[ISN] Users fear wireless networks for control

From: InfoSec News (alerts@private)
Date: Wed May 30 2007 - 22:08:30 PDT


http://www.isa.org/InTech/20070501

By Dick Caro
InTech Magazine
May 1, 2007

Last year, ISA ran a survey requesting end users to answer questions 
related to their potential use of wireless technology for industrial 
automation.

One user’s response made a statement that may reflect a general attitude 
of many potential users. Here is the slightly edited response:

 There was no place on the wireless survey to make a comment but rather 
 just answer the predefined questions, I wanted to comment that I will 
 NOT have wireless in the plant for reasons of operational security not 
 related to hacking.

 ALL wireless signal generation can be jammed and as such provides an 
 unnecessary operational risk. To those that state spread spectrum is 
 the answer to jamming, they are totally wrong. Spread spectrum came 
 about as a means to make hacking increasingly difficult by rotating 
 through a spectrum of frequencies. The fabricators of spread spectrum 
 did not see it as a technology that would or could overcome a spectrum 
 jammer. A white noise generator of sufficient power in the spectrum of 
 the wireless devices can jam ALL the frequencies used, leading to a 
 total collapse of data from those devices.

 All devices manufactured today use the same ranges the FCC licensed for 
 open frequency use and specifically in use by telephone manufacturers 
 such as 900 MHz, 2.4 GHz, 5.6 GHz, and the rest. A person just needs to 
 know which band a plant is using and build a jammer that operates at 
 least ± 40 Hz from this frequency to jam all the spread spectrum 
 frequencies as well.

 Since these field devices operate in the very low power range 
 (milliwatt), a simple 100W generator should be sufficient to lock out 
 the devices from the control system over a couple of miles in range.

 By ignoring white noise or targeted noise generators, you are opening 
 industry up to a catastrophic event to take place when people think 
 they are safe (when in fact they are not). Wired systems require direct 
 connections to interrupt signals or a VERY strong or CLOSE emf 
 (electromotive force (voltage)) to drop them. Even with wired 
 solutions, this STILL accidentally happens. For operational/safety 
 reasons, the petrochemical industry would be foolish to invest heavily 
 in wireless technologies.

 I for one will be an outspoken critic of wireless for anything other 
 than informational data to be sent to our control systems. Operational 
 critical data will never be allowed over a wireless link in any plant 
 in which I have the influence to stop it.

 — An unnamed plant engineer in LaPorte, Tex.


If these statements were true, then the ongoing investment by the 
process-automation industry suppliers to support wireless networks for 
industrial automation, and process control in particular, would be a 
waste and ISA-SP100 standardization a foolish effort.  In fact, there 
are sound technical reasons why these statements are NOT true, although 
the fear does remain.


Broadband frequency jammer

First of all, broad spectrum jamming is a military tactic used during 
wartime to cripple radio communications, particularly on the battlefield 
where low power radios are used.

During World War II, the Axis forces used exactly such a weapon against 
Allied forces. As a direct result of this jamming, Hollywood actor and 
Hungarian-born Hedy Lamarr and her associate George Antheil, both 
refugees from Europe, invented and patented frequency hopping spread 
spectrum communications as a method to avoid the effects of jamming.

Although this patent, assigned to the U.S. Navy, called for mechanical 
frequency hopping, and although they never built the mechanism, modern 
wireless local area network (LAN) technology, including IEEE 802.11 and 
802.15.1 (also known as Bluetooth), and most modern military battlefield 
communications platforms are built on this type of spread spectrum.

Also, to avoid jamming and for frequency diversity to reduce the effects 
of multiple signal paths, the technology being developed for ISA-SP100 
will use frequency hopping spread spectrum.

However, let us not forget the worried respondent's fear: that wireless 
network traffic within a plant facility could be disrupted by an 
inexpensive broadband frequency jammer, a radio that sends out white 
noise across the frequencies used by the plant wireless network. I posed 
this question to the radio frequency expert on the ISA-SP100 committee, 
Aké Severinson, president and founder of Omnex Controls. Here is 
Severinson’s response:

 Principles need to be verified with numbers in most engineering 
 disciplines; wireless communications is no exception. So let me start 
 with the 100-Watt wideband jammer (that the survey respondent above 
 mentioned).

 The simple 100-watt jammer by definition does not direct or confine 
 its energy to a narrower band, nor is it frequency-agile. To jam the 
 full 2.4 GHz ISM (industrial, scientific, and medical) band, it would 
 need to spread its energy over the full 2,400 MHz spectrum.

 An ISA-SP100 wireless system need only be “open” (the rest limited 
 by filters) to about 1 MHz of that band. As a result, it would at any 
 one time only see 1/2,400th of the 100-Watt jamming power, or 42 mW. 
 Thus the wideband jammer power would be in the same order of power as 
 an SP100 wireless transmitter (expected to be between 1 and 100 mW).

 With equal power sources, the one closest to the receiver will win. 
 Assuming you want to have some margin, you would want the desired 
 signal to be stronger than any interference source, typically by 10 dB 
 or so.

 That translates to a path difference between the desired and 
 interfering signal of roughly three times. As ISA-SP100 and similar 
 industrial systems are low power devices by definition, they will 
 operate over fairly short distances (300 feet is a commonly referenced 
 number), and the wideband interferer would have to be within 1,000 feet 
 of the targets to be effective, not several miles as stated.
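Severinson's budget carried through in code, as an added example that is not from the article or from ISA-SP100. It assumes what the quote leaves implicit: the "simple" jammer spreads its power evenly across its band, and received power falls with the square of distance (free-space path loss). The general function also lets the transmitter power vary across the 1 to 100 mW range the quote gives.

```python
import math

# Added example: interference budget for a wideband jammer against a
# narrowband receiver. Model assumptions (not stated on the page):
#   - the jammer's power is spread uniformly over jam_bw_mhz
#   - path loss is free-space, received power ~ P / d**path_loss_exp
ISM_BAND_MHZ = 2400.0       # width Severinson uses for the "full" spectrum
RX_OPEN_BW_MHZ = 1.0        # bandwidth the SP100 receiver is "open" to


def in_band_jammer_power_w(jammer_w, jam_bw_mhz, rx_bw_mhz):
    """Jammer power that actually lands inside the receiver's open bandwidth."""
    return jammer_w * (rx_bw_mhz / jam_bw_mhz)


def db(ratio):
    """Power ratio expressed in decibels."""
    return 10 * math.log10(ratio)


def min_jammer_distance_ft(tx_w, tx_dist_ft, jam_inband_w,
                           margin_db=10.0, path_loss_exp=2):
    """Closest the interferer can be (feet) before the desired signal loses
    its protection margin.  With received power ~ P / d**n the condition
    (tx_w / d_tx**n) / (jam_w / d_jam**n) >= 10**(margin/10) rearranges to
    d_jam >= d_tx * (10**(margin/10) * jam_w / tx_w) ** (1/n).
    For equal powers and n=2 the factor is sqrt(10) ~ 3.16, the
    "roughly three times" in the quote."""
    required_ratio = 10 ** (margin_db / 10)
    return tx_dist_ft * (required_ratio * jam_inband_w / tx_w) ** (1 / path_loss_exp)


def budget(jammer_w=100.0, jam_bw_mhz=ISM_BAND_MHZ, rx_bw_mhz=RX_OPEN_BW_MHZ,
           tx_w=None, tx_dist_ft=300.0):
    """Severinson's three steps: dilution of the jammer, comparison with the
    SP100 transmitter, and the resulting stand-off distance."""
    jam_w = in_band_jammer_power_w(jammer_w, jam_bw_mhz, rx_bw_mhz)
    if tx_w is None:
        tx_w = jam_w  # "same order of power": the equal-power case in the quote
    return {
        "in_band_jammer_mw": jam_w * 1000,                  # ~41.7 mW
        "dilution_db": db(jam_bw_mhz / rx_bw_mhz),          # ~33.8 dB lost
        "min_jammer_distance_ft": min_jammer_distance_ft(tx_w, tx_dist_ft, jam_w),
    }


if __name__ == "__main__":
    for name, value in budget().items():
        print(f"{name}: {value:.1f}")
```

Passing `tx_w=0.1` (a 100 mW node) or `tx_w=0.001` (a 1 mW node) shows how much the stand-off distance depends on the transmitter power the quote only gives as a range.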


Highly correlated signal

Severinson’s analysis rests on the supposition that a “simple” broadband 
jammer generating 100 watts would be at work.

First, “simple” implies such a jammer is NOT concentrating its output 
energy into the specific frequency band being used by the wireless 
network, since the restrictions imposed by limiting bandwidth are 
technically complex.

Second, in this ISM frequency band, any 100-Watt generator is illegal, 
since ISM band power is limited to 250 milliwatts. Since it is illegal 
to sell such a device, one could reasonably question where one could 
purchase such a device, although it is possible to build one.

Likewise, a 100-watt radio transmitter would be easy to detect, locate, 
and destroy. Using this form of terrorism is probably unlikely since 
other forms of terrorism are technically easier, less costly, and more 
likely to cause longer-term disruption of an operating plant.

Since the radio frequency spectrum is likely to fill up with other 
networks using the same frequencies, such as wireless HART, Wi-Fi, 
cordless telephones, and lots of white noise leaking from microwave 
ovens and cell phones, all radios operating as part of ISA-SP100 will be 
required to operate in the presence of such noise.

Excellence of design in this spectrum lies in discriminating the actual 
signal from the surrounding noise, not simply in detecting a radio 
signal. White noise does not “drown out” the signal; it only adds 
uncorrelated background noise.

An ISA-SP100 data stream is a highly correlated signal detectable even 
in the presence of overwhelming white noise. Part of that correlation is 
the frequency-hopping pattern, part of it is the use of direct sequence 
spread spectrum with its chipping pattern, and both will be a part of 
ISA-SP100.

Another technology planned for ISA-SP100 is mesh networking. One of the 
advantages of mesh networking is the ability to develop alternative 
paths when noise at one or more frequencies in the band, or obstructions, 
limit or prevent a message from arriving at its destination.

This is called “path diversity,” and it is useful in overcoming sources 
of interference by finding a noise-free path or, in this discussion, a 
path that is farther from the noise source.

This discussion would not be complete without mentioning the use of 
directional antennas. ISA-SP100 has been attempting to simplify 
installation through the use of omnidirectional antennas for radio at 
2.4 GHz.

One of the penalties for using omnidirectional antennas is to allow 
interfering signals from any direction to potentially disrupt reception 
of valid data signals.

Directional antennas are inexpensive at this frequency since they are 
small, and high-gain transmit and receive antennas can be made redundant 
as well. By increasing the gain on actual data signals, at the cost of 
somewhat increased installation complexity—aiming the antennas— 
rejection of a high-amplitude white noise source is even more likely.


Moreover, that’s not all folks!

Technology keeps moving forward, and ISA-SP100 can and will take 
advantage of new radio modulation techniques as they become available.

Already a standard, but not yet in production, is IEEE 802.15.4a, a 
highly compatible radio using ultra-wideband (UWB) technology operating 
in the 3-11 GHz spectrum with either impulse modulation or orthogonal 
frequency division multiplexing.

UWB is a new radio technology that operates well below the noise floor, 
meaning it expects to operate in the presence of large amounts of noise. 
It also moves away from the 2.4 GHz ISM band.

Again, its highly correlated radio signals are easy to discriminate from 
white noise, allowing the receiver to pull the data signal out from the 
masking noise. These radios will probably become widely available in the 
next two years and will be highly suitable for use with ISA-SP100.

Now to the question, “should wireless networks be used for critical 
control functions or even safety functions?” Before an answer, please 
recall the same question plagued fieldbus signals before Foundation 
fieldbus was developed.

At that time (1990), the general attitude among control engineers was a 
fieldbus should only supply measurement or process variable data, but 
control signals should not transmit on a fieldbus, and control 
calculations should never happen in field devices.

The first versions of the safety standard ISA/ANSI S84 also prohibited 
critical safety functions from using network communications. Now that 
Foundation fieldbus and Profibus-PA are proven technologies, both 
positions are reversing.

It is common and often more responsive to do control in field devices 
using the fieldbus for control signals. Indeed, standards committees are 
accepting the use of fieldbus technology for connection of safety 
related data acquisition as long as there are fieldbus diagnostics to 
instantly detect fieldbus failures allowing immediate safety action.

Among the objectives for the first release of ISA-SP100 is the provision 
that it be devoted to non-critical functions while we gain experience 
with its performance, safety, and reliability.

Most users have expressed this desire, and the ISA-SP100 committee is 
responding with its first release to concentrate on just such 
applications. However, it is far too early to make a call on the 
eventual use of wireless technology for critical control and even safety 
applications.

With the attention going to security by professional security experts on 
ISA-SP100, and an architecture that supports redundancy beginning at the 
field device as an inherent part of the protocol, there is an excellent 
probability ISA-SP100 will be even more reliable than wired 
communications, even in the presence of planned illegal attacks.

All new technology engenders fear of the unknown, and the use of 
wireless in a process control application is rightfully scary. In this 
case, the user has a little bit of knowledge (high power radio jamming) 
but is unaware of the steps being taken to eliminate the effects of such 
known sources of interference by ISA-SP100.

In fact, ISA-SP100 is also considering many other sources of 
interference, and ways of guaranteeing the security of the message 
against alteration or interception using encryption.

All of the suppliers participating in ISA-SP100 are committed to using 
the new technology once approval comes and are cooperating rather than 
competing in the development of this standard.  Furthermore, the 
ISA-SP100 committee is dedicated to using technologies developed 
elsewhere whenever possible, but adding and adapting for the specific 
needs of the industrial automation market, with non-critical process 
control applications being the objective of the first release.


About the Author

Richard Caro (RCaro (at) CMC.us) has worked in industrial automation for 
almost 50 years and is the author of Automation Network Selection, ISA 
Press, 2004. He is chief executive of CMC Associates, a senior member of 
ISA, holds two patents, and has two chemical engineering degrees. He 
managed the ISA and IEC Fieldbus standards committees.

-=-

Terminology

Emf: Electromotive force is invisible and surrounds any electrical wire 
or device. It has two components—the electric field, which is the result 
of voltage, and the magnetic field, which is the result of current flow.

Frequency hopping spread spectrum: is a type of radio transmission in 
which the transmitter and receiver hop in synchronization from one 
frequency to another according to a prearranged pattern.

ISA-SP100: is the Wireless Systems for Automation committee that will 
establish standards, recommended practices, technical reports, and 
related information that will define procedures for implementing 
wireless systems in the automation and control environment.

Direct sequence spread spectrum (DSSS): differs from frequency hopping. 
Instead of splitting a data signal into pieces, direct sequencing 
encodes each data bit into a longer bit string, called a chip. Usually 
11 to 20 bits make up the chip, depending on the application.
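The chip-correlation idea behind both the “highly correlated signal” argument in the article body and the DSSS definition above, worked as an added example that is not from the article or from ISA-SP100. It uses the 11-chip Barker code of IEEE 802.11 DSSS as the spreading sequence; the bit patterns, interferer level and noise level are constructed for the demonstration.

```python
import math
import random

# 11-chip Barker code, the spreading sequence used by IEEE 802.11 DSSS.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Each data bit becomes len(code) chips: the code for 1, its negation for 0."""
    return [c * (1 if b else -1) for b in bits for c in code]


def despread(chips, code=BARKER_11):
    """Correlate each block of chips with the code; the sign of the sum is the bit.
    Uncorrelated noise adds up incoherently, the signal adds up coherently."""
    n = len(code)
    return [int(sum(x * c for x, c in zip(chips[i:i + n], code)) > 0)
            for i in range(0, len(chips), n)]


def processing_gain_db(code=BARKER_11):
    """Gain of the correlator over a single-chip decision: 10*log10(11) ~ 10.4 dB."""
    return 10 * math.log10(len(code))


def bit_errors(sent, got):
    return sum(a != b for a, b in zip(sent, got))


def constant_interferer_trial(bits=(1, 0, 1, 1, 0), level=3.0):
    """Constructed case: an interferer at 3x the chip amplitude (about 9.5 dB
    above the signal) on every chip. Raw decisions saturate to 1; the
    correlator still recovers the bits because the code is nearly balanced."""
    raw_rx = [int((1 if b else -1) + level > 0) for b in bits]
    dsss_rx = despread([x + level for x in spread(bits)])
    return raw_rx, dsss_rx


def noisy_link_trial(n_bits=256, noise_sigma=1.5, seed=7):
    """Constructed case: Gaussian noise on every chip with power 2.25x the chip
    power (per-chip SNR about -3.5 dB). Returns (raw errors, DSSS errors) for
    an unspread one-chip-per-bit link and the DSSS link at the same noise."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    noise = lambda: rng.gauss(0.0, noise_sigma)
    raw_rx = [int((1 if b else -1) + noise() > 0) for b in bits]
    dsss_rx = despread([x + noise() for x in spread(bits)])
    return bit_errors(bits, raw_rx), bit_errors(bits, dsss_rx)
```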

Mesh networking: is a way to route data, voice, and instructions between 
nodes. It allows for continuous connections and reconfiguration around 
blocked paths by “hopping” from node to node until a connection 
establishes itself.

Omnidirectional antennas: radiate and receive equally well in all 
horizontal directions. The gain of an omnidirectional antenna can 
increase by narrowing the beam width in the vertical or elevation plane. 
The net effect is to focus the antenna’s energy toward the horizon.

Ultra-wide band technology: usually refers to a radio communications 
technique based on transmitting very-short-duration pulses, often of 
only nanoseconds or less, whereby the occupied bandwidth goes to very 
large values.


-=-


RESOURCES

* Building the perfect beast 
  www.isa.org/link/Perfect_beast
    
* Wireless SCADA Gains Foothold
  www.isa.org/link/scadafoothold
    
* ISA-SP100 Wireless Systems for Automation Standards
  www.isa.org/isasp100
    
* Wireless Networks for Industrial Automation, 2nd Edition 
  by Dick Caro
  www.isa.org/wirelessnetworks
    
* SCADA: Supervisory Control and Data Acquisition, 3rd Edition 
  by Stuart A. Boyer
  www.isa.org/scada
    
* Wireless Industrial Networking Alliance
  www.wina.org

 
All contents copyright of ISA © 1995-2007 All rights reserved.






This archive was generated by hypermail 2.1.3 : Wed May 30 2007 - 22:17:03 PDT