Sage Journals: Discover world-class research

Abstract

This article investigates access control in cyber-physical systems, making a decision to permit or deny a user’s request for access operations on a system. Access operations in cyber-physical system result in diverse impacts on human beings and are perceived with different importance. Say, controlling a nuclear plant and reading data from it must be given different priorities. Access requests for these operations must be authorized distinctively with different protection levels, named prioritization issue. Existing solutions, however, do not either satisfy the prioritization requirement efficiently or work well in cyber-physical system environment. To solve the prioritization problem, we propose a new access control mechanism, named multi-factor access control, that employs a multi-factoring technique. In multi-factor access control, a user is granted multiple secret keys (i.e. factors) from independent authorities. When accessing a highly prioritized object, the user must present more than two factors, each of which is issued from different authorities. This decreases the probability that it presents false evidence of qualification, increasing protection level. To demonstrate the feasibility, we implement the proposed scheme and apply it to our smart building testbed. Throughout real-world experiments, we evaluate the performance of computation cost and illustrate automated, prioritized smart building controls.

Keywords

Security access control authorization prioritization cyber-physical system Internet of Things fog computing smart grid

Introduction

A cyber-physical system (CPS) emerges as a new engineering system by merging computing and networking with physical systems.¹ Sensing and actuating devices are deeply embedded inside our physical environment and connected to the Internet. In this setting, a cyberspace can access and interact with a physical world so as to control physical processes in more efficient and favorable ways. Implementing the CPS concept on a large scale, for instance in the energy field, a smart grid links an information network consisting of computer systems with a power network filled with a variety of energy resources (An energy resource is an equipment involved in power generation, transmission, storage, and consumption. For instance, it can be a bulk power generation, a power distribution pole, or an air conditioner at our home.) and then promotes interactions among interconnected resources. It is expected that such sensing and actuating (and eventually interactions) will occur everywhere around us, which often requires to process data in real time, to create location-aware contexts, and to maximize the efficiency of last-mile edge networks. This trend increases the importance of local computing environment, named fog computing. A fog platform, sitting at a network edge, actively interacts with end resources and/or devices and provides local computing capabilities such as storage, data processing, and control tasks.

In such networked interactions, “access control” makes a decision to permit or deny a user’s (or a subject) access request to system resources (or objects). (In an access control system, an object is an entity to be protected from unauthorized use while a subject represents an entity requesting to perform a set of operations (read, write, modify, execute, etc.) upon the object.) To this end, authentication verifies the identity of the accessing user and authorization grants the user privilege (of allowable behaviors) on specific objects. In access control research field, recent studies have focused on a scalability problem and a context-awareness problem.

This article tackles another critical problem in access control, prioritization, that is found everywhere in CPS. Prioritization represents that a highly prioritized process or operation must be secured with higher protection level. For instance, when a user accesses a power plant system through a smart grid network, it can stop power generation as well as read power data. These two access operations will result in different impacts on the power system and eventually on people, and thus must be authorized separately with different priorities. An access request to stop power generation must be examined more strictly with higher protection level than that for data reading.

The prioritization issue has been highlighted recently with the emergence of CPS in which physical systems become connected closely to cyber systems. From a physical domain perspective, an energy management system in a server room of the plant is not directly connected to external networks, and one is required to enter the room physically to control the power plant. That is, the highly prioritized industrial system whose control affects our daily lives immediately is secured by physical separation. However, the industrial system is now seamlessly accessed from cyber systems, say via the Internet. This nullifies the physical firewall and exposes additional cyber vulnerabilities in CPS. In a cyber system (e.g. inside the energy management system), prioritization has been achieved by separating the types of user accounts and their roles. Just as in a Unix system, a root account or an administrator role is given higher privilege than that of a normal user. The role-based solution, however, works efficiently only on authentication, not on authorization. For instance, a compromised manager of the power plant still possesses a valid credential, which authenticates and permits him to turn off the power plant. We still lack a proper authorization scheme while the importance of authorization increases in CPS. There does not exist a feasible solution that distinguishes access requests (even from a same user) based on their priorities and authorizes the access operations with different protection levels.

To solve the prioritization problem in CPS, this article proposes a new access control model, named multi-factor access control (MFAC). To differentiate priorities and protection levels, MFAC adopts the concept of multi-factoring (MF). An authorization module in MFAC requires an accessing user to present multiple, independent credential factors for highly prioritized operations while requiring a single factor for normal operations. We implement MFAC using the concept of attribute-based access control (ABAC)² that also addresses two traditional concerns of scalability and context awareness. We extend the initial implementation so that MFAC works with multiple certificate authorities independent of each other, realizing the MF for authorization without human intervention. A user is granted secret keys (i.e. factors) from different authorities and presents them when accessing objects. In addition to performing prioritized access control, MFAC allows an object to adjust protection level on specific access operations dynamically by changing the number of factors required for permission. This is essential in CPS where application contexts in a physical domain changes every second and so does the priority of each object.

To demonstrate the feasibility of the proposed scheme, we develop a C library and also import it to an Android smartphone so that a mobile user can enjoy MFAC. To demonstrate its applicability, we develop a smart building testbed to which we apply the MFAC library. Throughout experiments, we evaluate the performance of the proposed scheme and illustrate a smart building scenario where energy resources are prioritized differently and MFAC performs access control with different protection levels accordingly.

