Access Policy Specification for SCADA Networks

Efforts to secure supervisory control and data acquisition (SCADA) systems must be guided by sound security policies and supported by mechanisms to enforce them. Critical elements of the policy must be systematically translated into a format that can be used by policy enforcement components. Ideally, the enforced policy is a close reflection of the specified policy. However, security controls commonly used to enforce policies in the IT environment were not designed to satisfy the specific needs of the SCADA environment. This paper presents a language, based on the well-known XACML framework, for the expression of authorization policies for SCADA systems.



