Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32145
Access Policy Specification for SCADA Networks

Authors: Rodrigo Chandia, Mauricio Papa


Efforts to secure supervisory control and data acquisition (SCADA) systems must be supported under the guidance of sound security policies and mechanisms to enforce them. Critical elements of the policy must be systematically translated into a format that can be used by policy enforcement components. Ideally, the goal is to ensure that the enforced policy is a close reflection of the specified policy. However, security controls commonly used to enforce policies in the IT environment were not designed to satisfy the specific needs of the SCADA environment. This paper presents a language, based on the well-known XACML framework, for the expression of authorization policies for SCADA systems.

Keywords: Access policy specification, process control systems, network security.

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2127


[1] American Gas Association, Cryptographic Protection of SCADA Communications Part 1: Background, Policies and Test Plan, Technical Report AGA Report No. 12 (Part 1), Draft 5, American Gas Association, April 2005.
[2] American Gas Association, Cryptographic Protection of SCADA Communications; Part 2: Retrofit Link Encryption for Asynchronous Serial Communications, Technical Report AGA Report No. 12 (Part 2), Draft, American Gas Association, November 2005.
[3] Scott Barman, Writing Information Security Policies, New Riders, Indiana, November 2001.
[4] Karl Best, OASIS TC Call for Participation: XACML, OASIS XACML Mailing List ( msg00000.html), April 2001.
[5] Stuart A. Boyer, SCADA: Supervisory Control and Data Acquisition, Third Edition, ISA - Instrumentation, Systems and Automation Society, 2004.
[6] British Columbia Institute of Technology (BCIT), Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, Technical Report, National Infrastructure Security Coordination Centre (NISCC), London, United Kingdom, February 2005.
[7] CAN in Automation, CAN in Automation (CiA): Controller Area Network (CAN) (, November 2008.
[8] Emerson Process Management, Network 3000 Communications Application Programmers Reference, Technical Report D4052, Emerson Process Management, Watertown, Connecticut, USA, October 2007.
[9] Emerson Process Management, ROC Protocol User Manual, Bulletin A4199, Emerson Process Management, Houston, Texas, USA, June 2007.
[10] IEC, Communication Networks and Systems in Substations, IEC 61850- SER, IEC, August 2007.
[11] IEC, Power Systems Management and Associated Information Exchange - Data and Communications Security, Part 1: Communication Network and System Security - Introduction to Security Issues, IEC TS 62351-5, IEC, May 2007.
[12] Innominate Security Technologies AG, Industrial IT Security With Firewall and VPN Hardware - Home - Innominate (http://www.innominate. com), November 2008.
[13] Instrumentation Systems and Automation (ISA) Society, Enterprise- Control System Integration Part 1: Models and Terminology, Technical Report ANSI/ISA-95.00.01-2000, American National Standards Institute (ANSI), July 2000.
[14] Instrumentation Systems and Automation (ISA) Society, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models, Technical Report ANSI/ISA-TR99.00.01-2007, American National Standards Institute (ANSI), 2007.
[15] Instrumentation Systems and Automation (ISA) Society, Security Technologies for Industrial Automation and Control Systems, Technical Report ANSI/ISA-TR99.00.01-2007. American National Standards Institute (ANSI), 2007.
[16] Merriam-Webster, Policy, in Merriam-Webster Online (http://www., July 2008.
[17] Modbus IDA, Modbus Application Protocol Specification (http://www., April 2004.
[18] Modbus IDA, Modbus Messaging on TCP/IP Implementation Guide (, June 2004.
[19] Modbus-IDA, Modbus-IDA: the Architecture for Distributed Automation (, October 2008.
[20] Modbus-IDA, Modbus Over Serial Line Specification - Implementation Guide (, February 2002.
[21] OASIS, eXtensible Access Control Markup Language XACML Version 1.0, Technical Report, OASIS, February 2003.
[22] OASIS. eXtensible Access Control Markup Language XACML version 2.0, Technical Report, OASIS, February 2005.
[23] Organization for the Advancement of Structured Information Standards (OASIS), Oasis Foundation Web Page ( index.php), June 2008.
[24] Jon Postel, Transmission Control Protocol, RFC 793 (Standard), September 1981.
[25] Hal Stern, Managing NFS and NIS, O-Reilly and Associates, Inc., Sebastopol, California, USA, 2001.
[26] Keith Stouffer, Joe Falco and Karen Scarfone, Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, Final Public Draft, NIST, September 2008.
[27] Sun Microsystems, Sun-s XACML implementation (http://sunxacml., November 2008.
[28] Mike Thesing, Transporting DNP V3.00 Over Local and Wide Area Networks, Technical Report, DNP Users Group, December 1993.
[29] Mike Thesing, DNP3 Specification Volume 7: IP Networking, Technical Report, DNP Users Group, 1998.
[30] Xin Wang, Guillermo Lao, Thomas DeMartini, Hari Reddy, Mai Nguyen and Edgar Valenzuela, XrML - eXtensible Rights Markup Language, in XMLSEC -02: Proceedings of the 2002 ACM workshop on XML security, ACM, New York, New York, USA, pp. 71-79, 2002.
[31] Andrea Westerinen, John Schnizlein, John Strassner, Mark Scherling, Bob Quinn, Shai Herzog, An-Ny Huynh, Mark Carlson, Jay Perry and Steve Waldbusser, Terminology for Policy-Based Management, RFC 3198, November 2001.
[32] Kurt D. Zeilenga. Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map, RFC 4510, June 2006.