A Comparison of Commercial and Military Computer Security Policies

176

Abstract. Global energy generation and delivery systems are transitioning to a new computerized "smart grid". One of the principle components of the smart grid is an advanced metering infrastructure (AMI). AMI replaces the analog meters with computerized systems that report usage over digital communication interfaces, e.g., phone lines. However, with this infrastructure comes new risk. In this paper, we consider adversary means of defrauding the electrical grid by manipulating AMI systems. We document the methods adversaries will use to attempt to manipulate energy usage data, and validate the viability of these attacks by performing penetration testing on commodity devices. Through these activities, we demonstrate that not only is theft still possible in AMI systems, but that current AMI devices introduce a myriad of new vectors for achieving it.

“…It is preferable however that utility side systems enforce proper user and group management to provide properties such as separation of duties [5].…”

Section: Attacker Modelmentioning

confidence: 99%

Energy Theft in the Advanced Metering Infrastructure

McLaughlin

Podkuiko

McDaniel

2010

176

“…They allow a policy designer to express higher-level organisational security policies. Depending on the organisation, different kinds of authorisation constraints are required such as SoD in the banking field [5] or constraints on delegation and context constraints in the healthcare domain [24]. Later in this paper, different kinds of authorisation constraints are specified and discussed.…”

Section: Rbac and Authorisation Constraintsmentioning

confidence: 99%

“…This directive among other areas applies to clinical information systems where in particular the principle of patient consent must be enforced [4]. In contrast, in the banking domain other security requirements such as data integrity are more important such that often separation of duty policies (SoD) [17,5] must be enforced.…”

Section: Introductionmentioning

confidence: 99%

Specification and Validation of Authorisation Constraints Using UML and OCL

Sohr

Ahn

Gogolla

et al. 2005

Abstract. Authorisation constraints can help the policy architect design and express higher-level security policies for organisations such as financial institutes or governmental agencies. Although the importance of constraints has been addressed in the literature, there does not exist a systematic way to validate and test authorisation constraints. In this paper, we attempt to specify non-temporal constraints and historybased constraints in Object Constraint Language (OCL) which is a constraint specification language of Unified Modeling Language (UML) and describe how we can facilitate the USE tool to validate and test such policies. We also discuss the issues of identification of conflicting constraints and missing constraints.

“…And dynamic policies are very important for many trust-related applications. In particular, things like separation of duties [7,10], the so called Chinese Wall (CW) policy [5], and the effects of the expiration or revocation of a certificate on the power of an agent holding it [2], are all dynamic. Dynamic policies are particularly important for fostering regularity-based trust in electronic commerce, as we will illustrate via an example in the following section.…”

Section: Introductionmentioning

confidence: 99%

Regularity-Based Trust in Cyberspace

Minsky

2003

Abstract. One can distinguish between two kinds of trust that may be placed in a given entity e (a person or a thing), which we call: familiarity-based trust and regularity-based trust. A familiarity-based trust in e is a trust based on personal familiarity with e, or on testimonial by somebody who is familiar, directly or indirectly, with e; or even on some measure of the general reputation of e. A regularity-based trust is based on the recognition that e belongs to a class, or a community, that is known to exhibits a certain regularity-that is, it is known that all members of this class satisfy a certain property, or that their behavior conforms to a certain law. These two types of trust play important, and complementary, roles in out treatment of the physical world. But, as we shall see, the role of regularity-based trust in out treatment of the cyberspace has been limited so far because of difficulties in establishing such trust it in this context. It is this latter kind of trust, which is the focus of this paper. We will describe a mechanism for establishing a wide range of regularity-based trusts, and will demonstrate the effectiveness of this mechanism, by showing how it can enhance the trustworthiness of a certain type of commercial client-server interactions over the internet.