Idea: Set of wireless sentinels to identify and locate jamming attempts in or around a plant site.
The big two industrial wireless protocols are WirelessHART and ISA100.11A. Unlike most ICS protocols they are not insecure by design. They have encryption and authentication, based on well vetted standards, that have withstood a fair amount of third party testing. They do a good job, great compared to other ICS protocols, providing confidentiality and integrity when attacked.
Where ISA100 and WirelessHART fall short is in availability … they can be jammed quite easily. Therefore we need to consider carefully the availability requirements, physical security perimeter and threat before using these wireless protocols for control or critical monitoring.
Today I attended PACSECJP in Tokyo and heard the Sentinel idea from Jonathan Andersson of TippingPoint (Trend Micro) in his Attacking the Internet of Things with Software Defined Radio presentation. The presentation focused on the components and operation SDR, modulation and jamming some basic wireless protocols ZWave, Zigbee, 802.11. The SDR review is useful if you don’t have a radio background.
The real gem, for me at least, was right at the end when he was talking about jamming mitigations, and specifically this idea of the Sentinel. This could be a modified WirelessHart or ISA100 gateway that is looking for signals that are dropped because they fail due to initialization, authentication or format errors. The Sentinel would have a wired connection to the network that could report these errors when they exceed a certain threshold that indicates a jamming attempt or some other miscommunication that is affecting proper operation in the wireless network. The wired connection is key to avoid the Sentinel reporting itself being jammed.
Now imagine you have three of these Sentinels deployed at various points at your site and can use the detected jamming signal as data to feed direction finding to locate the jammer. This becomes a way to limit the consequence of a jamming attack to the communication outage impact related to a now quantifiable time it takes to identify, locate and disable the jammer.
Direction finding of radio signals is not new, but I’ve not heard about this being developed as an accessory / security control for ISA100 or WirelessHART. Does it already exist? Is anyone working on it?