Wireless sensor and actuator networks for critical infrastructure protection
FP7 project WSAN4CIP
Wireless Sensor and Actuator Networks are a premium candidate technology when it comes to the challenge of protecting Critical Infrastructures (CI). WSANs can be relatively easily deployed at large scale to cover large geographic areas. As they are normally built from low-cost devices, they provide a very cost-efficient monitoring solution without requiring an additional infrastructure.
In addition, owing to their distributed nature and self-configuration capabilities, WSANs will very likely stay operational even under adverse conditions, at least at a minimum level. The information that is still harvested and provided will help the CI operator to prevent further damage and to begin the recovery process.
The use of WSANs has significant impact on the dependability of the CI control system and the CI itself. In particular, it is well-known that wireless communication channels are more vulnerable to environmental noise, and hence are in general less reliable than wired links. Moreover, wireless channels are also vulnerable to attacks, such as jamming, injection of forged data and eavesdropping, that are more difficult to carry out in a wired environment, where access to the communication links is physically limited.
Shortcomings of current WSAN technology
Even though the research community has made tremendous achievements within the last years regarding the autonomous, resilient and secure operation of WSANs, a sufficiently high level of dependability of WSANs has still not been achieved. In application areas relevant for Critical Infrastructure Protection, wired connections are the reference. Here WSANs have to deal with severe constraints, such as limited resources and publicly shared media. In addition, some of the essential core features still conflict with one another, for example: strong security and reliable data transfer versus long battery lifetime, or low cost versus stronger processing resources.
In order to resolve these conflicts and to make WSANs a building block for applications that require a high level of dependability, open issues on all protocol layers related to security and reliability have to be investigated. This also holds true for the software deployed on wireless sensor nodes, such as operating systems. In addition, designing dependable systems under severe constraints, as is the case for WSANs, is a highly complex task.
The whole life cycle needs attention
To ensure dependability of WSANs at a degree sufficient for their use as a means for protecting Critical Infrastructures, their complete lifecycle needs to be taken into account: starting with the design phase (including requirements, engineering and determination of its software components), continuing through deployment, and ending with the normal operations phase.
EU project WSAN4CIP
In January 2009 the EU FP7 project WSAN4CIP – Wireless Sensor and Actuator Networks for the Protection of Critical Infrastructures – was launched to address current insufficiencies of WSAN technology. The goal of WSAN4CIP is to advance WSAN technology beyond the current state of the art, in order to enable their application for the protection of Critical Infrastructures. WSAN4CIP is a STREP in the ICT security area under Objective 1.7: “Critical Infrastructure Protection”. The figure shows the research items that are addressed by WSAN4CIP.
from an application-centric view
One of the major goals of WSAN4CIP is to provide an application-centric engineering framework for WSAN communication systems. The framework should support system engineers in analysing requirements of the target CIP application and the installation site, e.g. a nuclear power station. We finalized our work on a systematic requirement-driven, tool-supported design flow for WSANs and have implemented a prototype of such a tool. Complementary to that, we specified a simulation environment which can be used to verify dependability properties of network nodes and communication protocols. Moreover, we also analysed network topology issues to increase the resilience of the WSAN. As a result of this work a software tool to compute the strength of given network topologies was developed which can be conveniently used for designing and analysing node deployment strategies.
Protecting the nodes of a WSAN
Concerning the protection of individual nodes, we implemented selected approaches on the hardware platform of a WSAN node. In addition, we designed and implemented a secure key establishment protocol that enables secure communication between WSAN nodes. The benefit of our approach is that no key distribution is required and that only the two nodes which are willing to communicate are able to compute the correct key. In order to detect attacks against nodes or parts of the network, a new method called “significance analysis” was researched. First simulations show that it is a promising technology to detect unexpected behaviour. An analysis has shown that the required processing effort on the node meets the power constraints of a battery-driven sensor node.
Secure software update on the sensor node
Vulnerabilities or bugs may be detected in the software of sensor nodes after their deployment. For this case, WSAN4CIP aims at providing a mechanism for a secure code update in a secure execution environment. In a two-step approach, new applications as well as updates are first designed using the tools developed in the project.
Secondly, after the required security level has been verified, the software will be deployed using the secure code update, which is almost fully implemented. As a final building block, code attestation techniques to verify the correctness of a deployed system have been researched. The result is a new attestation technique which, however, requires additional hardware for fully secure execution.
Securing the communication between network nodes
The work concerning network protocols focussed on the specification and implementation of protocols for all layers. For example, for the network layer, implementations for the two operating systems TinyOS and Linux have already been finalised.
In order to improve the dependability of WSANs, a tool supporting network planning was realised. In addition, new schemes for determining what specific role each respective node in the WSAN should fulfil have been defined. The goal is to hide information on the roles of nodes so that potential attackers are unable to select the most attractive victims, i.e. those nodes which provide a major benefit for the attacker when destroyed or compromised.
Figure: Overview of the WSAN4CIP architecture
Connecting the WSAN with the control system
A WSAN deployed for protecting a Critical Infrastructure needs to be connected to the control system of the CI operator, a system which is called Supervisory Control And Data Acquisition (SCADA). In order to define this interface, a conceptual framework for the design of a SCADA system has been developed. The major innovation achieved by WSAN4CIP is that the framework allows the operator not only to monitor the WSAN but also to give access to the WSAN in order to manage it. This kind of integrated communication network management was not available so far.
In order to evaluate our research results, we selected two application areas: energy distribution networks and drinking water supply. Two prototypical demonstrators will be deployed in a part of the power distribution network of EDP Distribuição Energia, a major energy distribution company in Portugal, and in the drinking water network of FWA (Frankfurter Wasser- und Abwassergesellschaft), a regional drinking water and waste water management company in Frankfurt/Oder, Germany.
The field of wireless sensor networks has developed at an exciting pace from pure research to a more or less ready-to-use technology which is going to be applied in various areas. WSANs will become the glue between a Critical Infrastructure and the ICT Infrastructure which monitors and controls the Critical Infrastructure. A dependable WSAN can keep up the information flow in critical situations, because WSANs are by design fault-tolerant up to a certain level, and thus make the information flow independent of the wired control system. WSANs are an ideal technology to inexpensively monitor and manage information about critical infrastructures across large areas.
You can find more information about WSAN4CIP at www.wsan4cip.eu.