The sharing of data is becoming increasingly important for the process and manufacturing industries that are using data-driven models and advanced analysis to assess production performance and make predictions, e.g., on wear and tear. In such environments, access to data needs to be accurately controlled to prevent leakage to unauthorized users while providing easy to manage policies. Data should further be shared with users outside trusted domains using encryption. Finally, means for revoking access to data are needed. This paper provides a survey on attribute-based approaches for access control to data, focusing on policy management and enforcement. We aim to identify key properties provided by attribute-based access control (ABAC) and attribute-based encryption (ABE) that can be combined and used to meet the abovementioned needs.We describe such possible combinations in the context of a proposed architecture for secure data sharing. The paper concludes by identifying knowledge gaps to provide direction to future research on attribute-based approaches for secure data sharing in industrial contexts.

In the Industry 4.0 era, secure and efficient data sharing is vital for innovation and operational enhancement. Industry 4.0 envisions a highly connected ecosystem where machines, devices, and stakeholders collaborate in real time to optimize processes, enhance productivity, and create new value propositions. However, this surge in data-driven collaboration brings forth a critical challenge, ensuring the secure and controlled sharing of sensitive information. As organizations embrace the potential of Industry 4.0, the need for robust mechanisms to achieve key data security properties of data integrity, confidentiality, and availability, while enabling efficient data exchange becomes paramount. However, while the promise of Industry 4.0 presents promising opportunities, it also introduces a set of challenges intrinsic to data security solutions. These solutions, while promising in providing fine-grained data security, introduce complexities such as administrative overhead and substantial management efforts for the users. Striking a balance between robust security and operational ease is critical for enabling seamless data exchange within the evolving landscape of Industry 4.0.

This thesis explores the realm of Attribute-based approaches to achieve the desired secure data sharing, pivotal in the digitized Industry 4.0 environment.  An overarching objective is to achieve compatibility of these data-securing mechanisms with the Industry 4.0 paradigms through the usage of attribute-based approaches. This includes the exploration of the existing solutions within the state-of-the-art and its analysis in the context of usability and practicality for industrial adoption. 

Access control entails the establishment of policies and mechanisms to regulate who can access specific resources or information, under what conditions, and to what extent. The study will delve into various access control models and their applicability, with a particular emphasis on Attribute-Based Access Control. Moreover, through the creation of proofs-of-concepts implementations, we explore the usability of Attribute-based Access Control (ABAC) models and policy languages, applied to different aspects of the data-sharing process.  Manageability, user-friendliness, and fine-granularity of the access control were identified as key properties for the usability of data securing technologies in industry. Hence, discovering and addressing challenges for such properties is of special focus for this thesis. 

In addition, this thesis explores attribute-based encryption techniques, seeking to augment data security while minimizing additional operational complexities. Moreover, this thesis also explores the implications of third-party cloud services, popular in Industry 4.0 environments, as well as third-party stakeholder data sharing to motivate the need to ensure both in-transit and at-rest data security.

This thesis makes significant contributions in the domain of secure data sharing in Industry 4.0. First, it contextualizes access control within the broader data security landscape and explores state-of-the-art Attribute-Based Access Control policy languages. The research designs, evaluates, and automates ABAC models to address fine-granularity and manageability gaps, with a focus on user-friendliness for industrial adoption. Furthermore, it proposes and implements an automated management solution for integrating new data sources in Service-Oriented Architecture (SOA) industrial data-sharing applications, within the Eclipse Arrowhead Framework. This includes the innovative proposal of contractual automation of access control policies to enhance efficiency and security. 

Moreover, the research delves into the realm of attribute-based encryption approaches, conducting a state-of-the-art exploration and gap analysis, with a special focus on uncovering the adoption barriers associated with this technology.  Lastly, the thesis designs, implements, and evaluates an ABAC-Enabled ABE solution architecture, covering the discovered gaps, and offering an expressive and user-friendly approach to secure data sharing. These contributions collectively advance the field of data security and access control in the context of Industry 4.0 and similar evolving industrial landscapes

The research indicated that Attribute-based approaches hold promise for practical data protection at rest through access control mechanisms, especially within fine-grained policies. The study explores ABAC in a graph-based policy language, Next-generation Access Control (NGAC), showcasing its potential for reducing administrative workload related to policy management. Simplified policy creation and expression enhance the ease of model implementation. These insights extend to ABE, highlighting the value of delegating attribute management for reduced administrative complexity and improved expressiveness within ABE schemes. This approach allows for automation techniques developed for ABAC policy management to be translated into ABE schemes. 

