Attribute-based Network and System Access Control Architecture for Industrial Machines

2019 
With the increasing digitization and interconnection of industry, many opportunities for new business models arise. These promise great economic benefits but at the same time pose significant threats. The strong interconnection with suppliers, vendors and customers results in an increasingly open production network, in which each user group has its own access requirements for the different machines in the company network and the corresponding system resources. An architecture is therefore needed that controls access both within the network and within the machine's computer, reducing it to the required minimum. Consequently, we present in this paper an access control architecture that allows attribute-based policies to be enforced both at the network level and at the system level. The required policies are managed centrally in the network. They are first interpreted in the network, using software-defined networking combined with a suitable policy framework. The request forwarded to the machine is then restricted further in the system using a kernel-level access control architecture and an associated policy module. The presented architecture is then implemented as a prototype and its performance is evaluated. We conclude that the presented architecture can be used effectively to reduce access permissions to the required minimum based on attributes of the subject, the environment, the network and system object, and the respective action.
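The two-stage enforcement the abstract describes, as an added illustration that is not code from the paper: one centrally managed attribute-based policy is evaluated first at the network level and, only if the flow is permitted, again at the system level on the machine. The attribute names, the sample policy and the deny-overrides/default-deny combining rule are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Request:
    # attribute categories named in the abstract; action is a category too
    subject: dict
    environment: dict
    network_object: dict
    system_object: dict
    action: dict

@dataclass
class Rule:
    level: str        # "network" or "system": where the rule is enforced
    effect: str       # "permit" or "deny"
    conditions: dict  # "category.attr" -> required value or predicate

def _matches(rule: Rule, req: Request) -> bool:
    for path, expected in rule.conditions.items():
        category, attr = path.split(".", 1)
        actual = getattr(req, category).get(attr)
        if not (expected(actual) if callable(expected) else actual == expected):
            return False
    return True

def _decide(rules: list, level: str, req: Request) -> str:
    # Deny-overrides with default deny: whatever no rule permits is refused,
    # which is how access is reduced to the required minimum.
    hits = [r for r in rules if r.level == level and _matches(r, req)]
    if any(r.effect == "deny" for r in hits):
        return "deny"
    return "permit" if any(r.effect == "permit" for r in hits) else "deny"

def evaluate(policy: list, req: Request) -> tuple:
    # The network decides first; only a permitted flow is checked against
    # the system-level rules on the machine itself.
    if _decide(policy, "network", req) == "deny":
        return "deny", "network"
    return _decide(policy, "system", req), "system"

# Constructed sample policy: vendors may reach the maintenance service during
# business hours and may only read logs on the machine, never anything in /etc/.
POLICY = [
    Rule("network", "permit", {"subject.role": "vendor", "environment.window": "business_hours",
                               "network_object.service": "maintenance"}),
    Rule("system", "permit", {"subject.role": "vendor", "system_object.type": "log",
                              "action.name": lambda a: a in ("read", "list")}),
    Rule("system", "deny", {"system_object.path": lambda p: (p or "").startswith("/etc/")}),
]
```

A request refused at the network level never reaches the machine, so the system-level rules act as a second, independent restriction of what the network already let through.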