2.6 FDAP security

OneWireless Network protects plant information and ensures safe operations with industry-standard 128-bit
encryption at the mesh, Wi-Fi, and wireless field device levels. The FDAP offers robust embedded wireless
security.
FDAP authentication
FDAP1/FDAP2 Authentication
In addition to data encryption, the wireless standard requires each FDAP1/FDAP2 to be authenticated
before joining the network. OneWireless Network relies on a more secure IR authentication key
distribution method, as it requires users to be physically next to the FDAP1/FDAP2 to add it to the
network. The authentication keys are generated and managed by the WDM. A Provisioning Handheld
device is used to upload the authentication keys from the WDM to the Provisioning Handheld device and to
download the keys to the FDAP1/FDAP2 using IR media. The IR media is used to send an authentication key
from the Provisioning Handheld device to the FDAP1/FDAP2. Therefore, all Provisioning Handheld
devices and FDAP1/FDAP2 have IR ports for device commissioning. The keys are encrypted when
distributed over the network. Once a key is deployed to an FDAP1/FDAP2, it is validated by the WDM
before the FDAP1/FDAP2 can join the OneWireless Network.
FDAP Gen3 Authentication
In addition to data encryption, the wireless standard requires each FDAP Gen3 to be authenticated before
joining the network. OneWireless Network relies on a more secure Bluetooth Low Energy (BLE)
module authentication key distribution method, as it requires users to be physically next to the FDAP
Gen3 to add it to the network. The BLE module has a range of 10 meters in radius. The authentication keys
are generated and managed by the WDM. A Provisioning Handheld device is used to upload the
authentication keys from the WDM to the Provisioning Handheld device and to download the keys to the FDAP
Gen3 using the BLE module. The BLE module is used to send an authentication key from the Provisioning
Handheld device to the FDAP Gen3. Therefore, all Provisioning Handheld devices and FDAP Gen3
have BLE modules for device commissioning. The keys are encrypted when
distributed over the network. Once a key is deployed to an FDAP Gen3, it is validated by the WDM
before the FDAP Gen3 can join the OneWireless Network.
Key deployment is a one-time activity; that is, the devices can rejoin the network after power down or after any
other service interruption without re-keying the device. OneWireless supports a key rotation mechanism to
enable a secure network. Once the devices join the network, a master key and a session key are assigned to each
device, and the session key can be rotated on a periodic basis. The key rotation period can be configured from
the OneWireless user interface. For best system performance, it is recommended to set the key rotation period
as infinite.
In addition, from the OneWireless R210 release onwards, over-the-air provisioning is supported for all ISA100
devices. This allows the FDAPs to join the secure OneWireless Network and establish communication with
other devices and the WDM.
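The key lifecycle described above (a WDM-generated key, validation before join, rejoin without re-keying, and periodic session key rotation) is modeled below in Python as an added example; it is not code from the manual or from OneWireless. The HMAC challenge-response used for validation, all class, function and field names, and the abstract time units are assumptions, since the manual does not describe the actual join exchange.

```python
import hashlib
import hmac
import secrets


class WDM:
    """Toy Wireless Device Manager (assumed model): owns join keys and session state."""

    def __init__(self, rotation_period=None):  # None models the "infinite" setting
        self.rotation_period = rotation_period
        self.join_keys = {}   # device id -> 128-bit key generated for commissioning
        self.pending = {}     # device id -> outstanding single-use challenge
        self.sessions = {}    # device id -> master key, session key, issue time

    def generate_join_key(self, dev_id):
        # This is the key the Provisioning Handheld would carry to the device.
        self.join_keys[dev_id] = secrets.token_bytes(16)
        return self.join_keys[dev_id]

    def challenge(self, dev_id):
        self.pending[dev_id] = secrets.token_bytes(16)
        return self.pending[dev_id]

    def validate_join(self, dev_id, proof, now=0):
        # Assumed check: the device proves possession of its key over a fresh nonce.
        key = self.join_keys.get(dev_id)
        nonce = self.pending.pop(dev_id, None)
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.sessions[dev_id] = {"master": secrets.token_bytes(16),
                                 "session": secrets.token_bytes(16), "issued": now}
        return True

    def session_key(self, dev_id, now):
        # Only the session key rotates; the master key is left untouched.
        s = self.sessions[dev_id]
        if self.rotation_period is not None and now - s["issued"] >= self.rotation_period:
            s["session"], s["issued"] = secrets.token_bytes(16), now
        return s["session"]


def join(wdm, dev_id, stored_key, now=0):
    """Device side: answer the WDM challenge with the key stored at commissioning."""
    proof = hmac.new(stored_key, wdm.challenge(dev_id), hashlib.sha256).digest()
    return wdm.validate_join(dev_id, proof, now)
```

With `rotation_period=None` the session key issued at join time stays in use until the device next joins, which is the exposure window to weigh against the performance recommendation.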
Embedded Wireless security
To reduce security threats, wireless devices require all process data to be 128-bit encrypted. The data is
encrypted at the source and decrypted at the destination to provide end-to-end security for the process data. The
FDAPs self-discover other neighboring wireless routing devices, such as Access Points and routing wireless
field devices, to form a reliable and secure wireless mesh network.
The wireless routing algorithm enables an FDAP to dynamically identify the best route to send data to and from
wireless field devices. This algorithm enables the field device mesh network to dynamically re-optimize itself
when FDAPs are added to or removed from the network.
2 INTRODUCTION TO FDAP
This manual is also suitable for:

Ow-fdap32Fdap3p