Applying security in WirelessHART

Posted on 12/22/2015, by INCIBE

The wired communication links typically used in control systems are being replaced, to a greater or lesser extent, by wireless ones. One of the most important reasons for this change is the economic saving it represents: a communication line is no longer needed for each device, sensor or actuator, which makes it possible to deploy equipment where this could not be done before.

Industrial wireless communications can be implemented with different protocols: traditional industrial protocols that have been extended with wireless capabilities, or new-generation protocols. This article focuses on WirelessHART, the wireless version of the HART industrial protocol.

Protocol definition

WirelessHART (HART 7 specification) is a protocol based on IEEE 802.15.4 in the bottom layers of the OSI model, the same as Zigbee or ISA 100. The WirelessHART specification itself covers the upper layers. The main characteristic of this protocol is its low power consumption, which allows it to be used in battery-powered devices without depleting the batteries in a short space of time.

- Figure: WirelessHART layers model with regard to the OSI model -

The protocol's characteristics include network management, which dynamically builds the network architecture as a mesh.

- Figure: WirelessHART Network -

WirelessHART builds on the wired HART protocol through a complete specification that incorporates several security measures, which is one of its strong points.

The specification defines different equipment within the WirelessHART network:

  • Network devices:
    • Field devices: Sensors and actuators connected through WirelessHART. They are able to route packets to other devices.
    • Hand-held devices: Devices used by operators to interact with the system.
  • Routers or repeaters: Devices responsible only for forwarding packets. Generally, these devices are not necessary since any field device can carry out this function.
  • Adaptors: Enable HART devices to join the WirelessHART network. They have a wired and a wireless interface, and should be capable of interpreting security material on behalf of equipment that predates the HART 7 specification.
  • Gateway: Responsible for connecting the WirelessHART network with other networks. It is the single connection point with the WirelessHART network.
  • Access Point: Responsible for providing the wireless network. It communicates directly with the Gateway. Several access points can communicate with the Gateway.
  • Network Manager: Maintains and updates routes, contains the list of devices and manages bandwidth.
  • Security Manager: Responsible for creating and managing the keys used by the network to encrypt communication.

The gateway, access point, network manager and security manager can be integrated in one physical device.

Security measures

The security measures of the WirelessHART protocol cannot be disabled. They can be divided into those that act at the logical level and those that act at the physical level.

Physical security measures:

  • Frequency channel hopping (FHSS). Each time a transmission is made, the channel is changed.
  • Adjustable power emission

Logical security measures:

  • Encryption using 128-bit AES
  • At least 4 different keys
    • 2 for broadcast traffic encryption (for network and application management)
    • 2 for point-to-point encryption (for network and application management)
  • Rotation of the encryption key used to connect to the network, automatically and on demand
  • Device authentication and data integrity
  • Unique encryption key for each message

At the physical level, these measures allow emissions to be controlled in noisy environments: signal strength can be adapted, or the emission channel changed, when communication through the channel in use is impossible. At the logical level, they enable several access levels and security event notifications, such as message integrity failure reports or authentication failures.

WirelessHART has an encryption key for network traffic, but it also allows packets to be exchanged in encrypted form between just two devices, which use a key specific to them. These keys are communicated by the Gateway to the field devices and are stored in the security manager, a separate device in the network which only communicates with the Gateway through the wired network.

Even though communication through WirelessHART has these security characteristics, the specification does not cover this network's communication with the wired part (devices such as the network manager and security manager) or with other HART protocol devices.

Security benefits in WirelessHART

By default, all WirelessHART devices require a password known as a Join Key to be able to connect to the network. The password must be configured in the device before it is joined to the network, since it is necessary for the exchange of control packets with the network Gateway.

However, relying on this single password alone is not recommended, since it is used in all broadcast communications and is therefore heavily used in the network. As an alternative, an Access Control List (ACL) can be used. ACLs control access to the network by having the Gateway verify the origin of the packet (through the MAC address or the transmitter's serial number). If the element is permitted, the packet is decrypted with the join key for processing. Once the device is accepted into the network, the rest of the devices receive the new-member message.

There is another option that gives the network more security, which consists of combining both approaches: the shared key is used to join and, once the device has joined the network, an Access Control List is created and the devices are given a new key. This is done by the Gateway and the security manager.
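The join policy described above (ACL check on the device identity, then join-key decryption, then a new device-specific key), as an added Go example that is not part of the original article or of any WirelessHART product. The `Gateway` type, function names, event strings and device IDs are hypothetical, and AES-128-GCM from the Go standard library is an assumed stand-in for the protocol's AES mode.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Gateway struct { // hypothetical model of the join policy; all names are assumptions
	Join   cipher.AEAD       // cipher keyed with the shared join key
	ACL    map[string]bool   // permitted device IDs (MAC or serial number)
	Keys   map[string][]byte // device-specific keys issued after a join
	Events []string          // security event notifications
}

func NewAEAD(key [16]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // AES-128: a 16-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)    // GCM is an assumed stand-in; the page only says 128-bit AES
	return gcm
}

// SealJoin is the device side: the payload is encrypted and bound to the device ID.
func SealJoin(a cipher.AEAD, id string, payload []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand; does not fail on Go 1.24+ (check the error on older toolchains)
	return a.Seal(nonce, nonce, payload, []byte(id))
}

// Admit is the gateway side: ACL check before decryption, then a new per-device key.
func (gw *Gateway) Admit(id string, msg []byte) ([]byte, error) {
	if !gw.ACL[id] {
		gw.Events = append(gw.Events, "acl-reject id="+id)
		return nil, fmt.Errorf("device %s is not in the ACL", id)
	}
	if n := gw.Join.NonceSize(); len(msg) >= n {
		if _, err := gw.Join.Open(nil, msg[:n], msg[n:], []byte(id)); err == nil {
			gw.Keys[id] = make([]byte, 16)
			rand.Read(gw.Keys[id])
			return gw.Keys[id], nil
		}
	}
	gw.Events = append(gw.Events, "auth-failure id="+id)
	return nil, fmt.Errorf("join request from %s failed authentication", id)
}

func main() {
	join := NewAEAD([16]byte{1, 2, 3}) // constructed sample join key
	gw := &Gateway{Join: join, ACL: map[string]bool{"serial-0001": true}, Keys: map[string][]byte{}}
	fmt.Println(gw.Admit("serial-0002", SealJoin(join, "serial-0002", []byte("join"))))
}
```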

Once the devices have joined the network, they can communicate with each other and with the Gateway. Communication between two devices is also allowed, using a specific key. Negotiation of this key is carried out by the Gateway, which distributes it to the two devices so they can use it to communicate with each other; from then on, that communication no longer depends on the Gateway.

Technology limitations

Despite the efforts of the WirelessHART specification to provide a secure and reliable protocol, it has some weaknesses that must be taken into account when selecting and implementing it. Among them, we highlight the following:

  • The use of certificates (public-key cryptography) is not supported, which means that non-repudiation cannot be guaranteed. Other measures such as strong authentication are also not possible, since the password must be sent through the network.
  • There are no specialised mechanisms to provide authentication and register services.
  • The complete key management system (generate, renew, revoke, store and deny) is not specified, although the key distribution commands have been specified.
  • Security in the wired part of the network (for example, devices such as the network manager and security manager) is neither specified nor enforced, and the same applies to integration between WirelessHART and older HART devices (HART 6 specification or earlier). However, the specification provides ways to add HART devices to the WirelessHART network using adaptors.
  • No route redundancy in the wired part of the network.
  • Secure multicast communication between field devices is not supported.
  • The security manager architecture and the architecture of the interface between the security manager and the Gateway are not specified in the standard.
  • Security mechanisms to protect the WirelessHART network are not specified in a single document but are scattered across the different documents which make up the WirelessHART specification. This makes it difficult for designers and developers to implement security services, since they need to explore the whole WirelessHART specification.
  • There are also no security mechanisms to protect communications between the Gateway and possible applications (also called host application) that use WirelessHART technology.