Data sharing is becoming increasingly important as organizations seek to improve their operations and gain a competitive advantage. The data sharing between organizations, stakeholders, and even internal teams requires access control policies that define who can access what data, under what circumstances, and for what purposes.Attribute-based access control (ABAC) provides a flexible and fine-grained mechanism for enforcing such policies, preventing data leakage, and improving security and compliance. A challenge is that these policies should be able to support the agility and adaptability of constantly evolving modern industrial systems, where new data sources, services, and users are frequently added and removed.  As the number of data sources and associated policies grows, the manual management of ABAC policies in evolving systems becomes a bottleneck, which prevents the adoption of fine-grained access control mechanisms. This paper presents a model based on tag-matching to automate the process of connecting new data sources and users to existing access control policies. In the proposed model, tag-matching means matching metadata elements to policy attributes to reduce the administrative work of managing access policies. The model takes advantage of the identity abstraction of ABAC policies to connect existing rules between attributes and the target resource or user. We present a proof-of-concept implementation of the tag-matching model in Eclipse Arrowhead and provide an evaluation of the proposed solution. 

The Industry 4.0 revolution relies heavily on data to generate value, innovation, new services, and optimize current processes [1]. Technologies such as Internet of Things (IoT), machine learning, digital twins, and much more depend directly on data to bring value and innovation to both discrete manufacturing and process industries. The origin of data may vary from sensor data to financial statements and even strictly confidential user or business data. In data-driven ecosystems, collaboration between different actors is often needed to provide services such as analytics, logistics, predictive maintenance, process improvement, and more. Data therefore cannot be considered a corporate internal asset only. Hence, data needs to be shared among organizations in a data-driven ecosystem for it to be used as a strategic resource for creating desired values, innovations, or process improvements [2]. When sharing business critical and sensitive data, the access to the data needs to be accurately controlled to prevent leakage to authorized users and organizations. 

Access control is a mechanism to control actions of users over objects, e.g., to read, write, and delete files, accessing data, writing over registers, and so on. This thesis studies one of the latest access control mechanisms in Attribute Based Access Control (ABAC) for industrial data sharing. ABAC emerges as an evolution of the commonly industry-wide used Role-based Access Control. ABAC presents the idea of attributes to create access policies, rather than manually assigned roles or ownerships, enabling for expressive fine-granular access control policies. Furthermore, this thesis presents approaches to implement ABAC into industrial IoT data sharing applications, with special focus on the manageability and granularity of the attributes and policies.  The thesis also studies the implications of outsourced data storage on third party cloud servers over access control for data sharing and explores how to integrate cryptographic techniques and paradigms into data access control. In particular, the combination of ABAC and Attribute-Based Encryption (ABE) is investigated to protect privacy over not-fully trusted domains. In this, important research gaps are identified. 

Data is important for the industry to take advantage of digitalization, realize automation, assure quality, and more. Values from data are not only created individually by companies, but also in eco-systems in which data is shared among participating organizations. Secure data sharing is essential in such eco-systems to prevent unauthorized access and use of the data. Usage control extends traditional access control with restrictions concerned with requirements that pertain to data processing contractual obligations, rather than data access provisions only. Thus, usage control is relevant in the context of intellectual property protection, compliance with regulations, and digital rights management. This paper presents a method to negotiate contractual obligations and access provisions, and automatically enforce those provisions with access control. Finalized negotiations establish Ricardian contracts at two levels; a superordinate level with a connected subordinate level. These contracts contain provisions in terms of access control attributes. Using our implementation of a negotiation engine we demonstrate the automatic creation of NIST Next Generation Access Control (NGAC) access control policies. Our negotiation engine uses a lightweight model for the storage of an unforgeable and immutable log of the established contracts based on digital signatures and hashing.

