590 CHAPTER 23 Policies, Access Control, and Formal Methods

23.5. ACCESS CONTROL FOR CRITICAL INFRASTRUCTURES: OPEN PROBLEMS AND POSSIBLE APPROACHES

Access control is particularly critical for the protection of critical infrastructures. In the power grid, for example, it is crucial to ensure that critical data are modified only by authorized subjects, as malicious modifications to data may lead to severe incidents. A critical requirement for a suitable access control management system is that it be based on a high-level, scalable access control model that can be effectively managed. A model satisfying this requirement is RBAC. Conventional RBAC models, however, need significant extensions for use in the context of critical infrastructures and, especially for large-scale dynamic infrastructures such as energy delivery systems, must be supported by comprehensive management environments. Relevant requirements for the design of a suitable RBAC access control system include:

1. Attribute- and context-based user-to-role assignment. This refers to the automatic assignment of roles to users based on properties of the users and of their contexts, such as level of training, employment status, and plant status [43]. As such assignment is an expensive and critical role management function, it is crucial that it be carried out automatically. Possible approaches include the use of preconditions for role assignment and activation, where preconditions can be expressed in terms of credentials and context.

2. Context- and situation-based role activation/deactivation. This refers to making roles available (or unavailable) for use by authorized users based on context, such as time, and on situations. In emergency situations, for example, it may be necessary to temporarily disable certain roles that are not needed during the emergency and to enable roles that are needed for it. To assure real-time responses, role activation/deactivation has to be executed automatically. Possible approaches include the use of a temporal RBAC (T-RBAC) [18], and the use of triggers able to refer to events and conditions concerning context and situation.

3. Strong authentication for role usage. As roles are assigned to users based on user identity, it is important that users be strongly authenticated before being able to use roles corresponding to critical functions in the organization. Possible approaches include the use of authentication preconditions for the use of critical roles [44], and the use of SAML [45] for encoding authentication statements.

4. Integration with physical control. For the use of critical roles, it may be important that users are restricted to using these roles only from physically controlled facilities. Possible approaches include the use of geographically constrained RBAC (GEO-RBAC) [19] and of location-aware access control [20].

5. Support for multidomain environments. For large-scale critical infrastructures consisting of multiple administrative units, interoperation is critical. Interoperation policies should specify which role in one administrative domain allows a user to gain access to which role in another administrative domain. Possible approaches include the use of multidomain preconditions for role usage [46] and the use of SAML [45] for exchanging statements about which roles users possess in which administrative domains.

6. Protection from insider threats. As malicious insiders represent a major threat [43], the access control system must provide support for protection from this threat. Protection from malicious role administrators is also crucial. Possible approaches include the use of profiles of role behavior and anomaly detection [47], and joint administration for the execution of critical role and permission management operations [48].

23.6. CONCLUDING REMARKS

In this chapter we have surveyed the main notions and models for access control and the most
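As an added example (not code from the chapter, nor from any of the systems it cites), the following Python sketch maps each of the six requirements listed in Section 23.5 to one check in a toy RBAC policy engine: attribute-based assignment preconditions, context- and situation-driven activation, a minimum authentication level per role, a location constraint, an interoperation mapping from foreign-domain roles to local roles, and, for insider threats, a usage profile with anomaly alerts plus joint administration of critical changes. The role names, user attributes, authentication levels, locations, domain names and the interoperation mapping are assumptions made for illustration; role statements received from another domain (which the chapter suggests encoding in SAML) are represented simply as (domain, role) pairs that the receiving domain has already verified.

```python
# Added example, not the chapter's own code: a toy RBAC policy engine in which each of the
# six requirements of Section 23.5 maps to one check. Role names, attribute names, auth
# levels, locations and domain names are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    attrs: Dict[str, object]         # credentials: training level, employment status, ...

@dataclass
class Context:
    now: datetime
    plant_status: str                # situation: "normal" or "emergency"
    auth_level: int                  # 1 = password, 2 = password + OTP, 3 = hardware token + PIN
    location: str                    # physical zone the request originates from
    # (domain, role) pairs asserted by another domain, e.g. carried in a SAML attribute statement
    foreign_roles: Set[Tuple[str, str]] = field(default_factory=set)

@dataclass
class Role:
    name: str
    assign_if: Callable[[User], bool]             # req. 1: attribute-based assignment precondition
    active_if: Callable[[Context], bool]          # req. 2: context/situation-based activation
    min_auth_level: int = 1                       # req. 3: authentication precondition for usage
    allowed_locations: Optional[Set[str]] = None  # req. 4: None means usable from anywhere
    usage_baseline: int = 50                      # req. 6: expected activations per period (role profile)


class PolicyEngine:
    def __init__(self, roles: List[Role], interop: Dict[Tuple[str, str], str]):
        self.roles = {r.name: r for r in roles}
        self.interop = interop                    # req. 5: (foreign domain, foreign role) -> local role
        self.pending: Dict[str, Set[str]] = {}    # req. 6: critical admin ops awaiting a second admin
        self.usage: Dict[str, int] = {}           # req. 6: activations per role in the current period
        self.alerts: List[str] = []               # req. 6: anomalies raised against the role profile

    def roles_for(self, user: User, ctx: Context) -> Set[str]:
        """Roles the user holds: assigned automatically from attributes, plus roles
        mapped from another domain by the interoperation policy."""
        held = {r.name for r in self.roles.values() if r.assign_if(user)}
        for domain, role in ctx.foreign_roles:
            local = self.interop.get((domain, role))
            if local is not None:
                held.add(local)
        return held

    def can_activate(self, user: User, role_name: str, ctx: Context) -> Tuple[bool, str]:
        """Check every precondition for activating role_name in the given context."""
        role = self.roles.get(role_name)
        if role is None:
            return False, "unknown role"
        if role_name not in self.roles_for(user, ctx):
            return False, "role not assigned"
        if not role.active_if(ctx):
            return False, "role deactivated in current context"
        if ctx.auth_level < role.min_auth_level:
            return False, "authentication too weak for this role"
        if role.allowed_locations is not None and ctx.location not in role.allowed_locations:
            return False, "location not permitted for this role"
        return True, "ok"

    def activate(self, user: User, role_name: str, ctx: Context) -> Tuple[bool, str]:
        """Activate a role and compare its usage count against the role's profile."""
        ok, why = self.can_activate(user, role_name, ctx)
        if ok:
            self.usage[role_name] = self.usage.get(role_name, 0) + 1
            if self.usage[role_name] > 2 * self.roles[role_name].usage_baseline:
                self.alerts.append(f"{role_name}: usage {self.usage[role_name]} exceeds profile")
        return ok, why

    def request_admin_op(self, admin: str, op: str) -> str:
        """Joint administration: a critical role/permission change executes only once
        two distinct administrators have requested the same operation."""
        approvers = self.pending.setdefault(op, set())
        approvers.add(admin)
        if len(approvers) >= 2:
            del self.pending[op]
            return "executed"
        return "pending second administrator"


def business_hours(ctx: Context) -> bool:
    return ctx.now.weekday() < 5 and 8 <= ctx.now.hour < 18

def build_engine() -> PolicyEngine:
    """Constructed sample policy for a fictitious transmission operator 'tso_west'."""
    roles = [
        # assigned from training/employment attributes; strong auth from the control room only
        Role("grid_operator",
             assign_if=lambda u: u.attrs.get("training", 0) >= 2 and u.attrs.get("employment") == "active",
             active_if=lambda c: True, min_auth_level=3, allowed_locations={"control_room"}),
        # routine role, switched off during an emergency and outside business hours (T-RBAC style)
        Role("maintenance_engineer",
             assign_if=lambda u: u.attrs.get("employment") == "active",
             active_if=lambda c: c.plant_status == "normal" and business_hours(c)),
        # enabled only while the plant is in an emergency situation
        Role("emergency_controller",
             assign_if=lambda u: u.attrs.get("training", 0) >= 3,
             active_if=lambda c: c.plant_status == "emergency", min_auth_level=2),
    ]
    # interoperation policy: a dispatcher of the neighbouring domain acts as a local grid_operator
    return PolicyEngine(roles, interop={("tso_east", "dispatcher"): "grid_operator"})
```

The checks in can_activate run in the order the requirements are listed, so a denial reports the first failing precondition; a production engine would also log every decision. The anomaly detection here is the simplest form of a role-behaviour profile, a threshold on the activation count, and it alerts rather than denies, since in a control-room setting blocking an operator automatically can itself cause an incident. Joint administration is enforced purely by requiring two distinct administrator identities for the same operation, which is why the same administrator requesting twice stays pending.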