Time-critical systems such as industrial process control systems are real-time cyber-physical systems (CPS) that monitor and control the production lines in a manufacturing plant. The number of devices in such a setup keeps increasing. To support more devices and to cope with frequent changes in the network topology due to the addition (removal) of devices to (from) the network, a switch of the communication infrastructure from wired to wireless networks is desirable. Among the existing wireless sensor network (WSN) standards, WirelessHART is best suited for industrial process control systems due to its reliable TDMA-based schedule, centralized architecture, multi-channel support, channel hopping, redundancy in routes, and avoidance of spatial re-use of channels.
Although the use of wireless brings flexibility and adaptability to the communication infrastructure, it increases the threat of cyber attacks. Some recent sophisticated attacks against critical infrastructures, such as Stuxnet [langner2011stuxnet] and Dragonfly [dragonfly], have alerted us to the shaky protection of the conventional air-gap solution. The main components of a WirelessHART network are the sensors, actuators, Gateway, a network manager, and multiple access points (APs). Each communication between these devices is a real-time flow with a fixed period and deadline. To make the flows schedulable, the schedule in a WirelessHART network is pre-determined by the centralized network manager at the time of network initialization. The same schedule is repeated over every hyper-period (i.e., the lowest common multiple of the periods of all the flows in the network) until there is a change in the network topology, such as the addition/removal of new/existing devices to/from the network. The repetitive execution of the deterministic flow schedule over every hyper-period makes these systems vulnerable to timing attacks: such repetition greatly helps the attacker to analyze eavesdropped traces and infer the schedule. With the inferred schedule, the attacker can further launch various strategic destructive attack steps. For instance, the attacker can selectively jam the transmissions from/to a certain critical sensor/actuator, which can eventually breach the safety of the system.
In this work, we aim at reducing the predictability of the time slots in the communication schedule of a real-time WirelessHART network. We propose a moving target defense (MTD) mechanism, the SlotSwapper, that randomizes the time slots in the communication schedule over every hyper-period while satisfying all the feasibility constraints of a real-time WirelessHART network, as follows— (1) the deadlines of all real-time flows in the network are satisfied, (2) the hop sequences associated with each flow are preserved and (3) no conflicting transmissions in the network are allowed. From our analysis, an attacker who can monitor the wireless transmissions needs at least two hyper-periods to infer the schedule. Randomizing the schedule over every hyper-period renders the attacker's inference futile, thereby greatly improving the confidentiality of the WirelessHART network's operations. The more varied the slots in a schedule, the more difficult it is for the attacker to predict them. Hence, the measure of uncertainty in the time slots of a schedule can be expressed in terms of the amount of randomness in the time slots over the hyper-period schedules generated by our algorithm. We re-defined schedule entropy [yoon2016taskshuffler] as a metric to measure the uncertainty in predicting the time slots. We illustrated the feasibility of our proposed algorithm on random topologies with 100 simulated nodes in Contiki Cooja [osterlind2006cross]. To the best of our knowledge, this is the first work on randomization to reduce the determinism of the time slots of a hyper-period schedule in real-time WirelessHART networks.
2 Related Work
Two notable works in the literature which adopt randomization techniques in the context of real-time processor scheduling are TaskShuffler [yoon2016taskshuffler] and SPARTA [jiang2016sparta]. [yoon2016taskshuffler] presents a schedule randomization protocol, TaskShuffler, that shuffles a set of fixed-priority real-time tasks on a uniprocessor system. [jiang2016sparta] proposes SPARTA, a scheduler that randomizes the leakage points in the schedule to protect the system from Differential Power Analysis (DPA) attacks. However, both of these works target uniprocessor systems. The channels and real-time flows of our network can be mapped to processors and real-time tasks respectively; however, the conflicting transmissions among the flows impose an additional constraint in our network, which makes our problem even harder than multi-processor scheduling.
Because WirelessHART networks rely on a TDMA schedule, they are vulnerable to selective jamming attacks [proano2010selective]. [mpitziopoulos2009survey, virmani2014routing] survey various possible jamming attacks and the key ideas of existing security mechanisms against such attacks in WSNs. [pongaliur2008securing] describes various types of side-channel attacks and their respective countermeasures in WSNs. Countermeasures against jamming attacks can be physical-layer solutions, as in [mpitziopoulos2009survey, pickholtz1982theory], or cyber-space solutions, such as [proano2012packet, wood2007deejam]. [stojanovski2015efficient] presents the steps of an attacker to launch jamming attacks in industrial process control systems. Recent works such as [tiloca2017jammy] and [tiloca2018dish] provide countermeasures against timing attacks in single- and multi-channel WSNs respectively by permuting the slot utilization pattern at the node level over a super-frame to randomize the schedule. However, the flows considered in these works are not associated with deadlines; hence, randomizing the slot utilization pattern at the node level keeps the flows schedulable. Our problem is more complex: each flow in our network is a real-time flow with a strict deadline. Permuting the time slots at each node does not guarantee deadline satisfaction of all the real-time flows in our network; hence, the existing solutions in [tiloca2017jammy] and [tiloca2018dish] are not applicable.
3 WirelessHART Background
The WirelessHART protocol, being compliant with IEEE 802.15.4, is the first open wireless communication standard for measurement and control in the network and process industries [lu2016real]. A WirelessHART network consists of a Gateway, multiple field devices, APs and a centralized network manager, which are connected via a wireless mesh network. The network manager, connected to the Gateway, is responsible for managing the devices, scheduling, creating the routes and optimizing the network. The field devices are wireless sensors and actuators which can either transmit or receive in a particular time slot. Also, in a time slot, a receiver can receive from exactly one sender. Multiple APs are connected to the Gateway via wired connections to provide redundant paths between the Gateway and the network devices. The key features of a WirelessHART network that make it suitable for process industries include:
TDMA: For reliable, collision-free communication in a WirelessHART network, time is globally synchronized and slotted into ms time slots, within each of which a network device sends a packet and receives the corresponding acknowledgment.
Channel and route diversity: WirelessHART supports a maximum of 16 channels [Chen:2010:WRM:1855162] in the 2.4 GHz frequency band. To avoid interference from neighboring wireless systems, it adopts channel hopping in every time slot. A channel is blacklisted if it suffers from external interference. WirelessHART allows route diversity by transmitting a packet multiple times via multiple paths over different channels.
Avoidance of spatial re-use of channels: To avoid interference and to increase reliability, WirelessHART avoids spatial re-use of channels [Chen:2010:WRM:1855162]. The physical channel assigned to a link in a particular time slot is computed [Chen:2010:WRM:1855162] from the Absolute Slot Number (ASN), which increases at every slot, the logical and physical channels assigned to a node, and the number of channels in the network.
A WirelessHART network is represented as a graph whose node set consists of the sensors, actuators and Gateway and whose edge set consists of the links between the devices. An edge between two devices is part of the graph if and only if the two devices can reliably communicate. In a transmission along an edge, the transmitting node is the sender and the receiving node is the receiver of the transmission.
Two transmissions along two distinct edges are said to be conflicting transmissions if both of them have the same sender or the same receiver. For each edge, there exists a set of conflicting transmissions in the graph. To keep track of the conflicting transmissions, we store an adjacency list known as the Conflict List. Each index in the list corresponds to an edge in the graph, and the list at that index stores the edges which generate conflicting transmissions with it.
An end-to-end communication between a sensor and an actuator occurs in two phases: a sensing phase and a control phase during which the communications are between the sensors and the Gateway and between the Gateway and the actuators respectively.
4 System Model
Our system model consists of a WirelessHART network and a set of end-to-end flows . Each flow periodically generates a packet at its source node with period . The packet passes via the Gateway and reaches the destination node within deadline . We assume that our flows have implicit deadlines, i.e., the deadline of a flow equals its period. A packet is scheduled on more than one route between the source and destination for reliability.
The release time () of the instance of flow () is the time at which the instance of is released at the source node . is defined as
The number of hops in a route of a flow is the number of intermediate devices between the source and the destination in the route of .
Given a graph with channels and a set of flows , a feasible schedule is a sequence of transmissions over the slots in along the edges in . Each transmission is a mapping of a flow to a channel in a slot satisfying the following conditions:
1. No transmission conflict: Two transmissions along and can be scheduled in the same time slot , if and are non-conflicting transmissions;
2. No collision: If uses channel and uses channel in the same time slot , then , ;
3. No deadline violation: If a flow , , has hops, then all the hops of are to be scheduled within the deadline ;
4. Flow sequence preservation: If a flow has hops, then the hop cannot be scheduled until all the previous hops are scheduled.
We assume that the network manager blacklists those channels in which the probability of successful transmission is less than a certain threshold [song2008wirelesshart]. Therefore, the number of packet drops in the network can be neglected. At the time of network initialization, the network manager decides the schedule depending on the number of available channels, the topology of the network and the available routes for each flow [Chen:2010:WRM:1855162], [song2008complete]. Given a graph , a set of flows over and channels, the network manager runs any scheduling algorithm that generates a schedule satisfying all the conditions of Definition 4. The network manager then informs all the network devices about the allocated slots in which they can transmit (receive) messages to (from) specific neighbors. The network devices become active only in those slots in which they can transmit (receive) messages. The same schedule repeats every hyper-period.
5 Threat Model
The main objective of the adversary is to select a critical sensor or actuator as the victim node in the network and predict the time slots in which the victim node sends (receives) packets to (from) its neighboring nodes by observing the traffic in the network. Our adversary model is based on the following assumptions:
The adversary is aware of the network parameters such as the number of channels adopted by the network.
The adversary is equipped with multiple antennae; hence, he is capable of listening to all 16 channels in the 2.4 GHz ISM band used by the network.
Based on the above assumptions, the adversary has the following capabilities:
Capability 1: The adversary can target a specific node (sensor or actuator) as the victim node in the network and monitor all communications associated with that node. After analyzing the traffic for a sufficiently long period of time, the adversary can predict the time slots in which the victim node communicates with its neighbors.
Capability 2: Due to the repetitive nature of the communication schedule, the adversary can estimate the hyper-period of the schedule. The adversary can use this estimate in the subsequent hyper-periods to infer the communication time slots of the victim node.
Capability 3: The adversary can reverse engineer the channel hopping sequences by silently observing the channel activities in the network [mosha2019iotdi].
With the above three capabilities, the adversary can execute further destructive attack steps. For instance, the adversary can target specific transmissions from (to) certain critical sensors (actuators) and selectively jam the targeted transmissions in specific time slots, thereby causing a disruptive effect on the system. Due to the repetitive nature of the hyper-period schedules, the same flow gets transmitted in the same time slot over every hyper-period. Hence, selectively jamming the predicted channel in specific time slots over every hyper-period results in jamming the targeted flow with probability . Unlike a constant jamming attack that jams all transmissions, selective jamming is stealthier, as it allows the attacker to strategically target certain critical sensors and/or actuators within their proximity with much lower radio transmission power. This reduces the overhead and cost for the attacker to implement the jamming attack [grover2014jamming]. In contrast, random jamming that does not infer the schedule and jams in randomly selected slots is much less effective [xu2005feasibility].
Attack consequences: Selectively jamming the transmissions from a critical sensor node results in blocking the sensor data to reach the Gateway. As a result, proper control commands cannot be delivered to the actuators which in turn may result in degraded performance of the system. Also, selectively jamming the control commands to reach the actuators may hamper the safety of the system.
Motivation of our work: The main objective of our work is to develop an MTD technique, the SlotSwapper, that randomizes the communication time slots over every hyper-period schedule such that the schedule changes before the attacker can estimate it. We present a motivating example to illustrate how the threat can be addressed by randomizing the time slots in every hyper-period schedule.
Consider the network graph shown in Figure 1 with two channels and three flows, , and , where the sources are , , ; the destinations are ; and the periods and the deadlines are , respectively. Consider in Table 1 to be the hyper-period schedule over the flows, and consider node to be the victim node. In the traditional TDMA-based real-time WirelessHART network, the network starts with schedule , which repeats every time slots. An attacker listening to the channels in the network will find nodes and communicating every time slots. To identify this repetitive pattern, the attacker needs to listen to the network for at least two hyper-periods, i.e., time slots. The attacker can therefore launch a selective jamming attack at the earliest in the slot. With our proposed MTD technique, a new schedule is followed in each hyper-period, i.e., if is followed in the first eight slots, then will be followed in the next eight slots, and so on. However, there is no communication between nodes and in slot 1 in , i.e., the communicating time slots in two consecutive hyper-periods are different. To identify the repetitive patterns in the schedule, the attacker needs to monitor the communications for at least two hyper-periods. Hence, by changing the schedule every hyper-period, the system changes at a faster pace than the learning pace of the attacker, rendering further strategic destructive attack steps (e.g., selective jamming) infeasible.
6 Proposed MTD technique
Our proposed MTD technique, the SlotSwapper, consists of two main phases— (1) an offline schedule generation phase and (2) an online schedule selection phase. The offline phase considers an initial hyper-period schedule for a set of flows over a graph and generates a new feasible schedule by randomizing the slots in it. However, the randomization of time slots is to be done in such a way that all the conditions for generating a feasible schedule (Definition 4) are obeyed. To reduce the repeatability of time slots, we propose to run the offline phase times ( is a large number) and generate a set of feasible hyper-period schedules . We suggest selecting a schedule uniformly at random every hyper-period from and executing that schedule over that hyper-period.
Notation used by the offline schedule generation phase:
|a network graph over nodes and edges|
|a set of flows defined over|
|number of channels in the network|
|hyper-period of flows|
|a base schedule consisting of a mapping of a channel in a slot to a flow over one hyper-period|
|Conflict List corresponding to the network graph|
|a copy of the base schedule|
|a dictionary to store the hop number to slot mapping of all the flow instances in the schedule|
|a dictionary to map channel to edge in a particular slot in the schedule|
Consider the same setting as in Figure 1 and Example 1. Let in Table 1 be the base schedule. Let us consider the hop of in with and . The window corresponding to the hop of is . For every slot and every channel , we call and check for a conflicting transmission. has a conflicting transmission with in . Therefore, (slot,channel) pairs such as , and are rejected due to transmission conflict with . Similarly, (slot,channel) pairs such as and are also rejected by the function due to violation of the deadlines of the flow instances: (slot,channel) pairs and correspond to the second instance of , with release time at slot and deadline at slot . Hence, the second instance of cannot be swapped with any slot before slot or after slot . Similarly, does not allow (slot,channel) pairs , and in the eligible list, in order to preserve the hop sequences of the flows. If the transmission corresponding to the hop of the instance of (via edge ) at (slot,channel) pair were allowed to swap with , then the second hop of that instance of would be scheduled before the first hop, violating the hop sequence of the flow instance. Finally, the list of eligible (slot,channel) pairs is — . Let be the randomly selected element. Swapping the transmissions and the flow instances between and and iterating the same procedure over all the flow instances generates a completely new feasible schedule.
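The eligibility checks walked through above, as an added example that is not the paper's code: a small constructed network (two channels, three flows, hyper-period 8, different from Figure 1 and Table 1) with a base schedule, a function listing the (slot,channel) pairs a transmission may swap into while respecting transmission conflicts, release times and deadlines, and hop order, and a SlotSwapper pass that swaps every transmission with a random eligible pair and re-checks all four conditions of Definition 4. The flow names, the base schedule and the conflict rule (which also treats a node sending and receiving in the same slot as a conflict, following Section 3) are assumptions.

```python
import random
from math import lcm

# Constructed example (not the paper's Figure 1): two channels, three implicit-deadline
# flows, hyper-period H = lcm(4, 8) = 8. A flow is its ordered list of hops (sender, receiver).
FLOWS = {
    "F1": {"period": 4, "hops": [("S1", "G"), ("G", "A1")]},
    "F2": {"period": 8, "hops": [("S2", "G"), ("G", "A2")]},
    "F3": {"period": 8, "hops": [("S3", "S2"), ("S2", "G")]},
}
CHANNELS = 2
H = lcm(*(f["period"] for f in FLOWS.values()))

# Transmission = (flow, instance, hop); schedule = {(slot, channel): transmission}, so the
# "no collision" condition (one transmission per channel per slot) holds by construction.
BASE = {
    (0, 0): ("F1", 0, 0), (0, 1): ("F3", 0, 0), (1, 0): ("F1", 0, 1), (2, 0): ("F3", 0, 1),
    (3, 0): ("F2", 0, 0), (4, 0): ("F1", 1, 0), (5, 0): ("F1", 1, 1), (6, 0): ("F2", 0, 1),
}

def edge(tx):
    return FLOWS[tx[0]]["hops"][tx[2]]

def release_deadline(tx):
    p = FLOWS[tx[0]]["period"]          # implicit deadline: deadline == period
    return tx[1] * p, (tx[1] + 1) * p

def conflicts(e1, e2):
    # Stricter than "same sender or same receiver": a half-duplex node also cannot send on
    # one edge and receive on another in the same slot (assumption, see Section 3).
    return bool(set(e1) & set(e2))

def slot_of(sched, tx):
    return next(s for (s, _), t in sched.items() if t == tx)

def fits(sched, tx, slot, leaving=None):
    """Can tx occupy `slot`, given that transmission `leaving` vacates it?"""
    rel, dl = release_deadline(tx)
    if not rel <= slot < dl:
        return False                                  # release/deadline violated
    flow, inst, hop = tx
    if hop > 0 and slot_of(sched, (flow, inst, hop - 1)) >= slot:
        return False                                  # would precede its previous hop
    if hop + 1 < len(FLOWS[flow]["hops"]) and slot_of(sched, (flow, inst, hop + 1)) <= slot:
        return False                                  # would follow its next hop
    return not any(s == slot and other not in (tx, leaving) and conflicts(edge(tx), edge(other))
                   for (s, _), other in sched.items())

def eligible(sched, pos):
    """All (slot, channel) pairs that the transmission at `pos` may swap into."""
    tx, out = sched[pos], []
    for s in range(H):
        for c in range(CHANNELS):
            other = sched.get((s, c))          # None if that (slot, channel) is idle
            if (s, c) != pos and fits(sched, tx, s, other) and (
                    other is None or fits(sched, other, pos[0], tx)):
                out.append((s, c))
    return out

def swap(sched, a, b):
    ta, tb = sched.pop(a, None), sched.pop(b, None)
    if tb is not None: sched[a] = tb
    if ta is not None: sched[b] = ta

def is_feasible(sched):
    """Conditions 1-4 of Definition 4, plus every hop of every instance present exactly once."""
    want = sorted((f, i, h) for f, d in FLOWS.items()
                  for i in range(H // d["period"]) for h in range(len(d["hops"])))
    return sorted(sched.values()) == want and all(
        fits(sched, tx, slot_of(sched, tx)) for tx in sched.values())

def randomize(base, seed):
    """One SlotSwapper pass: each transmission swaps with a randomly chosen eligible pair."""
    rng, sched = random.Random(seed), dict(base)
    for tx in list(base.values()):
        pos = next(p for p, t in sched.items() if t == tx)
        choices = eligible(sched, pos)
        if choices:
            swap(sched, pos, rng.choice(choices))
    return sched
```

For the second hop of F3's first instance at (2, 0), `eligible` returns (1, 0), (2, 1), (3, 0), (7, 0) and (7, 1); slots 4 and 5 are refused because F1's second instance is not released before slot 4, and slot 6 because F2's second hop would then precede its first.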
Online Selection of Schedules: After running the offline phase times, we get a set of feasible schedules . At the time of network initialization, each node is informed about the time slots in which it can send/receive messages in each of these hyper-period schedules. The online schedule selector runs at each node once every hyper-period, selects a schedule from uniformly at random and executes it over that hyper-period. To ensure that the same schedule is selected at each node, we propose to use a pseudo-random number generator (PRNG) [wiki:prng] (assumed to be secure) initialized with the same seed at each node. This allows each node to select the same schedule every hyper-period without any additional communication.
7 Measure of Uncertainty
Given a set of schedules generated by , we need to quantify the amount of uncertainty in the schedules in . In [yoon2016taskshuffler], schedule entropy is used to measure the uncertainty of a given schedule for a uniprocessor system. We have redefined schedule entropy as a function of the slot and channel entropy to measure the randomness in the schedules in . In a multi-channel WirelessHART network, each of the slots in a schedule consists of channels, which can be represented as . Given a hyper-period schedule over slots and channels for a set of flows , the occurrence of a flow in a channel of a slot is a discrete random variable with possible outcomes from to , where represents the idle flow and is the total number of flows in . Let denote the flow occurring in the channel of slot of . However, the occurrence of a flow in a channel of a slot precludes the occurrence of any other flow in the same channel of the same slot. Also, if a flow completes its hops in a slot of the schedule, it cannot occur in the subsequent slots until the arrival of its next instance. We therefore define schedule entropy as
Schedule entropy over a set of flows for a WirelessHART network with channels is the conditional entropy of occurring in the channel of the slot, given the entropy of all the slots from to . It is represented as
For a multi-channel WirelessHART network with flows, the number of possible permutations in the calculation of the joint probability for each slot is exponential. Hence, we consider the empirical probability distribution of the flows across all the channels in each slot, which gives an upper-approximated value of the slot entropy, as the joint probability is always less than or equal to the sum of the individual probabilities [shannon2001mathematical]. Further, the calculation of the conditional entropy in Equation (2) involves the joint probability distribution of the slots in , which is exponential in nature. So, we consider the empirical probability distribution of the slots in .
Upper-approximated slot entropy and Upper-approximated schedule entropy are defined respectively as follows
where is the probability mass function of the flow occurring in the channel of the slot.
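The upper-approximated entropies described above, as an added example (not from the paper) over a small constructed set of four hyper-period schedules: the empirical distribution of the flow seen in each channel of each slot is computed across the set, channel entropies are summed into slot entropies and slot entropies into the schedule entropy; log base 2 and the idle-flow label 0 are assumptions. The last function reports the positions whose entropy stays zero, i.e., where an observer who has learned the set could still predict the schedule.

```python
from collections import Counter
from math import log2

IDLE = 0  # the "idle flow": the channel carries nothing in that slot

# Constructed set of four hyper-period schedules (not the paper's data): H = 2 slots,
# 2 channels, flows F1 and F2. Each schedule maps (slot, channel) -> flow; a missing key
# means the channel is idle in that slot.
SCHEDULES = [
    {(0, 0): "F1", (0, 1): "F2"},
    {(0, 0): "F2", (0, 1): "F1"},
    {(0, 0): "F1", (1, 0): "F2"},
    {(0, 0): "F2", (1, 0): "F1"},
]
H, CHANNELS = 2, 2

def channel_pmf(schedules, slot, channel):
    """Empirical pmf of the flow (or IDLE) seen in one channel of one slot across the set."""
    counts = Counter(s.get((slot, channel), IDLE) for s in schedules)
    return {flow: n / len(schedules) for flow, n in counts.items()}

def entropy(pmf):
    """Shannon entropy in bits (log base 2 is an assumption; the paper does not fix the base)."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)

def slot_entropy(schedules, slot):
    """Upper-approximated slot entropy: the channel entropies are summed instead of
    computing the joint entropy over all channels of the slot."""
    return sum(entropy(channel_pmf(schedules, slot, c)) for c in range(CHANNELS))

def schedule_entropy(schedules):
    """Upper-approximated schedule entropy: slot entropies summed over the hyper-period."""
    return sum(slot_entropy(schedules, i) for i in range(H))

def predictable_positions(schedules):
    """(slot, channel) pairs with zero entropy: an observer who has learned the schedule
    set knows exactly what happens there in every hyper-period."""
    return [(i, c) for i in range(H) for c in range(CHANNELS)
            if entropy(channel_pmf(schedules, i, c)) == 0]
```

For the constructed set the schedule entropy is 4.0 bits (2.5 for slot 0, 1.5 for slot 1), while repeating a single schedule every hyper-period, as in a conventional WirelessHART network, gives 0.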
Simulation setup: We use the Cooja simulator [osterlind2006cross] of Contiki 3.0 to test the feasibility of our schedules. We generated three random topologies with 100 simulated Tmote Sky motes by varying the degree of the nodes (), i.e., the number of incoming and outgoing edges incident on a node — (1) Graph A ( between 2 and 4), (2) Graph B ( between 3 and 6), (3) Graph C ( between 3 and 8). The higher the degree of a node, the higher the chance of conflicting transmissions and the fewer the flows available for a particular time slot. The nodes with the highest number of neighbors are considered to be the APs.
Flow generation: A fraction () of the nodes are randomly selected as source and destination nodes; the source and destination nodes are disjoint. In our experiments we varied between 20% and 80%. We selected the number of hops of each flow to be between 2 and 8 [alur2009modeling] and considered the shortest path as the primary path. The flows have implicit deadlines, with periods varying randomly in the range to .
Experiments: We fixed the hyper-period at time slots and ran experiments for up to 10000 hyper-periods, with the number of flows varying between 10 and 40 and the number of channels between 1 and 4. For each condition, we generated 100 random instances and measured the upper-approximated schedule entropy () for each of these instances. Figure 2 shows for all the tested scenarios. We observed that is maximum for the single-channel WirelessHART network for all three graphs. This is because in single-channel WirelessHART networks there are no conflicting transmissions among the flows; as a result, a flow can be scheduled in any slot between its release time and deadline. For a fixed number of channels, increases significantly with the number of flows up to 30. Beyond that, there is no significant increase in with the number of flows: with more flows, more flows can appear in a slot, but the number of conflicting transmissions among the flows also increases, which restricts the number of flows available to be scheduled in a particular slot. also increases with the number of channels between 2 and 4, as the number of available positions in which a flow can be scheduled increases. However, the increase in with the number of channels is significantly smaller for Graph C. Among the three graphs, Graph C has the most edges, resulting in more conflicting transmissions among the flows and thereby restricting the number of available positions to schedule a flow.
Although we ran our algorithm for up to 10000 hyper-periods to measure the randomness in the generated schedules, the memory available to each Tmote Sky mote is not large enough to store a large number of schedules. We measured that each mote can only store the information for a maximum of 2000 time slots. We observed that if a node is in the path of all 40 flows, then it needs to store at least 80 time slot entries per schedule (40 for transmissions and 40 for re-transmissions). With this specification, we were able to store 25 schedules in each node. We can manually tune the nodes with different sets of schedules after several hyper-periods to further reduce the chance of predicting the schedules. Our MTD technique only involves an additional random number generation in each node once every hyper-period, the power consumption of which is negligibly small.
In this work, we presented an MTD mechanism, the SlotSwapper, to reduce the predictability of TDMA slots in a real-time WirelessHART network. We used schedule entropy to measure the uncertainty of the schedules generated by our algorithm. We illustrated the feasibility of the schedules on simulated networks in Cooja with 100 Tmote Sky motes.
This work was conducted within the Delta-NTU Corporate Lab for Cyber-Physical Systems with funding support from Delta Electronics Inc. and the National Research Foundation (NRF) Singapore under the Corp Lab@University Scheme.