7 research outputs found

    PolyOrBAC: a security framework for critical infrastructures

    Due to physical and logical vulnerabilities, a critical infrastructure (CI) can encounter failures of various degrees of severity, and since there are many interdependencies between CIs, simple failures can have dramatic consequences on the users. In this paper, we mainly focus on malicious threats that might affect the information and communication system that controls the Critical Infrastructure, i.e., the Critical Information Infrastructure (CII). To address the security challenges that are specific to CIIs, we propose a collaborative access control framework called PolyOrBAC. This approach offers each organization taking part in the CII the capacity of collaborating with the other ones, while maintaining control over its resources and its internal security policy. The interactions between organizations participating in the CII are implemented through web services (WS), and for each WS a contract is signed between the service-provider organization and the service-user organization. The contract describes the WS functions and parameters, the liability of each party and the security rules controlling the interactions. At runtime, the compliance of all interactions with these security rules is checked. Every deviation from the signed contracts triggers an alarm, the concerned parties are notified, and audits can be used as evidence for sanctioning the party responsible for the deviation. Our approach is illustrated by a practical scenario, based on real emergency actions in an electric power grid infrastructure, and a simulation test bed has been implemented to animate this scenario and experiment with its security issues.

    Priority-based Event Management using Fuzzy Logic for an IoT-BPM Architecture

    The Internet of Things (IoT) world is growing at a breathtaking pace. This new paradigm shift affects all the enterprise architecture layers from infrastructure to business. Organizations are nowadays faced with new challenges to keep their quality of service and competitive advantage over other rival organizations. Business Process Management (BPM) is a field among others that will be affected by this new technology. Both IoT and BPM communicate through events, and effective and efficient management of those events ensures a better communication channel between the IoT physical layer and the Business layer. However, the huge amount of those IoT-generated events, and sometimes the subtle difference between their criticality levels, generate uncertainty regarding their priority level determination. In this paper, we propose a fuzzy logic-based event management approach to estimate the criticality level of the incoming IoT events using two fuzzy inference systems (FIS) and to manage the priority of business process instances triggered by those events. A case study is presented and the obtained results from our simulations demonstrate the benefit of our approach and allowed us to confirm the efficiency of our assumptions.

    Controle d'accès pour les grandes infrastructures critiques. Application au réseau d'énergie électrique.

    Because of its physical and logical vulnerabilities, a critical infrastructure (CI) may suffer failures, and because of the interdependencies between CIs, simple failures can have dramatic consequences on the entire infrastructure. In our work, we mainly focus on information systems and communications (CII: Critical Information Infrastructure) dedicated to the electrical power grid. We proposed a new approach to address security problems faced by a CII, particularly those related to access control and collaboration. The goal of this study is to provide each organization belonging to the CII the opportunity to collaborate with others while maintaining control over its data and its internal security policy. We modeled and developed PolyOrBAC, a platform for collaborative access control, based on the access control model OrBAC and on the Web Services technology; this platform is applicable in the context of a critical infrastructure in general, and more particularly to an electrical power grid.

    Contrôle d'Accès pour les Grandes Infrastructures Critiques (application au réseau d'énergie électrique)

    Because of its physical and logical vulnerabilities, a critical infrastructure (CI) may suffer failures, and because of the interdependencies between CIs, simple failures can have dramatic consequences on the entire infrastructure. In our work, we mainly focus on information systems and communications (CII: Critical Information Infrastructure) dedicated to the electrical power grid. We proposed a new approach to address security problems faced by a CII, particularly those related to access control and collaboration. The goal of this study is to provide each organization belonging to the CII the opportunity to collaborate with others while maintaining control over its data and its internal security policy. We modeled and developed PolyOrBAC, a platform for collaborative access control, based on the access control model OrBAC and on the Web Services technology; this platform is applicable in the context of a critical infrastructure in general, and more particularly to an electrical power grid.
    INIST-CNRS (INIST), under shelf-number: RP 17272 / Sudoc, France

    Access Control for Collaborative Systems: A Web Services Based Approach

    Nowadays, systems are more and more open, distributed and collaborative. In this context, access control is an important issue that should be studied, specified and well enforced. This work proposes a new access control model for collaborative systems: “PolyOrBAC”. On the one hand, we extend OrBAC (Organization-Based Access Control Model) to specify local as well as collaboration access control rules; on the other hand, we enforce these security policies by applying web services mechanisms (XML, SOAP, UDDI and WSDL). Then, we present a representative scenario of secure collaborative applications. Furthermore, we propose an XACML-based implementation of PolyOrBAC and we discuss the most important approaches that emphasize access control in collaborative environments.

    On the performance of transport protocols over mmWave links: empirical comparison of TCP and QUIC

    The extensive availability of spectrum resources and the remarkably high data transmission rate of millimeter-wave (mmWave) technology have propelled its significance as a vital component in the advancement of mobile communications, including fifth generation (5G) networks. However, the intermittent nature of mmWave links and their interaction with transport layer protocols pose several challenges, which bring inadequate performance, due to fluctuations in high-frequency channels. Consequently, although these features of mmWave might be advantageous, they can actually hinder the performance. Although these issues have been studied in the literature with TCP, there are few works that have studied how QUIC behaves over this kind of channel. This paper aims to compare the performance of TCP and QUIC over mmWave channels, studying the impact at the application level. We conduct extensive performance evaluations, based on traces that are obtained by means of a detailed simulation of different mmWave scenarios, using the ns-3 simulator. We analyze key performance indicators, such as delay, throughput, and bottleneck buffer. The results evince that QUIC outperforms TCP in highly fluctuating mmWave channels, showing better performance for both throughput and delay. This work was supported by the Spanish Government (Ministerio de Economía y Competitividad, Fondo Europeo de Desarrollo Regional, MINECO-FEDER) by means of the Project SITED: Semantically-Enabled Interoperable Trustworthy Enriched Data-Spaces under Grant PID2021-125725OB-I00.