the underlying transmission system or standards. By introducing security modules, end-to-end network security can be achieved, ensuring authentication, integrity and confidentiality for real-time communication.

The concept of security modules is a flexible framework, and countermeasures can be changed as security threats and exploits change over time. A proof-of-concept implementation shows that it is possible to implement security modules on existing products in order to secure them against, for example, man-in-the-middle attacks.

Process data transmitted at the fieldbus level normally contains a limited set of information, i.e. sensor readings and set points for actuators along with some measurements. Protecting the integrity of process data requires relatively large cryptographic checksums in addition to the process data. However, in most cases the net increase in bandwidth utilization is zero, as the minimum allowed packet size on Ethernet is 64 bytes and the padding is replaced by security-relevant information.
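As an added illustration of the bandwidth argument above and of what a security module's integrity tag does (example code written for this summary, not code from the thesis or from the PROFINET IO standard): a keyed tag is appended to a small block of process data, the receiver checks it with a constant-time comparison, and a helper shows when the tag is absorbed by the padding that the Ethernet minimum frame length would require anyway. The frame layout is a simplified model of an Ethernet frame (14-byte header, 46-byte minimum payload, 4-byte FCS); the 16-byte truncated HMAC-SHA256 tag, the key, and the cycle counter bound into the tag are assumptions made for this example.

```python
"""Integrity tag in place of Ethernet padding (added example, not thesis code).

Simplified model: an Ethernet frame is header (14) + payload (padded to at
least 46) + FCS (4), i.e. at least 64 bytes on the wire. Tag length, key and
the cycle counter are assumptions made for this illustration.
"""
import hashlib
import hmac
import struct

ETH_HEADER_LEN = 14        # destination MAC, source MAC, EtherType
ETH_FCS_LEN = 4            # frame check sequence
ETH_MIN_FRAME_LEN = 64     # IEEE 802.3 minimum frame length, FCS included
ETH_MIN_PAYLOAD_LEN = ETH_MIN_FRAME_LEN - ETH_HEADER_LEN - ETH_FCS_LEN  # 46
TAG_LEN = 16               # assumed: HMAC-SHA256 truncated to 16 bytes


def frame_len(payload_len: int) -> int:
    """Bytes on the wire for a payload, padding to the minimum included."""
    return ETH_HEADER_LEN + max(payload_len, ETH_MIN_PAYLOAD_LEN) + ETH_FCS_LEN


def bandwidth_increase(data_len: int, tag_len: int = TAG_LEN) -> int:
    """Extra bytes per frame when a tag is appended to data_len bytes of data.

    Zero whenever data plus tag still fit inside the minimum payload, because
    the tag then occupies bytes that would otherwise be padding.
    """
    return frame_len(data_len + tag_len) - frame_len(data_len)


def compute_tag(key: bytes, cycle_counter: int, process_data: bytes) -> bytes:
    """Keyed tag over the cycle counter and the process data.

    Binding the counter (assumed to be carried in the frame) means that a
    frame captured in one cycle does not verify in another.
    """
    msg = struct.pack(">H", cycle_counter) + process_data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, cycle_counter: int, process_data: bytes) -> bytes:
    """Sender side: process data followed by its tag."""
    return process_data + compute_tag(key, cycle_counter, process_data)


def verify(key: bytes, cycle_counter: int, payload: bytes):
    """Receiver side: return the process data, or None if the tag is wrong."""
    if len(payload) < TAG_LEN:
        return None
    data, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = compute_tag(key, cycle_counter, data)
    # constant-time comparison, so verification time does not leak how many
    # tag bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    return data


if __name__ == "__main__":
    # constructed sample values, not taken from any real device
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    process_data = struct.pack(">HHHH", 1200, 1350, 0x8000, 75)  # 8 bytes
    payload = protect(key, 17, process_data)
    print("payload bytes:", len(payload),
          "extra wire bytes:", bandwidth_increase(len(process_data)))
    print("valid frame accepted:", verify(key, 17, payload) == process_data)
    tampered = bytearray(payload)
    tampered[2] ^= 0x01   # flip one bit of a set point
    print("tampered frame rejected:", verify(key, 17, bytes(tampered)) is None)
```

With 8 bytes of process data and a 16-byte tag the payload is 24 bytes, well below the 46-byte minimum, so the frame stays at 64 bytes and the tag costs nothing on the wire; only once data plus tag exceed 46 bytes does each extra tag byte become an extra wire byte.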

Contribution. The main contributions in this paper are summarized as follows:
• It is shown that the concept of security modules can be implemented in existing products to retrofit security in PROFINET IO without violating the standards.
• It is shown that the concept of security modules prevents man-in-the-middle attacks on PROFINET IO.

Author’s Contribution. The author proposed and implemented the security modules to retrofit security in PROFINET IO. Furthermore, the author evaluated the security modules implementation with industrial automation equipment and wrote most of the text for the paper. The concept of security modules is based on the same idea as PROFIsafe, where a safety layer is put on top of the transmission system. This approach was mentioned by Treytl et al. in a larger context, and it was stated that this approach could cause problems with interoperability with the underlying fieldbus systems [47].


4.2 Paper II
J. Åkerberg, M. Gidlund, T. Lennvall, J. Neander, and M. Björkman, Integration of WirelessHART Networks in Distributed Control Systems using PROFINET IO, The 8th IEEE International Conference on Industrial Informatics (INDIN), Osaka, Japan, July 2010

Short Summary. In this paper we describe a method to integrate WirelessHART networks in Distributed Control Systems (DCS) using PROFINET IO. By modeling the WirelessHART network in the Generic Station Description file that describes a PROFINET IO device, the WirelessHART-related configuration can be distributed from the central engineering stations. In this way, both process controller configuration and WirelessHART network configuration are engineered and maintained from a central location. Thus the end-user does not need any additional tool-specific training, as the existing tools are used to engineer the WirelessHART networks. We base the method of integration on the keywords simple deployment and maintenance, and flexible topology.

A proof-of-concept implementation of the proposed method shows that it is possible to download WirelessHART configuration both to the WirelessHART network managers and to the WirelessHART sensors. By integrating WirelessHART in this way, maintenance is greatly simplified, as the actual configuration will be downloaded automatically by the DCS when faulty field devices are replaced.

Contribution. The main contributions in this paper are summarized as follows:
• An integration method for WirelessHART networks in distributed control systems using PROFINET IO. Our proposed concept provides connectivity between the wireless sensor network and the fieldbus network. Furthermore, it reduces the need for application-specific configuration in the WirelessHART gateway.
• Our proposed method uses user-friendly tag names, which are already used in the DCS, instead of network addresses. In addition, the mapping between WirelessHART and PROFINET is automatic.
• Our proposed method does not need a web server in the WirelessHART gateway to enable configuration and maintenance, which is common in all available solutions today. Another advantage of our solution is that the end-user does not need any additional tool-specific training.
• A proof-of-concept implementation is done and shows that our proposed solution works in a real scenario. We show that it is possible to download WirelessHART configuration, including security configuration, both to the WirelessHART network manager and to the WirelessHART sensors.


Author’s Contribution. The author proposed and implemented the integration method for WirelessHART in a distributed control system using PROFINET IO. Furthermore, the author wrote most of the paper.

4.3 Paper III
J. Åkerberg, F. Reichenbach, and M. Björkman, Enabling Safety-Critical Communication using WirelessHART and PROFIsafe, The 15th IEEE International Conference on Emerging Technology and Factory Automation (ETFA), Bilbao, Spain, September 2010

Short Summary. Two major trends can be recognized in industrial automation. One of them is that Ethernet is continuously replacing traditional fieldbus networks, because it combines flexibility and reliability and introduces fast data rates, which among other things allow quality of service. This is pushed even further when field devices use wireless communication to connect to the control system. Besides that, another trend is seen in functional safety, due to rising customer demands and evolving regulations in industry. This necessarily leads to a consolidation of both technologies, where safety must be guaranteed in the same manner over wireless channels as it is handled over Ethernet.

This paper addresses safety issues emerging when PROFIsafe, as one of various safety protocols on the market, is used on top of a black channel layer that is comprised of non-safe protocols including WirelessHART.

Contribution. The main contributions in this paper are summarized as follows:
• We show that it is principally possible to enable safety-critical communication with a combination of WirelessHART, PROFINET IO, and PROFIsafe.
• An integration method enabling safety-related configuration to be downloaded from the control system to the WirelessHART device.
• A proof-of-concept implementation based on industrial products shows that this can be realized without changing fundamental control engineering practices.

Author’s Contribution. The author proposed and implemented the integration method enabling safety-critical communication using WirelessHART, PROFINET IO, and PROFIsafe. Furthermore, the author implemented the proof-of-concept demonstrator and wrote most of the paper.

4.4 Paper IV
J. Åkerberg, M. Gidlund, J. Neander, T. Lennvall, and M. Björkman, Deterministic Downlink Transmission in WirelessHART Networks Enabling Wireless Control Applications, The 36th Annual Conference of the IEEE Industrial Electronics Society (IECON), Phoenix, USA, November 2010

Short Summary. Wireless sensor and actuator networks bring many benefits to industrial automation systems. However, unreliable wireless and multi-hop communication among sensors and actuators causes challenges in designing such systems. Wireless HART is the first standard for wireless real-time industrial applications. However, the current Wireless HART standard does not provide services for efficient usage of actuators, which are an essential part of automation. In this paper we focus on Wireless HART and propose a periodic and deterministic downlink transmission functionality which enables efficient usage of actuators and control applications. Furthermore, we define new HART commands extending the interface, without affecting available services, to support the integration of actuators. This can be achieved with minor changes in the current standard.

Contribution. The main contributions in this paper are summarized as follows:
• We propose a new service called periodic downlink transmission for Wireless HART, which enables periodic and deterministic transmissions from gateway to Wireless HART actuators.
• We define a new set of HART commands extending the interface, without affecting available services.
• We propose a mechanism to utilize the deterministic properties of the downlink transmission to discover errors in a control loop, enabling actuators to transit into a fail-safe mode.
• We show that our proposed deterministic downlink transmission scheme integrates well into PROFINET IO.
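The fail-safe behaviour described in the Paper IV overview in the chapter introduction (an actuator must not stay in its last position when communication fails) and the third contribution above (using the deterministic downlink period to discover loop errors) can be illustrated with a small simulation. This is example code added here, not code from the papers or from the WirelessHART standard: the actuator expects a downlink setpoint once per period, tolerates an assumed number of consecutive missed slots, and otherwise drives its output to the normally-closed/off state, where it stays until an explicit reset (also an assumption of this example).

```python
"""Watchdog on periodic downlink frames driving an actuator to fail-safe.

Added example, not code from the thesis or from WirelessHART. The number of
tolerated misses and the latch-until-reset behaviour are assumptions.
"""
FAIL_SAFE_OUTPUT = 0.0   # normally closed / off


class WatchdogActuator:
    def __init__(self, period: float, tolerated_misses: int = 2):
        self.period = period
        # the watchdog expires once more than tolerated_misses slots pass
        # without a frame, i.e. after (tolerated_misses + 1) periods
        self.timeout = period * (tolerated_misses + 1)
        self.last_rx = None             # time of the last accepted downlink
        self.output = FAIL_SAFE_OUTPUT  # safe until a setpoint has arrived
        self.tripped = False
        self.trip_time = None

    def tick(self, now: float) -> float:
        """Local clock tick: trip to fail-safe if the downlink is overdue."""
        if (not self.tripped and self.last_rx is not None
                and now - self.last_rx > self.timeout):
            self.tripped = True
            self.trip_time = now
            self.output = FAIL_SAFE_OUTPUT
        return self.output

    def on_downlink(self, now: float, setpoint: float) -> float:
        """Deterministic downlink frame received; ignored while tripped."""
        if self.tripped:
            return self.output
        self.last_rx = now
        self.output = setpoint
        return self.output

    def reset(self) -> None:
        """Operator acknowledgement (assumed) before normal operation resumes."""
        self.tripped = False
        self.trip_time = None
        self.last_rx = None


def simulate(period: float, cycles: int, lost: set, setpoint: float = 0.75,
             tolerated_misses: int = 2):
    """Run `cycles` downlink slots; frames whose index is in `lost` never arrive.

    Returns the actuator and a trace of (time, output) after each slot.
    """
    act = WatchdogActuator(period, tolerated_misses)
    trace = []
    for i in range(cycles):
        now = i * period
        act.tick(now)                  # watchdog runs first in every slot
        if i not in lost:
            act.on_downlink(now, setpoint)
        trace.append((now, act.output))
    return act, trace


if __name__ == "__main__":
    # constructed scenario: three consecutive slots lost on a 1 s downlink
    act, trace = simulate(1.0, 10, lost={4, 5, 6})
    for now, out in trace:
        print(f"t={now:4.1f}s output={out}")
    print("tripped at", act.trip_time)
```

Because the downlink is periodic and deterministic, the actuator can judge "overdue" locally from its own clock; with a best-effort downlink there is no expected arrival time to compare against, which is the point of the third contribution above.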

Author’s Contribution. The author identified the lack of periodic downlink transmission for Wireless HART and proposed the method to extend the Wireless HART standard. Furthermore, the author demonstrated that the proposed deterministic downlink transmission scheme integrates well into PROFINET IO and wrote most of the paper.

4.5 Paper V
J. Åkerberg, M. Gidlund, T. Lennvall, J. Neander, and M. Björkman, Efficient Integration of Secure and Safety Critical Industrial Wireless Sensor Networks, EURASIP Journal on Wireless Communications and Networking, September 2011

Short Summary. Wireless communication has gained more interest in industrial automation due to flexibility, mobility, and cost reduction. Wireless systems, in general, require additional and different engineering and maintenance tasks, for example cryptographic key management. This is an important aspect that needs to be addressed before wireless systems can be deployed and maintained efficiently in industry.

In this paper, we take a holistic approach that addresses safety and security regardless of the underlying media. In our proposed framework we introduce Security Modules which can be retrofitted to provide end-to-end integrity and authentication measures by utilizing the black channel concept. With the proposed approach, we can extend and provide end-to-end security as well as functional safety using existing automation equipment and standards, such as PROFIsafe, PROFINET IO, and Wireless HART. Furthermore, we improve the Wireless HART standard with periodic and deterministic downlink transmissions to enable efficient usage of wireless actuators, as well as improving the performance of functional safety protocols.

Contribution. The main contributions in this paper are summarized as follows:
• We propose and demonstrate a framework for wired/wireless media addressing both functional safety and security. The framework is based on the black channel concept and provides end-to-end security using Security Modules and existing functional safety protocols.
• We demonstrate the proposed framework with a proof-of-concept implementation using PROFIsafe, PROFINET IO, and Wireless HART on an industrial control system. The integration method allows security- and safety-related configuration to be engineered and downloaded to the Wireless HART network. This approach is novel, as previous work has considered neither security nor safety.
• We propose a new service called periodic downlink transmission for Wireless HART, which enables periodic and deterministic transmissions from gateway to Wireless HART actuators. This service enables wireless actuators to be part of a control loop, or actuators with timing constraints. In addition, the service improves the safety function response time by a factor of 8 when using PROFIsafe on Wireless HART.

Author’s Contribution. The author proposed and demonstrated the framework for hybrid automation networks supporting functional safety and security. Furthermore, the author wrote most of the paper.

4.6 Paper VI
J. Åkerberg, M. Gidlund, and M. Björkman, Future Research Challenges of Industrial Wireless Sensor Networks, 9th IEEE International Conference on Industrial Informatics (INDIN), Lisbon, Portugal, July 2011


Short Summary. A growing trend in the automation industry is to use wireless technologies for reducing cable cost and deployment time, unlocking stranded information in previously deployed devices, and enabling wireless control applications. Despite a huge research effort in the area of wireless sensor networks (WSNs), there are several issues that have not been addressed properly such that WSNs can be adopted in the process automation domain.

This article presents the major requirements for typical applications in process automation, and we also aim to outline the research direction within industrial wireless sensor networks (IWSNs). The major issues that need to be addressed before IWSNs will be adopted in full scale in process automation are safety, security and reliability.

Contribution. The main contributions in this paper are summarized as follows:
• We present typical requirements from process automation for some different applications intended to be used in industrial wireless sensor and actuator networks.
• Given these requirements, we point out that today’s commercial WSNs are not tailored for the needs of industrial automation, since they are mostly influenced by requirements derived from the consumer market or other applications.
• Furthermore, with the requirements for process automation in mind, we describe the major challenges that need to be solved in order to utilize WSANs to the extent the market foresees.

Author’s Contribution. The author presented typical requirements and solutions from process automation, and identified the future research challenges based on the requirements and the current state of WSNs. Furthermore, the author wrote most of the paper.


5. Conclusions

One of the major concerns in large-scale industrial automation is the safety of humans, the environment, and property. Furthermore, any downtime in production is typically associated with significant losses in production and economic income. Today, proper deployment of security measures is important for safety and production. Ideally, to protect the return on investment in existing automation equipment, the security problem in process automation should be solved by retrofitting security without any changes with respect to infrastructure, standards, and products. In the same way, to protect the return on investment when extending existing automation equipment with wireless technologies, the existing standards, infrastructures, methods of integration, and products should ideally be unchanged while supporting safety. Finally, it should ideally be possible to engineer, deploy, and maintain safety and security where needed, independent of the use of wired or wireless communication technologies.

In Section 1.1 the research problem presented is twofold: wired fieldbuses are mature with respect to safety but barely address security. Secondly, the wireless fieldbuses are mature concerning security, but barely address safety. This thesis presents one feasible solution towards safe and secure communication in heterogeneous industrial networks for process control. The presented solution addresses several other important aspects, such as engineering efficiency, transparency, possibilities for retrofitting, and coexistence with international standards, in order to protect the return on investment of products, systems, and installed base within the area of process automation. This thesis shows that it is possible to develop safe and secure communication in heterogeneous industrial networks without major changes in the existing international standards, with an appropriate level of integration. Nevertheless, many research problems are still open, and better approaches may come in the future depending on new advancements in the research community. However, the solution proposed in this thesis is not technology dependent as such, but depends on, for example, proper key distribution mechanisms and deterministic bidirectional communication in the wireless subsystems. The main reason for this statement is that today’s industrial control systems need to be designed not only for secure communication, since an adversary will most likely try to attack the weakest point in the system. Moreover, today’s wireless sensor networks are not designed with respect to requirements from industrial process control. The solutions in this thesis show that it is possible to achieve safe and secure communication using today’s technologies and standards, and allow retrofitting, thus serving as a foundation towards future and standardized solutions providing end-to-end security and safety in heterogeneous industrial networks in the future.

5.1 Future Work
Several areas of improvement and future work have already been addressed within the scope of this thesis. Field trials show that several improvements of WSNs with respect to determinism in both the uplink and the downlink are needed [86]. This is not only true when it comes to the research problems addressed within the scope of this thesis, but is rather a necessity for market acceptance and deployment in process automation in general, since automation is about sensing as well as actuating. This means that solving the general case will also improve the situation for safety-critical communication. Moreover, in the area of WSNs, real-time requirements and determinism also require additional attention in the use of feasible routing protocols and retransmission schemes. With respect to the automation system and products, the main challenge is to find adequate solutions for key management in real-time environments where the availability of the system is expected to be close to 100%. Furthermore, engineering and maintenance need to be efficient, and automation systems today are non-trivial to troubleshoot. Therefore, security solutions shall have minimal impact on, for example, usability and downtime.


6. References

[1] Symantec, “Stuxnet introduces the first known rootkit for industrial control systems.” http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices, 2010.

[2] Practices for securing critical information assets. U.S. Critical Infrastructure Assurance Office, 2000.

[3] D. Dzung, M. Naedele, T. Von Hoff, and M. Crevatin, “Security for industrial communication systems,” Proceedings of the IEEE, vol. 93, pp. 1152–1177, June 2005.

[4] IEC 61784-3-3. Industrial communication networks - Profiles - Part 3-3: Functional safety fieldbuses - Additional specifications for CPF 3. International Electrotechnical Commission, 2007.

[5] IEC 62280-1. Railway applications - Communication, signaling and processing systems - Part 1: Safety-related communication in closed transmission systems. International Electrotechnical Commission, 2002.

[6] IEC 62280-2. Railway applications - Communication, signaling and processing systems - Part 2: Safety-related communication in open transmission systems. International Electrotechnical Commission, 2002.

[7] S.-L. Jämsä-Jounela, “Future trends in process automation,” Annual Reviews in Control, vol. 31, pp. 211–220, 2007.

[8] IEEE 802.11. IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standards Association, 2007.

[9] IEEE 802.15. IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements. Part 15.1: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Wireless Personal Area Networks (WPANs). IEEE Standards Association, 2005.

[10] WirelessHART, “HART 7 specification.” http://www.hartcomm.org/, 2010.


[11] IEC 61784-1. Industrial Communication Networks - Profiles - Part 1: Fieldbus profiles. International Electrotechnical Commission, 2007.

[12] ISA100, “ISA 100, wireless systems for automation.” http://www.isa.org/isa100, 2010.

[13] F. Iwanitz and J. Lange, OLE for Process Control. Heidelberg, Germany: Huthig, 2001.

[14] Industrial Automation Systems - Manufacturing Message Specification (MMS). ISO 9506-1:2003, 9506-2:2003, 9506-5:1999, 9506-6:1994, 2003.

[15] IEC 61784-2. Industrial Communication Networks - Profiles - Part 2: Additional fieldbus profiles for real-time networks based on ISO/IEC 8802-3. International Electrotechnical Commission, 2007.

[16] R. Pigan and M. Metter, Automating With PROFINET: Industrial Communication Based on Industrial Ethernet.

[17] J. Kjellsson, A. Vallestad, R. Steigmann, and D. Dzung, “Integration of a wireless I/O interface for PROFIBUS and PROFINET for factory automation,” IEEE Transactions on Industrial Electronics, vol. 56, pp. 4279–4287, Oct. 2009.

[18] WIA-PA, “Industrial communication networks – fieldbus specifications – WIA-PA communication network and communication profile (final draft).” http://webstore.iec.ch/preview/info_iecfdis62601(ed1.0)en.pdf, 2011.

[19] M. Naedele, “IT security for automation systems—motivations and mechanisms,” Automatisierungstechnische Praxis, vol. 45, pp. 84–91, 2003.

[20] M. Naedele, IT Security for Automation Systems, Industrial Information Technology Handbook. CRC Press, 2004.

[21] Microsoft Corporation, DCOM Technical Overview. Microsoft White Paper, 1996.

[22] W. Mahnke, S.-H. Leitner, and M. Damm, OPC Unified Architecture. Springer Verlag, 2009.

[23] M. Harada, “Security management of factory automation,” International Conference on Instrumentation, Control and Information Technology, pp. 2914–2917, Sept. 2007.

[24] ANSI/ISA-99 00 01, Security for Industrial Automation and Control Systems - Part 1: Terminology, Concepts, and Models. American National Standard, 2007.

[25] ANSI/ISA-99 02 01, Security for Industrial Automation and Control Systems - Establishing an Industrial Automation and Control Systems Security Program. American National Standard, 2009.


[26] “ISA99 WG7 - safety and security.” http://isa99.isa.org/ISA99Wiki, 2011.

[27] IEC 61784-3. Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions. International Electrotechnical Commission, 2007.

[28] T. Novak, A. Treytl, and P. Palensky, “Common approach to functional safety and system security in building automation and control systems,” 12th International IEEE Conference on Emerging Technologies and Factory Automation, pp. 1141–1148, Sept. 2007.

[29] N. Storey, Safety Critical Computer Systems. Pearson Education International, 1996.

[30] IEC 61508-7, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 7: Overview of techniques and measures. International Electrotechnical Commission, 2000.

[31] H. Hadeli, R. Schierholz, M. Braendle, and C. Tuduce, “Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration,” in IEEE Conference on Emerging Technologies and Factory Automation, pp. 1–8, 2009.

[32] R. Savola, “Information security management in industrial automation systems,” IEEE International Conference on Industrial Technology (ICIT’06), Dec. 2006.

[33] D. Reinelt, A. Luder, and T. Fuchs, “Securing communication in automation networks,” in 5th IEEE International Conference on Industrial Informatics, vol. 1, pp. 149–154, 2007.

[34] M. Naedele, “Standardizing industrial IT security - a first look at the IEC approach,” 10th International IEEE Conference on Emerging Technologies and Factory Automation, Sept. 2005.

[35] H. Sasajima, “Latest updates of IEC standardization activities for process automation sectors,” in ICCAS-SICE 2009, pp. 951–954, 2009.

[36] M. Naedele, “Addressing IT security for critical control systems,” 40th Annual Hawaii International Conference on System Sciences (HICSS’07), Jan. 2007.

[37] A. Treytl, T. Sauter, and C. Schwaiger, “Security measures for industrial fieldbus systems - state of the art and solutions for IP-based approaches,” IEEE International Workshop on Factory Communication Systems, pp. 201–209, Sept. 2004.

[38] C. Schwaiger and T. Sauter, “A secure architecture for fieldbus/internet gateways,” in 8th International IEEE Conference on Emerging Technologies and Factory Automation, Sept. 2001.


[39] C. Schwaiger and A. Treytl, “Smart card based security for fieldbus systems,” in 10th International IEEE Conference on Emerging Technologies and Factory Automation, Sept. 2003.

[40] H. Renjie, L. Feng, and P. Dongbo, “Research on OPC UA security,” in 5th IEEE Conference on Industrial Electronics and Applications (ICIEA), pp. 1439–1444, 2010.

[41] S. Shin, T. Kwon, G.-Y. Jo, Y. Park, and H. Rhy, “An experimental study of hierarchical intrusion detection for wireless industrial sensor networks,” IEEE Transactions on Industrial Informatics, vol. 6, no. 4, pp. 744–757, 2010.

[42] T. Novak and A. Gerstinger, “Safety- and security-critical services in building automation and control systems,” IEEE Transactions on Industrial Electronics, vol. 57, no. 11, pp. 3614–3621, 2010.

[43] W. Granzer, F. Praus, and W. Kastner, “Security in building automation systems,” IEEE Transactions on Industrial Electronics, vol. 57, no. 11, pp. 3622–3630, 2010.

[44] W. Granzer, C. Reinisch, and W. Kastner, “Key Set Management in Networked Building Automation Systems using Multiple Key Servers,” in Proc. 7th IEEE International Workshop on Factory Communication Systems (WFCS ’08), pp. 205–214, May 2008.

[45] M. Baud and M. Felser, “PROFINET IO-device emulator based on the man-in-the-middle attack,” in 11th International IEEE Conference on Emerging Technologies and Factory Automation, pp. 437–440, IEEE, 2006.

[46] W. Granzer, C. Reinisch, and W. Kastner, “Denial-of-service in automation systems,” in 13th International IEEE Conference on Emerging Technologies and Factory Automation, pp. 468–471, IEEE, 2008.

[47] A. Treytl, T. Sauter, and C. Schwaiger, “Security measures in automation systems - a practice-oriented approach,” 10th International IEEE Conference on Emerging Technologies and Factory Automation, vol. 2, 9 pp., Sept. 2005.

[48] T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol, Version 1.2. RFC 5246, 2008.

[49] T. Dierks and C. Allen, The TLS Protocol, Version 1.0. RFC 2246, 1999.

[50] P. Neumann, “Virtual automation network - reality or dream,” IEEE International Conference on Industrial Technology, vol. 2, pp. 994–999, Dec. 2003.

[51] P. Neumann, “Communication in industrial automation - what is going on?,” Control Engineering Practice, vol. 15, pp. 1332–1347, 2006.

[52] P. Neumann, A. Poeschmann, and R. Messerschmidt, “Architectural concept of virtual automation networks,” IFAC World Congress, 2008.

52

Page 55: Mälardalen University Press Dissertations No. 109 ON SAFE ...445429/FULLTEXT02.pdf · since the introduction of Ethernet-based fieldbus protocols. As an example, a successful attack

[53] L. Rauchhaupt and V. Lakkundi, “Wireless network integration into virtual au-tomation networks,” in Proceedings of the 17th World Congress, pp. 13982 –13987, July 2008.

[54] IEC 61850-7-1. Communication networks and systems in substations – Part 7-1:Basic communication structure for substation and feeder equipment – Principlesand models. International Electrotechnical Commission, 2003.

[55] IEC 61850-7-2. Communication networks and systems in substations – Part 7-2:Basic communication structure for substation and feeder equipment – Abstractcommunication service interface (ACSI). International Electrotechnical Com-mission, 2003.

[56] IEC/TS 62351-6. Power systems management and associated information ex-change - Data and communications security - Part 6: Security for IEC 61850.International Electrotechnical Commission, 2007.

[57] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, andT. Berners-Lee, RFC2616 - Hypertext Transfer Protocol - HTTP/1.1. RFC 2616,1999.

[58] J. Postel and J. Reynolds, File Transfer Protocol. RFC 959, 1985.

[59] J. Case, M. Fedor, M. Schoffstall, and J. Davin, Simple Network ManagementProtocol (SNMP). RFC 1157, 1990.

[60] D. Peck and D. Peterson, “Leveraging ethernet card vulnerabilities in field de-vices,” in SCADA Security Scientific Symposium, pp. 1–19, 2009.

[61] A. Willig, K. Matheus, and A. Wolisz, “Wireless technology in industrial net-works,” Proceedings of the IEEE, vol. 93, pp. 1130 –1151, June 2005.

[62] V. Gungor and G. Hancke, “Industrial wireless sensor networks: Challenges,design principles, and technical approaches,” IEEE Transactions on IndustrialElectronics, vol. 56, pp. 4258 –4265, Oct. 2009.

[63] S. Vitturi, I. Carreras, D. Miorandi, L. Schenato, and A. Sona, “Experimentalevaluation of an industrial application layer protocol over wireless systems,”IEEE Transactions on Industrial Informatics, vol. 3, pp. 275 –288, Nov. 2007.

[64] Y. Ishii, “Exploiting backbone routing redundancy in industrial wireless sys-tems,” IEEE Transactions on Industrial Electronics, vol. 56, pp. 4288 –4295,Oct. 2009.

[65] J. Haehniche and L. Rauchhaupt, “Radio communication in automation systems:the r-fieldbus approach,” in IEEE International Workshop on Factory Commu-nication Systems, pp. 319 –326, 2000.

[66] D. Miorandi and S. Vitturi, “A wireless extension of profibus dp based on thebluetooth system,” Computer Communications, vol. 27, no. 10, pp. 946 – 960,2004.

53

Page 56: Mälardalen University Press Dissertations No. 109 ON SAFE ...445429/FULLTEXT02.pdf · since the introduction of Ethernet-based fieldbus protocols. As an example, a successful attack

[67] L. Rauchhaupt, “System and device architecture of a radio based fieldbus-therfieldbus system,” in 4th IEEE International Workshop on Factory Communica-tion Systems, pp. 185 – 192, 2002.

[68] P. B. Sousa and L. L. Ferreira, “Hybrid wired/wireless profibus architectures:Performance study based on simulation models,” EURASIP Journal on WirelessCommunications and Networking, 2010.

[69] K. C. Lee and S. Lee, “Integrated network of profibus-dp and ieee 802.11 wire-less lan with hard real-time requirement,” in IEEE International Symposium onIndustrial Electronics, vol. 3, pp. 1484 –1489 vol.3, 2001.

[70] A. Willig, “Polling-based mac protocols for improving real-time performancein a wireless profibus,” IEEE Transactions on Industrial Electronics, vol. 50,pp. 806 – 817, Aug. 2003.

[71] C. Koulamas, S. Koubias, and G. Papadopoulos, “Using cut-through forwardingto retain the real-time properties of profibus over hybrid wired/wireless architec-tures,” IEEE Transactions on Industrial Electronics, vol. 51, pp. 1208 – 1217,Dec. 2004.

[72] J.-D. Decotignie, Interconnection of Wireline and Wireless Fieldbusses. TheIndustrial Information Technology Handbook, CRC Press, Industrial ElectronicsSeries, 2005.

[73] M. Alves and E. Tovar, “Engineering profibus networks with heterogeneoustransmission media,” Computer Communications, vol. 30, pp. 17 – 32, Dec.2006.

[74] H.-J. Korber, H. Wattar, and G. Scholl, “Modular wireless real-time sen-sor/actuator network for factory automation applications,” IEEE Transactionson Industrial Informatics, vol. 3, pp. 111 –119, May 2007.

[75] T. Lennvall, S. Svensson, and F. Hekland, “A comparison of wirelesshart andzigbee for industrial applications,” in IEEE International Workshop on FactoryCommunication Systems, pp. 85–88, May 2008.

[76] S. Raza, A. Slabbert, T. Voigt, and K. Landernäs, “Security considerations forthe wirelesshart protocol,” in 14th International IEEE Conference on EmergingTechnologies and Factory Automation, pp. 1–8, 2009.

[77] J. Song, S. Han, A. Mok, D. Chen, M. Lucas, and M. Nixon, “Wirelesshart:Applying wireless technology in real-time industrial process control,” in IEEEReal-Time and Embedded Technology and Applications Symposium, pp. 377 –386, Apr. 2008.

[78] M. Nixon, D. Chen, T. Blevins, and A. Mok, “Meeting control performance overa wireless mesh network,” in IEEE International Conference on Automation Sci-ence and Engineering (CASE), pp. 540 –547, Aug. 2008.

54

Page 57: Mälardalen University Press Dissertations No. 109 ON SAFE ...445429/FULLTEXT02.pdf · since the introduction of Ethernet-based fieldbus protocols. As an example, a successful attack

[79] J. Taylor and H. Ibrahim, “A new, practical approach to maintaining an efficientyet acceptably-performing wireless networked control system,” in InternationalConference on System Science and Engineering (ICSSE), pp. 269 –274, july2010.

[80] J. Taylor, H. Ibrahim, J. Slipp, and J. Nicholson, “A safe communication schemefor an intelligent wireless networked control system coordination agent,” inIEEE International Conference on Systems Man and Cybernetics (SMC),pp. 3068 –3073, oct. 2010.

[81] A. Deuter, S. Horn, M. Wolframm, and H. Adamczyk, “Safety-related data trans-fer in secure virtual automation networks,” in SICE Annual Conference, pp. 2208–2214, Aug. 2008.

[82] S. Trikaliotis and A. Gnad, “Mapping wirelesshart into profinet and profibusfieldbusses,” in 14th International IEEE Conference on Emerging Technologiesand Factory Automation, pp. 1–4, 2009.

[83] “Tc2/wg12 wireless sensor/actor networks.” http://www.profibus.com/index.php?id=1314&tcwg_tc_uid=2&tcwg_wg_uid=14,2010.

[84] “Wireless cooperation team.” http://www.hartcomm.org/hcf/news/pr2008/press_conf_interkama2008.pdf, 2010.

[85] S. Zafar and R. Dromey, “Integrating safety and security into design of an em-bedded system,” in 12th Asia-Pacific Software Engineering Conference, pp. –,2005.

[86] J. Åkerberg, F. Reichenbach, M. Gidlund, and M. Björkman, “Measurementson an industrial wireless hart network supporting profisafe: A case study,” inThe 16th IEEE International Conference on Emerging Technology and FactoryAutomation (ETFA’11), pp. 1–8, Sept. 2011.

55