Wireless Sensor Systems Security Imp.

Wireless Sensor Systems:
Security Implications for the

Industrial Environment
Dr. Peter L. Fuhr
Chief Scientist
RAE Systems, Sunnyvale, CA

pfuhr@raesystems.com
ISA Wireless Security, P. Fuhr
2
RAE Systems Inc.
Pervasive Sensing Company
based in Silicon Valley founded
in 1991

Capabilities
Radiation detection
Gamma and neutron
Chemical/vapor detection
Toxic gas, VOC, combustible
gas, oxygen, CWA,
temperature, humidity, C0
2
Redeployable sensor networks
Mobile and fixed wireless
monitors
Cargo Container Sensor
Systems
Dr. Peter Fuhr, Presenter: 480+ publications&presentations in wireless sensor
networking arena. Old-timer in this areaetc etc.
3
Contributors
A number of individuals have provided content for these slides. They
include:
Wayne Manges, Oak Ridge National Laboratory
Robert Poor, Ember
Pat Gonia, Honeywell
Hesh Kagan, Foxboro/Invensys
Kang Lee, NIST
Tom Kevan, Advanstar
Ramesh Shankar, Electric Power Research Institute
Larry Hill, Larry Hill Consulting
Rob Conant, Dust
Rick Kriss, Xsilogy
Gideon Varga, Dept of Energy
Jack Eisenhauser, Energetics
Michael Brambley, Pacific Northwest National Labs
David Wagner, UC-Berkeley

Undoubtedly, there are other contributors too (apologies if
your name is not listed).

4
Wireless Sensor Networking
its not cellular telephony
its not just WiFi...(and it just may be the next big thing)

Each dot represents one cell phone tower.
Wireless devices circa 1930
5
Sensor Market: $11B in 2001
Installation (wiring) costs: >$100B
Freedonia Group report on Sensors, April 2002
Fragmented market
platform
opportunity

Installation cost limits
penetration
reducing
installation cost
increases market size

Slide courtesy of Rob Conant, Dust
Highly Fragmented
Sensor Market
6
Industrial Market Sizing
Sensor Networking Products
North American Market for Wireless products used in
Applications where transmission distances are 1 mile or
less:
2002 Total: $107 million
2006 Forecast: $713 million
2010 Estimates: $ 2.1 billion

Largest Application areas:
2002: Tank Level Monitoring, Asset Tracking, Preventative
Maintenance
2006: Tank Level Monitoring, Preventative Maintenance,
Environmental Monitoring

Conclusions:
Rapid Growth in Industrial markets
Tank Level Monitoring will remain a significant opportunity
Key User Needs:
Lower Costs over Wired (or Manual) Solutions
Education of Potential Customers on the Technology
Demonstration of Operational Reliability & Application Domain
Knowledge
Slide courtesy of Rick Kriss, Xsilogy
7

The True cost per monitored node to the
End User
3-Yr
TOC $$$
Radio RF Range (dB)
Lower
Higher
Installation
Costs
Higher
Lower
DENSE
Bluetooth,
802.15.4, WiFi etc
SPARSE
1xRTT, FLEX
SAT, etc
Meters Miles
$$$$$
$
Design For Here
Slide courtesy of Rick Kriss, Xsilogy
8
What to do with the data?
Great! But how do you get the output signal from the sensor to the location
where the information will be interpreted (used)?

Sensor Modifier
Output
Transducer
Power
Supply
Parameter
of Interest
Measurement System
Output Signal
Chemical
Electrical
Mechanical
Thermal
Radiation
Optical
Magnetic
Chemical
Electrical
Mechanical
Thermal
Radiation
Optical
Magnetic
Traditionally the output of the sensor was hardwired to some form of
interpretive device (e.g., PLC) perhaps relying on a 4-20mA signal
9
Outline:

1. Security? Who needs it?
2. How is security achieved in a wired channel?
3. The Situation for Wireless (its RF in an industrial setting.
Spectrum, modulation, encryption, spatial)
4. Security within various Wireless Delivery Schemes
(cellular, WiFi, 802.15.4, Bluetooth, others)
5. An Integrated Solution
6. The Big Review
10
Oh, who needs security in a
wireless channel anyway!
(pretty ridiculous statement isnt it!
11
Lets ask some experts:
WINA meeting, Coral Gables, Sept. 2003
www.wireless4industrial.org
12
Whats a WINA?
In the spring of 2003, the Wireless Industrial Networking
Alliance (WINA) was formed to promote the adoption of
wireless networking technologies and practices that will help
increase industrial productivity and efficiency.

WINA will be holding a 1.5 day meeting at ISA-HQ in RTP, NC on Feb 11/12
right after the ISA Wireless Security Expo and conference. Check out
www.wireless4industrial.org for WINA meeting details AND
www.isa.org/wireless for the ISA Wireless Security conf details!

13
Back to the Question:

Who needs security in a wireless
channel anyway!
14
Strategy Workshop Participants
Suppliers (13)
System integrators (6)
Industrial end users (10)
Chemicals
Petroleum
Automotive
Industry analysts/venture capitalists (3)
Others (associations, government, media,
researchers)
Energy/Utilities
Forest Products
Electronics
15
End-User View of Industrial Wireless
Likes
Mobility
Compactness
Flexibility
Low cost
Capability to monitor
rotating equipment
Short range (security)
Ease of installation
High reliability
Impetus to enhance
electronics support

Dislikes
Change to status quo
Complexity
High cost for coverage in large
plants
Security issues
Portability issues (power)
Unproven reliability
Too risky for process control
Lack of experience in
troubleshooting (staff)
Restricted infrastructure
flexibility once implemented
Lack of analysis tools
16
Technology Group: Key Issues
Security
Jamming, hacking, and eavesdropping
Power
Value (clear to customer)
Interoperability
Co-existence with other facility networks, sensors,
collectors, technology
True engineered solution (sensors, collectors, etc.)
Assured performance & reliability/MTBA*
Software infrastructure, data, & systems management
Robustness (at least as good as wired)
RF characterization (radios, receivers, environments)
*mean time between attention
17
Technology Group: Criticality Varies
by Application (5 = most critical)

Attributes

Monitor

Control

Alarm

Shutdown
Biz
WLAN
Latency 2-3 3-5 5 5 1
Device Reliability 2-3 3-5 5 5 1
Raw Thru-put
(node / aggr.)
2 / 5 2.5 /2.5 1 / 4 1 / 1 1/5
Scalability
(Max.# nodes)
5 4 4 1 2-3
Data Reliability 1 5 5 5 2
Security 1-5 5 5 5 5
Low Cost 5 2 1-3 1 2-3
Gateway Technology 5 1 3-4 1 1
Engineered Solution 1 5 4 5 3
Applications
18
Industrial CyberSecurity
The Case of Vitek Boden

19
On October 31, 2001 Vitek Boden was convicted of:
26 counts of willfully using a restricted computer to
cause damage
1 count of causing serious environment harm
The facts of the case:
Vitek worked for the contractor involved in the
installation of Maroochy Shire sewage treatment
plant.
Vitek left the contractor in December 1999 and
approached the shire for employment. He was
refused.
Between Jan 2000 and Apr 2000 the sewage
system experienced 47 unexplainable faults,
causing millions of liters of sewage to be spilled.
20
How did he do it?
On April 23, 2000 Vitek was arrested with
stolen radio equipment, controller
programming software on a laptop and a fully
operational controller.
Vitek is now in jail
Disgruntled
Contractor
PLC PLC
Sewage Plant
Rogue Radio
21
A Favorite 2.4 GHz Antenna
22
WarDriving 802.11 HotSpots in
Silicon Valley
23
WarDriving 802.11 HotSpots in
San Francisco
24
The Question:
Who needs security in a wireless channel
anyway!
The Answer:

