Protecting critical infrastructures while preserving each organization's autonomy

Abstract

In critical infrastructures (CIs), different organizations must cooperate, while being mutually suspicious since they have different interests and can be in competition on some markets. Moreover, in most cases, there is no recognized authority that can impose global security rules to all participating organizations. In such a context, it is difficult to apply good security practices to the interconnected information systems that control the critical infrastructure. In this paper, we present the PolyOrBAC security framework, aimed at securing global infrastructures while preserving each participating organization's autonomy. In this framework, each organization is able to protect its assets by defining its own security policy and enforcing it by its own security mechanisms, and the global infrastructure is protected by controlling and auditing all interactions between participating organizations. PolyOrBAC helps to satisfy the CII security requirements related to secure cooperation, autonomy and confidentiality, monitoring and audit, and scalability. © 2011 Springer-Verlag.