Access Control Management for SCADA Systems

The information technology revolution has transformed all aspects of our society including critical infrastructures and led a significant shift from their old and disparate business models based on proprietary and legacy environments to more open and consolidated ones. Supervisory Control and Data Acquisition (SCADA) systems have been widely used not only for industrial processes but also for some experimental facilities. Due to the nature of open environments, managing SCADA systems should meet various security requirements since system administrators need to deal with a large number of entities and functions involved in critical infrastructures. In this paper, we identify necessary access control requirements in SCADA systems and articulate access control policies for the simulated SCADA systems. We also attempt to analyze and realize those requirements and policies in the context of role-based access control that is suitable for simplifying administrative tasks in large scale enterprises.

[1]  James Lyle Peterson,et al.  Petri net theory and the modeling of systems , 1981 .

[2]  Tadao Murata,et al.  Petri nets: Properties, analysis and applications , 1989, Proc. IEEE.

[3]  Kurt Jensen,et al.  Coloured Petri Nets: Basic Concepts, Analysis Methods and Practical Use. Vol. 2, Analysis Methods , 1992 .

[4]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[5]  P. Samarati,et al.  Access control: principle and practice , 1994, IEEE Communications Magazine.

[6]  Ravi S. Sandhu,et al.  Rationale for the RBAC96 family of access control models , 1996, RBAC '95.

[7]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[8]  Kurt Jensen,et al.  Coloured Petri nets (2nd ed.): basic concepts, analysis methods and practical use: volume 1 , 1996 .

[9]  Emil C. Lupu,et al.  Role-based security for distributed object systems , 1996, Proceedings of WET ICE '96. IEEE 5th Workshop on Enabling Technologies; Infrastucture for Collaborative Enterprises.

[10]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.

[11]  Ravi S. Sandhu,et al.  The URA97 Model for Role-Based User-Role Assignment , 1997, DBSec.

[12]  Pierangela Samarati,et al.  Authentication, Access Controls, and Intrusion Detection , 1997, The Computer Science and Engineering Handbook.

[13]  Ravi S. Sandhu,et al.  How to do discretionary access control using roles , 1998, RBAC '98.

[14]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[15]  Gail-Joon Ahn,et al.  The RSL99 language for role-based separation of duty constraints , 1999, RBAC '99.

[16]  Ivar Jacobson,et al.  The Unified Modeling Language User Guide , 1998, J. Database Manag..

[17]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[18]  Konstantin Knorr,et al.  Analyzing Separation of Duties in Petri Net Workflows , 2001, MMM-ACNS.

[19]  Dana A. Shea Critical Infrastructure: Control Systems and the Terrorist Threat [Updated October 1, 2002] , 2002 .

[20]  Seng-Phil Hong,et al.  Reconstructing a formal security model , 2002, Inf. Softw. Technol..

[21]  Krzysztof Juszczyszyn,et al.  Verifying enterprise's mandatory access control policies with coloured Petri nets , 2003, WET ICE 2003. Proceedings. Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003..

[22]  Giovanni Cordeiro Barroso,et al.  An Advanced Function for the Supervisory System of an Electrical Distribution Substation: An Application using Colored Petri Nets , 2003, Modelling and Simulation.

[23]  Jason Edwin Stamp,et al.  COMMUNICATION VULNERABILITIES AND MITIGATIONS IN WIND POWER SCADA SYSTEMS , 2003 .

[24]  Chuang Lin,et al.  Security analysis of mandatory access control model , 2004, 2004 IEEE International Conference on Systems, Man and Cybernetics (IEEE Cat. No.04CH37583).

[25]  Basit Shafiq,et al.  A role-based access control policy verification framework for real-time systems , 2005, 10th IEEE International Workshop on Object-Oriented Real-Time Dependable Systems.