We do. SoHow do you provide the
appropriate level of security within the
acceptable price and inconvenience margin
-> Risk Management!
25
Inside vs. Outside?
Where do attacks come from?
0
10
20
30
40
50
60
70
80
90
Foreign Gov. Foreign
Corp.
Hackers U.S.
Competitors
Disgruntled
Employees
2002
2001
2000
1999
1998
*Source: 2002 CSI/FBI Computer Crime and Security Survey Computer Security
Institute - www.gocsi.com/losses.
%

o
f

R
e
s
p
o
n
d
e
n
t
s

26
An Outside Example.
When? April 2001
27
In the Spring of 2001, the US got its first a
taste of a new form of warfare.
Launched from overseas and targeted at
US critical infrastructure.
Hacker War I
28
Chinese Hacker Group working to advance
and in some cases impose its political agenda
During the spring of 2001, Honker Union
worked with other groups such as the Chinese
Red Guest Network Security Technology
Alliance
Honker Union
Hackers were encouraged to "...make use of
their skills for China..." Wired.com
Denial of Service Attacks
Website Defacement
E-mailing viruses to US Government Employees
KillUSA package
Attack Methods:
29
Cyberwar
Cyber attacks and web defacements
increased dramatically after the start of the
war against Iraq.
More than 1,000 sites were hacked in the
first 48 hours of the conflict, with many of
the attacks containing anti-war slogans.
Security consultants state that the war
against Iraq made March the worst month
for digital attacks since records began in
1995.
30
North Korea's Mirim College, is a
military academy specializing in
electronic warfare
100 potential cybersoldiers graduate
every year
Hacker School
31
The Question:
Who needs security in a wireless channel
anyway?
The Answer:

Everyone.
32
Outline:

6. The Big Review
33
Layered Communications
A few details
34
Wired Data Security - Encryption
The traditional method involved encrypting the data prior to
transmission over a potentially insecure channel. The level of
protection rests on the encryption algorithm. (There are a few
other factorssuch as the physical media.)
Slide courtesy of Wayne Manges, ORNL
35
Outline:

3. The Situation for Wireless
6. The Big Review
36
Wireless Buildings
Key to success: reduced installation costs
From many perspectives, THIS is what a wireless sensor network can provide.
Slide courtesy of Pat Gonia, Honeywell
37
E(t) = A(t) cos[wt + f(t)]
Modulation
Amplitude Modulation (AM)
info is in A(t)
Frequency Modulation (FM)
info is in w
Phase Modulation (PM)
info is in f(t)
Phase = 0
o
Phase = 180
o
Phase = 270
o
Phase = 360
o

(or back to 0
o
)
Different vendors use
different schemes - and they
are not interoperable.
38
The FCC Frequency Assignment
Different vendors may use
different frequencies within
the various ISM bands
(green in the diagram).
The ISM bands most commonly used are at 433, 915 and 2400 MHz.
39
Multiple Sensors Sharing the Medium:
Multiplexing. FDMA, TDMA and CDMA
40
Binary Signaling Formats
Used to Improve Digital
Signal Reception and
Decision
NRZ: Non-Return to Zero
RZ: Return to Zero
Unipolar: Only one side
of 0V
Bipolar: Both sides of 0V
Manchester: Bi-Phase
(0 in left 1/2 time slot,
1 in right)

41
Narrowband or Spread Spectrum?
Narrowband uses a fixed carrier frequency, F
0
.

The receiver then locks onto the carrier frequency, F
0
.

Easy to implement (inexpensive).
Prone to jamming or interference (two transmitters at the
same carrier frequency, F
0
.
Least secure modulation scheme.

42
Narrowband or Spread Spectrum (cont.) ?
Frequency Hopping Spread Spectrum. Uses
a carrier frequency that varies with time,
F
0
(t).

The receiver must track the time-varying carrier
frequency, F
0
(t).

Relatively easy to implement (inexpensive).
Prone to jamming or interference (two transmitters at the same carrier
frequency, F
0
) during any single transmit interval. Hopping rates
may be ~1600 hops/second (ala Bluetooth).
Very secure modulation scheme (used in military for decades).

Invented and patented by actress Heddy
Lamarr and her pianist George Antheil.

43
Direct Sequence Spread Spectrum uses a fixed carrier frequency, F
0

but interleaves the data with a precise mathematical 0/1 data
sequence. (This increases the length of the transmitted information
vector making it longer). The information is replicated many times
throughout the bandwidth, so if one lobe of the information is
jammed, the remainder gets through. Highly robust technique.

The receiver then locks onto the carrier frequency, F
0
receives the
signal and then must undo the interleaving.

More difficult to implement (more expensive).
Most complicated scheme (of these presented).
Most secure modulation scheme.

44
Data
PN Clock
Data
Data
Clock
Carrier
1
Local PN Clock
Local
Carrier
1
1
Frequency
Power
Spectral
Density
f
c
Frequency
Power
Spectral
Density
f
c
Frequency
Power
Spectral
Density
f
c
DIRECT-SEQUENCE SPREAD-SPECTRUM SIGNALS
Narrow spectrum at
output of modulator
before spreading
Spectrum has wider bandwidth
and lower power density after
spreading with PN sequence
(PN Rate >>Data Rate)
Original narrowband, high
power density spectrum is
restored if local PN sequence is
same as and lined up with
received PN sequence
RFI
Spread
RFI
Phase
Demod
Narrow
BP Filter
Wide
BP Filter
PN Sequence
Generator
PN Sequence
Generator
45
Which is
best?

Each has its pluses and minusesand each scheme has its share of die-
hard advocates and/or naysayers!
From a security standpoint, DSSS is best.

Different vendors use these
(and other) schemes at
different frequencies within
the various ISM bands.
46
Reality
DSSS
FHSS
47
No Matter WhatIts Just an
Electromagnetic Field
A(t): amplitude of the wave
w: radian frequency of the wave
f(t): phase of the wave
E(t) = A(t) cos[ t + (t)]
48
The RF Footprint
Network Size
Personal Area Network: typical radiated power: 0 dBm, size: 10m

Local Area Network: typical radiated power: 20 dBm, size: 100m

Wide Area Network: typical radiated power: >30 dBm, size: >2000m

49
Network Topologies?
Bus Network
Tree Network
Star Network
Ring Network
Ad Hoc Network
There are SO many technical questions: such as
50
The Real World Presents the
Wireless Channel with Multipath and
Attenuationand

51
Multipath
The Cause
The Effect
Real World:
52
Atmospheric Attenuation at 2.4 GHz
Real World:
Rayleigh Fading @ 2.4GHz
53
Signal Attenuation at 2.4 GHz
Real World:
54
And Signal-to-Noise Ratios really do
matter!
Real World:
Anecdotal Evidence: As Frankfurt has increased the
deployment of 2.4 GHz wireless surveillance cameras,
the background Noise level has increased by 12 dB.
(This plays havoc with the BER or for fixed BER, the
overall data rate,)
55
Which Frequency is Best?
Notice that the operation at 2.45 GHz is
WORSE than at 900MHz (which is worse
than 433 MHz).
ALERT! ALERT!!
Real World:
56
Outline:

4. Security within various Wireless Delivery
Schemes
6. The Big Review
57
Wireless networks use a variety of techniques to enhance security,
such as spreading and interleaving. These techniques can make the
signal virtually undetectable without prior knowledge about the
network. This can improve the security of the network by orders
of magnitude.
Wireless Data Security: Encryption, Spreading, Interleaving
Slide courtesy of Wayne Manges, ORNL
58
The Wireless Market
S
H
O
R
T