The contributions of this article are summarized as follows. First, we examine the prioritization issue in access control in depth. Next, we propose a new protocol, MFAC, that resolves the prioritization. Third, we develop a functional code and apply the proposed scheme both to a real-world testbed of smart grid and to a conventional smartphone. Finally, we run experiments on top of real testbeds and analyze the results to evaluate the performance.

The rest of the article is organized as follows. We introduce an access control issue in CPS in section “Access control issue in CPS,” which is followed by discussion on the prioritization problem-definition, existing schemes, and our solution approach in section “Prioritization in access control.” Section “MFAC” describes the proposed scheme in detail that is implemented in the following section. Section “Experiments and results” runs experiments to evaluate our scheme. We review the existing access control research in CPS in section “Related works,” and the article concludes in section “Conclusion.”

Access control issue in cyber-physical system

Of many security issues, access control attracts special attention in CPS environment as everyday objects that have been reached only physically are now accessible via networks. Accessing such objects can disclose details of human behaviors that are expected to remain confidential. In the smart grid, unauthorized collection of energy usage data reveals whether a home resident takes a shower or cooks dinner, not to mention telling his or her presence at home.³ In addition, controlling actuating objects change our physical environment, impacting human activities immediately. While a full scope of threats in CPS can be prevented and mitigated by combining various types of protection technologies, there is a clear understanding that access control is the first line of defense against security breaches.^4,5 Only qualified users should be able to perform access operations on objects.

The importance of access control is recently highlighted by a public report from the National Electric Sector Cybersecurity Organization Resource (NESCOR) project.⁶ The report identifies potential cybersecurity failure scenarios in six application domains of smart grid; they are Advanced Metering Infrastructure (AMI), Distributed Energy Resources (DER), Wide Area Monitoring, Protection, and Control (WAMPAC), Electric Transportation (ET), Demand Response (DR), and Distribution Grid Management (DGM). The NESCOR develops corresponding mitigation strategies categorized into 22 common action groups. Then, the report counts the occurrences of each action group across all failure scenarios. Figure 1 shows the top 10 action groups and the frequency of their occurrence. As shown, the top four action groups relate to access control as follows:

Control access: block unauthorized access;

Authenticate only qualified users;

Detect abnormal or unauthorized activity;

Verify that systems operate as they should (audit).

Figure 1.

Ranking of security mitigation action groups. The NESCOR project ranks the mitigation action groups in the order of their occurrence across all the failure scenarios in the electric sector. We note that the top four most frequent action groups relate to access control.

Prioritization in access control

Problem definition

In the smart grid, a user accesses energy resources and performs a variety of operations on them. The user reads tons of data from the resources, enabling to monitor the current status of power activities in the grid. It also sends command messages to the resources in order to control their physical processes, for instance, shutting off lights, discharging power from a battery, and adjusting configuration in a power plant.

One interesting observation is that these access operations are perceived with different priorities. When accessing an energy resource, controlling the resource often impacts our power system more immediately than reading data from it. Thus, one may say that “controlling” is given higher priority than “reading.”⁷ When prioritizing the operations, however, we also have to take into account the impact of failures in access control. For instance, using an AMI infrastructure, a utility company frequently reads energy usage data from a smart meter installed in a building, but the read privilege can be misused to infer residents’ private activities. An adversary may abuse the control privilege of the meter—say, shutting off the input power to the building and stopping all the business operations immediately.

This article does not argue that “controlling” is given higher priority all the time. Different access operations induce different consequences in the smart grid and indicate different levels of privacy penetration. Thus, we believe that these operations must be weighted distinctively and a resource owner must be able to determine their relative importance. An access control mechanism, then, must be able to enforce the prioritized access control accordingly. We refer to this requirement as prioritization.

The prioritization is also seen within “control” operations. Using the control privilege on the meters in the AMI, a utility server can shut off power of a customer’s house remotely when a resident moves out. At the same time, the server can power off a block of area or a city entirely in the emergency of power grid disturbance, so called “massive disconnection.”⁶ The consequence of these two control operations and their relative priorities are easily discerned, where prioritization is required. Since utility servers and smart meters are interconnected together, inappropriate management of prioritization may cause a catastrophe like the Northeast blackout of 2003 that affected 55 million people.⁸

Existing solutions and limitations

A security policy addressing the prioritization is to distinguish and prioritize access operations and strengthen protection level for highly prioritized ones. This section examines how existing access control mechanisms realize this policy and how the realizations fit to CPS environment.

Role-based access control (RBAC), the most popular mechanism in networked systems, can implement the policy by managing roles. RBAC employs pre-defined roles that carry a specific set of privileges associated with them. Upon receiving an access request from a user, RBAC assigns the user’s identity to one of the roles according to pre-defined mapping rules. In this way, users are not assigned permissions directly, but only acquire them through their roles. Therefore, RBAC enforces special protection on prioritized access operations by defining new roles. This way of protection strategy, however, does not scale. Elliott and Knight⁹ discussed a role explosion problem in RBAC when applying it to large enterprise systems requiring access control of fine granularity. When considering future deployment of a myriad of devices in CPS environment, RBAC will not work efficiently. Section “Related works” reviews research works addressing the scalability issue.

