Engineered Systems Magazine

Security Concerns In Wireless Building Automation

August 4, 2006
New ultra-low power wireless networking technologies are making it practical to embed wireless communications into virtually any building automation product. But is a building that is wirelessly automated inherently vulnerable to malicious security hacks and threats?

Perhaps. Not all wireless environments are created equal. That’s why choosing a wireless system with strong security mechanisms will become increasingly critical as the technology permeates the building automation industry.

Fortunately, the ZigBee™ wireless networking standard requires a security policy based on 128-bit AES encryption to be designed into all ZigBee-compliant devices. ZigBee provides simple yet strong, end-to-end security. It offers a standardized toolbox of security specifications and software, and it is based on a 128-bit AES algorithm incorporating the strong security elements of the IEEE 802.15.4 standard. The ZigBee stack defines security for the MAC, network, and application layers. Its security services include methods for key establishment and transport, device management, and frame protection.

If design engineers choose to use a public application-specific ZigBee profile — such as for lighting or HVAC control — then the security decisions for their applications have already been made for them; they are predefined in the profile. And chances are that even if a developer intends to build a private profile application, he will choose the security mode in one of ZigBee’s predefined stack profiles.

Two levels of security

There are two primary security levels built into the ZigBee specification: a residential mode and a commercial mode. While both modes use the same security mechanisms built on 128-bit AES, the modes have different mechanisms for key distribution, for allowing new devices to join a secure network, and providing network vs. application layer security.

Security at the network layers serves to secure single hop transmissions at each step within the network. The ZigBee Alliance has developed a network layer security option to include additional functionality not available at the MAC layer, including the ability to reject data frames if their freshness cannot be verified.

This network security layer uses a global key that all ZigBee devices on the network share, and is good for applications that need general protection of their network with a basic level of security, e.g., protection against a nefarious device maliciously inserted packets into the network. If a developer needs to establish a route and exchange data between two devices and the network layer frames were not secure, that device could intercept and later replay the packets. Messages received without the proper security level are rejected by all devices in the network.

Typically, in residential applications, ease of installation is a key factor in the design and the security mechanisms must reflect this. Typical methods for allowing new devices to join a network and providing the security key are simple mechanisms such as selected button operations. An application developer within ZigBee can choose to preinstall security keys in such applications or a key can be chosen by the device starting the network and then sent briefly in the clear to a device when it joins the network. Because the start-up of a new device in these residential networks is often based on physical proximity, the risk of rogue devices joining the network is small.

Security is job one

For commercial installations, more security is required and has been provided within ZigBee. Security can be provided at the network level similar to residential security, however, if the application needs the strongest security possible, this can be done at the application layer. Security implemented here utilizes a unique key that can only be authenticated and decrypted by the other device possessing the key. This approach protects against both internal and external attacks, but it requires more memory to implement.

ZigBee commercial security also introduces the concept of a “trust center,” which allows devices into the network, distributes keys, and enables end-to-end security between devices. Only if the trust center approves a device is it allowed into the network and provided the security keys. The key distribution within these commercial networks is done using a master key to encrypt the key being sent to prevent other devices from intercepting a key update. The trust center can also manage encrypted network-wide key updates to ensure security is maintained by the use of new keys. While this centralized trust center requires more memory and imposes restrictions on network formation and growth, it provides a higher level of network and application security required for many applications.

While wireless building automation may pose future security threats, the security mechanisms in ZigBee make it an excellent solution for preventing data and wireless nodes from being compromised, stolen, replayed, or tampered with. The ZigBee security toolbox provides most everything needed by engineers to select the best level of security for their application.IBT