Steffen Peter, Oliver Stecklina, Peter Langendörfer


Page 1: An Engineering Approach for Secure and Safe Wireless Sensor and Actuator Networks for Industrial Automation Systems

IHP, Im Technologiepark 25, 15236 Frankfurt (Oder), Germany, www.ihp-microelectronics.com, © 2009 - All rights reserved

Steffen Peter, Oliver Stecklina, Peter Langendörfer

Page 2: Outline

• Motivation

• Introduction development flow

• System analysis

• Mapping process

• Conclusions

Page 3: Realflex project (2008-2010)

Wireless architecture for industrial automation, with three application scenarios: water works, biogas facility, robot cell

Requirements raised by the scenarios:

• large distance, public networks
• small latency, dependability
• standards, existing architecture

Page 4: Waterworks scenario

Page 5: Today's way of handling security

• Shield the network and define that it is secure
  – not realistic in wireless networks
• Enable a "sort of miracle" security layer
  – mostly not the right solution
• Patch security where a hole is assumed
  – often not efficient
  – all threats considered?
• Proper design of security solutions
  – expensive and time-consuming

Page 6: Proposed development flow

Page 7: System Analysis

• Break it down
  – Find atomic flows of information
  – Data flow graph with dependencies
• Analyze each processing step separately
  – What are the requirements for this step?
  – Ignore dependencies at this stage
• Resolve dependencies
  – Requirements resolve over the data flow

Page 8: Example

• Control pumps based on measured flow and pressure values
• Uplink
  – Sensors in the field → PLC
  – Wireless connection to the Ethernet access point
• Downlink
  – PLC → pumps
  – Wireless connection to the Ethernet access point
  – High integrity requirement

[Figure: uplink sensor → AP → PLC; downlink PLC → AP → pump]

Page 9: Security properties

• Concealment / Secrecy
• Integrity
• Availability
• Authentication
• Authorization
• Accountability
• Non-Repudiation

These seven properties form the security requirements vector.

Page 10: Security Metric

Security class | Attacker                                     | Attacker tools                       | Budget
0              | no security                                  | attack can succeed "by accident"     | -
1              | curious hacker                               | common tools                         | < $10,000
2              | organized attacker (academic, crime)         | special tools                        | < $100,000
3              | large organized attacker (crime, government) | highly specialized tools, laboratory | > $100,000

An algorithm belongs to class c if it resists all attacks from attacker groups smaller than c.

Requirement vector = <(0…3)^7>: one class from 0 to 3 for each of the seven security properties.

Page 11: Proposed development flow

Page 12: Mapping Process

Page 13: What to do if the drawer is empty?

• Find a solution from scratch
  – State of the art
  – Good solution
  – Not efficient
• Look in the neighborhood
  – Find close solutions
  – Analyze & solve the differences
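The requirement vector of Page 10 and the mapping step of Pages 12 and 13 (take a direct hit if the catalog has one, otherwise look in the neighborhood and list the differences still to be solved), written out as a small Go program. This is an added example, not code from the slides or from the Realflex project. The environment and energy attributes of a catalog entry are an assumption about what the catalog would record; any catalog entries, class figures and energy numbers used with it are constructed placeholders, and only the 400 mJ/operation budget comes from the waterworks figures on Page 14.

```go
package main

import (
	"fmt"
	"sort"
)

// The seven security properties of Page 9, in requirement-vector order.
var properties = [7]string{"concealment", "integrity", "availability",
	"authentication", "authorization", "accountability", "non-repudiation"}

// ReqVector is the Page 10 requirement vector: one security class 0..3 per property.
type ReqVector [7]uint8

// Valid rejects entries outside the four classes of the metric.
func (r ReqVector) Valid() bool {
	for _, c := range r {
		if c > 3 {
			return false
		}
	}
	return true
}

// Candidate is a catalog entry: the classes it reaches plus the attributes that the
// environment and dependability requirements are tested against (assumed layout).
type Candidate struct {
	Name     string
	Reaches  ReqVector
	Env      string  // environment it needs: "any", "protected wired", ...
	EnergyMJ float64 // energy per operation in mJ
}

// Context is what the application brings to the mapping besides the vector.
type Context struct {
	Req      ReqVector
	Env      string  // e.g. "open field wireless"
	BudgetMJ float64 // energy per operation the node can afford
}

// Gaps lists every way c falls short of ctx; an empty list is a direct solution.
func Gaps(ctx Context, c Candidate) []string {
	var gaps []string
	for i, need := range ctx.Req {
		if c.Reaches[i] < need {
			gaps = append(gaps, fmt.Sprintf("%s: class %d < %d", properties[i], c.Reaches[i], need))
		}
	}
	if c.Env != "any" && c.Env != ctx.Env {
		gaps = append(gaps, fmt.Sprintf("environment: needs %q, have %q", c.Env, ctx.Env))
	}
	if c.EnergyMJ > ctx.BudgetMJ {
		gaps = append(gaps, fmt.Sprintf("energy: %.0f mJ > budget %.0f mJ", c.EnergyMJ, ctx.BudgetMJ))
	}
	return gaps
}

// Match is a catalog entry together with the differences still to be solved.
type Match struct {
	Candidate
	Gaps []string
}

// Map ranks the catalog: direct solutions (no gaps) first, then the neighborhood
// ordered by how many differences an engineer would have to analyze and solve.
func Map(ctx Context, catalog []Candidate) []Match {
	ranked := make([]Match, 0, len(catalog))
	for _, c := range catalog {
		ranked = append(ranked, Match{Candidate: c, Gaps: Gaps(ctx, c)})
	}
	sort.SliceStable(ranked, func(i, j int) bool { return len(ranked[i].Gaps) < len(ranked[j].Gaps) })
	return ranked
}
```

With a context of integrity class 3, environment "open field wireless" and a 400 mJ budget, `Map` returns the catalog ordered by gap count. The waterworks walk-through on Pages 14 to 16 is this loop done by hand: a wired solution fails only on environment, a bare CRC only on the integrity class, and per-message AES-OFB only on the energy budget, which is why the differences, not the whole solution, are what gets analyzed next.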

Page 14: Waterworks Example

• Security: strong integrity
• Environment: open field, short-range wireless (802.15.4); one message every 30 seconds
• Dependability:
  – node lifetime min. one month → 400 mJ/operation
  – information integrity > 99.9999%, i.e. at most 1 undetected error in 1 million

Page 15: Waterworks Example (2)

• Assume no direct solution is found
• Neighborhood: wired environment
  – Security requirements fulfilled by the protected environment
  – Information integrity realized with a CRC
• We have no protected environment, but the CRC is fine
  → adapt dependencies (information integrity solved)
• How to realize a protected environment?
  – Mapping tells us AES OFB is a solution (message integrity due to pair-wise shared keys)
  – Test against other requirements: energy consumption too high

Page 16: Waterworks Example (3)

• Problem: message overhead
  – 16-bit message + 20-bit CRC, encrypted with 128-bit AES
• Solution: use one AES keystream block (one block encryption) for 3 messages
  – 40-bit ciphertext per message (3 × 40 = 120 of the 128 keystream bits)
  – Still the security of 128-bit AES OFB, as long as no IV is ever reused under the same key
  – Information integrity as in the wired environment
  – Dependability requirements fulfilled

Caveat: a CRC is linear, so under a stream-cipher mode such as OFB it gives error detection but not cryptographic integrity. An attacker who knows or guesses a plaintext value can flip message bits and patch the encrypted CRC to match without knowing the key. Against a deliberate attacker the 20-bit check should be a keyed MAC (802.15.4 itself provides AES-CCM* with a truncated MIC); a 20-bit tag gives the same 1-in-a-million undetected-error bound against random errors.

Page 17: Conclusions

• Suitable security and safety need consideration of
  – Environment
  – Dependability requirements
  – Security requirements
  → huge complexity, expensive development flow
• The proposed semi-formal engineering methodology is a first answer
  – Requirements and potential solutions are cataloged as the result of a formal analysis process
  – Allows reproducible problems and reusability of answers
  – Mapping process as an efficient way to integrate applications
• Fuzzy requirements (environment) are still the biggest challenge for a fully automatic integration process

Page 18: Thank You

Questions?

[email protected]