Center for Wireless Innovation Norway cwin.no CWI Norway ISO 15926 and Semantic Technologies Sogndal, 5.-6.Sep2013 Attribute based access to industrial life-cycle data, the semantic dimension Josef Noll , Martin Follestad, Zahid Iqbal fredag 6. september 13
35
Embed
Semantic technologies for attribute based access: measurable security for the Internet of People, Things and Services
This presentation provides an intro into the need for "measurable security" when envisioning an Internet for each of us ("People"), powered by sensors and devices ("Things"), and providing Services tailored to your needs. It handles the challenge of information security, postulating that different applications need different security mechanisms: "To inform somebody about a train arrival time" requires less security than "controlling an industrial plant by automated processes, based on input from sensors".
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Center for Wireless Innovation Norway
cwin.no
CWINorway ISO 15926 and Semantic Technologies
Sogndal, 5.-6.Sep2013
Attribute based access to industrial life-cycle data, the semantic
Sep 2013, Josef NollSecurity in Industrial LifeCycle
newSHIELD.eu approach
l Security, here– security (S)– privacy (P)– dependability (D)
l across the value chain– from sensors to
servicesl measurable security
15
IntelligenceOverlay
Sensors, Embedded Systems
Network
Cloud services
Is made byCould be
can be composed
System Components and functionalities
SPD Components, SPD functionalities
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Limitations of the traditional approach
l Scalability– Threats– System– Vulnerability
l System of Systems– sensors– gateway– middleware– business processes
16
Vulnerability
Threat
Asset/System
Securityattribute
Control
OrganisationControltype
Severityscale
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Limitations of the traditional approach
l Scalability– Threats– System– Vulnerability
l System of Systems– sensors– gateway– middleware– business processes
16
Vulnerability
Threat
Asset/System
Securityattribute
Control
OrganisationControltype
Severityscale
Recommendation:
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Limitations of the traditional approach
l Scalability– Threats– System– Vulnerability
l System of Systems– sensors– gateway– middleware– business processes
16
Vulnerability
Threat
Asset/System
Securityattribute
Control
OrganisationControltype
Severityscale
One ontology per aspect:- security- system- threats...
Recommendation:
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Security description
17
Securityattributes
availability
confidentiality
integrity
safety
reliability
maintainability
Systemcomponents
memory
sensor
network connection
... ...
Security functionality
authentication
identity
encryptionerror
control ...
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Security description
17
Securityattributes
availability
confidentiality
integrity
safety
reliability
maintainability
Systemcomponents
memory
sensor
network connection
... ...
Security functionality
authentication
identity
encryptionerror
control ...
Recommendation: One ontology per aspectfredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Goal description
l Specific parameters for each application?– availability = 0.8– confidentiality = 0.7– reliability = 0.5– ...
l more specificl easier to understand(?)
18
l Common approach?– SPD = level 4
l universal approach– code “red”
l based on application specific goal, e.g. high reliability
this way? that way?
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Goal description
l Specific parameters for each application?– availability = 0.8– confidentiality = 0.7– reliability = 0.5– ...
l more specificl easier to understand(?)
18
l Common approach?– SPD = level 4
l universal approach– code “red”
l based on application specific goal, e.g. high reliability
this way? that way?
Open Issue - way on how to describe the security goalfredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Base of knowledge
Threat description through Metrics
Factors to be considered
•Elapsed Time•Expertise•Knowledge of functionality
•Window of opportunity•Equipmentwith
Essential to build
Factor Value
Elapsed Time
<= one day 0
<= one week 1
<= one month 4
<= two months 7
<= three months 10
<= four months 13
<= five months 15
<= six months 17
> six months 19
Expertise
Layman 0
Proficient 3*(1)
Expert 6
Multiple experts 8
Knowledge of functionality
Public 0
Restricted 3
Sensitive 7
Critical 11
Window of
Unnecessary / unlimited access
0
Easy 1
Moderate 4
Difficult 10
Unfeasible 25**(2)
Equipment
Standard 0
Specialised 4(3)
Bespoke 7
Multiple bespoke 9
where
19
System Functionality
SPD system
Attack scenariosSPDlevel
SPD attributes
SPD threats
Calculated attack potential
Minimum attack potential value to exploit a vulnerability
= SPD value
SPD = security, privacy, dependability
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
From security assessment to Attribute-based access
l Security assessment of the Internet of Things– Apply SHIELD methodology for SecPrivDep (SPD)– Describe functionalities in terms of security (ontologies)– Assess threats through Metrics– achieve a mean for SPD
l Access to information– who, – what kind of information – from where
l Attribute-based access– role (in project, company)– device, network– security tokens
20fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Semantic attribute based (S-ABAC)
l Access to information– Sensor, Person, Service
l Attributes– roles– type of access– device– reputation– behaviour– ...
21
Oil and Gasknowledge
drilling
production
transport
market request
price calculation
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Semantic attribute based (S-ABAC)
l Access to information– Sensor, Person, Service
l Attributes– roles– type of access– device– reputation– behaviour– ...
21
Oil and Gasknowledge
drilling
production
transport
market request
price calculation
finance
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Semantic attribute based (S-ABAC)
l Access to information– Sensor, Person, Service
l Attributes– roles– type of access– device– reputation– behaviour– ...
21
Oil and Gasknowledge
drilling
production
transport
market request
price calculation
financeproduction
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Bringing attributes to IoPTS
22
connection
monitoring
security
control
Abstraction and Virtualization
l Ontology-representation of accessl needs: “SPD access = 0.7”l based on attributes
fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
Example - Smart Energy Gridl who has control to what?
23fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle
ODATA - based ABACl ODATA,
– released Feb2009– Entity Data Model (EDM)– Common Schema Definition
Language (CSDL)– Entity Framework to infer the
conceptual model– Query language LINQ– is a query language
l Used by: StackOverflow, eBay, TechEd, Netflix,...
l Microsoft’s approach for interworking
24fredag 6. september 13
Sep 2013, Josef NollSecurity in Industrial LifeCycle