9 research outputs found

    A comprehensive review of RFID and bluetooth security: practical analysis

    The Internet of Things (IoT) provides the ability to digitize physical objects into virtual data, thanks to the integration of hardware (e.g., sensors, actuators) and network communications for collecting and exchanging data. In this digitization process, however, security challenges need to be taken into account in order to prevent information availability, integrity, and confidentiality from being compromised. In this paper, the security challenges of two broadly used technologies, RFID (Radio Frequency Identification) and Bluetooth, are analyzed. First, a review of the main vulnerabilities, security risks, and threats affecting both technologies is carried out. Then, open hardware and open source tools such as Proxmark3 and Ubertooth, as well as BtleJuice and Bleah, are used as part of the practical analysis. Lastly, risk mitigation and countermeasures are proposed.

    An attribute-based access control model in RFID systems based on blockchain decentralized applications for healthcare environments

    The growing adoption of Radio-frequency Identification (RFID) systems, particularly in the healthcare field, demonstrates that RFID is a positive asset for healthcare institutions. RFID offers the ability to save organizations time and costs by providing traceability, identification, communication, temperature and location data in real time for both people and resources. However, the challenges of RFID systems are financial, technical, organizational and, above all, privacy and security. For this reason, recent works focus on attribute-based access control (ABAC) schemes. Currently, ABAC schemes are mostly based on centralized models, which in environments such as the supply chain can present problems of scalability, synchronization and trust between the parties. In this manuscript, we implement an ABAC model in RFID systems based on a decentralized model, namely blockchain. Common criteria for the selection of the appropriate blockchain are detailed. Our access control policies are executed through a decentralized application (DApp), which interfaces with the blockchain through a smart contract. Smart contracts and blockchain technology solve the issues of current centralized systems and also provide flexible infrastructures that represent the relationship of trust and support essential to the ABAC model, in order to provide security for RFID systems. Our system has been designed for a supply chain environment with a use case suitable for healthcare systems, so that assets such as surgical instruments carrying an associated RFID tag can only access specific areas. Our system is deployed in both a local and a Testnet environment in order to establish a thorough comparison and determine the technical feasibility.

    Towards decentralized and scalable architectures for access control systems for IIoT scenarios.

    The Industrial Internet of Things (IIoT) architecture is complex due to, among other things, the convergence of protocols, standards, and buses from such heterogeneous environments as Information Technology (IT) and Operational Technology (OT). IT – OT convergence not only makes interoperability difficult but also makes security one of the main challenges for IIoT environments. In this context, this thesis starts with a comprehensive survey of the protocols, standards, and buses commonly used in IIoT environments, analyzing the vulnerabilities in assets implementing them, as well as the impact and severity of exploiting such vulnerabilities in IT and OT environments. The Vulnerability Analysis Framework (VAF) methodology used for risk assessment in IIoT environments has been applied to 1,363 vulnerabilities collected from assets implementing the 33 protocols, standards and buses studied. On the other hand, Access Control Systems emerge as an efficient solution to mitigate some of the vulnerabilities and threats in the context of IIoT scenarios. Motivated by the variety and heterogeneity of IIoT environments, the thesis explores different alternatives of Access Control Systems covering different architectures. These architectures include Access Control Systems based on traditional Authorization policies such as Role-based Access Control or Attribute-based Access Control, as well as Access Control Systems that integrate other capabilities besides Authorization such as Identification, Authentication, Auditing and Accountability. 
Blockchain technologies are incorporated into some of the proposals as they enable properties not achievable in centralized architectures, at different levels of complexity: they can be used just as a verifiable data registry, executing simple off-chain authorization policies, up to scenarios where the blockchain enables an on-chain Identity and Access Management System based on Self-Sovereign Identity.

The architecture of the Industrial Internet of Things (IIoT) is complex due, among other things, to the convergence of protocols, standards and buses from environments as heterogeneous as Information Technology (IT) and Operational Technology (OT). IT – OT convergence not only hinders interoperability but also makes security one of the main challenges for IIoT environments. In this context, this thesis begins with an exhaustive review of the literature on the protocols, standards and buses commonly used in IIoT environments, further analyzing the vulnerabilities in assets that implement those protocols, standards and buses, as well as the impact and severity of exploiting such vulnerabilities in purely IT and purely OT environments. To carry out this analysis, the "Vulnerability Analysis Framework" (VAF) methodology is proposed for determining risk in IIoT environments; it has been applied to 1,363 vulnerabilities collected from assets that implement the 33 protocols, standards and buses studied. On the other hand, Access Control Systems emerge as an efficient solution to mitigate some of the vulnerabilities and threats in the context of IIoT scenarios. Motivated by the variety and heterogeneity of IIoT environments, the thesis explores different alternatives of Access Control Systems covering different architectures. 
These architectures include Access Control Systems based on traditional Authorization policies such as Role-based Access Control or Attribute-based Access Control, as well as Access Control Systems that integrate other capabilities besides Authorization, such as Identification, Authentication, Auditing and Accountability. The blockchain technologies integrated into some of the proposals enable properties not achievable in centralized architectures, at different levels, forming part of scenarios that range from being used only as a verifiable data registry executing simple off-chain authorization policies, up to scenarios where blockchain technology enables decentralized identity and access management systems based on Self-Sovereign Identity.