The construction industry is characterized by its extensive and dynamic collaborations between contractors providing various services and expertise. In such eco-systems, the secure sharing of information, data and equipment challenges the access control needs to be application agnostic. Furthermore, it needs fine-grained access policies including means for abstraction to ease administration, and support for delegated authorization in Service-Oriented Architecture (SOA) based systems. In this paper, we explore the use of delegated access using OAuth 2.0 with Attribute-Based Access Control (ABAC) for the collaborative sharing of equipment at construction sites. In particular, we investigate the use of contextual attributes to capture the dynamic aspects, such as location and urgency, in the booking of construction lifts. Through this study, we propose a solution based on the IoT Application-scoped Access Control as a Service (IAACaaS) architecture model combined with NIST Next Generation Access Control (NGAC). We present an architecture for a general Identity and Access Management (IAM) system for the construction industry, and provide a design and guide for implementation of this architecture in terms how key functionalities should be captured as reusable micro-services. Moreover, we describe how these micro-services can be combined to make the system a general and reusable solution providing access control for collaborative sharing of data, information and equipment at construction sites.

Industrial Internet of Things (IIoT) and Industry 4.0 rely heavily on data for reasons such as production follow-up, planning and optimization. Industrial data come in large volumes from production logs and sensors whereof some data carries business and strategic value, sensitive information, or a combination of both. Such data must be protected from unauthorized access, but also be easy to access for authorized users to facilitate work to gain business and operational values from the data. The efficient creation and maintenance of access policies for secure data sharing is hence essential, but unfortunately also challenging in terms of the complexity and administrative effort for fine-grained such. Attribute-based access control (ABAC) such as the Next Generation Access Control (NGAC) provides efficient models for handling access policies. Existing access control models fail however to provide a simple and easy-to-maintain policy language capable of efficiently enforcing fine-grained access control policies for large volumes of time-series data. In this paper, we propose extensions to NGAC based on filter strings that facilitates efficient enforcement of row-level value and time constraint policies for time-series data. We evaluate two approaches for storing and retrieving these filter strings and provide a qualitative and quantitative discussion of the results.

In Industry 4.0 and Industrial Internet of Things (IIoT), large amounts of time-series sensor data is collected from devices and machines. Industrial data typically contain sensitive information that may harm the data owner should it leaks. Although such risks exist, selected data frequently needs to be shared in partner eco-systems to take advantage of expertise in analyzing the data and to synchronize between partners collaborating in the production system. Consequently, access control must support efficient data selection and sharing. The access control should be capable of managing and enforcing access policies for different operations and with different levels of granularity, while being simple to properly maintain and potentially automate. In this paper we examine the possible use of Next-Generation Access Control (NGAC) for such access control. NGAC is an attribute-based access control (ABAC) standard based on relations between data elements to create, manage and enforce access control policies. We propose an Access control model that maps the NGAC policy language to thequerylanguageoftime-seriesdatabasestofacilitateasecure and efficient data sharing system for IIoT sensor data

Decentralized data repositories and external cloud-based services are pivotal in facilitating industrial data sharing, but they often come with administrative overhead. These solutions provide the scalability and accessibility needed for efficient storage and sharing of industrial data, enhancing collaboration and data-driven decision-making while ensuring data security. In this paper, we explore means to combine Attribute-based Access Control and Attribute-based Encryption (ABE). We propose an innovative approach to secure data sharing at rest and at transit with low administrative and management overhead. The solution leverages ABE's ability to encrypt data with fine-grained policies while keeping ABAC's flexibility and ease of management. We provide an evaluation of our solution and discuss the results in the context of industrial data-sharing use cases and applications. Moreover, we provide design guidelines for implementation. Our findings provide valuable insights into the effectiveness of ABE in preserving data privacy during the data-sharing process. Importantly, this is achieved without introducing significant time complexity, even when considering factors like policy size and the number of attributes involved. Furthermore, our study demonstrates that these benefits can be realized while still maintaining the ease of management and the fine-grained control inherent in ABAC schemes.