<

R
A
N
G
E

>

L
O
N
G

LOW < DATA RATE > HIGH
PAN
LAN
TEXT GRAPHICS INTERNET HI-FI
AUDIO
STREAMING
VIDEO
DIGITAL
VIDEO
MULTI-CHANNEL
VIDEO
Bluetooth1
Bluetooth 2
ZigBee
802.11b
802.11a/HL2 & 802.11g
59
Bluetooth vs. the Rest (contd)
802.11
2.4 GHz, DSSS
11 chips/bit
11Mbps
+20 dBm
50m
128 devices
CSMA/CA
Optional WEP
Optional
HomeRF
2.4GHz, FHSS
50 hops/s
1 Mbps
+20 dBm
50m
128 devices
CSMA/CA
Optional
Optional

Bluetooth
2.4 GHz, FHSS
1000+hops/s
1Mbps
0, +20dBm
1-10m, 50m
8 devices,
Piconet
Encryption
Yes

Parameter
Technology

Data Rate
Power
Range
Topology

Security
Voice Channel
ZigBee (proposed)
2.4 GHz,DSSS
15 chips/bit
40 kbits/s
0dBm
100m
100s devices,
CSMA/CA
Not yet
No

Bluetooth aka IEEE 802.15.1
ZigBee aka IEEE 802.15.4
60
Side by Side

61
802.11?

62
The Worldwide View of the 802.11 Spectral
Space
63
Radiated Field from a single AP
(Kansas City)
64
20dB Attenuation Profile for Univ of Kansas
Eng Bldg., Mesh and AP deployments
65
WEP
The industrys solution: WEP (Wired Equivalent Privacy)
Share a single cryptographic key among all devices
Encrypt all packets sent over the air, using the shared key
Use a checksum to prevent injection of spoofed packets
(encrypted traffic)
66
Early History of WEP
802.11 WEP standard released
1997
Simon, Aboba, Moore: some weaknesses
Mar 2000
Walker: Unsafe at any key size

Oct 2000
Borisov, Goldberg, Wagner:
7 serious attacks on WEP
Jan 30, 2001
NY Times, WSJ break the story
Feb 5, 2001
67
Subsequent Events
Jan 2001
Borisov, Goldberg, Wagner
Arbaugh: Your 802.11 network
has no clothes
Mar 2001
Arbaugh, Mishra: still more attacks
Feb 2002
Arbaugh: more attacks

May 2001
Newsham: dictionary attacks on WEP keys
Jun 2001
Fluhrer, Mantin, Shamir: efficient attack on way WEP uses RC4
Aug 2001
68
WEP Attack Tools
Downloadable procedures from the Internet
To crack the Key:
AirSnort
http://airsnort.sourceforge.net
WEPCrack
http://sourceforge.net/projects/wepcrack/
To brute force enter into WLAN,
THC-RUT
http://www.thehackerschoice.com/releases.php
69
Wi-Fi Protected Access (WPA)
Flaws in WEP known since January 2001 - flaws include weak
encryption, (keys no longer than 40 bits), static encryption keys, lack
of key distribution method.

IEEE developing 802.11i standard for enhanced wireless security -
Addresses weak data encryption and user authentication within
existing 802.11 standard.

802.11i standard will not be ratified until late 2003, possibly early
2004 - outstanding issues.

WPA standard joint effort between Wi-Fi Alliance and IEEE - WPA a
subset of IEEE 802.11i standard (Draft 3.0).

WPA provides stronger data encryption (weak in WEP) and user
authentication (largely missing in WEP).

70
WPA Data Encryption
WPA uses Temporal Key Integrity Protocol (TKIP) - stronger
data encryption, addresses known vulnerabilities in WEP.
TKIP chosen as primary encryption cipher suite -
Easily deployed and supported in legacy 802.11b
hardware compared to other available cipher suites.

TKIP based on RC4 stream cipher algorithm, surrounds WEP
cipher engine with 4 new algorithms,

1. Extended 48-bit Initialization Vector (IV) and IV sequencing rules
(compared to the shorter 24-bit WEP RC4 key).

2. New per-packet key mixing function.

3. Derivation and distribution method - a.k.a. re-keying.

4. A message integrity check (MIC) - a.k.a. Michael, ensures messages
havent been tampered with during transmission.
71
WPA Data Encryption, contd
the Temporal Key Integrity Protocol.

DA Destination Address TKIP Temporal Key Integrity Protocol
ICV Integrity Check Value TSC TKIP Sequence Counter
MPDU Message Protocol Data Unit TTAK result of phase 1 key mixing of Temporal Key
MSDU MAC Service Data Unit and Transmitter Address
RSN Robust Security Network WEP Wired Equivalent Privacy
SA Source Address WEP IV Wired Equivalent Privacy Initialization Vector
TA Transmitter Address

MIC Key
TSC
SA + DA +
Plaintext MSDU
Data
Ciphertext
MPDU(s)
WEP
Encapsulation
MIC
TTAK Key
Plaintext
MSDU +
MIC
Fragment(s)
Phase 2
key mixing
Plaintext
MPDU(s)
WEP seed(s)
(represented as
WEP IV + RC4
key)
Phase 1
key mixing
TA

Temporal Key
72
WPA Data Encryption, contd
TKIP implements countermeasures - reduces rate which attacker can
make message forgery attempts down to two packets every 60
seconds.

After 60 second timeout new PMK or Groupwise Key generated,
depending on which attacked ensures attacker cannot obtain
information from attacked key.

Countermeasures bound probability of successful forgery and amount
of information attacker can learn about a key.

TKIP is made available as firmware or software upgrade to existing
legacy hardware.

TKIP eliminates having to replace existing hardware or having to
purchase new hardware.

73
Bluetooth?

74
BlueTooth- Some Specifications
Uses unlicensed 2.402 - 2.480 GHz frequency range
Frequency hopping spread spectrum 79 hops
separated by 1 MHz
Maximum frequency hopping rate: 1600 hops/sec
Nominal range: 10 cm to 10 meters
Nominal antenna power: 0 dBm
One complete Bluetooth data packet can be
transmitted within each 625 msec hop slot.
75
Potential Bluetooth Markets

76
Bluetooth Market Forecast

Nov03: 100M Bluetooth compliant devices worldwide
77
Bluetooth Protocol Stack
Adopted Protocols
PPP(Point-To-Point Protocol)
TCP/UDP/IP
OBEX-Session Protocol for IrDA(Infrared Data
Association)
Contents Fromat(e.g. vCard, vCalendar)
WAP-Wireless Application Protocol
78
Bluetooth Security
Supports Unidirectional or Mutual Encryption based
on a Secret Link key Shared Between Two Devices
Security Defined In 3 modes:
Mode1- No Security
Mode 2 - Service Level Security: Not Established
Before Channel is Established at L2CAP
Mode 3 - Link Level Security: Device Initiates
Security Before LMP Link is Setup
Devices and Services can be Set for Different Levels of Security
Two Trust Levels are Set for Devices
Trusted Device: Fixed Relationship and Unrestricted
Access to All Services
Untrusted: No Permanent relationship and Restricted
Services
79
Bluetooth Security
Devices and Services can be Set for Different Levels
of Security
Two Trust Levels are Set for Devices
Trusted Device: Fixed Relationship and
Unrestricted Access to All Services
Untrusted: No Permanent relationship and
Restricted Services
80
Bluetooth Security
3 Levels of Service Access
Require Authorization and Authenication
Require Authentication Only
Default Security for Legacy Applications
81
But is this Wireless Link Secure?
Newsflash: Jan 2001: Norwegian hackers crack a
Bluetooth transmission
82
Analysis of a BlueTooth Transmission
High overhead?
83
802.15.4/Zigbee?

