Computer Science ›› 2021, Vol. 48 ›› Issue (9): 306-316. doi: 10.11896/jsjkx.210300235

• Information Security •

Blockchain-based Role-Delegation Access Control for Industrial Control Systems

GUO Xian (郭显), WANG Yu-yue (王雨悦), FENG Tao (冯涛), CAO Lai-cheng (曹来成), JIANG Yong-bo (蒋泳波), ZHANG Di (张迪)

  1. School of Computer and Communication, Lanzhou University of Technology, Lanzhou 730050, China
  • Received: 2021-03-23  Revised: 2021-06-24  Online: 2021-09-15  Published: 2021-09-10
  • Corresponding author: GUO Xian (iamxg@163.com)
  • About author: GUO Xian, born in 1971, associate professor, is a senior member of the China Computer Federation. His main research interests include network and information security, blockchain, and the design and analysis of security protocols.
  • Supported by:
    National Natural Science Foundation of China (61461027) and Natural Science Foundation of Gansu Province (20JR5RA467).

Abstract: The convergence of IT and OT has blurred the concept of a "network perimeter" in industrial control systems (ICS), so fine-grained access control policies that protect every network connection are the foundation of industrial enterprise network security. Role-delegation-based access control lets a user in one domain delegate access rights to network resources to a user in another domain or to a business partner, which is convenient for employees and partners who need remote access to enterprise network resources. However, this convenience may enlarge the attack surface of the industrial control system. The inherent decentralization, tamper resistance and auditability of blockchain make it a suitable infrastructure for managing role-delegation-based access control, so this paper proposes a blockchain-based Delegatable Role-Based Access Control scheme (DRBAC). DRBAC comprises several key components: user role management and delegation, access control, and a monitoring mechanism, and it is implemented with smart contracts. Its goal is to ensure that every network connection is protected by a fine-grained access control policy. Finally, the correctness, feasibility and overhead of DRBAC are tested and analyzed on a local private blockchain network.

Key words: Access control, Industrial control system, Role delegation, Blockchain, Smart contract
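The components named in the abstract (user role management and delegation, access control, and monitoring) can be made concrete with a small model of the authorization state a DRBAC-style contract would hold. The following is an added example written for this page, not the authors' implementation. It assumes, as is standard in role-based delegation models, that a delegation carries an expiry and a bounded re-delegation depth, that a delegatee's grant can neither outlive nor exceed the delegator's own, and that revocation cascades down the chain; the role names, identities and block heights are constructed. It is written in Python rather than Solidity so the semantics can be exercised offline; the `audit` list stands in for the events a contract would emit, and `_require` plays the part of Solidity's `require()`.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Delegation:
    """One delegated role grant, as an on-chain contract would store it."""
    role: str
    delegator: str
    delegatee: str
    expires_at: int   # last block height at which the grant is valid (assumed semantics)
    depth_left: int   # further re-delegation hops the delegatee may still make


class DRBAC:
    """Hypothetical delegatable-RBAC state machine modelling the contract logic."""

    def __init__(self, admin: str) -> None:
        self.admin = admin
        self.role_perms: Dict[str, Set[str]] = {}     # role -> permissions
        self.max_depth: Dict[str, int] = {}           # role -> max delegation chain length
        self.direct: Dict[str, Set[str]] = {}         # user -> roles assigned by admin
        self.delegations: List[Delegation] = []
        self.audit: List[Tuple] = []                  # stands in for emitted events

    @staticmethod
    def _require(cond: bool, msg: str) -> None:
        if not cond:                                  # mirrors Solidity's require(): revert
            raise PermissionError(msg)

    def _log(self, *event) -> None:
        self.audit.append(event)

    # ---- user role management (admin only) ----
    def define_role(self, caller: str, role: str, perms: Set[str], max_depth: int) -> None:
        self._require(caller == self.admin, "admin only")
        self.role_perms[role] = set(perms)
        self.max_depth[role] = max_depth
        self._log("RoleDefined", role, tuple(sorted(perms)), max_depth)

    def assign(self, caller: str, user: str, role: str) -> None:
        self._require(caller == self.admin, "admin only")
        self._require(role in self.role_perms, "unknown role")
        self.direct.setdefault(user, set()).add(role)
        self._log("RoleAssigned", user, role)

    # ---- delegation ----
    def _active(self, user: str, role: str, now: int) -> List[Delegation]:
        return [d for d in self.delegations
                if d.delegatee == user and d.role == role and now <= d.expires_at]

    def has_role(self, user: str, role: str, now: int) -> bool:
        return role in self.direct.get(user, set()) or bool(self._active(user, role, now))

    def _grant_bounds(self, user: str, role: str, now: int) -> Tuple[int, int]:
        """(depth, expiry) the user may pass on: direct holders get the role's maximum,
        delegated holders inherit the most permissive of their own active grants."""
        if role in self.direct.get(user, set()):
            return self.max_depth[role], 2**63 - 1
        active = self._active(user, role, now)
        if not active:
            return 0, 0
        return max(d.depth_left for d in active), max(d.expires_at for d in active)

    def delegate(self, caller: str, delegatee: str, role: str, now: int, ttl: int) -> Delegation:
        self._require(self.has_role(caller, role, now), "caller does not hold role")
        depth, expiry_cap = self._grant_bounds(caller, role, now)
        self._require(depth > 0, "delegation depth exhausted")
        self._require(ttl > 0, "ttl must be positive")
        d = Delegation(role, caller, delegatee, min(now + ttl, expiry_cap), depth - 1)
        self.delegations.append(d)
        self._log("Delegated", caller, delegatee, role, d.expires_at, d.depth_left)
        return d

    def revoke(self, caller: str, delegatee: str, role: str, now: int) -> int:
        """Revoke grants caller made to delegatee (admin may revoke any); cascade
        down the chain whenever a delegatee loses its last source of the role."""
        victims = [d for d in self.delegations if d.role == role and d.delegatee == delegatee
                   and (d.delegator == caller or caller == self.admin)]
        self._require(bool(victims), "no such delegation")
        removed = 0
        for d in victims:
            self.delegations.remove(d)
            removed += 1
            self._log("Revoked", d.delegator, d.delegatee, role)
        if not self.has_role(delegatee, role, now):
            for d in [x for x in self.delegations if x.role == role and x.delegator == delegatee]:
                if d in self.delegations:             # may already be gone via a deeper cascade
                    removed += self.revoke(delegatee, d.delegatee, role, now)
        return removed

    # ---- access control with monitoring: every decision is logged ----
    def check_access(self, user: str, perm: str, now: int) -> bool:
        allowed = any(perm in ps and self.has_role(user, r, now) for r, ps in self.role_perms.items())
        self._log("AccessChecked", user, perm, now, allowed)
        return allowed


def demo() -> dict:
    """Constructed scenario: an operator delegates PLC maintenance rights to a vendor
    engineer, who re-delegates to a contractor; the operator later revokes."""
    c = DRBAC(admin="plant_admin")
    c.define_role("plant_admin", "plc_maintainer", {"plc:read", "plc:write"}, max_depth=2)
    c.assign("plant_admin", "operator_alice", "plc_maintainer")
    c.delegate("operator_alice", "vendor_bob", "plc_maintainer", now=100, ttl=50)     # valid to 150
    c.delegate("vendor_bob", "contractor_carol", "plc_maintainer", now=110, ttl=50)   # capped at 150
    out = {"carol_before": c.check_access("contractor_carol", "plc:write", now=120),
           "carol_expired": c.check_access("contractor_carol", "plc:write", now=155)}
    try:                                   # chain length 2 is used up: carol may not re-delegate
        c.delegate("contractor_carol", "dave", "plc_maintainer", now=120, ttl=10)
        out["depth_exhausted"] = False
    except PermissionError:
        out["depth_exhausted"] = True
    out["revoked"] = c.revoke("operator_alice", "vendor_bob", "plc_maintainer", now=120)
    out["carol_after"] = c.check_access("contractor_carol", "plc:write", now=120)
    out["alice_still"] = c.check_access("operator_alice", "plc:write", now=120)
    out["audit_events"] = len(c.audit)
    return out
```

Running `demo()` walks the scenario: the contractor's delegated access works at height 120 and is gone at 155, because the vendor's own grant expired at 150 and a delegatee's grant is capped at its delegator's expiry; a third hop is refused because the role permits a chain of at most two delegations; revoking the vendor removes both the vendor's and the contractor's grants in one call; and every grant, revocation and access decision leaves an audit entry, which is the property the abstract's monitoring component relies on.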

CLC number: TP393