Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems

International Journal of Critical Infrastructure Protection

Volumn 5, Issue 3-4, 2012, Pages 154-174

  Reaves, Bradley ^a   Morris, Thomas ^b  

^a Georgia Institute of Technology   (United States)

^b MISSISSIPPI STATE UNIVERSITY   (United States)

Author keywords

Industrial control systems; Mitigation; Vulnerabilities; Wireless communications

Indexed keywords

CYBER SECURITY; DEFENSE INDUSTRIAL BASE; IEEE 802.11S; IEEE 802.15.4; INDUSTRIAL CONTROL SYSTEMS; MITIGATION; POTENTIAL VECTORS; RADIO TECHNOLOGIES; SHORT-RANGE WIRELESS COMMUNICATIONS; VULNERABILITIES; WATER SECTOR; WIRED COMMUNICATION; WIRELESS COMMUNICATIONS; WIRELESSHART;

CONTROL SYSTEMS; CRITICAL INFRASTRUCTURES; INDUSTRY; MATERIALS HANDLING; NETWORK SECURITY; NUCLEAR REACTORS; PUBLIC WORKS; STANDARDS; WATER SUPPLY; WIRELESS TELECOMMUNICATION SYSTEMS;

CONTROL SYSTEM ANALYSIS;

EID: 84870338599     PISSN: 18745482     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijcip.2012.10.001     Document Type: Article

References (56)