84
IEEE 802.15.4 standard
Includes layers up to and including Link Layer Control
LLC is standardized in 802.1
Supports multiple network topologies including Star, Cluster Tree and
Mesh
IEEE 802.15.4 MAC
IEEE 802.15.4 LLC
IEEE 802.2
LLC, Type I
IEEE 802.15.4
2400 MHz PHY
IEEE 802.15.4
868/915 MHz PHY
Data Link Controller (DLC)
Networking App Layer (NWK)
ZigBee Application Framework
Features of the MAC:
Association/dissociation, ACK,
frame delivery, channel access
mechanism, frame validation,
guaranteed time slot management,
beacon management, channel scan
Low complexity: 26 primitives
versus 131 primitives for
802.15.1 (Bluetooth)
85
PHY overview
Speed
20, 40 or 250 kbps
Channels
1 channel in the 868MHz band
10 channels in the 915MHz band
16 channels in the 2.4GHz band
Modulation
BPSK (868MHz/20kbs)
BPSK (915MHz/40kbps)
O-QPSK (2.4GHz/250kbps)

Coexistence w/
802.11b DSSS
802.15.1 FHSS
802.15.3 DSSS
86
MAC overview
Security support
Power consumption
consideration
Dynamic channel
selection
Network topology
Star topology
p2p topology
cluster-tree network
topology

87
Device classification
Full Function Device (FFD)
Any topology
Can talk to RFDs or other FFDs
Operate in three modes
PAN coordinator
Coordinator
Device.
Reduced Function Device (RFD)
Limited to star topology
Can only talk to an FFD
(coordinator)
Cannot become a coordinator
Unnecessary to send large
amounts of data
Extremely simple
Can be implemented using
minimal resources and memory
capacity
88
Transmission management
Acknowledgement
No ACK
ACK
Retransmission
Duplicate detection
Indirect transmission

89
Security
Unsecured mode
ACL mode
Access control
Secured mode
Access control
Data encryption
Frame integrity
Sequential freshness

90
Scalable Security
Assume the attacker can deploy own nodes (can
create a ring at some distance from
controller)[Wisenet 2003]
Enemy nodes mimick the mesh nodes; they
ACK the health inquiry as if everything was OK
but they do not forward to the rest of the net
The rest of the network is virtually cut off from
inspection by controller
Need secure key and a random seed that changes
at each round

91
What About:

1451.5?
1xRTT?
SAT?
CDPD?
Others?

No time this morning!
92
Outline:

6. The Big Review
93
Integrated Industrial Networks?
There are SO many technical questions: such as
If the sensor network is to integrate into an industrial setting, then you
should be cognizant of the Industrial Networking arena.
94
Industrial Device Network Topology
Typically, three layers of networking make up enterprisewide networks. Ethernet
acts as the company's intranet backbone, and it's linked to controllers or
industrial PCs, which supply strategic data to the enterprise. An industrial
network, or fieldbus, links sensors and smart devices. A gateway (not uncommon
in a large system with lots of devices) links devices that have only RS-232 or RS-
485 ports to the fieldbus system.
95
Industrial Device Networks
General characteristics for industrial device
networks have arisen.
Obviously the complexity of the network increases as the
functionality is increased.
96
Classification of Industrial
Networks
Three logical groupings of instrumentation
networks used in an industrial setting.
There are over 100 different proprietary
networks in the field.
97
Inside Security Incident
Employee attacks PLC in another plant area
over PLC highway.
Password changed to obscenity, blocking
legitimate maintenance and forcing process
shutdown.
* Source: BCIT Industrial Security Incident Database (ISID)
Disgruntled
Employee
PLC PLC PLC PLC
Steam Plant Paper Plant
Plant Highway
98
Network Positioning
-

F
u
n
c
t
i
o
n
a
l
i
t
y

+

Ethernet TCP/IP

- Cost +
+

C
o
m
p
l
e
x
i
t
y

-

- Data +
DeviceNet
Other CAN
SDS
Fieldbus H1
Profibus-PA
Modbus
HART
Profibus-DP
Interbus-S
Remote I/O
Profibus-FMS
Data Highway+
Modbus Plus
ASi, Seriplex,
Hardwiring, RS485 etc.
ControlNet
Foundation Fieldbus H2
99
Too Focused on Internet Issues?
Myth #1: Our SCADA/PLC/DCS is safe if
we dont connect to the Internet.
Myth #2: Our Internet firewall will protect
our control systems.
Myth #3: Our IT department understands
process control issues and security.

100
Is Industrial Comm Security Too
Focused on Internet Issues?
Field Devices
Control
Network
SCAD
A
Programming Stations
PLC
PLC
Remote
Engineering
Production
Planning
Manufacturing Logistics
Enterprise
Resource Planning
Process
Historian
Enterprise Network
Internet
Firewall
Ethernet
Production Networks
Handheld
Operator
Terminal
Modem

OEM

802.11
WLAN
Source (used by permission): Interface Technologies, Windsor, CT, 2002
WarDialing
Attack
101
Outline:

6. The Big Review
102
Bit Rate vs. Quality of Service
How Many
Bits are
Needed?
The more bits
you xmit,
the more
power you
consume!
103
Coding vs. Quality of Service
Is Coding
Really
Necessary?

104
Direct Sequence Spread Spectrum
105
Comparing Wireless
Tech. Range RF
Power
Battery
life
Numbers
In Area
DSSS Medium Low longest High
FHSS Long High Short Medium
UWB Medium Lowest short High
Narrow
band
Longest highest short Lowest
106
Technology Beats Marketing in
Performance!
Technology versus Attributes
Summary Chart
Technology
Attribute
DSSS
FHSS
UWB
CDMA
TDMA
FDMA
Low
Power
Designs
Mobile
Ad Hoc
Networks
Power
Harvesting
Embedded
Intelligence Diversity FEC
Open
Standards
BPSK
QPSK
M-ary
900MHz
2.4GHz
5.8GHz
Long Range NA NA NA yes NA NA yes yes NA NA 900MHz
Plug-and-Play DSSS CDMA NA NA NA NA NA NA yes NA NA
Long Battery life FHSS FDMA yes NA yes yes yes yes NA M-ary 900MHz
Low RFI risk DSSS NA yes yes NA yes yes NA NA NA 5.8GHz
Self Locating DSSS CDMA NA NA NA yes yes NA NA NA 5.8GHz
Secure UWB CDMA yes NA NA yes yes NA NA NA 5.8GHz
High throughput UWB NA NA NA NA yes yes yes NA M-ary 5.8GHz
non line-of-sight UWB NA NA yes NA NA yes NA NA NA 900MHz
robust connections DSSS CDMA NA yes NA NA yes yes NA BPSK 5.8GHz
low cost FHSS FDMA yes NA NA NA NA NA yes BPSK 900MHz
small size FHSS TDMA yes NA NA NA NA NA NA BPSK 5.8GHz
107
Statistics on Types of Attacks
0 20 40 60 80 100 120
Theft of Propriety Info
Sabotage
Telecom Evesdropping
System Penetration
Insider Abuse of Net Access
Finacial Fraud
Virus
Unauthorized Insider Access
Telecom Fraud
Active Wiretap
Laptop Theft
Denial of Service
1997
1998
1999
2000
2001
2002

*Source: 2002 CSI/FBI Computer Crime and Security Survey Computer Security
Institute - www.gocsi.com/losses.
% of Respondents
108
Optimization of Security vs. Cost
Risk reduction is balanced against the cost of
security counter measures to mitigate the risk.
Security Level
Cost ($)
Cost of Security
Countermeasures
Cost of Security
Breaches
Optimal Level of Security
at Minimum Cost
109
Risk in Safety vs. Risk in Security
Safety Definition: Risk is a measure of
human injury, environmental damage, or
economic loss in terms of both the incident
likelihood and the magnitude of the loss or
injury.
Security Definition: Risk is an expression of
the likelihood that a defined threat will exploit
a specific vulnerability of a particular
attractive target or combination of targets to
cause a given set of consequences.
*Source: CSPP Guidelines For Analyzing And Managing The Security
Vulnerabilities Of Fixed Chemical Sites
110
Firewall Architectures
The external router blocks attempts to use the
underlying IP layer to break security (e.g. IP
spoofing, source routing, packet fragments, etc) and
forces all traffic to the proxy.
The proxy firewall handles potential security holes in
the higher layer protocols.
The internal router blocks all traffic except to the
proxy server.