RBAC also suffers from a single point of vulnerability nullifying prioritization. There exists at least one user account and corresponding role having full control in RBAC. Any compromise on the account bypasses all the security rules, failing to protect important resources. The NESCOR report also identifies this vulnerability and advises to use an MF technique as mitigation. For instance, MF solutions such as “require multi-factor authentication (MFA)” and “require 2-person rule” are the most recommending prioritization schemes in the groups of “Authenticate” and “Verify.”

In MFA, a user presents two or more authentication credentials (factors) when accessing a resource. Each factor is then verified against who/what it claims to be by other authentication parties. These factors include something the user knows (e.g. password), something the user has (e.g. credit card), and something the user is (e.g. fingerprint). MFA seeks to decrease the probability that the user presents false evidence of his or her identity. In this sense, the number of factors implies the protection level in MFA.

Although MFA enhances assurance level with powerful concept, it does not work well in CPS environment, especially in the smart grid. First, it does not benefit authorization. A compromised employee can still turn off several substations in power transmission. Next, it requires human–computer interaction. Fingerprinting requires a user to stand in front of a scanning machine, which is not always feasible in the smart grid. Finally, the priority of energy resources changes dynamically. An access control mechanism must be able to adjust protection level accordingly that MFA cannot do.

Approach to design an access control mechanism

We strongly believe that the MF is a compelling concept to realize the prioritization. But existing MF solutions and the underlying access control model (i.e. RBAC) are too limited to be applied to CPSs. To solve the prioritized access control problem in CPS, this article proposes a new access control mechanism named MFAC. It adopts the core concept of MF, differentiating protection level by adjusting the number of credential factors, and implements the concept in CPS by taking into account the requirements discussed in the previous section as follows:

Performing access control in a scalable manner;

Removing a single point of vulnerability;

Enforcing prioritization without human involvement;

Adjusting protection levels dynamically.

Multi factor access control

Overview

MFAC implements the concept of ABAC of NIST² and works with multiple authorities. In MFAC, a user contacts a certificate authority (CA) from which he or she is granted a secret key functioning as a factor. A factor consists of a set of attributes, each of which describes the user’s privilege on specific access operations (e.g. controlling an air conditioner located at office 3803). During this factor-granting process, the user’s identification is verified and qualified attributes are only included in the factor. The user can receive as many factors as possible from multiple CAs independent of each other. These factors are cryptographically protected and linked together, and thus, the user cannot modify them and collude with other users. Moreover, since factors are issued from different CAs, a compromise on one factor does not affect others. This prevents the single point of failure. By using these factors, MFAC realizes the core principle of MF for access control.

When accessing an object, the user is given a challenge containing a protection policy prepared by the object. If the user can present proper credentials, that is, any combination of his or her factors and attributes satisfying requirement in the policy, it passes the challenge and thus is privileged. We note that this access decision process uses pre-qualified credentials, avoiding human intervention. Using attribute-based factors in the decision decouples objects (resources) to be protected from identities of accessing users, that is, the object authorizes any users according to attributes in the presented factors. Thus, the object does not need to memorize any prior knowledge of specific users, making MFAC scalable. The decoupling also allows the object to change the protection policy in the runtime. It can simply increase the number of requiring factors within the policy to strength the protection level.

Preliminary

This section introduces elementary concepts and theories on which we develop MFAC.

Attribute-based identification

In CPS, a myriad of devices is connected to networks, generating huge volumes of data every second. Such a deluge of data makes our managing communication partners a non-trivial task. By using attribute-based identification, each user does not remember the ID of partners. Instead, it describes data of interest using keywords and/or attributes and communicates with any users who store contents matching the description.

Attribute-based encryption

The attribute-based identification has been studied in security research. In attribute-based encryption (ABE), a user encrypts data using a set of descriptive attributes, not using a specific user’s public key.^10,11 It also creates an access policy tree, representing a Boolean formula defining the combination of attributes. Any user who can present credentials that correspond to the attributes, that is, satisfying the tree, can decrypt the ciphertext. Figure 2 illustrates an example of a policy tree consisting of two types of Boolean logic gates and four attributes at the leaves. ABE uses a bilinear map–based pairing-based cryptography (PBC) for the secrecy of the attributes and leverages a polynomial interpolation technique to guarantee information theoretic security in the tree.

Figure 2.

Access policy tree. Alice (data owner) creates an access policy tree when encrypting data. Two users, Kevin and Sara, have five attributes in their secret keys. A decryption process begins from the leaves by matching their attributes, and each gate returns true to its parent if children satisfy the logic. If the root returns true, then the user recovers data successfully. In this way, Kevin reads Alice’s data, but Sara cannot.

Lewko and Waters¹² extended ABE and developed a decentralized variant (DeABE), where there are more than two authorities in the system. A user maintains multiple sets of attributes, each of which is granted by different authorities. Unlike ABE, DeABE converts the Boolean formula of the tree into an equivalent linear secret-sharing schemes (LSSS) matrix¹³ to represent the policy in a mathematical form. The accessing user must present a proper set of attributes to recover data, which requires to obtain authorized attributes from two authorities independently.

Decentralized access control entry

Decentralized access control entry (DeACE) is a decentralized extension of a file system access control entry (ACE).⁷ In ACE, each file (object) maintains an ACE that predefines three user classes (owner, group, and others) and determines which privileges (read, write, and execute) are assigned to each class. The privilege for each class is represented by a three-digit code so that a user is authorized to read from, write to, or execute the file. DeACE decentralizes ACE by exploiting ABE and capability-based security. That is, a user is granted a capability “object_1 = 101” by an authority. When the user accesses the object_1, he or she is authorized to read and execute, but not to write. The capability is realized by number-assigned attributes using ABE.

