Wireless Sensor System


  • 8/14/2019 Wireless Sensor System

    1/136

    Wireless Sensor Systems: Security Implications for the Industrial Environment

    Dr. Peter L. Fuhr, Chief Scientist

    RAE Systems, Sunnyvale, CA

  • 2/136

    ISA Wireless Security, P. Fuhr

    RAE Systems Inc.: Pervasive Sensing Company based in Silicon Valley, founded in 1991

    Capabilities

    Radiation detection: gamma and neutron

    Chemical/vapor detection: toxic gas, VOC, combustible gas, oxygen, CWA, temperature, humidity, CO2

    Redeployable sensor networks

    Mobile and fixed wireless monitors

    Cargo Container Sensor Systems

    Dr. Peter Fuhr, Presenter: 480+ publications & presentations in wireless sensor networking arena. Old-timer in this area, etc. etc.

  • 3/136

    Contributors

    A number of individuals have provided content for these slides. They include:

    Wayne Manges, Oak Ridge National Laboratory

    Robert Poor, Ember

    Pat Gonia, Honeywell

    Hesh Kagan, Foxboro/Invensys

    Kang Lee, NIST

    Tom Kevan, Advanstar

    Ramesh Shankar, Electric Power Research Institute

    Larry Hill, Larry Hill Consulting

    Rob Conant, Dust

    Rick Kriss, Xsilogy

    Gideon Varga, Dept of Energy

    Jack Eisenhauser, Energetics

    Michael Brambley, Pacific Northwest National Labs

    David Wagner, UC-Berkeley

    Undoubtedly, there are other contributors too (apologies if your name is not listed).

  • 4/136

    Wireless Sensor Networking: it's not cellular telephony, it's not just WiFi... (and it just may be the next big thing)

    Each dot represents one cell phone tower.

    Wireless devices circa 1930

  • 5/136

    Highly Fragmented Sensor Market

    Sensor Market: $11B in 2001

    Installation (wiring) costs: >$100B

    Freedonia Group report on Sensors, April 2002

    Fragmented market: platform opportunity

    Installation cost limits penetration; reducing installation cost increases market size

    Slide courtesy of Rob Conant, Dust

  • 6/136

    Industrial Market Sizing: Sensor Networking Products

    North American market for wireless products used in applications where transmission distances are 1 mile or less:

    2002 Total: $107 million

    2006 Forecast: $713 million

    2010 Estimates: $2.1 billion

    Largest application areas:

    2002: Tank Level Monitoring, Asset Tracking, Preventative Maintenance

    2006: Tank Level Monitoring, Preventative Maintenance, Environmental Monitoring

    Conclusions:

    Rapid growth in industrial markets

    Tank Level Monitoring will remain a significant opportunity

    Key user needs:

    Lower costs over wired (or manual) solutions

    Education of potential customers on the technology

    Demonstration of operational reliability & application domain knowledge

    Slide courtesy of Rick Kriss, Xsilogy

  • 7/136

    The True cost per monitored node to the End User

    [Figure: 3-yr TOC ($) plotted against radio RF range (dB, lower to higher) and installation costs (higher to lower), from DENSE (Bluetooth, 802.15.4, WiFi, etc.; meters) to SPARSE (1xRTT, FLEX, SAT, etc.; miles), with a "Design For Here" marker.]

    Slide courtesy of Rick Kriss, Xsilogy

  • 8/136

    What to do with the data?

    [Figure: measurement system block diagram: parameter of interest, sensor, modifier, output transducer, output signal, power supply. Input and output domains: chemical, electrical, mechanical, thermal, radiation, optical, magnetic.]

    Great! But how do you get the output signal from the sensor to the location where the information will be interpreted (used)?

    Traditionally the output of the sensor was hardwired to some form of interpretive device (e.g., PLC), perhaps relying on a 4-20 mA signal.

  • 9/136

    Outline:

    1. Security? Who needs it?

    2. How is security achieved in a wired channel?

    3. The Situation for Wireless (it's RF in an industrial setting. Spectrum, modulation, encryption, spatial)

    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)

    5. An Integrated Solution

    6. The Big Review

  • 10/136

    Oh, who needs security in a wireless channel anyway!

    (Pretty ridiculous statement, isn't it!)

  • 11/136

    Let's ask some experts: WINA meeting, Coral Gables, Sept. 2003

    www.wireless4industrial.org

  • 12/136

    What's a WINA?

    In the spring of 2003, the Wireless Industrial Networking Alliance (WINA) was formed to promote the adoption of wireless networking technologies and practices that will help increase industrial productivity and efficiency.

    WINA will be holding a 1.5 day meeting at ISA-HQ in RTP, NC on Feb 11/12, right after the ISA Wireless Security Expo and conference. Check out www.wireless4industrial.org for WINA meeting details AND www.isa.org/wireless for the ISA Wireless Security conf details!

  • 13/136

    Back to the Question:

    Who needs security in a wireless channel anyway!

  • 14/136

    Strategy Workshop Participants

    Suppliers (13)

    System integrators (6)

    Industrial end users (10): Chemicals, Petroleum, Automotive, Energy/Utilities, Forest Products, Electronics

    Industry analysts/venture capitalists (3)

    Others (associations, government, media, researchers)

  • 15/136

    End-User View of Industrial Wireless

    Likes

      Mobility

      Compactness

      Flexibility

      Low cost

      Capability to monitor rotating equipment

      Short range (security)

      Ease of installation

      High reliability

      Impetus to enhance electronics support

    Dislikes

      Change to status quo

      Complexity

      High cost for coverage in large plants

      Security issues

      Portability issues (power)

      Unproven reliability

      Too risky for process control

      Lack of experience in troubleshooting (staff)

      Restricted infrastructure flexibility once implemented

      Lack of analysis tools

  • 16/136

    Technology Group: Key Issues

    Security

      Jamming, hacking, and eavesdropping

    Power

    Value (clear to customer)

    Interoperability

    Co-existence with other facility networks, sensors, collectors, technology

    True engineered solution (sensors, collectors, etc.)

    Assured performance & reliability/MTBA*

    Software infrastructure, data, & systems management

    Robustness (at least as good as wired)

    RF characterization (radios, receivers, environments)

    *mean time between attention

  • 17/136

    Technology Group: Criticality Varies by Application (5 = most critical)

    Rows are attributes; columns are applications.

    Attributes                    Monitor   Control     Alarm    Shutdown   Biz WLAN
    Latency                       2-3       3-5         5        5          1
    Device Reliability            2-3       3-5         5        5          1
    Raw Thru-put (node / aggr.)   2 / 5     2.5 / 2.5   1 / 4    1 / 1      1 / 5
    Scalability (Max. # nodes)    5         4           4        1          2-3
    Data Reliability              1         5           5        5          2
    Security                      1-5       5           5        5          5
    Low Cost                      5         2           1-3      1          2-3
    Gateway Technology            5         1           3-4      1          1
    Engineered Solution           1         5           4        5          3

  • 18/136

    Industrial CyberSecurity

    The Case of Vitek Boden

  • 19/136

    On October 31, 2001 Vitek Boden was convicted of:

    26 counts of willfully using a restricted computer to cause damage

    1 count of causing serious environmental harm

    The facts of the case:

    Vitek worked for the contractor involved in the installation of Maroochy Shire sewage treatment plant.

    Vitek left the contractor in December 1999 and approached the shire for employment. He was refused.

    Between Jan 2000 and Apr 2000 the sewage system experienced 47 unexplainable faults, causing millions of liters of sewage to be spilled.

  • 20/136

    How did he do it?

    On April 23, 2000 Vitek was arrested with stolen radio equipment, controller programming software on a laptop and a fully operational controller.

    Vitek is now in jail

    [Figure: diagram labelled Disgruntled Contractor, Rogue Radio, Sewage Plant, PLC, PLC]

  • 21/136

    A Favorite 2.4 GHz Antenna

  • 22/136

    WarDriving 802.11 HotSpots in Silicon Valley

  • 23/136

    WarDriving 802.11 HotSpots in San Francisco

  • 24/136

    The Question: Who needs security in a wireless channel anyway!

    The Answer:

    We do. So, how do you provide the appropriate level of security within the acceptable price and inconvenience margin -> Risk Management!

  • 25/136

    Inside vs. Outside?

    Where do attacks come from?

    [Figure: bar chart of % of respondents (0 to 90) by attack source (Foreign Gov., Foreign Corp., Hackers, U.S. Competitors, Disgruntled Employees) for the years 1998 to 2002.]

    *Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute - www.gocsi.com/losses.

  • 26/136

    An Outside Example.

    When? April 2001

  • 27/136

    Hacker War I

    In the Spring of 2001, the US got its first taste of a new form of warfare. Launched from overseas and targeted at US critical infrastructure.

  • 28/136

    Honker Union

    Chinese hacker group working to advance and in some cases impose its political agenda

    During the spring of 2001, Honker Union worked with other groups such as the Chinese Red Guest Network Security Technology Alliance

    Hackers were encouraged to "...make use of their skills for China..." (Wired.com)

    Attack Methods:

      Denial of Service Attacks

      Website Defacement

      E-mailing viruses to US Government Employees

      KillUSA package

  • 29/136

    Cyberwar

    Cyber attacks and web defacements increased dramatically after the start of the war against Iraq.

    More than 1,000 sites were hacked in the first 48 hours of the conflict, with many of the attacks containing anti-war slogans.

    Security consultants state that the war against Iraq made March the worst month for digital attacks since records began in 1995.


  • 31/136

    The Question: Who needs security in a wireless channel anyway?

    The Answer:

    Everyone.

  • 32/136

    Outline:

    1. Security? Who needs it?

    2. How is security achieved in a wired channel?

    3. The Situation for Wireless (it's RF in an industrial setting. Spectrum, modulation, encryption, spatial)

    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)

    5. An Integrated Solution

    6. The Big Review


  • 34/136

    Wired Data Security - Encryption

    The traditional method involved encrypting the data prior to transmission over a potentially insecure channel. The level of protection rests on the encryption algorithm. (There are a few other factors, such as the physical media.)

    Slide courtesy of Wayne Manges, ORNL

  • 35/136

    Outline:

    1. Security? Who needs it?

    2. How is security achieved in a wired channel?

    3. The Situation for Wireless

    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)

    5. An Integrated Solution

    6. The Big Review

  • 36/136

    Wireless Buildings

    Key to success: reduced installation costs

    From many perspectives, THIS is what a wireless sensor network can provide.

    Slide courtesy of Pat Gonia, Honeywell

  • 37/136

    Modulation

    E(t) = A(t) cos[ t + (t)]

    Amplitude Modulation (AM)

    info is in A(t)

    Frequency Modulation (FM)

    info is in

    Phase Modulation (PM)

    info is in (t)

    [Figure: waveforms with phase = 0°, 180°, 270° and 360° (or back to 0°)]

    Different vendors use different schemes - and they are not interoperable.

  • 38/136

    The FCC Frequency Assignment

    Different vendors may use different frequencies within the various ISM bands (green in the diagram).

    The ISM bands most commonly used are at 433, 915 and 2400 MHz.

  • 39/136

    Multiple Sensors Sharing the Medium: Multiplexing. FDMA, TDMA and CDMA

  • 40/136

    Binary Signaling Formats

    Used to Improve Digital Signal Reception and Decision

    NRZ: Non-Return to Zero

    RZ: Return to Zero

    Unipolar: Only one side of 0V

    Bipolar: Both sides of 0V

    Manchester: Bi-Phase (0 in left 1/2 time slot, 1 in right)

  • 41/136

    Narrowband or Spread Spectrum?

    Narrowband uses a fixed carrier frequency, F0.

    The receiver then locks onto the carrier frequency, F0.

    Easy to implement (inexpensive).

    Prone to jamming or interference (two transmitters at the same carrier frequency, F0).

    Least secure modulation scheme.


  • 43/136

    Narrowband or Spread Spectrum (cont.) ?

    Direct Sequence Spread Spectrum uses a fixed carrier frequency, F0, but interleaves the data with a precise mathematical 0/1 data sequence. (This increases the length of the transmitted information vector, making it longer.) The information is replicated many times throughout the bandwidth, so if one lobe of the information is jammed, the remainder gets through. Highly robust technique.

    The receiver then locks onto the carrier frequency, F0, receives the signal and then must undo the interleaving.

    More difficult to implement (more expensive).

    Most complicated scheme (of these presented).

    Most secure modulation scheme.

    DIRECT SEQUENCE SPREAD SPECTRUM
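    The spreading and "undo" steps described on this slide, as an added example that is not part of the original deck: each data bit is XORed with an 11-chip sequence, constructed interference inverts some chips, and the receiver recovers the bits by correlating against its own copy of the sequence. The 11-chip Barker code is chosen to match the 11 chips/bit figure the deck quotes for 802.11; the function names and sample payload are this example's own.

```python
"""Chip-level model of direct-sequence spreading and despreading (added example)."""

# 11-chip Barker sequence used by 1 and 2 Mbps 802.11 DSSS, written as 0/1 chips.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]

# Constructed sample payload.
DATA = [1, 0, 1, 1, 0, 0, 1, 0]


def spread(bits, pn=BARKER_11):
    """XOR each data bit with the whole PN sequence: one bit becomes len(pn) chips."""
    return [bit ^ chip for bit in bits for chip in pn]


def despread(chips, pn=BARKER_11):
    """Correlate each chip group with the local PN copy and decide by majority.

    Returns (bits, margins); a margin is the number of chips that agreed with
    the decision, so len(pn) means a clean symbol and about half means noise.
    """
    n = len(pn)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits, margins = [], []
    for start in range(0, len(chips), n):
        group = chips[start:start + n]
        ones = sum(c ^ p for c, p in zip(group, pn))  # chips voting for bit 1
        bit = 1 if 2 * ones > n else 0
        bits.append(bit)
        margins.append(ones if bit else n - ones)
    return bits, margins


def corrupt(chips, positions):
    """Model interference by inverting the chips at the given indices."""
    hit = set(positions)
    return [c ^ 1 if i in hit else c for i, c in enumerate(chips)]


def misalign(chips, offset, pn=BARKER_11):
    """Receiver whose PN clock is `offset` chips late: drop chips, keep whole groups."""
    n = len(pn)
    usable = (len(chips) - offset) // n * n
    return chips[offset:offset + usable]


if __name__ == "__main__":
    tx = spread(DATA)
    print("chips on air   :", len(tx))
    print("clean          :", despread(tx))
    # Five of the eleven chips of the third symbol are hit: the bit survives.
    print("5 chips hit    :", despread(corrupt(tx, range(22, 27))))
    # Six chips hit: the majority flips and the bit is lost.
    print("6 chips hit    :", despread(corrupt(tx, range(22, 28))))
    # Local PN sequence not lined up: every margin collapses to a coin flip.
    print("PN 3 chips late:", despread(misalign(tx, 3)))
```

    Because the 802.11 spreading code is fixed and published, this gain protects against interference rather than against a receiver that knows the code; confidentiality still rests on encryption.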

  • 44/136

    DIRECT-SEQUENCE SPREAD-SPECTRUM SIGNALS

    [Figure: transmitter and receiver block diagram (data, data clock, carrier, PN clock, PN sequence generators, wide BP filter, narrow BP filter, phase demod, local carrier, local PN clock; RFI and spread RFI) with three plots of power spectral density versus frequency around fc.]

    Narrow spectrum at output of modulator before spreading

    Spectrum has wider bandwidth and lower power density after spreading with PN sequence (PN Rate >> Data Rate)

    Original narrowband, high power density spectrum is restored if local PN sequence is same as and lined up with received PN sequence

  • 45/136

    Narrowband or Spread Spectrum (cont.) ?

    Which is best?

    Each has its pluses and minuses... and each scheme has its share of die-hard advocates and/or naysayers!

    From a security standpoint, DSSS is best.

    Different vendors use these (and other) schemes at different frequencies within the various ISM bands.

  • 46/136

    Reality

    DSSS FHSS

  • 47/136

    No Matter What... It's Just an Electromagnetic Field

    A(t): amplitude of the wave

    : radian frequency of the wave

    (t): phase of the wave

    E(t) = A(t) cos[ t + (t)]


  • 49/136

    There are SO many technical questions, such as:

    Network Topologies?

    Bus Network

    Tree Network

    Star Network

    Ring Network

    Ad Hoc Network

  • 50/136

    Real World:

    The Real World Presents the Wireless Channel with Multipath and Attenuation... and

  • 51/136

    Real World: Multipath

    The Cause

    The Effect

  • 52/136

    Real World: Atmospheric Attenuation at 2.4 GHz

    Real World: Rayleigh Fading @ 2.4 GHz

  • 53/136

    Real World: Signal Attenuation at 2.4 GHz


  • 57/136

    Wireless Data Security: Encryption, Spreading, Interleaving

    Wireless networks use a variety of techniques to enhance security, such as spreading and interleaving. These techniques can make the signal virtually undetectable without prior knowledge about the network. This can improve the security of the network by orders of magnitude.

    Slide courtesy of Wayne Manges, ORNL

  • 58/136

    The Wireless Market

    [Figure: range (SHORT to LONG; PAN, LAN) versus data rate (LOW to HIGH; text, graphics, Internet, hi-fi audio, streaming video, digital video, multi-channel video), positioning ZigBee, Bluetooth 1, Bluetooth 2, 802.11b, and 802.11a/HL2 & 802.11g.]

  • 59/136

    Bluetooth vs. the Rest (cont'd)

    Parameter       802.11                        HomeRF                        Bluetooth                     ZigBee (proposed)
    Technology      2.4 GHz, DSSS, 11 chips/bit   2.4 GHz, FHSS, 50 hops/s      2.4 GHz, FHSS, 1000+ hops/s   2.4 GHz, DSSS, 15 chips/bit
    Data Rate       11 Mbps                       1 Mbps                        1 Mbps                        40 kbits/s
    Power           +20 dBm                       +20 dBm                       0, +20 dBm                    0 dBm
    Range           50 m                          50 m                          1-10 m, 50 m                  100 m
    Topology        128 devices, CSMA/CA          128 devices, CSMA/CA          8 devices, Piconet            100s devices, CSMA/CA
    Security        Optional WEP                  Optional                      Encryption                    Not yet
    Voice Channel   Optional                      Optional                      Yes                           No

    Bluetooth aka IEEE 802.15.1

    ZigBee aka IEEE 802.15.4

  • 60/136

    Side by Side

  • 61/136

    802.11?

    The Worldwide View of the 802.11 Spectral

  • 62/136

    The Worldwide pSpace

  • 63/136

    Radiated Field from a single AP (Kansas City)

  • 64/136

    20 dB Attenuation Profile for Univ of Kansas Eng Bldg., Mesh and AP deployments

  • 65/136

    WEP

    The industry's solution: WEP (Wired Equivalent Privacy)

    Share a single cryptographic key among all devices

    Encrypt all packets sent over the air, using the shared key

    Use a checksum to prevent injection of spoofed packets

    [Figure label: (encrypted traffic)]

  • 66/136

    Early History of WEP

    1997: 802.11 WEP standard released

    Mar 2000: Simon, Aboba, Moore: some weaknesses

    Oct 2000: Walker: Unsafe at any key size

    Jan 30, 2001: Borisov, Goldberg, Wagner: 7 serious attacks on WEP

    Feb 5, 2001: NY Times, WSJ break the story

  • 67/136

    Subsequent Events

    Jan 2001: Borisov, Goldberg, Wagner

    Mar 2001: Arbaugh: Your 802.11 network has no clothes

    May 2001: Arbaugh: more attacks

    Jun 2001: Newsham: dictionary attacks on WEP keys

    Aug 2001: Fluhrer, Mantin, Shamir: efficient attack on way WEP uses RC4

    Feb 2002: Arbaugh, Mishra: still more attacks

  • 68/136

    WEP Attack Tools

    Downloadable procedures from the Internet

    To crack the Key:

    AirSnort

    http://airsnort.sourceforge.net

    WEPCrack

    http://sourceforge.net/projects/wepcrack/

    To brute force enter into WLAN,

    THC-RUT

    http://www.thehackerschoice.com/releases.php


  • 69/136

    Wi-Fi Protected Access (WPA)

    Flaws in WEP known since January 2001 - flaws include weak encryption (keys no longer than 40 bits), static encryption keys, lack of key distribution method.

    IEEE developing 802.11i standard for enhanced wireless security - addresses weak data encryption and user authentication within existing 802.11 standard.

    802.11i standard will not be ratified until late 2003, possibly early 2004 - outstanding issues.

    WPA standard joint effort between Wi-Fi Alliance and IEEE - WPA a subset of IEEE 802.11i standard (Draft 3.0).

    WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).

  • 70/136

    WPA Data Encryption

    WPA uses Temporal Key Integrity Protocol (TKIP) - stronger data encryption, addresses known vulnerabilities in WEP.

    TKIP chosen as primary encryption cipher suite - easily deployed and supported in legacy 802.11b hardware compared to other available cipher suites.

    TKIP based on RC4 stream cipher algorithm, surrounds WEP cipher engine with 4 new algorithms:

    1. Extended 48-bit Initialization Vector (IV) and IV sequencing rules (compared to the shorter 24-bit WEP RC4 key).

    2. New per-packet key mixing function.

    3. Derivation and distribution method - a.k.a. re-keying.

    4. A message integrity check (MIC) - a.k.a. Michael, ensures messages haven't been tampered with during transmission.

  • 71/136

    WPA Data Encryption, cont'd - the Temporal Key Integrity Protocol.

    DA: Destination Address

    ICV: Integrity Check Value

    MPDU: Message Protocol Data Unit

    MSDU: MAC Service Data Unit

    RSN: Robust Security Network

    SA: Source Address

    TA: Transmitter Address

    TKIP: Temporal Key Integrity Protocol

    TSC: TKIP Sequence Counter

    TTAK: result of phase 1 key mixing of Temporal Key and Transmitter Address

    WEP: Wired Equivalent Privacy

    WEP IV: Wired Equivalent Privacy Initialization Vector

    [Figure: TKIP encapsulation block diagram. Temporal Key and TA feed Phase 1 key mixing, giving the TTAK Key; TTAK Key and TSC feed Phase 2 key mixing, giving the WEP seed(s) (represented as WEP IV + RC4 key). MIC Key and SA + DA + Plaintext MSDU Data feed MIC; Plaintext MSDU + MIC is split into Fragment(s), giving Plaintext MPDU(s). WEP Encapsulation outputs Ciphertext MPDU(s).]

  • 72/136

    WPA Data Encryption, cont'd

    TKIP implements countermeasures - reduces rate at which attacker can make message forgery attempts down to two packets every 60 seconds.

    After 60 second timeout new PMK or Groupwise Key generated, depending on which attacked - ensures attacker cannot obtain information from attacked key.

    Countermeasures bound probability of successful forgery and amount of information attacker can learn about a key.

    TKIP is made available as firmware or software upgrade to existing legacy hardware.

    TKIP eliminates having to replace existing hardware or having to purchase new hardware.
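    The countermeasure behaviour described on this slide, as an added example that is not part of the original deck: a simplified monitor that logs a first MIC failure, shuts traffic off for 60 seconds when a second failure arrives within 60 seconds, and installs fresh keys when the timeout ends. The two 60-second figures come from the slide; the state machine, class and function names, and the failure timestamps are constructed for illustration and are not a driver implementation.

```python
"""Simplified model of TKIP MIC-failure countermeasures (added example)."""

WINDOW_S = 60      # two MIC failures inside this window trigger countermeasures
BLACKOUT_S = 60    # traffic is refused for this long, then keys are replaced

# Constructed sample: times (seconds) at which a frame failed its Michael MIC.
SAMPLE_FAILURES = [5, 12, 13, 40, 75, 200, 400, 430]


class MicFailureMonitor:
    def __init__(self):
        self.last_failure = None     # time of the most recent isolated failure
        self.blackout_until = None   # end of the current blackout, if any
        self.key_generation = 0      # bumped each time fresh keys are installed
        self.events = []             # (time, action) audit trail for alerting

    def _expire_blackout(self, now):
        """Leave the blackout once it has run its course and install new keys."""
        if self.blackout_until is not None and now >= self.blackout_until:
            self.events.append((self.blackout_until, "rekey"))
            self.key_generation += 1
            self.blackout_until = None

    def accepts_traffic(self, now):
        self._expire_blackout(now)
        return self.blackout_until is None

    def on_mic_failure(self, now):
        """Record one frame whose MIC did not verify; return the action taken."""
        self._expire_blackout(now)
        if self.blackout_until is not None:
            action = "dropped"            # link is down: the attempt is never evaluated
        elif self.last_failure is not None and now - self.last_failure < WINDOW_S:
            self.blackout_until = now + BLACKOUT_S
            self.last_failure = None
            action = "countermeasures"    # second failure inside the window
        else:
            self.last_failure = now
            action = "logged"             # isolated failure: record and keep going
        self.events.append((now, action))
        return action


def replay(timestamps):
    """Feed a list of failure times through a fresh monitor."""
    monitor = MicFailureMonitor()
    actions = [monitor.on_mic_failure(t) for t in timestamps]
    return monitor, actions


def max_attempts_per_window(events):
    """Largest number of evaluated forgery attempts in any WINDOW_S-long span."""
    evaluated = [t for t, a in events if a in ("logged", "countermeasures")]
    return max(
        (sum(1 for u in evaluated if t <= u < t + WINDOW_S) for t in evaluated),
        default=0,
    )


if __name__ == "__main__":
    monitor, actions = replay(SAMPLE_FAILURES)
    for t, a in monitor.events:
        print(f"t={t:>4}s  {a}")
    print("attempts evaluated per 60 s, worst case:",
          max_attempts_per_window(monitor.events))
```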

  • 73/136

    Bluetooth?

  • 74/136

    Bluetooth - Some Specifications

    Uses unlicensed 2.402 - 2.480 GHz frequency range

    Frequency hopping spread spectrum: 79 hops separated by 1 MHz

    Maximum frequency hopping rate: 1600 hops/sec

    Nominal range: 10 cm to 10 meters

    Nominal antenna power: 0 dBm

    One complete Bluetooth data packet can be transmitted within each 625 µsec hop slot.

  • 75/136

    Potential Bluetooth Markets

    Bluetooth Market Forecast

  • 76/136

    Nov03: 100M Bluetooth compliant devices worldwide


  • 78/136

    Bluetooth Security

    Supports Unidirectional or Mutual Encryption based on a Secret Link key Shared Between Two Devices

    Security Defined In 3 modes:

      Mode 1 - No Security

      Mode 2 - Service Level Security: Not Established Before Channel is Established at L2CAP

      Mode 3 - Link Level Security: Device Initiates Security Before LMP Link is Setup

    Devices and Services can be Set for Different Levels of Security

    Two Trust Levels are Set for Devices

      Trusted Device: Fixed Relationship and Unrestricted Access to All Services

      Untrusted: No Permanent relationship and Restricted Services

  • 79/136

    Bluetooth Security

    Devices and Services can be Set for Different Levels of Security

    Two Trust Levels are Set for Devices

      Trusted Device: Fixed Relationship and Unrestricted Access to All Services

      Untrusted: No Permanent relationship and Restricted Services

  • 80/136

    Bluetooth Security

    3 Levels of Service Access

      Require Authorization and Authentication

      Require Authentication Only

      Default Security for Legacy Applications

  • 81/136

    But is this Wireless Link Secure?

    Newsflash: Jan 2001: Norwegian hackers crack a Bluetooth transmission

    Analysis of a BlueTooth Transmission

  • 82/136

    High overhead?


  • 84/136

    IEEE 802.15.4 standard

    Includes layers up to and including Link Layer Control

    LLC is standardized in 802.1

    Supports multiple network topologies including Star, Cluster Tree and Mesh

    [Figure: protocol stack, top to bottom: ZigBee Application Framework; Networking App Layer (NWK); Data Link Controller (DLC) with IEEE 802.15.4 LLC and IEEE 802.2 LLC, Type I; IEEE 802.15.4 MAC; IEEE 802.15.4 868/915 MHz PHY and IEEE 802.15.4 2400 MHz PHY.]

    Features of the MAC: Association/dissociation, ACK, frame delivery, channel access mechanism, frame validation, guaranteed time slot management, beacon management, channel scan

    Low complexity: 26 primitives versus 131 primitives for 802.15.1 (Bluetooth)

  • 85/136

    PHY overview

    Speed

      20, 40 or 250 kbps

    Channels

      1 channel in the 868 MHz band

      10 channels in the 915 MHz band

      16 channels in the 2.4 GHz band

    Modulation

      BPSK (868 MHz / 20 kbps)

      BPSK (915 MHz / 40 kbps)

      O-QPSK (2.4 GHz / 250 kbps)

    Coexistence w/

      802.11b DSSS

      802.15.1 FHSS

      802.15.3 DSSS

  • 86/136

    MAC overview

    Security support

    Power consumption consideration

    Dynamic channel selection

    Network topology

      Star topology

      p2p topology

      cluster-tree network topology

  • 87/136

    Device classification

    Full Function Device (FFD)

      Any topology

      Can talk to RFDs or other FFDs

      Operate in three modes: PAN coordinator, Coordinator, Device.

    Reduced Function Device (RFD)

      Limited to star topology

      Can only talk to an FFD (coordinator)

      Cannot become a coordinator

      Unnecessary to send large amounts of data

      Extremely simple

      Can be implemented using minimal resources and memory capacity

  • 88/136

    Transmission management

    Acknowledgement

      No ACK

      ACK

    Retransmission

    Duplicate detection

    Indirect transmission

  • 89/136

    Security

    Unsecured mode

    ACL mode

      Access control

    Secured mode

      Access control

      Data encryption

      Frame integrity

      Sequential freshness

  • 8/14/2019 Wireless Sensor System

    90/136

    90ISA Wireless Security, P. Fuhr

    Scalable Security

    Assume the attacker can deploy own nodes (can create aring at some distance from controller)[Wisenet 2003]

    Enemy nodes mimick the mesh nodes; they ACK thehealth inquiry as if everything was OK but they donot forward to the rest of the net

    The rest of the network is virtually cut off frominspection by controller

    Need secure key and a random seed that changes at each

    round
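Why the seed has to change at each round, as an added example (not from the original slides): every node authenticates its health ACK with HMAC-SHA-256 over the current round's seed, so ACKs handed back on behalf of the cut-off part of the mesh fail verification at the controller. Per-node keys, the node ids and the six-node layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def health_tag(key, node_id, status, seed):
    """ACK authenticator bound to the node, its status and this round's seed."""
    msg = seed + node_id.to_bytes(2, "big") + status
    return hmac.new(key, msg, hashlib.sha256).digest()


class MeshNode:
    def __init__(self, node_id, key):
        self.node_id, self.key = node_id, key

    def answer(self, seed):
        """Honest node's reply to a health inquiry."""
        status = b"OK"
        return (self.node_id, status,
                health_tag(self.key, self.node_id, status, seed))


class Controller:
    def __init__(self, keys, per_round_seed=True):
        self.keys = keys                        # node id -> key (assumed per-node keys)
        self.per_round_seed = per_round_seed

    def new_seed(self):
        # A constant seed models "secure key only, no changing seed"
        return secrets.token_bytes(16) if self.per_round_seed else b"\x00" * 16

    def unverified(self, seed, acks):
        """Node ids whose health could not be confirmed in this round."""
        confirmed = set()
        for node_id, status, tag in acks:
            key = self.keys.get(node_id)
            if key and hmac.compare_digest(
                    tag, health_tag(key, node_id, status, seed)):
                confirmed.add(node_id)
        return sorted(set(self.keys) - confirmed)


def simulate(per_round_seed):
    """Return the unverified node lists for an intact round and a cut-off round."""
    keys = {nid: secrets.token_bytes(16) for nid in range(1, 7)}
    nodes = [MeshNode(nid, k) for nid, k in keys.items()]
    inner, outer = nodes[:3], nodes[3:]         # nodes 4-6 lie beyond the ring
    outer_ids = {n.node_id for n in outer}
    ctrl = Controller(keys, per_round_seed)

    # Round 1: network intact. ACKs from the outer nodes travel through
    # the nodes that later stop forwarding, so those ACKs can be recorded.
    seed1 = ctrl.new_seed()
    round1 = [n.answer(seed1) for n in nodes]
    recorded = [ack for ack in round1 if ack[0] in outer_ids]
    first = ctrl.unverified(seed1, round1)

    # Round 2: the inquiry no longer reaches nodes 4-6. The controller gets
    # the recorded ACKs back, plus one ACK made without the node's key.
    seed2 = ctrl.new_seed()
    keyless = (6, b"OK", health_tag(b"guess" * 4, 6, b"OK", seed2))
    round2 = [n.answer(seed2) for n in inner] + recorded + [keyless]
    second = ctrl.unverified(seed2, round2)
    return first, second


if __name__ == "__main__":
    print("seed changes each round:", simulate(True))
    print("seed never changes:     ", simulate(False))
```

With a fresh seed the controller reports nodes 4 to 6 as unverified in the second round; with a constant seed the recorded ACKs still verify and the cut-off goes unnoticed.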

    What About:

    1451.5?
    1xRTT?
    SAT?
    CDPD?
    Others?

    No time this morning!

    Outline:

    1. Security? Who needs it?
    2. How is security achieved in a wired channel?
    3. The Situation for Wireless (it's RF in an industrial setting. Spectrum, modulation, encryption, spatial)
    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
    5. An Integrated Solution
    6. The Big Review

    There are SO many technical questions: such as

    Integrated Industrial Networks?

    If the sensor network is to integrate into an industrial setting, then you should be cognizant of the Industrial Networking arena.

    Industrial Device Network Topology

    Typically, three layers of networking make up enterprisewide networks. Ethernet acts as the company's intranet backbone, and it's linked to controllers or industrial PCs, which supply strategic data to the enterprise. An industrial network, or fieldbus, links sensors and smart devices. A gateway (not uncommon in a large system with lots of devices) links devices that have only RS-232 or RS-485 ports to the fieldbus system.

    Classification of Industrial Networks

    Three logical groupings of instrumentation networks used in an industrial setting.

    There are over 100 different proprietary networks in the field.

    Inside Security Incident

    Employee attacks PLC in another plant area over PLC highway.

    Password changed to obscenity, blocking legitimate maintenance and forcing process shutdown.

    * Source: BCIT Industrial Security Incident Database (ISID)

    [Figure labels: Disgruntled Employee; PLCs in the Steam Plant and the Paper Plant; Plant Highway]

    Network Positioning

    [Figure: networks positioned along Functionality, Cost, Complexity and Data axes, each running from - to +. Networks shown: Ethernet TCP/IP, DeviceNet, Other CAN, SDS, Fieldbus H1, Profibus-PA, Modbus, HART, Profibus-DP, Interbus-S, Remote I/O, Profibus-FMS, Data Highway+, Modbus Plus, ASi, Seriplex, Hardwiring, RS485 etc., ControlNet, Foundation Fieldbus H2]

    Too Focused on Internet Issues?

    Myth #1: Our SCADA/PLC/DCS is safe if we don't connect to the Internet.

    Myth #2: Our Internet firewall will protect our control systems.

    Myth #3: Our IT department understands process control issues and security.

    Is Industrial Comm Security Too Focused on Internet Issues?

    [Figure: plant network diagram. Labels: Field Devices, Control Network, SCADA, Programming Stations, PLC, Remote Engineering, Production Planning, Manufacturing Logistics, Enterprise Resource Planning, Process Historian, Enterprise Network, Internet, Firewall, Ethernet, Production Networks, Handheld Operator Terminal, Modem, OEM, 802.11 WLAN, WarDialing Attack]

    Source (used by permission): Interface Technologies, Windsor, CT, 2002

    Outline:

    1. Security? Who needs it?
    2. How is security achieved in a wired channel?
    3. The Situation for Wireless (it's RF in an industrial setting. Spectrum, modulation, encryption, spatial)
    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
    5. An Integrated Solution
    6. The Big Review

    Coding vs. Quality of Service

    Is Coding Really Necessary?

    Direct Sequence Spread Spectrum

    Comparing Wireless

    Tech.         Range     RF Power   Battery life   Numbers In Area
    DSSS          Medium    Low        longest        High
    FHSS          Long      High       Short          Medium
    UWB           Medium    Lowest     short          High
    Narrow band   Longest   highest    short          Lowest

    Statistics on Types of Attacks

    [Figure: bar chart, % of Respondents (axis 0 to 120) for each year 1997 to 2002, by attack type: Theft of Proprietary Info, Sabotage, Telecom Eavesdropping, System Penetration, Insider Abuse of Net Access, Financial Fraud, Virus, Unauthorized Insider Access, Telecom Fraud, Active Wiretap, Laptop Theft, Denial of Service]

    *Source: 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Institute - www.gocsi.com/losses.

    Optimization of Security vs. Cost

    Risk reduction is balanced against the cost of security countermeasures to mitigate the risk.

    [Figure: Cost ($) versus Security Level, with curves for Cost of Security Countermeasures and Cost of Security Breaches; the Optimal Level of Security at Minimum Cost is marked]

    Risk in Safety vs. Risk in Security

    Safety Definition: Risk is a measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.

    Security Definition: Risk is an expression of the likelihood that a defined threat will exploit a specific vulnerability of a particular attractive target or combination of targets to cause a given set of consequences.

    *Source: CSPP Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites

    Firewall Architectures

    The external router blocks attempts to use the underlying IP layer to break security (e.g. IP spoofing, source routing, packet fragments, etc.) and forces all traffic to the proxy.

    The proxy firewall handles potential security holes in the higher layer protocols.

    The internal router blocks all traffic except to the proxy server.

    [Figure labels: Internet, External Router, Internal Router]

    There's a lot of Wireless

    From cellphones to PDAs to WiFi to Satellite-based

    Wireless LAN Standards

    Existing/Developing IEEE 802.11 Standards

    802.11     Frequency Hopping/DSSS
    802.11a    54Mbps / HyperLAN
    802.11b    (1999) 11Mbps
    802.11e    Quality of Service
    802.11f    Point 2 Point Roaming
    802.11g    (2003) 54Mbps
    802.11h    European Inspired Changes
    802.11i    (Q2,2004) New Encryption Protocols
    802.1x     (Q2,2004) Port Based Network Access
    802.15     Personal Area Network (WPAN)
    802.16     Wireless Metropolitan Area Network (WMAN)

    Wireless Backbone for Inflight Entertainment

    [Figure: On-Board Network Integration. Labels: PicoCellBTS (twice), NoiseFloorLifter, 6 MCU, GSM SERVER, SDU]

    ...and we haven't even touched on RFID!

    There's a lot of Wireless

    And it all needs to feel more Secure!

    For a real review of networking security

    Take Eric Byrnes ISA course IC32C

    Will History Repeat?

    [Figure: three timelines]

    Cellular networks (timeline marks: 1980, 1990, 2000)
      analog cellphones: AMPS
      analog cloning, scanners; fraud pervasive & costly
      digital: TDMA, GSM
      TDMA eavesdropping [Bar]
      more TDMA flaws [WSK]
      GSM cloneable [BGW]
      GSM eavesdropping [BSW,BGW]
      Future: 3rd gen.: 3GPP,

    Wireless networks (timeline marks: 1999, 2000, 2001, 2002, 2003)
      802.11, WEP
      WEP broken [BGW]
      WEP badly broken [FMS]
      WPA
      attacks pervasive
      Future: 802.11i

    Sensor networks (timeline marks: 2002, 2003)
      Proprietary systems
      1451, 802.15.4, Tiny
      Future: ???

    wireless security: not just 802.11

    So... If Nothing else, at least PLEASE do this for your WiFi System!

    WLAN Security Countermeasures
      Conduct site survey
      Identify areas of signal strength and weakness
      Do a walkaround with NetStumbler
      Document and shut down rogue access points
      Document and shut down unauthorized wireless NICs
      AND TURN ON SOME LEVEL OF THE PROVIDED PROTECTION!

    Oh...

    And don't forget that as you layer in all of these wacky encryption schemes and CDMA and DSSS and... and that it takes some joules to actually implement this. So if your wireless network has prime power (a.k.a. AC) you're ok. But if you're going off a battery then it's a tradeoff of security versus Power Consumption. You Choose that one!

    ...and in the end...

    ...or...

    Two potential forms of wireless sensor networks. And they should both be secure!

    [Figure labels: HoneyBee with RFID; BumbleBee with RF xcvr]

    Outline:

    1. Security? Who needs it?
    2. How is security achieved in a wired channel?
    3. The Situation for Wireless (it's RF in an industrial setting. Spectrum, modulation, encryption, spatial)
    4. Security within various Wireless Delivery Schemes (cellular, WiFi, 802.15.4, Bluetooth, others)
    5. An Integrated Solution
    6. The Big Review
    7. Glossary and References

    Glossary

    10BASE-T: IEEE 802.3 standard for a twisted-pair Ethernet network. 10 Mbps transmission rate over baseband using unshielded, twisted-pair cable.

    802.11: The IEEE 802.11 standard defines both frequency hopping and direct sequence spread spectrum solutions for use in the 2.4-2.5 MHz ISM (Industrial, Scientific, Medical) band.

    802.11a: The Global System for Mobile Communications standard for worldwide wireless communications on wide area networks (WANs).

    802.11b: The portion of the 802.11 specification that defines the 11 Mbps data rate.

    A

    Access Point: Provides a bridge between Ethernet wired LANs and the wireless network. Access points are the connectivity point between Ethernet wired networks and devices (laptops, hand-held computers, point-of-sale terminals) equipped with a wireless LAN adapter card.

    Analog phone: Comes from the word "analogous," which means similar to. In telephone transmission, the signal being transmitted from the phone (voice, video or image) is analogous to the original signal.

    Antenna-Directional: Transmits and receives radio waves off the front of the antenna. The power behind and to the sides of the antenna is reduced. The coverage area is oval with the antenna at one of the narrow ends. Typical directional antenna beam width angles are from 90° (somewhat directional) to as little as 20° (very directional). A directional antenna directs power to concentrate the coverage pattern in a particular direction. The antenna direction is specified by the angle of the coverage pattern called the beam width.

    Antenna-Omni-directional: Transmits and receives radio waves in all directions. The coverage area is circular with the antenna at the center. Omni-directional antennas are also referred to as whip or low-profile antennas.

    Association: The process of determining the viability of the wireless connection and establishing a wireless network's root and designated access points. A mobile unit associates with its wireless network as soon as it is powered on or moves into range.

    ATM: Asynchronous Transfer Mode. A type of high-speed wide area network.

    B

    Backbone: A network that interconnects other networks, employing high-speed transmission paths and often spanning a large geographic area.

    Bandwidth: The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines the rate at which information can be transmitted through the circuit.

    Bandwidth Management: Functionality that allocates and manages RF traffic by preventing unwanted frames from being processed by the access point.

    BC/MC: Broadcast frames; Multicast frames

    Beacon: A uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the Net_ID (ESSID), the AP address, the Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indicator Maps) and the TIM (Traffic Indicator Message).

    BFA Antenna Connector: Miniature coaxial antenna connector manufactured by MuRata Manufacturing Corporation.

    Bluetooth: See Wireless Personal Area Networks.

    Bridge: A device that connects two LANs of the same or dissimilar types. It operates at the Data Link Layer, as opposed to routers. The bridge provides fast connection of two collocated LAN segments that appear as one logical network through the bridge.

    Buffer: A segment of computer memory used to hold data while it is being processed.

    H.323: An umbrella standard from the International Telecommunications Union (ITU) that addresses call control, multimedia management, and bandwidth management for point-to-point and multi-point conferences, as well as interfaces between LANs and other networks. The most popular standard currently in use.

    Handheld PC (HPC): The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Windows CE operating system.

    Interactive Voice Response: System used to access a database access application using a telephone. The voice processing acts as a front-end to appropriate databases that reside on general purpose computers. For instance, DTMF (touch tone) input of a Personal Identification Number can be required for access or more unusual and expensive techniques such as voice recognition and voice print matching.

    Internet: World's largest network, often referred to as the Information Superhighway. The Internet is a virtual network based on packet switching technology. The participants on the Internet and its topology change on a daily basis.

    Internet Commerce: Electronic business transactions that occur over the Internet. Samples of Internet commerce applications include electronic banking, airline reservation systems, and Internet malls.

    Internet Phone: Device used to transmit voice over the Internet, bypassing the traditional PSTN and saving money in the process. An Internet phone can be a small phone (such as the NetVision Phone) or a multimedia PC with a microphone, speaker, and modem.

    Interoperability: The ability of equipment or software to operate properly in a mixed environment of hardware and software, from different vendors. Enabled by the IEEE 802.11 open standard.

    IP (Internet Protocol): The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet. Provides the basis of the Internet connection-less, best-effort packet delivery service. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two fundamental protocols.

    International Roaming: Ability to use one adapter worldwide.

    Intranet: A private network that uses Internet software and Internet standards. In essence, an intranet is a private Internet reserved for use by people who have been given the authority and passwords necessary to use that network.

    ISDN: Integrated Services Digital Network. Emerging network technology offered by local phone companies that is designed for digital communications, computer telephony, and voice processing systems.

    ISM Band: ISM bands--instrumental (902-928MHz), science (2.4-2.4835GHz), and medical (5.725-5.850GHz)--are the radio frequency bands allocated by the FCC for unlicensed continuous operations for up to 1W. The most recent band approved by the FCC for WLANs was the medical band in January 1997.

    ITU: International Telecommunications Union. Standards body that defined H.323 and other international standards.

    Jitter: Noise on a communications line which is based on phase hits, causing potential phase distortions and bit errors.

    Kerberos: A widely deployed security protocol that was developed at the Massachusetts Institute of Technology (MIT) to authenticate users and clients in a wired network environment and to securely distribute encryption keys.

    Key Telephone System: A system in which the telephone has multiple buttons permitting the user to directly select central office phone lines and intercom lines. Key phone systems are most often found in relatively small business environments, typically around 50 telephones.

    Layer: A protocol that interacts with other protocols as part of an overall transmission system.

    LPD (Line Printer Daemon): A TCP-based protocol typically used between a Unix server and a printer driver. Data is received from the network connection and sent out over the serial port.

    MAC (Media Access Control): Part of the Data Link Layer, as defined by the IEEE, this sublayer contains protocols for gaining orderly access to cable or wireless media.

    MD5 Encryption: An authentication methodology when MU is in foreign subnet.

    MIB (Management Information Base): An SNMP structure that describes the specific device being monitored by the remote-monitoring program.

    Microcell: A bounded physical space in which a number of wireless devices can communicate. Because it is possible to have overlapping cells as well as isolated cells, the boundaries of the cell are established by some rule or convention.

    Modem: Equipment that converts digital signals to analog signals and vice versa. Modems are used to send digital data signals over the analog PSTN.

    MMCX Antenna Connector: Miniature coaxial antenna connector in use by several major wireless vendors.

    Mobile IP: The ability of the mobile unit to communicate with the other host using only its home IP address, after changing its point of attachment to the Internet and intranet.

    Mobile Unit (MU): May be a Symbol Spectrum24 terminal, PC Card and PCI adapter, bar-code scanner, third-party device, and other

    Mobile Unit Mode: In this mode, the WLAN adapter connects to an access point (AP) or another WLAN installed system, allowing the device to roam freely between AP cells in the network. Mobile units appear as network nodes to other devices.

    Modulation: Any of several techniques for combining user information with a transmitter's carrier signal.

    Multipath: The signal variation caused when radio signals take multiple paths from transmitter to receiver.

    Multipath Fading: A type of fading caused by signals taking different paths from the transmitter to the receiver and, consequently, interfering with each other.

    Node: A network junction such as a switch or a routing center.

    Packet Switching: Refers to sending data in packets through a network to some remote location. In a packet switched network, no circuit is left open on a dedicated basis. Packet switching is a data switching technique only.

    PBX Phone System: Private Branch eXchange. Small version of the phone company's larger central switching office. An alternative to a PBX is to subscribe to a local telephone company's Centrex service.

    PCMCIA (Personal Computer Memory Card International Association) PC Card: A credit card-size device used in laptop computers and available as removable network adapters.

    PCS (Personal Communications Service): A new, lower powered, higher-frequency competitive technology to cellular. Whereas cellular typically operates in the 800-900 MHz range, PCS operates in the 1.5 to 1.8 GHz range. The idea with PCS is that the phones are cheaper, have less range, and are digital. The cells are smaller and closer together, and airtime is cheaper.

    Peer-to-peer Network: A network design in which each computer shares and uses devices on an equal basis.

    Ping: A troubleshooting TCP/IP application that sends out a test message to a network device to measure the response time.

    PLD (Data Link Protocol): A raw packet protocol based on the Ethernet frame format. All frames are sent to the wireless network verbatim--should be used with care as improperly formatted data can go through with undesirable consequences.

    Plug and Play: A feature that allows a computer to recognize the PCI adapter and configure the hardware interrupt, memory, and device recognition addresses; requires less user interaction and minimizes hardware conflicts.

    Pocket PC: The term adopted by Microsoft and its supporters to describe handheld computers employing Microsoft's Pocket PC operating system.

    Point-of-Sale Device: A special type of equipment that is used to collect and store retail sales data. This device may be connected to a bar code reader and it may query a central computer for the current price of that item.

    POTS (Plain Old Telephone Service): The basic service supplying standard single line telephones, telephone lines, and access to the public switched telephone network.

    Power Management: Algorithms that allow the adapter to sleep between checking for network activity, thus conserving power.

    PSP (Power Save Polling): Stations power off their radios for long periods. When a mobile unit in PSP mode associates with an access point, it notifies the AP of its activity status. The AP responds by buffering packets received for the MU.

    PSTN (Public Switched Telephone Network): Refers to the worldwide voice telephone network accessible to all those with telephones and access privileges. In the U.S., the PSTN is provided by AT&T.

    QoS (Quality of Service): Measure of the telephone service quality provided to a subscriber. QoS refers to things like: Is the call easy to hear? Is it clear? Is it loud enough?

    RBOC (Regional Bell Operating Company): One of the seven Bell operating companies set up after the divestiture of AT&T, each of which own two or more Bell Operating Companies (BOCs).

    Roaming: Movement of a wireless node between two microcells. Roaming usually occurs in infrastructure networks built around multiple access points.

    Repeater: A device used to extend cabling distances by regenerating signals.

    Router: The main device in any modern network that routes data blocks from source to destination using routing tables and determining the best path dynamically. It functions as an addressable entity on the LAN and is the basic building block of the Internet.

    SNMP (Simple Network Management Protocol): The network management protocol of choice for TCP/IP based intranets. Defines the method for obtaining information about network operating characteristics, change parameters for routers and gateways.

    Scanning: A periodic process where the mobile unit sends out probe messages on all frequencies defined by the country code. The statistics enable a mobile unit to re-associate by synchronizing its frequency to the AP. The MU continues communicating with that access point until it needs to switch cells or roam.

    Site Survey: Physical environment survey to determine the placement of access points and antennas, as well as the number of devices necessary to provide optimal coverage, in a new or expanding installation.

    Spread Spectrum: A transmission technique developed by the U.S. military in World War II to provide secure voice communications, spread spectrum is the most commonly used WLAN technology today. It provides security by "spreading" the signal over a range of frequencies. The signal is manipulated in the transmitter so that the bandwidth becomes wider than the actual information bandwidth. De-spreading the signal is impossible for those not aware of the spreading parameters; to them, the signal sounds like background noise. Interference from narrowband signals is also minimized to background noise when it is de-spread by the receiver. Two types of spread spectrum exist: direct sequence and frequency hopping.

    Stream Mode: A communications protocol supported only by the Telnet and TCP protocols. Stream mode transfers serial characters as they are received by encapsulating them in a packet and sending them to the host.

    T1: A type of dedicated digital leased-line available from a public telephone provider with a capacity of 1.544 Mbps. A T1 line can normally handle 24 voice conversations, each one digitized at 64 Kbps. With more advanced digital voice encoding techniques, it can handle more voice channels. T1 is the standard for digital transmission in the U.S., Canada, Hong Kong, and Japan.

    TCP/IP: Networking protocol that provides communication across interconnected networks, between computers with diverse hardware architectures, and various operating systems. TCP/IP is used in the industry to refer to the family of common Internet protocols.

    TCP (Transport Communication Protocol): Controls the transfer of data from one client to one host, providing the mechanism for connection maintenance, flow control, retries, and time-outs.

    Telnet (Terminal Emulation Protocol): A protocol that uses the TCP/IP networking protocol as a reliable transport mechanism. Considered extremely stable.

    Terminal: An endpoint, which provides for real-time, two-way communications with another terminal, gateway, or mobile unit.

    Token Ring: A ring type of local area network (LAN) in which a supervisory frame, or token, must be received by an attached terminal or workstation before that terminal or workstation can start transmitting. Token ring is the technique used by IBM and others.

    UDP (User Datagram Protocol): UDP/IP is a connection-less protocol that describes how messages reach application programs running in the destination machine; provides low overhead and fast response and is well suited for high-bandwidth applications.

    Video Conferencing: Video and audio communication between two or more people via a video CODEC (coder/decoder) at either end and linked by digital circuits.

    Voice Mail System: Device or system that records, stores, and retrieves voice messages. The two types of voice mail devices are those which are "stand alone" and those which offer some integration with the user's phone system.

    Wi-Fi: A logo granted as the "seal of interoperability" by the Wireless Ethernet Compatibility Alliance (WECA). Only select wireless networking products possess this characteristic of IEEE 802.11b.

    Wireless AP Support: Access Point functions as a bridge to connect two Ethernet LANs.

    Wireless Local Area Network (WLAN): A wireless LAN is a data communications system providing wireless peer-to-peer (PC-to-PC, PC-to-hub, or printer-to-hub) and point-to-point (LAN-to-LAN) connectivity within a building or campus. In place of TP or coaxial wires or optical fiber as used in a conventional LAN, WLANs transmit and receive data over electromagnetic waves. WLANs perform traditional network communications functions such as file transfer, peripheral sharing, e-mail, and database access as well as augmenting wired LANs. WLANs must include NICs (adapters) and access points (in-building bridges), and for campus communications building-to-building (LAN-LAN) bridges.

    Wireless Personal Area Network (WPAN): Personal area networks are based on a global specification called Bluetooth which uses radio frequency to transmit voice and data. Over a short range, this cable-replacement technology wirelessly and transparently synchronizes data across devices and creates access to networks and the Internet. Bluetooth is ideal for mobile professionals who need to link notebook computers, mobile phones, PDAs, PIMs, and other hand-held devices to do business at home, on the road, and in the office.

    Wireless Wide Area Network (WWAN): Wide area networks utilize digital mobile phone systems to access data and information from any location in the range of a cell tower connected to a data-enabled network. Using the mobile phone as a modem, a mobile computing device such as a notebook computer, PDA, or a device with a stand-alone radio card, can receive and send information from a network, your corporate intranet, or the Internet.


    References (cont.)

  • 8/14/2019 Wireless Sensor System

    135/136

    135ISA Wireless Security, P. Fuhr

    Kriesel, Bustechnologien fr die Automation, 2nd Ed. . Hthig Verlag 2000, ISBN 3-7785-2778-9.Lian, "Performance evaluation of control networks for manufacturing systems". Proceedings of theASME(Dynamics and Control Division), 1999.Miklovic, "Real-time control networks". ISA 1993, ISBN 1-55617-231-1.Mikrocentrum Nederland, Syllabi themadagen "Industrile netwerken". 1993-2001.Newman, "Direct digital control of building systems". Wiley, 1994, ISBN 0-471-51696-1.Phoenix, "Grundkurs Sensor/Aktor-Feldbustechnik". Vogel Verlag, ISBN 3-8023-1708-4.Phoenix, "Grundkurs Feldbustechnik". Vogel Verlag 2000, ISBN 3-8023-1813-7.Phoenix, "Basic course in sensor/actuator fieldbus technology". Vogel Verlag.Physikalische Technische Bundesanstalt, "Investigations into the intrinsic safety of fieldbus systems".PTB 1994, ISBN 3-89429-512-0.

    Reinert, "Sichere Bussysteme fr die Automation" Hthig Verlag 2001, ISBN 3-7785-2797-5.Reienweber B., "Feldbussysteme". Oldenbourg Verlag, 2002, ISBN 3-486-24536-8.Rikkert de Koe, "OSI-Protocollen lagen 1 t/m 4". Kluwer Telematica, ISBN 90-201-2388-2.Rosch, "Gebudesystemtechnik: Datenubertragung auf dem 230V Netz". Verlag Moderne Industrie1998, ISBN 3-478-93185-1.Scherff, B. "Feldbussysteme in der Praxis". Springer Verlag 1999, ISBN 3-540-63880-6.Schnell, G. "Bussysteme in der Automatisierungs- and Prozesstechnik" (4th Ed.). Vieweg Verlag2000, ISBN 3-528-36569.

    Svacina, "Understanding Device Level Buses". Turck.Thompson, "Industrial Data Communications: Fundamentals And Applications" 3rd Edition. ISA Press2002, ISBN 1-55617-767-4-G.

    Texas Instruments, "RS422 and RS485 Application Guide".VDI/VDE, "Richtlinien 3687: Auswahl von Feldbussysteme durch Bewertung ihrerLeistungseigenschaften fr verschiedene Anwendungsbereiche". VDI/VDE, 1997.Wittgruer, F. "Digitale Schnittstellen und Bussysteme". Vieweg Verlag 1999.Wrobel, "Optische bertragungstechnik in der Praxis, 2nd Ed.". Hthig Verlag 1998, ISBN 3-7785-

    2638-3.

  • 8/14/2019 Wireless Sensor System

    136/136