Internal
Router
Internet
External
Router

111
Theres lot of Wireless
From cellphones to PDAs to WiFi to
Satellite-based
112
Wireless LAN Standards
113
Existing/Developing
IEEE 802.11 Standards
802.11-
802.11a
802.11b
802.11e
802.11f
802.11g
802.11h
802.11i
802.1x
802.15
802.16
Frequency Hopping/DSSS
54Mbps / HyperLAN
(1999) 11Mbps
Quality of Service
Point 2 Point Roaming
(2003) 54Mbps
European Inspired Changes
(Q2,2004) New Encryption Protocols
(Q2,2004) Port Based Network Access
Personal Area Network (WPAN)
Wireless Metropolitan Area Network (WMAN)
114
PicoCell
BTS
PicoCell
BTS
Noise
Floor
Lifter
6 MCU
GSM SERVER
On-Board Network Integration
SDU
Wireless Backbone for Inflight Entertainment
and we havent even touched on RFID!
115
Theres lot of Wireless
And it all needs to feel more Secure!
116
For a real review of networking
security
Take Eric Byrnes ISA course IC32C
117
Will History Repeat?
analog cellphones: AMPS 1980
1990
2000
analog cloning, scanners
fraud pervasive & costly
digital: TDMA, GSM
TDMA eavesdropping [Bar]
more TDMA flaws [WSK]
GSM cloneable [BGW]
GSM eavesdropping
[BSW,BGW]
Future: 3
rd
gen.: 3GPP,
Cellular networks
802.11, WEP
2001
2002
WEP broken [BGW]
WEP badly broken [FMS]
WPA
2000
1999
Future: 802.11i
2003
attacks pervasive
wireless networks
Proprietary systems
2002
1451, 802.15.4, TinyOS
Future: ???
2003
sensor networks
wireless security: not just 802.11
118
PATRIOT (Provide Appropriate Tools
Required to Intercept and Obstruct
Terrorism)
Legally classifies many hacking attacks
as acts of terrorism
PATRIOT Act
119
So If Nothing else, at least
PLEASE do this for your WiFi
System!

WLAN Security Countermeasures
Conduct site survey
Identify areas of signal strength and weakness
Do a walkaround with NetStumbler
Document and shut down rogue access points
Document and shut down unauthorized wireless
NICs
AND TURN ON SOME LEVEL OF THE
PROVIDED PROTECTION!
120
Oh

And dont forget that as you layer in all of
these wacky encryption schemes and
CDMA and DSSS andand that it takes
some joules to actually implement this. So
if your wireless network has primepower
(a.k.a. AC) youre ok. But if youre going
off a battery then its a tradeoff of security
versus Power Consumption You
Choose that one!

121
...and in the end...
...or...
Two potential forms of wireless sensor networks.
And they should both be secure!
HoneyBee with RFID
BumbleBee with RF xcvr
122
Outline:

6. The Big Review
7. Glossary and References
123
Glossary

10BASE-T: IEEE 802.3 standard for a twisted-pair Ethernet network. 10 Mbps transmission rate over baseband using unshielded, twisted-
pair cable.

802.11: The IEEE 802.11 standard defines both frequency hopping and direct sequence spread spectrum solutions for use in the 2.4-2.5 MHz
ISM (Industrial, Scientific, Medical) band.

802.11a: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).

802.11b: The portion of the 802.11 specification that defines the 11 Mbps data rate.

A

Access Point: Provides a bridge between Ethernet wired LANs and the wireless network. Access points are the connectivity point between
Ethernet wired networks and devices (laptops, hand-held computers, point-of-sale terminals) equipped with a wireless LAN adapter card.

Analog phone: Comes from the word "analogous," which means similar to. In telephone transmission, the signal being transmitted from the
phonevoice, video or imageis analogous to the original signal.

Antenna-Directional: Transmits and receives radio waves off the front of the antenna. The power behind and to the sides of the antenna is
reduced. The coverage area is oval with the antenna at one of the narrow ends. Typical directional antenna beam width angles are from 90
(somewhat directional) to as little as 20(very directional). A directional antenna directs power to concentrate the coverage pattern in a
particular direction. The antenna direction is specified by the angle of the coverage pattern called the beam width.

Antenna-Omni-directional: Transmits and receives radio waves in all directions. The coverage area is circular with the antenna at the center.
Omni-directional antennas are also referred to as whip or low-profile antennas.

Association: The process of determining the viability of the wireless connection and establishing a wireless network's root and designated
access points. A mobile unit associates with its wireless network as soon as it is powered on or moves into range.

ATM: Asynchronous Transfer Mode. A type of high-speed wide area network.

124
Glossary

B

Backbone: A network that interconnects other networks, employing high-speed transmission paths and often spanning a large geographic
area.

Bandwidth: The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines
the rate at which information can be transmitted through the circuit.

Bandwidth Management: Functionality that allocates and manages RF traffic by preventing unwanted frames from being processed by the
access point.

BC/MC: Broadcast frames; Multicast frames

Beacon: A uniframe system packet broadcast by the AP to keep the network synchronized. A beacon Includes the Net_ID (ESSID), the AP
address, the Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indicator Maps) and the TIM (Traffic Indicator
Message).

BFA Antenna Connector: Miniature coaxial antenna connector manufactured by MuRata Manufacturing Corporation.

Bluetooth: See Wireless Personal Area Networks.

Bridge: A device that connects two LANs of the same or dissimilar types. It operates at the Data Link Layer, as opposed to routers. The
bridge provides fast connection of two collocated LAN segments that appear as one logical network through the bridge.

Buffer: A segment of computer memory used to hold data while it is being processed.

125
Glossary

C

CAM: Continuously Aware Mode: Mode in which the adapter is instructed to continually check for network activity.

Card and Socket Services: Packages that work with the host computer operating system, enabling the Wireless LAN adapter to interface with
host computer configuration and power management functions.

Cellular Phone: Low-powered, duplex, radio/telephone that operates between 800 and 900 MHz, using multiple transceiver sites linked to a
central computer for coordination. The sites, or "cells," cover a range of one to six or more miles in each direction.

Centrex: Business telephone service offered by a local telephone company from a local telephone company office. Centrex is basically a single
line phone system leased to businesses as a substitute for a business that is buying or leasing its own on-premises phone system or PBX.

CDMA and TDMA: The Code Division Multiple Access and Time Division Multiple Access standard for wireless communications on wide
area networks (WANs) in North America.

Circuit switching: The process of setting up and keeping a circuit open between two or more users so that users have exclusive and full use of
the circuit until the connection is released.

Client: A computer that accesses the resources of a server.

