1. Industrial wireless network development and security issues

With the continuous development of Industry 4.0, demand for communication systems is growing and the standards they must meet are rising: communication must be more efficient, reliable, fast and flexible. In the current industrial production environment, wired communication technology is mainly used. It offers high reliability, strong resistance to interference and high security, but it suffers from high installation and maintenance costs, complex layout and poor scalability. Wireless communication technology breaks these limitations. It is flexible, scalable and versatile, and can keep pace with industrial development. At the same time, wireless communication does not require complex wiring, which greatly reduces the cost of network maintenance [1]. These advantages, however, come with a fatal disadvantage: wireless communication is inherently insecure. Its transmission medium is open, so the signal can easily be intercepted or maliciously interfered with by others [2]. Security measures are therefore necessary. The precondition for any such measure is that it must still satisfy the latency and reliability requirements of industrial wireless networks, and these strict requirements make most traditional security protection methods unusable. For example, control latency is strictly limited to a few milliseconds or even less, which conflicts with complex encryption system architectures. The same applies to the robustness of the encryption method, which is generally related to the size of the information packet; in many industrial situations the packets are very short, resulting in poor robustness.
There are also some types of attacks related to the lower network layers, such as jamming attacks. In such cases encryption cannot help, and security tools at the PHY and MAC layers are needed [1].

2. Attack threats on the physical layer and MAC layer of wireless systems

Wireless is an inherently insecure domain. Radio transmission exposes the exchange of information between authorized users to active and passive malicious threats. The general requirements for wireless security are confidentiality, authenticity, availability and integrity [2], as shown in Figure 1.

Figure 1 Wireless communication functions and targeted attacks

There are two types of attacks related to the physical layer of wireless communication systems: eavesdropping and jamming. Due to the broadcast nature of wireless transmissions, eavesdropping is easier to accomplish than other attacks. Because the transmitted waveform is accessible to any listening receiver, unauthorized access to the wireless content is hard to prevent. Eavesdropping can be accomplished without affecting the intended transmission link, so the confidentiality breach may go undetected and is therefore all the more harmful [3].

Countermeasures against eavesdropping fall into two categories: encryption techniques and channel advantage enhancement techniques. Encryption techniques are widely used in general wireless systems and usually rely on protocols belonging to the upper layers of the OSI model. The encryption/decryption process is carried out by algorithms that may involve exchanging different hash keys between the server components and the secure infrastructure, and that are specific to that infrastructure. These algorithms are usually complex and introduce significant processing delays. An alternative at the PHY layer is CSI-based encryption, which uses channel reciprocity to obtain a secret shared key between the two communicating ends. Reciprocity itself is a major challenge, because it assumes a quasi-static channel, which cannot be guaranteed on wireless links. A further problem is that an attacker can also imitate the CSI of the primary communication link in order to eavesdrop [4]. The second category of protection, channel advantage enhancement, raises the secrecy rate of the primary communication channel by reducing the capacity of the eavesdropping channel or increasing the capacity of the primary channel. Examples of these techniques are artificial noise generation, secure beamforming precoding, cooperative secure transmission and power allocation.

Jamming is a special case of DoS attack. The jammer transmits a specific waveform (noise-like, periodic, aperiodic, pulsed or continuous) with the intention of disrupting communication between legitimate nodes in the network. Physical layer jamming can be combined with MAC layer jamming to improve the efficiency of the attack. Technologies that improve the robustness of communication systems against jamming include spread spectrum (direct sequence, frequency hopping, wideband frequency hopping and parallel sequence), ultra-wideband modulation, power control and multi-antenna systems.

MAC layer attacks can be divided into MAC forgery, MAC spoofing, MAC identity theft, MAC man-in-the-middle and MAC jamming. MAC forgery is the use of legitimate MAC addresses for malicious purposes. MAC spoofing is changing the original MAC address of a device to hide its true identity and impersonate a legitimate node in order to gain authorized access to the destination device in the network. In MAC identity theft, a malicious node eavesdrops on network traffic and steals a MAC identity to access confidential information on the victim node. In a MAC man-in-the-middle attack, the attacker intercepts the addresses of two legitimate nodes and poses as the relay between them in order to steal the data they exchange.

In addition, jamming can also be performed at the MAC layer. MAC layer jamming requires some understanding of the system's protocol, which increases the severity and efficiency of the attack and, compared with PHY layer jamming, also lowers the attacker's energy consumption [5]. Current jamming methods fall into two categories: statistical jammers and protocol-aware jammers. Statistical jammers observe the distribution of inter-arrival times between packets and use it to disrupt communication effectively. The usual way to counter statistical jammers is to randomize the transmission schedule or the size of the transmitted data, but both methods involve added delay, hardware requirements (memory) and high overhead [6]. Protocol-aware jammers know the details of the MAC layer and can block legitimate nodes from accessing the communication channel. Many countermeasures exist for this problem; they can be combined with the wake-up time, delivery time, frame length or channel technique used by hidden nodes for communication [7]. Another type of MAC jammer is network injection, in which malicious nodes establish unnecessary ad-hoc paths to certain victim nodes and send useless traffic, wasting the wireless bandwidth and resources of the victim network.

3. PHY layer security in factory automation wireless systems

The current security measures of wireless communication systems involve too many complex operations and upper layer protocols, which can lead to communication performance that does not meet the requirements of factory automation. The delay introduced by the algorithms and processes of security measures must always stay below the specifications of factory automation wireless systems. Figure 1 shows the classification of security technologies for PHY-specific attacks.
The classification includes three aspects: spoofing, jamming and eavesdropping.

Figure 2 Classification of PHY layer security technologies

The fundamental measure to prevent eavesdropping attacks in wireless communications is information theoretic security. Confidential key management requires a dedicated architecture, which is not always feasible in sensor-actuator networks. Wyner addressed this problem by proposing the wiretap channel model [8]. This model is applicable to Gaussian channels, fading channels and MIMO communication systems. PHY security techniques use artificial noise to interfere with the eavesdropper's channel without affecting the legitimate communication link. Multiple antennas or cooperative relays can be used to generate noise for selective interference. Beamforming can also be a tool to increase the protection of wireless systems [9]. The basic goal is to improve the performance of the required link while degrading the eavesdropping link (reducing its SNR, generating interference, etc.), thereby maximizing the confidentiality of the communication.

Encryption is an alternative method to ensure the confidentiality of the information exchanged on the wireless link. Although upper layer cryptography uses complex algorithms to make the eavesdropper's decryption time long, the performance of the transmission is also affected. PHY encryption can instead maximize security by exploiting the unpredictable characteristics of the propagation channel [10]. PHY encryption does not require expensive computing resources, and the security level depends only on the behavior of the propagation channel. The success of this field depends on two factors: key generation and the agreement process between nodes. In the key generation problem, the communicating devices measure the wireless channel characteristics (usually the channel impulse response or the received signal strength) and use them as a shared random source to create a shared key. In the key generation process the channel is assumed to be reciprocal between the nodes, so that in theory the key obtained at each end is the same. At the same time, generating secret bits at a high rate requires fast and random channel changes, so that a sufficiently long key is obtained with minimal delay relative to the data transmission speed. Efficient and robust key generation therefore depends largely on the propagation conditions between the nodes.

Spoofing attacks aim to impersonate legitimate nodes. Countermeasures against spoofing at the PHY layer exploit the unique features of each wireless communication link. The basic principle of PHY anti-spoofing is to expect anomalies in the propagation channel characteristics between two legitimate nodes. System nodes exchange and analyze predefined waveforms or measure the propagation channel. The results of the analysis are unique to their channel, so no malicious node can forge a legitimate identity to deceive a legitimate node. Identity can be defined using a unique hardware fingerprint of each device [10]. Reference fingerprints and the available metrics are diverse: jitter, pulse slope characteristics, clock, transients, waveform impairments, modulation, or a combination of them. A second approach exploits propagation channel variables that are uniquely associated with the node's wireless link to identify legitimate nodes. A malicious node attempting to spoof communication will present different propagation channel parameters if it is located at a sufficiently large distance from any legitimate node. The most straightforward scheme uses RSSI variation statistics as a signature, while more sophisticated strategies use CSI data [11].

A large number of PHY security technologies in wireless systems are dedicated to countering jamming attacks. They include radio frequency (RF) techniques, spread spectrum, time synchronization and combined PHY/MAC techniques.
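As an added illustration (not code from this article or from the surveys it cites), the following Python simulation sketches the channel-based key generation just described: two legitimate ends observe a constructed reciprocal channel trace through independent measurement noise, quantize it with a guard band, reconcile the kept sample indices over the public channel, and compare their key disagreement with that of an eavesdropper whose channel is independent. The Gaussian channel model, the quantizer, the noise levels and the function names are assumptions made for the example.

```python
import random
import statistics

def reciprocal_channel(n, rng):
    """Constructed channel trace (normalized gain) seen identically by both ends."""
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def observe(channel, noise_std, rng):
    """One node's noisy RSSI-style measurement of the channel trace."""
    return [h + rng.gauss(0.0, noise_std) for h in channel]

def quantize(samples, guard=0.2):
    """Bit 1 above mean+guard*std, bit 0 below mean-guard*std; the guard band in
    between yields None so near-threshold samples are dropped rather than guessed."""
    mu, sd = statistics.fmean(samples), statistics.pstdev(samples)
    hi, lo = mu + guard * sd, mu - guard * sd
    return [1 if s > hi else 0 if s < lo else None for s in samples]

def reconcile(bits_a, bits_b):
    """Index agreement exchanged in the clear: positions both ends kept.
    Positions reveal nothing about the bit values themselves."""
    return [i for i, (a, b) in enumerate(zip(bits_a, bits_b))
            if a is not None and b is not None]

def mismatch_rate(key_a, key_b):
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)

def run(n=512, noise_std=0.1, seed=1):
    """Return kept-bit count and key mismatch rates for Alice/Bob and Alice/Eve."""
    rng = random.Random(seed)
    h = reciprocal_channel(n, rng)
    alice = quantize(observe(h, noise_std, rng))
    bob = quantize(observe(h, noise_std, rng))
    # Eve sits well over half a wavelength away, so her channel is independent.
    eve = quantize(observe(reciprocal_channel(n, rng), noise_std, rng))
    idx = reconcile(alice, bob)
    key_a = [alice[i] for i in idx]
    key_b = [bob[i] for i in idx]
    key_e = [eve[i] if eve[i] is not None else 0 for i in idx]  # Eve must guess gaps
    return {"bits": len(idx),
            "legit_mismatch": mismatch_rate(key_a, key_b),
            "eve_mismatch": mismatch_rate(key_a, key_e)}

if __name__ == "__main__":
    print("quasi-static channel:", run())
    print("poor reciprocity (noise_std=1.5):", run(noise_std=1.5))
```

Raising noise_std stands in for a channel that is no longer quasi-static between the two measurements, and the legitimate mismatch rate climbs accordingly, which is the reciprocity problem the text points out.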
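The RSSI variation signature mentioned above for spoofing detection, worked through as an added example that is not part of the article: a receiver profiles the RSSI of frames carrying one node's address, then flags a later window whose RSSI statistics no longer fit that profile. The RSSI values are constructed, and the standard-error threshold and the floor on the baseline spread are assumptions.

```python
import statistics

# Constructed RSSI readings (dBm) of frames carrying one legitimate node's address,
# captured by the same receiver while the node sat at its fixed position.
BASELINE_RSSI = [-61.2, -60.8, -62.0, -61.5, -60.9, -61.7, -62.3, -61.1, -60.6, -61.9]
# Constructed later windows with the same source address: a genuine one, and one
# from a device transmitting from a clearly different location.
LEGIT_WINDOW = [-61.4, -62.1, -60.7, -61.8, -61.0]
SPOOFED_WINDOW = [-74.5, -73.9, -75.2, -74.1, -73.6]

def build_profile(samples, std_floor=0.5):
    """RSSI signature for an address: mean and spread of the baseline trace.
    The floor keeps an unusually stable baseline from making the check hair-trigger."""
    return {"mean": statistics.fmean(samples),
            "std": max(statistics.pstdev(samples), std_floor)}

def window_z(profile, window):
    """How many standard errors the window's mean RSSI lies from the profile mean."""
    stderr = profile["std"] / len(window) ** 0.5
    return abs(statistics.fmean(window) - profile["mean"]) / stderr

def is_spoof_suspect(profile, window, threshold=4.0):
    """Flag the window when its RSSI statistics no longer match the signature."""
    return window_z(profile, window) > threshold

if __name__ == "__main__":
    profile = build_profile(BASELINE_RSSI)
    for name, win in (("legit", LEGIT_WINDOW), ("spoofed", SPOOFED_WINDOW)):
        print(name, round(window_z(profile, win), 1), is_spoof_suspect(profile, win))
```

As the text notes, the signature only separates nodes that are sufficiently far apart; an impostor close to the legitimate node presents similar RSSI statistics and passes this check.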
Spread spectrum is one of the most widely used protection strategies, including traditional frequency hopping spread spectrum (FH-SS), direct sequence spread spectrum (DS-SS) and various combinations. Other spread spectrum strategies such as bandwidth hopping spread spectrum (BH-SS) are also under investigation. Parallel sequence spread spectrum is the latest solution for industrial communication environments. Ultra-wideband (UWB) relies on principles similar to spread spectrum. There is no consensus on the practical use of DS-SS and UWB in preventing jamming. The hardware complexity and power consumption of DS-SS, and the transmit power limitations of the currently available standards (IEEE 802.15.4), are the main technical drawbacks. Other anti-jamming technologies relate to the RF aspects of the protected communication system, for example regulated transmit power, antenna polarization and directional transmission. Time synchronization can protect communications from reactive jammers. These attackers try to improve their energy efficiency by jamming only at selected points in time when communication occurs. A reactive jammer must listen to the channel for a certain amount of time to confirm whether a signal is being transmitted, so the time the attacker inherently needs to check the channel can be used by the communication system to evade jamming [12]. Finally, some strategies combine PHY and MAC anti-jamming tools by modifying frame and packet characteristics. In all cases the goal is to hide the MAC protocol functionality from the smart (MAC-level) jammer. Another approach adds data protection to withstand time-selective short jammers. Other anti-jamming solutions address the problem in multi-node environments by isolating jammed areas and jammed nodes; the system then uses the remaining nodes to maintain overall network functionality as far as possible.

4. Conclusion

Currently, wireless networks are increasingly used in industry, and security issues are particularly prominent. This article sorts out the current security threats to, and security measures for, the physical layer of wireless networks, so as to deepen the understanding of industrial wireless network physical layer security.

References

[1] P. Angueira et al., "A Survey of Physical Layer Techniques for Secure Wireless Communications in Industry," IEEE Communications Surveys & Tutorials, vol. 24, no. 2, pp. 810-838, Second Quarter 2022.
[2] Y. Zou, J. Zhu, X. Wang and L. Hanzo, "A Survey on Wireless Security: Technical Challenges, Recent Advances, and Future Trends," Proceedings of the IEEE, vol. 104, no. 9, pp. 1727-1765, Sept. 2016.
[3] Y.-S. Shiu, S. Y. Chang, H.-C. Wu, S. C.-H. Huang and H.-H. Chen, "Physical layer security in wireless networks: A tutorial," IEEE Wireless Commun., vol. 18, no. 2, pp. 66-74, Apr. 2011.
[4] J. Hua, S. Jiang, W. Lu, Z. Xu and F. Li, "A novel physical layer encryption algorithm based on statistical characteristics of time-selective channels," IEEE Access, vol. 6, pp. 38225-38233, 2018.
[5] T. Hamza, G. Kaddoum, A. Meddeb and G. Matar, "A survey on intelligent MAC layer jamming attacks and countermeasures in WSNs," in Proc. 84th IEEE Veh. Technol. Conf. (VTC-Fall), Montreal, QC, Canada, Sep. 2016, pp. 1-5.
[6] A. Hussain, N. A. Saqib, U. Qamar, M. Zia and H. Mahmood, "Protocol-aware radio frequency jamming in Wi-Fi and commercial wireless networks," J. Commun. Netw., vol. 16, no. 4, pp. 397-406, Aug. 2014.
[7] Y. W. Law, M. Palaniswami, L. V. Hoesel, J. Doumen, P. Hartel and P. Havinga, "Energy-efficient link-layer jamming attacks against wireless sensor network MAC protocols," ACM Trans. Sens. Netw., vol. 5, no. 1, p. 6, Feb. 2009.
[8] A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355-1387, Oct. 1975.
[9] F. Zhu and M. Yao, "Improving physical-layer security for CRNs using SINR-based cooperative beamforming," IEEE Trans. Veh. Technol., vol. 65, no. 3, pp. 1835-1841, Mar. 2016.
[10] J. Zhang, T. Q. Duong, A. Marshall and R. Woods, "Key generation from wireless channels: A review," IEEE Access, vol. 4, pp. 614-626, 2016.
[11] K. Zeng, K. Govindan and P. Mohapatra, "Non-cryptographic authentication and identification in wireless networks [security and privacy in emerging wireless networks]," IEEE Wireless Commun., vol. 17, no. 5, pp. 56-62, Oct. 2010.
[12] S. Fang, Y. Liu and P. Ning, "Wireless communications under broadband reactive jamming attacks," IEEE Trans. Dependable Secure Comput., vol. 13, no. 3, pp. 394-408, May/Jun. 2016.