Access control decision

In an MFAC system, there exist three types of entities—authorities $CA \in C A$ , users $u \in U$ , and objects $\tilde{u} \in \tilde{U}$ . An authority $C A_{j}$ maintains its own set of attributes, $L_{j}$ , that can be in various forms. A primitive attribute form may describe a type of energy resources in a smart building such as lighting, air conditioner, fan, solar panel, and EV. Or it may directly represent a specific employee in a company, for example, employee ID and name. In MFAC, we add a new form of attribute, clearance. The category for clearance includes manager, administrator, and member to which a number is assigned. The number indicates the clearance level within the attribute, for example, “manager = 300.” Each authority can determine the categorization and the levels for its own control.

A user $u$ contacts the authority $C A_{j}$ that grants a factor $F_{j, u}$ after verifying the user. $u$ can communicate with multiple CAs to be granted multiple factors and form his or her factor set $F_{u} = {F_{1, u}, \dots, F_{n, u}}$ . Now, the user sends an access request message to an object $\tilde{u}$ .

Upon receiving the request, $\tilde{u}$ asks $u$ to present one or more factors. To process the request, $\tilde{u}$ maintains a Challenge, an access policy tree as shown in Figure 2. Attributes in the tree may belong to one authority or each attribute may belong to different authorities. For instance, Alice in Figure 2 may use two attributes (service provider and utility) issued by the State of California and another two attributes (electric vehicle (EV) and read) issued by the City of Los Angeles. As mentioned, the number of factors used determines the protection level. For the number-assigned attributes, $\tilde{u}$ sets condition for the clearance level using an inequality like “manager ≥ 200.” Once $u$ presents his or her factors and attributes that satisfy the Challenge, the access request is verified and accepted. We note that the object can dynamically build a variety of Challenge by changing the number of factors and the combination of attributes according to applications’ contexts.

The following section presents mathematical equations for MFAC operations. Figure 3 illustrates a protocol for access control in MFAC and Table 1 summarizes notations.

Figure 3.

Authentication and authorization protocol. A protocol for an access control decision in MFAC.

Table 1.

Notations. This table shows notations used in the proposed access control system, MFAC.

Notation	Description
$u$ , $\tilde{u}$	They represent a user and an object in the system
$u \mapsto \tilde{u} : M$	$u$ sends a message $M$ to $\tilde{u}$
$〈 M_{1}, M_{2} 〉$	Concatenation of messages $M_{1}$ and $M_{2}$
$en c_{x} (y)$	A symmetric key algorithm encrypting a message $y$ with a secret $x$ . A pair notation for decryption is $y = de c_{x} (ciphertext)$
$S K_{j}$ , $P K_{j}$	Secret and public key that an authority $C A_{j}$ generates and maintains
$F_{j, u}$	A factor that an authority $C A_{j}$ grants to $u$ . It contains a set of attributes and corresponding factor keys
$L_{j, u}$	A set of attributes included in the factor $F_{j, u}$
$F K_{j, u}$	A set of factor keys included in the factor $F_{j, u}$
$F_{u}$	$u$ maintains a set of factors granted from $n$ multiple authorities, that is, $F_{u} = {F_{1, u}, \dots, F_{n, u}}$
$T$	An access policy tree that an object $\tilde{u}$ builds. It represents protection level for access operations on $\tilde{u}$ .
$A$	An LSSS matrix corresponding to $T$

System setup

MFAC selects a prime $N$ , groups of $G$ and $G_{T}$ of order $N$ , and a bilinear map $e : G \times G \to G_{T}$ . Then, it publishes and distributes a public parameter $P_{aram}$ to all the authorities and users

P_{aram} = 〈 g, H 〉

where $g$ is a generator of $G$ and a hash function $H : {0, 1}^{*} \to G$ maps the identities of users to $G$ .

Authority setup

An authority $C A_{j} \in C A$ maintains a set of attributes $L_{j}$ . For each attribute $i \in L_{j}$ , $C A_{j}$ chooses two random exponents $α_{i}, y_{i} \in Z_{N}$ and generates two keys—a secret key and a public key. It keeps the secret key $S K_{j}$ and publishes the public key $P K_{j}$

S K_{j} = {α_{i}, y_{i} | \forall i}, P K_{j} = {e (g, g)^{α_{i}}, g^{y_{i}} | \forall i}

Factor generation and distribution

Upon request, the authority $C A_{j}$ verifies the identity of a user $u$ . Then, it selects a set of attributes $L_{j, u} \subset L_{j}$ qualified for $u$ and generates a set of corresponding factor keys

F K_{j, u} = {K_{i, u} = g^{α_{i}} H (u)^{y_{i}} | \forall i \in L_{j, u}}

where $H (u)$ is a hash of the identity of user $u$ . Then, $C A_{j}$ grants a factor $F_{j, u}$ to $u$ in a secure way

