A twofold model for the analysis of access control policies in industrial networked systems

Requirements concerning the specification and correct implementation of access control policies have become more and more popular in industrial networked systems in recent years. Unfortunately, the peculiar characteristics of industrial systems often prevent the designer from taking full advantage of technologies and techniques already developed and profitably employed in other application areas. In particular, the unavailability and/or impossibility of adopting hardware (h/w) and software (s/w) mechanisms able to automatically enforce policies defined at a high level of abstraction often means that the correctness of the policy implementation in the real system has to be checked manually. The first step towards carrying out this cumbersome task in an automated way is the development of a model able to capture both the high-level policy specification and the details and low-level mechanisms characterizing the actual system implementation. This paper introduces a twofold model for the description of access control policies in industrial environments, which is aimed at meeting this requirement and can be profitably adopted in several kinds of automated analysis.

A model to describe access control policies in industrial networked systems. The model allows the high-level description of access control policies in RBAC. The model allows the detailed description of the real system's low-level mechanisms. The model allows automated analysis of the correctness of policy implementation.
