DOI: 10.1145/3339252.3340498
Research article

DTE Access Control Model for Integrated ICS Systems

Published: 26 August 2019

Abstract

Integrating Industrial Control Systems (ICS) with corporate IT systems is one of the most important industrial orientations. With recent cybersecurity attacks, the security of integrated ICS systems has become the priority of the industrial world. Access control technologies such as firewalls are very important for Integrated ICS (IICS) systems: they control communication across different networks in order to protect valuable resources. However, conventional firewalls are not always fully compatible with Industrial Control Systems. Firewalls can introduce significant latency, while ICS systems usually have very demanding timing requirements. In addition, most existing firewalls do not support all industrial protocols. This paper proposes a new access control model for integrated ICS systems based on Domain and Type Enforcement (DTE). The new model makes it possible to define and apply enforced access controls while respecting ICS timing requirements. Access controls are defined in a high-level language that ICS administrators can use with ease. This paper also proposes an initial generic ruleset based on the ISA95 functional model. This generic ruleset simplifies the deployment of DTE access controls and gives administrators a good introduction to DTE concepts.

Cited By

  • (2022) Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. Applied Cryptography and Network Security Workshops, pp. 104-123. DOI: 10.1007/978-3-031-16815-4_7. Online publication date: 24-Sep-2022
  • (2022) Hybrid isolation model for device application sandboxing deployment in Zero Trust architecture. International Journal of Intelligent Systems 37:12, pp. 11167-11187. DOI: 10.1002/int.23037. Online publication date: 26-Aug-2022

    Published In

    ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
    August 2019
    979 pages
    ISBN:9781450371643
    DOI:10.1145/3339252
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Access Control
    2. DTE Firewall
    3. Domain and Type Enforcement
    4. Security policy
    5. Segregation

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ARES '19

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%
