Application of Attribute Based Access Control Model for Industrial Control Systems

Full Text (PDF, 593KB), PP.12-21

Views: 0 Downloads: 0


Erkan Yalcinkaya 1,* Antonio Maffei 1 Mauro Onori 1

1. Department of Production Engineering, Royal Institute of Technology, Stockholm, Sweden

* Corresponding author.


Received: 11 Aug. 2016 / Revised: 28 Oct. 2016 / Accepted: 1 Dec. 2016 / Published: 8 Feb. 2017

Index Terms

Attribute based access control (ABAC), industrial control systems (ICS), fine grained authorization, central policy enforcement


The number of reported security vulnerabilities and incidents related to the industrial control systems (ICS) has increased recent years. As argued by several researchers, authorization issues and poor access control are key incident vectors. The majority of ICS are not designed security in mind and they usually lack strong and granular access control mechanisms. The attribute based access control (ABAC) model offers high authorization granularity, central administration of access policies with centrally consolidated and monitored logging properties. This research proposes to harness the ABAC model to address the present and future ICS access control challenges. The proposed solution is also implemented and rigorously tested to demonstrate the feasibility and viability of ABAC model for ICS.

Cite This Paper

Erkan Yalcinkaya, Antonio Maffei, Mauro Onori, "Application of Attribute Based Access Control Model for Industrial Control Systems", International Journal of Computer Network and Information Security(IJCNIS), Vol.9, No.2, pp.12-21, 2017. DOI:10.5815/ijcnis.2017.02.02


[1]ICS-CERT, “ICS-CERT Year in Review 2012.” 2012.
[2]ICS-CERT, “ICS-CERT Year in Review 2013.” 2013.
[3]U.S. Department of Homeland Security, “Common Cybersecurity Vulnerabilities in ICS.” May-2011.
[4]ICS-CERT, “ICS-CERT Monitor between September 2014-February 2015.” 2015.
[5]GE Measurement & Control Solutions, “Top 10 Cyber Vulnerabilities for Control Systems.” 2012.
[6]National American Reliability Council, “Top 10 Vulnerabilities of Control Systems and their Mitigations.pdf.” Dec-2006.
[7]M. Bishop, Introduction to computer security. Boston: Addison-Wesley, 2005.
[8]L. Janczewski and A. M. Colarik, Eds., Cyber warfare and cyber terrorism. Hershey: Information Science Reference, 2008.
[9]R. S. Sandhu and P. Samarati, “Access control: principle and practice,” Commun. Mag. IEEE, vol. 32, no. 9, pp. 40–48, 1994.
[10]S. Oh and S. Park, “Task–role-based access control model,” Inf. Syst., vol. 28, no. 6, pp. 533–562, 2003.
[11]R. Sandhu, “Access control: The neglected frontier,” in Information Security and Privacy, 1996, pp. 219–227.
[12]V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone, “Guide to Attribute Based Access Control (ABAC) Definition and Considerations,” National Institute of Standards and Technology, NIST SP 800-162, Jan. 2014.
[13]L. Pietre-Cambacedes, M. Tritschler, and G. N. Ericsson, “Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs,” IEEE Trans. Power Deliv., vol. 26, no. 1, pp. 161–172, Jan. 2011.
[14]A. Valenzano, “Industrial Cybersecurity: Improving Security Through Access Control Policy Models,” IEEE Ind. Electron. Mag., vol. 8, no. 2, pp. 6–17, Jun. 2014.
[15]M. Cheminod, L. Durante, L. Seno, and A. Valenzano, “On the description of access control policies in networked industrial systems” in Factory Communication Systems (WFCS), 2014 10th IEEE Workshop on, 2014, pp. 1–10.
[16]K. Stouffer, J. Falco, and K. Scarfone, “NIST, Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security.” Jun-2011.
[17]“ISA99, Industrial Automation and Control Systems Security - ISA.” [Online]. Available: [Accessed: 04-Apr-2015].
[18]M. Onori and J. Barata, “Evolvable Production Systems: new applications in mechatronic equipment”, Transactions on Industrial Electronics, IEEE Journal, IES Society, 2010.
[19]WSO2 Identity Server 5.0.0. WSO2, 2015.
[20]MySQL Community Server 5.6.24. MySQL, 2015.
[21]SoapUI 5.2. SmartBear, 2015.
[22]U.S. Department of Homeland Security, “Control Systems Communications Encryption Primer” Dec-2009.
[23]U.S. Department of Energy "Communications Requirements of Smart Grid Technologies” Oct-2010.