    A role-based access control model in modbus SCADA systems. A centralized model approach

    Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks implement industrial communication protocols to enable their operations. Modbus is an application protocol that allows communication between millions of automation devices. Unfortunately, Modbus lacks basic security mechanisms, and this leads to multiple vulnerabilities, due to both design and implementation. This issue enables certain types of attacks, for example man-in-the-middle attacks, eavesdropping attacks, and replay attacks. The exploitation of such flaws may greatly affect companies and the general population, especially for attacks targeting critical infrastructure assets, such as power plants, water distribution and railway transportation systems. In order to provide security mechanisms for the protocol, the Modbus organization released security specifications, which provide robust protection by combining Transport Layer Security (TLS) with the traditional Modbus protocol. TLS encapsulates Modbus packets to provide both authentication and message-integrity protection. The security features leverage X.509v3 digital certificates for authentication of the server and client. Building on the security specifications, this study addresses the security problems of the Modbus protocol, proposing a new secure version of a role-based access control model (RBAC) in order to authorize both the client on the server and the Modbus frame. This model is divided into an authorization process via roles, which is inserted as an arbitrary extension in the X.509v3 certificate, and message authorization via unit id, a unique identifier used to authorize the Modbus frame. Our proposal is evaluated through two approaches: a security analysis and a performance analysis. 
The security analysis involves verifying the protocol's resistance to different types of attacks, as well as verifying that certain pillars of cybersecurity, such as integrity and confidentiality, are not compromised. Finally, our performance analysis involves deploying our design over a testnet built on GNS3. This testnet has been designed based on an industrial security standard, IEC-62443, which divides the industrial network into levels. Both the client and the server are then deployed over this network in order to verify the feasibility of the proposal. For this purpose, different latency measurements from industrial environments are used as a benchmark, against which the latencies of our proposal for different cipher suites are compared.

    Methodological performance analysis applied to a novel IIoT access control system based on permissioned blockchain

    Considering that RFID technology shows significant growth in IIoT environments, industrial manufacturing is one of the sectors that benefits most from this growth. As growth implies increased security risks, access control systems have emerged as an essential solution for IIoT environments and particularly for RFID systems. Considering Hyperledger Fabric Blockchain as a modular project oriented to environments with a high level of performance in terms of speed and scalability, our manuscript proposes a performance analysis based on a methodological framework to demonstrate the viability of a comprehensive access control system, which includes Identification, Authentication, Authorization and Accountability/Auditing, based on the permissioned blockchain Hyperledger Fabric. Our proposal promotes a novel approach to reliable data privacy, based on the private data collection solution promoted by Hyperledger Fabric, to implement the registration phase of our access control system. In this regard, the feasibility of using private data collections, as opposed to a local private data management solution, is demonstrated. Finally, thanks to the modularity promoted by Hyperledger Fabric Blockchain, we define the optimal network model for our use case. To demonstrate these approaches, several experiments are conducted, based on a proposed methodological performance framework.

    A survey of IIoT protocols: A measure of vulnerability risk analysis based on CVSS

    The Industrial Internet of Things (IIoT) is present in many participants from the energy, health, manufacturing, transport, and public sectors. Many factors catalyze IIoT, such as robotics, artificial intelligence, and intelligent decentralized manufacturing. However, the convergence between IT, OT, and IoT environments involves the integration of heterogeneous technologies through protocols, standards, and buses, and this integration brings with it security risks. To avoid these security risks, especially when systems in different environments interact, it is important and urgent to create an early consensus among the stakeholders on IIoT security. The default Common Vulnerability Scoring System (CVSS) offers a mechanism to measure the severity of an asset's vulnerability and therefore a way to characterize the risk. However, CVSS by default has two drawbacks. On the one hand, to carry out a risk analysis, metrics in addition to those established by CVSS v3.1 are necessary. On the other hand, this index has been used mostly in IT environments and, although there are numerous efforts to develop a model that suits industrial environments, there is no established proposal. Therefore, we first propose a survey of the 33 main protocols, standards, and buses used in an IIoT environment, focusing on the security of each one. The second part of our study consists of the creation of a framework to characterize risk in industrial environments, i.e., to solve both problems of the CVSS index. To this end, we created the Vulnerability Analysis Framework (VAF), a methodology that allows the analysis of 1,363 vulnerabilities to establish a measure that describes the risk in IIoT environments.

