[Figure: ENS Events Stream; connected element types: Network Devices, Energy Meters, PLCs, CEP Engines, Energy Units, Production Devices, Reasoners]
[Figure (continued): Robots, Conveyors; P1C1Rob1, P1C1Rob2, P1C1Rob3, PnCsRob1, PnCsRob2, PnCsRob3]

and maximize the scalability and management of the

Therefore a virtual host can manage one or more

can subscribe to the energy monitoring namespace specifying:

EnMonRoot.Production Line P1.*.Robots.*

The namespace concept and its subscription features provide high flexibility and dynamicity to the ENS, marking a big difference from other solutions, for example those based on the JMS standard (e.g. solutions using ActiveMQ).

Adding a new device to a manufacturing plant does not impact the ENS or the monitoring applications: it is sufficient to provide, on the newly added device side, the information related to the topic under which it has to publish its events and how to connect to the ENS, while, on the monitoring application side, changes may not be required at all if the subscribing applications/services have performed a namespace subscription that already embraces the new device.

3.6. ENS access control mechanisms

The ENS access control is based on a Capability Based Access Control mechanism (see [28], [29]) that is being specifically developed in the IoT@Work project. Capability Access Control, sometimes referred to as capability based security, [30] “is […] one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. […] A capability is defined to be a protected object […] which, by virtue of its possession by a user process, grants that process the capability (hence the name) to interact with an object in certain ways. Those ways might include reading data associated with an object, modifying the

Footnote 6: RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) are widely used access control approaches.

[Figure 5. Capability vs ACL access control: Access Control List vs Capability List]

In capability based access control, therefore, the subject has to include in his/her service request the capability that asserts his/her rights on the resource and demonstrate he/she is the owner of the presented capability. The service provider has only to check that the presented capability is valid and compatible with the request, and that the granted subject, as stated in the presented capability, is the subject that has submitted the request. This solution is therefore more scalable, secure and flexible and does not require complex federated identity and access management systems.

The ENS capability based authorization approach is based on ideas and approaches in the mentioned papers, as well as in the “SPKI Certificate Theory” [34], with extensions and adjustments to adapt the approach to the IoT context and specifically to the IoT@Work ones.

As compared to the previous approaches, the capability based authorization used in IoT@Work provides the following additional features:

- delegation support: a subject can grant access rights to another subject, as well as grant the right to further delegate all or part of the granted rights to a third subject;
- capability revocation: capabilities can be revoked by properly authorized subjects, therefore solving one of the issues of capability based approaches in distributed environments;

and is able to meet the following requirements:
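As an added illustration (not code from the paper or from the IoT@Work project), the following Python sketch implements the service-provider checks described above: the presented capability must be valid (signed, unexpired, not revoked), compatible with the request (right and namespace pattern), delegated only by its holder and only with narrowed rights, and presented by the subject it was granted to. Shared-secret HMAC stands in for public-key signatures, and all keys, capability identifiers, field names and namespace patterns are constructed for the example.

```python
import hashlib, hmac, json, time

# Constructed demo keys; HMAC over shared secrets stands in for SPKI-style public-key signatures.
KEYS = {"ens-authz": b"root-key", "plant-mgr": b"plant-key", "maint-app": b"app-key"}
TRUSTED_ISSUERS = {"ens-authz"}
REVOKED = {"cap-0099"}   # revocation list, consulted for every link of the chain

def topic_matches(pattern, topic):
    """'*' matches exactly one dot-separated segment (e.g. 'EnMonRoot.Production Line P1.*.Robots.*');
    also used to check that a delegated pattern stays within the parent pattern."""
    p, t = pattern.split("."), topic.split(".")
    return len(p) == len(t) and all(a == "*" or a == b for a, b in zip(p, t))

def sign(payload, key):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue(issuer, subject, resource, rights, cap_id, expires):
    cap = {"id": cap_id, "issuer": issuer, "subject": subject,
           "resource": resource, "rights": sorted(rights), "expires": expires}
    return {**cap, "sig": sign(cap, KEYS[issuer])}

def verify(chain, request, now=None):
    """chain[0] is a root capability, each later link is issued by the previous
    subject; request = {subject, op, topic, sig}. Returns (ok, reason)."""
    now = time.time() if now is None else now
    for i, cap in enumerate(chain):
        body = {k: v for k, v in cap.items() if k != "sig"}
        if not hmac.compare_digest(cap["sig"], sign(body, KEYS.get(cap["issuer"], b""))):
            return False, f"{cap['id']}: bad signature"
        if cap["id"] in REVOKED or cap["expires"] < now:
            return False, f"{cap['id']}: revoked or expired"
        if i == 0 and cap["issuer"] not in TRUSTED_ISSUERS:
            return False, f"{cap['id']}: untrusted root issuer"
        if i > 0:   # delegation must come from the holder and may only narrow rights
            parent = chain[i - 1]
            if (cap["issuer"] != parent["subject"] or "delegate" not in parent["rights"]
                    or not set(cap["rights"]) <= set(parent["rights"])
                    or not topic_matches(parent["resource"], cap["resource"])):
                return False, f"{cap['id']}: delegation unauthorized or widens rights"
    leaf = chain[-1]   # compatibility with the request, then proof of possession
    if request["op"] not in leaf["rights"] or not topic_matches(leaf["resource"], request["topic"]):
        return False, "request not covered by capability"
    req_body = {k: v for k, v in request.items() if k != "sig"}
    if request["subject"] != leaf["subject"] or not hmac.compare_digest(
            request["sig"], sign(req_body, KEYS.get(leaf["subject"], b""))):
        return False, "requester is not the granted subject"
    return True, "ok"
```

A monitoring application holding a capability delegated by the plant manager for one cell's robots can thus subscribe to that cell's topics, while a delegation that names another production line, a revoked link, or a request signed by someone other than the granted subject is rejected with a specific reason for the audit log.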
- easy support of the authorization needs of many subjects (manufacturers, maintainers, etc.);
- easy control of the nature and characteristics of the information made available through the ENS;
- assurance that all subjects access ENS data with the least privileges;
- high security and full auditability of resource access even when rights have been delegated;
- offloading of access control management to face external subjects dynamics.

3.7. Technologies and additional features

The ENS architecture eases the deployment of new services and features by simply connecting new applications to it and instructing the ENS to provide only the requested set of events.

A relevant example is predictive maintenance, which can be achieved by connecting CEP (Complex Event Processing) or semantic engines to the ENS middleware and deploying specific programs (e.g. pattern-search specifications on CEP engines) on these engines.

On the technological side, the IoT@Work ENS is based on the RabbitMQ broker (http://www.rabbitmq.com), which is one of the most accredited AMQP implementations and is being used, for example, in cloud solutions like OpenStack (http://openstack.org), the Heroku cloud application platform (http://www.heroku.com) and the NASA Nebula Cloud Computing Platform (http://nebula.nasa.gov). RabbitMQ is written in the Erlang (http://www.erlang.org) programming language, which has built-in support for concurrency, distribution and fault tolerance.

The ENS authorization service is being developed as an OSGi (footnote 7) application, while the ENS client library is being developed both as a traditional Java library and as an OSGi library.

Footnote 7: The OSGi (Open Services Gateway initiative) framework provides functionalities to create Java applications from small, reusable and collaborative components, as well as to dynamically deploy and manage them, even remotely. The OSGi (http://www.osgi.org) specifications are so widely applicable because the platform allows multiple Java components to efficiently execute in a single Java Virtual Machine.

4. Conclusions and future work

The previous sections have described the functionalities and architecture of the IoT@Work ENS middleware, which acts as a flexible and scalable connector among event sources and event consumers. The ENS is not only an asynchronous message-oriented server but can be considered an active component of an Event-Driven Architecture, as it fully supports the key features of that paradigm (e.g. broadcast communication, timeliness, asynchrony, etc.).

The ENS is pursuing the latest research trends in solutions for data collection in production systems (see Section 2, Related work), proposing a solution able to provide the following benefits:

- decoupling event collection and dispatching from business logic;
- improved security and data access control – as stated, the IoT@Work approach brings the data to the interested parties, instead of bringing the parties to the data. This reversed approach, together with the capability based access control mechanism, has significant impacts both on the system’s security and on controlling what data are provided to whom;
- scalability: the ENS, thanks to the use of AMQP solutions, can be tuned in order to efficiently support the increase of event producers (i.e. devices in the factory) and consumers (i.e. monitoring applications);
- complex event processing and reasoning: the events can be used to feed a Complex Event Processing (CEP) engine which can be programmed in order to support predictive maintenance or other monitoring services.

The ENS is currently under development and will soon be tested within specific validation scenarios the IoT@Work consortium is setting up.

After completing the ENS development, it will be extended via the integration of specific CEP engines for implementing specific monitoring applications (for example, energy consumption monitoring).

References

[1] H. Sundmaeker, P. Guillemin, P. Friess, S. Woelfflé (editors), Vision and Challenges for Realising the Internet of Things, ISBN 978-92-79-15088-3, doi:10.2759/26127, March 2010.
[2] B. Kowalewski, M. Bubak, B. Balis, “An Event-Based Approach to Reducing Coupling in Large-Scale Applications”, Lecture Notes in Computer Science, Springer, vol. 5103, pp. 358-367, June 2008.
[3] Z. A. Banaszak, B. H. Krogh, “Deadlock avoidance in flexible manufacturing systems with concurrently competing process flows”, IEEE Trans. on Robotics and Automation, vol. 6, no. 6, pp. 724-734, December 1990.
[4] J. Park, S. A. Reveliotis, D. A. Bodner, L. F. Mcginnis, “A distributed, event-driven control architecture for flexibly automated manufacturing systems”, International Journal of Computer Integrated Manufacturing, vol. 15, no. 2, 2002.
[5] K. Walzer, J. Rode, D. Wunsch, M. Groch, “Event-driven manufacturing: Unified management of primitive and complex events for manufacturing monitoring and control”, IEEE International Workshop on Factory Communication Systems, WFCS 2008, May 2008, pp. 383-391.
[6] D. Chou, “Using Events in Highly Distributed Architectures”, The Architecture Journal, Microsoft Corporation, no. 17, October 2008.
[7] Rockwell Automation - Global Manufacturing Solutions, “RFID in Manufacturing: A practical guide on extracting measurable value from RFID implementations in plant and warehousing operations”, October 2004.
[8] Y. M. Lee, F. Cheng, Y. T. Leung, “Exploring the Impact of RFID Supply Chain Dynamics”, in Proc. 2004 Simulation Conference, vol. 2, pp. 1145-1152, Dec. 2004.
[9] S. Toffaletti, J. Soldatos, “RFID-ROI-SME Project Promises Big Help for Small Business”, RFID Journal, June 14th, 2010.
[10] S. Karadgi, D. Metz, M. Grauer, W. Schäfer, “An Event Driven Software Framework for Enabling Enterprise Integration and Control of Enterprise Processes”, in Proc. 10th International IEEE Conference on Intelligent System Design and Applications, Nov.-Dec. 2010, pp. 24-30.
[11] Y. H. Zhang, Q. Y. Dai, R. Y. Zhong, “An Extensible Event-Driven Manufacturing Management with Complex Event Processing Approach”, International Journal of Control and Automation, vol. 2, no. 4, pp. 13-24, Dec. 2009.
[12] J. L. Martinez Lastra, I. M. Delamer, “Semantic Web Services in Factory Automation: Fundamental Insights and Research Roadmap”, IEEE Transactions on Industrial Informatics, vol. 2, no. 1, pp. 1-11, Feb. 2006.
[13] L. Monostori, J. Váncza, S. R. T. Kumara, “Agent-Based Systems for Manufacturing”, CIRP Annals – Manufacturing Technology, vol. 55, pp. 697-720, 2006.
[14] V. Marik, J. Lazansky, “Industrial applications of agent technologies”, Control Engineering Practice, Special Issue on Manufacturing Plant Control: Challenges and Issues, vol. 15, pp. 1364-1380, 2007.
[15] V. Marik, P. Vrba, K. H. Hall, F. P. Maturana, “Rockwell automation agents for manufacturing”, in Proc. 4th International Joint Conference on Autonomous Agents and Multiagent Systems, pp. 107-113, July 2005.
[16] C. Popescu, “Approach to Incremental Modelling of Web Services Orchestration - An Application to Deadlock-free Scheduling in Automated Systems”, Tampere University of Technology, Publication 832, 2009.
[17] A. W. Colombo, “SOCRADES: Steps Towards the Factory of the Future”, Projects Magazine EU, edition 12, pp. 20-23, British Publishers Inc., 2009.
[18] J. Kaiser, C. Mitidieri, C. Brudna, C. E. Pereira, “COSMIC: A middleware for event-based interaction”, in Proc. 9th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2003), vol. 2, pp. 669-676, Sept. 2003.
[19] T. Kirkham, D. Savio, H. Smit, R. Harrison, R. P. Monfared, P. Phaithoonbuathong, “SOA middleware and automation: Services, applications and architectures”, in Proc. 6th IEEE International Conference on Industrial Informatics (INDIN 2008), pp. 1419-1424, July 2008.
[20] M. Marinov, N. Magaletti, T. Pavlov, F. Gaus, D. Rotondi, P. Vitliemov, S. Ivanova, “An Approach to Designing Distributed Knowledge-based Software Platform for Injection Mould Industry”, WSEAS Transactions on Information Science and Applications, issue 11, vol. 7, Nov. 2010.
[21] D. Rotondi et al., “Project Deliverable D1.1 – State of the art and functional requirements in manufacturing and automation”, EU FP7 IoT@Work, public project deliverable, Dec. 2011 (revised).
[22] A. M. Houyou et al., “Project Deliverable D2.1 – IoT addressing schemes applied to manufacturing”, EU FP7 IoT@Work, public project deliverable, Dec. 2011 (revised).
[23] A. M. Houyou et al., “Project Deliverable D2.2 – General bootstrapping architecture”, EU FP7 IoT@Work, public project deliverable, May 2011.
[24] P. Koen, C. Strömsdörfer, “Distributed Applications in Manufacturing Environments”, The Architecture Journal, Microsoft Corporation, no. 17, October 2008.
[25] A. Sheth, C. Henson, S. Sahoo, “Semantic Sensor Web”, IEEE Internet Computing, pp. 78-83, July/August 2008.
[26] R. Akerkar, P. Sajja, Knowledge-Based Systems, Jones & Bartlett Learning, ISBN 978-0-7637-7647-3, August 2009.
[27] AMQP Working Group, “Advanced Message Queuing Protocol – Protocol Specification”. Available: http://www.amqp.org/confluence/download/attachments/720900/amqp.pdf?version=1&modificationDate=1318011006000
[28] S. Gusmeroli, S. Piccione, D. Rotondi, “IoT Access Control Issues: a Capability Based Approach”, to be published in Proc. 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS 2012), International Workshop on Extending Seamlessly to the Internet of Things (esIoT2012).
[29] D. Rotondi, C. Seccia, S. Piccione, “Access Control & IoT: Capability Based Authorization Access Control System”, 1st IoT International Forum, position paper, Nov. 2011.
[30] Wikipedia contributors, “Capability-based security”, Wikipedia, The Free Encyclopedia.
[31] A. Lackorzynski, A. Warg, “Taming subsystems: capabilities as universal resource access control in L4”, in Proc. 2nd Workshop on Isolation and Integration in Embedded Systems (IIES 2009), pp. 25-30, April 2009.
[32] G. D. Skinner, “Cyber Security Management of Access Controls in Digital Ecosystems and Distributed Environments”, in Proc. 6th International Conference on Information Technology and Applications (ICITA 2009), pp. 77-82, Nov. 2009.
[33] L. Fang, D. Gannon, F. Siebenlist, “XPOLA – An Extensible Capability-based Authorization Infrastructure for Grids”, 4th Annual PKI R&D Workshop, April 2005.
[34] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, T. Ylonen, “IETF RFC 2693 - SPKI Certificate Theory”, Sept. 1999.
[35] G. Hohpe, “Programming Without a Call Stack – Event-driven Architectures”, 2006.
[36] I. M. Delamer, J. L. M. Lastra, “Service-Oriented Architecture for Distributed Publish/Subscribe Middleware in Electronics Production”, IEEE Transactions on Industrial Informatics, vol. 2, no. 4, pp. 281-294, Nov. 2006.