A schedule randomization policy to mitigate timing attacks in WirelessHART networks

Industrial control systems consist of large-scale wireless sensor-actuator networks (WSAN) that control the physical plant. The communications between the sensors and the actuators need to be reliable and guaranteed within strict deadlines for safe operation of all the system components in industrial setups. WirelessHART is the most suitable and widely adopted WSAN standard that serves as the medium of communication in industries. To satisfy deadlines of real-time flows in WirelessHART networks, the centralized network manager decides the communication schedule during network initialization. The same schedule repeats every hyperperiod. The repetitive nature of the communication slots over every hyperperiod makes the system vulnerable to timing attacks which can eventually disrupt the safety of the system. To mitigate such attacks, we propose SlotSwapper, a moving target defense mechanism that randomizes the communication slots over a hyperperiod schedule without violating the feasibility constraints of real-time flows in WirelessHART networks. We show that SlotSwapper is optimal for single-channel WirelessHART network with real-time harmonic flows. We extensively evaluated our algorithm with 4800 flow sets over 100 Tmote sky motes in Cooja simulator. We use Prediction Probability of slots of a schedule to measure the security provided by SlotSwapper. We use Kullback–Leibler divergence to measure the divergence of our solution w.r.t. a truly random solution.