CASE STUDY
Pakscan Wireless Security
CASE STUDY NOTES
Introduction
The P3 wireless system is a type of
Wireless Local Area Network (WLAN)
based on the IEEE802.15.4 specification
(WiFi is based on 802.11). Wireless is
in effect a broadcast system, unlike
wired networks where the path of
communication is restricted between
devices by the physical cable, inherently
protecting communications. This means
that someone with a wireless transceiver
set to the correct frequency could listen in.
Of course the low power nature of most
WLANs means that is hard to “eavesdrop”
from more than a couple of hundred
meters away. In an industrial application,
depending upon the installation, it is
possible that the signals would not be
detectable from outside the site perimeter.
But we must accept the fact that it
may be possible for someone to be
able to pick up the Rotork P3 wireless
messages with a transceiver set to the
correct frequency. Whilst it may be
possible to pick up the feedback data
being transmitted, this is of negligible
security risk as there is very little that
can be done with status information. The
area of concern would be if someone
were able to send messages to command
or operate a device on the network.
So, how could someone infiltrate the
network to control a device on the
Wireless P3 system? To start with they
would have to know some basic details
about the network; the channel on which
communications are occurring (there are
16 to chose from), the Personal Area
Network Identification number (PAN
ID, a 16bit number), a device address
and they would also need to understand
the Rotork P3 wireless protocol. This is
a non-published proprietary protocol.
BUT... that’s not the end of it; because
we recognise the risk presented by a
persistent hacker who wishes to disrupt
plant operations, we have employed
extra security measures to protect
devices from unsolicited commands.
Security overview
There is a two-fold approach to protecting
command messages. The first is
AES128-bit encoding (Advanced
Encryption Standard) and following
this, an anti-spoofing algorithm is
applied. The AES prevents analysis of
the command, even if the attacker had
knowledge of the Rotork propriety
protocol used for control. The anti-
spoofing prevents replay attacks
originating from a node on the P3
wireless network. Anti-spoofing is also
applied during network join to prevent
non-authorised actuators being placed
on the network and intercepting
command messages from their
intended recipient.
These methods are utilising strong
encryption. What is encryption?
Encryption is the process of changing
data into a form that can be understood
only by the intended receiver. To decipher
the message, the receiver of the
encrypted data must have the proper
decryption key. The sender and the
receiver use the same key to encrypt
and decrypt data.
This security infrastructure is designed
to secure the join process and the
sending of commands while
The P3 system uses multiple security
measures to protect from both malicious
and accidental interference.
• P3 wireless is inherently secure due
the low power radio signals
• All command messages are encrypted
using AES128
• A secure method of joining the
network is employed
• Anti-spoofing ensures messages can
not be replayed (recorded then
played back at a later time)
providing minimal impact during
operation and commissioning.
AES - Advanced
Encryption Standard
Advanced Encryption Standard is an
algorithm recognised as being strong
enough to protect national security
with approval of the standard (FIPS
197) in 2001. Since then it has been
widely used and is the defacto standard
for encryption. Rotork are specifically
using AES128 - the 128 refers to the
128 bit key length. This key operates
on a 16 byte datablock. It is necessary
for commands to be padded out to be
the full 16 bytes in length. The padding
bytes provide an additional level of security
as they are checked for correctness
when the command is deciphered.
Command messages are encoded by
passing them through the encryption
algorithm based on the key, before
transmission and at the receiving end
the messages are decoded by the
same algorithm. The algorithm starts
with the key-expansion, where a number
of round keys are established that are
used later in the algorithm. The data is
arranged in a 2 dimensional block of
size 4*4 bytes.
There are a series of 10 rounds, and
within each round the following steps
are taken:
• Subbytes - a non linear byte
substitution of each byte in the
data block.
• Shift Rows - within a row the data
is cyclically shifted depending upon
the row number.
• MixColumns - the data in each
column is transformed through
multiplication with a fixed polynomial.
This provides diffusion - each input
byte affects all 4 of the output bytes.
• Add RoundKey - this XORS the data
block with the round key derived earlier.
