Digital Power of Attorney for authorization in industrial cyber-physical systems

Abstract: In the age of digitization, many Cyber-Physical Systems (CPS) are semi-autonomous and have sufficient power and resources to perform tasks on behalf of users. This thesis defines an authorization technique to transfer the power of legitimate users to trusted CPS or IoT devices, allowing the device to sign or access resources on behalf of the user. The authorization technique is based on a digital Power of Attorney (PoA), which is a self-contained document generated by the user (principal) and sent to the agent (trusted device). A Power of Attorney contains a timestamp that makes it invalid after a period of time predefined by the principal. Here, the agent who receives the PoA does not require a separate account; instead, it uses the principal's account with limited features. The thesis studies and analyzes other delegation-based and subgranting-based authorization techniques, such as the OAuth standard. There are certain similarities and differences between OAuth and PoA, which are analyzed based on metrics such as protocol flow, communication type, token format, and control expiration. Considering the benefits and challenges of both OAuth and PoA, this thesis combines these two techniques and proposes a multilevel subgranting system. The conceptual architecture, protocol flow, design overview, PoA format, use case scenarios, and implementation details of the proposed system are presented. The system is implemented based on an industrial CPS use case scenario. The results are qualitatively analyzed and also quantitatively evaluated based on the metric of computational time. Future work includes security analysis, result evaluation, and comparison of findings with respect to OAuth and other delegation-based authorization standards, implementation of the PoA-based authorization technique from scratch, and integration with frameworks such as Arrowhead.