C A_{j} \mapsto u : F_{j, u} = 〈 L_{j, u}, F K_{j, u} 〉

Access request

The user $u$ is about to access an object $\tilde{u}$ to perform a specific operation on $\tilde{u}$ . To this end, $u$ prepares an access request message $M_{o}$ and chooses a random $\hat{a} \in Z$ . Then, it transmits an access request $A R$ to $\tilde{u}$

u \mapsto \tilde{u} : A R = 〈 g^{\hat{a}}, M_{o} 〉

Challenge generation

Upon receiving $A R$ , $\tilde{u}$ generates a challenge $C$ that will be used to authorize $u$ . To this end, $\tilde{u}$ chooses two random $\hat{b}$ and $\hat{c} \in Z$ and takes own sequence number $z$ . After obtaining $g^{\hat{a}}$ from $A R$ , it computes two variables $z_{1} = g^{\hat{b}}$ and $z_{2} = en c_{z} (\hat{c}, (g^{\hat{a}})^{\hat{b} \hat{c}})$ , where $en c_{x} (y)$ is a symmetric key algorithm that encrypts a message $y$ with a secret $x$ . By concatenating two variables, $\tilde{u}$ generates a challenge message

M_{c} = 〈 z_{1}, z_{2} 〉

Now, $\tilde{u}$ builds a protection policy by creating an access policy tree $T$ . For all attributes (i.e. leaf nodes) in $T$ , it obtains involved factors and corresponding factor keys from authorities’ public keys $PK$ . $\tilde{u}$ then converts the tree $T$ to an equivalent $n \times l$ LSSS matrix $A$ , where $l$ is the number of leaves in the access tree and $n$ is determined by the tree shape.¹² Figure 4 illustrates an example of conversion. Given $M_{c}$ , public keys $PK$ , and a matrix $A$ , $\tilde{u}$ selects and computes the following variables:

Choose a random $s \in Z_{N}$ ;

Choose two random vectors, $v \in Z_{N}^{l}$ with $s$ as the first entry and $w \in Z_{N}^{l}$ with 0 as the first entry;

Compute $λ_{x} = A_{x} \cdot v$ and $w_{x} = A_{x} \cdot w$ , where $A_{x}$ is row $x$ of $A$ and $\cdot denotes$ multiplication;

Choose a random $r_{x} \in Z_{N}$ for each row $A_{x}$ of $A$ ;

Obtain $ρ (x)$ , a mapping from $A_{x}$ to the attribute $i$ that locates at the corresponding leaf in the access tree $T$ .

Figure 4.

Conversion algorithm. A vector space construction algorithm converts an access policy tree to a LSSS matrix.

Then, $\tilde{u}$ constructs the challenge $C$ and transmits it to $u$

\begin{matrix} C = 〈 A, ρ, C_{0} = M_{c} e {(g, g)}^{s} \\ C_{1, x} = e {(g, g)}^{λ_{x}} e {(g, g)}^{α_{ρ (x)} r_{x}} \forall x \\ C_{2, x} = g^{r_{x}} \forall x, C_{3, x} = g^{y_{ρ (x)} r_{x}} g^{w_{x}} \forall x 〉 \\ \tilde{u} \mapsto u : C \end{matrix}

Challenge response

Upon receiving $C$ , $u$ obtains the matrix $A$ and $ρ$ . If his or her factor set $F_{u}$ contains factor keys corresponding to $K_{ρ (x), u}$ for the set of attributes { $ρ (x) : x \in A_{x}$ }, then $u$ proceeds. Otherwise, $u$ stops here since it is not qualified. Obtaining other variables from $C$ and factor keys, $u$ computes for each $x$

\begin{matrix} val (x) = \frac{C_{1, x} \cdot e (H (u), C_{3, x})}{e (K_{ρ (x), u}, C_{2, x})} \\ \underset{x}{Π} {(val (x))}^{c_{x}} = \underset{x}{Π} {(e {(g, g)}^{λ_{x}} e {(H (u), g)}^{w_{x}})}^{c_{x}} = e {(g, g)}^{s} \end{matrix}

where $u$ chooses constants $c_{x} \in Z_{N}$ such that $\sum_{x} c_{x} A_{x} = (1, 0, \dots, 0)$ . Then, $u$ recovers a challenge message, let say it $M'_{c}$ for future evaluation, in computation of

M'_{c} = \frac{C_{0}}{e {(g, g)}^{s}} = 〈 z'_{1}, z'_{2} 〉

Using the random number $\hat{a} \in Z$ pre-selected in the access request procedure, $u$ constructs a challenge response and transmits it to $\tilde{u}$

u \mapsto \tilde{u} : C R = 〈 (z'_{1})^{\hat{a}'}, z'_{2} 〉

where $\hat{a}'$ is used instead of $\hat{a}$ for future evaluation.

Access decision

Upon receiving $C R$ , $\tilde{u}$ obtains $z'_{2}$ . Using its unique sequence number z, the one used in the challenge generation procedure computes $de c_{z} (z'_{2}) = 〈 \hat{c}, (g^{\hat{a}})^{\hat{b} \hat{c}} 〉$ . Then, $\tilde{u}$ compares two variables

((z'_{1})^{\hat{a}'})^{\hat{c}} = (g^{\hat{a}})^{\hat{b} \hat{c}}

If the result returns true, $\tilde{u}$ verifies $u$ . Then, it performs the requested operation $M_{o}$ and acknowledges. Otherwise, it denies the access request.

