Introduction

The Internet of Things (IoT) has become a transformative technology, enabling connectivity and communication between billions of devices across diverse sectors, including smart cities, healthcare, industrial and home automation. As interconnected devices grow, ensuring secure and appropriate access to IoT resources becomes critical. Access control is fundamental in safeguarding IoT systems by defining who can access which resources and under what conditions [1].

Types of Access Control in IoT

Access control mechanisms in IoT can be broadly categorised into the following types:

  1. Discretionary Access Control (DAC): In DAC, the owner of a resource decides who may access it and which operations they may perform. This model is flexible but prone to unauthorised access when owners mismanage or over-share permissions, since no central authority enforces a consistent policy. Examples of DAC-based access control solutions for IoT come mainly from academic work.
  2. Mandatory Access Control (MAC): MAC enforces strict policies defined by an administrator, restricting access according to predefined security classifications that resource owners cannot override. This model suits high-security environments, such as military or government applications.
  3. Role-Based Access Control (RBAC): RBAC assigns permissions based on the roles of users within an organisation. For example, a maintenance technician in a smart building might have access to HVAC systems but not security cameras.
  4. Attribute-Based Access Control (ABAC): ABAC uses a combination of user, resource, and environmental attributes to determine access rights. This model provides fine-grained control and is highly adaptable to complex IoT environments.
  5. Policy-Based Access Control (PBAC): PBAC evaluates access requests based on policies that define conditions under which access is granted. This model is often used in dynamic and large-scale IoT environments.
  6. Blockchain-Based Access Control: This emerging model manages access control policies through smart contracts on a blockchain. It offers decentralised, tamper-evident access control (policies and decisions are recorded on an append-only ledger) suitable for large-scale distributed IoT systems.
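The RBAC, ABAC and PBAC entries above describe policy evaluation in words; the following is an added example (not code from the cited papers or products) of a small deny-by-default policy decision point for the smart-building scenario in the RBAC item, combining a role check with resource and environmental attributes (assigned building, time of day, a declared emergency). The attribute names, roles, building identifiers and sample requests are assumptions constructed for illustration; the precedence rule (any applicable Deny overrides any Permit, no applicable rule means Deny) is the one most policy languages such as XACML use.

```python
"""Minimal ABAC/PBAC evaluator for a smart-building IoT deployment.
Added example; not code from the papers or products cited on this page.
Attribute names, roles and the building layout are assumptions."""
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A condition sees the subject, resource and environment attribute sets.
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str            # "Permit" or "Deny"
    actions: frozenset     # actions this rule applies to
    condition: Condition   # attribute predicate that must hold


@dataclass
class PolicyDecisionPoint:
    """Deny-by-default evaluator: any applicable Deny beats any Permit."""
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        # Policies are data, so they can change at runtime without redeploying devices.
        self.rules.append(rule)

    def remove_rule(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def decide(self, subject: Attrs, resource: Attrs, env: Attrs, action: str) -> str:
        effects = {r.effect for r in self.rules
                   if action in r.actions and r.condition(subject, resource, env)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "Deny"          # no applicable rule: fail closed


def working_hours(env: Attrs) -> bool:
    return time(7, 0) <= env["now"] < time(19, 0)


def build_pdp() -> PolicyDecisionPoint:
    pdp = PolicyDecisionPoint()
    # Role check narrowed by attributes: maintenance may operate HVAC, but only
    # in buildings they are assigned to and only during working hours.
    pdp.add_rule(Rule(
        "maintenance-hvac", "Permit", frozenset({"read", "write"}),
        lambda s, r, e: s["role"] == "maintenance"
        and r["type"] == "hvac"
        and r["building"] in s["assigned_buildings"]
        and working_hours(e)))
    # Security staff may read cameras at any time.
    pdp.add_rule(Rule(
        "security-camera", "Permit", frozenset({"read"}),
        lambda s, r, e: s["role"] == "security" and r["type"] == "camera"))
    # Environmental attribute: a declared emergency lets responders read anything.
    pdp.add_rule(Rule(
        "emergency-override", "Permit", frozenset({"read"}),
        lambda s, r, e: s["role"] == "emergency_responder" and e.get("emergency", False)))
    # Explicit Deny: cameras are off-limits to non-security staff outside an
    # emergency, even if some other Permit rule would otherwise match.
    pdp.add_rule(Rule(
        "camera-lockdown", "Deny", frozenset({"read", "write"}),
        lambda s, r, e: r["type"] == "camera"
        and s["role"] != "security"
        and not e.get("emergency", False)))
    return pdp


def evaluate_samples() -> Dict[str, str]:
    """Constructed requests: normal, off-hours, wrong building, camera,
    emergency, and a policy revoked at runtime."""
    pdp = build_pdp()
    tech = {"role": "maintenance", "assigned_buildings": {"B1"}}
    responder = {"role": "emergency_responder", "assigned_buildings": set()}
    hvac_b1 = {"type": "hvac", "building": "B1"}
    hvac_b2 = {"type": "hvac", "building": "B2"}
    cam_b1 = {"type": "camera", "building": "B1"}
    day = {"now": time(10, 30)}
    night = {"now": time(23, 15)}
    alarm = {"now": time(23, 15), "emergency": True}

    results = {
        "tech_hvac_day": pdp.decide(tech, hvac_b1, day, "write"),
        "tech_hvac_night": pdp.decide(tech, hvac_b1, night, "write"),
        "tech_hvac_other_building": pdp.decide(tech, hvac_b2, day, "write"),
        "tech_camera_day": pdp.decide(tech, cam_b1, day, "read"),
        "responder_camera_alarm": pdp.decide(responder, cam_b1, alarm, "read"),
        "responder_camera_quiet": pdp.decide(responder, cam_b1, night, "read"),
    }
    # Dynamic policy management: revoke the override and re-evaluate without a restart.
    pdp.remove_rule("emergency-override")
    results["responder_camera_alarm_after_revoke"] = pdp.decide(responder, cam_b1, alarm, "read")
    return results


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:36s} {decision}")
```

The point to notice is the ordering of effects: the technician is denied camera access by the explicit Deny rule regardless of role, the responder is permitted only while the emergency attribute is set, and removing the override rule changes the decision immediately because policy is data rather than code baked into the device.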

Requirements of Access Control Solutions in IoT

Effective access control solutions in IoT must meet several functional requirements [2]. The most important are listed below:

  1. Scalability: Ability to handle a growing number of devices and users.
  2. Interoperability: Seamless integration with various IoT platforms and protocols.
  3. Fine-Grained Control: Support for detailed access rules based on multiple attributes.
  4. Dynamic Policy Management: Capability to update policies in real-time based on changing conditions.
  5. Decentralisation: Avoidance of single points of failure, especially in large-scale IoT deployments.
  6. Low Latency: Minimal processing delay to ensure real-time responsiveness.
  7. Security and Privacy: Protection against unauthorised access and data breaches.

Suitability of Access Control Types for Smart City Applications

Different access control types suit different application areas within smart cities. The mapping below suggests which model fits which area. It is a recommendation drawn from the access control mechanisms described in the literature, not a prescription.

  1. Discretionary Access Control (DAC): Suitable for small-scale and less critical applications, such as community-driven IoT networks.
  2. Mandatory Access Control (MAC): Ideal for critical infrastructure like energy grids and water distribution systems, where strict security is essential.
  3. Role-Based Access Control (RBAC): Well-suited for municipal operations, where users have predefined roles, such as traffic management and waste collection.
  4. Attribute-Based Access Control (ABAC): Effective for complex environments with dynamic requirements, such as smart transportation systems and emergency response.
  5. Policy-Based Access Control (PBAC): Suitable for adaptive environments requiring flexible and dynamic access rules, such as smart parking systems.
  6. Blockchain-Based Access Control: Ideal for large-scale distributed applications like smart grid management and city-wide surveillance systems.

Examples of Access Control Solutions

Numerous access control solutions cover the different application areas of smart cities. Below is a list of commercial and open-source solutions.

  1. AWS IoT Core: Provides fine-grained access control through AWS IoT Core policies attached to device certificates, alongside AWS Identity and Access Management (IAM) for users and services [3].
  2. Azure IoT Hub: Offers secure access control through per-device credentials (symmetric keys or X.509 certificates), shared access policies with scoped permissions, and Azure role-based access control on the management plane [4].
  3. OpenIoT: An open-source middleware platform that supports flexible access control policies [5].
  4. Hyperledger Fabric: A permissioned blockchain framework that supports decentralised access control through smart contracts (chaincode) and endorsement policies [6].
  5. IoTivity: An open-source implementation of the Open Connectivity Foundation (OCF) specification, with built-in security and access control lists for IoT devices [7].

Conclusion

Access control is crucial to securing IoT ecosystems, especially as they become integral to smart cities and other critical applications. By understanding and implementing appropriate access control models, organisations can ensure that IoT systems operate securely and efficiently, fostering trust and resilience in smart city environments.

References

  1. Golightly, Lewis, et al. "Securing distributed systems: A survey on access control techniques for cloud, blockchain, IoT and SDN." Cyber Security and Applications 1 (2023): 100015.
  2. Ouaddah, Aafaf, et al. "Access control in the Internet of Things: Big challenges and new opportunities." Computer Networks 112 (2017): 237-262.
  3. https://aws.amazon.com/iot-core
  4. https://azure.microsoft.com/en-us/products/iot-hub
  5. Soldatos, John, et al. "Openiot: Open source internet-of-things in the cloud." Interoperability and Open-Source Solutions for the Internet of Things: International Workshop, FP7 OpenIoT Project, Held in Conjunction with SoftCOM 2014, Split, Croatia, September 18, 2014, Invited Papers. Springer International Publishing, 2015.
  6. Androulaki, Elli, et al. "Hyperledger fabric: a distributed operating system for permissioned blockchains." Proceedings of the thirteenth EuroSys conference. 2018.
  7. https://iotivity.org/