Role-Based Access Control – Potentially a Management Nightmare

摘要

Almost all cybersecurity standards, recommended practices and guidelines require or recommend the need tornimplement role-based access control (RBAC) in configuring and maintaining electrical power utility (EPU)rnintelligent electronic devices. Good in theory, but JWG B5-D2.46 discovered significant management challengesrnto effectively administer a highly distributed schema for vetting protection and control access privileges and usernprivileges in a timely manner. A summary of JWG’s findings is discussed in this paper. A world-wide survey ofrnEPU protection and control (P&C) engineers helped JWG rank the challenges they faced to apply and managerncybersecurity solutions – RBAC management was high on the list. Further analysis by the JWG identified therncore issues of trust in the vetting process for employees, suppliers and partners. Maintaining a coherent databasernof access and use privileges in this heterogeneous environment proved to be labor intensive and not timely to thernrapidly changing roles of P&C engineers and field technicians. System dynamic modeling highlighted theserndeficiencies and provides the basis for JWG’s recommended improvements to effectively administer RBAC. Arnsummary of these recommendations is discussed in this paper.