Lead Security Consultant at Nixu Benelux
Mattijs van Ommeren
Principal Security Consultant at Nixu Benelux
Erwin Paternotte & Mattijs van Ommeren
It WISN't me, attacking industrial wireless mesh networks
Wireless sensor networks are commonly thought of as IoT devices communicating using familiar short-range wireless protocols like Zigbee, MiWi, Thread, and OpenWSN. A lesser-known fact is that about a decade ago, two industrial wireless protocols (WirelessHART and ISA100.11a) have been designed for industrial applications, which are based on the common IEEE 802.15.4 RF standard. These Wireless Industrial Sensor Networks (WISN) are used in process field device networks to monitor temperature, pressure, levels, flow or vibrations. The petrochemical industry uses WISN in oil and gas fields and plants around the world.
Both IEC ratified standards have been commonly praised by the ICS industry for their security features, including strong encryption on multiple layers within the protocol stack, resistance to RF interference, and replay protection. While the standards, in general, look safe on paper, there are potentially interesting attack vectors that require verification. However, security research so far has not yielded any significant results beyond basic attack vectors. Often these attacks have only been theorized, and not (publically) demonstrated. In addition, vendor implementations have not been thoroughly tested for security by independent third parties, due to protocol complexity and the lack of proper (hardware/software) tools. We strongly believe in Wright’s principle, “Security does not improve until practical tools for exploration of the attack surface are made available.”
This presentation will fill this gap by providing the necessary building blocks to perform more in-depth security analysis of WISN, and provide tools to perform practical attacks against these wireless networks in order to verify resistance to real-world attacks.
Erwin works as a lead security consultant at Nixu Benelux. He has 15 years experience conducting penetration tests and security assessments on a wide variety of systems and technology. In the recent years, his focus is shifting towards more advanced tests like red teaming, embedded systems, ICS/SCADA, and telco systems. Within Nixu he is also the practice lead for penetration and security testing.
Mattijs leads the Red Teaming and Hardware Testing team at Nixu Benelux. He has spent most of his career as an information security consultant, both on the offensive as well as the defensive side. Mattijs has a special interest in process automation and industrial systems. Over the years he has discovered numerous vulnerabilities in RTUs, process controllers, industrial firewalls and other equipment. Industrial sensor networks currently have most of his focus, as this is still mainly unexplored terrain.