http://www.isa.org/InTech/20070501
By Dick Caro
InTech Magazine, May 1, 2007

Last year, ISA ran a survey asking end users questions about their potential use of wireless technology for industrial automation. One user’s response made a statement that may reflect a general attitude among many potential users. Here is the slightly edited response:

There was no place on the wireless survey to make a comment but rather just answer the predefined questions. I wanted to comment that I will NOT have wireless in the plant for reasons of operational security not related to hacking. ALL wireless signal generation can be jammed and as such provides an unnecessary operational risk. To those that state spread spectrum is the answer to jamming, they are totally wrong. Spread spectrum came about as a means to make hacking increasingly difficult by rotating through a spectrum of frequencies. The fabricators of spread spectrum did not see it as a technology that would or could overcome a spectrum jammer. A white noise generator of sufficient power in the spectrum of the wireless devices can jam ALL the frequencies used, leading to a total collapse of data from those devices. All devices manufactured today use the same ranges the FCC licensed for open frequency use and specifically in use by telephone manufacturers such as 900 MHz, 2.4 GHz, 5.6 GHz, and the rest. A person just needs to know which band a plant is using and build a jammer that operates at least ± 40 Hz from this frequency to jam all the spread spectrum frequencies as well. Since these field devices operate in the very low power range (milliwatt), a simple 100 W generator should be sufficient to lock out the devices from the control system over a couple of miles in range. By ignoring white noise or targeted noise generators, you are opening industry up to a catastrophic event to take place when people think they are safe (when in fact they are not).
Wired systems require direct connections to interrupt signals or a VERY strong or CLOSE emf (electromotive force (voltage)) to drop them. Even with wired solutions, this STILL accidentally happens. For operational/safety reasons, the petrochemical industry would be foolish to invest heavily in wireless technologies. I for one will be an outspoken critic of wireless for anything other than informational data to be sent to our control systems. Operational critical data will never be allowed over a wireless link in any plant in which I have the influence to stop it.

— An unnamed plant engineer in LaPorte, Tex.

If these statements were true, then the ongoing investment by process-automation suppliers in wireless networks for industrial automation, and process control in particular, would be a waste, and ISA-SP100 standardization a foolish effort. In fact, there are sound technical reasons why these statements are NOT true, although the fear does remain.

Broadband frequency jammer

First of all, broad spectrum jamming is a military tactic used during wartime to cripple radio communications, particularly on the battlefield where low power radios are used. During World War II, the Axis forces used exactly such a weapon against Allied forces. As a direct result of this jamming, the Hungarian-born Hollywood actress Hedy Lamarr and her associate George Antheil, both refugees from Europe, invented and patented frequency hopping spread spectrum communications as a method to avoid the effects of jamming. Although this patent, assigned to the U.S. Navy, called for mechanical frequency hopping, and although they never built the mechanism, modern wireless local area network (LAN) technology, including IEEE 802.11 and IEEE 802.15.1 (also known as Bluetooth), and most modern military battlefield communications platforms are built on this type of spread spectrum.
Also, to avoid jamming and for frequency diversity to reduce the effects of multiple signal paths, the technology being developed for ISA-SP100 will use frequency hopping spread spectrum. However, let us not forget that the worried survey respondent fears that wireless network traffic within a plant facility could be disrupted by an inexpensive broadband frequency jammer: a radio that sends out white noise across the frequencies used by the plant wireless network. I posed this question to the radio frequency expert on the ISA-SP100 committee, Aké Severinson, president and founder of Omnex Controls. Here is Severinson’s response:

Principles need to be verified with numbers in most engineering disciplines; wireless communications is no exception. So let me start with the 100-Watt wideband jammer (that the survey respondent above mentioned). The simple 100-watt jammer is, by definition, not able to direct or confine its energy to a narrower band, or to be frequency-agile. To jam the full 2.4 GHz ISM (industrial, scientific, and medical) band, it would need to spread its energy over the full 2,400 MHz spectrum. An ISA-SP100 wireless system need only be “open” (the rest limited by filters) to about 1 MHz of that band. As a result, it would at any one time only see 1/2,400th of the 100-Watt jamming power, or 42 mW. Thus the wideband jammer power would be of the same order as an SP100 wireless transmitter (expected to be between 1 and 100 mW). With equal power sources, the one closest to the receiver will win. Assuming you want to have some margin, you would want the desired signal to be stronger than any interference source, typically by 10 dB or so. That translates to a path difference between the desired and interfering signal of roughly three times.
As ISA-SP100 and similar industrial systems are low power devices by definition, they will operate over fairly short distances (300 feet is a commonly referenced number), and the wideband interferer would have to be within 1,000 feet of the targets to be effective, not several miles as stated.

Highly correlated signal

Severinson’s analysis rests on the supposition that a “simple” broadband jammer generating 100 watts would be at work. First, “simple” implies such a jammer is NOT concentrating its output energy into the specific frequency band being used by the wireless network, since the restrictions imposed by limiting bandwidth are technically complex. Second, in this ISM frequency band any 100-Watt generator is illegal, since ISM band power is limited to 250 milliwatts. Since it is illegal to sell such a device, one could reasonably question where one could purchase one, although it is possible to build one. Likewise, a 100-watt radio transmitter would be easy to detect, locate, and destroy. Using this form of terrorism is probably unlikely, since other forms of terrorism are technically easier, less costly, and more likely to cause longer-term disruption of an operating plant.

Since the radio frequency spectrum is likely to fill up with other networks using the same frequencies, such as wireless HART, Wi-Fi, cordless telephones, and lots of white noise leaking from microwave ovens and cell phones, all radios operating as part of ISA-SP100 will be required to operate in the presence of such noise. Excellence of design in this spectrum means being able to discriminate the actual signal from surrounding noise, not simply detecting a radio signal. White noise does not “drown out” the signal; it only provides uncorrelated background noise. An ISA-SP100 data stream is a highly correlated signal, detectable even in the presence of overwhelming white noise.
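Severinson’s argument above is a link budget, and it is worth carrying through with the actual arithmetic so a reader can vary the inputs. The Python below is an added example, not code from the article, from Severinson, or from the ISA-SP100 committee. Its assumptions are mine: the jammer’s energy is flat across whatever bandwidth it covers, the receiver front end rejects everything outside its own channel, and received power falls off with distance as 1/d^n (n = 2 for free space, which is what turns a 10 dB margin into the “roughly three times” path difference quoted above). The default figures reproduce the text’s 100 W, 2,400 MHz, 1 MHz, 300 ft and 10 dB; a second case spreads the same jammer over only the 83.5 MHz that the 2.4 GHz ISM allocation (2400–2483.5 MHz) actually occupies, since the covered bandwidth is the input that most changes the answer.

```python
"""Link-budget arithmetic behind the wideband-jammer argument.

Added example, not code from the article, from Severinson, or from the
ISA-SP100 committee. Assumptions (mine, not the article's): the jammer's
energy is flat across its bandwidth, the receiver front end rejects
everything outside its own channel, and received power falls off with
distance as 1/d**n (n = 2 is free space). All numbers are constructed
to reproduce the figures quoted in the text.
"""
import math

# The article spreads the jammer over "the full 2,400 MHz spectrum".
ARTICLE_JAMMER_BW_MHZ = 2400.0
# Width of the actual 2.4 GHz ISM allocation, 2400-2483.5 MHz (my note).
ISM_2_4_BAND_WIDTH_MHZ = 83.5
RECEIVER_BW_MHZ = 1.0      # the ~1 MHz an SP100 receiver is "open" to
LINK_RANGE_FT = 300.0      # commonly referenced SP100 range
MARGIN_DB = 10.0           # desired-signal margin over interference


def jammer_power_in_channel(jammer_watts, jammer_bw_mhz, receiver_bw_mhz):
    """Watts of a flat wideband jammer that land inside the receiver channel.

    Only the fraction receiver_bw / jammer_bw of the jammer's power passes the
    receiver filter; a jammer narrower than the channel is seen in full.
    """
    if jammer_bw_mhz <= 0 or receiver_bw_mhz <= 0:
        raise ValueError("bandwidths must be positive")
    fraction = min(1.0, receiver_bw_mhz / jammer_bw_mhz)
    return jammer_watts * fraction


def watts_to_dbm(watts):
    """Convert watts to dBm (0 dBm = 1 mW)."""
    return 10.0 * math.log10(watts * 1000.0)


def distance_ratio_for_margin(margin_db, path_loss_exponent=2.0):
    """How many times farther away than the wanted transmitter an equal-power
    interferer must be for the wanted signal to arrive margin_db stronger.

    With received power proportional to 1/d**n, P_wanted/P_jam equals
    (d_jam/d_wanted)**n, so d_jam/d_wanted = 10**(margin_db / (10*n)).
    For n = 2 and 10 dB this is sqrt(10), the "roughly three times" in the text.
    """
    return 10.0 ** (margin_db / (10.0 * path_loss_exponent))


def max_effective_jammer_distance_ft(link_range_ft, margin_db, path_loss_exponent=2.0):
    """Beyond this distance from the receiver an equal-power interferer no
    longer erodes the required margin on a link of link_range_ft."""
    return link_range_ft * distance_ratio_for_margin(margin_db, path_loss_exponent)


def jammer_scenario(jammer_watts=100.0, jammer_bw_mhz=ARTICLE_JAMMER_BW_MHZ,
                    receiver_bw_mhz=RECEIVER_BW_MHZ, link_range_ft=LINK_RANGE_FT,
                    margin_db=MARGIN_DB, path_loss_exponent=2.0):
    """Summarise one jammer-versus-link case as a dict of derived figures."""
    in_channel_w = jammer_power_in_channel(jammer_watts, jammer_bw_mhz, receiver_bw_mhz)
    return {
        "in_channel_jammer_mw": in_channel_w * 1000.0,
        "in_channel_jammer_dbm": watts_to_dbm(in_channel_w),
        "distance_ratio": distance_ratio_for_margin(margin_db, path_loss_exponent),
        "max_effective_jammer_distance_ft":
            max_effective_jammer_distance_ft(link_range_ft, margin_db, path_loss_exponent),
    }


if __name__ == "__main__":
    for label, bw in (("article's 2,400 MHz spread", ARTICLE_JAMMER_BW_MHZ),
                      ("83.5 MHz ISM band only", ISM_2_4_BAND_WIDTH_MHZ)):
        s = jammer_scenario(jammer_bw_mhz=bw)
        print(f"{label}: {s['in_channel_jammer_mw']:.1f} mW in channel "
              f"({s['in_channel_jammer_dbm']:.1f} dBm); equal-power interferer "
              f"must be within {s['max_effective_jammer_distance_ft']:.0f} ft")
```

Run stand-alone, the first case gives the article’s 41.7 mW (16.2 dBm), inside the 0 to 20 dBm range of a 1 to 100 mW SP100 transmitter, and an interferer distance of about 950 ft for a 300 ft link. The second case shows why the bandwidth a jammer actually has to cover is the figure to scrutinise when repeating this analysis for a specific plant: confining the same 100 W to the 83.5 MHz band puts about 1.2 W into the 1 MHz channel, and the distance ratio then has to absorb that extra power as well as the 10 dB margin.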
Part of that correlation is the frequency-hopping pattern; part of it is the use of direct sequence spread spectrum with its chipping pattern, and both will be a part of ISA-SP100.

Another technology planned for ISA-SP100 is mesh networking. One of the advantages of mesh networking is the ability to develop alternative paths when noise at one or more frequencies in the band, or obstructions, limit or prevent a message from successfully arriving at its destination. This is called “path diversity,” and it is useful in overcoming sources of interference by finding a noise-free path or, in this discussion, a path that may be farther away from the noise source.

This discussion would not be complete without mentioning the use of directional antennas. ISA-SP100 has been attempting to simplify installation through the use of omnidirectional antennas for radios at 2.4 GHz. One of the penalties of using omnidirectional antennas is that interfering signals from any direction can potentially disrupt reception of valid data signals. Directional antennas are inexpensive at this frequency since they are small, and high gain transmit and receive antennas can be made redundant as well. By increasing the gain of actual data signals, at the cost of somewhat increased installation complexity (aiming the antennas), rejection of a high amplitude white noise source is even more likely.

Moreover, that’s not all folks! Technology keeps moving forward, and ISA-SP100 can and will take advantage of new radio modulation techniques as they become available. Already a standard, but not yet in production, is IEEE 802.15.4a, a highly compatible radio using UltraWideBand (UWB) technology operating in the 3-11 GHz spectrum using either impulse modulation or orthogonal frequency division multiplexing. UWB is a new radio technology that operates well below the noise floor, meaning it expects to operate in the presence of large amounts of noise. It also moves away from the 2.4 GHz ISM band.
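The claim running through this section, that a chipping pattern lets a receiver pull a correlated data signal out of uncorrelated white noise that is stronger than any single chip, can be checked numerically. The Python below is an added example, not code from the article, from Severinson, or from ISA-SP100. Its assumptions are mine: the 11-chip Barker sequence of the original IEEE 802.11 DSSS physical layer stands in for the chipping pattern (the article does not give ISA-SP100’s), data and chips are ±1 values, and the channel adds seeded Gaussian white noise so the run is repeatable. The bits and the noise are constructed, not captured from any radio. It compares a spread link against an unspread one at the same per-sample noise level, so the difference in bit error rate is the processing gain and nothing else.

```python
"""Direct-sequence spreading and correlation despreading in white noise.

Added example, not code from the article, from Severinson, or from
ISA-SP100. Assumptions (mine): the 11-chip Barker sequence of the original
IEEE 802.11 DSSS physical layer stands in for the chipping pattern (the
article does not give ISA-SP100's), data and chips are BPSK-style +/-1
values, and the channel adds Gaussian white noise with a fixed seed so the
run is repeatable. Bits and noise are constructed, not captured.
"""
import math
import random

# Barker-11: +1 -1 +1 +1 -1 +1 +1 +1 -1 -1 -1 (low autocorrelation sidelobes)
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def processing_gain_db(chips_per_bit):
    """Despreading gain: correlating N chips raises SNR by a factor of N."""
    return 10.0 * math.log10(chips_per_bit)


def spread(bits, code):
    """Replace each bit by the chipping code (bit 1) or its negation (bit 0)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips


def add_white_noise(chips, noise_std, rng):
    """Add zero-mean Gaussian noise of the given standard deviation to every chip."""
    return [c + rng.gauss(0.0, noise_std) for c in chips]


def despread(samples, code):
    """Correlate each code-length window with the code; decide the bit by sign.

    Noise is uncorrelated with the code, so its contribution to the sum grows
    like sqrt(N) while the signal's grows like N: that is the processing gain.
    """
    n = len(code)
    bits = []
    for start in range(0, len(samples) - n + 1, n):
        corr = sum(s * c for s, c in zip(samples[start:start + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def bit_error_rate(sent, received):
    """Fraction of positions where the received bits differ from those sent."""
    errors = sum(1 for a, b in zip(sent, received) if a != b)
    return errors / len(sent)


def simulate(n_bits=400, noise_std=1.5, code=BARKER_11, seed=7):
    """Compare a spread link with an unspread one at the same per-chip noise level."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]

    rx_spread = add_white_noise(spread(bits, code), noise_std, rng)
    ber_spread = bit_error_rate(bits, despread(rx_spread, code))

    # Unspread reference: one +/-1 symbol per bit, same noise per sample.
    rx_plain = add_white_noise(spread(bits, [1]), noise_std, rng)
    ber_plain = bit_error_rate(bits, despread(rx_plain, [1]))

    return {
        "chip_snr_db": 10.0 * math.log10(1.0 / noise_std ** 2),   # negative: noise above signal
        "processing_gain_db": processing_gain_db(len(code)),
        "ber_spread": ber_spread,
        "ber_unspread": ber_plain,
    }


if __name__ == "__main__":
    r = simulate()
    print(f"chip SNR {r['chip_snr_db']:.1f} dB, processing gain {r['processing_gain_db']:.1f} dB")
    print(f"BER spread {r['ber_spread']:.3f} vs unspread {r['ber_unspread']:.3f}")
```

At the default setting every chip arrives about 3.5 dB below the noise, which is the “below the noise floor” condition the text describes; the 10.4 dB of processing gain from eleven chips lifts the decision statistic to about 7 dB above the noise, and the spread link decodes with a bit error rate around one percent while the unspread reference loses roughly a quarter of its bits. Raising `noise_std` or shortening `code` shows the margin shrinking, which is the quantity a plant would want measured rather than assumed.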
Again, its highly correlated radio signals are easy to discriminate from white noise, allowing the receiver to pull the data signal out from the masking noise. These radios will probably become widely available in the next two years and will be highly suitable for use with ISA-SP100.

Now to the question: “Should wireless networks be used for critical control functions or even safety functions?” Before answering, please recall that the same question plagued fieldbus signals before Foundation fieldbus was developed. At that time (1990), the general attitude among control engineers was that a fieldbus should only supply measurement or process variable data; control signals should not be transmitted on a fieldbus, and control calculations should never happen in field devices. The first versions of the safety standard ISA/ANSI S84 also prohibited critical safety functions from using network communications. Now that Foundation fieldbus and Profibus-PA are proven technologies, both positions are reversing. It is common, and often more responsive, to do control in field devices using the fieldbus for control signals. Indeed, standards committees are accepting the use of fieldbus technology for connection of safety-related data acquisition, as long as there are fieldbus diagnostics to instantly detect fieldbus failures, allowing immediate safety action.

Among the objectives for the first release of ISA-SP100 is the provision that it will be devoted to non-critical functions while we gain experience with its performance, safety, and reliability. Most users have expressed this desire, and the ISA-SP100 committee is responding by concentrating its first release on just such applications. However, it is far too early to call on the eventual use of wireless technology for critical control and even safety applications.
With the attention being paid to security by professional security experts on ISA-SP100, and an architecture that supports redundancy beginning at the field device as an inherent part of the protocol, there is an excellent probability that ISA-SP100 will be even more reliable than wired communications, even in the presence of planned illegal attacks.

All new technology engenders fear of the unknown, and the use of wireless in a process control application is rightfully scary. In this case, the user has a little bit of knowledge (high power radio jamming) but is unaware of the steps being taken by ISA-SP100 to eliminate the effects of such known sources of interference. In fact, ISA-SP100 is also considering many other sources of interference, and is guaranteeing the security of the message against either alteration or interception by using encryption. All of the suppliers participating in ISA-SP100 are committed to using the new technology once approval comes and are cooperating rather than competing in the development of this standard. Furthermore, the ISA-SP100 committee is dedicated to using technologies developed elsewhere whenever possible, while adding and adapting for the specific needs of the industrial automation market, with non-critical process control applications being the objective of the first release.

About the Author

Richard Caro (RCaro (at) CMC.us) has worked in industrial automation for almost 50 years and is the author of Automation Network Selection, ISA Press, 2004. He is chief executive of CMC Associates, a senior member of ISA, holds two patents, and has two chemical engineering degrees. He managed the ISA and IEC Fieldbus standards committees.

-=-

Terminology

Emf: Electromotive force is invisible and surrounds any electrical wire or device. It has two components—the electric field, which is the result of voltage, and the magnetic field, which is the result of current flow.
Frequency hopping spread spectrum: a type of radio transmission in which the transmitter and receiver hop in synchronization from one frequency to another according to a prearranged pattern.

ISA-SP100: the Wireless Systems for Automation committee that will establish standards, recommended practices, technical reports, and related information that will define procedures for implementing wireless systems in the automation and control environment.

Direct sequence spread spectrum (DSSS): different from frequency hopping. Instead of splitting a data signal into pieces, direct sequencing encodes each data bit into a longer bit string, called a chip. Usually, the chip is 11 to 20 bits long, depending on the application.

Mesh networking: a way to route data, voice, and instructions between nodes. It allows for continuous connections and reconfiguration around blocked paths by “hopping” from node to node until a connection establishes itself.

Omnidirectional antennas: radiate and receive equally well in all horizontal directions. The gain of an omnidirectional antenna can be increased by narrowing the beam width in the vertical or elevation plane. The net effect is to focus the antenna’s energy toward the horizon.

Ultra-wide band technology: usually refers to a radio communications technique based on transmitting very-short-duration pulses, often of only nanoseconds or less, whereby the occupied bandwidth becomes very large.

-=-

RESOURCES

* Building the perfect beast www.isa.org/link/Perfect_beast
* Wireless SCADA Gains Foothold www.isa.org/link/scadafoothold
* ISA-SP100 Wireless Systems for Automation Standards www.isa.org/isasp100
* Wireless Networks for Industrial Automation, 2nd Edition by Dick Caro www.isa.org/wirelessnetworks
* SCADA: Supervisory Control and Data Acquisition, 3rd Edition by Stuart A. Boyer www.isa.org/scada
* Wireless Industrial Networking Alliance www.wina.org

All contents copyright of ISA © 1995-2007 All rights reserved.
This archive was generated by hypermail 2.1.3 : Wed May 30 2007 - 22:17:03 PDT