Implementing MFAC in smart grid

Fine-grained access control and prioritization

The proposed MFAC can be applied to various situations in many CPS applications as prioritization occurs everywhere. This article considers a fine-grained access control in a smart building context as a sample scenario. As introduced in section “Prioritization in access control,” people perceive the access operations of “reading” and “controlling” with different priorities. Accommodating this intuition, we distinguish the privilege of controlling from that of reading and then build prioritization policy in the following way. For the access of data reading, a user is required to present one type of credential factor, whereas it must present two types of factors to control energy resources. As shown in Figure 5, the user must be verified in advance from two independent authorities in order to gain privilege to control resources, thus differentiating protection level.

Figure 5.

An example of MFAC in the smart grid. Fine-grained access control to energy resources using MFAC.

We also consider that priority of an energy resource changes dynamically and apply this dynamism to the “controlling” operation. To this end, we assign priority values to energy resources according to criticality of the resources’ operations in the building. Then, their protection levels correspond to the value and energy price changing every 1 h. At a normal price, a user presents two factors to control them. As price increases, resources with low priority adjust their protection policy, thus requiring one factor for controlling. When the price reaches next threshold, resources having higher priority change their policy. We note that the priority values and energy price are two example elements changing the protection level dynamically. Instead, we can take other application contexts to enrich the prioritization in MFAC.

Testbed implementation

To demonstrate the application scenario, that is, prioritization in fine-grained access control, we develop and deploy a smart building testbed¹⁴ as shown in Figure 6. Within the building, we deploy several types of energy resources. Office appliances including monitor, printer, and water dispenser are plugged into plug load meters. The meters are capable of measuring their energy usage every 1 min and turning on/off the input power with embedded relay. We also instrument LED lights that can adjust own operations beyond a simple on/off status. Each LED operates with eight steps of brightness and temperature that affect its power consumption directly.

Figure 6.

A real-world testbed for experiments. We build a real-world testbed and apply and run the proposed weighted fine-grained access control scheme.

The building deploys an energy management system (or gateway) that communicates with these energy resources via the Ethernet and IEEE 802.15.4 ZigBee communications. A building resident can access the resources through the gateway as well as control them manually. The gateway places at a logical boundary of the building and communicates with external entities outside the building.

The testbed deploys three external users, each of which represents different levels of access privilege to the energy resources. A building owner uses his or her own smartphone to control all the resources as well as to read data. A data analysis service is only able to read energy usage from all the resources. It collects data, analyzes the building’s energy usage pattern, and makes a recommendation for efficient building operations to reduce energy bill. A curtailment service provider (CSP) makes an automated demand response (ADR) service contract with the building owner, in which a group of energy resources are registered to the service. It also contracts with a local utility company running the service server. Upon receiving a DR signal from the server, the CSP directly controls the registered resources to reduce the building’s energy usage down to a pre-contracted level.

For access control, we develop a C library of the proposed MFAC: we develop a DeABE component on top of the PBC library¹⁵ and implement the MFAC protocol. Then, the library is applied to the smart building testbed. We import the MFAC library into an Android platform for the building owner. Our testbed deploys three authorities (not shown in the figure) that issue factor keys to the users. They play a utility company, a building owner, and a city council to which the service providers are registered.

Experiments and results

MFAC performs access control by running mathematical operations of computationally expensive pairing-based cryptosystems. Thus, this section evaluates its operational cost by measuring processing time. We also run experiments on the smart building testbed and illustrate results.

Computation cost

We implement MFAC on laptops that use Intel Core 2 Duo running with 2.26 GHz of clock speed and 8GB of memory. This experiment varies the number of attributes involved in the access policy tree. For comparison, we implement a baseline of a fine-grained access control model⁷ representing single-factor authorization.

Figure 7 compares the computation time of the operations for setup, factor generation (MFAC), and key generation (baseline). When comparing two setup times, the difference is mainly attributed to the different scopes of setup procedures. In baseline, an authority generates one public and secret key, which does not consume any attributes. This makes the curve even over varying number of attributes. However, in MFAC, each authority generates a public–secret key pair for each attribute belonging to itself. The computation cost of a bilinear pairing, one of the most expensive portion, influences the performance. However, the overhead in MFAC due to pre-computation on attributes is rewarded in the next operations: factor generation in MFAC versus key generation in baseline. The pre-computation simplifies the cost of factor generation. Baseline takes 3.27 times and 3.55 times longer than MFAC with 25 and 50 attributes, respectively.

Figure 7.

Measurement of computation cost I. Computation costs for setup, factor generation, and key generation are measured.

The cost of the main operations in MFAC and baseline is illustrated in Figure 8. The cost of challenge generation in MFAC can be compared with that of authorization request in baseline. The challenge generation takes around 200 ms with 50 attributes, which is quite reasonable for conventional applications. However, the running time of authorization request in baseline reaches up to 671 ms with 50 attributes. This is mainly attributed to the exponentiations required for each leaf in the access tree. Challenge response in MFAC and authorization response in baseline show quite similar performance. Challenge response demonstrates 49.7 ms on average with 4.63 of standard deviation, whereas authorization response shows 56.8 ms on average with 6.52 of standard deviation. Such fast running time is mainly attributed to computational optimization in Bethencourt et al.¹⁰ One of such optimization uses dynamic programming, reducing the number of highly expensive computation of exponentiations in the operations.

Figure 8.

Measurement of computation cost II. Computation costs for challenge generation/response and authorization request/response are measured.