All systems are sent out with the same
AES key in the FCUs and the co-ordinator.
This can (and should) be changed to
secure the site. The key can be modified
in the master station (assuming the user
has the correct access rights) using the
HMI or web pages and in individual
actuators using the IR interface.
Additionally, a new key can be distributed
throughout the system over the network.
For this distribution the new key is
secured by using a Key Transport
key that is hard-coded into the
system software.
Anti-spoofing
Although the command data is protected
by AES, it does not prevent replay
attacks from other nodes on the network.
In theory a hacker could join a node to
the network and replay a message
with the same payload as a command
message and with all the message header
information correct. In the Rotork P3
Wireless systems anti-spoofing is the
name given to the encryption algorithm
applied during network joining to prevent
non-authorised actuators being placed
on the network and during run time to
prevent command message replay.
It is an encryption method designed in
house, but is a similar scheme to message
authentication code and Nonce
(Number Used Once) alogrithms.
Join protection
For a device to join the network it must
first obtain a counter from the Trust
UK
Centre (the co-ordinator device) and
then use this counter combined with
the anti-spoofing encryption to provide
a successful registration request, and
upon passing this authentication the
P3 master station will add the device
to its list of Actuators.
Replay protection
To prevent replay we add additional
databytes onto the transmission payload,
that contain an encrypted counter. The
additional bytes are formed by the anti-
spoofing encryption that takes a system-
wide counter as input. The encryption
used is proprietary and like AES involves
padding, substitution and rotations.
The routers will request the system time
on a periodic basis such that any potential
drift in the coordinator clock and the
router clock will not push the time
tolerance outside an acceptable window.
On reception of a message the router
will examine a particular byte to ascertain
if it is a command. Messages which are
not classified as commands are simply
passed onto the actuator. Commands
will need to have the additional bytes that
have been added to payload deciphered.
The deciphered bytes provide a time
counter and if this time matches the
time kept by the router itself, within a
certain tolerance, the command is
passed on to the actuator.
Common Attacks
Imposter Node
An Imposter node attack is where an
attacker places a node on the network
that masquerades as a real actuator,
diverting commands to itself rather
than to the real actuator. The Rotork
P3 wireless system provides several
counter measures to this:
• The imposter could not guarantee
diversion since it would need to
control the routing tables of all
devices on the network.
• Should the imposter node successfully
join the network (which is an
unlikely event given the security
measures employed) then it will
also need to provide authenticated
and encrypted acknowledgments
USA
to commands. This would require
knowledge of the AES key and
anti-spoofing encryption algorithm.
If this acknowledgment to a
command is not received, the master
station will flag an error.
• The imposter would need to conform
to the P3 Wireless proprietary protocol
to prevent an error being reported.
Replay
The ‘record and replay’ attack is prevented
by the same method that prevents
spoofing. A command or registration
message must be ‘fresh’ (not have
timed out) to be passed on to the target
by the router/ coordinator or acted
upon by an actuator.
Eavesdropping
The message protocol used is a proprietary
one and therefore is not in the public
domain. Whilst an eavesdropper
might be able to gain knowledge to
understand Rotork messaging protocol
and successfully decode messages that
are not commands, this is deemed to
have no practical use to an attacker.
Denial of Service
The most straightforward method of
creating a Denial of Service (DoS) is to
impose so much noise on the channel
that devices cannot communicate; this
is equivalent to ‘cutting the wire’ on a
fully wired system. The use of DSSS
(Direct Sequence Spread Spectrum),
where the message is spread over a
small band of frequencies, can help
with DoS attacks that are focussed on
one spot frequency. Site security
should be employed to control access
to the site and therefore prevent
equipment capable of a DoS attack
being placed within the site. If this did
occur, the operator will soon be alerted
to the problem since the P3 Master
Station will flag a ‘Communications
Bad’ alarm for all actuators, making it
clear there is a problem. A correctly
installed wireless network would not
allow new devices to join and
therefore a DoS attack based upon
bombarding the master station with
data would not be possible.
CS04/11/10