AUTHENTICATION, AUTHORIZATION, ACCESS CONTROL, AND PRIVILEGE MANAGEMENT

DAVID FERRAIOLO, RICK KUHN, AND VINCENT HU

National Institute of Standards and Technology, Gaithersburg, Maryland

1 INTRODUCTION

Homeland security applications present a number of cutting-edge challenges for access control and privilege management because they necessarily entail the integration of physical and information technology (IT) system access controls. Airports, industrial plants, and many other critical infrastructure domains have physical assets that could, in the wrong hands, result in significant loss of life. To get a sense of the problem space, consider the following incidents:

• Sewage release. In 2000, an employee of an Australian company that develops industrial control software used a wireless connection to illegally access the control system for a sewage treatment plant, causing eventually the release of 264,000 ga of raw sewage [1].
• Air traffic control and emergency services. In 1997, an attacker disabled a critical telephone switch through a dial-up modem, shutting down tower control and air traffic transmission at an airport in Worcester, Massachusetts. Telephone service was disabled for a nearby town also [2].
• Train derailment. In January, 2008, a 14 year old in Lodz, Poland took over the control system for city trains, derailing four and injuring several people [3].

None of these incidents would have occurred if access control had worked properly, and the potential for terrorist attacks, ...