MFAC on smartphone

We run experiments to measure the performance of MFAC in an Android smartphone. This experiment fixes the number of attributes to 5, varies the number of factors in the access policy from 1 to 5, and then measures the running time of challenge generation. The number of factors in the experiment directly indicates how confident the object is that the user is qualified. We note that how to evaluate quantitatively the impact of MF (or protection levels) on the security level still remains as a research question. Figure 9 draws the running time of challenge generation, showing that the number of factors hardly affects performance in MFAC. This is because all the attributes are processed in the same way even though they are issued from different authorities. The average processing time is 2347 ms with five attributes. This is acceptable in most smart grid applications, but there remain rooms to be further enhanced.

Figure 9.

Experiments on a smartphone. We measure computation cost on challenge generation.

With smartphones, we extend the scope of our application scenario to include device-to-device communications, where a direct “data reading” occurs frequently, whereas a “control” operation barely occurs. If this is the case, MFAC can be optimized by replacing the challenge message $M_{c}$ in challenge generation with real data and by eliminating the challenge response operation. To accommodate the scenario, we vary the data size in our experiments, and the results are shown in the figure. MFAC shows constant performance until 1000 KB, but starts jumping at 10 MB. We think that this is a limitation due to data size, but not to the algorithm’s computation cost.

Prioritized resource control over real-time price

This experiment runs our smart building scenario with the ADR service. To this end, we deploy an OpenADR server providing an automated real-time pricing (RTP) service. The ADR server acquires a power price forecast from a wholesale market in California.¹⁶ Figure 10 draws a curve of day-ahead prices over 48 h. The wholesale market price is 42.4 US$/MWh on average from which the server determines a retail market price, a unit price of 4 cents/KWh. The star-marked line in the figure draws the changes in power price in the retail market. The server, then, generates a DR event of the RTP program. Taking values on day 2, the event starts at 11am and lasts until 9pm. The DR signal is delivered to both the CSP and two LED lights having different priorities. The CSP dims the lights as the price changes from 4 to 12. As a result, the power draw of the low-priority light directly responds to the brightness level and the price (solid colored bars in Figure 11). However, the high-priority light is set to be controllable above price 10 cents/KWh) and thus is not dimmed at 11am and 9pm (the additional patterned bars).

Figure 10.

Experimental results with the RTP-based ADR scenario I. An ADR server obtains price forecast from a California wholesale market and determines real-time power prices for a retail market.

Figure 11.

Experimental results with the RTP-based ADR scenario II. The CPS responds to the changes in the power price by controlling the brightness of two LED lights.

Discussion on performance of multi-factoring protocols

An MF technique uses more than one factor to verify a security statement, thus enhancing protection levels as introduced briefly in section “Prioritization in access control.” Until today, two performance issues in MF protocols are qualification of factors and independence between factors, that is, each factor must be of an appropriate (qualified) type for the security purpose, and factors involved must belong to different domains and be verified independently. In authentication that verifies a user’s identification, for instance, MFA considers three types of factors: knowledge factor (e.g. password and PIN number), possession factor (e.g. credit card and security token), and inherence factor (e.g. biometrics such as fingerprint, retina, and voice). In front of an ATM machine, a user is generally required to present both a password and its card to make a money transaction. A recent mobile phone two-factor authentication method regards a smartphone as another possession factor and delivers a one-time passcode to the user via a different communication channel such as SMS. The use of additional channel strengthens the level of verification independence. In MFA, a factor represents a very low computation complexity; numbers of 4–6 bits are generated and matched. This simplicity is mainly attributed to human being’s involvement in the verification process.

This article applies the MF concept to authorization in the CPS environment where access control policy may change dynamically according to the system’s contexts and automated operations are dominant without human involvement. To the best of authors’ knowledge, this is the first study of MFA. To address the two issues, we adopt PBC, LSSS matrix, and DeACE, which represent expensive computation costs. Unlike in MFA, qualification of factors and independence between factors are defined and verified via more complicated mathematical computation processes in MF authorization. Given the observation that the MF ensures enhanced protection levels, we examine computations to assess the performance of MF protocols in this article.

Related works

Of many security issues, access control is especially highlighted as the first-line defense in CPS that does not have explicit perimeter security.^4,5 Most access control research has extended the conventional RBAC model. But as discussed in Elliott and Knight,⁹ RBAC suffers from role explosion problem in a scalable network like CPS.

To overcome the scalability limitation, ABAC² has been actively investigated. The concept of ABAC has been studied in web research as the Internet grows in size.^17,18 Recent literature applied ABAC to CPS.^19–21 Fadlullah et al.¹⁹ applied an ABE technique directly to a control center that broadcasted encrypted control messages only to qualified energy devices, realizing late authorization. Ruj et al.²⁰ implemented ABAC to enforce selective access control on energy data stored in data repositories and used by different smart grid users.

Another branch of access control research in CPS takes into account situational contexts dynamically changing in the physical domain.^22,23 Mo et al.²⁴ and Sridhar et al.²⁵ further explored cyber-physical inter-dependency in the smart grid and examined potential attack vectors from both physical power applications and underlying cyber infrastructure. So, they highlighted the significance of information security in conjunction with system-theoretic security to prevent and mitigate cyber attacks. The proposed MFAC addresses the scalability problem and accommodates dynamically changing application contexts in access control. Moreover, it resolves the prioritization problem that is critical in CPS but has not been investigated in previous research.

