2010 Fourth International Conference on Emerging Security Information, Systems and Technologies

Industrial Sensor Network Security Architecture

Rainer Falk, Hans-Joachim Hof
Siemens AG – Corporate Technology, Munich, Germany
[rainer.falk | hans-joachim.hof]@siemens.com

978-0-7695-4095-5/10 $26.00 © 2010 IEEE
DOI 10.1109/SECURWARE.2010.24 10.1109/SECURWARE.2010.11

Abstract—Wireless sensor-actuator networks have a big usage potential in numerous industrial use cases. They allow easy and flexible deployment of nodes for monitoring and controlling various industrial applications, for example the supervision of critical infrastructures or monitoring and control in factory and process automation. However, missing or weak security of wireless communications would restrain the acceptance of wireless sensor-actuator networks in industrial settings. Security measures are crucial to ensure a reliable operation that is robust to accidental and targeted attacks. This paper describes a security architecture specially crafted for industrial usage environments. It provides mandatory hop-by-hop frame protection as well as authentication, access control, and protection of end-to-end communication. A secure wake-up scheme prevents a certain class of Denial-of-Service attacks, and a secure cooperative MIMO scheme improves communication reliability.

Keywords-Wireless sensor network; communication security

I. INTRODUCTION

Wireless sensor networks have been a hot research topic since the vision of smart dust was articulated. Nowadays, sensor networks are on the verge of industrial application. Several aspects of wireless sensor networks are appealing for industrial use: there is no need for wiring (installation of wires may be a huge cost factor or simply not practical, for example in the case of moving parts). As wireless sensors and also actuators can be installed flexibly, temporary installations can be deployed when and where needed. The ZESAN project ("Zuverlässige, Energie-effiziente Sensor-Aktor-Netze", reliable, energy-efficient sensor-actuator networks), funded by the German government, aims to enhance wireless sensor-actuator network technology to a degree suitable for industrial application [1]. It addresses important industrial application scenarios from process and factory automation. This paper describes the security design for industrial sensor-actuator networks developed as part of the ZESAN project.

Some typical industrial application scenarios for industrial wireless sensor networks are sketched to illustrate the kind of sensor network for which security has been designed. With pipeline monitoring, a pipeline is supervised to detect and locate problems in a timely fashion. Sensor nodes are attached along the pipeline to obtain up-to-date information about the pipeline status that is sent to a control centre for further processing such as trend analysis and display to monitoring personnel. Other critical infrastructures such as fresh water supply, power transmission and distribution, or railway infrastructure can be monitored in a similar way. Condition monitoring supervises industrial machines to obtain information about their condition and to schedule maintenance when needed, thereby reducing downtime of machinery and costs. Sensor nodes are attached to the machine parts to analyze the current state of the machine. Sensor nodes periodically send reports to a central control station where they are evaluated automatically or by a plant operator. A temporarily installed monitoring system may be used in process automation to locate and analyze mass losses. When the information needed to determine the source of the mass loss is not provided by the installed sensors, an additional monitoring system may be installed temporarily to locate the source of the mass loss. The monitoring system uses wirelessly connected sensors to measure the mass flow. They can be easily installed where and when needed (and removed again when the leakage has been found). The temporarily installed monitoring system provides temporally and spatially more fine-grained information, as the placement of temporary sensors can be denser than the placement of regular (built-in) sensor nodes. Decentralized process control can be implemented using intelligent field devices connected to an industrial wireless sensor network. Sensors measure actual values and send them to intelligent field devices acting as local controllers. These field devices check whether the actual values match the specified values and react if necessary. Additionally, the sensor nodes report measured values to the control station so that the plant operator can react depending on the state of the overall process. The relevant security requirements were determined based on a threat and risk analysis: authentication and access control, message integrity and freshness are required in all considered usage scenarios, while confidentiality, non-repudiation, and assurance of node liveness are required only for some usage scenarios.

This paper is structured as follows: Section II gives an overview of important use cases for industrial sensor-actuator networks, side conditions, and corresponding security requirements. It also describes the overall architectural design of the ZESAN sensor-actuator network. The security design addressing the relevant security requirements is described in Section III: the protection of communication within the wireless sensor-actuator network both hop-by-hop and end-to-end, and the authentication and key agreement for establishing the required session keys. Specific security mechanisms for protecting node wake-up, for bootstrapping the security configuration, and for secure cooperative MIMO (Multiple Input Multiple Output) transmission using antenna diversity are described as well. The paper concludes, after describing the ongoing implementation and related work, with a summary and an outlook on future work.

II. ZESAN WIRELESS SENSOR NETWORK ARCHITECTURE

The German-funded project ZESAN develops technologies to bring wireless sensor network technology closer to industrial applicability. Main objectives are to provide reliable, energy-efficient and secure operation of a wireless sensor-actuator network for important industrial usage scenarios. These industrial usage scenarios and their typical properties differ slightly from typical sensor network scenarios, hence security solutions need adaptation to their new usage.

Figure 1. Typical Industrial Wireless Sensor-Actuator Network Setting (diagram not reproduced; its labels: Sensor Network Domain (SND), Gateway 1, Gateway 2, Gateway 3, Coordinator, SecMgr)

In a wireless sensor-actuator network as envisaged for the covered industrial usage scenarios, a rather small number of sensor and actuator nodes – typically some tens to at most some hundreds – are interconnected wirelessly to form the wireless multi-hop sensor-actuator network, see Figure 1. The wireless sensor network is connected via one or more gateways to an infrastructure network. In contrast to more limited sensor-actuator networks, multiple gateways may exist. These enable larger installations covering whole areas such as an industrial park while limiting the maximum path length. The wireless network is planned, installed and operated in a controlled way, so that self-organization is needed only to a limited degree. This enables the usage of centralized network control functions for network operation and security (coordinator, security manager SecMgr).

III. SECURITY ARCHITECTURE DESIGN

The specific properties of the envisaged industrial wireless sensor-actuator networks and the corresponding security requirements are reflected in the security design. A further important property is ease of use, as no IT or even security specialist should be required for installing and using a wireless sensor network. Therefore only few configuration settings should be required. The basic design is deliberately simple, in line with common existing industrial wireless sensor networks such as Wireless HART, extending it with additional features: support for multiple gateways, support for direct node-to-node communication (not only towards a gateway), and no assumptions on the availability of a synchronized clock on the MAC layer. The security architecture provides an efficient and simple-to-use base security that covers common security requirements. Additional security features can be selected in a modular way when needed, such as a protected node liveness check, end-to-end confidentiality protection, or non-repudiation. Different bootstrapping procedures for establishing the required security configuration data with limited administrative effort have been defined. Specific bootstrapping procedures can be integrated without affecting the security architecture for WSAN operation. Specific new security features have been developed to protect the wake-up of a sleeping node, to determine cryptographic nonces in which a network-wide nonce contribution value is used in the nonce construction, and for secure multiple-input-multiple-output (MIMO) transmission using antenna diversity for increased robustness. The security architecture follows these design principles:

- IEEE 802.15.4 frame protection for hop-to-hop communication: The integrity is protected using a network-wide key. The frame's message integrity code allows a receiving sensor node to verify whether the frame has been sent by a node belonging to the same network. Only if this is the case is the frame forwarded or processed. Hardware security support offered by common sensor network chips can be used.
- Security manager: A security manager is used to authenticate a joining node and to establish the required session keys (network key, end-to-end keys). A join key protects network access authentication and key establishment for a joining sensor/actuator node. Depending on the deployment, all nodes of a sensor-actuator network can be configured with the same join key or with node-individual join keys. The security manager is also responsible for rekeying and node revocation.
- End-to-end protection: An additional security layer is added on top for protected end-to-end communication of application data, in particular towards the security manager or a gateway. Both integrity and confidentiality can be protected end-to-end.

Figure 2. Established Security Associations (figure not reproduced)

The dynamically established session keys of a wireless sensor-actuator network comprising three sensor nodes and a single gateway GW are shown in Figure 2. The initial security association in the form of the join key (not shown) is the basis for establishing all required session keys. The join key is shared between a joining node and the network's security manager (SecMgr). The security manager provides a network key (hop-to-hop key) for protecting layer 2 communication on a wireless link. This key basically ensures that forwarded frames originate from a node belonging to the same network and protects the integrity of the frame content (header and data). Furthermore, end-to-end keys are established for protecting the communication between a node and the gateway (gateway end-to-end key) and with the security manager (SecMgr end-to-end key). Both the integrity and the confidentiality of data are protected. Further end-to-end keys can be established when needed for end-to-end protection of multi-hop communication between nodes (node end-to-end key). The security manager can revoke keys when needed. The following sections describe the main parts of the security design in more detail.

A. Frame Protection

Frame protection can be applied both on a hop-by-hop basis ("Layer 2") and end-to-end ("Layer 3") across multiple hops within the sensor-actuator network.

Figure 3. Frame Format
| L2 Hdr | L3 Hdr | Payload (encrypted) | L3 MIC | L2 MIC |

A frame comprises two headers: a layer 2 header for hop-to-hop header information and a layer 3 header for end-to-end header information (see Figure 3). It also comprises two message authentication codes called MICs (message integrity codes): one MIC that is recomputed and verified on a hop-by-hop basis when the frame is forwarded through the multi-hop sensor network, and one end-to-end MIC computed by the sender and verified by the receiver. The payload may be encrypted to provide end-to-end confidentiality of the transmitted data. The AES-CCM* scheme is used (counter mode with CBC-MAC). A node maintains a single layer 2 outgoing frame counter for all communication partners. It is incremented with each sent frame. The counter allows detecting replayed messages and ensures uniqueness of the cryptographic nonce used for computing the layer 2 MIC. When the frame counter reaches its maximum value of 0xffffffff, the associated keying material must no longer be used, thus requiring a rekeying. The frame counter is used for constructing the CCM* nonce, which is one of the inputs to the cryptographic functions used for integrity and/or confidentiality. The CCM* nonce consists of the long address of the sender (source address), the frame counter, and the security level. Note that the CCM* nonce is never transmitted; it is only used as input to the cryptographic functions. In an extension, the MIC nonce may comprise a nonce contribution value provided by the security manager, so that only a rather small counter value has to be maintained and sent over the wireless link. The security manager provides a changing nonce contribution value to all nodes of a sensor-actuator network. This allows using rather short counters of 16 bits while avoiding the need for regular rekeying. Encryption and integrity protection on layer 3 protects the application data of the sensor network end-to-end. The counter management on layer 3 follows the common approach of using a separate counter per security association, as a security context has to be managed for each layer 3 security association. As both nodes store each other's counter value, only the less significant bits have to be transmitted.

B. Authentication and Key Agreement

A sensor/actuator node connects to the WSAN by the join procedure, see Figure 4.

Figure 4. Authentication and Key Agreement (Join Procedure)
Joining Node -> Node -> Node -> GW -> SecMgr: AUTH_REQ, integrity protected by join key
SecMgr -> GW -> Node -> Node -> Joining Node: AUTH_RES(K_NWK, K_GW, K_SM), encrypted and integrity protected by join key

To execute the join procedure successfully, a joining node has to be in possession of a valid join key. The joining node sends an authentication request message AUTH_REQ to a neighboring node that forwards it via further nodes and a gateway GW to the network's security manager SecMgr. The AUTH_REQ message is integrity protected using the join key. The security manager verifies the message. If the received message contains a valid MIC value that can be verified successfully using the join key stored at the security manager for an authorized node, the node attempting to join is accepted by the security manager. The security manager sends a response message AUTH_RES that includes the session keys required to participate in the WSAN (network key K_NWK and link keys for the gateways K_GW and the security manager K_SM). The contents of the AUTH_RES message are encrypted using the join key, so that the provided session keys are never sent in clear. Further end-to-end keys are provided by the link key procedure (not shown): link keys are provided by the security manager on request of a node or automatically as defined by policy. The keys are provided to the involved nodes.
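The two-layer frame protection of Section III.A, sketched as an added example that is not code from the paper or the ZESAN demonstrator: the 13-byte CCM* nonce is rebuilt by the receiver from the long source address, frame counter and security level, the layer 2 MIC is checked and recomputed at every hop under the network key while the layer 3 MIC travels unchanged to the final receiver, only the 16 low-order bits of the layer 3 counter are sent, and the layer 2 counter serves both as replay check and as rekey trigger. A keyed hash stands in for AES-CCM*, payload encryption is omitted, and the MIC length, the security level value and all keys and addresses are constructed assumptions.

```python
import hashlib
import hmac
import struct

NWK_KEY = bytes(range(16))      # constructed demo network key (hop-by-hop, layer 2)
E2E_KEY = bytes(range(16, 32))  # constructed demo end-to-end key (layer 3)
MIC_LEN = 8                     # 64-bit MIC on both layers (assumed length)
L2_COUNTER_MAX = 0xFFFFFFFF     # counter value at which the network key must be replaced
SEC_LEVEL = 6                   # 802.15.4-style security level byte (assumed value)


def ccm_nonce(src_long_addr: bytes, counter: int, sec_level: int) -> bytes:
    """Nonce as in Section III.A: long source address || frame counter || security level.
    It is never transmitted; both sides rebuild it from header fields and stored state."""
    return src_long_addr + struct.pack(">I", counter) + bytes([sec_level])


def mic(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the CCM* (CBC-MAC) integrity code: keyed hash over nonce || data."""
    return hmac.new(key, nonce + data, hashlib.sha256).digest()[:MIC_LEN]


class Node:
    def __init__(self, long_addr: bytes):
        self.addr = long_addr   # 8-byte long address
        self.l2_counter = 0     # one outgoing layer 2 counter for all partners
        self.l2_seen = {}       # highest accepted layer 2 counter per neighbour
        self.l3_tx = 0          # layer 3 counters of the (single) e2e association here
        self.l3_rx = 0

    # layer 3: computed once by the sender, verified only by the final receiver
    def l3_protect(self, dst: bytes, payload: bytes) -> bytes:
        self.l3_tx += 1
        nonce = ccm_nonce(self.addr, self.l3_tx, SEC_LEVEL)
        l3_hdr = self.addr + dst + struct.pack(">H", self.l3_tx & 0xFFFF)  # 16 low bits only
        return l3_hdr + payload + mic(E2E_KEY, nonce, l3_hdr + payload)

    def l3_verify(self, l3_frame: bytes) -> bytes:
        l3_hdr, body, tag = l3_frame[:18], l3_frame[18:-MIC_LEN], l3_frame[-MIC_LEN:]
        src, low16 = l3_hdr[:8], struct.unpack(">H", l3_hdr[16:18])[0]
        full = (self.l3_rx & ~0xFFFF) | low16  # rebuild the full counter from stored state
        if full <= self.l3_rx:
            full += 0x10000                    # the 16-bit field wrapped around
        nonce = ccm_nonce(src, full, SEC_LEVEL)
        if not hmac.compare_digest(tag, mic(E2E_KEY, nonce, l3_hdr + body)):
            raise ValueError("end-to-end MIC check failed")
        self.l3_rx = full
        return body

    # layer 2: checked and recomputed at every hop with the network-wide key
    def l2_protect(self, inner: bytes) -> bytes:
        if self.l2_counter >= L2_COUNTER_MAX:
            raise ValueError("layer 2 frame counter exhausted; network key must be replaced")
        self.l2_counter += 1
        l2_hdr = self.addr + struct.pack(">I", self.l2_counter)
        nonce = ccm_nonce(self.addr, self.l2_counter, SEC_LEVEL)
        return l2_hdr + inner + mic(NWK_KEY, nonce, l2_hdr + inner)

    def l2_verify(self, frame: bytes) -> bytes:
        l2_hdr, inner, tag = frame[:12], frame[12:-MIC_LEN], frame[-MIC_LEN:]
        src, ctr = l2_hdr[:8], struct.unpack(">I", l2_hdr[8:12])[0]
        if ctr <= self.l2_seen.get(src, 0):
            raise ValueError("replayed layer 2 frame dropped")
        nonce = ccm_nonce(src, ctr, SEC_LEVEL)
        if not hmac.compare_digest(tag, mic(NWK_KEY, nonce, l2_hdr + inner)):
            raise ValueError("layer 2 MIC check failed: frame is not from this network")
        self.l2_seen[src] = ctr
        return inner

    def forward(self, frame: bytes) -> bytes:
        """Intermediate hop: verify the incoming MIC, then re-protect under its own counter."""
        return self.l2_protect(self.l2_verify(frame))


def multi_hop_demo() -> bytes:
    """Sensor -> relay -> gateway over two wireless hops; returns the delivered payload."""
    sensor = Node(bytes.fromhex("0011223344556601"))   # constructed addresses
    relay = Node(bytes.fromhex("0011223344556602"))
    gw = Node(bytes.fromhex("0011223344556603"))
    hop1 = sensor.l2_protect(sensor.l3_protect(gw.addr, b"temp=21.5C"))
    hop2 = relay.forward(hop1)           # the relay never touches the end-to-end MIC
    return gw.l3_verify(gw.l2_verify(hop2))
```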

C. Access Control

A sensor/actuator node distinguishes three "hard coded" permissions:

- Security manager: The security manager may establish and update keys.
- Network manager: The network manager, as a distinguished node, may update network configuration data (e.g., routing, scheduling).
- Data communication: Sensor data is sent towards a gateway or another node as long as a valid end-to-end key is available.

Thereby, the security manager can control which nodes exchange data by providing end-to-end keys (or not). The policy defining which nodes may join the network and which node-node security associations are established is managed and enforced by the security manager. The security manager enables a centralized security management.

D. Secure Wake-Up

A low duty cycle is crucial for ensuring a long lifetime of battery-powered sensor nodes. A sleep deprivation attack [6,7] prevents the sensor node from going to the power-saving sleep mode. Traditional security mechanisms like a message authentication code or frame encryption do not prevent sleep deprivation attacks: the node is powered up and energy is spent for processing the received message. The attack is noticed only when battery power has already been spent.

Figure 5. Secure Wake-Up Radio (block diagram not reproduced; sensor node components: I/O, CPU, Flash, RAM, wake-up radio, main radio)

A secure wake-up scheme has been designed that prevents battery draining by waking up sleeping nodes. A low-power wake-up receiver verifies a "wake-up password" before the sleeping node is powered up. The wake-up password is configured before the node goes to sleep. As the wake-up password is used only once and is specific for each node, it can be sent in clear. The wake-up password can be established in several ways:

- Before going to sleep mode, a node generates a wake-up password and sends it to candidate wake-up nodes using the WSAN secure communication.
- The wake-up password may be generated and provided by the security manager using the WSAN secure communication.
- The wake-up password may be derived from available keys (link key or network key) using a key derivation function.

Further information on the secure wake-up scheme is provided in [2].

E. Security Bootstrapping

A major issue for industrial usage is an easy, uncomplicated set-up of the wireless sensor network. The following security configuration parameters are established during the initial set-up phase (see Figure 6): Besides the join key, a join counter and the network name of the network to join are configured on a sensor node. The security manager needs to be configured with the node's join key. It also maintains the current value of a node's join counter to be able to detect replay attacks. The security manager maintains as additional configuration the network-wide security policy (which security features shall be used: only the NWK key, key update schedule, end-to-end keys between sensor nodes that may be provided when requested by sensor nodes or that are provided proactively, enabling provisioning of wake-up keys and the network-wide nonce contribution value).

Figure 6. Parameters Configured during Initial Security Configuration (figure not reproduced)

Which bootstrapping method is most appropriate depends to a high degree on the specifics of the application domain. Therefore different methods have to be supported. Several options have been defined that can be selected from when designing a specific product:

- Preconfiguration of the keys during manufacturing of the nodes (during hardware manufacturing when the firmware is programmed, or possibly later during application-specific programming).
- Out-of-band communication: Using a separate interface for establishing the configuration (serial/USB, near-field communication wireless).
- In-band during a weak-security set-up phase: The join key assignment is possible only during a restricted time period, the set-up phase. Further physical protection measures may be applied, such as using reduced transmit power, monitoring the radio channel, or using a directional antenna.
- Physical protection of messages: The bootstrapping can be performed in a shielded environment (metal box), in which the radio communication is shielded from the surrounding environment.
- Token based: A hardware token such as a chip card, memory stick or USB token may be used to provide configuration information.

F. Secure Cooperative MIMO Communication

Radio transmission with multiple antennas is designated as multiple-input-multiple-output (MIMO). In cooperative MIMO, the antennas of separate nodes are combined to form an antenna array. The transmitter provides the frame to be sent to the nodes forming the transmitter array. The information received by several nodes forming the receiver array is provided to the receiver that performs the frame decoding.

Figure 7. Cooperative MIMO Transmission (figure not reproduced)

In cooperative MIMO communication, the sending node TX may provide the frame to be sent to a transmitter array that sends out the information, see Figure 7. The receiver array nodes provide the obtained information to the receiving node RX. In this setup, the security issue arises that the cooperating support nodes of the two arrays do not necessarily have access to the key material needed to verify a received frame, and by intention they operate on frames that may still contain transmission errors. Therefore the nodes have to operate on frames that cannot be verified using standard cryptographic means such as the layer 2 MIC. The basic scheme is based on authorization tokens: for security, an additional security checksum in the form of a simple "authentication token" is sent in MISO (multiple input, single output) fashion. The token is independent of the sent data contents. The purpose of the authentication token is to provide a piece of information that allows determining those frames that shall be processed by the receiver array nodes. Only frames including a valid authorization token are processed and forwarded. For the token, a powerful error correction coding may be applied to ensure that the token is received correctly.

IV. IMPLEMENTATION

A demonstrator is realized as part of the ZESAN project that also realizes the security functionality. The demonstrator is built using nodes running the TinyOS 2.0 operating system. The security parts have already been realized partially, showing that the design is feasible, but detailed performance figures are not yet available. The implementation makes use of the AES hardware encryption engine of the used chip, Chipcon CC2240, for the hop-to-hop and end-to-end protection. The authentication and key agreement is realized in software. Several misuse cases have been defined to demonstrate the realized security features:

- An attacking node sends falsified data in the sensor network. With the security features completely disabled, it can easily be seen that wrong measurements are shown. (The security features are disabled only for demonstration purposes; the design would in reality not allow disabling the mandatory basic security protection.)
- Show the possibility to intercept exchanged data when transmitted in clear, but not when being encrypted.
- The bootstrapping case shows how the required security parameters can be configured easily on a new sensor node. For bootstrapping, the node has to be connected to the security manager. This can be done directly, or indirectly using a simple portable management device (PDA) to inject the key material. In both cases, the user interaction is limited to establishing a connection and pressing a key.

Furthermore, it is under consideration to set up a demonstration of the protected wake-up scheme. Without it, an attacker can wake up a sleeping node, while this would not be possible when the protected wake-up scheme is utilized.
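The protected wake-up demonstration mentioned above, sketched as an added example that is not the demonstrator's code: the wake-up password is derived from the link key with a key derivation function (the third option of Section III.D), armed in the low-power wake-up receiver before the node sleeps, and discarded after a single use, so that a replay of the clear-text password or a guessed value never powers up the main CPU. HMAC-SHA256 as the KDF, the per-sleep-period epoch input, the password length and the key and address values are assumptions.

```python
import hashlib
import hmac
import secrets

LINK_KEY = bytes(range(16))  # constructed demo link key shared with the authorized wake-up peer
PW_LEN = 8                   # wake-up password length in bytes (assumed)


def derive_wakeup_password(key: bytes, node_addr: bytes, epoch: int) -> bytes:
    """Wake-up password derived from an available key (Section III.D, third option).
    HMAC-SHA256 is assumed as the KDF; the epoch changes per sleep period so each
    password is used exactly once."""
    label = b"ZESAN-wakeup" + node_addr + epoch.to_bytes(4, "big")
    return hmac.new(key, label, hashlib.sha256).digest()[:PW_LEN]


class WakeUpReceiver:
    """Low-power wake-up radio front end (Figure 5): compares a received password
    with the single armed value and only then powers up the main CPU and radio."""

    def __init__(self):
        self.expected = None
        self.main_cpu_powerups = 0  # counts the energy-expensive wake-ups

    def arm(self, password: bytes) -> None:
        """Called by the node just before it enters sleep mode."""
        self.expected = password

    def receive(self, candidate: bytes) -> bool:
        """Returns True only if the node was woken. The armed password is discarded
        after use, so re-sending the clear-text password cannot wake the node again."""
        if self.expected is None or not hmac.compare_digest(candidate, self.expected):
            return False  # main CPU stays asleep: no energy spent on the message
        self.expected = None
        self.main_cpu_powerups += 1
        return True


def sleep_cycle_demo():
    """One sleep period: derive and arm, legitimate wake-up, then a replay and a guess."""
    node_addr = bytes.fromhex("0011223344556601")  # constructed long address
    epoch = 7                                      # constructed sleep-period counter
    rx = WakeUpReceiver()
    rx.arm(derive_wakeup_password(LINK_KEY, node_addr, epoch))
    # the authorized peer holds the same link key and derives the same value
    woke = rx.receive(derive_wakeup_password(LINK_KEY, node_addr, epoch))
    replayed = rx.receive(derive_wakeup_password(LINK_KEY, node_addr, epoch))
    guessed = rx.receive(secrets.token_bytes(PW_LEN))
    return woke, replayed, guessed, rx.main_cpu_powerups
```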

V. RELATED WORK

The IEEE 802.15.4 standard defines several options for protecting a frame on a single wireless link. It is used for the hop-to-hop protection. The Wireless HART standard defines a multi-hop sensor/actuator network for process automation. Its security has influenced the ZESAN security design, which adds support for multiple gateways, secure node-to-node communication, secure wake-up and MIMO. Also, the frame encryption does not assume a synchronized clock for constructing the IV values. Compared to ZigBee, the ZESAN security design provides a clearer design with a significantly reduced number of options and a clear separation of layer 2 and layer 3 keys. However, the basic ZESAN design could also be mapped roughly to a similar ZigBee profile. Academic work on sensor networks often investigates different scenarios in which security is not managed centrally by a security manager. In particular, various probabilistic key pre-distribution schemes have been investigated [4].

VI. SUMMARY AND OUTLOOK

A security design for industrial wireless multi-hop sensor/actuator networks has been described that uses a security manager to establish the session keys needed for protecting the communication both hop-to-hop and end-to-end. Further specific, technologically new features of the security architecture concern the bootstrapping, secure wake-up, efficient construction of the cryptographic nonce, and cooperative MIMO. Future work could address a more fine-granular, configurable access control, providing access control information as part of the key material issued by the security manager. Asymmetric node authentication may be realized instead of the secret-key based join key. Such an extension is straightforward, as only the join procedure has to be modified. While ongoing communication is not affected if the security manager is unavailable, establishment of new connections with previously unknown nodes fails because the required keys cannot be assigned without the security manager. Further work may explore the possibility of a "failure mode" in which available key material is used autonomously by the nodes when no security manager is available. The simplest case would be to rely on network key hop-by-hop encryption alone as long as no end-to-end key can be established, while requesting an end-to-end key if the security manager is available. This functionality may be realized by gateways or dedicated sensor/actuator nodes. With the increasing use of IP-based protocols also in sensor/actuator networks, as addressed by the IETF working group 6LoWPAN [5], standard protocols such as IPsec or TLS/DTLS may also be used, in particular for end-to-end encryption. Also the join procedure could use common protocols, in particular an EAP-based network access authentication as known from WLAN, WiMAX, or PANA. The established MSK key would then be used by the security manager as the basis to configure further session keys, similar to 802.11-based mesh networks. So the architecture of sensor/actuator networks would become more similar to common IP-based networks, being mapped to a power-efficient link layer technology. The specific mechanisms have to be simplified to be suitable for sensor/actuator nodes with limited resources.

ACKNOWLEDGMENT

This work has been performed as part of the ZESAN project, partly funded by the Federal Ministry of Education and Research under funding number 01BN0712A. The paper represents the opinion of the authors. The authors would like to acknowledge the contributions of their colleagues participating in the ZESAN project.

REFERENCES

[1] R. Falk, H.-J. Hof, U. Meyer, C. Niedermeyer, R. Sollacher, and N. Vicari, "From Academia to the Field: Wireless Sensor Networks for Industrial Use," 7. GI/ITG KuVS Fachgespräch Drahtlose Sensornetze, Berlin, 25-26 Sep. 2008.
[2] R. Falk and H.-J. Hof, "Fighting Insomnia: A Secure Wake-up Scheme for Wireless Sensor Networks," Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2009), Athens/Glyfada, Greece, 18-23 June 2009.
[3] S. Cui, A. J. Goldsmith, and A. Bahai, "Energy-Efficiency of MIMO and Cooperative MIMO Techniques in Sensor Networks," IEEE Journal on Selected Areas in Communications 22(6): 1089-1098, 2004.
[4] H. Chan, V. Gligor, A. Perrig, and G. Muralidharan, "On the Distribution and Revocation of Cryptographic Keys in Sensor Networks," IEEE Transactions on Secure and Dependable Computing 2(3): 233-247, 2005.
[5] IETF working group IPv6 over Low power WPAN (6lowpan), http://datatracker.ietf.org/wg/6lowpan/charter/ (accessed 16 Apr 2010).
[6] T. Martin, M. Hsiao, D. Ha, and J. Krishnaswami, "Denial-of-Service Attacks on Battery-powered Mobile Computers," Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04), pp. 309-318, IEEE, 2004.
[7] F. Stajano, Security for Ubiquitous Computing, John Wiley and Sons, New York, 2002.