Client/Server: A network system design in which a processor or computer designated as a server (such as a file server or database server)
provides services to other client processors or computers.

CODEC: Coder-Decoder. Audio compression/decompression algorithm that is designed to offer excellent audio performance. Converts voice
signals from their analog form to digital signals acceptable to modern digital PBXs and digital transmission systems. It then converts those
digital signals back to analog so that you may hear and understand what the other person is saying.

Computer Telephony Integration: Technology that integrates computer intelligence with making, receiving, and managing telephone calls.
Computer telephony integrates messaging, real-time connectivity, and transaction processing and information access.

126
Glossary

D

Data Terminal: Computer transmit and receive equipment, including a wide variety of dumb terminals or terminals without embedded
intelligence in the form of programmed logic. Most data terminals provide a user interface to a more capable host computer, such as a
mainframe or midrange computer.

Decryption: Decryption is the decoding and unscrambling of received encrypted data. The same device, host computer or front-end
processor, usually performs both encryption and decryption.

Desktop Conferencing: A telecommunications facility or service on a PC that permits callers from several diverse locations to be connected
together for a conference call.

Digital Phone System: Proprietary phone system provided by a vendor, such as AT&T, Mitel, Northern Telecom, and so on. The signal being
transmitted in a digital phone system is the same as the signal being transmitted in an analog phone system. The system can consist of a
proprietary PBX system that converts voice signals from their analog form to digital signals, and then converts those digital signals back to
analog. Alternatively, the conversion from analog-to-digital can occur in a digital phone.

Direct Inward Dialing: DID. The ability for a caller outside a company to call an internal extension without having to pass through an
operator or attendant. In large PBX systems, the dialed digits are passed from the PSTN to the PBX, which then completes the call.

Direct-Sequence (DS) Spread Spectrum: Direct sequence transmits data by generating a redundant bit pattern for each bit of information
sent. Commonly referred to as a "chip" or "chipping code," this bit pattern numbers 10 chips to one per bit of information. Compared with
frequency hopping, direct sequence has higher throughput, wider range and is upgradable in the 2.4GHz band.

Diversity Reception: The use of two antennas attached to a single access point to improve radio reception. The second antenna is used only
for receiving radio signals, while the primary is used for both transmitting and receiving.

Driver: A program routine that links a peripheral device, such as a mobile unit's radio card, to the computer system.

127
Glossary

Element-level Management: Level of technologies aimed at small or medium-sized businesses.

Encryption: Entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted over a network.

Ethernet: A local area network used for connecting computers, printers, workstations, terminals, servers, and so on, within the same building or campus. Ethernet
operates over twisted wire and over coaxial cable at speeds up to 100 Mbps, with 1 Gbps speeds coming soon.

Filtering: Prevents user-defined frames from being processed by the access point.

Fragmentation Threshold: The maximum size for directed data packets transmitted over the radio. Larger frames fragment into several packets this size or smaller before
transmission over the radio. The receiving station reassembles the transmitted fragments.

Frame Mode: A communications protocol supported by the OEM Modules. The frame protocol implements asynchronous serial Point-to-Point (PPP) frames similar to
those used by serial Internet protocols.

Frequency Hopping (FH) Spread Spectrum: Hedy Lamarr, the actress, is credited in name only for inventing frequency hopping during World War II. As its label
suggests, frequency hopping transmits using a narrowband carrier that changes frequency in a given pattern. There are 79 channels in a 2.4GHz ISM band, each channel
occupying 1MHz of bandwidth. A minimum hop rate of 2.5 hops per channel per second is required in the United States. Frequency hopping technology is recognized as
superior to direct sequence in terms of echo resistance, interference immunity, cost and ease-of-installation. To date, there has also been a greater selection of WLAN
products from which to chose.

FTP (File Transfer Protocol): A common Internet protocol used for transferring files from a server to the Internet user. It uses TCP/IP commands.

Gain, dBi: Antenna gain, expressed in decibels referenced to a half wave dipole.

Gain, dBi: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator.

Gain, dBic: Antenna gain, expressed in decibels referenced to a theoretical isotropic radiator that is circularly polarized.

Gatekeeper: Software that performs two important functions to maintain the robustness of the network: address translation and bandwidth management. Gatekeepers map
LAN aliases to IP addresses and provide address lookups when needed.

Gateway: Optional element in an H.323 conference. Gateways bridge H.323 conferences to other networks, communications protocols, and multimedia formats.
Gateways are not required if connections to other networks or non-H.323 compliant terminals are not needed.

GHz: International unit for measuring frequency is Hertz (Hz), which is equivalent to the older unit of cycles per second. One Gigahertz (GHz) is one billion Hertz.
Microwave ovens typically operate at 2.45 GHz.

GSM: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).

128
Glossary

H.323: An umbrella standard from the International Telecommunications Union (ITU) that addresses call control, multimedia management, and bandwidth management
for point-to-point and multi-point conferences, as well as interfaces between LANs and other networks. The most popular standard currently in use.

Handheld PC (HPC): The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Windows CE operating system.

Interactive Voice Response: System used to access a database access application using a telephone. The voice processing acts as a front-end to appropriate databases that
reside on general purpose computers. For instance, DTMF (touch tone) input of a Personal Identification Number can be required for access or more unusual and
expensive techniques such as voice recognition and voice print matching.

Internet: World's largest network, often referred to as the Information Superhighway. The Internet is a virtual network based on packet switching technology. The
participants on the Internet and its topology change on a daily basis.

Internet Commerce: Electronic business transactions that occur over the Internet. Samples of Internet commerce applications include electronic banking, airline
reservation systems, and Internet malls.

Internet Phone: Device used to transmit voice over the Internet, bypassing the traditional PSTN and saving money in the process. An Internet phone can be a small phone
(such as the NetVision Phone) or a multimedia PC with a microphone, speaker, and modem.

Interoperability: The ability of equipment or software to operate properly in a mixed environment of hardware and software, from different vendors. Enabled by the
IEEE 802.11 open standard.

IP (Internet Protocol): The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet. Provides the basis of the
Internet connection-less- best-effort packet delivery service. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two fundamental protocols.

International Roaming: Ability to use one adapter worldwide.

Intranet: A private network that uses Internet software and Internet standards. In essence, an intranet is a private Internet reserved for use by people who have been given
the authority and passwords necessary to use that network.

ISDN: Integrated Services Digital Network. Emerging network technology offered by local phone companies that is designed for digital communications, computer
telephony, and voice processing systems.

ISM Band: ISM bands--instrumental (902-928MHz), science (2.4-2.4835GHz), and medical (5.725-5.850GHz)--are the radio frequency bands allocated by the FCC for
unlicensed continuous operations for up to 1W. The most recent band approved by the FCC for WLANs was the medical band in January 1997.

ITU: International Telecommunications Union. Standards body that defined H.323 and other international standards.

Jitter: Noise on a communications line which is based on phase hits, causing potential phase distortions and bit errors..

129
Glossary

Kerberos: A widely deployed security protocol that was developed at the Massachusetts Institute of Technology (MIT) to authenticate users and clients in a wired
network environment and to securely distribute encryption keys.

Key Telephone System: A system in which the telephone has multiple buttons permitting the user to directly select central office phone lines and intercom lines. Key
phone systems are most often found in relatively small business environments, typically around 50 telephones.

Layer: A protocol that interacts with other protocols as part of an overall transmission system.

LPD (Line Printer Daemon): A TCP-based protocol typically used between a Unix server and a printer driver. Data is received from the network connection and sent out
over the serial port.

MAC (Media Access Control): Part of the Data Link Layer, as defined by the IEEE, this sublayer contains protocols for gaining orderly access to cable or wireless
media.

