
Page 1

Attribute Based Access Control (ABAC) R&D, Dr. Karl Waedt, 2020-09-10, Erlangen

Confidentiality: Framatome (external). © Framatome - All rights reserved

Data Communications Systems

Attribute Based Access Control (ABAC for Smart Grid & IACS) in Industrial Practice

Dr. Karl Waedt, Framatome GmbH
Asmaa Tellabi, PhD Candidate, Framatome GmbH
Venesa Watson, PhD Candidate
Xinxin Lou, PhD Candidate, Framatome GmbH

Erlangen, 2020-09-10

Page 2

Topics

1. Standardization Context and Industry Needs

2. Industrial ABAC R&D Context

3. Lab & Prototypes at Framatome GmbH / Covalion

4. Scalable ABAC Architecture for IACS

5. Ongoing PhD Candidate Topics

6. Summary and Outlook

Page 3

1. Standardization Context and Industry Needs

Horizontal Standards

Vertical Standards

(Industry) Domain-specific Standards

Page 4

Standardization Context Example: Safety & Security

▪ IEC 61513: Nuclear Power Plants (NPPs) – I&C Systems Important to Safety – General Requirements
▪ IEC 62645:2019: NPPs – I&C and EPS – Cybersecurity Requirements
▪ IEC 62859:2016: NPPs – I&C Systems – Requirements for Coordinating Safety and Security
▪ IEC 63096 FDIS: NPPs – I&C and EPS – Security Controls
▪ IEC 61511: Functional Safety – Safety Instrumented Systems for the Process Industry Sector
▪ IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
▪ IEC 62443-x-x: Industrial communication networks – Network and system security – …
▪ IEC 62541-8: OPC Unified Architecture – Data Access
▪ ISO 26262: Road vehicles – Functional Safety
▪ ISO/SAE DIS 21434: Road vehicles – Cybersecurity engineering …
▪ IEC 61850: Communication networks and systems for power utility automation – …
▪ IEC 62351-8:2020: … Data and communications security – Role-based access control for power system management

Page 5

Administrative and Technical Access Control: Industry Needs

Attacks on complex Industrial Automation and Control Systems (IACS) and insider attacks in Cyber-Physical Systems (CPS):

▪ CPS: systems comprising physical processes (e.g. Smart Grids or IACS) that are controlled by digital systems
  ➢ includes power plants, see IAEA CRP J02008 R&D / Asherah virtual NPP
  ➢ includes most safety automation and Operational Technology (OT)
  ➢ includes OT and IT interconnections
▪ Misbehavior, whether malicious or accidental, can cause malfunction of equipment, which in turn can cause damage to health, safety and environment (HSE)
  e.g. IAEA NSS 8: Preventive and Protective Measures against Insider Threats
▪ Beyond administrative measures, adequate support by standardized technical measures is needed

Page 6

Access Control: Practical RBAC

Practical generic RBAC concepts

▪ Subject names change more frequently than role names
  ➢ Frequently changing entities are stored outside the object
▪ Area of Responsibility (AoR), e.g. based on network segregation
▪ Security is a distributed service
  ➢ Applications are consumers of distributed services
▪ Authorization separated from authentication

Figure: Subject (Human User or Automated Agent) → Object; Identity Provider; Repository

Page 7

Access Control: RBAC for Power System Management

Session
▪ associated with a single subject

Separation of duty
▪ static or
▪ dynamic

Mappings by Administrator:
▪ Subject → Role
▪ Role → Permissions

IEC 62351-8:2020 – … Data and communications security – Role-based access control for power system management

Page 8

Access Control: RBAC "Role Explosion"

Unintended consequence
▪ Further access restrictions require
  → addition of roles
  → additional mappings to subjects
  → "Role Explosion"

RBAC:
▪ Well suited for a small / limited number of roles
▪ Limited flexibility
▪ No subject attributes
▪ No object attributes
▪ No consideration of the environment

Bottleneck
▪ Roles → "Role Explosion"
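The session, separation-of-duty and administrator-mapping concepts of the last three slides, together with the role-explosion arithmetic, as an added worked example in Python. This is illustrative code written for this page; it is not code from the Framatome / University of Siegen project and not an implementation of IEC 62351-8. The role names, subjects, objects, permission tuples and SoD pairs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

# A permission is an (operation, object) pair, e.g. ("write", "breaker_Q1").


@dataclass(frozen=True)
class Session:
    """A session is bound to exactly one subject and a set of activated roles."""
    subject: str
    active_roles: frozenset


@dataclass
class RbacModel:
    role_perms: dict = field(default_factory=dict)      # role -> set of permissions
    subject_roles: dict = field(default_factory=dict)   # subject -> set of roles
    static_sod: set = field(default_factory=set)        # role pairs never co-assigned
    dynamic_sod: set = field(default_factory=set)       # role pairs never co-activated

    def add_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, subject: str, role: str) -> None:
        """Administrator mapping subject -> role; static SoD is checked here."""
        if role not in self.role_perms:
            raise KeyError(role)
        held = self.subject_roles.setdefault(subject, set())
        for other in held:
            if frozenset({role, other}) in self.static_sod:
                raise ValueError(f"static SoD: {subject} may not hold {role} and {other}")
        held.add(role)

    def open_session(self, subject: str, roles) -> Session:
        """Activate a subset of the subject's roles; dynamic SoD is checked here."""
        roles = frozenset(roles)
        if not roles <= self.subject_roles.get(subject, set()):
            raise PermissionError(f"{subject} is not assigned all of {sorted(roles)}")
        for a, b in combinations(roles, 2):
            if frozenset({a, b}) in self.dynamic_sod:
                raise PermissionError(f"dynamic SoD: {a} and {b} may not be active together")
        return Session(subject, roles)

    def check(self, session: Session, op: str, obj: str) -> bool:
        """Only the role -> permission mapping is consulted: no subject, object
        or environment attributes are available at this point."""
        return any((op, obj) in self.role_perms[r] for r in session.active_roles)


def roles_needed(base_roles: int, areas: int, shifts: int) -> int:
    """With roles as the only vocabulary, restricting each base role by area of
    responsibility and by shift multiplies the roles an administrator must
    create and map to subjects: the "role explosion" of the slide."""
    return base_roles * areas * shifts


def build_demo() -> RbacModel:
    """Constructed roles and assignments (illustrative names, assumed for the example)."""
    m = RbacModel()
    m.add_role("OPERATOR", {("read", "breaker_Q1"), ("write", "breaker_Q1")})
    m.add_role("MAINTENANCE", {("read", "breaker_Q1"), ("write", "breaker_Q1_config")})
    m.add_role("SECADM", {("write", "policy")})
    m.add_role("SECAUDITOR", {("read", "audit_log")})
    m.static_sod.add(frozenset({"SECADM", "SECAUDITOR"}))     # never hold both
    m.dynamic_sod.add(frozenset({"OPERATOR", "MAINTENANCE"}))  # never active together
    m.assign("alice", "OPERATOR")
    m.assign("alice", "MAINTENANCE")
    m.assign("bob", "SECADM")
    return m


def run_checks() -> dict:
    """Exercise the model; returns the outcomes so they can be asserted on."""
    m = build_demo()
    out = {}
    s = m.open_session("alice", {"OPERATOR"})
    out["operator_write"] = m.check(s, "write", "breaker_Q1")
    out["operator_config"] = m.check(s, "write", "breaker_Q1_config")
    try:
        m.open_session("alice", {"OPERATOR", "MAINTENANCE"})
        out["dynamic_sod_blocked"] = False
    except PermissionError:
        out["dynamic_sod_blocked"] = True
    try:
        m.assign("bob", "SECAUDITOR")
        out["static_sod_blocked"] = False
    except ValueError:
        out["static_sod_blocked"] = True
    # four base roles, three areas of responsibility, two shifts
    out["roles_after_restriction"] = roles_needed(4, 3, 2)
    return out


if __name__ == "__main__":
    print(run_checks())
```

The `check` method is the point of the slide: once the session is open, the only thing a decision can depend on is the role list, so every additional restriction (area, shift, plant mode) has to be baked into a new role name and a new subject mapping.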

Page 9

2. Industrial ABAC R&D Context

Impact of Industrie 4.0

Use of OPC UA

Access Control, Correlations and Forensic Readiness

Heterogeneous Access Control Approaches

Page 10

ABAC R&D: Impact of Industry 4.0 (Standardization Roadmap V4)

Multiple access control schemes from
▪ Machine suppliers
▪ Engineering tool providers
▪ Service providers
▪ Logistics providers
▪ Maintenance service providers

Page 11

Access Control, Industry Support: Use of OPC UA in Industry

OPC Unified Architecture
▪ Main communications protocol of I4.0
▪ Standardized by IEC 62541-x
▪ External industrial-grade OPC UA software libraries available
  ✓ e.g. for server or client
  ✓ like MatrikonOPC (used via an OPC UA server license in the SIPLUG monitoring equipment of Framatome GmbH)
▪ Allows savings of up to 90%
  ✓ if clients already have OPC UA support
▪ No ABAC-grade access control yet

Figure: monitoring equipment, e.g. SIPLUG with newest Industry 4.0 interoperability (OPC Unified Architecture)

Page 12

Access Control Requirements: Tamper-proof Logging

Secure handling of heavy doors & gates
▪ Independent networks and digital devices for actuation and monitoring of heavy doors & gates controlled by automation and pneumatic equipment
▪ Read-only access via monitoring networks
▪ Tamper-proof logging to local storage
▪ Full tracking, and correlation with other controls, for forensic readiness and for SIEM

Figure: Local Storage; Tamper-proof Logging; Actuation; Monitoring
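An added Python example for the two requirements on this slide; it is not part of the presentation and not the Framatome equipment's logging. It shows a tamper-evident log whose records are chained through an HMAC over the previous record's MAC, so that a modified, removed or reordered record fails verification, and a correlation check between the read-only monitoring network and the actuation network: a door reported open with no preceding authorized open command is returned as a finding for the SIEM. The door identifiers, timestamps, field names, the 5-second correlation window and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; see the note after the block on where a
# deployed logger has to keep it.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS = "0" * 64


def _digest(entry: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict, key: bytes = LOG_KEY) -> dict:
    """Append one record, binding it to its predecessor through the previous MAC."""
    entry = {
        "seq": len(chain),
        "prev": chain[-1]["mac"] if chain else GENESIS,
        "record": record,
    }
    entry["mac"] = _digest(entry, key)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = LOG_KEY):
    """Return (ok, index): ok is False at the first entry whose sequence number,
    back-link or MAC does not check out; index is len(chain) when all verify."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_digest(entry, key), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, len(chain)


def correlate_doors(actuation: list, monitoring: list, window: int = 5) -> list:
    """Every 'opened' event seen on the read-only monitoring network must be
    preceded, within `window` seconds, by an 'open_cmd' for the same door on
    the actuation network. Returns the unexplained openings."""
    commands = [r for r in actuation if r["event"] == "open_cmd"]
    unexplained = []
    for obs in monitoring:
        if obs["event"] != "opened":
            continue
        explained = any(c["door"] == obs["door"] and 0 <= obs["t"] - c["t"] <= window
                        for c in commands)
        if not explained:
            unexplained.append(obs)
    return unexplained


def build_sample_logs():
    """Constructed sample events (not captured from any plant)."""
    actuation = []
    for rec in ({"t": 100, "door": "D7", "event": "open_cmd", "subject": "alice"},
                {"t": 180, "door": "D7", "event": "close_cmd", "subject": "alice"}):
        append_record(actuation, rec)
    monitoring = []
    for rec in ({"t": 103, "door": "D7", "event": "opened"},
                {"t": 182, "door": "D7", "event": "closed"},
                {"t": 250, "door": "D9", "event": "opened"}):
        append_record(monitoring, rec)
    return actuation, monitoring


def unexplained_openings(actuation: list, monitoring: list) -> list:
    """Correlate only logs whose chains verify; a broken chain is itself a finding."""
    for chain in (actuation, monitoring):
        ok, _ = verify_chain(chain)
        if not ok:
            raise ValueError("log chain failed verification")
    return correlate_doors([e["record"] for e in actuation],
                           [e["record"] for e in monitoring])


if __name__ == "__main__":
    act, mon = build_sample_logs()
    print(verify_chain(act), verify_chain(mon))
    print(unexplained_openings(act, mon))
    mon[1]["record"]["door"] = "D8"      # simulated tampering with a stored record
    print(verify_chain(mon))
```

A key held by the logger makes the chain tamper-evident against anyone who does not hold that key, which covers the read-only monitoring network but not an attacker who owns the logging device itself. For that case the key has to sit in hardware-protected storage, or the current chain head has to be anchored periodically with a remote witness (the SIEM is a natural one), so that truncation or rewriting of the local store is detectable.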

Page 13

SCADA-specific Controls: OPANASec

Supervisory control and data acquisition (SCADA)
▪ Complementary security controls
  ➢ making use of specifics of the HW and FW of embedded systems
  ➢ e.g. OPANASec, based on Function Block level mechanisms
▪ To be considered together with industrial ABAC solutions

Figure: OPANASec protection for SCADA

Note: OPANASec trademark registration and patents pending

Page 14

3. Lab & Prototypes

Framatome GmbH

Covalion (separate presentation)

Page 15

ABAC R&D, Objective: Similar tests as in LNI4.0

In a general context … Labs Network I4.0 (LNI)
▪ Practical tests
▪ Test scenarios
▪ Validated results for standardization

Page 16

ABAC R&D: Electrical Power Systems (EPS) Example

Full OPC UA interoperability requires
▪ New Siemens TIA Portal SW (V15.1 or newer)
▪ Windows 10 clients
▪ Linux clients (to do)

Figure: Electrical circuit diagram of FWP

Page 17

ABAC R&D: Complete OPC UA Interconnectivity

Figures: Electrical Power System of Virtualized Plant; Left Side of Test Lab; Top View of Left Side of Test Lab; S7-1500 Equipment in Test Lab; SIPROTEC Equipment in Test Lab

Page 18

4. Scalable ABAC Architecture for IACS

Complete Enterprise Framework

Transition Phase

Page 19

ABAC R&D: Enterprise ABAC Scenario Example

Complete enterprise-grade framework (NIST SP 800-162 ABAC)
▪ Asset Management
▪ Identity Management
▪ Policy Information Point (PIP)
▪ Policy Decision Point (PDP)
▪ Policy Enforcement Point (PEP)
▪ Policy Administration Point (PAP)
▪ Environment Conditions
▪ Logging
▪ Auditability
▪ Repositories
  ➢ Policies
  ➢ Attributes
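The NIST SP 800-162 components listed above, wired together as an added Python example. This is illustrative code for this page, not the Framatome prototype and not the project's policy; the attribute names, plant areas, shift boundaries, sample subjects and objects and the three rules are assumptions. It shows three things the slide's list only names: the area-of-responsibility and shift restriction that costs one role per combination under RBAC is a single rule over subject, object and environment attributes; the PDP uses deny-overrides, so a restriction on safety-class data points cannot be reopened by a later permit rule; and the PEP records every decision with the environment it was taken in, which is what auditability needs.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                        # "permit" or "deny"
    applies: Callable[[dict, dict, str, dict], bool]   # (subject, object, action, env)


class PAP:
    """Policy Administration Point: the policy repository."""
    def __init__(self):
        self.rules = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)


class PIP:
    """Policy Information Point: subject and object attribute repositories plus
    the environment conditions evaluated at request time."""
    def __init__(self, subjects: dict, objects: dict):
        self.subjects, self.objects = subjects, objects

    def subject(self, sid: str) -> dict:
        return self.subjects[sid]

    def object(self, oid: str) -> dict:
        return self.objects[oid]

    @staticmethod
    def environment(now: datetime, plant_mode: str) -> dict:
        # Assumed shift boundaries for the example: day shift 06:00-18:00, else night.
        shift = "day" if 6 <= now.hour < 18 else "night"
        return {"time": now.isoformat(), "shift": shift, "plant_mode": plant_mode}


class PDP:
    """Policy Decision Point with deny-overrides combining: a matching deny rule
    wins, otherwise a matching permit rule permits, otherwise default deny."""
    def __init__(self, pap: PAP):
        self.pap = pap

    def decide(self, subj: dict, obj: dict, action: str, env: dict):
        matched = [r for r in self.pap.rules if r.applies(subj, obj, action, env)]
        denies = [r.name for r in matched if r.effect == "deny"]
        if denies:
            return "deny", denies
        permits = [r.name for r in matched if r.effect == "permit"]
        if permits:
            return "permit", permits
        return "deny", ["default-deny"]


class PEP:
    """Policy Enforcement Point: collects attributes from the PIP, asks the PDP,
    records the decision for auditability, then enforces it."""
    def __init__(self, pdp: PDP, pip: PIP):
        self.pdp, self.pip, self.audit = pdp, pip, []

    def request(self, sid: str, action: str, oid: str, now: datetime, plant_mode: str) -> bool:
        subj, obj = self.pip.subject(sid), self.pip.object(oid)
        env = self.pip.environment(now, plant_mode)
        decision, rules = self.pdp.decide(subj, obj, action, env)
        self.audit.append({"subject": sid, "action": action, "object": oid,
                           "env": env, "decision": decision, "rules": rules})
        return decision == "permit"


def build_pep() -> PEP:
    """Constructed attributes and rules for the example (assumed, not the project's)."""
    pap = PAP()
    # One rule over subject, object and environment attributes covers what RBAC
    # would need one role per (area, shift) combination to express.
    pap.add(Rule("operate-own-area-on-shift", "permit",
                 lambda s, o, a, e: s["role"] == "OPERATOR" and a == "write"
                 and o["area"] in s["aor"] and e["shift"] == s["shift"]))
    pap.add(Rule("read-own-area", "permit",
                 lambda s, o, a, e: a == "read" and o["area"] in s["aor"]))
    pap.add(Rule("no-safety-writes-outside-maintenance", "deny",
                 lambda s, o, a, e: a == "write" and o["safety_class"] == "safety"
                 and e["plant_mode"] != "maintenance"))
    subjects = {"alice": {"role": "OPERATOR", "aor": {"EPS-A"}, "shift": "day"},
                "bob":   {"role": "VIEWER",   "aor": {"EPS-B"}, "shift": "night"}}
    objects = {"breaker_Q1":     {"area": "EPS-A", "safety_class": "non-safety"},
               "trip_signal_S3": {"area": "EPS-A", "safety_class": "safety"},
               "transformer_T2": {"area": "EPS-B", "safety_class": "non-safety"}}
    return PEP(PDP(pap), PIP(subjects, objects))


def run_scenario():
    """Six requests; returns (decisions, audit trail) so both can be checked."""
    pep = build_pep()
    day, night = datetime(2020, 9, 10, 10, 0), datetime(2020, 9, 10, 22, 0)
    decisions = [
        pep.request("alice", "write", "breaker_Q1", day, "normal"),           # permit: own area, on shift
        pep.request("alice", "write", "breaker_Q1", night, "normal"),         # deny: off shift
        pep.request("alice", "write", "trip_signal_S3", day, "normal"),       # deny: deny-overrides
        pep.request("alice", "write", "trip_signal_S3", day, "maintenance"),  # permit: maintenance mode
        pep.request("bob", "read", "breaker_Q1", night, "normal"),            # deny: outside AoR
        pep.request("bob", "read", "transformer_T2", night, "normal"),        # permit: own area
    ]
    return decisions, pep.audit
```

Two design choices matter for IACS use. The environment attributes come from the PIP, not from the requester, so a subject cannot claim to be on shift or assert maintenance mode; and deny-overrides is the conservative combining rule for safety-related points, since a permit rule added later through the PAP cannot reopen a write path that a deny rule closes.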

Page 20

ABAC R&D: Integration with Virtualized Plant Solutions

(1) Transition from Modbus TCP/IP (directly or via e.g. Softing GW)
(2) Access to all data points modelled in OPC UA
(3) Scalable ABAC solution

Figure (high-level block diagrams): Plant processes → Controllers → OPC UA & Modbus TCP/IP interfaces (transition phase) → HMI data point (OPC data source); I/O tags from Matlab to OPC server

Page 21

5. Ongoing PhD Candidate Topics

PhD Candidates

Master/Bachelor Students

Page 22

ABAC R&D: PhD Candidate Topics

Framatome part of the R&D started effectively in 2019
▪ Official project start 2018-10
▪ 2 PhD candidate positions
▪ Effectively 1-3 PhD candidates, but not continuously

University of Siegen partner taking the lead
▪ Based on preliminary work on ABAC at the university
▪ Direct involvement in IEC TC 57 WG10
▪ IEC 61850 standard extension planned as baseline

Page 23

ABAC R&D: PhD Candidate Topics

Key topics on the industry side
▪ OPC UA solution based on preceding work of the partner
▪ OPC UA solution based on an open-source OPC UA library extension
▪ Evaluation of several commercial and open-source products
▪ Synergy with the DECENT R&D project on Decentralized Energy Storage
▪ OPC UA use in heterogeneous environments
  ➢ Embedded devices (including Raspberry Pi 4 for tests)
  ➢ Linux workstations
▪ User interface for ABAC management tasks
  ➢ Integrated with process-control-level feedback
  ➢ Graphical editing of security policies
  ➢ Support of auditability-related checks
  ➢ Multi-user synchronization

Page 24

6. Summary and Outlook

R&D Completion on Industry Side

Industry Grade Prototype

Dissemination and Deployment of R&D Results

Page 25

Access Control: Ongoing ABAC R&D at Industry Side

Summary of ongoing R&D activities (until March 31st, 2021):
▪ OPC UA server implementation on an embedded device
▪ OPC UA server and client implementations with mixed criticality
  ➢ presentation of Asmaa Tellabi
  ➢ including results from the Master's thesis of Peter Ludgers
▪ Industry-side performance measurements
▪ Further use cases (e.g. subscriber model) with open62541
▪ Use cases with gradually more complex data structures
  ➢ modelled within OPC UA
  ➢ containing safety-related data, e.g. signal value and signal status
▪ Extensible web-based user interface
  ➢ using Vue3, implemented in TypeScript (starting in October 2020)
▪ Outline for OPC UA standard extension recommendations (IEC 62541)

Page 26

Access Control: Dissemination of ABAC R&D Results

Past dissemination activities:
▪ Booth at eWorld 2019 (only partner)
▪ Booth at eWorld 2020 (by partner, with Framatome PhD candidates)
▪ 16th IEEE International Conference on Industrial Informatics (INDIN 2018), Porto
▪ At IACS/GI Workshop in Kassel, Sept. 2019, and (virtual) Sept. 2020
▪ At IAEA CRP J02008 related technical meetings
  ➢ participants from 13 countries
  ➢ gradual transition to use of OPC UA
▪ At DECENT R&D project meeting (10 partner institutes)
▪ At 3-day cybersecurity training in Shenzhen in 2019 (50 attendees)
▪ At inter-regional corporate exchange meetings on cybersecurity
▪ At internal world-wide corporate R&D exchange activities

Page 27

Access Control: Deployment of ABAC R&D Results

Initial deployment activities:
▪ Preparation of a first potential offer (Smart Grid related)
▪ Contact with further interested industrial cybersecurity decision makers
▪ In-depth introductions for internal experts and sales staff

Planned deployment activities:
▪ Refinement of requirements for future IACS security hardware that will also be suitable for an ABAC gateway and firewall implementation
▪ Refinement of user interface requirements in line with corporate guidelines
▪ Preparation for positioning ABAC as a product in the cybersecurity products and services portfolio

Page 28

Any reproduction, alteration, transmission to any third party or publication in whole or in part of this document and/or its content is prohibited unless Framatome has provided its prior and written consent. This document and any information it contains shall not be used for any other purpose than the one for which they were provided. Legal action may be taken against any infringer and/or any person breaching the aforementioned obligations.

Page 29

Thank you