Blockchain-based Role-Delegation Access Control for Industrial Control System

【Authors】 GUO Xian; WANG Yu-yue; FENG Tao; CAO Lai-cheng; JIANG Yong-bo; ZHANG Di

【Corresponding author】 GUO Xian

【Institution】 School of Computer and Communication, Lanzhou University of Technology

【Abstract】 The convergence of IT and OT has blurred the concept of a “network perimeter” in industrial control systems, and fine-grained access control policies that protect each network connection are the cornerstone of network security for industrial enterprises. A role-delegation-based access control scheme can delegate the access rights of a user in one domain to users in other domains or to company partners, which makes it convenient for employees and partners to remotely access the enterprise's network resources. However, this convenience may increase the attack surface of the industrial control system. Blockchain technology, with its inherent decentralization, tamper resistance and auditability, can serve as the underlying infrastructure for managing role-delegation access control. This paper therefore proposes DRBAC (Delegatable Role-Based Access Control), a role-delegation access control scheme based on blockchain. DRBAC includes several important components: user role management and delegation, access control, and a monitoring mechanism, among others. The scheme is implemented with smart contracts. DRBAC aims to ensure that every network connection is protected by fine-grained access control policies. Finally, the correctness, feasibility and overhead of DRBAC are tested and analyzed on a local private blockchain network.

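【Funding】 National Natural Science Foundation of China (61461027); Natural Science Foundation of Gansu Province (20JR5RA467)
  • 【Source】 Computer Science (计算机科学), 2021, Issue 09
  • 【Classification No.】 TP393.08; TP273
  • 【Times cited】 3
  • 【Downloads】 521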