MD5 Encryption: An authentication methodology when MU is in foreign subnet.

MIB (Management Information Base): An SNMP structure that describes the specific device being monitored by the remote-monitoring program.

Microcell: A bounded physical space in which a number of wireless devices can communicate. Because it is possible to have overlapping cells as well as isolated cells,
the boundaries of the cell are established by some rule or convention.

Modem: Equipment that converts digital signals to analog signals and vice versa. Modems are used to send digital data signals over the analog PSTN.

MMCX Antenna Connector: Miniature coaxial antenna connector in use by several major wireless vendors.

Mobile IP: The ability of the mobile unit to communicate with the other host using only its home IP address, after changing its point of attachment to the Internet and
intranet.

Mobile Unit (MU): May be a Symbol Spectrum24 terminal, PC Card and PCI adapter, bar-code scanner, third-party device, and other

Mobile Unit Mode: In this mode, the WLAN adapter connects to an access point (AP) or another WLAN installed system, allowing the device to roam freely between
AP cells in the network. Mobile units appear as network nodes to other devices.

Modulation: Any of several techniques for combining user information with a transmitter's carrier signal.

Multipath: The signal variation caused when radio signals take multiple paths from transmitter to receiver.

Multipath Fading: A type of fading caused by signals taking different paths from the transmitter to the receiver and, consequently, interfering with each other.

130
Glossary

Node: A network junction such as a switch or a routing center.

Packet Switching: Refers to sending data in packets through a network to some remote location. In a packet switched network, no circuit is left open on a dedicated basis.
Packet switching is a data switching technique only.

PBX Phone System: Private Branch eXchange. Small version of the phone company's larger central switching office. An alternative to a PBX is to subscribe to a local
telephone company's Centrex service.

PCMCIA (Personal Computer Memory Card International Association) PC Card: A credit card-size device used in laptop computers and available as removable network
adapters.

PCS (Personal Communications Service): A new, lower powered, higher-frequency competitive technology to cellular. Whereas cellular typically operates in the 800-
900 MHz range, PCS operates in the 1.5 to 1.8 GHz range. The idea with PCS is that the phone are cheaper, have less range, and are digital. The cells are smaller and
closer together, and airtime is cheaper.

Peer-to-peer Network: A network design in which each computer shares and uses devices on an equal basis.

Ping: A troubleshooting TCP/IP application that sends out a test message to a network device to measure the response time.

PLD (Data Link Protocol): A raw packet protocol based on the Ethernet frame format. All frames are sent to the wireless network verbatim--should be used with care as
improperly formatted data can go through with undesirable consequences.

Plug and Play: A feature that allows a computer to recognize the PCI adapter and configure the hardware interrupt, memory, and device recognition addresses; requires
less user interaction and minimizes hardware conflicts.

Pocket PC: The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Pocket PC operating system.

Point-of-Sale Device: A special type of equipment that is used to collect and store retail sales data. This device may be connected to a bar code reader and it may query a
central computer for the current price of that item.

POTS (Plain Old Telephone Service): The basic service supplying standard single line telephones, telephone lines, and access to the public switched telephone network.

Power Management: Algorithms that allow the adapter to sleep between checking for network activity, thus conserving power.

PSP (Power Save Polling): stations power off their radios for long periods. When a mobile unit in PSP mode associates with an access point, it notifies the AP of its
activity status. The AP responds by buffering packets received for the MU.

PSTN (Public Switched Telephone Network): Refers to the worldwide voice telephone network accessible to all those with telephones and access privileges. In the U.S.,
the PSTN is provided by AT&T.

131
Glossary

QoS (Quality of Service): Measure of the telephone service quality provided to a subscriber. QoS refers to things like: Is the call easy to hear? Is it clear? Is it loud
enough?

RBOC (Regional Bell Operating Company): One of the seven Bell operating companies set up after the divestiture of AT&T, each of which own two or more Bell
Operating Companies (BOCs).

Roaming: Movement of a wireless node between two microcells. Roaming usually occurs in infrastructure networks built around multiple access points.

Repeater: A device used to extend cabling distances by regenerating signals.

Router: The main device in any modern network that routes data blocks from source to destination using routing tables and determining the best path dynamically. It
functions as an addressable entity on the LAN and is the basic building block of the Internet.

SNMP (Simple Network Management Protocol): The network management protocol of choice for TCP/IP based intranets. Defines the method for obtaining information
about network operating characteristics, change parameters for routers and gateways.

Scanning: A periodic process where the mobile unit sends out probe messages on all frequencies defined by the country code. The statistics enable a mobile unit to re-
associate by synchronizing its frequency to the AP. The MU continues communicating with that access point until it needs to switch cells or roam.

Site Survey: Physical environment survey to determine the placement of access points and antennas, as well as the number of devices necessary to provide optimal
coverage, in a new or expanding installation.

Spread Spectrum: A transmission technique developed by the U.S. military in World War II to provide secure voice communications, spread spectrum is the most
commonly used WLAN technology today. It provides security by "spreading" the signal over a range of frequencies. The signal is manipulated in the transmitter so that
the bandwidth becomes wider than the actual information bandwidth. De-spreading the signal is impossible for those not aware of the spreading parameters; to them, the
signal sounds like background noise. Interference from narrowband signals is also minimized to background noise when it is de-spread by the receiver. Two types of
spread spectrum exist: direct sequence and frequency hopping.

Stream Mode: A communications protocol supported only by the Telnet and TCP protocols. Stream mode transfers serial characters as they are received by encapsulating
them in a packet and sending them to the host.

132
Glossary

T1: A type of dedicated digital leased-line available from a public telephone provider with a capacity of 1.544 Mbps. A T1 line can normally handle 24 voice
conversations, each one digitized at 64 Kbps. With more advanced digital voice encoding techniques, it can handle more voice channels. T1 is the standard for digital
transmission in the U.S. Canada, Hong Kong, and Japan.

TCP/IP: Networking protocol that provides communication across interconnected networks, between computers with diverse hardware architectures, and various
operating systems. TCP/IP is used in the industry to refer to the family of common Internet protocols.

TCP (Transport Communication Protocol): Controls the transfer of data from one client to one host, providing the mechanism for connection maintenance, flow control,
retries, and time-outs.

Telnet (Terminal Emulation Protocol): A protocol that uses the TCP/IP networking protocol as a reliable transport mechanism. Considered extremely stable.

Terminal: An endpoint, which provides for real-time, two-way communications with another terminal, gateway, or mobile unit.

Token Ring: A ring type of local area network (LAN) in which a supervisory frame, or token, must be received by an attached terminal or workstation before that
terminal or workstation can start transmitting. Token ring is the technique used by IBM and others.

UDP (User Datagram Protocol): UDP/IP is a connection-less protocol that describes how messages reach application programs running in the destination machine;
provides low overhead and fast response and is well suited for high-bandwidth applications.

Video Conferencing: Video and audio communication between two or more people via a video CODEC (coder/decoder) at either end and linked by digital circuits.

Voice Mail System: Device or system that records, stores, and retrieves voice messages. The two types of voice mail devices are those which are "stand alone" and those
which offer some integration with the user's phone system.

Wi-Fi: A logo granted as the "seal of interoperability" by the Wireless Ethernet Compatibility Alliance (WECA). Only select wireless networking products possess this
characteristic of IEEE802.11b.

Wireless AP Support: Access Point functions as a bridge to connect two Ethernet LANs.

