Attribute Based Access Control (ABAC) R&D, Dr. Karl Waedt, 2020-09-10, Erlangen
Confidentiality: Framatome (external). © Framatome - All rights reserved
Data Communications Systems
Attribute Based Access Control (ABAC for Smart Grid & IACS) in Industrial Practice
Dr. Karl Waedt, Framatome GmbH; Asmaa Tellabi, PhD Candidate, Framatome GmbH; Venesa Watson, PhD Candidate; Xinxin Lou, PhD Candidate, Framatome GmbH
Erlangen 2020-09-10
Topics
1. Standardization Context and Industry Needs
2. Industrial ABAC R&D Context
3. Lab & Prototypes at Framatome GmbH / Covalion
4. Scalable ABAC Architecture for IACS
5. Ongoing PhD Candidate Topics
6. Summary and Outlook
1. Standardization Context and Industry Needs
Horizontal Standards
Vertical Standards
(Industry) Domain-specific Standards
Standardization Context Example: Safety & Security
▪ IEC 61513: Nuclear Power Plants (NPPs) – I&C Systems Important to Safety – General Requirements
▪ IEC 62645:2019: NPPs – I&C and EPS – Cybersecurity Requirements
▪ IEC 62859:2016: NPPs – I&C Systems – Requirements for Coordinating Safety and Security
▪ IEC 61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector
▪ IEC 62443-x-x: Industrial communication networks – Network and system security – …
▪ IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
▪ IEC 62541-8: OPC Unified Architecture – Data Access
▪ IEC 63096 FDIS: NPPs – I&C and EPS – Security Controls
▪ ISO 26262: Road vehicles – Functional Safety
▪ ISO/SAE DIS 21434: Road vehicles – Cybersecurity engineering …
▪ IEC 61850: Communication networks and systems for power utility automation – …
▪ IEC 62351-8:2020: … Data and communications security – Role-based access control for power system management
Administrative and Technical Access Control: Industry Needs
Attacks on complex Industrial Automation and Control Systems (IACS)
and Insider Attacks in Cyber-Physical Systems (CPS):
▪ CPS: systems comprising physical processes (e.g. Smart Grids or IACS) that are controlled by digital systems
➢ includes power plants, see IAEA CRP J02008 R&D / Asherah virtual NPP
➢ includes most Safety Automation and Operational Technology (OT)
➢ includes OT and IT interconnections
▪ Misbehavior, whether malicious or accidental → can cause malfunction of equipment → which can cause damage to health, safety and environment (HSE); e.g. NSS 8: Preventive and Protective Measures against Insider Threats
▪ Beyond the administrative measures, adequate support by standardized technical measures is needed
Access Control: Practical RBAC
Practical generic RBAC concepts
▪ Subject names change more frequently than role names
➢ Frequently changing entities are stored outside the object
▪ Area of Responsibility (AoR), e.g. based on network segregation
▪ Security is a distributed service
➢ Applications are consumers of distributed services
▪ Authorization separated from authentication
Figure: Subject (Human User or Automated Agent) → Object, with Identity Provider and Repository as separate distributed services
Access Control - RBAC for Power System Management
Session
▪ associated with a single subject
Separation of duty
▪ static or
▪ dynamic
Mappings by Administrator:
▪ Subject → Role
▪ Role → Permissions
IEC 62351-8:2020 – … Data and communications security – Role-based access control for power system management
Access Control - RBAC “Role Explosion”
Unintended consequence
▪ Further access restrictions require
▪ → addition of roles
▪ → additional mappings to subjects
▪ → “Role Explosion”
RBAC:
▪ Well suited for a small / limited number of roles
▪ Limited flexibility
▪ No subject attributes
▪ No object attributes
▪ No consideration of the environment
Bottleneck
▪ Roles → “Role Explosion”
2. Industrial ABAC R&D Context
Impact of Industrie 4.0
Use of OPC UA
Access Control, Correlations and Forensic Readiness
Heterogeneous Access Control Approaches
ABAC R&D Impact of Industry 4.0 (Standardization Roadmap V4)
Multiple Access Control Schemes from
▪ Machine suppliers
▪ Engineering tool providers
▪ Service providers
▪ Logistics providers
▪ Maintenance service providers
Access Control: Industry Support – Use of OPC UA in Industry
OPC Unified Architecture
▪ Main communications protocol of I4.0
▪ Standardized by IEC 62541-x
▪ External industrial grade OPC UA software libraries available
✓ E.g. for server or client
✓ Like MatrikonOPC (used via OPC UA server license in SIPLUG Monitoring equipment of Framatome GmbH)
▪ Allows savings of up to 90%
✓ If clients already have OPC UA support
▪ No ABAC grade access control yet
Figure: Monitoring Equipment, e.g. SIPLUG with newest Industry 4.0 Interoperability – OPC Unified Architecture
Access Control: Requirements – Tamper-proof Logging
Figure: Local Storage – Tamper-proof Logging – Actuation – Monitoring
Secure Handling of Heavy Doors & Gates
▪ Independent networks and digital devices for actuation and monitoring of heavy doors & gates controlled by automation and pneumatic equipment
▪ Read-only access via monitoring networks
▪ Full tracking for and correlation with other controls, for forensic readiness and for SIEM
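One way to meet the tamper-proof logging requirement on the local storage of a monitoring device is a hash-chained append-only log. The following is an added example in Python, not Framatome's or the project's code; the gate events and asset names are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # hypothetical anchor value for the first record


def record_digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous digest plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a copy of the record, linking it to the current chain head."""
    record = dict(record)  # copy so later edits of the caller's dict cannot touch the log
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev_hash, "record": record,
             "hash": record_digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Index of the first broken link, or -1 if the whole chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev"] != prev_hash
                or entry["hash"] != record_digest(prev_hash, entry["record"])):
            return i  # edited, removed or reordered entry detected here
        prev_hash = entry["hash"]
    return -1


# Constructed sample events as a read-only monitoring network would see them.
SAMPLE_EVENTS = [
    {"ts": "2020-09-10T08:00:00Z", "asset": "gate-07", "event": "open-cmd", "subject": "plc-a"},
    {"ts": "2020-09-10T08:00:02Z", "asset": "gate-07", "event": "position", "value": "open"},
    {"ts": "2020-09-10T08:05:00Z", "asset": "gate-07", "event": "close-cmd", "subject": "plc-a"},
]


def build_sample_log() -> list:
    """Chain the sample events into a fresh log."""
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    return log


def demo_tamper() -> int:
    """Rewrite the second stored record after the fact; verification flags index 1."""
    log = build_sample_log()
    log[1]["record"]["value"] = "closed"  # stored gate position altered in local storage
    return verify(log)
```

A chain on its own only proves internal consistency: the current head hash also has to leave the device (for example forwarded with each batch to the SIEM) so that a wholesale rewrite of the local store remains detectable.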
SCADA Specific Controls: OPANASec
Supervisory control and data acquisition (SCADA)
▪ Complementary Security Controls
➢ Making use of specifics of the HW and FW of embedded systems
➢ E.g. OPANASec based on Function Block level mechanisms
▪ To be considered with industrial ABAC solutions
Figure: OPANASec protection for SCADA
Note: OPANASec trademark registration and patents pending
3. Lab & Prototypes
Framatome GmbH
Covalion (separate presentation)
ABAC R&D - Objective: Similar tests as in LNI4.0
In a general context …
Labs Network I4.0 (LNI)
▪ Practical Tests
▪ Test Scenarios
▪ Validated results for standardization
ABAC R&D: Electrical Power Systems (EPS) Example
Full OPC UA interoperability requires
▪ New Siemens TIA Portal SW (V15.1 or newer)
▪ Windows 10 Clients
▪ Linux Clients (to do)
Figure: Electrical Circuit Diagram of FWP
ABAC R&D: Complete OPC UA Interconnectivity
Figures: Electrical Power System of Virtualized Plant; Left Side of Test Lab; Top View of Left Side of Test Lab; S7-1500 Equipment in Test Lab; SIPROTEC Equipment in Test Lab
4. Scalable ABAC Architecture for IACS
Complete Enterprise Framework
Transition Phase
ABAC R&D: Enterprise ABAC Scenario Example
Complete Enterprise Grade Framework
▪ Asset Management
▪ Identity Management
▪ Policy Information Point (PIP)
▪ Policy Decision Point (PDP)
▪ Policy Enforcement Point (PEP)
▪ Policy Administration Point (PAP)
▪ Environment Conditions
▪ Logging
▪ Auditability
▪ Repositories
➢ Policies
➢ Attributes
NIST SP 800-162 ABAC
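To make the NIST SP 800-162 component list concrete, and to show how attributes avoid the role explosion described for RBAC earlier in the deck, here is an added Python example of the PIP / PAP / PDP / PEP decision flow with environment conditions and an audit record. It is not Framatome's framework; the subjects, OPC UA node ids, attribute names and policies are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# PIP: attribute sources for subjects and objects (constructed sample data;
# the OPC UA node ids are hypothetical).
SUBJECTS = {
    "eng01":  {"aor": "EPS", "clearance": 2},   # maintenance engineer
    "agent7": {"aor": "EPS", "clearance": 1},   # automated monitoring agent
}
OBJECTS = {
    "ns=2;s=FWP.Breaker.Cmd":   {"aor": "EPS", "criticality": 2},
    "ns=2;s=FWP.Breaker.State": {"aor": "EPS", "criticality": 1},
}

# PAP: each policy is a predicate over (subject, object, action, environment).
Rule = Callable[[dict, dict, str, dict], bool]
POLICY: Dict[str, Rule] = {
    "read-in-aor": lambda s, o, a, e: a == "read" and s["aor"] == o["aor"],
    "write-in-maintenance-window": lambda s, o, a, e: (
        a == "write" and s["aor"] == o["aor"]
        and s["clearance"] >= o["criticality"]
        and e["maintenance_window"] and e["plant_mode"] != "operation"),
}


@dataclass
class Decision:
    permit: bool
    matched: List[str] = field(default_factory=list)


def pdp(subject: str, node: str, action: str, env: dict) -> Decision:
    """PDP: permit if any rule matches; deny by default, also for unknown names."""
    s, o = SUBJECTS.get(subject), OBJECTS.get(node)   # PIP lookups
    if s is None or o is None:
        return Decision(permit=False)
    matched = [name for name, rule in POLICY.items() if rule(s, o, action, env)]
    return Decision(permit=bool(matched), matched=matched)


AUDIT: List[dict] = []   # every decision is kept for auditability


def pep(subject: str, node: str, action: str, env: dict) -> bool:
    """PEP: ask the PDP, record the outcome with the matching rule names, enforce it."""
    decision = pdp(subject, node, action, env)
    AUDIT.append({"subject": subject, "node": node, "action": action,
                  "env": dict(env), "permit": decision.permit,
                  "rules": decision.matched})
    return decision.permit
```

The single write rule expresses what RBAC would need a distinct role per area of responsibility, clearance level and plant mode to express, and the environment condition (maintenance window, plant mode) has no RBAC counterpart at all.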
ABAC R&D - Integration with Virtualized Plant Solutions
Figure: High Level Block Diagrams of Controllers and of Plant Processes; HMI Data Point (OPC data source); I/O Tags from Matlab to OPC Server; OPC UA & Modbus TCP/IP Interfaces (transition phase)
(1) Transition from Modbus TCP/IP (directly or via e.g. Softing GW)
(2) Access to all data points modelled in OPC UA
(3) Scalable ABAC Solution
5. Ongoing PhD Candidate Topics
PhD Candidates
Master/Bachelor Students
ABAC R&D: PhD Candidate Topics
Framatome part of R&D started effectively in 2019
▪ Official project start 2018-10
▪ 2 PhD candidate positions
▪ Effectively 1-3 PhD candidates, but not continuously
University of Siegen Partner taking the lead
▪ Based on preliminary work on ABAC at the University
▪ Direct involvement in IEC TC 57 WG10
▪ IEC 61850 standard extension planned as baseline
ABAC R&D: PhD Candidate Topics
Key topics on Industry Side
▪ OPC UA solution based on preceding work of partner
▪ OPC UA solution based on open source OPC UA library extension
▪ Evaluation of several commercial and open source products
▪ Synergy with DECENT R&D project on Decentralized Energy Storage
▪ OPC UA use in heterogeneous environments
▪ Embedded devices (including Raspberry Pi4 for tests)
▪ Linux workstations
▪ User Interface for ABAC management tasks
▪ Integrated with process control level feedback
▪ Graphical editing of security policies
▪ Support of auditability related checks
▪ Multi-user synchronization
6. Summary and Outlook
R&D Completion on Industry Side
Industry Grade Prototype
Dissemination Deployment of R&D results
Access Control: Ongoing ABAC R&D at Industry Side
Summary of ongoing R&D activities (until March 31st 2021):
▪ OPC UA server implementation on embedded device
▪ OPC UA server and client implementations with Mixed Criticality
➢ Presentation of Asmaa Tellabi
➢ Including results from Master Thesis of Peter Ludgers
▪ Industry side performance measurements
▪ Further use cases (e.g. subscriber model) with open62541
▪ Use cases with gradually more complex data structures
➢ Modelled within OPC UA
➢ Containing safety-related data, e.g. signal value and signal status
▪ Extensible web based user interface
➢ Using Vue3, implemented in TypeScript (starting in October 2020)
▪ Outline for OPC UA standard extension recommendations (IEC 62541)
Access Control: Dissemination of ABAC R&D Results
Past dissemination activities:
▪ Booth at eWorld 2019 (only partner)
▪ Booth at eWorld 2020 (by partner with Framatome PhD candidates)
▪ 16th IEEE Internat. Conference on Industrial Informatics, INDIN 2018, Porto
▪ At IACS/GI Workshop in Kassel, Sept. 2019, (virtual) Sept. 2020
▪ At IAEA CRP J02008 related technical meetings
➢ Participants from 13 countries
➢ Gradual transition to use of OPC UA
▪ At DECENT R&D project meeting (10 partner institutes)
▪ At 3-days cybersecurity training in Shenzhen in 2019 (50 attendees)
▪ At inter-regional corporate exchange meetings on cybersecurity
▪ At internal world-wide corporate R&D exchange activities
Access Control: Deployment of ABAC R&D Results
Initial deployment activities:
▪ Preparation of a first potential offer (Smart Grid related)
▪ Contact to further interested industrial cybersecurity decision makers
▪ In-depth introductions to internal experts and sales staff
Planned deployment activities:
▪ Refinement of requirements for future IACS security hardware that will also be suitable for an ABAC gateway and firewall implementation
▪ Refinement of user interface requirements in line with corporate guidelines
▪ Preparation of positioning ABAC as a product in the cybersecurity products and services portfolio
Any reproduction, alteration, transmission to any third party or
publication in whole or in part of this document and/or its
content is prohibited unless Framatome has provided its prior
and written consent.
This document and any information it contains shall not
be used for any other purpose than the one for which they were
provided. Legal action may be taken against any infringer
and/or any person breaching the aforementioned obligations
Thank you