End to End Secure Data Exchange in Value Chains with Dynamic Policy Updates
Aintzane Mosteiro-Sanchez, Marc Barcelo, Jasone Astorga, Aitor Urbieta
TL;DR
The paper addresses secure end-to-end data exchange in value chains that include IIoT devices, where dynamic policy updates are essential to adapt to evolving collaboration. It introduces an E2E secure system based on Multi-Layered CP-ABE together with AES-GCM to guard data from production to consumption while allowing policy updates without involving resource-constrained field devices. The approach enables data producers to control access via attribute-based policies, support one-to-many sharing, and revoke outdated permissions through timestamped keys and an External CT Engine, all mapped to ENISA’s high-level reference model. Experimental evaluation on ARM-like hardware demonstrates the practicality and scalability of the solution for IIoT platforms, validating its potential to reduce data breach risks in industrial value chains.
Abstract
Data exchange among value chain partners provides them with a competitive advantage, but the risk of exposing sensitive data is ever-increasing. Information must be protected in storage and transmission to reduce this risk, so only the data producer and the final consumer can access or modify it. End-to-end (E2E) security mechanisms address this challenge, protecting companies from data breaches resulting from value chain attacks. Moreover, value chain particularities must also be considered. Multiple entities are involved in dynamic environments like these, both in data generation and consumption. Hence, a flexible generation of access policies is required to ensure that they can be updated whenever needed. This paper presents a CP-ABE-reliant data exchange system for value chains with E2E security. It considers the most relevant security and industrial requirements for value chains. The proposed solution can protect data according to access policies and update those policies without breaking E2E security or overloading field devices. In most cases, field devices are IIoT devices, limited in terms of processing and memory capabilities. The experimental evaluation has shown the proposed solution's feasibility for IIoT platforms.
