Cyber Threat Intelligence for Industrial Control Systems Security

Academic year: 2021

UNIVERSITÀ DI PISA

DIPARTIMENTO DI INFORMATICA

PHD THESIS

Cyber Threat Intelligence for Industrial Control Systems Security

Author: Oleksii Osliak

Supervisors: Anna Bernasconi (University of Pisa), Fabio Martinelli (IIT-CNR)

March 30, 2021


“You cannot hope to build a better world without improving the individuals. To that end each of us must work for his own improvement, and at the same time share a general responsibility for all humanity, our particular duty being to aid those to whom we think we can be most useful.” Maria Skłodowska-Curie


Abstract

The new industrial revolution known as Industry 4.0 aims at comprising multiple technologies, spanning from mobile computing to cloud computing. It has undergone vast development in the past decade and is currently deployed as commercially available, interconnected systems within the manufacturing domain. However, the concept of Industry 4.0 is not simple and covers many technologies used in a variety of different areas. Existing initiatives based on those technologies generate, exchange, and analyze a vast amount of data treated as sensitive, while still relying on simplistic access control models that do not consider the fast-growing threat landscape.

Therefore, the main objective of this thesis is to enhance Industrial Control System (ICS) security through the design of a framework consisting of novel access and usage control models. The framework is also supported by enforceable collaborative knowledge of existing and emerging threats that provides countermeasure strategies. The framework should provide fine-grained continuous control over data usage according to security policies that are automatically updated according to knowledge in cybersecurity.

As the first step, we present the problem of protecting sensitive information while sharing and analysing Cyber-Threat Intelligence (CTI). We propose a model for representing and enforcing security policies with enforceable operations targeted at preventing sensitive information leaks and abuse. We present a framework that enables security specialists to enforce security policies, expressed using our model, on threat intelligence reports.

We also survey existing methods for data communication used in Industry 4.0 to identify the most used and secure standard, as well as the limitations of its access control model. We present a new access control model for enhancing a standard used in Industry 4.0 through the application of the Usage Control (UCON) paradigm. Differently from existing methods, our model enables the revocation of the session if conditions are no longer satisfied, thus enhancing ICS security.

We also enhance our framework with a system that provides policy management capabilities. The system uses CTI records to retrieve information used to invoke operations for updating UCON policies. These policies are applied to prevent illegal access to the simulated industrial environment.


Acknowledgement

This thesis would not be possible to accomplish without the support of many people. First of all, I would like to extend my sincere gratitude and appreciation to my supervisors Dr. Fabio Martinelli and Prof. Anna Bernasconi for giving me this opportunity, their continuous support, and beneficial advice.

Further, I would like to thank the security group of Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche for the great scientific environment that helped me to boost my research skills. Special thanks to Dr. Andrea Saracino, who helped me a lot with my work. I do hope to continue our collaboration in the future. Special gratitude is to Ms. Christina Michailidou, Mr. Ganbayar Uuganbayar and Dr. Athanasios Rizos for their support and the close collaboration that we had.

Furthermore, I would like to thank Prof. Antonio Brogi and Prof. Paolo Ferragina for the opportunity to carry out the research at the University of Pisa, for their kind help every time when support was needed. Special thanks to Prof. Laura Semini and Prof. Stefano Chessa for their feedback as internal reviewers of this work.

I am especially grateful to external reviewers of my thesis Prof. Igor Kotenko and Prof. Vasileios Gkioulos for their beneficial feedback.

I further thank my big Family for their continuous support and that they believed in me during my research. Without them, it would be impossible to become that person I am.

Last but not least, I thank the research projects NeCS (H2020 - GA #675320), CyberSANE (H2020 - GA #833683) and SPARTA (H2020 - GA #830892) that supported my work.


Contents

1 Introduction
1.1 Industrial Control Systems
1.1.1 Industrial Security
1.2 Problem Statement
1.3 Summary of contributions
1.3.1 List of Publications
1.4 Structure of the thesis
2 Background and State of the Art
2.1 Fourth Industrial Revolution - Industry 4.0
2.2 Data communication in Industry 4.0
2.2.1 OPC Unified Architecture - OPC UA
2.2.2 Message Queuing Telemetry Transport Protocol - MQTT
2.2.3 Data Distribution Service - DDS
2.3 Access and Usage Control Models
2.3.1 Role-Based Access Control
2.3.2 Attribute-Based Access Control
2.3.3 Existing Policy Languages
2.3.4 Usage Control - UCON
2.3.5 Architecture of Usage Control System - UCS
2.3.6 Usage Control Policy Specification Language
2.4 Cyber-Threat Intelligence
2.4.1 Ontologies for Cyber Security
2.4.2 Threat Intelligence sharing formats
2.5 Access and Usage control in Industry 4.0
2.5.2 ABAC model for OPC-UA protocol
2.5.3 Multi-modal Access Control approach
2.5.4 SOLIOT approach
3 Sensitive Threat Intelligence Data Protection
3.1 CTI Sensitive data protection
3.2 Data-Sharing Agreement for Threat Intelligence
3.2.1 Data-Sharing Agreement representation using Threat Intelligence standard
3.3 System Architecture
3.4 Performance Evaluation
4 Usage Control in Industry 4.0
4.1 Formal OPC-UCON model
4.2 System Architecture and Workflow
4.3 Testbed and Performance Evaluation
5 Access Control Policies management using Cyber-Threat Intelligence
5.1 Attribute-Based Access Control and Threat Intelligence
5.2 Attribute-Based Access Control Policy update process
5.3 Access Control policy update within the Cloud environment
5.3.1 Security Management Tool
5.3.2 Practical Example
6 Cyber-Threat Intelligence for Industry 4.0 security
6.1 Ontology for UCON policies and Threat Intelligence
6.2 A framework for UCON Policies Update
6.3 Usage Control policy update within the Smart Factory
6.3.1 Experimental Results
7 Concluding remarks
7.1 Future Work


List of Figures

1.1 Three-level security model of ICS
2.1 Industrial Revolutions
2.2 Technological Pillars of Industry 4.0
2.3 OPC UA Architecture
2.4 OPC UA Security Model
2.5 MQTT publish/subscribe
2.6 DDS distributed architecture
2.7 Access Control Mechanism
2.8 XACML Language Model
2.9 Usage Control System
2.10 U-XACML Policy Meta-model
2.11 Cyber Threat Intelligence Model
2.12 Structured Threat Information eXpression 2.0 Architecture
3.1 CTI Management System architecture
3.2 CTI Management System workflow
3.3 Obtained results
4.1 The OPC Usage Control model (OPC-UCON)
4.2 Smart Factory considered Infrastructure
4.3 Integrated UCS into OPC-UA framework
4.4 Authorization and access revoke process workflow
4.5 UCS Overhead
5.1 Proposed framework
5.2 Security Management Tool
6.1 The OPC-UCON-CTI framework
6.2 Policy Update Workflow
6.3 Illustration of the text with possible operations extracted
6.4 Attack representation using STIX


List of Tables

2.1 CTI representation approaches
2.2 STIX Objects
3.1 Email object properties
3.2 DSA properties
3.3 DSA Bundle properties
3.4 Condition properties
3.5 Requirement properties
3.6 Experimental results
3.7 Results obtained for CVE records
3.8 Results obtained for STIX 2.0 reports
4.1 Formal UCON definitions for OPC Unified Architecture (OPC-UA)
4.2 Authorization Functions and Action Decision for OPC-UCON
4.3 System Performance
6.1 U-XACML Policy Update Operations
6.2 Attack Entities


Nomenclature

A  Set of elements
a ∈ A  Element of a set
a ∧ b  Logic "and"
a ∨ b  Logic "or"
¬a  Logic negation
a ≡ b  Concept equivalence
a ⊑ b  Concept inclusion
a ⊔ b  Union of concepts
a ⊓ b  Conjunction of concepts
∃a ∈ A  Existential quantification
∀a ∈ A  Universal quantification


Chapter 1

Introduction

Originally, Industrial Control Systems (ICSs) were isolated, with proprietary control protocols using specialized hardware and software. However, within the fourth industrial revolution, known as Industry 4.0, widely available and low-cost IP-based devices started to replace proprietary solutions, thus optimizing and improving multiple manufacturing processes and reducing production costs. Industry 4.0 defines a model of the "smart" factory in which computer-driven systems monitor physical processes, create a virtual copy of the physical world, make decentralized decisions using self-organization mechanisms, and change the state of the physical world. Considering the extensive networking and the high levels of data sharing, along with requirements on systems' standardization, availability, reliability, and operability, such a model strongly relies on cybersecurity, including secure access to devices and secure communication between them.

This thesis investigates security solutions used to protect ICSs. It explores access and usage control mechanisms that provide continuous monitoring of the usage of ICS resources while, at the same time, relying on the cybersecurity situational awareness of an organization.

The first section of this chapter overviews ICS basics and describes existing security solutions. Section 1.2 focuses on open security problems and challenges of access control in the industrial sector and related Cyber Threat Intelligence (CTI). Section 1.3 provides a brief overview of the main contributions of the thesis together with a list of publications. Finally, Section 1.4 concludes the chapter by describing the structure of the thesis.


1.1 Industrial Control Systems

The ICS term is used to describe a variety of systems comprised of computers, electrical and mechanical devices, as well as manual processes supervised by humans. ICSs perform automated or partially automated control of equipment in manufacturing and critical infrastructures, including chemical plants, nuclear power plants, water treatment, and many other industries.

Depending on their purpose, ICSs can be very complex and thus involve thousands of different components. Moreover, those components may be distributed across the country or even internationally to control complex processes in real time. Due to the enormous number of devices, their diversity, and their requirements, ICSs are segmented into operational zones [88], as shown in Figure 1.1.

Figure 1.1: Three-level security model of ICS

As shown in Figure 1.1, an Enterprise Zone includes business networks and other systems that belong to the enterprise. Business networks are commonly based on the Internet Protocol (IP) with a connection to the Internet. Traditionally, these networks were kept separate from the operational networks used in the other zones. However, due to the rising interest in controlling industrial processes remotely, separating such networks is currently not a common practice [152].

Similarly to the Enterprise Zone, the Control Zone may also have networks based on the IP protocol. However, in this zone safety and reliability are the main factors that must be achieved. Meanwhile, due to the specificity of the software and the continuously running processes, the software of devices in the Control Zone may not be updated as often as the software of devices in the Enterprise Zone, while the networks may have strict timing constraints. Hence, irregular software updates can leave vulnerabilities open to exploitation.

The Production Field Zone includes devices and networks that are in charge of controlling and automating industrial processes. This zone often includes single-purpose devices, such as the Programmable Logic Controller (PLC), that have limited computational capabilities. The communication networks in the Production Field Zone are much more diverse and employ a large variety of specific industrial protocols and physical interfaces.

Safety, Reliability and Security Requirements

Since processes controlled and operated by ICSs are usually correlated to critical infrastructure, where the safety of personnel as well as the reliability of the system is crucial, the Production Field Zone is distinguished from the Enterprise Zone by its strict requirements for both safety and reliability. These requirements have an impact on multiple aspects of the ICS, starting from its design with redundant elements up to maintenance with regular upgrades and patches. Moreover, due to the real-time interaction with the physical environment, the ICS continuously accepts requests (e.g., from sensors) and continuously produces reactions (e.g., to actuators), and the correctness of results also depends on the timely delivery of messages and commands. Hence, considering these factors, ICSs that operate critical infrastructures are required to provide high levels of availability, reliability, and safety under a range of conditions. Moreover, due to the potential consequences caused by the failure of ICSs that control critical infrastructure, another requirement is to minimize the probability of fault events that are unlikely to occur.

In the industrial sector, three approaches exist to enhance the reliability and safety of systems and thus deal with system faults. The first approach consists in achieving the safety and reliability of the ICS through its design; the second approach considers an assessment of the system to verify the presence of faults; the third approach considers that the system can endure failures and thus still ensures correct operation. In ICSs there are two classes of failures, i.e., hardware and software. While hardware faults occur randomly and independently from each other, diverse circumstances may trigger software faults.

In fact, both hardware and software faults may occur randomly (e.g., material fatigue, software bugs, etc.). However, software faults fall into two classes, i.e., non-malicious and malicious failures. While non-malicious faults are mostly caused by unintentional mistakes of operators, malicious failures are cyberattacks, thus introduced by entities acting with malicious intent to change the system's functioning. In the ICS security area, a set of recommendations and practices used to protect those systems against threats exists. Studies [142], [41] and [37], provided by the National Institute of Standards and Technology (NIST), the European Network and Information Security Agency (ENISA) and the International Electrotechnical Commission (IEC) respectively, define those requirements. The most relevant of them are:

• Anomaly detection system - used to identify any unexpected or unauthorized behaviour in industrial networks and systems. It may be useful to discover Advanced Persistent Threats (APTs) or insider threats.

• Network security devices - firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are required to monitor industrial networks in order to detect unauthorized traffic.

• System logging - an invaluable approach for identifying malicious or unusual behaviours. The approach is extremely helpful in incident investigations.

• Source node authentication - a method for validating the authenticity and originality of the connections that industrial elements have received. The method allows malicious communications sent to ICS components to be detected.

• Role-based Access Control - provides a security mechanism for managing access permissions of personnel according to a series of roles with predefined privileges.

• End-user device security - any end-user device that interacts with the ICS must be protected with installed antivirus, antimalware and other security solutions.

• Internet connection - security solutions must be in use to filter and check all communications in order to avoid unauthorized access and usage of the ICS.

Although the Internet connection increases the potential of ICSs and improves their efficiency, thus leveraging them to the next industrial revolution, it also discloses vulnerabilities of those systems and introduces new threats and attack execution scenarios.

1.1.1 Industrial Security

The fourth industrial revolution, known as Industry 4.0, together with its associated technologies, brings countless opportunities across all market sectors. Meanwhile, current internet technology solutions suffer from existing cybersecurity and data privacy issues. Thus, the adoption of Industry 4.0 is a challenging and error-prone process. Due to the highly integrated Information Technology (IT) and the potential financial impact caused by cyberattacks, Industry 4.0 faces traditional cybersecurity issues as well as its own specific security and privacy challenges [168]. Hence, the advantages of Industry 4.0 are valuable only if the security implications of users, administrators and access to resources are treated adequately.

Some approaches provide secure communication between ICS components and sub-systems, while others, like the IEC 62541 OPC-UA, merge and realize multiple security requirements, and therefore OPC-UA is currently a standard in Industry 4.0 [140, 174]. The OPC-UA security mechanisms were designed with consideration of a detailed analysis of countless attacks [53], resulting in three levels: user security, application security, and transport security. User-level security is managed by the security administrator, who is the system-aware entity responsible for the security of the system and its correct functioning. The user-level security mechanisms provide access to a specific user according to its role while setting up a new session. The application-level security includes the exchange of digitally signed X.509v3 [73] certificates issued by a certificate authority [158] in order to authenticate an application or user during secure channel establishment. Finally, transport-level security is used to sign and encrypt messages during a communication session. Hence, signing ensures the integrity and authenticity of a message, while encryption prevents its eavesdropping [101].

Security Through Administration

One of the most fundamental issues addressed by the security administrator within the ICS is providing an infrastructure for Identity and Access Management. Hence, a security administrator manages access to industrial systems and components by assigning roles and permissions, and by defining restrictions for entities that request access to services available on a system. For this reason, identities are assigned to each entity of a smart factory, so that those identities can be used for verification by other entities, including authentication and authorization mechanisms. Moreover, a security administrator is in charge of monitoring and logging events, and of controlling system usage in order to perform the necessary accounting and identify potential privilege abuse.

Security policies might accept requests only from specific IP address ranges, since industrial processes can be geographically distributed and controlled remotely by different devices. Moreover, security policies may require the devices used to send requests to be connected to secure networks. Hence, security policies should include attributes that characterize entities of the system as well as context information.

Access Control Approach

Access Control is one of the fundamental security approaches used in IT and cybersecurity [162]. One of the significant principles for any access control system is the Least Privilege Principle, which means that entities of the system have only the privileges required for their assigned tasks. Thus, this principle decreases the potential damage to the system caused by compromised elements. Another principle is the Separation of Duties [36, 147, 28], which means that the privileges of an entity must not create conflicts of interest. Hence, entities that act as operators of an ICS machine cannot configure security settings, since that would increase and exceed their privileges.

In ICS security, several techniques have been used for specifying access policies at a high level of abstraction. Discretionary Access Control (DAC) uses the identities of the users and rules that state who is allowed to execute actions on the resources. In the DAC model, users can be authorized to delegate their rights to other users, while an administrative authority is in charge of granting and revoking access rights. In contrast, the Mandatory Access Control (MAC) model assigns rights based on rules issued by a central authority. One of the most common forms of the MAC model is the multilevel security policy, based on the classification of resources and of the subjects needing to access them [23].

However, organizations have their own unique security requirements, which are difficult to meet using traditional DAC and MAC models, since security policies have to be defined for each entity. Therefore, organizations use the Role-based Access Control (RBAC) model, which permits or denies access to resources based on roles with associated permissions. Entities can hold one or multiple roles, and thus the associated privileges. The role assignment ensures the least privilege principle and the separation of duties. In fact, RBAC is scalable, since the number of roles is independent of the number of subjects. Therefore, the RBAC model has been implemented in OPC-UA as part of the security model, since it allows describing many-to-many relationships between entities and rights, compared to the DAC and MAC models [50].

Cybersecurity Awareness and Knowledge Sharing

Nowadays, many organizations, from Small and Medium Enterprises (SMEs) up to international corporations, share information regarding new cyberattacks and threats, also providing recommendations for improving overall security. Sharing threat-related information, known as CTI [108, 29], is a novel weapon in the arsenal of defenders that allows implementing proactive mitigation against the increasing number of cyberattacks. CTI sharing is a new method to create situational awareness among sharing entities [113]. Approaches like Structured Threat Information eXpression (STIX), which is a standard for CTI representation, and the Malware Information Sharing Platform (MISP) are widely used by SMEs and international corporations for exchanging information about cyberattacks, in order to share and improve their knowledge of the countermeasure capabilities used to protect systems from those attacks. Hence, security specialists use shared CTI to leverage the security capabilities of the defence mechanisms implemented in their organizations, in order to successfully handle security incidents.

1.2 Problem Statement

The main purpose of this thesis is to explore the security limitations of ICSs and propose a solution. The solution should enable continuous control over data usage and consider collaborative knowledge of countermeasure strategies for handling cyber incidents.

Existing Security Challenges

According to multiple surveys [1, 2, 3], apart from the lack of standardization, the liability of current technologies, and social/political concerns, cybersecurity and the lack of skilled personnel are the most significant challenges to ICSs. Since operations within Industry 4.0 must be well protected by isolation and firewalls, some of the existing threats are more critical than others. Some of the critical threats are:

• Indiscretions by personnel – personnel store their passwords in folders on computers.

• Bypass of access controls – employees turn off security measures, do not change default passwords, or the same passwords are used to access ICS equipment. Thus, adversaries use the credentials of legitimate users to execute malware [44].

• Authorization violation – someone undertakes actions for which they are not authorized, sometimes because of careless enforcement of authorization rules, or due to masquerade, theft, or other illegal means [184, 70].

• Man-in-the-middle – any compromised equipment that allows adversaries to read, modify and send incorrect data [72, 136].

• Resource exhaustion – industrial equipment is intentionally or unintentionally overloaded and thus cannot perform its functions correctly, or access is denied due to an expired certificate [116].

• Replay – an authenticated control command is copied when it is sent by an operator to a field device. At some later time, this presumably authenticated but copied command is sent again, thus causing an undesired action at that time [89, 24].

Although all of the listed threats are critical, the main objective of the thesis is to address some of them, including the bypass of access control, authorization violation, and man-in-the-middle, since these types of threats are the most common, as mentioned in reports provided by Waterfall Security Solutions [12] and the German Federal Office for Information Security [74].

Insufficient Cybersecurity Situational Awareness

In fact, the lack of awareness of cyberattacks and potential threats is one of the major problems in securing industrial systems. According to [110], the lack of training and security awareness among employees is still one of the main factors that affect a system's security. Training of employees can improve security awareness regarding possible problems related to the ICS and its components. However, personnel training by itself cannot improve situational awareness regarding emerging threats and vulnerabilities. Furthermore, the threat landscape changes, resulting in new and more complex cyber incidents, which at the same time need to be addressed immediately.

One of the possible solutions is to exchange information about potential threats and relevant countermeasure strategies using different platforms and tools [131]. Although sharing CTI can be beneficial in protecting industrial systems, information sharing itself poses an issue for sensitive data protection [6], and may also reflect negatively on an organization's brand. Organizations are not willing to share information about cyberattacks that have occurred, due to their uncertainty as to whether CTI sharing may expose sensitive data (e.g., system information, exploited vulnerabilities, personnel data) to third parties [138]. Existing approaches allow organizations to share CTI with other entities that they trust. However, in order to share CTI with third parties, and thus increase its distribution, organizations have to define restrictions as well as the operations that might be required to protect sensitive data. Hence, an approach for defining data-sharing and anonymization policies between data consumer and data producer is required. The approach should allow entities to define restrictions for CTI sharing as well as the necessary set of operations to be enforced on a CTI record before sharing it.

Limitations of Access Control model used in ICS

Controlling the access to and usage of industrial systems is still an issue. Although existing approaches and standards used in ICS security provide secure communication, authentication, and authorization mechanisms, the lack of granularity over the control of the usage of industrial services still remains. In fact, as aforementioned, the RBAC model has been implemented in OPC-UA as part of its security model. However, in general, RBAC is not flexible enough to specify context information. Moreover, with the growing number of devices used to control ICSs remotely over the Internet, context information such as geolocation, the type of network, and the risk associated with an entity requesting access has to be considered, since it can affect decision making. One of the popular examples of the limitations of traditional access control is the Stuxnet attack against Siemens' PLCs, which was carried out by an adversary impersonating a legitimate user despite the implemented access control mechanisms. Moreover, multiple analyses of cyberattacks on the power grid [159, 31] have shown that ICSs are vulnerable when adversaries use legitimate credentials gained in the system, and thus, acting as authorized users, were able to push malware variants to devices. Hence, decision making should be based on the attributes of an entity requesting access to a particular resource, still considering context information (e.g., time, number of entities simultaneously accessing the same resource), rather than on the role of the entity.

The advantages of using the Attribute-Based Access Control (ABAC) model have recently been shown in [179, 181]. The first work proposes an application of the ABAC model to ICSs to address present and future ICS access control challenges. The second work proposes an enhancement of the existing OPC-UA standard by introducing the ABAC model. Although a security structure with ABAC provides additional security advantages, the ABAC model lacks control over the mutability of attribute values. Thus, the introduced approach does not support access revocation due to context information described through attributes. However, access revocation is crucial when the execution of an action requested by an authorized user may result in system failures.

Limitations of Access and Usage Control Models

Although UCON provides a more advanced approach compared with traditional access control models, since it allows defining fine-grained policies and enforces the decision during the whole session, limitations regarding the dynamicity of security policies remain. Existing implementations of traditional access control and UCON models were realized under the assumption that all entities (e.g., subjects, objects) are trustworthy. Hence, the UCON mechanism necessarily builds upon existing trust relationships between entities. In fact, trust might be considered as an additional attribute of the entity that requests access. However, if the attribute value associated with the trust of the entity does not exceed the value specified in the policy and the other required attributes satisfy the policy, then a system with the UCON model will permit the access. In this case, an adversary may initiate an attack while impersonating authorized entities.

Moreover, since adversaries continuously improve their knowledge and experience in cyberattacks, access and usage control policies must rely on information about potential cyber threats and attacks. Obviously, the time required to compromise a system directly depends on multiple factors, including the adversaries' skill level [109, 173]. Meanwhile, the time required to compromise a system may decrease if adversaries are familiar with the ICS and its components, i.e., an insider threat, and thus know existing vulnerabilities [177, 115]. Moreover, an organization's employees can act maliciously, either by supplying adversaries with confidential data or by directly executing an attack. Hence, considering the high dynamicity of current ecosystems, with a continuously rising number of new cyber threats and cyberattacks that are becoming more complex, updating security services, including access and usage control policies, is an essential process, since it may reduce the probability of a system being compromised [48]. However, existing approaches [57, 22, 183] are lacking in the automation of access and usage control policy updates according to CTI shared by organizations and communities. This is especially required for addressing cyber incidents in real time. Hence, an approach that defines the intercorrelations between CTI components and security policy elements is required in order to design a system for updating security policies within the ICS ecosystem.

1.3 Summary of contributions

The main objective of the thesis is to address the problems pointed out in the previous sections and to propose a novel, reliable and flexible authorization framework with an integrated UCON paradigm that uses fine-grained security policies enhanced with CTI records protected and shared by third parties. The framework should achieve the following goals:

• protect sensitive information while sharing and analyzing CTI records through the enforcement of privacy-preserving actions defined by data owners;

• enable continuous enforcement of security policies and provide control over data usage;

• enhance security policies through their continuous update according to CTI records shared within the community.

In the following, the contributions of the thesis are described in more detail.

Cyber-Threat Intelligence sensitive data protection

Organizations that produce and share CTI records with third parties should be able to define the distribution of those records and, if necessary, the actions to be enforced in order to protect sensitive data from potential abuse. Since CTI is produced automatically by various tools, and its exchange should be as timely as possible [76], the enforcement of privacy-preserving techniques should be done in the same way, so as to guarantee the "freshness" of CTI. In this case, it will allow users to gain maximum utility from such CTI records.

Therefore, we propose an approach that allows organizations to define sharing and anonymization policies in the form of a human-readable Data-Sharing Agreement (DSA) to be applied to the CTI record. We provide an extension to one of the widely used standards for the representation and exchange of CTI. The extension allows organizations to describe information about both the producer and the data consumer, to specify the types of attributes to which privacy-preserving operations, called Data Manipulation Operations (DMO), should be enforced, as well as other relevant metadata, including the period during which the DSA is in effect. Additionally, we propose a system for managing DSAs and enforcing them on the specified CTI records. The proposed system can either be integrated into a platform to manage CTI sharing, or used as an independent tool to create DSAs and enforce anonymization functions on CTI records before sharing them with other entities.

Security Mechanism for Continuous Control on Data Usage

Access and usage of the ICS and its elements should be realized through a system that provides continuous enforcement of security policies. Therefore, we propose a novel model for controlling data usage and, if necessary, revoking previously granted access and terminating resource usage. The proposed model is based on the UCON model presented by R. Sandhu and J. Park and exploits the advantages of the OPC-UA standard used in Industry 4.0. The UCON model enhances the security of the OPC-UA framework through the enforcement of security policies during all phases of data usage, and allows revoking access if any security policy violation occurs. The UCON model covers scenarios where continuity of control is required and attribute values are mutable. The access decision in UCON is based on the evaluation of authorization and condition predicates. Furthermore, a further advantage of the UCON model is that it considers the update of attribute values as a result of policy enforcement. This thesis presents the Usage Control for OPC-UA (OPC-UCON) model and its implementation in a virtual environment. It also provides a set of experiments, which confirm the feasibility and efficiency of the proposed approach. Since the system architecture that implements the proposed model relies on the communication standard used in Industry 4.0, the proposed approach can potentially be integrated into existing ICS to provide new features and improve overall security.

Continuous Security Policy updates

Access and data usage control management requires fine-grained and up-to-date security policies. Apart from defining all entities through sets of corresponding attributes, context information, including time, IP address ranges, geolocation of the device, the system's functional capacity, etc., is required as well. However, current approaches for updating security policies require policymakers to come into play and update policies manually, thus increasing the time required compared to an automated process.

To automate the process of access control policy update, we propose an approach that relies on collaborative CTI shared by organizations. Since any CTI record normally contains different Indicators of Compromise (IoC), including the IP address of the device, the time window when the malicious event occurred, as well as the number of its observations in the system or network, this information may be useful in updating access control policies. Furthermore, CTI records may also include a textual description of the countermeasures required to prevent the system from being compromised by the corresponding attack. Therefore, the proposed approach exploits the advantages of Natural Language Processing (NLP) to extract a sequence of action names and enforce them within the cloud environment as a part of Industry 4.0.

Furthermore, we adapted our approach for UCON policy updates within the industrial ecosystem. Together with the proposed OPC-UCON model, the approach aims at improving security by updating security policies using CTI records reported in a structured way.

1.3.1 List of Publications

The following is a list of publications produced during my PhD studies. The first part of the list enumerates the publications used to write this thesis:

• F. Martinelli, O. Osliak, and A. Saracino. Towards general scheme for data sharing agreements empowering privacy-preserving data analysis of structured CTI. In Computer Security, pp. 192-212. Springer, Cham, 2018.

• O. Osliak, A. Saracino, and F. Martinelli. A scheme for the sticky policy representation supporting secure cyber-threat intelligence analysis and sharing. Information & Computer Security Journal (2019).

• F. Martinelli, O. Osliak, P. Mori, and A. Saracino. Improving security in industry 4.0 by extending OPC-UA with usage control. In Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1-10. 2020.

• O. Osliak, A. Saracino, F. Martinelli, and T. Dimitrakos. Towards Collaborative Cyber Threat Intelligence for Security Management. Accepted in Information Systems Security and Privacy, Springer, 2021.

• F. Martinelli, O. Osliak, and A. Saracino. Usage Control Policies update using Collaborative Cyber-Threat Intelligence. To be submitted to Computers & Security, 2021.

• F. Martinelli, C. Michailidou, O. Osliak, A. Rosetti, A. La Marra, and T. Dimitrakos. A Comparison Among Policy Editors for Attribute Based Access Control Model. In International Workshop on Emerging Technologies for Authorization and Authentication, pp. 108-123. Springer, Cham, 2020.

The second part lists papers not included in the thesis:

• G. Baldi, Y. Diaz, T. Dimitrakos, F. Martinelli, C. Michailidou, P. Mori, O. Osliak, and A. Saracino. Session-dependent Usage Control for Big Data. In Journal of Internet Services and Information Security (JISIS), volume 10, number 3, pp. 76-92, 2020.

1.4 Structure of the thesis

Each chapter of the thesis corresponds to a specific contribution listed in the previous section. The complete structure of this thesis is the following:

Chapter 2 provides fundamental background information on the access control models existing in Industry 4.0 as well as on security policy languages. Moreover, it outlines the UCON model and describes the Usage Control System (UCS), its components and existing policy languages. Furthermore, Chapter 2 provides information regarding the approaches used for Cyber-Threat Intelligence sharing and analysis.

Chapter 3 provides an approach for preserving sensitive information stored in CTI records. It also describes the proposed anonymization mechanism that allows entities to define security constraints for regulating the CTI sharing process.

Chapter 4 presents the proposed UCON model for ICS. It describes the OPC-UCON formal model, its components and implementation together with the relevant security policies and evaluation results.

Chapter 5 proposes an approach for managing security policies using collaborative knowledge in cybersecurity. In particular, it describes the correlation between security policies and CTI records by using an ontology for cybersecurity. The architecture of the framework for managing security in the cloud environment is presented together with the evaluation results.

Chapter 6 presents the proposed framework for managing security in Industry 4.0. The framework uses collaborative knowledge in cybersecurity, in the form of structured CTI records, to update the UCON policies of the OPC-UCON model.

Finally, Chapter 7 briefly recalls the results and achievements of the thesis, and highlights future investigations in the considered research area.


Chapter 2

Background and State of the Art

This chapter provides background information about traditional access control models and the UCON [126, 148, 98, 127] model proposed by R. Sandhu and J. Park. Furthermore, this chapter surveys existing solutions for data exchange used in Industry 4.0, also discussing widely used approaches for CTI management, representation, and sharing.

The chapter is divided into the following sections. Section 2.1 provides an overview of Industry 4.0 and the associated technologies. Section 2.2 overviews the most popular approaches for data exchange in Industry 4.0, also discussing their security solutions. Section 2.3 describes well-known and widely used access control models. Section 2.3.4 describes the UCON model, a policy language, as well as the available Usage Control System (UCS). Information regarding CTI approaches for sharing, storing, and analysis is reported in Section 2.4.

2.1 Fourth Industrial Revolution - Industry 4.0

The mechanized and automated transformation of materials into finished goods is a key element of a country's economy [141]. Since the beginning of industrialization, technological leaps have resulted in several shifts known as industrial revolutions. The first industrial revolution occurred in the period between the 1760s and 1840s, caused by the construction of railroads and the invention of the steam engine, while in the late 1890s the second industrial revolution led to the possibility of mass production, caused by the advent of electricity. Finally, the third revolution, also called digital due to the development of semiconductors, mainframe and personal computing, as well as the Internet, began in the 1960s [156].

The vision of future manufacturing and production processes considered the modularity and efficiency of industrial systems in order to realize the manufacturing of individual products while, at the same time, maintaining the economic conditions for mass production. Hence, driven by these future expectations, the term "Industry 4.0" was coined for a planned fourth industrial revolution. Thus, in 2011 the term "Industry 4.0" was named after Germany's "Industrie 4.0" industrial plan [81]. However, other countries defined Industry 4.0 using different names. Thus, in the United States there are "Industrial Internet of Things" or "Advanced Manufacturing", while the European Commission and the United Kingdom use "Factories of the Future" and "Future of Manufacturing" respectively. Additionally, researchers provided their own definitions of Industry 4.0. However, to the best of our knowledge, Hermann et al. [69] presented one of the best definitions of Industry 4.0. They described Industry 4.0 as a term for the collected technologies of value chain organizations, and Industry 4.0 components are categorized as Cyber-Physical Systems (CPS), the Internet of Things (IoT), the Internet of Services and the Smart Factory.

Figure 2.1: Industrial Revolutions

According to several studies, including [95, 100, 180], the success of Industry 4.0 depends on two key factors, which are integration and interoperability. Thus, the integration of industrial automation systems, including CPS and Cyber-Physical Production Systems (CPPS), results in greater and more innovative features through networking with stakeholders. Moreover, this factor helps organizations in the creation of connections between the cyber and physical worlds. On the other hand, interoperability facilitates industrial processes, allowing entities to interconnect systems and exchange knowledge and experience. Finally, according to [20], the Industry 4.0 factory could result in a decrease of production costs by 10-30%, logistic costs by 10-30%, and quality management costs by 10-20%.

Key Pillars of Industry 4.0

Industry 4.0 occurs when a vast number of components form systems that widely use Internet communication technologies, and thus constitute smart factories. In particular, Industry 4.0 uses groups of technologies categorized into 10 pillars. The Boston Consulting Group [143] provided a study of Industry 4.0 which defines 9 pillars, while other works like [87] and [175] added a new category that includes a number of innovations, however with limited application domains. Figure 2.2 depicts the 10 technologies proposed by Saturno et al. [152] needed to fully implement Industry 4.0. In the following, we provide a description of the technologies that form the vision of Industry 4.0.

Figure 2.2: Technological Pillars of Industry 4.0

• Cloud Computing allows storing and analyzing the large amounts of labeled data generated during production processes. Moreover, it reduces investment in technological resources, allowing storage space and processing capacity to be contracted on demand [167], hence providing flexibility, agility, and adaptability. There are three models of cloud computing. The Software as a Service (SaaS) model provides access depending on the customer's purchase. The Platform as a Service (PaaS) model defines whether customers are allowed to access their applications on the cloud. Finally, the Infrastructure as a Service (IaaS) model offers basic activities, including storage capabilities.

• Mobile Technologies are being increasingly considered for adoption within Industry 4.0 in order to provide engineers and personnel with ubiquitous access to system and control functions [16].

• Machine-to-Machine communication plays a key role in enabling Industry 4.0 systems and technologies. ICSs are real-time complex systems that consist of various elements using different communication protocols. The interoperability of those protocols is one of the crucial requirements that must be satisfied in order to allow systems to communicate with each other regardless of their geolocation and with minimum delays.

• 3D Printing is used to produce specific and highly personalized products that require precise design. Together with additive manufacturing, 3D Printing technologies allow constructing and testing prototypes with new materials, while the finished products are used by customers.

• Advanced Robotics is used in production in order to solve complex tasks which cannot be solved by a human. Moreover, robots are widely used in environments that are harmful for humans. Industrial robotics modernizes most existing production lines and the corresponding work methodologies [137]. Advanced Robotics ranges from additive manufacturing to inspection, security and maintenance of plants [187, 10].

• Big Data Analytics allows processing the enormous volume of information generated in the Industry 4.0 ecosystem. Techniques such as advanced, historical, predictive, and descriptive analysis make it possible to evaluate the state and functionality of industrial machines [185]. Data analysis for predictive maintenance improves efficiency and reduces costs.

• Internet of Things: all IoT objects share strict requirements in terms of power consumption. Wireless Sensor Networks (WSNs) are nowadays widely used in ICS to provide communication between wireless sensors, actuators and other components [135]. In Industry 4.0, the IoT is probably the key pillar technology used to connect various devices to the Internet, thus providing more data interoperability methods [102].

• Simulation allows organizations to reproduce business and production processes in order to analyze inputs and outputs in real time without interrupting manufacturing processes.

• Cognitive Computing, together with big data, is one of the major advantages in business decision making. Cognitive Computing is used to reproduce human skills through building artificial models and computational algorithms. This combination is deployed for handling human tasks and transferring human decision-making processes to intelligent systems to enhance automation capabilities [85, 13].

• Cybersecurity plays a key role in the Industry 4.0 since data is transmitted digitally. Traditionally, in IT systems, cybersecurity is based on three core pillars: confidentiality, availability and integrity [25].

2.2 Data communication in Industry 4.0

As discussed in the previous section, Industry 4.0 merges multiple technologies. Thus, such an implementation increases the need for data exchange between all components, also supporting the integration of different systems. Industry 4.0 includes a middleware level that enables system developers to establish and manage communication between various devices and systems by introducing an intermediate layer that provides a high-level Application Programming Interface (API) with an abstraction of the low-level details. Several approaches use such a layer: OPC-UA includes one, IoT@Work [66] uses the Advanced Message Queuing Protocol (AMQP) [164] middleware system, and the ISA100.15 [112] architecture includes a middleware level without specifying the middleware system used. Moreover, according to the research presented in [172], other protocols, including the Constrained Application Protocol (CoAP) [160], the Extensible Messaging and Presence Protocol (XMPP) [144] and the previously mentioned AMQP, are the most widely used approaches in the area of IoT. However, this is not the case for Industry 4.0, where OPC-UA, the Data Distribution Service (DDS), the Robot Operating System (ROS), and Message Queue Telemetry Transport (MQTT) are the commonly used solutions.


2.2.1 OPC Unified Architecture - OPC UA

Introduced by the OPC Foundation in 2006, OPC-UA is the current technology and the de facto standard in industrial automation used for the secure, reliable, and interoperable transport of raw data and preprocessed information [101]. In practice, organizations do not change the technologies that they use, since it is not a trivial task, especially in the industrial sector. Even though organizations use the older version of OPC, i.e., OPC Data Access (OPC-DA), they consider the adaptation of new technologies rather than a complete system reinstallation. The OPC-UA approach allows such integration without the need for a complete system reinstallation [68].

Figure 2.3: OPC UA Architecture

The architecture of OPC-UA, based on the OPC-UA Client and Server as interacting entities whose applications use the corresponding APIs to exchange data, is shown in Figure 2.3. The API of OPC-UA is an internal interface that separates the Client/Server application code from the OPC-UA Communication Stack, which converts calls into Messages and sends them through the communication entity. In OPC-UA, an implementation of the communication stack does not require a specific technology, thus allowing the use of future technologies based on the existing design. Meanwhile, the communication stack of OPC-UA supports two transport methods: an efficient low-level method based on TCP/IP and called tcp.opc (i.e., UA Transmission Control Protocol (TCP)), and the ubiquitous Simple Object Access Protocol (SOAP) Web services over the Hypertext Transfer Protocol (HTTP). In addition, the OPC-UA communication stack supports UA Binary and XML/SOAP as two methods for encoding messages. Consequently, OPC-UA uses UA Binary since it is small on the wire and thus requires less processing overhead compared to XML/SOAP encoding. On the other hand, the XML/SOAP encoding allows a wide variety of applications to consume OPC-UA messages. The OPC-UA server uses the AddressSpace [54], which provides a standard way of representing objects. In the OPC-UA information model [56], the AddressSpace is a collection of nodes, each representing a real object, its definition and its relationships with other objects. Depending on the class, each node has a different number of attributes, which may be mandatory (e.g., NodeID) or optional (e.g., Description), while relationships are realized by references, which have no attributes but instead have different reference types.

Figure 2.4: OPC UA Security Model

The security of ICS was underestimated under the assumption that it should be handled by operating systems [26]. As a result, after being connected to the Internet, ICS were vulnerable to numerous cyberattacks [114]. Therefore, OPC-UA security is realized at the application and communication layers [53], as shown in Figure 2.4. While the application layer deals with the authentication and authorization of a user, the communication layer provides a secure channel, thus allowing the application layer to pass data from the client to the server, still considering application authentication, confidentiality, and integrity. In particular, user authentication is implemented through a username and password, or an X.509v3 [73] certificate, while for authorization, and thus for accessing certain services [55], OPC-UA relies on the RBAC model [53, 18, 170], which, as mentioned before, has disadvantages compared to other models.

2.2.2 Message Queuing Telemetry Transport Protocol - MQTT

The MQTT protocol was initially developed by IBM in cooperation with Arcom back in 1999. It is a lightweight messaging protocol designed for constrained devices with low bandwidth, high latency, and unreliable networks. MQTT is entirely based on the publish/subscribe model, where the main element is a broker that holds data of the communication partners, i.e., the subscribers. The MQTT protocol provides three levels of Quality of Service (QoS) for message delivery, depending on the criticality of the application [35]. The comparison of OPC-UA and MQTT regarding data exchange performance provided in [133] showed that OPC-UA performance is higher than that of MQTT in round-trip time package delivery. This drawback of MQTT is caused by the User Datagram Protocol (UDP) [132] connections, while OPC-UA uses a direct TCP connection between nodes. Another study has shown that the OPC-UA standard achieved better performance than MQTT since its protocol design is better adapted to cyclic data exchange [43].

Figure 2.5: MQTT publish/subscribe

However, the MQTT protocol is considered a standard in the IoT ecosystem, and it primarily targets data exchange without offering any other features.

Although works towards enhancing MQTT security have been proposed [92, 93], it still requires integration into ICS. On the contrary, OPC-UA was designed with a focus on the industrial sector, also providing other features, including data modeling, address space, alarm and event management, variable history, access control, etc. Furthermore, MQTT relies on the usage of additional tools to define the data types sent between devices, message sequences, and historical data services.

2.2.3 Data Distribution Service - DDS

In 2004, the Object Management Group (OMG) introduced the DDS [62] standard, which defines a data-centric publish/subscribe middleware [46] for highly dynamic distributed systems. It uses a Global Data Space (GDS) in order to identify data circulating in the system. DDS realizes a backbone for QoS-enabled data dissemination in a timely and reliable way. It provides interoperability with guaranteed QoS through standard language-independent interfaces and transport protocols. Transport protocols allow applications based on DDS to dynamically interconnect and define QoS policies aimed at negotiating the QoS levels for information delivery, reception, and local processing. Since DDS defines the publish/subscribe model, the data producers and data consumers are called Publishers and Subscribers, which automatically discover and match each other if they have a common topic, as shown in Figure 2.6. Thus, each publisher sends data into the common GDS, while DDS disseminates the data to subscribers, which make this data available to applications.

Figure 2.6: DDS distributed architecture

Although the DDS overlay is decentralized and implements a peer-to-peer model that does not require any centralized broker, thus granting high reliability, DDS data security is comparable neither with the OPC-UA nor with the MQTT approaches, since it supports only Public Key Infrastructure (PKI) authentication. It is worth mentioning that some works proposed the adaptation of security [21]; however, the lack of control on data usage over time remains an unsolved issue.

2.3 Access and Usage Control Models

Access control is a security mechanism used to ensure that only trusted principals are granted access to a resource [4]. Another definition, given in [161], defines access control as "a process by which the use of resources is regulated according to a security policy and is permitted only by authorized users, programs, processes, or other systems according to that policy". In practice, access control models rely on and are accompanied by other security mechanisms in a computer environment [151], including an authorization database, auditing systems, etc. Access control is enforced by a component known as a reference monitor, which mediates every subject's access attempt to objects in the ecosystem. This component communicates with the authorization database that includes the security policies, in order to determine whether the user attempting to perform the operation is authorized to perform it.

Starting from Lampson's matrix [94], introduced in the late 1960s, many access control models have been proposed. However, in practice only DAC [151], MAC [149] and RBAC [51, 150] achieved success. Meanwhile, those traditional access control models [145] check whether subjects hold the proper rights before granting them access to the requested objects. In fact, other access control approaches provided by the Context Aware Access Control (CAAC) [188], Task-Based Access Control (TBAC) [169] and Risk-Adaptable Access Control (RAdAC) [49] models are also used in security administration. However, both RBAC and ABAC are currently the most widely used approaches.

2.3.1 Role-Based Access Control

Security administration in organizations with a large number of employees is a complex process that requires security specialists to define specific access rights for different users. Security administrators widely use the approach provided by the RBAC model in order to simplify this process, since various users may be assigned to the same role, and thus have different privileges. Hence, the most important concept in the RBAC model is the role, which is a grouping mechanism used to categorize subjects based on various properties [77]. The role may arise from the hierarchy of the organization, while each employee, i.e., subject, may be assigned to one or multiple roles, thus having different access privileges [39]. Moreover, RBAC considers the usage of groups, privilege groupings [18, 170], and the separation of duty concept [36, 147, 28].

Several extensions to RBAC combining attributes and roles have been proposed. Thus, some works define parameterized privileges for restricting access to a subset of objects [60, 5, 47], while other works proposed to consider object-sensitive roles [52] and attributed roles [155].

Despite its benefits and advantages compared to other traditional access control approaches [117], the RBAC model has limitations regarding contextual information, ranging from time and location up to environment-specific conditions like temperature, pressure, the amount of money available on the user's credit card, etc. To overcome the limitations existing in the RBAC model, a new approach, known as ABAC, was introduced.

2.3.2 Attribute-Based Access Control

The ABAC model [122, 77, 71] became a promising approach for security administrators in defining access restrictions to resources in various infrastructures [65, 77, 91, 64]. This model is the result of an approach that encompasses the benefits of traditional access control models, including the aforementioned DAC, MAC, and RBAC, whilst surpassing their limitations. The literature provides several definitions of the ABAC model [178, 40, 186]. However, one of the most complete definitions, which covers all aspects of the ABAC model, is given by NIST, defining it as "an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions" [71].

Differently from the RBAC model, instead of relying on predefined roles, ABAC uses attributes to express identities, clearances, sensitivity and other properties of entities (e.g., users, subjects, objects) as well as of the operational environment (e.g., time, location, etc.). Hence, ABAC allows modeling policies while also considering context information that may affect decision making. The core components of ABAC are the following:

Attributes are characteristics used to define specific aspects of subjects, objects, or environment conditions. Every attribute is a property expressed as a name:value pair associated with an entity in the system.

A subject is an entity that requests to perform an operation upon the object. Attributes of subjects may describe their names, ID numbers, affiliation to an organization, location, IP addresses, etc.

An object is an information system-related entity that contains or receives information. It can be the resource entity (e.g., files, records, tables) as well as anything upon which a subject may request to execute an operation (e.g., applications, services, devices). Attributes of the object may describe its type, capacity, sensitivity, location, etc.

An operation, also sometimes referred to as an action, represents the execution of a function that the subject requests upon an object. Operations may vary from simple functions like read, write and delete up to the execution of specific processes.

A policy is a collection of rules that determine the set of permissible opera-tions, which a subject may execute on an object in predefined environment conditions.

Since the ABAC model relies on attributes describing entities, it avoids the need for direct assignment of explicit authorizations to individual subjects before any request to perform an operation on an object [71]. Furthermore, the ABAC model provides a flexible approach for large enterprises, where access control management is often a time-consuming and sophisticated process due to large Access Control Lists (ACLs) as well as the variety of roles and groups considered in security policies.

A typical Access Control Mechanism (ACM) includes multiple functional elements, as shown in Figure 2.7, better known as points [71]. These points are designed to handle specific operations, including retrieval and management of security policies, access request evaluation, and attribute retrieval and assessment. Each functional point of the ACM is defined as follows:

Figure 2.7: Access Control Mechanism

• Policy Decision Point (PDP) - a component of the ACM that computes the access decision;

• Policy Enforcement Point (PEP) - a component, which either gives or denies access to the resource;

• Policy Information Point (PIP) - a component that enables the ACM to retrieve attributes or other data required for the policy evaluation;

• Policy Administration Point (PAP) - a component that serves as a user interface that allows creating and managing security policies.

Depending on the security needs, the size of an organization, and the application of the ACM, its implementation may have multiple elements with the same functionalities. However, the main objective will remain unaltered.
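To make the division of labour between the four points concrete, the following is an added example (it is not code from the thesis or from any of the cited works) that wires a toy ACM together in Python. The subjects, objects, attribute values, the sensitivity scale and the two rules are all constructed for illustration; the architectural point it shows is that only the PEP touches the resource, only the PDP computes a decision, the PIP is the sole source of attributes, and the PAP is where rules are managed.

```python
"""Added example (not from the thesis): a toy ACM wired from the four
functional points described above. Entities, attribute values and rules are
constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, object]                       # name:value pairs
Predicate = Callable[[Attributes, Attributes, Attributes], bool]


@dataclass
class Rule:
    effect: str          # "Permit" or "Deny"
    operation: str       # operation the rule governs, e.g. "read"
    applies: Predicate   # condition over subject, object, environment attributes


class PolicyAdministrationPoint:
    """PAP: the interface through which rules are created and managed."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)


class PolicyInformationPoint:
    """PIP: retrieves the attributes the PDP needs from their stores."""
    def __init__(self, subjects: Dict[str, Attributes], objects: Dict[str, Attributes],
                 environment: Callable[[], Attributes]) -> None:
        self.subjects, self.objects, self.environment = subjects, objects, environment

    def gather(self, subject_id: str, object_id: str):
        # An unknown subject simply has no attributes; the rules then cannot permit it.
        return (self.subjects.get(subject_id, {}), self.objects.get(object_id, {}),
                self.environment())


class PolicyDecisionPoint:
    """PDP: computes the decision. Deny overrides Permit, and a request that
    matches no rule at all is denied (default deny)."""
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self.pap, self.pip = pap, pip

    def decide(self, subject_id: str, operation: str, object_id: str) -> str:
        s, o, e = self.pip.gather(subject_id, object_id)
        decision = "Deny"
        for rule in self.pap.rules:
            if rule.operation == operation and rule.applies(s, o, e):
                if rule.effect == "Deny":
                    return "Deny"
                decision = "Permit"
        return decision


class PolicyEnforcementPoint:
    """PEP: the only component that hands out (or withholds) the resource."""
    def __init__(self, pdp: PolicyDecisionPoint, store: Dict[str, str]) -> None:
        self.pdp, self.store = pdp, store

    def read(self, subject_id: str, object_id: str) -> Optional[str]:
        if self.pdp.decide(subject_id, "read", object_id) == "Permit":
            return self.store[object_id]
        return None   # refused: the PEP never reaches into the store


LEVEL = {"public": 0, "internal": 1, "secret": 2}   # constructed sensitivity scale


def build_demo_acm(hour_of_day: int) -> PolicyEnforcementPoint:
    """Wire the points together with constructed subjects, objects and rules."""
    subjects = {"alice": {"clearance": "secret", "org": "plant-a", "locked": False},
                "bob":   {"clearance": "internal", "org": "plant-a", "locked": False},
                "carol": {"clearance": "secret", "org": "plant-a", "locked": True}}
    objects = {"incident-report": {"sensitivity": "secret", "owner_org": "plant-a"}}
    store = {"incident-report": "PLC firmware tampering observed on line 3"}

    pap = PolicyAdministrationPoint()
    # Permit: clearance covers the object's sensitivity, same organisation,
    # and the request arrives inside working hours (an environment condition).
    pap.add_rule(Rule("Permit", "read", lambda s, o, e:
                      LEVEL.get(s.get("clearance"), -1) >= LEVEL[o["sensitivity"]]
                      and s.get("org") == o["owner_org"] and 8 <= e["hour"] < 18))
    # Deny: a locked account never reads, whatever the other attributes say.
    pap.add_rule(Rule("Deny", "read", lambda s, o, e: bool(s.get("locked", False))))

    pip = PolicyInformationPoint(subjects, objects, lambda: {"hour": hour_of_day})
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip), store)
```

Running `build_demo_acm(10).read("alice", "incident-report")` returns the report, while the same call for "bob" (clearance too low), "carol" (locked account, Deny overrides the Permit rule), an unknown subject, or a request at 22:00 (environment condition fails) returns `None`; an operation no rule covers, such as "write", is denied by default.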

2.3.3 Existing Policy Languages

Since security policies are a set of rules that regulate access to organizations' resources, defining those policies is a crucial process, which requires considering all aspects that may affect the security of assets. Those aspects, known as conditions, may concern specific characteristics of a subject, object, or the operational environment, in which the subject requests execution of a predefined operation. Organizations may use different available languages in order to determine access control policies, also specifying conditions upon which access is granted to authorized entities.


According to a survey presented in [83], there are several languages used to define security policies while satisfying security and privacy requirements. The majority of these languages, including the well-known eXtensible Access Control Markup Language (XACML) [11], XML Access Control Language (XACL) [90], and Adaptable and Programmable Policy Environment and Language (APPEL) [171], are based on the Extensible Markup Language (XML) scheme, whilst others, like AIR Web Rule Language (AIR) [86], Contract Specification Language (ConSpec) [7], and Jeeves [182], do not follow the XML scheme. Moreover, the presented languages were designed for different scopes (e.g., access control, authentication, agreements, etc.), thus it is difficult to categorize them by only one category. Although XACML, Ponder [42] and Rei [80] are highly expressive approaches designed with natural language expressiveness in mind, nowadays XACML is considered the standard for representing security policies, since it supports capturing and evaluating a multiplicity of conditions within the policy rules. Figure 2.8 depicts the XACML policy language model.

Figure 2.8: XACML Language Model

The XACML policy language consists of three core elements: policy sets, policies, and rules. A policy set can contain multiple policy elements and policy sets, while policy elements may include multiple rules. In XACML, rule elements define the desired effect, either Permit or Deny. Moreover, every rule element, apart from the effect, may contain the following components:

• a target defines the set of requests to which the corresponding rule is applied as a logical expression of attributes in the request.

• conditions define a set of decision factors, which represent a Boolean expression refining the applicability of the rule.

• obligation expressions represent a set of requirements, which a subject has to fulfill once the access is granted.

In fact, the official documentation of the XACML standard also defines advice expressions, which may be specified by the policy author; in practice, however, those elements are not commonly used.
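The rule components just listed (target, condition, effect, obligation expressions) and the Permit/Deny effects are easiest to see in an actual policy document. The following is an added example, not taken from the thesis or from the XACML specification text: a reduced XACML 3.0 policy embedded as a string, together with a small Python PDP that evaluates it under the deny-overrides rule-combining algorithm. The element names and the function and category URIs are those of the XACML 3.0 core schema; the attribute ids "clearance", "sensitivity" and "locked", the policy, rule and obligation ids, and the request contents are constructed for this example, and the evaluator implements only the two functions the policy uses.

```python
"""Added example (not from the thesis): a reduced XACML 3.0 policy and a small
PDP that evaluates it. Element names and function URIs follow the XACML 3.0 core
schema; the attribute ids "clearance", "sensitivity" and "locked", the rule ids
and the obligation id are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ONE = "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"

POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="cti-report-policy" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="permit-cleared-read" Effect="Permit">
  <Target><AnyOf><AllOf>  <!-- target: the rule applies to "read" requests only -->
   <Match MatchId="{EQ}"><AttributeValue DataType="{STR}">read</AttributeValue>
    <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STR}" MustBePresent="true"/>
   </Match></AllOf></AnyOf></Target>
  <Condition>  <!-- condition: the subject's clearance equals the resource's sensitivity -->
   <Apply FunctionId="{EQ}">
    <Apply FunctionId="{ONE}"><AttributeDesignator Category="{SUBJECT}" AttributeId="clearance" DataType="{STR}" MustBePresent="true"/></Apply>
    <Apply FunctionId="{ONE}"><AttributeDesignator Category="{RESOURCE}" AttributeId="sensitivity" DataType="{STR}" MustBePresent="true"/></Apply>
   </Apply>
  </Condition>
  <ObligationExpressions>  <!-- obligation: the PEP must fulfil it when it grants access -->
   <ObligationExpression ObligationId="log-access" FulfillOn="Permit"/>
  </ObligationExpressions>
 </Rule>
 <Rule RuleId="deny-locked-subject" Effect="Deny">  <!-- deny overrides any Permit above -->
  <Target><AnyOf><AllOf>
   <Match MatchId="{EQ}"><AttributeValue DataType="{STR}">true</AttributeValue>
    <AttributeDesignator Category="{SUBJECT}" AttributeId="locked" DataType="{STR}" MustBePresent="false"/>
   </Match></AllOf></AnyOf></Target>
 </Rule>
</Policy>"""


def _eval(expr, request):
    """Evaluate an expression: a literal, a bag (list) from a designator, or an Apply."""
    tag = expr.tag.split("}")[1]
    if tag == "AttributeValue":
        return expr.text
    if tag == "AttributeDesignator":
        bag = request.get(expr.get("Category"), {}).get(expr.get("AttributeId"), [])
        if not bag and expr.get("MustBePresent") == "true":
            raise LookupError(expr.get("AttributeId"))      # -> Indeterminate
        return bag
    fid = expr.get("FunctionId")                            # tag == "Apply"
    args = [_eval(child, request) for child in expr]
    if fid == ONE:
        if len(args[0]) != 1:
            raise LookupError("bag must hold exactly one value")
        return args[0][0]
    if fid == EQ:
        return args[0] == args[1]
    raise NotImplementedError(fid)   # only the functions this example needs


def _target_matches(target, request) -> bool:
    """Empty target matches all; AnyOf is a disjunction of AllOf conjunctions,
    and each Match (string-equal only here) holds if the literal is in the bag."""
    if target is None or len(target) == 0:
        return True
    return all(any(all(_eval(m[0], request) in _eval(m[1], request)
                       for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def evaluate_policy(policy_xml: str, request: dict):
    """Deny-overrides PDP: returns (decision, obligation ids the PEP must fulfil)."""
    decision, obligations = "NotApplicable", []
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        try:
            if not _target_matches(rule.find("x:Target", NS), request):
                continue
            cond = rule.find("x:Condition", NS)
            if cond is not None and not _eval(cond[0], request):
                continue
        except LookupError:                 # a required attribute is missing
            return "Indeterminate", []
        effect = rule.get("Effect")
        obs = [o.get("ObligationId") for o in
               rule.findall("x:ObligationExpressions/x:ObligationExpression", NS)
               if o.get("FulfillOn") == effect]
        if effect == "Deny":
            return "Deny", obs
        decision, obligations = "Permit", obligations + obs
    return decision, obligations


def request(action, clearance=None, sensitivity="secret", locked=None) -> dict:
    """Constructed request context: {category: {attribute-id: bag of values}}."""
    subj = {}
    if clearance is not None:
        subj["clearance"] = [clearance]
    if locked is not None:
        subj["locked"] = [locked]
    return {SUBJECT: subj, RESOURCE: {"sensitivity": [sensitivity]}, ACTION: {ACTION_ID: [action]}}
```

`evaluate_policy(POLICY_XML, request("read", clearance="secret"))` yields `("Permit", ["log-access"])`, so the PEP is told both the decision and the obligation it must discharge; a "write" request or a mismatched clearance falls outside the first rule and is `NotApplicable`; a locked subject is denied even though the Permit rule also matched; and a request missing the mandatory "clearance" attribute is `Indeterminate` rather than silently permitted.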

2.3.4 Usage Control - UCON

This section describes the usage control model proposed by R. Sandhu and J. Park, referred to as UCON. UCON enhances the traditional ABAC [122, 77, 71] model by providing continuity of control and also considering the mutability of attributes [127]. Hence, the values of attributes used for the decision-making process are mutable and can change in time. Furthermore, attribute value changes might trigger enforcement of the entire security policy, thus re-evaluating the request and possibly revoking previously granted access. Continuity of control means that access decisions are evaluated both before granting access and during the execution of access rights on a resource. Thus, if attribute values change while the access is in progress and the new values do not satisfy the security policy anymore, a system implementing the UCON paradigm revokes the granted access rights and terminates the usage of the resource.

Both in the ABAC and UCON models, attributes of the entity that requests access, of the resource, and of the environment are used to evaluate a request to access resources. Therefore, the UCON model has multiple components, which represent the resource (object) to be protected and the entities (subjects) that issue requests to access and execute some access rights on resources.

Subjects. A subject is an entity that requests access to a resource and executes granted access rights on requested resources [125]. In the UCON model, a subject is represented by a set of corresponding attributes, ATT(S), which may define the subject's characteristics, properties, and capabilities (e.g., ID, affiliation, role, location).

Objects. Objects represent resources that subjects can access or use. Depending on the application of the UCON model, objects can be of various types, starting from files and network sockets up to high-level services, low-level computational resources, etc. As for subjects, objects in UCON are characterized by a set of corresponding attributes, denoted as ATT(O), which may include the type, computational capability, assigned security label, etc.

Attributes. In addition to attributes of subjects and objects, the UCON model defines environmental attributes, denoted as ATT(E), which are system-central characteristics of the computational environment in which a subject and an object operate. The most common environmental attribute is the system time.

The main novelty of the UCON model is the mutability of attribute values. This aspect is also the backbone of the model, since changes of attribute values may affect previously taken access decisions, in the sense that a system with the UCON paradigm enabled will re-evaluate the request against security policies. Although the number and the type of attributes may differ depending on the application domain of the UCON model, there are only three main causes of changes in attribute values: attribute values may change by nature, as a result of the activities of subjects and objects, or as a result of the access itself.

Moreover, the UCON model specifies two main categories of attributes, mutable and immutable, e.g., time and the subject's ID respectively. As stated in [128], mutable attributes are categorized as follows:

• Exclusive/Inclusive attributes, which are used to resolve conflicts of interest, e.g., dynamic separation of duty;

• Consumable attributes, which are destroyed as the result of a security policy enforcement;

• Immediate revocation attributes, which terminate access if the attribute value changes to a certain number, e.g., time, amount of money available on the bank account;

• Obligation attributes, whose values change as the result of obligation actions fulfillment.
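The difference between a one-shot ABAC decision and UCON's continuity of control, together with the three causes of attribute change and the consumable, immediate-revocation and obligation attribute kinds listed above, can be traced in a small simulation. The following is an added example and not code from the thesis or from Park and Sandhu's work: a toy usage session in Python whose policy, attribute names and values (a clearance scale, a download quota, a maintenance window flag, a counter of reports read) are constructed for illustration.

```python
"""Added example (not from the thesis): a toy UCON session showing the
pre-decision, ongoing re-evaluation on attribute mutation, and revocation.
Attribute names, values and the policy itself are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

LEVEL = {"internal": 1, "confidential": 2, "secret": 3}   # constructed clearance scale


@dataclass
class Session:
    subject: Dict[str, object]   # ATT(S): mutable subject attributes
    obj: Dict[str, object]       # ATT(O): mutable object attributes
    env: Dict[str, object]       # ATT(E): mutable environment attributes
    state: str = "initial"       # initial, accessing, denied, revoked, end
    trace: List[str] = field(default_factory=list)


def policy(s, o, e) -> bool:
    """Constructed usage policy, re-checked whenever an attribute changes:
    clearance covers sensitivity, the subject's download quota (a consumable,
    immediate-revocation attribute) is not exhausted, and the maintenance
    window (an environment attribute) is open."""
    return (LEVEL[s["clearance"]] >= LEVEL[o["sensitivity"]]
            and s["quota"] > 0 and bool(e["window_open"]))


def request_access(session: Session) -> bool:
    """Pre-authorization: the decision a plain ABAC system takes before access."""
    if policy(session.subject, session.obj, session.env):
        session.state = "accessing"
    else:
        session.state = "denied"
    session.trace.append(f"request -> {session.state}")
    return session.state == "accessing"


def _reevaluate(session: Session, cause: str) -> bool:
    """Ongoing control: re-run the policy while access is in progress and
    revoke the granted rights as soon as the new attribute values violate it."""
    if session.state != "accessing":
        return False
    if not policy(session.subject, session.obj, session.env):
        session.state = "revoked"
    session.trace.append(f"{cause} -> {session.state}")
    return session.state == "accessing"


def consume(session: Session, units: int) -> bool:
    """Attribute mutated as a result of the access itself: the quota decreases."""
    if session.state == "accessing":
        session.subject["quota"] -= units
    return _reevaluate(session, f"consumed {units}")


def environment_changed(session: Session, **changes) -> bool:
    """Attribute mutated by nature, outside the session (e.g. the window closes)."""
    session.env.update(changes)
    return _reevaluate(session, f"env {changes}")


def end_access(session: Session) -> None:
    """Normal end of usage: an obligation attribute is updated on fulfilment."""
    if session.state == "accessing":
        session.state = "end"
        session.subject["reports_read"] = session.subject.get("reports_read", 0) + 1
    session.trace.append(f"end -> {session.state}")


def new_session(clearance="secret", quota=3, window_open=True) -> Session:
    """Constructed session: an analyst reading a secret incident report."""
    return Session(subject={"clearance": clearance, "quota": quota},
                   obj={"sensitivity": "secret"}, env={"window_open": window_open})
```

With the defaults, `request_access` succeeds and `consume(s, 2)` keeps the session open, but `consume(s, 1)` drives the quota to zero and the re-evaluation moves the session to `revoked` even though access was already granted; closing the maintenance window via `environment_changed(s, window_open=False)` revokes it for an environmental reason; a subject with "internal" clearance is denied at the pre-decision; and a normally ended session increments the obligation attribute `reports_read`. The `trace` list records each re-evaluation and its outcome, which is the audit record a defender would want from a usage-control enforcement point.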