1. W. Boyes, Industrial wireless: all quiet on the wireless front, control global, Itasca, Illinois, 2011 〈〉. http://www.controlglobal.com/articles/2011/all-quite-on-the-wireless-front.html.
2. Goodspeed T., Highfill D., Singletary B. Low-level design vulnerabilities in wireless control systems hardware, in: Proceedings of the SCADA Security Scientific Symposium 2009, Digital Bond Press, Sunrise, Florida.
3. Fluhrer S., Mantin I., Shamir A. Weaknesses in the key scheduling algorithm of RC4. Revised Papers from the Eighth Annual International Workshop on Selected Areas in Cryptography 2001, 1-24. Springer-Verlag, London. S. Vaudenay, A. Youssef (Eds.).
4. E. Tews, R. Weinmann, A. Pyshkin, Breaking 104 bit WEP in less than 60 seconds, in: Proceedings of the Eighth International Conference on Information Security Applications, 2007, pp. 188-202.
5. E. Tews, M. Beck, Practical attacks against WEP and WPA, in: Proceedings of the Second ACM Conference on Wireless Network Security, 2009, pp. 79-86.
6. F. Halvorsen, O. Haugen, M. Eian, S. Mjolsnes, An improved attack on TKIP, in: Proceedings of the Fourteenth Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age, 2009, pp. 120-132.
7. T. Ohigashi, M. Morii, A practical message falsification attack on WPA, Presented at the Joint Workshop on Information Security, 2009 〈〉. http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf.
8. B. Antoniewicz, 802.11 Attacks, Version 1.0, White Paper, Foundstone Professional Services, McAfee, Santa Clara, California, 〈〉. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-80211-attacks.pdf.
9. R. Moskowitz, Weakness in passphrase choice in WPA interface, Wi-Fi Net News 〈〉, 2003 (accessed 4.11.03). http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html.
10. M. Ahmad, WPA too! Presented at DEF CON 18, 2010 〈〉. http://www.defcon.org/images/defcon-18/dc-18-presentations/Ahmad/DEFCON-18-Ahmad-WPA-Too-WP.pdf.
11. Y. Song, C. Yang, G. Gu, Who is peeping at your passwords at Starbucks? To catch an evil twin access point, in: Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks, 2010, pp. 323-332.
12. Beetle, B. Potter, Rogue AP 101 - Threat, detection and defense, Presented at the Black Hat Federal Conference, 2003 〈〉. http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-beetle/bh-fed-03-beetle-up.pdf.
13. J. Wright, B. Antoniewicz, PEAP: Pwned extensible authentication protocol, Presented at ShmooCon 2008, 2008 〈〉. http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf.
14. J. Wright, Asleap, Will Hack for SUSHI, 2008 〈〉. http://www.willhackforsushi.com/?page_id=41.
15. J. Wright, eapmd5pass, Will Hack for SUSHI, 2008 〈〉. http://www.willhackforsushi.com/?page_id=67.
16. E. Bayraktaroglu, C. King, X. Liu, G. Noubir, R. Rajaraman, B. Thapa, On the performance of IEEE 802.11 under jamming, in: Proceedings of the Twenty-Seventh IEEE Conference on Computer Communications, 2008, pp. 1265-1273.
17. J. Bellardo, S. Savage, 802.11 Denial-of-Service attacks: real vulnerabilities and practical solutions, in: Proceedings of the Twelfth USENIX Security Symposium, 2003.
18. U.S. Computer Emergency Readiness Team, IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable to denial of service, Vulnerability Note VU#106678, Department of Homeland Security, Washington, DC, 2004 〈〉. http://www.kb.cert.org/vuls/id/106678.
19. N. Sastry, D. Wagner, Security considerations for IEEE 802.15.4 networks, in: Proceedings of the Third ACM Workshop on Wireless Security, 2004, pp. 32-42.
20. J. Brodsky, A. McConnell, Jamming and interference induced denial of service attacks on IEEE 802.15.4 based wireless networks, in: Proceedings of the SCADA Security Scientific Symposium, Digital Bond Press, Sunrise, Florida, 2009.
21. R. Speers, R. Melgares, ZigBee security: find, fix, finish, Presented at ShmooCon 2011, 2011.
22. J. Song, S. Han, A. Mok, D. Chen, M. Lucas, M. Nixon, W. Pratt, WirelessHART: applying wireless technology in real-time industrial process control, in: Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, 2008, pp. 377-386.
23. S. Raza, Secure Communication in WirelessHART and its Integration with Legacy HART, Technical Report 3799, Swedish Institute of Computer Science, Kista, Sweden, 2010.
24. S. Raza, A. Slabbert, T. Voigt, K. Landernas, Security considerations for the WirelessHART protocol, in: Proceedings of the Fourteenth IEEE International Conference on Emerging Technologies and Factory Automation, 2009, pp. 242-249.
25. Daintree Networks, Getting Started with ZigBee and IEEE 802.15.4, Mountain View, California, 2008 〈〉. http://www.daintree.net/downloads/whitepapers/zigbee_primer.pdf.
26. ZigBee Alliance, ZigBee Specification, Zigbee Alliance Standard 053 474r17, San Ramon, California, 2008.
27. J. Wright, KillerBee: practical ZigBee exploitation framework, Presented at ToorCon 11, 2009.
28. T. Kennedy, R. Hunt, A review of WPAN security: attacks and prevention, in: Proceedings of the International Conference on Mobile Technology, Applications and Systems, article no. 56, 2008.
