Access Control Challenges for Cyber-Physical Systems

Indrakshi Ray and Indrajit Ray

Computer Science Department

Colorado State University

Fort Collins, CO 80523-1873

{iray,indrajit}@cs.colostate.edu

Abstract

With the growth of wireless networks and mobile devices, we are moving closer towards an era of cyber-physical systems (CPSs). Such systems have the potential to benefit numerous applications in areas as diverse as military, financial, and health care. However, security issues must be addressed before CPSs can be widely deployed. The problem is serious because CPSs involve interactions between a large number of entities that can span different organizational boundaries. Unlike traditional applications, these applications do not usually have well-defined security perimeters and are dynamic in nature. Moreover, these applications use knowledge of surrounding physical spaces. This requires security policies to use contextual information that, in turn, must be adequately protected from security breaches. Uncontrolled disclosure of information or unconstrained interactions among entities can lead to very serious consequences. Traditional access control policies and mechanisms rarely address these issues and are thus inadequate for CPSs. New models and mechanisms are needed to protect such applications.

1. Motivation

With the growth of pervasive computing technologies, cyber-physical systems (CPSs) are becoming a reality. Such systems often use numerous, casually accessible, often invisible computing and sensor devices, that are frequently mobile or embedded in the environment and that are interconnected to each other with wireless or wired technology. This allows CPSs to provide services and functionalities that use the knowledge of surrounding physical spaces. However, the very knowledge that allows CPSs to provide enhanced functionality can be exploited to cause security and privacy breaches. One must therefore ensure that the sensitive resources are adequately protected from unauthorized access. Addressing this problem involves understanding what resources an entity has access to, which entities it should interact with, what information can be released to an entity, how to protect the information used or produced by an entity, which entities can be trusted and to what extent, and how these trust relationships change over time.

Consider a potential use of such technology: real-time health care for patients in assisted living. A cardiac patient lives independently in a smart home equipped with sensors and wireless controllers. The patient's movements are tracked by sensors and wireless controllers send this information to a monitoring service that oversees the patient's condition and initiates appropriate action, such as alerting emergency services. To operate, the monitoring service needs access to the patient's medical history maintained by a health care provider. In an emergency, these records must be shared with the admitting hospital which will perform examinations, such as X-rays and ECGs. The hospital may have to consult experts unfamiliar with the patient or search for similar reports to interpret the patient's case. Security and privacy are major concerns for such applications. Preventing data transmission to the monitoring service or sending false data may be fatal. Sending too many false alarms can cripple emergency services. Disclosing the patient's health data to prospective employers may cause financial hardship and disclosing the data to unapproved doctors causes a breach of privacy. Comparing a patient's report to unauthentic reports of other patients may result in incorrect diagnosis. These severe consequences motivate the need to consider security issues when designing secure cyber-physical systems.

Cyber-physical systems are different from conventional information processing systems in that they involve interactions between the cyber world and the physical world. Thus, securing such systems involves physical security, information systems security and, most importantly, securing the interaction between the physical world and the cyber world. Security policies and mechanisms developed for traditional applications are inadequate for cyber-physical applications for several reasons. First, these applications are complex and do not have a well-defined security perimeter – the entities that a system will interact with or the resources that will be accessed are not always known in advance. This makes almost all traditional access control models unsuitable for cyber-physical systems since they base the access decisions on the successful authentication of predefined users. Second, these applications are extremely dynamic in nature – the accessing entities may change, resources requiring protection may be created or modified, and an entity's access to resources may change while such systems are deployed. Protecting resources during application execution remains challenging. In fact, what constitutes secure operation in a dynamic environment is not yet known. Third, they use the knowledge of surrounding physical spaces to provide services. This requires security policies to use contextual information. For instance, access to a resource may be contingent upon environmental contexts, such as the location of the user and time of day. This contextual information can be used to infer the activities of the user and cause a privacy breach. Contextual information must, therefore, be protected by access control policies. Fourth, pervasive applications integrate the physical world with the cyber world. Thus, the effects of physical security must also be considered when designing access control policies. For example, if a change in environmental conditions causes the access control configuration to change, one must ensure that the sensors monitoring the environment are adequately protected. Fifth, applications in cyber-physical systems may need to interact, cooperate and share resources to accomplish a given mission. Secure interoperation in a dynamic environment is still an open problem. Last, but not least, cyber-physical systems often involve devices with various computation and communication capabilities, some of which are severely resource constrained. This will influence the access control mechanisms that can be used for such systems.

Researchers are working on various issues that may be important for cyber-physical systems. Examples include the development of new access control models and technologies [10, 13, 14, 18, 34, 35, 37, 41], formalizing the notion of trust [1, 5, 11, 12, 20, 21, 23, 26, 30, 32, 33, 38, 39, 44, 45, 47, 48], and trust management and trust negotiation strategies [3, 6, 7, 31, 40, 4, 46, 50, 51]. Some researchers [2, 8, 15, 24] have addressed security, privacy and trust issues of pervasive computing environments and others [9, 16, 36, 49, 53] focussed on trust-based approaches for communication in sensor and ad hoc networks. Researchers have also addressed the issue of secure interoperation to some extent [17, 19, 25, 27, 28, 29, 43, 52]. However, authorization and access control, which is often the first line of defense against security breaches, has not been addressed adequately in cyber-physical systems. What is missing is an access control model for cyber-physical systems that integrates both the cyber and the physical components of such systems and allows events in the physical world to interact with and change the access control configuration. Secure operation must be defined for dynamic environments and the cyber-physical systems should adhere to them. What is also missing is a notion of secure interoperation for cyber-physical systems where different systems will interact in a dynamic environment to achieve a common mission. Access control policies should ensure that additional security breaches do not occur because of the interoperation of the various systems.

2. Directions for Future Research

Our preliminary research indicates that access control for cyber-physical systems depends on the following factors: (i) trustworthiness of entities, (ii) environmental context, and (iii) application context. Trustworthiness of entities plays an important role in access control. This is because cyber-physical systems have no well-defined security perimeters – interactions between entities may be unknown in advance. Moreover, since many entities in cyber-physical systems belong to the physical world, there is a need to integrate the effects of physical security into access control decisions in the cyber world. The overarching theme between the two types of access control – physical and cyber – is a notion of trust. The type of interaction an entity performs with another often depends on the trust relationship between the two. In traditional access control models, the notion of trust is implicit. That is, authenticated users are fully trusted and get all the associated permissions, whereas unauthenticated users are totally untrusted and get no permission. Treating trust as a binary concept – either an entity is trusted completely or not at all – severely constrains operation in cyber-physical systems. On the other hand, complete trust may not be achievable every time because an entity may have only incomplete knowledge of its counterpart. Entities will not interact with untrusted counterparts. This will often result in unavailability of systems and services. Note, however, in the physical world access decisions are frequently made on varying degrees of trust.

One research task, therefore, is to formulate an appropriate non-binary trust model suitable for a cyber-physical environment. The model must accommodate the notion of different degrees of trust, identify how to quantify and measure the trust value for the various devices and users in cyber-physical systems, and define how trust evolves in a dynamic setting. One such general trust model, proposed by Ray et al. [33], shows how trust can be represented using Jøsang's opinion model [22], describes the factors on which trust depends, and shows how to quantify the trust relationship. A lot of work, however, remains to be done before such a model can be adapted for cyber-physical applications. One area that needs further research is investigating how to compute trustworthiness of different types of entities (device, user and data) that exist in cyber-physical systems, possibly in the absence of complete information. A second area of research involves providing a formal basis that allows one to compare the different trust relationships that exist in cyber-physical systems. Since multiple entities are involved in a cyber-physical system, a third area of research needs to focus on how to compute group trust in a dynamic environment.

The next task is to identify what types of access control policies are suitable for cyber-physical systems. Although a lot of research appears in security policies, not much of this is directly applicable to cyber-physical systems. Traditional access control policies do not consider environmental contexts, such as location and time, when making access decisions. Traditional policies assume a very static configuration and the mechanisms enforcing these policies are relatively easy to implement. In cyber-physical systems, the access control requirements change when the system context is modified. Consequently, new notions of secure access control in the context of dynamic systems are needed. The security models developed for cyber-physical applications should conform to them. In short, the research task is to identify the types of policies needed in pervasive computing systems, propose models that formalize their syntax and semantics, and propose a notion of secure execution for dynamic applications.

Environmental contexts, such as location and time, play a crucial role in access decisions of cyber-physical systems. For example, a paramedic can make major medical decisions while accompanying the patient in an ambulance, but may not be allowed to do so once the patient is admitted. Thus, access control models must take into account environmental factors before making access decisions [34, 35, 42]. Application contexts, unlike environmental contexts, are very application specific. The application context depends on the data obtained from sensors and other devices. For example, in our example application, a patient may be hooked up to a system that continuously monitors his health. A sudden increase in the blood sugar level may trigger some action that gives an actuator permission to inject insulin to stabilize the condition. Each application context generates a specific configuration of the system. One must first define what access control protection means in a given application context, and also ensure that security breaches do not occur while the application context is being changed. For any given application context, the time and location of access together with the trustworthiness of the entities determine the access privileges of a user or a device. Note that, for a different application context, the privilege of this entity may change even if the other parameters (trustworthiness, location and time) remain the same. An access control model that captures all these requirements is needed for cyber-physical systems.
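The following sketch is an added illustration, not the authors' model or code from the paper: it shows one way a default-deny decision could combine a non-binary trust value, environmental context (location, time) and application context, using the paramedic and insulin-actuator scenarios above. The rule format, thresholds, context names and the use of the subjective-logic expectation b + a·u as the trust score are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Opinion:
    """Subjective-logic style opinion: belief + disbelief + uncertainty = 1."""
    belief: float
    disbelief: float
    uncertainty: float
    base_rate: float = 0.5  # assumed prior used to weigh the uncertain mass

    def __post_init__(self):
        if abs(self.belief + self.disbelief + self.uncertainty - 1.0) > 1e-9:
            raise ValueError("belief + disbelief + uncertainty must equal 1")

    def expectation(self) -> float:
        # Non-binary trust score: belief plus a share of the uncertainty.
        return self.belief + self.base_rate * self.uncertainty

@dataclass(frozen=True)
class Rule:
    app_context: str      # application context in which the rule is active
    permission: str
    locations: frozenset  # environmental context: where
    start: time           # environmental context: when
    end: time
    min_trust: float      # hypothetical threshold on Opinion.expectation()

@dataclass(frozen=True)
class Request:
    trust: Opinion
    permission: str
    location: str
    at: time
    app_context: str

def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; windows may wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

ALL_DAY = (time(0, 0), time(23, 59, 59))

# Constructed policy for the paper's two scenarios (values are illustrative).
POLICY = (
    Rule("emergency_transport", "major_medical_decision",
         frozenset({"ambulance"}), *ALL_DAY, min_trust=0.7),
    Rule("hyperglycemia", "inject_insulin",
         frozenset({"smart_home", "ambulance"}), *ALL_DAY, min_trust=0.9),
)

def decide(req: Request, policy=POLICY) -> bool:
    """Default deny: grant only if one rule matches on every dimension."""
    score = req.trust.expectation()
    for rule in policy:
        if (rule.app_context == req.app_context
                and rule.permission == req.permission
                and req.location in rule.locations
                and in_window(req.at, rule.start, rule.end)
                and score >= rule.min_trust):
            return True
    # An unknown or mid-transition application context matches no rule,
    # so the request fails closed.
    return False

if __name__ == "__main__":
    pump = Opinion(0.9, 0.0, 0.1)  # constructed trust opinion for the actuator
    for ctx in ("hyperglycemia", "normal"):
        req = Request(pump, "inject_insulin", "smart_home", time(3, 0), ctx)
        print(ctx, "->", "permit" if decide(req) else "deny")
```

The actuator's trust, location and time are identical in both requests; only the application context differs, which is the property the paragraph above asks an access control model to capture.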

Different cyber-physical systems may need to interact to achieve a common mission. For example, if the smart home is on fire, the cyber-physical system of the fire department must interact with that monitoring the patient's health to accomplish the rescue mission. Under normal circumstances, these applications operate in isolation. However, in case of the rescue mission, all these applications need to interact and share resources to accomplish the goal. The issue is how to formalize the notion of secure interoperation that takes into account such ad hoc interaction among individual applications. This will require identifying the threats that can occur because of the interactions and what types of policies are needed to protect against those types of breaches. Secure interoperation requires an application to operate under different sets of policies. On one hand, the application must deal with its own policies. On the other hand, it must deal with the mission's policies. Conflicts might occur because of the interaction of different policies. Research is needed to identify how to detect and resolve conflicts. Conflict resolution should be such that it allows the mission to be accomplished without causing any security breach. Moreover, the effect of the different policies on the application must be analyzed to ensure that its execution is safe and secure.

Acknowledgment

This work was partially supported by the U.S. AFOSR under contract FA9550-07-1-0042.

References

[1] A. Abdul-Rahman and S. Hailes. Supporting Trust in Virtual Communities. In Proceedings of the 33rd Annual Hawaii International Conference on System Sciences, Maui, Hawaii, January 2000.

[2] J. Al-Muhtadi, A. Ranganathan, R. Campbell, and M. D. Mickunas. Cerberus: A Context-Aware Security Scheme for Smart Spaces. In Proceedings of the IEEE International Conference on Pervasive Computing and Communications, Dallas-Fort Worth, TX, March 2003.

[3] E. Bertino, E. Ferrari, and A. Squicciarini. Trust-X: A Peer to Peer Framework for Trust Establishment. IEEE Transactions on Knowledge and Data Engineering, 16(7):827–842, July 2004.

[4] E. Bertino, E. Ferrari, and A. C. Squicciarini. Privacy Preserving Trust Negotiations. In Proceedings of the 4th International Workshop on Privacy Enhancing Technologies, Toronto, Canada, May 2004.

[5] T. Beth, M. Borcherding, and B. Klein. Valuation of Trust in Open Networks. In Proceedings of the 3rd European Symposium on Research in Computer Security, volume 875 of Lecture Notes in Computer Science, Brighton, UK, November 1994.

[6] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis. The Role of Trust Management in Distributed System. In J. Vitek and C. Jensen, editors, Secure Internet Programming: Security Issues for Mobile and Distributed Objects, Lecture Notes in Computer Science State-of-the-Art Survey. Springer-Verlag, 1999.

[7] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1996.

[8] R. Campbell, J. Al-Muhtadi, P. Naldurg, G. Sampemane, and M. D. Mickunas. Towards Security and Privacy for Active Spaces. In Proceedings of the Mext-NSF-JSPS International Symposium, Tokyo, Japan, November 2002.

[9] S. Chakraborty, N. Poolsappasit, and I. Ray. Reliable Delivery of Event Triggered Obligation Policies from Sensors to Actuators in Pervasive Computing Environments. In Proceedings of the 21st Annual IFIP TC-11 WG 11.3 Working Conference on Data and Applications Security, Redondo Beach, CA, July 2007.

[10] S. Chakraborty and I. Ray. TrustBAC: Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, June 2006.

[11] S. Chakraborty and I. Ray. p-Trust: A New Model of Trust to Allow Finer Control over Privacy in Peer-to-Peer Framework. Journal of Computers, 2(2), April 2007.

[12] M. Clifford, C. Lavine, and M. Bishop. The Solar Trust Model. In Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, AZ, December 1998.

[13] M. J. Covington, P. Fogla, Z. Zhan, and M. Ahamad. A Context-Aware Security Architecture for Emerging Applications. In Proceedings of the Annual Computer Security Applications Conference, Las Vegas, NV, December 2002.

[14] M. J. Covington, W. Long, S. Srinivasan, A. Dey, M. Ahamad, and G. Abowd. Securing Context-Aware Applications Using Environment Roles. In Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, Chantilly, VA, May 2001.

[15] C. English, P. Nixon, S. Terzis, A. McGettrick, and H. Lowe. Dynamic Trust Models for Ubiquitous Computing Environments. In Proceedings of the 4th International Conference on Ubiquitous Computing, Göteborg, Sweden, September 2002.

[16] S. Ganeriwal and M. Srivastava. Reputation-Based Framework for High Integrity Sensor Networks. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, October 2004.

[17] L. Gong and X. Qian. Computational Issues in Secure Interoperation. IEEE Transactions on Software Engineering, 22(1):43–52, January 1996.

[18] U. Hengartner and P. Steenkiste. Implementing Access Control to People Location Information. In Proceedings of the Symposium on Access Control Models and Technologies, Yorktown Heights, NY, June 2004.

[19] J. Jin and G. J. Ahn. Role-based Access Management for Ad-hoc Collaborative Sharing. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, pages 200–209, Lake Tahoe, CA, U.S.A., June 2006.

[20] A. J. I. Jones and B. S. Firozabadi. On the Characterization of a Trusting Agent – Aspects of a Formal Approach. In C. Castelfranchi and Y. Tan, editors, Trust and Deception in Virtual Societies. Kluwer Academic Publishers, 2000.

[21] C. M. Jonker and J. Treur. Formal Analysis of Models for the Dynamics of Trust Based on Experience. In Proceedings of the 9th European Workshop on Modelling Autonomous Agents in a Multi-Agent System Engineering, Berlin, July 1999.

[22] A. Jøsang. A Subjective Metric of Authentication. In Proceedings of the 5th European Symposium on Research in Computer Security, volume 1485 of Lecture Notes in Computer Science, Louvain-la-Neuve, Belgium, September 1998.

[23] A. Jøsang. An Algebra for Assessing Trust in Certification Chains. In Proceedings of the Network and Distributed Systems Security Symposium, San Diego, CA, February 1999.

[24] L. Kagal, T. Finin, and A. Joshi. Trust Based Security in a Pervasive Computing Environment. IEEE Computer, 34(12):154–157, December 2001.

[25] D. Keppler, V. Swarup, and S. Jajodia. Redirection Policies for Mission-based Information Sharing. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, U.S.A., June 2006.

[26] L. X. Li and L. Liu. A Reputation-Based Trust Model For Peer-To-Peer Ecommerce Communities. In Proceedings of IEEE Conference on E-Commerce, Newport Beach, CA, June 2003.

[27] D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. Policy Decomposition for Collaborative Access Control. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, U.S.A., June 2008.

[28] P. Mazzoleni, B. Crispo, S. Sivasubramanian, and E. Bertino. XACML Policy Integration Algorithms. ACM Transactions on Information and System Security, 11(1):1–29, February 2008.

[29] C. C. Pan, P. Mitra, and P. Liu. Semantic Access Control for Information Interoperation. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, U.S.A., June 2006.

[30] S. Purser. A Simple Graphical Tool For Modelling Trust. Computers & Security, 20(6):479–484, September 2001.

[31] I. Ray, E. Bertino, A. C. Squicciarini, and E. Ferrari. Anonymity Preserving Techniques in Trust Negotiations. In Proceedings of the Workshop on Privacy Enhancing Technologies, Dubrovnik, Croatia, May 2005.

[32] I. Ray and S. Chakraborty. A Vector Model of Trust for Developing Trustworthy Systems. In Proceedings of the 9th European Symposium on Research in Computer Security, Sophia Antipolis, France, September 2004.

[33] I. Ray, I. Ray, and S. Chakraborty. An Interoperable Context Sensitive Model of Trust. Journal of Intelligent Information Systems, 32(1):75–104, February 2009.

[34] I. Ray and M. Toahchoodee. A Spatio-Temporal Role-Based Access Control Model. In Proceedings of the 21st Annual IFIP TC-11 WG 11.3 Working Conference on Data and Applications Security, Redondo Beach, CA, July 2007.

[35] I. Ray and M. Toahchoodee. A Spatio-Temporal Access Control Model Supporting Delegation for Pervasive Computing Applications. In Proceedings of the 5th International Conference on Trust, Privacy and Security in Digital Business, Turin, Italy, September 2008.

[36] K. Ren, T. Li, Z. Wan, F. Bao, R. H. Deng, and K. Kim. Highly Reliable Trust Establishment Scheme in Ad Hoc Networks. Computer Networks, 45(6):687–699, August 2004.

[37] G. Sampemane, P. Naldurg, and R. H. Campbell. Access Control for Active Spaces. In Proceedings of the Annual Computer Security Applications Conference, Las Vegas, NV, December 2002.

[38] B. Shand, N. Dimmock, and J. Bacon. Trust for Ubiquitous, Transparent Collaboration. In Proceedings of the 1st IEEE International Conference on Pervasive Computing and Communications, Dallas – Ft. Worth, TX, March 2003.

[39] G. Simmons and C. Meadows. The Role of Trust in Information Integrity Protocols. Journal of Computer Security, 3(1):199–209, 1994.

[40] A. Squicciarini, E. Bertino, E. Ferrari, and I. Ray. Achieving Privacy in Trust Negotiations with an Ontology-Based Approach. IEEE Transactions on Dependable and Secure Computing, 3(1):13–30, January-March 2006.

[41] M. Toahchoodee and I. Ray. On the Formal Analysis of a Spatio-Temporal Role-Based Access Control Model. In Proceedings of the 22nd Annual IFIP TC-11 WG 11.3 Working Conference on Data and Applications Security, London, U.K., July 2008.

[42] M. Toahchoodee, I. Ray, K. Anastasakis, G. Georg, and B. Bordbar. Ensuring Spatio-Temporal Access Control for Real-World Applications. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, Stresa, Italy, June 2009.

[43] J. Warner, V. Atluri, R. Mukkamala, and J. Vaidya. Using Semantics for Automatic Enforcement of Access Control Policies among Dynamic Coalitions. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, June 2007.

[44] W. H. Winsborough and N. Li. Protecting Sensitive Attributes in Automated Trust Negotiation. In Proceedings of the ACM Workshop on Privacy in the Electronic Society, Washington D.C., November 2002.

[45] W. H. Winsborough and N. Li. Towards Practical Automated Trust Negotiation. In Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks, Monterey, CA, May 2002.

[46] W. H. Winsborough and N. Li. Safety in Automated Trust Negotiation. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2004.

[47] R. Yahalom and B. Klein. Trust-based Navigation in Distributed Systems. Computing Systems, 7(1):45–73, Winter 1994.

[48] R. Yahalom, B. Klein, and T. Beth. Trust Relationship in Secure Systems: A Distributed Authentication Perspective. In Proceedings of the IEEE Computer Society Symposium on Security and Privacy, Oakland, CA, May 1993.

[49] Z. Yan, P. Zhang, and T. Virtanen. Trust Evaluation Based Security Solution in Ad Hoc Networks. In Proceedings of the 7th Nordic Workshop on Secure IT Systems, Gjøvik, Norway, 2003.

[50] T. Yu and M. Winslett. A Unified Scheme for Resource Protection in Automated Trust Negotiation. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2003.

[51] T. Yu, M. Winslett, and K. E. Seamons. Supporting Structured Credentials and Sensitive Policies through Interoperable Strategies for Automated Trust Negotiation. ACM Transactions on Information and System Security, 6(1):1–42, February 2003.

[52] X. Zhang, M. Nakae, M. J. Covington, and R. S. Sandhu. Toward a Usage-Based Security Framework for Collaborative Computing Systems. ACM Transactions on Information and System Security, 11(1), February 2008.

[53] H. Zhu, F. Bao, R. H. Deng, and K. Kim. Computing of Trust in Wireless Networks. In Proceedings of the 60th IEEE Vehicular Technology Conference, Los Angeles, CA, September 2004.