OSTI.GOV · U.S. Department of Energy, Office of Scientific and Technical Information

Title: RBAC Driven Least Privilege Architecture For Control Systems

Technical Report · DOI: https://doi.org/10.2172/1124080 · OSTI ID: 1124080
Authors: [1]; [1]
  1. Honeywell International Inc., Golden Valley, MN (United States)

The concept of role based access control (RBAC) within the IT environment has been studied by researchers and was supported by NIST (circa 1992). This earlier work highlighted the benefits of RBAC, which include reduced administrative workload and policies which are easier to analyze and apply. The goals of this research were to expand the application of RBAC in the following ways.

1. Apply RBAC to the control systems environment: The typical RBAC model within the IT environment is used to control a user's access to files. Within the control system environment, files are replaced with measurement (e.g., temperature) and control (e.g., valve) points organized as a hierarchy of control assets (e.g., a boiler, compressor, refinery unit). Control points have parameters (e.g., high alarm limit, set point, etc.) associated with them. The RBAC model is extended to support access to points and their parameters based upon roles, while at the same time allowing permissions for the points to be defined at the asset level or directly at the point level. In addition, centralized policy administration with distributed access enforcement mechanisms was developed to support the distributed architecture of distributed control systems and SCADA.

2. Extend the RBAC model to include access control for software and devices: The established RBAC approach is to assign users to roles. This work extends that notion by first breaking the control system down into three layers: 1) users, 2) software, and 3) devices. An RBAC model is then created for each of these three layers. The result is that RBAC can be used to define machine-to-machine policy enforced via the IP security (IPsec) protocol. This highlights the potential to use RBAC for machine-to-machine connectivity within the internet of things.

3. Enable dynamic policy based upon the operating mode of the system: The IT environment is generally static with respect to policy. However, large cyber-physical systems such as industrial controls have various operating modes (start-up, normal operation, emergency, shut-down and maintenance are typical). The policy enforcement architecture must be able to support changes in access permissions as the mode of the control system changes. For example, an operator's role may not allow the operator to shut down a pump during "normal operation", but that same operator role may be given permission to shut down the pump if the refinery transitions to "emergency" mode.

The effectiveness of the approach was validated by applying it to the Experion Process Knowledge System. This is a large commercial industrial control system often used to control oil refineries and other assets within the oil and gas sector. As a by-product, other industries using Experion (pharmaceuticals, specialty chemicals, etc.) also benefit from increased security. Policies representative of those that would be used within an oil refinery were created and validated against the RBAC model as implemented in the underlying SQL database. The administration of policy is simplified, which in turn makes it practical for security administrators to specify policies which enforce least privilege. The result is a qualitative reduction in risk. The benefits of the enhanced RBAC model are clear and, as a result, Honeywell is incorporating portions of the RBAC research into the 2014 release of Experion.
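The abstract describes three ideas that are easier to see in code than in prose: permissions attached either to a control asset (and inherited by every point beneath it) or to an individual point and parameter, deny-by-default evaluation, and rules that only apply in particular operating modes. The following Python is an added illustration written for this record, not Honeywell's or Experion's code, and not the report's SQL schema. The asset tree (refinery, unit, boiler, pump), the point and parameter names, the role names, the rule format and the mode names are all constructed assumptions.

```python
"""Toy policy engine for an RBAC model over a control-asset hierarchy.

Added example, not Honeywell/Experion code. Everything below (asset tree,
point and parameter names, roles, rule format, mode names) is assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, FrozenSet


@dataclass
class Point:
    """A measurement or control point; every point carries the same parameters here."""
    name: str
    parameters: FrozenSet[str] = frozenset({"value", "set_point", "high_alarm_limit"})


@dataclass
class Asset:
    """A control asset containing points and sub-assets (boiler inside unit inside refinery)."""
    name: str
    points: List[Point] = field(default_factory=list)
    children: List["Asset"] = field(default_factory=list)

    def path_to(self, point_name: str) -> Optional[List[str]]:
        """Return [asset, ..., asset, point] if the point lives under this asset, else None."""
        for p in self.points:
            if p.name == point_name:
                return [self.name, point_name]
        for child in self.children:
            sub = child.path_to(point_name)
            if sub:
                return [self.name] + sub
        return None


@dataclass(frozen=True)
class Rule:
    """One grant. `target` is an asset name (covers every point beneath it) or a point name.
    `parameter` None means any parameter. `modes` lists the operating modes in which the
    grant is live; "*" means every mode."""
    role: str
    target: str
    action: str                 # assumed vocabulary: "read", "write", "shutdown"
    parameter: Optional[str]
    modes: FrozenSet[str]


class Policy:
    def __init__(self, root: Asset, rules: List[Rule], user_roles: dict):
        self.root = root
        self.rules = rules
        self.user_roles = user_roles  # user -> set of role names

    def is_allowed(self, user, action, point, parameter=None, mode="normal") -> bool:
        """Deny by default; allow only if some rule for one of the user's roles matches
        the point (directly or via an enclosing asset), the parameter, and the current mode."""
        path = self.root.path_to(point)
        if path is None:
            return False                      # unknown point: never allowed
        roles = self.user_roles.get(user, set())
        for r in self.rules:
            if r.role not in roles or r.action != action:
                continue
            if r.target not in path:          # asset-level grants inherit down the tree
                continue
            if r.parameter is not None and r.parameter != parameter:
                continue
            if "*" not in r.modes and mode not in r.modes:
                continue                      # grant exists but is not live in this mode
            return True
        return False


def build_demo_policy() -> Policy:
    """Constructed sample: a refinery unit with a boiler and a pump, two roles, four rules."""
    boiler = Asset("boiler", points=[Point("TI-101"), Point("FV-101")])
    unit = Asset("unit1", points=[Point("P-101")], children=[boiler])
    refinery = Asset("refinery", children=[unit])
    rules = [
        # operators may read anything in the refinery, in any mode
        Rule("operator", "refinery", "read", None, frozenset({"*"})),
        # operators may change set points only during normal operation or start-up
        Rule("operator", "refinery", "write", "set_point", frozenset({"normal", "startup"})),
        # operators may shut down pump P-101 only in emergency mode (the abstract's example)
        Rule("operator", "P-101", "shutdown", None, frozenset({"emergency"})),
        # engineers may retune boiler alarm limits only during maintenance
        Rule("engineer", "boiler", "write", "high_alarm_limit", frozenset({"maintenance"})),
    ]
    return Policy(refinery, rules, {"alice": {"operator"}, "bob": {"engineer"}})


if __name__ == "__main__":
    pol = build_demo_policy()
    for mode in ("normal", "emergency"):
        print(mode, "alice shutdown P-101:", pol.is_allowed("alice", "shutdown", "P-101", mode=mode))
```

The same role ("operator") yields different decisions for the pump shutdown depending only on the mode argument, which is the dynamic-policy behaviour the abstract calls for; the boiler rule shows an asset-level grant reaching a point two levels down without a per-point entry, which is the administrative saving the abstract attributes to asset-level permissions.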

Research Organization: Honeywell International Inc., Golden Valley, MN (United States)
Sponsoring Organization: USDOE
DOE Contract Number: OE0000544
OSTI ID: 1124080
Country of Publication: United States
Language: English
