Cracking the channel hopping sequences in IEEE 802.15.4e-based industrial TSCH networks.

2019 
Industrial networks typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, and oil refineries. Although typical industrial applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. IEEE 802.15.4-based Wireless Sensor-Actuator Network (WSAN) technology is appealing for constructing industrial networks because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power. To address the stringent real-time and reliability requirements, WSANs made a set of unique design choices, such as employing Time-Synchronized Channel Hopping (TSCH) technology, that distinguish them from traditional wireless sensor networks, which require only best-effort services. The function-based channel hopping used in TSCH simplifies network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences by silently observing the channel activities and put the network in danger of selective jamming attacks. To our knowledge, this paper represents the first systematic study that investigates the security vulnerability of TSCH channel hopping in IEEE 802.15.4e under realistic traffic. In this paper, we demonstrate the process of cracking the TSCH channel sequences, present two case studies using publicly accessible TSCH implementations (developed for Orchestra and WirelessHART), and provide a set of insights.