29. R. Silva, S. Nunes, Security issues on Zigbee, Presented at the INESC Seminario da Rede Tematica de Comunicacoes Moveis, 2005 〈〉. http://telecom.inescporto.pt/fileadmin/rtcm/WorkShop_22_Jul_05/s2_Security_Issues_on_ZigBee.pdf.
30. K. Masica, Recommended Practices Guide for Securing ZigBee Wireless Networks in Process Control System Environments (DRAFT), Technical Report, Lawrence Livermore National Laboratory, Livermore, California, 2007.
31. B. Reaves, T. Morris, Discovery, infiltration, and denial of service in a process control system wireless network, in: Proceedings of the eCrime Researchers Summit, 2009.
32. M. Andersson, Wireless technologies for industrial applications, connectBlue, Malmo, Sweden, 2001 〈〉. http://www.connectblue.com/fileadmin/Connectblue/Web2006/Documents/White_papers/Industrial_Bluetooth.pdf.
33. K. Haataja, Evaluation of the Current State of Bluetooth Security, Licentiate Thesis, Department of Computer Science, University of Kuopio, Kuopio, Finland, 2007.
34. K. Finistere, T. Zoller, Bluetooth hacking revisited, Presented at the Twenty-Third Chaos Communication Congress, 2006 〈〉. http://www.nruns.com/_downloads/23C3-Berlin-Bluetooth-Hacking-Revisited-Thierry-Zoller.pdf.
35. Trifinite Group, Long distance snarfing, 2006 〈〉. http://trifinite.org/trifinite_stuff_lds.html.
36. Y. Shaked, A. Wool, Cracking the bluetooth PIN, in: Proceedings of the Third International Conference on Mobile Systems, Applications and Services, 2005, pp. 39-50.
37. n.runs, BTCrack - bluetooth PIN cracker 〈〉. http://secdev.zoller.lu/btcrack.zip.
38. K. Finistere, Bluetooth: theft of link keys for fun and profit? 2005 〈〉. http://seclists.org/fulldisclosure/2005/Aug/385.
39. Tenable Network Security Protecting Critical Infrastructure, Columbia, Maryland, 2008.
40. MaxStream, MaxStream extends ZigBee range up to 40 miles, Digi International, Minnetonka, Minnesota 〈〉, 2006 (accessed 25.10.06). http://www.digi.com/news/pressrelease?prid=275.
41. McGrew R., Vaughn R. Discovering vulnerabilities in control system human-machine interface software. Journal of Systems and Software 2009, 82(4):583-589.
42. R. Langner, A time bomb with fourteen bytes, Langner Communications, Hamburg, Germany, 2001 〈〉. http://www.langner.com/en/2011/07/21/a-time-bomb-with-fourteen-bytes/.
43. N. Falliere, L. O'Murchu, E. Chien, W32.Stuxnet Dossier, Version 1.4, Symantec, Mountain View, California, 2011 〈〉. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
44. Slay J., Miller M. Lessons learned from the Maroochy water breach. Critical Infrastructure Protection 2008, 73-82. Springer, Boston, Massachusetts. E. Goetz, S. Shenoi (Eds.).
45. T. Morris, S. Pan, J. Lewis, J. Moorhead, N. Younan, R. King, M. Freund, V. Madani, Cybersecurity testing of substation phasor measurement units and phasor data concentrators, in: Proceedings of the Seventh Annual ACM Cyber Security and Information Intelligence Research Workshop, article no. 24, 2011.
46. M. Bristow, ModScan: a SCADA Modbus network scanner, Presented at DEF CON 16, 2008 〈〉. http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-bristow.pdf.
47. T. Morris, R. Vaughn, Y. Dandass, A retrofit network intrusion detection system for Modbus RTU and ASCII industrial control systems, in: Proceedings of the Forty-Fifth IEEE Hawaii International Conference on System Sciences, 2012, pp. 2338-2345.
48. J. Farris, D. Nicol, Evaluation of secure peer-to-peer overlay routing for survivable SCADA systems, in: Proceedings of the Thirty-Sixth Winter Simulation Conference, 2004, pp. 300-308.
49. Mateti P. Hacking techniques in wireless networks. The Handbook of Information Security 2005, vol. III:83-93. Wiley, Chichester.
50. R. Anderson, Why cryptosystems fail, in: Proceedings of the First ACM Conference on Computer and Communications Security, 1993, pp. 215-227.
51. Fovino I., Carcano A., Masera M., Trombetta A. Design and implementation of a secure Modbus protocol. Critical Infrastructure Protection III 2009, 83-96. Springer, Heidelberg. C. Palmer, S. Shenoi (Eds.).
52. Majdalawieh M., Parisi-Presicce F., Wijesekera D. DNPSec. distributed network protocol version 3 (DNP3) security framework. Advances in Computer, Information and Systems Sciences, and Engineering 2007, 227-234. Springer, Dordrecht. K. Elleithy, T. Sobh, A. Mahmood, M. Iskander, M. Karim (Eds.).
53. International Electrotechnical Commission, Power Systems Management and Associated Information Exchange - Data and Communications Security, Technical Specification IEC TS 62351, Geneva, Switzerland, 2007.
54. Fernandez J., Fernandez A. SCADA systems. vulnerabilities and remediation. Journal of Computing Sciences in Colleges 2005, 20(4):160-168.
55. J. Farshchi, Wireless intrusion detection systems, Symantec, Mountain, View, California, 2003 〈〉. http://www.symantec.com/connect/articles/wireless-intrusion-detection-systems.
56. Sun B., Osborne L., Xiao Y., Guizani S. Intrusion detection techniques in mobile ad hoc and wireless sensor networks. IEEE Wireless Communications 2007, 14(5):56-63.