Conclusion

The prioritization becomes one of the most concerning security challenges in CPSs as augmented computers pervade deeply into our physical environment. This article has presented a novel access control mechanism, MFAC, that employs an MF technique to solve the prioritization problem. In addition, it is implemented using an ABAC model working well in a large-scale CPS network. In MFAC, a user is granted more than two factors consisting of attributes from independent authorities, and an object develops its own access control policy by combining arbitrary number of factors. When accessing the object, the user is challenged with the policy. If his or her attributes and factors satisfy the policy, it is qualified. By adjusting the number of factors, the object can change own protection level dynamically and MFAC enforces prioritized access control. We implemented and applied MFAC to a fine-grained access control scenario in our smart building testbed. The experiments measured its computation cost and showed reasonable performance. We also illustrated an automated, prioritized smart building control in which protection levels changed along with real-time power price.

Footnotes

Handling Editor: Miguel A Zamora

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported by the Incheon National University Research Grant in 2016.

References

Cyber-Physical Systems: executive summary. CPS Steering Group, The U.S. Networking and Information Technology Research and Development (NITRD) Program, March 2008.

Ferraiolo

Kuhn

et al . Guide to attribute based access control (ABAC) definition and considerations. NIST SP 800-162, January 2014, http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf

Froehlich

Larson

Gupta

et al . Disaggregated end-use energy sensing for the smart grid. IEEE Pervas Comput 2011; 10(1): 28–39.

Ray

. Access control challenges for cyber-physical systems. In: NSF workshop on cyber-physical systems, July 2009, http://cimic.rutgers.edu/positionPapers/paper_Indrakshiray.pdf

Metke

Ekl

. Security technology for smart grid networks. IEEE T Smart Grid 2010; 1(1): 99–107.

Electric Sector Failure Scenarios and Impact Analyses. NESCOR, http://www.smartgrid.epri.com/nescor.aspx (accessed September 2013).

Lee

E-K

Gadh

Gerla

. Resource centric security to protect customer energy information in the smart grid. In: 2012 IEEE third international conference on smart grid communications, Tainan, Taiwan, 5–8 November 2012. New York: IEEE.

Final report on the August 14, 2003 blackout in the United States and Canada: causes and recommendations. Washington, DC: U.S.-Canada Power System Outage Task Force, April 2004.

Elliott

Knight

. Role explosion: acknowledging the problem. In: International conference on software engineering research and practice, July 2010, http://knight.segfaults.net/papers/20100502%20-%20Aaron%20Elliott%20-%20WOLRDCOMP%202010%20Paper.pdf

10.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: IEEE symposium on security and privacy, Berkeley, CA, 20–23 May 2007. New York: IEEE.

11.

Goyal

Pandey

Sahai

et al . Attribute-based encryption for fine-grained access control of encrypted data. In: CCS’06 Proceedings of the 13th ACM conference on computer and communications security, Alexandria, VA, 30 October–3 November 2006. New York: ACM.

12.

Lewko

Waters

. Decentralizing attribute-based encryption. In: EUROCRYPT, May 2011, https://eprint.iacr.org/2010/351.pdf

13.

Beimel

. Secure schemes for secret sharing and key distribution. PhD thesis, Israel Institute of Technology, Haifa, 1996.

14.

Lee

E-K

Gadh

Gerla

. Energy service interface: accessing to customer energy resources for smart grid interoperation. IEEE J Sel Area Comm 2013; 31(7): 1195–1204.

15.

The PBC library, http://www.crypto.stanford.edu/pbc.

16.

Open Access Same-Time Information System (OASIS), California Independent System Operator (CAISO), http://oasis.caiso.com/

17.

Yuan

Tong

. Attributed based access control (ABAC) for web services. In: IEEE International conference on web services, Orlando, FL, 11–15 July 2005. New York: IEEE.

18.

OASIS eXtensible Access Control Markup Language (XACML), https://www.oasis-open.org/committees/xacml

19.

Fadlullah

Kato

et al . Toward secure targeted broadcast in smart grid. IEEE Commun Mag 2012; 50(5): 150–156.

20.

Ruj

Nayak

. A decentralized security framework for data aggregation and access control in smart grids. IEEE T Smart Grid 2013; 4(1): 196–205.

21.

Tong

Deyton

Sun

et al . S³ A: a secure data sharing mechanism for situational awareness in the power grid. IEEE T Smart Grid 2013; 4(4): 1751–1759.

22.

Toahchoodee

Ray

Anastasakis

et al . Ensuring spatio-temporal access control for real-world applications. In: ACM symposium on access control models & technologies, Stresa, 3–5 June 2009. New York: ACM.

23.

Garcia-Morchon

Wehrle

. Modular context-aware access control for medical sensor networks. In: ACM symposium on access control models & technologies, Pittsburgh, PA, 9–11 June 2010. New York: ACM.

24.

Kim

TH-K

Brancik

et al . Cyber-physical security of a smart grid infrastructure. P IEEE 2012; 100(1): 195–209.

25.

Sridhar

Hahn

Govindarasu

. Cyber-physical system security for the electric power grid. P IEEE 2012; 100(1): 210–224.

Prioritized access control enabling weighted,fine-grained protection in cyber-physical systems