A Hybrid Access Control Model for CIM-Based SCADA System
Subject Areas: electrical and computer engineering
P. Mahmoudi Nasr 1, A. Yazdian Varjani 2 *
1 - Tarbiat Modares University
2 - Tarbiat Modares University
Keywords: Access control, CIM, insider threat, SCADA
Abstract:
An insider attack is one of the most dangerous threats to the security of a critical infrastructure (CI). An insider attack occurs when an authorized operator misuses his/her permissions in order to perform malicious operations in the CI. Granting an operator too many permissions may backfire when the operator abuses his/her privileges, either intentionally or unintentionally. Therefore, an access control model is required that provides only the necessary permissions in order to prevent malicious operations. In this paper, a hybrid access control model (HAC) is proposed for CI applications that are monitored and controlled by a CIM (IEC-61970-301 common information model)-based supervisory control and data acquisition system. The proposed HAC is an extension of the mandatory and role-based access control models. In the proposed model, the permissions of an operator are determined according to the predefined types of responsibilities, grid statuses, activation times of roles, security levels, and their periods of validity. A colored Petri net is employed to simulate and illustrate the effectiveness of the proposed HAC.