    Modbus access control system based on SSI over hyperledger fabric blockchain.

    Security is the main challenge of the Modbus IIoT protocol. The systems designed to provide security involve solutions that manage identity based on a centralized approach, introducing a single point of failure, and with an ad hoc model for a single organization, which handicaps the scalability of the solution. Our manuscript proposes a solution based on self-sovereign identity over Hyperledger Fabric blockchain, promoting a decentralized identity from which both authentication and authorization are performed on-chain. The implementation of the system promotes not only Modbus security, but also aims to ensure the simplicity, compatibility and interoperability claimed by Modbus.

    Towards decentralized and scalable architectures for access control systems for IIoT scenarios.

    The Industrial Internet of Things (IIoT) architecture is complex due to, among other things, the convergence of protocols, standards, and buses from such heterogeneous environments as Information Technology (IT) and Operational Technology (OT). IT – OT convergence not only makes interoperability difficult but also makes security one of the main challenges for IIoT environments. In this context, this thesis starts with a comprehensive survey of the protocols, standards, and buses commonly used in IIoT environments, analyzing the vulnerabilities in assets implementing them, as well as the impact and severity of exploiting such vulnerabilities in IT and OT environments. The Vulnerability Analysis Framework (VAF) methodology used for risk assessment in IIoT environments has been applied to 1,363 vulnerabilities collected from assets implementing the 33 protocols, standards and buses studied. On the other hand, Access Control Systems emerge as an efficient solution to mitigate some of the vulnerabilities and threats in the context of IIoT scenarios. Motivated by the variety and heterogeneity of IIoT environments, the thesis explores different alternatives of Access Control Systems covering different architectures. These architectures include Access Control Systems based on traditional Authorization policies such as Role-based Access Control or Attribute-based Access Control, as well as Access Control Systems that integrate other capabilities besides Authorization such as Identification, Authentication, Auditing and Accountability. 
Blockchain technologies are incorporated into some of the proposals as they enable properties not achievable in centralized architectures, at different levels of complexity: they can be used just as a verifiable data registry, executing simple off-chain authorization policies, up to scenarios where the blockchain enables an on-chain Identity and Access Management System based on Self-Sovereign Identity.

The architecture of the Industrial Internet of Things (IIoT) is complex due, among other things, to the convergence of protocols, standards and buses from environments as heterogeneous as Information Technology (IT) and Operational Technology (OT). IT – OT convergence not only hinders interoperability but also makes security one of the main challenges for IIoT environments. In this context, this thesis begins with an exhaustive review of the literature on the protocols, standards and buses commonly used in IIoT environments, further analyzing the vulnerabilities in assets that implement those protocols, standards and buses, as well as the impact and severity of exploiting such vulnerabilities in purely IT and purely OT environments. To carry out this analysis, the "Vulnerability Analysis Framework" (VAF) methodology is proposed for determining risk in IIoT environments; it has been applied to 1,363 vulnerabilities collected from assets that implement the 33 protocols, standards and buses studied. On the other hand, Access Control Systems emerge as an efficient solution to mitigate some of the vulnerabilities and threats in the context of IIoT scenarios. Motivated by the variety and heterogeneity of IIoT environments, the thesis explores different alternatives of Access Control Systems covering different architectures. 
These architectures include Access Control Systems based on traditional Authorization policies such as Role-based Access Control or Attribute-based Access Control, as well as Access Control Systems that integrate other capabilities besides Authorization, such as Identification, Authentication, Auditing and Accountability. The blockchain technologies integrated into some of the proposals enable properties not achievable in centralized architectures, at different levels, forming part of scenarios that range from being used only as a verifiable data registry executing simple off-chain authorization policies, up to scenarios where blockchain technology enables decentralized identity and access management systems based on Self-Sovereign Identity.

    Alarm collector in smart train based on ethereum blockchain events-log.

    The European Union is moving toward the "smart" era, with smart mobility as one of its key topics. What is more, the European Union (EU) is moving toward Mobility as a Service (MaaS). The key concept behind MaaS is the capability to offer both travelers' mobility and goods transport solutions based on travel needs, for example unique payment methods, intermodal tickets, passenger services, freight transport services, etc. The introduction of new services implies the integration of many Internet-of-Things (IoT) sensors. At this point, security gains a key role in the railway sector. Considering an environment where sensor data are monitored from sensor events, and alarms are detected and emitted when events contain an anomaly, this document proposes the development of an alarm collection system that ensures both the traceability and the privacy of these alarms. This system is based on the Ethereum blockchain event log as an efficient storage mechanism, which guarantees that any railway entity can participate in the network while ensuring both entity security and information privacy.