133
Glossary

Wireless Local Area Network (WLAN): A wireless LAN is a data communications system providing wireless peer-to-peer (PC-to-PC, PC-to-hub, or printer-to-hub) and
point-to-point (LAN-to-LAN) connectivity within a building or campus. In place of TP or coaxial wires or optical fiber as used in a conventional LAN, WLANs transmit
and receive data over electromagnetic waves. WLANs perform traditional network communications functions such as file transfer, peripheral sharing, e-mail, and
database access as well as augmenting wired LANs. WLANs must include NICs (adapters) and access points (in-building bridges), and for campus communications
building-to-building (LAN-LAN) bridges.

Wireless Personal Area Network (WPAN): Personal area networks are based on a global specification called Bluetooth which uses radio frequency to transmit voice and
data. Over a short range, this cable-replacement technology wirelessly and transparently synchronizes data across devices and creates access to networks and the Internet.
Bluetooth is ideal for mobile professionals who need to link notebook computers, mobile phones, PDAs, PIMs, and other hand-held devices to do business at home, on
the road, and in the office.

Wireless Wide Area Network (WWAN): Wide area networks utilize digital mobile phone systems to access data and information from any location in the range of a cell
tower connected to a data-enabled network. Using the mobile phone as a modem, a mobile computing device such as a notebook computer, PDA, or a device with a
stand-alone radio card, can receive and send information from a network, your corporate intranet, or the Internet.

134
Berge J.,"Fieldbuses for Process Control: Engineering, Operation, Maintenance". ISA Press 2002, ISBN 1-55617-760-7.
Black U., "Physical Level Interfaces and Protocols". IEEE, ISBN 0-8186-8824-6.
Black U., "The V-series recommendations". McGraw-Hill, ISBN 0-07-005592-0.
Bonfig K., "Feldbus-Systeme". Expert Verlag 1992, 3-8169-0771-7.
Borst W., "Der Feldbus in der Maschinen- und Anlagentechnik". Franzis Verlag, ISBN 3-7723-4621-9.
British Standard Institute, "Guide to the evaluation of fieldbus protocols". Report DISC PD0014:2000.
Brown, "The OSI Dictionary of acronyms". McGraw-Hill 1993, ISBN 0-07-057601-7.
Burton, "Fieldbus for Industrial Control Systems". Chapmann & Hall 1997, ISBN 0-412-57890-5.
Centrum voor Micro-elektronica, "Intelligente sensornetwerken". 1993, 1996
Control Engineering, issues of 1994 and 1995, "Fieldbus series".
Dietrich D., "Feldbustechnik in Forschung, Entwicklung und Anwendung". Springer Verlag, 1997.
ETG Fachbericht 37, "Datenbertragung auf Fahrzeugen mittels serieller Bussysteme". VDE Verlag, ISBN 3-8007-1829-4.
ETZ Report 27, "Standardisierung der Prozedatenkommunikation". VDE Verlag 1991.
Fachzeitschrift DE, "Bussysteme fr die Gebudeinstallation. Hthig & Pflaum, 1999.
Frber, "Bussysteme - parallele und serielle Bussysteme in Theorie und Praxis". Oldenbourg Verlag, ISBN 3-486-28581-5.
Frankort, "Digitale Communicatie". Delta Press 1989, ISBN 90-6674-726-9.
Gladdis, "How to automate your home". Baran-Harper 1991, ISBN 0-9632170-0-3.
Gruhler, G. "Feldbusse und Gerte-Kommunikationssysteme". Franzis Verlag 2001, ISBN 3-7723-5745-8.
Hill, "A distributed control & diagnostic architecture for railway maintenance". University of South-Carolina 1998.
Holzmann, "Design and validation of computer protocols". Prentice-Hall, ISBN 0-13-539834-7.
Huber J.,"Industrial Fiber Optic Networks". ISA Press 1995, ISBN 1-55617-521-3-G.
Hulsebos, R., "Veldbussen". Kluwer 1996, ISBN 90-557-6059-5.
IEE, "Colloquium: Fieldbus devices - A changing future". IEE 1994, Ref. 1994/236.
ISA, "Fieldbus Standard for use in industrial control systems". ISA 1993, ISBN 1-55617-317-2.
ISA, "The ISA Fieldbus Guide". ISA 1997, ISBN 1-55617-637-6.
Johannsmeyer, "Investigation into the intrinsic safety of fieldbus systems (FISCO)". PTB, report W53, ISBN 3-89429-310-1.
Jordan, "Serial networked field instrumentation". Wiley 1995, ISBN 0-471-95236-1.
A Few References
135
Keithley Instruments, "Demanding measurements on the factory floor".
Kluwer, "Handboek Industrile Netwerken". Kluwer 2000, ISBN 90-5404-628-7.
Kriesel, "Bustechnologien fr die Automation, 2nd Ed.". Hthig Verlag 2000, ISBN 3-7785-2778-9.
Lian, "Performance evaluation of control networks for manufacturing systems". Proceedings of the ASME
(Dynamics and Control Division), 1999.
Miklovic, "Real-time control networks". ISA 1993, ISBN 1-55617-231-1.
Mikrocentrum Nederland, Syllabi themadagen "Industrile netwerken". 1993-2001.
Newman, "Direct digital control of building systems". Wiley, 1994, ISBN 0-471-51696-1.
Phoenix, "Grundkurs Sensor/Aktor-Feldbustechnik". Vogel Verlag, ISBN 3-8023-1708-4.
Phoenix, "Grundkurs Feldbustechnik". Vogel Verlag 2000, ISBN 3-8023-1813-7.
Phoenix, "Basic course in sensor/actuator fieldbus technology". Vogel Verlag.
Physikalische Technische Bundesanstalt, "Investigations into the intrinsic safety of fieldbus systems".
PTB 1994, ISBN 3-89429-512-0.
Reinert, "Sichere Bussysteme fr die Automation" Hthig Verlag 2001, ISBN 3-7785-2797-5.
Reienweber B., "Feldbussysteme". Oldenbourg Verlag, 2002, ISBN 3-486-24536-8.
Rikkert de Koe, "OSI-Protocollen lagen 1 t/m 4". Kluwer Telematica, ISBN 90-201-2388-2.
Rosch, "Gebudesystemtechnik: Datenubertragung auf dem 230V Netz". Verlag Moderne Industrie 1998, ISBN 3-
478-93185-1.
Scherff, B. "Feldbussysteme in der Praxis". Springer Verlag 1999, ISBN 3-540-63880-6.
Schnell, G. "Bussysteme in der Automatisierungs- and Prozesstechnik" (4th Ed.). Vieweg Verlag 2000, ISBN 3-528-
36569.
Svacina, "Understanding Device Level Buses". Turck.
Thompson, "Industrial Data Communications: Fundamentals And Applications" 3rd Edition. ISA Press 2002,
ISBN 1-55617-767-4-G.
Texas Instruments, "RS422 and RS485 Application Guide".
VDI/VDE, "Richtlinien 3687: Auswahl von Feldbussysteme durch Bewertung ihrer Leistungseigenschaften fr
verschiedene Anwendungsbereiche". VDI/VDE, 1997.
Wittgruer, F. "Digitale Schnittstellen und Bussysteme". Vieweg Verlag 1999.
Wrobel, "Optische bertragungstechnik in der Praxis, 2nd Ed.". Hthig Verlag 1998, ISBN 3-7785-2638-3.
Wybranietz, "Multicast-Kommunikation in verteilten Systemen". Springer Verlag 1987, ISBN 3-540-52551-3.

References (cont.)
136
Questions?
Comments?

Wireless Sensor Systems Security Imp.

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wireless Sensor Systems Security Imp.

Uploaded by

Copyright:

Available Formats

Wireless Sensor Systems:

Security Implications for the

You might also like