There are a variety of different types of systems in which commands are issued to devices within the system to perform operations, and in which the proper authorization for the issued command, and the authentication of that command's issuer, are paramount to the proper operation of the system. One example of such a system is an energy distribution network. The operational models for such systems can vary, and a number of different parties may exercise authority over different sets of control commands and messages sent to different entities in the network. If an unauthorized command is sent to a device in the network, e.g., instructing a distribution transformer to change its output voltage at a time when the load on the distribution grid cannot accommodate the change, the grid could become unstable and incur outages and/or damage. In another aspect, an unauthorized command to replenish a pay-as-you-go meter could result in theft of the energy resource being distributed via the network. Accordingly, commands issued to the devices should comply with business policies that are designed to prevent such occurrences, and the authentication of commands should be verified at the devices before implementing commanded operations.
Of course, systems other than energy distribution networks have similar types of security concerns. For instance, an enterprise's information technology system may need to protect the configuration of its routers and other network components, even in cases where individual persons have physical access to the components and may be able to enter commands directly into them.
One example of a system that ensures security of commands issued to devices is disclosed in U.S. application Ser. No. 12/939,702, filed Nov. 4, 2010. The disclosed system includes an agent, such as a hardware security module, that implements permitting operations. When a control and/or management application has a command to be sent to a device, the command is first forwarded to the agent, where it is checked to determine whether it complies with policies designed to ensure proper operation of commanded devices. If the command complies, the agent signs the data pertaining to the command, and optionally also encrypts it. The agent then issues a permit containing the signed command data. This permit is transmitted to the device, for execution of the commanded operation.
In a complex system, such as an energy distribution network, a number of responsible parties exercise authority over different sets of control commands and messages that are sent to different entities in the network. Thus, in dependence upon the party issuing the command, and the entity to which the command is sent, different sets of business logic may need to be consulted in order to confirm that the command, and the issuing party, conform to established policies. Over time, some of the business logic may need to be updated to accommodate changes in the configuration of the system, new issuing authorities, and/or other factors that can vary. Accordingly, it is desirable to provide a flexible permit system that can accept permit requests from a variety of sources via a well-defined interface, with configurable rules for each type of source, or each issuance of a permit. In addition, the business logic embodied in the configurable rules should be able to address a wide variety of applications, while ensuring the necessary security of the issued commands.
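The permit flow described above, with the configurable per-issuer rules of this paragraph, as an added illustration that is not code from the application or from any product: a constructed policy table keyed by issuing party and command, an agent that checks a requested command against it and signs the approved command data, and a device that verifies the permit before acting. An HMAC over the serialized command stands in for the agent's signature (an HSM would normally use an asymmetric key), and the serial number used to reject replayed permits is an assumed field, not one named on the page.

```python
import hashlib
import hmac
import json

# Constructed sample policy: which issuer may send which command to which device
# class, and the business limit that applies to the command's arguments.
POLICY = {
    ("grid-ops", "set_voltage"): {"device_class": "transformer", "max_abs_delta": 5},
    ("billing", "replenish"): {"device_class": "meter", "max_credit": 100},
}
DEVICE_CLASSES = {"xfmr-17": "transformer", "meter-42": "meter"}


class PermitAgent:
    """Policy-checking agent (stand-in for the HSM) that signs approved commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.serial = 0  # increasing permit number; an assumed anti-replay field

    def issue_permit(self, issuer, device, command, args):
        rule = POLICY.get((issuer, command))
        if rule is None or DEVICE_CLASSES.get(device) != rule["device_class"]:
            return None  # issuer not authorised for this command on this device
        if command == "set_voltage" and abs(args["delta"]) > rule["max_abs_delta"]:
            return None  # violates the configured business limit
        if command == "replenish" and args["credit"] > rule["max_credit"]:
            return None
        self.serial += 1
        body = {"serial": self.serial, "issuer": issuer, "device": device,
                "command": command, "args": args}
        data = json.dumps(body, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.key, data.encode(), hashlib.sha256).hexdigest()
        return {"data": data, "sig": sig}  # the permit: signed command data


class Device:
    """Commanded device: verifies the permit before executing anything."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.last_serial = name, key, 0

    def execute(self, permit):
        expected = hmac.new(self.key, permit["data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, permit["sig"]):
            return False  # signature does not verify: not issued by the agent
        body = json.loads(permit["data"])
        if body["device"] != self.name or body["serial"] <= self.last_serial:
            return False  # permit addressed to another device, or replayed
        self.last_serial = body["serial"]
        return True  # the commanded operation would be carried out here
```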