draft-ietf-ace-usecases-10.txt   rfc7744.txt

Internet Engineering Task Force (IETF)        L. Seitz, Ed.
Request for Comments: 7744                    SICS Swedish ICT AB
Category: Informational                       S. Gerdes, Ed.
ISSN: 2070-1721                               Universitaet Bremen TZI
                                              G. Selander
                                              Ericsson
                                              M. Mani
                                              Itron
                                              S. Kumar
                                              Philips Research
                                              January 2016

Use Cases for Authentication and Authorization in Constrained Environments

Abstract

Constrained devices are nodes with limited processing power, storage space, and transmission capacities. In many cases, these devices do not provide user interfaces, and they are often intended to interact without human intervention.

This document includes a collection of representative use cases for authentication and authorization in constrained environments. These use cases aim at identifying authorization problems that arise during the life cycle of a constrained device and are intended to provide a guideline for developing a comprehensive authentication and authorization solution for this class of scenarios.

Where specific details are relevant, it is assumed that the devices use the Constrained Application Protocol (CoAP) as a communication protocol. However, most conclusions apply generally.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7744.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
   1.1. Terminology
2. Use Cases
   2.1. Container Monitoring
        2.1.1. Bananas for Munich
        2.1.2. Authorization Problems Summary
   2.2. Home Automation
        2.2.1. Controlling the Smart Home Infrastructure
        2.2.2. Seamless Authorization
        2.2.3. Remotely Letting in a Visitor
        2.2.4. Selling the House
        2.2.5. Authorization Problems Summary
   2.3. Personal Health Monitoring
        2.3.1. John and the Heart Rate Monitor
        2.3.2. Authorization Problems Summary
   2.4. Building Automation
        2.4.1. Device Life Cycle
               2.4.1.1. Installation and Commissioning
               2.4.1.2. Operational
               2.4.1.3. Maintenance
               2.4.1.4. Recommissioning
               2.4.1.5. Decommissioning
        2.4.2. Public Safety
               2.4.2.1. A Fire Breaks Out
        2.4.3. Authorization Problems Summary
   2.5. Smart Metering
        2.5.1. Drive-By Metering
        2.5.2. Meshed Topology
        2.5.3. Advanced Metering Infrastructure
        2.5.4. Authorization Problems Summary
   2.6. Sports and Entertainment
        2.6.1. Dynamically Connecting Smart Sports Equipment
        2.6.2. Authorization Problems Summary
   2.7. Industrial Control Systems
        2.7.1. Oil Platform Control
        2.7.2. Authorization Problems Summary
3. Security Considerations
   3.1. Attacks
   3.2. Configuration of Access Permissions
   3.3. Authorization Considerations
   3.4. Proxies
4. Privacy Considerations
5. Informative References
Acknowledgments
Authors' Addresses
1. Introduction

Constrained devices [RFC7228] are nodes with limited processing power, storage space, and transmission capacities. These devices are often battery-powered and in many cases do not provide user interfaces.

Constrained devices benefit from being interconnected using Internet protocols. However, deploying common security protocols can sometimes be difficult because of device or network limitations. Regardless, adequate security mechanisms are required to protect these constrained devices, which are expected to be integrated in all aspects of everyday life, from attackers wishing to gain control over the device's data or functions.

This document comprises a collection of representative use cases for the application of authentication and authorization in constrained environments. These use cases aim at identifying authorization problems that arise during the life cycle of a constrained device. Note that this document does not aim at collecting all possible use cases.

We assume that the communication between the devices is based on the Representational State Transfer (REST) architectural style, i.e., a device acts as a server that offers resources such as sensor data and actuators. The resources can be accessed by clients, sometimes without human intervention (M2M). In some situations, the communication will happen through intermediaries (e.g., gateways, proxies).

Where specific detail is necessary, it is assumed that the devices communicate using CoAP [RFC7252], although most conclusions are generic.

1.1. Terminology

Readers are required to be familiar with the terms defined in [RFC7228].

2. Use Cases

This section includes the use cases; each use case first presents a general description of the application environment, then one or more specific use cases, and finally a summary of the authorization-related problems to be solved. The document aims at listing the relevant authorization problems and not to provide an exhaustive list. It might not be possible to address all of the listed problems with a single solution; there might be conflicting goals within or among some requirements.

There are various reasons for assigning a function (client or server) to a device. The function may even change over time; e.g., the device that initiates a conversation is temporarily assigned the role of client, but could act as a server in another context. The definition of the function of a device in a certain use case is not in scope of this document. Readers should be aware that there might be reasons for each setting and that endpoints might even have different functions at different times.
2.1. Container Monitoring

The ability of sensors to communicate environmental data wirelessly opens up new application areas. Sensor systems make it possible to continuously track and transmit characteristics such as temperature, humidity, and gas content while goods are transported and stored.

Sensors in this scenario have to be associated with the appropriate pallet of the respective container. Sensors, as well as the goods, belong to specific customers.

While in transit, goods often pass stops where they are transloaded to other means of transportation, e.g., from ship transport to road transport.

Perishable goods need to be stored at a constant temperature and with proper ventilation. Real-time information on the state of the goods is needed by both the transporter and the vendor. Transporters want to prioritize goods that will expire soon. Vendors want to react when goods are spoiled to continue to fulfill delivery obligations.

The Intelligent Container <http://www.intelligentcontainer.com> is an example project that explores solutions to continuously monitor perishable goods.

2.1.1. Bananas for Munich

A fruit vendor grows bananas in Costa Rica for the German market. It instructs a transport company to deliver the goods via ship to Rotterdam where they are picked up by trucks and transported to a ripening facility. A Munich supermarket chain buys ripened bananas from the fruit vendor and transports them from the ripening facility to the individual markets with their own company's trucks.

The fruit vendor's quality management wants to assure the quality of their products; thus, it equips the banana boxes with sensors. The state of the goods is monitored consistently during shipment and ripening, and abnormal sensor values are recorded (U1.2). Additionally, the sensor values are used to control the climate within the cargo containers (U1.1, U1.5, U1.7). Therefore, the sensors need to communicate with the climate-control system. Since an incorrect sensor value leads to a wrong temperature, and thus to spoiled goods, the integrity of the sensor data must be assured (U1.2, U1.3). The banana boxes within a container will, in most cases, belong to the same owner. Adjacent containers might contain goods and sensors of different owners (U1.1).

The personnel that transloads the goods must be able to locate the goods meant for a specific customer (U1.1, U1.6, U1.7). However, the fruit vendor does not want to disclose sensor information pertaining to the condition of the goods to other companies and therefore wants to assure the confidentiality of this data (U1.4). Thus, the transloading personnel is only allowed to access logistic information (U1.1). Moreover, the transloading personnel is only allowed to access the data for the time of the transloading (U1.8).

Due to the high water content of the fruits, the propagation of radio waves is hindered, thus often inhibiting direct communication between nodes [Jedermann14]. Instead, messages are forwarded over multiple hops (U1.9). The sensors in the banana boxes cannot always reach the Internet during the journey (U1.10). Sensors may need to use relay stations owned by the transport company to connect to endpoints on the Internet.

In the ripening facility, bananas are stored until they are ready to be sold. The banana box sensors are used to control the ventilation system and to monitor the degree of ripeness of the bananas. Ripe bananas need to be identified and sold before they spoil (U1.2, U1.8).

The supermarket chain gains ownership of the banana boxes when the bananas have ripened and are ready to leave the ripening facility.
2.1.2. Authorization Problems Summary

U1.1:  Fruit vendors and container owners want to grant different authorizations for their resources and/or endpoints to different parties.

U1.2:  The fruit vendor requires the integrity and authenticity of the sensor data that pertains to the state of the goods for climate control and to ensure the quality of the monitored recordings.

U1.3:  The container owner requires the integrity and authenticity of the sensor data that is used for climate control.

U1.4:  The fruit vendor requires the confidentiality of the sensor data that pertains to the state of the goods and the confidentiality of location data, e.g., to protect them from targeted attacks from competitors.

U1.5:  The fruit vendor may need different protection for several different types of data on the same endpoint, e.g., sensor data and the data used for logistics.

U1.6:  The fruit vendor and the transloading personnel require the authenticity and integrity of the data that is used to locate the goods, in order to ensure that the goods are correctly treated and delivered.

U1.7:  The container owner and the fruit vendor may not be present at the time of access and cannot manually intervene in the authorization process.

U1.8:  The fruit vendor, container owner, and transloading company want to grant temporary access permissions to a party, in order to avoid giving permanent access to parties that are no longer involved in processing the bananas.

U1.9:  The fruit vendor, container owner, and transloading company want their security objectives to be achieved, even if the messages between the endpoints need to be forwarded over multiple hops.

U1.10: The constrained devices might not always be able to reach the Internet but still need to enact the authorization policies of their principals.

U1.11: Fruit vendors and container owners want to be able to revoke authorization on a malfunctioning sensor.
2.2. Home Automation 2.2. Home Automation
One application of the Internet of Things is home automation systems. One application of the Internet of Things is home automation systems.
Such a system can connect household devices that control, for example Such a system can connect household devices that control, for
heating, ventilation, lighting, home entertainment, and home security example, heating, ventilation, lighting, home entertainment, and home
to the Internet making them remotely accessible and manageable. security to the Internet making them remotely accessible and
manageable.
Such a system needs to accommodate a number of regular users Such a system needs to accommodate a number of regular users
(inhabitants, close friends, cleaning personnel) as well as a (inhabitants, close friends, cleaning personnel) as well as a
heterogeneous group of dynamically varying users (visitors, heterogeneous group of dynamically varying users (visitors,
repairmen, delivery men). repairmen, delivery men).
As the users are not typically trained in security (or even computer As the users are not typically trained in security (or even computer
use), the configuration must use secure default settings, and the use), the configuration must use secure default settings, and the
interface must be well adapted to novice users. interface must be well adapted to novice users.
2.2.1. Controlling the Smart Home Infrastructure 2.2.1. Controlling the Smart Home Infrastructure
Alice and Bob own a flat which is equipped with home automation Alice and Bob own a flat that is equipped with home automation
devices such as HVAC and shutter control, and they have a motion devices such as HVAC and shutter control, and they have a motion
sensor in the corridor which controls the light bulbs there (U2.5). sensor in the corridor that controls the light bulbs there (U2.5).
Alice and Bob can control the shutters and the temperature in each Alice and Bob can control the shutters and the temperature in each
room using either wall-mounted touch panels or an internet connected room using either wall-mounted touch panels or an Internet connected
device (e.g. a smartphone). Since Alice and Bob both have a full- device (e.g., a smartphone). Since Alice and Bob both have full-time
time job, they want to be able to change settings remotely, e.g. turn jobs, they want to be able to change settings remotely, e.g., turn up
up the heating on a cold day if they will be home earlier than the heating on a cold day if they will be home earlier than expected
expected (U2.5). (U2.5).
The couple does not want people in radio range of their devices, e.g. The couple does not want people in radio range of their devices,
their neighbors, to be able to control them without authorization. e.g., their neighbors, to be able to control them without
Moreover, they don't want burglars to be able to deduce behavioral authorization. Moreover, they don't want burglars to be able to
patterns from eavesdropping on the network (U2.8). deduce behavioral patterns from eavesdropping on the network (U2.8).
2.2.2. Seamless Authorization 2.2.2. Seamless Authorization
Alice buys a new light bulb for the corridor and integrates it into Alice buys a new light bulb for the corridor and integrates it into
the home network, i.e. makes resources known to other devices in the the home network, i.e., makes resources known to other devices in the
network. Alice makes sure that the new light bulb and her other network. Alice makes sure that the new light bulb and her other
devices in the network get to know the authorization policies for the devices in the network get to know the authorization policies for the
new device. Bob is not at home, but Alice wants him to be able to new device. Bob is not at home, but Alice wants him to be able to
control the new device with his devices (e.g. his smartphone) without control the new device with his devices (e.g., his smartphone)
the need for additional administration effort (U2.7). She provides without the need for additional administration effort (U2.7). She
the necessary configurations for that (U2.9, U2.10). provides the necessary configurations for that (U2.9, U2.10).
2.2.3. Remotely Letting in a Visitor

Alice and Bob have equipped their home with automated connected door-
locks and an alarm system at the door and the windows. The couple
can control this system remotely.

Alice and Bob have invited Alice's parents over for dinner, but are
stuck in traffic and cannot arrive in time; whereas Alice's parents
are using the subway and will arrive punctually. Alice calls her
parents and offers to let them in remotely, so they can make
themselves comfortable while waiting (U2.1, U2.6). Then, Alice sets
temporary permissions that allow them to open the door and shut down
the alarm (U2.2). She wants these permissions to be only valid for
the evening since she does not like it if her parents are able to
enter the house as they see fit (U2.3, U2.4).

When Alice's parents arrive at Alice and Bob's home, they use their
smartphone to communicate with the door-lock and alarm system (U2.5,
U2.9). The permissions Alice issued to her parents only allow
limited access to the house (e.g., opening the door, turning on the
lights). Certain other functions, such as checking the footage from
the surveillance cameras, are not accessible to them (U2.3).

Alice and Bob also issue similarly restricted permissions to, e.g.,
cleaners, repairmen, or their nanny (U2.3).
2.2.4. Selling the House

Alice and Bob have to move because Alice is starting a new job. They
therefore decide to sell the house and transfer control of all
automated services to the new owners (U2.11). Before doing so, they
want to erase privacy-relevant data from the logs of the automated
systems, while the new owner is interested in keeping some historic
data, e.g., pertaining to the behavior of the heating system (U2.12).
At the time of transfer of ownership of the house, the new owners
also want to make sure that permissions issued by the previous owners
to access the house or connected devices (in the case where device
management may have separate permissions from house access) are no
longer valid (U2.13).
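The evening-only permissions of Section 2.2.3 and the ownership transfer of Section 2.2.4 can be modelled with a small policy store, shown here as an added example that is not part of RFC 7744 or any ACE implementation. The principal names, device names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Permission:
    """One grant: issuer allows subject to perform actions on device
    only inside the half-open window [not_before, not_after)."""
    issuer: str
    subject: str
    device: str
    actions: frozenset
    not_before: datetime
    not_after: datetime


@dataclass
class HomeAuthorizationServer:
    """Constructed stand-in for the home's policy decision point."""
    owners: set
    permissions: list = field(default_factory=list)

    def grant(self, issuer, subject, device, actions, not_before, not_after):
        # Only a current owner may issue permissions (U2.2, U2.6).
        if issuer not in self.owners:
            raise PermissionError(f"{issuer} is not a current owner")
        if not_after <= not_before:
            raise ValueError("validity window is empty")
        self.permissions.append(Permission(issuer, subject, device,
                                           frozenset(actions),
                                           not_before, not_after))

    def is_authorized(self, subject, device, action, now):
        # Default deny: a request succeeds only if some permission matches
        # subject, device and action, is inside its time window (U2.4), and
        # was issued by someone who is still an owner (U2.13).
        return any(
            p.subject == subject and p.device == device
            and action in p.actions
            and p.not_before <= now < p.not_after
            and p.issuer in self.owners
            for p in self.permissions)

    def transfer_ownership(self, new_owners):
        # U2.11/U2.13: the old owners lose issuing rights, so their grants
        # stop being honoured; the records stay for later audit.
        self.owners = set(new_owners)


def run_scenario():
    """Replays Sections 2.2.3 and 2.2.4 and returns the access decisions."""
    evening_start = datetime(2015, 10, 23, 18, 0)
    evening_end = datetime(2015, 10, 23, 23, 59)
    arrival = datetime(2015, 10, 23, 19, 15)      # parents at the door
    next_day = arrival + timedelta(days=1)
    home = HomeAuthorizationServer(owners={"alice", "bob"})

    # Alice, from her phone, grants her parents evening-only access to the
    # door lock and the alarm (U2.1, U2.2, U2.4, U2.6).
    home.grant("alice", "parents", "front-door-lock", {"unlock"},
               evening_start, evening_end)
    home.grant("alice", "parents", "alarm", {"disarm"},
               evening_start, evening_end)
    # A standing one-year grant for the cleaner (U2.3).
    home.grant("bob", "cleaner", "front-door-lock", {"unlock"},
               evening_start, evening_start + timedelta(days=365))

    decisions = {
        "parents_unlock_evening": home.is_authorized(
            "parents", "front-door-lock", "unlock", arrival),
        "parents_disarm_evening": home.is_authorized(
            "parents", "alarm", "disarm", arrival),
        # No grant covers the cameras, so the footage stays private (U2.3).
        "parents_camera_evening": home.is_authorized(
            "parents", "camera", "view-footage", arrival),
        # The same grant is useless the following day (U2.4).
        "parents_unlock_next_day": home.is_authorized(
            "parents", "front-door-lock", "unlock", next_day),
        "cleaner_before_sale": home.is_authorized(
            "cleaner", "front-door-lock", "unlock", next_day),
    }
    # A non-owner cannot create grants at all.
    try:
        home.grant("mallory", "mallory", "front-door-lock", {"unlock"},
                   evening_start, evening_end)
        decisions["non_owner_grant_rejected"] = False
    except PermissionError:
        decisions["non_owner_grant_rejected"] = True
    # The house is sold (U2.11): Carol becomes the owner and every grant
    # issued by Alice or Bob is no longer valid (U2.13).
    home.transfer_ownership({"carol"})
    decisions["cleaner_after_sale"] = home.is_authorized(
        "cleaner", "front-door-lock", "unlock", next_day)
    return decisions
```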
2.2.5. Authorization Problems Summary

U2.1:  A home owner (Alice and Bob in the example above) wants to
       spontaneously provision authorization means to visitors.

U2.2:  A home owner wants to spontaneously change the home's access
       control policies.

U2.3:  A home owner wants to apply different access rights for
       different users (including other inhabitants).

U2.4:  The home owners want to grant access permissions to someone
       during a specified time frame.

U2.5:  The smart home devices need to be able to securely
       communicate with different control devices (e.g., wall-
       mounted touch panels, smartphones, electronic key fobs, and
       device gateways).

U2.6:  The home owner wants to be able to configure authorization
       policies remotely.

U2.7:  Authorized users want to be able to obtain access with little
       effort.

U2.8:  The owners of the automated home want to prevent unauthorized
       entities from being able to deduce behavioral profiles from
       devices in the home network.

U2.9:  Usability is particularly important in this scenario since
       the necessary authorization-related tasks in the life cycle
       of the device (commissioning, operation, maintenance, and
       decommissioning) likely need to be performed by the home
       owners who, in most cases, have little knowledge of security.

U2.10: Home owners want their devices to seamlessly (and in some
       cases even unnoticeably) fulfill their purpose. Therefore,
       the authorization administration effort needs to be kept at a
       minimum.

U2.11: Home owners want to be able to transfer ownership of their
       automated systems when they sell the house.

U2.12: Home owners want to be able to sanitize the logs of the
       automated systems when transferring ownership without
       deleting important operational data.

U2.13: When a transfer of ownership occurs, the new owner wants to
       make sure that access rights created by the previous owner
       are no longer valid.
2.3. Personal Health Monitoring

Personal health monitoring devices, i.e., eHealth devices, are
typically battery-driven and located physically on or in the user to
monitor some bodily function, such as temperature, blood pressure, or
pulse rate. These devices typically connect to the Internet through
an intermediary base station, using wireless technologies, and through
this connection they report the monitored data to some entity, which
may either be the user or a medical caregiver.

Medical data has always been considered very sensitive, and therefore
requires good protection against unauthorized disclosure. A
frequent, conflicting requirement is the capability for medical
personnel to gain emergency access, even if no specific access rights
exist. As a result, the importance of secure audit logs increases in
such scenarios.

Since the users are not typically trained in security (or even
computer use), the configuration must use secure default settings,
and the interface must be well adapted to novice users. Parts of the
system must operate with minimal maintenance. In particular, frequent
changes of battery are unacceptable.

There is a plethora of wearable health monitoring technology, and the
need for open industry standards to ensure interoperability between
products has led to initiatives such as Continua Alliance
<http://continuaalliance.org> and Personal Connected Health Alliance
<http://www.pchalliance.org>.
2.3.1. John and the Heart Rate Monitor

John has a heart condition that can result in sudden cardiac arrests.
He therefore uses a device called "HeartGuard" that monitors his
heart rate and his location (U3.7). In the event of a cardiac
arrest, it automatically sends an alarm to an emergency service,
transmitting John's current location (U3.1). Either the device has
long-range connectivity itself (e.g., via GSM) or it uses some
intermediary, nearby device (e.g., John's smartphone) to transmit
such an alarm. To ensure John's safety, the device is expected to be
in constant operation (U3.3, U3.6).

The device includes an authentication mechanism to prevent other
persons who get physical access to it from acting as the owner and
altering the access control and security settings (U3.8).

John can configure a list of people that get notified in an
emergency, for example his daughter Jill. Furthermore, the device
stores data on John's heart rate, which can later be accessed by a
physician to assess the condition of John's heart (U3.2).

However, John is a privacy-conscious person and is worried that Jill
might use HeartGuard to monitor his location even when there is no
emergency. Furthermore, he doesn't want his health insurance to get
access to the HeartGuard data, or even to the fact that he is wearing
a HeartGuard, since they might refuse to renew his insurance if they
decided he was too great of a risk for them (U3.8).

Finally, John, while being comfortable with modern technology and
able to operate it reasonably well, is not trained in computer
security. Therefore, he needs an interface for the configuration of
the HeartGuard security that is easy to understand and use (U3.5).
If John does not understand the meaning of a setting, he tends to
leave it alone, assuming that the manufacturer has initialized the
device to secure settings (U3.4).

Note: Monitoring of some state parameter (e.g., an alarm button) and
the position of a person also fits well into a nursing service
context. This is particularly useful for people suffering from
dementia, where the relatives or caregivers need to be notified of
the whereabouts of the person under certain conditions. In that
case, it is not the patient that decides about access.
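Section 2.3 asks for emergency access even where no standing right exists, and for audit logs that make such access reviewable afterwards. The following added example (not code from RFC 7744 or from any HeartGuard product) models John's configuration from Section 2.3.1 with a break-glass rule and a hash-chained decision log; requester names, the resource names and the "medical:" role prefix are constructed, and requesters are assumed to be authenticated before they reach this logic.

```python
import hashlib
import json

# Standing rights John configured on the device (U3.2); constructed sample
# of (requester, resource) pairs.
STANDING_RIGHTS = {
    ("physician", "heart-rate-history"),
    ("jill", "location"),
}
# Rights John pre-configured to apply only during an emergency (U3.1), so
# that Jill cannot follow his location at other times (U3.8).
EMERGENCY_ONLY = {("jill", "location")}
GENESIS = "0" * 64


def entry_hash(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()


class HeartGuardAuthz:
    """Constructed stand-in for the device's access decision logic."""

    def __init__(self):
        self.emergency = False
        self.audit = []          # hash-chained log of every decision
        self.head = GENESIS      # hash of the latest entry

    def _log(self, **event):
        entry = dict(event, seq=len(self.audit), prev=self.head)
        entry["hash"] = entry_hash(entry)
        self.audit.append(entry)
        self.head = entry["hash"]

    def set_emergency(self, active):
        self.emergency = active
        self._log(type="emergency", active=active)

    def authorize(self, requester, resource, medical_break_glass=False):
        """Returns the decision and records it in the audit log."""
        key = (requester, resource)
        if key in STANDING_RIGHTS and (key not in EMERGENCY_ONLY
                                        or self.emergency):
            decision = "allow"
        elif medical_break_glass and requester.startswith("medical:"):
            # Emergency access without a standing right: granted, but made
            # conspicuous in the log so it can be reviewed afterwards.
            decision = "allow-break-glass"
        else:
            decision = "deny"
        self._log(type="access", requester=requester, resource=resource,
                  decision=decision)
        return decision


def verify_audit(audit, expected_head):
    """True iff every entry hashes correctly, links to its predecessor and
    the chain ends at expected_head, which the verifier must obtain from
    the device through an independent channel."""
    prev = GENESIS
    for i, entry in enumerate(audit):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False
        if entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return prev == expected_head


def run_scenario():
    dev = HeartGuardAuthz()
    out = {}
    out["jill_calm"] = dev.authorize("jill", "location")             # U3.8
    out["insurer"] = dev.authorize("insurer", "heart-rate-history")
    out["physician"] = dev.authorize("physician", "heart-rate-history")
    dev.set_emergency(True)                      # cardiac arrest detected
    out["jill_emergency"] = dev.authorize("jill", "location")         # U3.1
    out["paramedic"] = dev.authorize("medical:paramedic",
                                     "heart-rate-history",
                                     medical_break_glass=True)
    out["chain_ok"] = verify_audit(dev.audit, dev.head)
    # Someone later tries to hide the break-glass access by rewriting the
    # last entry and recomputing its hash; the head no longer matches.
    tampered = [dict(e) for e in dev.audit]
    tampered[-1]["decision"] = "deny"
    tampered[-1]["hash"] = entry_hash(tampered[-1])
    out["tamper_detected"] = not verify_audit(tampered, dev.head)
    return out
```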
2.3.2. Authorization Problems Summary

U3.1: The wearer of an eHealth device (John in the example above)
      wants to preconfigure special access rights in the context of
      an emergency.

U3.2: The wearer of an eHealth device wants to selectively allow
      different persons or groups access to medical data.

U3.3: Battery changes are very inconvenient and sometimes
      impractical, so the impact of the authorization mechanisms on
      battery life needs to be minimized.

U3.4: Devices are often used with default access control settings
      that might threaten the security objectives of the device's
      users.

U3.5: Wearers of eHealth devices are often not trained in computer
      use, especially computer security.

U3.6: Security mechanisms themselves could provide opportunities for
      denial-of-service (DoS) attacks, especially on the constrained
      devices.

U3.7: The device provides a service that can be fatal for the wearer
      if it fails. Accordingly, the wearer wants the device to have
      a high degree of resistance against attacks that may cause the
      device to fail to operate partially or completely.

U3.8: The wearer of an eHealth device requires the integrity and
      confidentiality of the data measured by the device.
2.4. Building Automation

Buildings for commercial use such as shopping malls or office
buildings nowadays are increasingly equipped with semi-automatic
components to enhance the overall living quality and to save energy
where possible. This includes, for example, heating, ventilation,
and air conditioning (HVAC) as well as illumination and security
systems such as fire alarms. These components are increasingly
managed centrally in a Building and Lighting Management System (BLMS)
by a facility manager.

Different areas of these buildings are often exclusively leased to
different companies. However, they also share some of the common
areas of the building. Accordingly, a company must be able to
control the lighting and HVAC system of its own part of the building
and must not have access to control rooms that belong to other
companies.

Some parts of the building automation system such as entrance
illumination and fire-alarm systems are controlled either by all
parties together or by a facility-management company.
2.4.1. Device Life Cycle

2.4.1.1. Installation and Commissioning

Installation of the building automation components often starts even
before the construction work is completed. Lighting is one of the
first components to be installed in new buildings. A lighting plan
created by a lighting designer provides the necessary information
related to the kind of lighting devices (luminaires, sensors, and
switches) to be installed along with their expected behavior. The
physical installation of the correct lighting devices at the right
locations is done by electricians based on the lighting plan. They
ensure that the electrical wiring is performed according to local
regulations and that lighting devices, which may be from multiple
manufacturers, are connected to the electrical power supply properly.

After the installation, lighting can be used in a default out-of-box
mode, e.g., at full brightness when powered on. After this step (or
in parallel in a different section of the building), a lighting
commissioner adds the devices to the building domain (U4.1) and
performs the proper configuration of the lights as prescribed in the
lighting plan. This involves, for example, grouping to ensure that
light points react together, more or less synchronously (U4.8), and
defining lighting scenes for particular areas of the building. The
commissioning is often done in phases, either by one or more
commissioners, on different floors. The building lighting network at
this stage may be in different network islands with no connectivity
between them due to lack of the IT infrastructure.

After this, other building components, like HVAC and security
systems, are similarly installed by electricians and later
commissioned by their respective domain professionals. Similar
configurations related to grouping (U4.8) are required to ensure,
e.g., that HVAC equipment is controlled by the closest temperature
sensor.

For the building IT systems, the Ethernet wiring is initially laid
out in the building according to the IT plan. The IT network is
often commissioned after the construction is completed to avoid any
damage to sensitive networking and computing equipment. The
commissioning is performed by an IT engineer with additional switches
(wired and/or wireless), IP routers, and computing devices. Direct
Internet connectivity for all installed/commissioned devices in the
building is only available at this point. The BLMS that monitors and
controls the various building automation components is only connected
to the field devices at this stage. The different network islands
(for lighting and HVAC) are also joined together without any further
involvement of domain specialists, such as lighting or HVAC
commissioners.
2.4.1.2. Operational

The building automation system is now finally ready, and the
operational access is transferred to the facility-management company
of the building (U4.2). The facility manager is responsible for
monitoring and ensuring that the building automation system meets the
needs of the building occupants. If changes are needed, the
facility-management company hires an external installation and
commissioning company to perform the changes.

Different parts of the building are rented out to different companies
for office space. The tenants are provided access to use the
automated HVAC, lighting, and physical access control systems
deployed. The safety of the occupants is also managed using
automated systems, such as a fire-alarm system, which is triggered by
several smoke detectors that are spread out across the building.

Company A's staff moves into the newly furnished office space. Most
lighting is controlled by presence sensors that control the lighting
of a specific group of lights based on the authorization rules in the
BLMS. Additionally, employees are allowed to manually override the
lighting brightness and color in their offices by using the switches
or handheld controllers. Such changes are allowed only if the
authorization rules exist in the BLMS. For example, lighting in the
corridors may not be manually adjustable.

At the end of the day, lighting is dimmed or switched off if no
occupancy is detected, even if manually overridden during the day.

On a later date, Company B also moves into the same building, and
shares some of the common spaces and associated building automation
components with Company A (U4.2, U4.9).
2.4.1.3. Maintenance

Company A's staff is annoyed that the lighting switches off too often
in their rooms if they work silently in front of their computers.
Company A notifies the facility manager of the building to increase
the delay before lights switch off. The facility manager can either
configure the new values directly in the BLMS or, if additional
changes are needed on the field devices, hire commissioning Company C
to perform the needed changes (U4.4).

Company C gets the necessary authorization from the facility-
management company to interact with the BLMS. The commissioner's
tool gets the necessary authorization from the BLMS to send a
configuration change to all lighting devices in Company A's offices
to increase the delay before they switch off.

At some point, the facility-management company wants to update the
firmware of lighting devices in order to eliminate software bugs.
Before accepting the new firmware, each device checks the
authorization of the facility-management company to perform this
update (U4.13).

A network-diagnostic tool of the BLMS detects that a luminaire in one
of Company A's offices is no longer connected to the network. The
BLMS alerts the facility manager to replace the luminaire. The
facility manager replaces the old broken luminaire and informs the
BLMS of the identity (e.g., the Media Access Control (MAC) address)
of the newly added device. Then, the BLMS authorizes the new device
in the system and seamlessly transfers all the permissions of the
previous broken device to the replacement device (U4.12).
2.4.1.4. Recommissioning 2.4.1.4. Recommissioning
A vacant area of the building has been recently leased to company A.
A vacant area of the building has recently been leased to Company A.
Before moving into its new office, Company A wishes to replace the Before moving into its new office, Company A wishes to replace the
lighting with a more energy efficient and a better light quality lighting with more energy efficient and better light quality
luminaries. They hire an installation and commissioning company C to luminaries. They hire an installation and commissioning Company C to
redo the illumination. Company C is instructed to integrate the new redo the illumination. Company C is instructed to integrate the new
lighting devices, which may be from multiple manufacturers, into the lighting devices, which may be from multiple manufacturers, into the
existing lighting infrastructure of the building which includes existing lighting infrastructure of the building, which includes
presence sensors, switches, controllers etc (U4.1). presence sensors, switches, controllers, etc. (U4.1).

Company C gets the necessary authorization from the facility-management
company to interact with the existing BLMS (U4.4). To prevent
disturbance to other occupants of the building, Company C is provided
authorization to perform the commissioning only during non-office hours
and only to modify configuration on devices belonging to the domain of
Company A's space (U4.5). Before removing existing devices, all
security and configuration material that belongs to the domain is
deleted and the devices are set back to factory state (U4.3). This
ensures that these devices may be reused at other installations or in
other parts of the same building without affecting future operations.
After installation (wiring) of the new lighting devices, the
commissioner adds the devices into Company A's lighting domain.

Once the devices are in the correct domain, the commissioner
authorizes the interaction rules between the new lighting devices and
existing devices, like presence sensors (U4.7). For this, the
commissioner creates the authorization rules on the BLMS that define
which lights form a group and which sensors/switches/controllers are
allowed to control which groups (U4.8). These authorization rules
may be context based, like time of the day (office or non-office
hours) or location of the handheld lighting controller, etc. (U4.5).

2.4.1.5. Decommissioning

Company A has noticed that the handheld controllers are often
misplaced and hard to find when needed. So most of the time, staff
use the existing wall switches for manual control. Company A decides
it would be better to completely remove handheld controllers and asks
Company C to decommission them from the lighting system (U4.4).

Company C again gets the necessary authorization from the
facility-management company to interact with the BLMS. The
commissioner now deletes any rules that allowed handheld controllers
authorization to control the lighting (U4.3, U4.6). Additionally, the
commissioner instructs the BLMS to push these new rules to prevent
cached rules at the end devices from being used. Any cryptographic key
material belonging to the site in the handheld controllers is also
removed, and they are set to the factory state (U4.3).

2.4.2. Public Safety

As part of the building safety code, the fire department requires
that the building have sensors that sense the level of smoke, heat,
etc., when a fire breaks out. These sensors report metrics that are
then used by a back-end server to map safe areas and unsafe areas
within a building and possibly the structural integrity of the
building before firefighters may enter it.

Sensors may also be used to track where human/animal activity is
within the building. This will allow people stuck in the building to
be guided to safer areas and allow the suggestion of possible actions
that they may take (e.g., using a client application on their phones
or giving loudspeaker directions) in order to bring them to safety.
In certain cases, other organizations such as the police, ambulance,
and federal organizations are also involved and therefore the
coordination of tasks between the various entities have to be carried
out using efficient messaging and authorization mechanisms.

2.4.2.1. A Fire Breaks Out

James, who works for Company A, turns on the air conditioning in his
office on a really hot day. Lucy, who works for Company B, wants to
make tea using an electric kettle. After she turns it on, she goes
outside to talk to a colleague until the water is boiling.
Unfortunately, her kettle has a malfunction that causes overheating
and results in a smoldering fire of the kettle's plastic case.

Due to the smoke coming from the kettle, the fire alarm is triggered.
Alarm sirens throughout the building are switched on simultaneously
(using a group communication scheme) to alert the staff of both
companies (U4.8). Additionally, the ventilation system of the whole
building is closed off to prevent the smoke from spreading and to
withdraw oxygen from the fire. The smoke cannot get into James'
office, even though he turned on his air conditioning, because the
fire alarm overrides the manual setting by sending commands (using
group communication) to switch off all the air conditioning (U4.10).

The fire department is notified of the fire automatically and arrives
within a short time. They automatically get access to all parts of
the building according to an emergency authorization policy (U4.4,
U4.5). After inspecting the damage and extinguishing the smoldering
fire, a firefighter resets the fire alarm because only the fire
department is authorized to do that (U4.4, U4.11).

2.4.3. Authorization Problems Summary

U4.1:  During commissioning, the building owner or the companies add
       new devices to their administrative domain. Access control
       should then apply to these devices seamlessly.

U4.2:  During a handover, the building owner or the companies
       integrate devices that formerly belonged to a different
       administrative domain to their own administrative domain.
       Access control of the old domain should then cease to apply,
       with access control of the new domain taking over.

U4.3:  During decommissioning, the building owner or the companies
       remove devices from their administrative domain. Access
       control should cease to apply to these devices and relevant
       credentials need to be erased from the devices.

U4.4:  The building owner and the companies want to be able to
       delegate specific access rights for their devices to others.

U4.5:  The building owner and the companies want to be able to
       define context-based authorization rules.

U4.6:  The building owner and the companies want to be able to
       revoke granted permissions and delegations.

U4.7:  The building owner and the companies want to allow authorized
       entities to send data to their endpoints (default deny).

U4.8:  The building owner and the companies want to be able to
       authorize a device to control several devices at the same
       time using a group communication scheme.

U4.9:  The companies want to be able to interconnect their own
       subsystems with those from a different operational domain
       while keeping the control over the authorizations (e.g.,
       granting and revoking permissions) for their endpoints and
       devices.

U4.10: The authorization mechanisms must be able to cope with
       extremely time-sensitive operations that have to be carried
       out quickly.

U4.11: The building owner and the public safety authorities want to
       be able to perform data origin authentication on messages
       sent and received by some of the systems in the building.

U4.12: The building owner should be allowed to replace an existing
       device with a new device providing the same functionality
       within their administrative domain. Access control from the
       replaced device should then apply to these new devices
       seamlessly.

U4.13: When software on a device is updated, this update needs to be
       authenticated and authorized.
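The BLMS rules described in the recommissioning, decommissioning and fire scenarios above, modelled as an added Python example that is not part of this document: default deny (U4.7), group control rules (U4.8), a time-of-day context constraint (U4.5), an emergency override for fire department equipment (U4.4, U4.10), revocation that only reaches a luminaire once the BLMS pushes the new rule set (U4.6), and device replacement (U4.12). Device ids, domain names, the 08:00-17:59 office-hours window and the deep-copy "push" are constructed assumptions.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example (not from the RFC): toy model of the BLMS rules from the building
# automation use case; ids, domains and the office-hours window are constructed.
OFFICE_HOURS = range(8, 18)          # assumption: 08:00-17:59 is office time
EMERGENCY_DOMAIN = "fire-department"


@dataclass(frozen=True)
class Rule:
    """Lets every device of controller_kind in domain control one group."""
    rule_id: str
    domain: str
    controller_kind: str             # "switch", "sensor", "handheld", ...
    group: str                       # luminaire group defined on the BLMS (U4.8)
    office_hours_only: bool = False  # context constraint (U4.5)


class BLMS:
    """Building Lighting Management System: domains, groups and rules."""
    def __init__(self) -> None:
        self.domain: Dict[str, str] = {}       # device id -> administrative domain
        self.kind: Dict[str, str] = {}         # device id -> device kind
        self.groups: Dict[str, Set[str]] = {}  # group name -> luminaire ids
        self.rules: Dict[str, Rule] = {}

    def add_device(self, device_id: str, domain: str, kind: str) -> None:
        self.domain[device_id], self.kind[device_id] = domain, kind  # commissioning (U4.1)

    def remove_device(self, device_id: str) -> None:
        self.domain.pop(device_id, None)       # decommissioning: forget it everywhere (U4.3)
        self.kind.pop(device_id, None)
        for members in self.groups.values():
            members.discard(device_id)

    def replace_device(self, old_id: str, new_id: str) -> None:
        """The replacement inherits domain, kind and group memberships (U4.12)."""
        domain, kind = self.domain[old_id], self.kind[old_id]
        groups = [g for g, m in self.groups.items() if old_id in m]
        self.remove_device(old_id)
        self.add_device(new_id, domain, kind)
        for g in groups:
            self.groups[g].add(new_id)

    def define_group(self, group: str, domain: str, members: List[str]) -> None:
        """A commissioner may only group devices of its own domain (U4.5)."""
        if any(self.domain.get(d) != domain for d in members):
            raise PermissionError("group may only contain devices of " + domain)
        self.groups[group] = set(members)

    def add_rule(self, rule: Rule) -> None:
        self.rules[rule.rule_id] = rule

    def revoke_rule(self, rule_id: str) -> None:
        self.rules.pop(rule_id, None)          # U4.6; end devices see it after push()

    def decide(self, controller_id: str, target_id: str, hour: int,
               emergency: bool = False) -> bool:
        """Default deny (U4.7): allowed only when an explicit rule matches."""
        if emergency and self.domain.get(controller_id) == EMERGENCY_DOMAIN:
            return True          # emergency authorization policy (U4.4, U4.10)
        cdom, tdom = self.domain.get(controller_id), self.domain.get(target_id)
        if cdom is None or tdom is None or cdom != tdom:
            return False         # unknown device or cross-domain command
        for rule in self.rules.values():
            if rule.domain != cdom or rule.controller_kind != self.kind[controller_id]:
                continue
            if target_id not in self.groups.get(rule.group, set()):
                continue
            if rule.office_hours_only and hour not in OFFICE_HOURS:
                continue         # context constraint not met (U4.5)
            return True
        return False

    def push(self, devices: List["EndDevice"]) -> None:
        """Distribute the current rules so stale cached copies stop being used."""
        for dev in devices:
            dev.cached = copy.deepcopy(self)


class EndDevice:
    """A luminaire deciding locally from its cached copy of the BLMS rules."""
    def __init__(self, device_id: str, blms: BLMS) -> None:
        self.device_id, self.cached = device_id, copy.deepcopy(blms)

    def accept(self, controller_id: str, hour: int, emergency: bool = False) -> bool:
        return self.cached.decide(controller_id, self.device_id, hour, emergency)


def build_site() -> BLMS:
    """Constructed site: Company A's luminaires, wall switch and handheld."""
    b = BLMS()
    for dev, kind in [("L1", "luminaire"), ("L2", "luminaire"), ("S1", "switch"),
                      ("H1", "handheld")]:
        b.add_device(dev, "companyA", kind)
    b.add_device("S2", "companyB", "switch")       # neighbouring tenant's switch
    b.add_device("F1", EMERGENCY_DOMAIN, "unit")   # fire department equipment
    b.define_group("A-open-plan", "companyA", ["L1", "L2"])
    b.add_rule(Rule("r-switch", "companyA", "switch", "A-open-plan"))
    b.add_rule(Rule("r-handheld", "companyA", "handheld", "A-open-plan", True))
    return b
```

The interesting case is the gap between `revoke_rule` on the BLMS and `push` to the luminaires: until the push, an `EndDevice` still honours the revoked handheld rule from its cache, which is exactly why the commissioner in the decommissioning scenario has the BLMS push the new rules.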

2.5. Smart Metering

Automated measuring of customer consumption is an established
technology for electricity, water, and gas providers. Increasingly,
these systems also feature networking capability to allow for remote
management. Such systems are in use for commercial, industrial, and
residential customers and require a certain level of security, in
order to avoid economic loss to the providers, vulnerability of the
distribution system, as well as disruption of services for the
customers.

The smart metering equipment for gas and water solutions is
battery-driven and communication should be used sparingly due to
battery consumption. Therefore, these types of meters sleep most of
the time, and only wake up every minute/hour to check for incoming
instructions. Furthermore, they wake up a few times a day (based on
their configuration) to upload their measured metering data.

Different networking topologies exist for smart metering solutions.
Based on environment, regulatory rules, and expected cost, one or a
mixture of these topologies may be deployed to collect the metering
information. Drive-by metering is one of the most current solutions
deployed for collection of gas and water meters.

Various stakeholders have a claim on the metering data. Utility
companies need the data for accounting, the metering equipment may be
operated by a third-party service operator who needs to maintain it,
and the equipment is installed in the premises of the consumers,
measuring their consumption, which entails privacy questions.

2.5.1. Drive-By Metering

A service operator offers smart metering infrastructures and related
services to various utility companies. Among these is a water
provider, who in turn supplies several residential complexes in a
city. The smart meters are installed in the end customer's homes to
measure water consumption and thus generate billing data for the
utility company. They can also be used to shut off the water if the
bills are not paid (U5.1, U5.3). The meters do this by sending and
receiving data to and from a base station (U5.2). Several base
stations are installed around the city to collect the metering data.
However, in the denser urban areas, the base stations would have to
be installed very close to the meters. This would require a high
number of base stations and expose this more expensive equipment to
manipulation or sabotage. The service operator has therefore chosen
another approach, which is to drive around with a mobile base station
and let the meters connect to that in regular intervals in order to
gather metering data (U5.4, U5.6, U5.8).

2.5.2. Meshed Topology

In another deployment, the water meters are installed in a building
that already has power meters installed, the latter are mains
powered, and are therefore not subject to the same power saving
restrictions. The water meters can therefore use the power meters as
proxies, in order to achieve better connectivity. This requires the
security measures on the water meters to work through intermediaries
(U5.9).

2.5.3. Advanced Metering Infrastructure

A utility company is updating its old utility distribution network
with advanced meters and new communication systems, known as an
Advanced Metering Infrastructure (AMI). AMI refers to a system that
measures, collects, and analyzes usage, and interacts with metering
devices such as electricity meters, gas meters, heat meters, and
water meters, through various communication media either on request
(on-demand) or on predefined schedules. Based on this technology,
new services make it possible for consumers to control their utility
consumption (U5.2, U5.7) and reduce costs by supporting new tariff
models from utility companies, and more accurate and timely billing.
However, the end consumers do not want unauthorized persons to gain
access to this data. Furthermore, the fine-grained measurement of
consumption data may induce privacy concerns, since it may allow
others to create behavioral profiles (U5.5, U5.10).

The technical solution is based on levels of data aggregation between
smart meters located at the consumer premises and the Meter Data
Management (MDM) system located at the utility company (U5.9). For
reasons of efficiency and cost, end-to-end connectivity is not always
feasible, so metering data is stored and aggregated in various
intermediate devices before being forwarded to the utility company,
and in turn accessed by the MDM. The intermediate devices may be
operated by a third-party service operator on behalf of the utility
company (U5.7). One responsibility of the service operator is to
make sure that meter readings are performed and delivered in a
regular, timely manner. An example of a Service Level Agreement
between the service operator and the utility company is, for example,
at least 95% of the meters have readings recorded during the last 72
hours.

2.5.4. Authorization Problems Summary

U5.1:  Devices are installed in hostile environments where they are
       physically accessible by attackers (including dishonest
       customers). The service operator and the utility company
       want to make sure that an attacker cannot use data from a
       captured device to attack other parts of their
       infrastructure.

U5.2:  The utility company wants to control which entities are
       allowed to send data to, and read data from, their endpoints.

U5.3:  The utility company wants to ensure the integrity of the data
       stored on their endpoints.

U5.4:  The utility company wants to protect such data transfers to
       and from their endpoints.

U5.5:  Consumers want to access their own usage information and also
       prevent unauthorized access by others.

U5.6:  The devices may have intermittent Internet connectivity but
       still need to enact the authorization policies of their
       principals.

U5.7:  Neither the service operator nor the utility company are
       always present at the time of access and cannot manually
       intervene in the authorization process.

U5.8:  When authorization policies are updated it is impossible, or
       at least very inefficient to contact all affected endpoints
       directly.

U5.9:  Authorization and authentication must work even if messages
       between endpoints are stored and forwarded over multiple
       nodes.

U5.10: Consumers may not want the service operator, the utility
       company or others to have access to a fine-grained level of
       consumption data that allows the creation of behavioral
       profiles.
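One way to meet U5.1, U5.3, U5.4 and U5.9 in the meshed and drive-by topologies above, as an added Python example that is not part of this document: each water meter authenticates its readings end to end with a per-meter key, so a power meter or mobile base station acting as store-and-forward proxy holds no key and cannot alter or replay readings without the MDM noticing. The meter ids, readings, JSON encoding, sequence numbers and the derivation of per-meter keys from an MDM master secret are constructed assumptions about such a deployment.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Added example (not from the RFC): end-to-end authentication of meter readings
# across store-and-forward intermediaries.  Keys, meter ids and readings are
# constructed; deriving per-meter keys from an MDM master secret is an
# assumption about the deployment, not something the use case prescribes.
MDM_MASTER_KEY = b"constructed-mdm-master-secret"


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Per-device key: a key pulled from one captured meter authenticates only
    that meter's readings, never those of other meters (U5.1)."""
    return hmac.new(master_key, b"meter-key|" + meter_id.encode(), hashlib.sha256).digest()


def canonical(reading: Dict) -> bytes:
    """Stable byte encoding so meter and MDM authenticate identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def meter_sign(meter_key: bytes, reading: Dict) -> Dict:
    """Meter side: attach an HMAC over the whole reading.  Only the MDM checks
    the tag, so proxies on the path need no key (U5.3, U5.4, U5.9)."""
    tag = hmac.new(meter_key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


class StoreAndForwardProxy:
    """Mains-powered power meter or drive-by base station: buffers messages from
    sleepy water meters and forwards them later, unchanged (U5.6, U5.9)."""
    def __init__(self) -> None:
        self.buffer: List[Dict] = []

    def store(self, msg: Dict) -> None:
        self.buffer.append(msg)

    def forward(self) -> List[Dict]:
        out, self.buffer = self.buffer, []
        return out


class MDM:
    """Utility-side Meter Data Management: verifies every forwarded reading."""
    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key
        self.last_seq: Dict[str, int] = {}     # meter id -> highest accepted seq
        self.accepted: List[Dict] = []

    def verify(self, msg: Dict) -> str:
        reading = msg.get("reading")
        if not isinstance(reading, dict):
            return "malformed"
        meter_id, seq = reading.get("meter_id"), reading.get("seq")
        if not isinstance(meter_id, str) or not isinstance(seq, int):
            return "malformed"
        key = derive_meter_key(self.master_key, meter_id)
        expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "bad-tag"        # forged, keyed for another meter, or modified in transit
        if seq <= self.last_seq.get(meter_id, -1):
            return "replay"         # an intermediary delivered an old reading again
        self.last_seq[meter_id] = seq
        self.accepted.append(reading)
        return "ok"


def run_scenario() -> List[str]:
    """Constructed traffic from two water meters through one proxy, including a
    tampered copy, a replayed copy and a reading made with another meter's key."""
    key17 = derive_meter_key(MDM_MASTER_KEY, "W-17")
    key18 = derive_meter_key(MDM_MASTER_KEY, "W-18")
    r1 = {"meter_id": "W-17", "seq": 1, "ts": "2015-10-01T04:00Z", "litres": 120}
    r2 = {"meter_id": "W-17", "seq": 2, "ts": "2015-10-01T12:00Z", "litres": 131}
    r3 = {"meter_id": "W-18", "seq": 7, "ts": "2015-10-01T12:00Z", "litres": 88}
    m1, m2, m3 = meter_sign(key17, r1), meter_sign(key17, r2), meter_sign(key18, r3)
    tampered = {"reading": dict(r2, litres=5), "tag": m2["tag"]}  # proxy edited the volume
    wrong_key = meter_sign(key17, {"meter_id": "W-18", "seq": 8, "litres": 1})
    proxy = StoreAndForwardProxy()
    for msg in (m1, m2, tampered, m1, m3, wrong_key):   # second m1 is a replay
        proxy.store(msg)
    mdm = MDM(MDM_MASTER_KEY)
    return [mdm.verify(msg) for msg in proxy.forward()]
```

Confidentiality of the readings (U5.5, U5.10) is deliberately out of scope here; an authenticated-encryption construction in place of the plain HMAC would cover it with the same per-meter key layout.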

2.6. Sports and Entertainment

In the area of leisure-time activities, applications can benefit from
the small size and weight of constrained devices. Sensors and
actuators with various functions can be integrated into fitness
equipment, games, and even clothes. Users can carry their devices
around with them at all times.

Usability is especially important in this area since users will often
want to spontaneously interconnect their devices with others.
Therefore, the configuration of access permissions must be simple and
fast and not require much effort at the time of access.

Continuous monitoring allows authorized users to create behavioral
or movement profiles, which corresponds to the devices' intended use,
and unauthorized access to the collected data would allow an attacker
to create the same profiles.

Moreover, the aggregation of data can seriously increase the impact
on the privacy of the users.

2.6.1. Dynamically Connecting Smart Sports Equipment

Jody is an enthusiastic runner. To keep track of her training
progress, she has smart running shoes that measure the pressure at
various points beneath her feet to count her steps, detect
irregularities in her stride, and help her to improve her posture and
running style. On a sunny afternoon, she goes to the Finnbahn track
near her home to work out. She meets her friend Lynn, who shows her
the smart fitness watch she bought a few days ago. The watch can
measure the wearer's pulse, show speed and distance, and keep track
of the configured training program. The girls realize that the watch
can be connected with Jody's shoes and can display the information
the shoes provide.

Jody asks Lynn to let her try the watch and lend it to her for the
afternoon. Lynn agrees, but she doesn't want Jody to access her
training plan (U6.4). She configures the access policies for the
watch so that Jody's shoes are allowed to access the display and
measuring features but cannot read or add training data (U6.1, U6.2).
Jody's shoes connect to Lynn's watch at the press of a button,
because Jody already configured access rights for devices that belong
to Lynn a while ago (U6.3). Jody wants the device to report the data
back to her fitness account while she borrows it, so she allows it to
access her account temporarily.

After an hour, Jody gives the watch back and both girls terminate the
connection between their devices.

2.6.2. Authorization Problems Summary

U6.1:  Sports equipment owners want to be able to grant access rights
       dynamically when needed.

U6.2:  Sports equipment owners want the configuration of access
       rights to work with very little effort.

U6.3:  Sports equipment owners want to be able to preconfigure access
       policies that grant certain access permissions to endpoints
       with certain attributes (e.g., endpoints of a certain user)
       without additional configuration effort at the time of access.

U6.4:  Sports equipment owners want to protect the confidentiality of
       their data for privacy reasons.

2.7. Industrial Control Systems

Industrial control systems (ICS) and especially supervisory control
and data acquisition systems (SCADA) use a multitude of sensors and
actuators in order to monitor and control industrial processes in the
physical world. Example processes include manufacturing, power
generation, and refining of raw materials.
Since the advent of the Stuxnet worm it has become obvious to the Since the advent of the Stuxnet worm, it has become obvious to the
general public how vulnerable these kind of systems are, especially general public how vulnerable these kind of systems are, especially
when connected to the Internet [Karnouskos11]. The severity of these when connected to the Internet [Karnouskos11]. The severity of these
vulnerabilities are exacerbated by the fact that many ICS are used to vulnerabilities are exacerbated by the fact that many ICS are used to
control critical public infrastructure, such as nuclear power, water control critical public infrastructure, such as nuclear power, water
treatment of traffic control. Nevertheless the economical advantages treatment, or traffic control. Nevertheless, the economical
of connecting such systems to the Internet can be significant if advantages of connecting such systems to the Internet can be
appropriate security measures are put in place (U7.5). significant if appropriate security measures are put in place (U7.5).
2.7.1. Oil Platform Control

   An oil platform uses an industrial control system to monitor data and
   control equipment. The purpose of this system is to gather and
   process data from a large number of sensors and control actuators
   such as valves and switches to steer the oil extraction process on
   the platform. Raw data, alarms, reports, and other information are
   also available to the operators, who can intervene with manual
   commands. Many of the sensors are connected to the controlling units
   by direct wire, but the operator is slowly replacing these units by
   wireless ones, since this makes maintenance easier (U7.4).

   Some of the controlling units are connected to the Internet, to allow
   for remote administration, since it is expensive and inconvenient to
   fly in a technician to the platform (U7.3).

   The main interest of the operator is to ensure the integrity of
   control messages and sensor readings (U7.1). Access in some cases
   needs to be restricted, e.g., the operator wants wireless actuators
   only to accept commands by authorized control units (U7.2).

   The owner of the platform also wants to collect auditing information
   for liability reasons (U7.1).

   Different levels of access apply, e.g., for regular operators vs.
   maintenance technicians vs. auditors of the platform (U7.6).
2.7.2. Authorization Problems Summary

   U7.1: The operator of the platform wants to ensure the integrity and
         confidentiality of sensor and actuator data.

   U7.2: The operator wants to ensure that data coming from sensors and
         commands sent to actuators are authentic.

   U7.3: Some devices do not have direct Internet connection, but they
         still need to implement current authorization policies.

   U7.4: Devices need to authenticate the controlling units, especially
         those using a wireless connection.

   U7.5: The execution of unauthorized commands or the failure to
         execute an authorized command in an ICS can lead to
         significant financial damage and threaten the availability of
         critical infrastructure services. Accordingly, the operator
         wants authentication and authorization mechanisms that provide
         a very high level of security.

   U7.6: Different users should have different levels of access to the
         control system (e.g., operator vs. auditor).
3. Security Considerations

   As the use cases listed in this document demonstrate, constrained
   devices are used in various environments. These devices are small
   and inexpensive, and this makes it easy to integrate them into many
   aspects of everyday life. With access to vast amounts of valuable
   data and possible control of important functions, these devices need
   to be protected from unauthorized access. Protecting seemingly
   innocuous data and functions will lessen the possible effects of
   aggregation; attackers collecting data or functions from several
   sources can gain insights or a level of control not immediately
   obvious from each of these sources on its own.

   Not only is the data on the constrained devices themselves
   threatened; the devices might also be abused as an intrusion point to
   infiltrate a network. Once an attacker gains control over the
   device, it can be used to attack other devices as well. Due to their
   limited capabilities, constrained devices appear as the weakest link
   in the network; hence, they pose an attractive target for attackers.

   This section summarizes the security problems highlighted by the use
   cases above and provides guidelines for the design of protocols for
   authentication and authorization in constrained RESTful environments.
3.1. Attacks

   This document lists security problems that users of constrained
   devices want to solve. Further analysis of attack scenarios is not
   in scope of the document. However, there are attacks that must be
   considered by solution developers.

   Because of the expected large number of devices and their ubiquity,
   constrained devices increase the danger from Pervasive Monitoring
   [RFC7258] attacks. Solution designers should consider this in the
   design of their security solution and provide for protection against
   this type of attack. In particular, messages containing sensitive
   data that are sent over unprotected channels should be encrypted if
   possible.

   Attacks aimed at altering data in transit (e.g., to perpetrate fraud)
   are a problem that is addressed in many web security protocols such
   as TLS or IPsec. Developers need to consider these types of attacks,
   and make sure that the protection measures they implement are adapted
   to the constrained environment.

   As some of the use cases indicate, constrained devices may be
   installed in hostile environments where they are physically
   accessible (see Section 2.5). Protection from physical attacks is
   not in the scope of this document, but it should be kept in mind by
   developers of authorization solutions.

   Denial-of-service (DoS) attacks threaten the availability of services
   a device provides, and constrained devices are especially vulnerable
   to these types of attacks because of their limitations. Attackers
   can elicit a temporary or, if the battery is drained, permanent
   failure in a service simply by repeatedly flooding the device with
   connection attempts; for some services (see Section 2.3),
   availability is especially important. Solution designers must be
   particularly careful to consider the following limitations in every
   part of the authorization solution:

   o  Battery usage

   o  Number of required message exchanges

   o  Size of data that is transmitted (e.g., authentication and access
      control data)

   o  Size of code required to run the protocols

   o  Size of RAM memory and stack required to run the protocols

   o  Resources blocked by partially completed exchanges (e.g., while
      one party is waiting for a transaction time to run out)

   Solution developers also need to consider whether the session should
   be protected from information disclosure and tampering.
3.2. Configuration of Access Permissions

   o  The access control policies need to be enforced (all use cases):
      The information that is needed to implement the access control
      policies needs to be provided to the device that enforces the
      authorization and applied to every incoming request.

   o  A single resource might have different access rights for different
      requesting entities (all use cases).

      Rationale: In some cases, different types of users need different
      access rights, as opposed to a binary approach where the same
      access permissions are granted to all authenticated users.

   o  A device might host several resources where each resource has its
      own access control policy (all use cases).

   o  The device that makes the policy decisions should be able to
      evaluate context-based permissions such as location or time of
      access (see Sections 2.2, 2.3, and 2.4). Access may depend on
      local conditions, e.g., access to health data in an emergency.
      The device that makes the policy decisions should be able to take
      such conditions into account.
3.3. Authorization Considerations

   o  Devices need to be enabled to enforce authorization policies
      without human intervention at the time of the access request (see
      Sections 2.1, 2.2, 2.4, and 2.5).

   o  Authorization solutions need to consider that constrained devices
      might not have Internet access at the time of the access request
      (see Sections 2.1, 2.3, 2.5, and 2.6).

   o  It should be possible to update access control policies without
      manually re-provisioning individual devices (see Sections 2.2,
      2.3, 2.5, and 2.6).

      Rationale: Peers can change rapidly, which makes manual
      re-provisioning unreasonably expensive.

   o  Authorization policies may be defined to apply to a large number
      of devices that might only have intermittent connectivity.
      Distributing policy updates to every device for every update might
      not be a feasible solution (see Section 2.5).

   o  It must be possible to dynamically revoke authorizations (see
      Section 2.4 for example).

   o  The authentication and access control protocol can put undue
      burden on the constrained system resources of a device
      participating in the protocol. An authorization solution must
      take the limitations of the constrained devices into account (all
      use cases, see also Section 3.1).

   o  Secure default settings are needed for the initial state of the
      authentication and authorization protocols (all use cases).

      Rationale: Many attacks exploit insecure default settings, and
      experience shows that default settings are frequently left
      unchanged by the end users.

   o  Access to resources on other devices should only be permitted if a
      rule exists that explicitly allows this access (default deny) (see
      Section 2.4 for example).

   o  Usability is important for all use cases. The configuration of
      authorization policies as well as gaining access to devices
      must be simple for the users of the devices. Special care needs
      to be taken for scenarios where access control policies have to be
      configured by users that are typically not trained in security
      (see Sections 2.2, 2.3, and 2.6).

   o  Software updates are an important operation for which correct
      authorization is crucial. Additionally, authenticating the
      receiver of a software update is also important, for example, to
      make sure that the update has been received by the intended
      device.
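   As an added example (not part of RFC 7744 or any ACE implementation),
   the following Python sketch of a policy decision point exercises the
   guidelines of Sections 3.2 and 3.3 on one constructed policy: default
   deny, per-resource rules, different rights for different requesters,
   context-based conditions (time of day, emergency), and dynamic
   revocation. The subjects, resource paths and rules are assumptions
   chosen for illustration only.

```python
"""Minimal policy decision point (PDP) for a constrained device.

Added example, not from RFC 7744. The subjects, resources and rules below
are constructed for illustration of Sections 3.2 and 3.3.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Context:
    """Local conditions known to the enforcing device at request time."""
    hour: int                 # local hour of day, 0-23
    emergency: bool = False   # e.g. a patient emergency (cf. Section 2.4)


@dataclass
class Rule:
    """An explicit allow rule; nothing else grants access (default deny)."""
    subject: str              # authenticated requester identity (constructed)
    resource: str             # resource path hosted on the device
    methods: Set[str]         # permitted request methods
    condition: Optional[Callable[[Context], bool]] = None  # context check


@dataclass
class PolicyDecisionPoint:
    rules: List[Rule] = field(default_factory=list)
    revoked: Set[str] = field(default_factory=set)  # subjects revoked later

    def revoke(self, subject: str) -> None:
        """Dynamically revoke every authorization held by a subject."""
        self.revoked.add(subject)

    def decide(self, subject: str, resource: str, method: str,
               ctx: Context) -> bool:
        """Evaluate one incoming request against the explicit allow rules."""
        if subject in self.revoked:
            return False
        for rule in self.rules:
            if rule.subject != subject or rule.resource != resource:
                continue
            if method not in rule.methods:
                continue
            if rule.condition is not None and not rule.condition(ctx):
                continue
            return True
        return False  # no matching explicit rule: default deny


def build_example_pdp() -> PolicyDecisionPoint:
    """Constructed policy for a hypothetical health sensor with two resources."""
    def office_hours(c: Context) -> bool:
        return 8 <= c.hour < 18

    def emergency_or_office(c: Context) -> bool:
        return c.emergency or office_hours(c)

    return PolicyDecisionPoint(rules=[
        # the patient may always read vitals and manage the configuration
        Rule("patient", "/vitals", {"GET"}),
        Rule("patient", "/config", {"GET", "PUT"}),
        # the doctor reads vitals in office hours, or at any time in an emergency
        Rule("doctor", "/vitals", {"GET"}, emergency_or_office),
        # a technician may only touch the configuration, and only in office hours
        Rule("technician", "/config", {"GET", "PUT"}, office_hours),
    ])


def demo() -> Dict[str, bool]:
    """Run a set of constructed requests and return the decision for each."""
    pdp = build_example_pdp()
    night, night_emergency, day = Context(2), Context(2, True), Context(10)
    results = {
        "patient reads vitals at night": pdp.decide("patient", "/vitals", "GET", night),
        "doctor reads vitals at night": pdp.decide("doctor", "/vitals", "GET", night),
        "doctor reads vitals, night emergency": pdp.decide("doctor", "/vitals", "GET", night_emergency),
        "technician writes config by day": pdp.decide("technician", "/config", "PUT", day),
        "technician reads vitals by day": pdp.decide("technician", "/vitals", "GET", day),
        "unknown visitor reads vitals": pdp.decide("visitor", "/vitals", "GET", day),
    }
    pdp.revoke("technician")  # revocation takes effect on the next request
    results["technician writes config after revocation"] = pdp.decide("technician", "/config", "PUT", day)
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```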
3.4. Proxies

   In some cases, the traffic between endpoints might go through
   intermediary nodes (e.g., proxies, gateways). This might affect the
   function or the security model of authentication and access control
   protocols; e.g., end-to-end security between endpoints with Datagram
   Transport Layer Security (DTLS) might not be possible (see
   Section 2.5).
4. Privacy Considerations

   The constrained devices in focus of this document either collect data
   from the physical world via sensors or affect their surroundings via
   actuators. The collected and processed data often can be associated
   with individuals. Since sensor data may be collected and distributed
   on a regular interval, a significant amount of information about an
   individual can be collected and used as input for learning algorithms
   as part of big data analysis and used in an automated decision making
   process.

   Offering privacy protection for individuals is important to guarantee
   that only authorized entities are allowed to access collected data,
   to trigger actions, to obtain consent prior to the sharing of data,
   and to deal with other privacy-related threats outlined in RFC 6973.

   RFC 6973 was written as guidance for engineers designing technical
   solutions. For a short description about the deployment-related
   aspects of privacy and further references relevant for the Internet
   of Things sector, please see Section 7 of RFC 7452.
5. Informative References

   [Jedermann14]
              Jedermann, R., Poetsch, T., and C. LLoyd, "Communication
              techniques and challenges for wireless food quality
              monitoring", Philosophical Transactions of the Royal
              Society A Mathematical, Physical and Engineering Sciences,
              May 2014, <http://rsta.royalsocietypublishing.org/
              content/372/2017/20130304.short>.

   [Karnouskos11]
              Karnouskos, S., "Stuxnet Worm Impact on Industrial Cyber-
              Physical System Security", IECON 2011 - 37th Annual
              Conference on IEEE Industrial Electronics Society, pp.
              4490-4494, DOI 10.1109/IECON.2011.6120048, November 2011,
              <http://ieeexplore.ieee.org/xpl/
              articleDetails.jsp?arnumber=6120048>.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228,
              DOI 10.17487/RFC7228, May 2014,
              <http://www.rfc-editor.org/info/rfc7228>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <http://www.rfc-editor.org/info/rfc7252>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.
Acknowledgments
The authors would like to thank Olaf Bergmann, Sumit Singhal, John
Mattson, Mohit Sethi, Carsten Bormann, Martin Murillo, Corinna
Schmitt, Hannes Tschofenig, Erik Wahlstroem, Andreas Baeckman, Samuel
Erdtman, Steve Moore, Thomas Hardjono, Kepeng Li, Jim Schaad,
Prashant Jhingran, Kathleen Moriarty, and Sean Turner for reviewing
and/or contributing to the document. Also, thanks to Markus Becker,
Thomas Poetsch, and Koojana Kuladinithi for their input on the
container monitoring use case. Furthermore, the authors thank Akbar
Rahman, Chonggang Wang, Vinod Choyi, and Abhinav Somaraju who
contributed to the building automation use case.
Ludwig Seitz and Goeran Selander worked on this document as part of
EIT-ICT Labs activity PST-14056; and as part of the CelticPlus
project CyberWI, with funding from Vinnova.
Authors' Addresses

   Ludwig Seitz (editor)
   SICS Swedish ICT AB
   Scheelevaegen 17
   Lund 223 70
   Sweden

   Email: ludwig@sics.se