Wireless Security

WirelessHART employs robust security measures to ensure the network and data are protected at all times. This includes message confidentiality (end-to-end encryption), message integrity checking, authentication (message and device), and secure procedures for devices joining the network. Industry standard techniques are used to provide authentication and encryption.

  • Confidentiality - End-to-end data encryption is employed to prevent sensitive data from being intercepted.
    • Encryption of data prevents an attacker from changing the data
    • Mathematically scrambles the message (AES-128)
    • Statistically very difficult to break
    • All sensor traffic is encrypted, even during the “Join” process
    • Same technology used by banks
  • Verification - A Message Integrity Code (MIC) is generated to sign the data end-to-end
    • WirelessHART devices generate a 2nd MIC that signs the entire packet on a per-hop basis
    • An encrypted nonce (message counter) makes replay attacks much more difficult
  • Robust Operation - Denial-of-service attacks are mitigated with channel hopping and redundant paths provided by the mesh infrastructure.
    • Prevent jamming (noise injection) between the device and gateway by changing the frequency of communication across a band of frequencies (frequency hopping)
    • Redundant path routing also helps sidestep noise sources, whether malicious or not
    • Real world testing shows reliability levels equal to or better than wired systems. Refer to Appendix B for more information on network co-existence.
    • Message acknowledgement confirms successful transmission of data to the sender; a missing acknowledgement could trigger a message retry or use of a redundant path
  • Key Management—Password protection (secure keys) is used to prevent unauthorized devices from joining the network and communicating on the network.
    • Rotating the encryption keys makes them extremely difficult to exploit
    • Separate Join and Network Keys provide additional protection levels
    • Complexity of rotating keys is seamlessly handled during normal operation
  • Authentication—The use of individual encryption codes and passwords on a point to point basis limits the consequences of any individual device being compromised.
    • A Network Manager won’t allow new devices onto the network without prior authentication
    • Uses a joining process that is secure and simple
    • The Network Manager is responsible for maintaining a “good” users list (white list); all others fall into the Rogue category and are denied access
    • Monitoring: Radical changes in the sensor network topology are detected and MAY be the result of unauthorized activity

A Security Manager application, in conjunction with the Network Manager, authenticates any new device attempting to join the network and assigns a password (session key) to be used for each point-to-point communication. These passwords are also used to provide encryption during communications. The Security Manager can be as complex or as simple as required for the specific application and circumstances (see Appendix C for more details). A base level of security is always enabled in a WirelessHART network.
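
The two MIC layers and the message counter listed under Verification can be sketched as follows. This is an added example, not code from the HART specification or any vendor: the key names, the 4-byte tag length and the packet layout are assumptions, truncated HMAC-SHA256 stands in for the real MIC algorithm, and payload encryption is omitted so the counter travels in the clear.

```python
import hashlib
import hmac
import struct

MIC_LEN = 4  # tag length chosen for this sketch (assumption)


def mic_tag(key, data):
    # Stand-in MIC: truncated HMAC-SHA256, not the algorithm real devices use.
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def seal_end_to_end(session_key, counter, payload):
    # Source device: bind the message counter and payload under the session key.
    body = struct.pack(">I", counter) + payload
    return body + mic_tag(session_key, body)


def wrap_hop(hop_key, packet):
    # Each transmitter signs the entire packet again for the next hop.
    return packet + mic_tag(hop_key, packet)


def unwrap_hop(hop_key, frame):
    # Each receiver on the path checks and strips the per-hop MIC.
    packet, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
    if not hmac.compare_digest(tag, mic_tag(hop_key, packet)):
        raise ValueError("per-hop MIC mismatch")
    return packet


class Receiver:
    def __init__(self, session_key):
        self.session_key = session_key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, packet):
        if len(packet) < 4 + MIC_LEN:
            raise ValueError("packet too short")
        body, tag = packet[:-MIC_LEN], packet[-MIC_LEN:]
        if not hmac.compare_digest(tag, mic_tag(self.session_key, body)):
            raise ValueError("end-to-end MIC mismatch")
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            raise ValueError("replayed or stale counter")
        self.last_counter = counter
        return body[4:]
```

A relay that holds only the per-hop key can re-sign a modified packet for the next hop, but the destination still rejects it because the end-to-end MIC was computed under a session key the relay does not have.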

Ease of Use
As an integral part of the HART technology, WirelessHART devices are supported by the same command structure and device description technology as traditional HART products. This means that WirelessHART devices can be configured and maintained with the same handheld, software tools and asset management systems in use throughout plants today, requiring minimal additional knowledge or training.

WirelessHART results in a reliable network that installs easily with no specialized wireless expertise, automatically adapts to unforeseen challenges, and can be extended as needed without sophisticated planning.
HART® is a registered trademark of the HART Communication Foundation