DOI: 10.1145/3510547.3517926
research-article
Public Access

Attribute Based Access Control Model for Protecting Programmable Logic Controllers

Published: 28 April 2022

Abstract

Industrial Control Systems (ICS) were traditionally designed as stand-alone systems, isolated from Internet Technology (IT) networks. With advances in communication technology, the attack surface has increased; vulnerabilities in ICS components such as Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs) can now be accessed and exploited. Authentication and access control form the first level of defense for protecting ICS from attacks. Unfortunately, vulnerabilities stemming from improper authentication and access control are very common. We investigate these vulnerabilities, specifically those centered around PLCs, and demonstrate how the use of Attribute-Based Access Control (ABAC) helps protect against them and makes ICS more resilient to attacks. We design an ABAC model for PLCs, show how it can be enforced, analyze the resulting system, and demonstrate its resilience against some sample vulnerabilities.

Supplementary Material

MP4 File (satfp20-gowdanakatte.mp4)
Recorded presentation for Attribute Based Access Control Model for Protecting Programmable Logic Controllers

Cited By

  • (2024) An Access Control Method Against Unauthorized and Noncompliant Behaviors of Real-Time Data in Industrial IoT. IEEE Internet of Things Journal 11:1 (708-727). DOI: 10.1109/JIOT.2023.3285992. Online publication date: 1-Jan-2024
  • (2023) Model Based Risk Assessment and Risk Mitigation Framework for Cyber-Physical Systems. 2023 5th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA) (203-212). DOI: 10.1109/TPS-ISA58951.2023.00034. Online publication date: 1-Nov-2023

Published In

Sat-CPS '22: Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
April 2022
124 pages
ISBN:9781450392297
DOI:10.1145/3510547
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attribute-based access control (abac)
  2. cybersecurity
  3. human machine interface (hmi)
  4. industrial control systems (ics)
  5. programmable logic controller (plc)
  6. role based access control (rbac)
  7. supervisory control and data acquisition (scada)

Qualifiers

  • Research-article

Conference

CODASPY '22
Article Metrics

  • Downloads (Last 12 months): 105
  • Downloads (Last 6 weeks): 15
Reflects downloads up to 10 Nov 2024
