I discovered a podcast done by Dale Peterson of the security-related Digital Bond blog. In the first part of the podcast (1:45 to 31:30), Dale talks with Emerson’s Jeff Potter about the security in the WirelessHART / IEC 62591 global standard. Dale notes:
In the US ICS security community this standard seems to take a backseat to the ISA 100 wireless LAN specifications, but this is a mistake. WirelessHART has been out for a few years now with a significant installed base. It is a completed standard, and it has been blessed as an IEC and European standard.
Jeff describes the security involved when a WirelessHART device joins the network. Each device must present a 128-bit AES join key. The network can be configured with a single common join key or with a unique join key for each device; a HART handheld or a software program such as AMS Wireless Configurator can generate these unique keys per wireless device. Jeff notes that there is no “read key” command that returns the key stored in a device. There is only a “write key” command, which sets the join key.
Once a device has successfully joined, it shares a network key with all the other devices on the WirelessHART network; this key protects communications at the data link layer, hop by hop. Above that are session keys at the transport layer, which protect traffic end to end from an end device, through however many hops lie on the path, to the WirelessHART gateway. Only the end device and the gateway know an individual session key. Like the join keys, the network and session keys are 128-bit AES keys.
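The layering Jeff describes (a network key checked hop by hop at the data link layer, a session key known only to the end device and the gateway) can be seen in a small simulation. This is an added illustration, not code from the standard, from Emerson or from the podcast: it uses AES-GCM from Go's standard library as a stand-in for the CCM* mode WirelessHART specifies, the keys are constructed sample values, and none of the real frame format is reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Constructed sample keys (16 bytes = AES-128), not values from any real network.
var (
	NetworkKey = []byte("network-key-0001") // data link layer: every joined node holds it
	SessionKey = []byte("session-key-0001") // transport layer: one device and the gateway only
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable with a key that is not 16 bytes
	}
	return v
}
// seal returns nonce || ciphertext || tag under key (GCM stands in for the standard's CCM*).
func seal(key, pt []byte) []byte {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; a frame sealed under any other key is rejected.
func open(key, msg []byte) ([]byte, error) {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(msg) < a.NonceSize() {
		return nil, fmt.Errorf("frame too short")
	}
	return a.Open(nil, msg[:a.NonceSize()], msg[a.NonceSize():], nil)
}

// Deliver carries one payload from the end device (nodeKeys[0]) via relays to the gateway
// (last node): session layer sealed once end to end, data-link layer verified and re-sealed per hop.
func Deliver(payload []byte, nodeKeys [][]byte) ([]byte, error) {
	inner := seal(SessionKey, payload)
	frame := seal(nodeKeys[0], inner)
	for i := 1; i < len(nodeKeys); i++ {
		in, err := open(nodeKeys[i], frame)
		if err != nil {
			return nil, fmt.Errorf("hop %d rejected frame: %w", i, err)
		}
		inner, frame = in, seal(nodeKeys[i], in) // relay onward; frame is unused at the gateway
	}
	return open(SessionKey, inner) // only the gateway can strip the session layer
}
```

A relay that holds only the network key can verify and forward the frame but fails authentication if it tries the session layer, which is what keeps an intermediate hop from reading another device's data. The join key, which the post says can be written but never read back, is what a new device uses to obtain these keys in the first place and is not modelled here.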
Jeff was asked about the possibility of jamming these wireless communications. Even though the devices transmit at very low power, frequency diversity, path diversity, and time diversity make the communications extremely robust. I highlighted these techniques in an earlier post, Coexistence and Diversity Techniques for Reliable Wireless.
Jeff highlights the two concerns most process manufacturers raise when they consider adding wireless field devices. The first is how the wireless network will coexist with existing wireless and radio communications. Once they understand the diversity techniques, and perhaps conduct a pilot project with a few devices and a gateway, this concern usually subsides. The second major concern is the perception that wireless can open a “back door” at level 0 of the Purdue Model. Once the security model of the IEC 62591 standard is understood, this concern is reduced.
The flexibility of the HART communications standard and of WirelessHART has expanded what can be communicated: valve signatures, vibration waveforms, and other complex data types can now travel from the end device to the automation and/or asset management system to which the wireless network is connected. This gives operators and maintenance teams visibility into diagnostics from valves and other devices that were not previously connected back to them.
Dale provides links to a HART Communications Foundation whitepaper on WirelessHART security and a WirelessHART security whitepaper from the Emerson team as good sources to better understand the security aspects of this standard.