Survey on Delegated and Self-Contained Authorization Techniques in CPS and IoT

Authentication, authorization, and digital identity management are core features required by secure digital systems. In this, authorization is a key component for regulating the detailed access credentials with respect to required service resources. Authorization, therefore, plays a significant role in the trust management of autonomous devices and services. Due to the heterogeneous nature of cyber-physical systems and the Internet of Things, several authorization techniques using different access control models, accounts, groups, tokens, and delegations have both strengths and weaknesses. Many studies exist in the literature that focus on other main security requirements, such as authentication, identity management, and confidentiality. However, there is a need for a comprehensive review of different authorization techniques in cyber-physical systems and the Internet of Things. A specific target of this paper is authorization in the cyber-physical system and Internet of Things networks with non-constrained devices in an industrial context with mobility, subcontractors, and autonomous machines that are able to carry out advanced tasks on behalf of others. We study the different authorization techniques using our three-dimensional classification, including access control models, subgranting models, and authorization governance. We focus on the state of the art of authorization subgranting, including delegation techniques by access control/authorization server and self-contained authorization using a new concept of power of attorney. Comparisons are performed with respect to several parameters, such as type of communication, method of authorization, control of expiration, and use of techniques such as public key certificate, encryption techniques, and tokens. The results show the differences and similarities of server-based and power of attorney-based authorization subgranting. The most common standards are also analyzed in light of those classifications.