Thought piece – Has the time come to consider using a new CIA triad for Operational Technology?

Ask any IT professional about information security and most will probably mention the CIA triad of Confidentiality, Integrity and Availability.

The CIA triad is widely accepted as fundamental to an organisation’s information security practice. Simply put, Confidentiality is about protecting your data from unauthorised viewing or access. Integrity means that your data is protected, reliable and correct. Availability is about ensuring that authorised users have access to the systems and data they need. The triad helps organisations to better understand, evaluate and mitigate risks in the information domain. When it is applied properly, the security profile of an organisation will be stronger and better equipped to handle threats like data breaches, exfiltration and ransomware.

But how does CIA stack up in an industrial environment where Operational Technology (OT) is used?

Traditionally, Industrial Security professionals would flip CIA to an AIC triad instead. The reason is that Availability in the context of OT is often considered more important than Integrity and Confidentiality. Business continuity or uptime is crucial in industrial environments. The loss of Availability on an Oil and Gas platform would cost the business substantial amounts in lost revenue. Confidentiality in OT, by contrast, applies to numerical data such as production rates and process values, which is not enticing enough for threat actors to create a ‘catastrophic’ physical impact.

This is where the author turns somewhat unconventional…

Protecting the Integrity of an OT system is more important than Availability and Confidentiality when viewed from an Operational Health and Safety perspective.

If you consider the Stuxnet attack on Iran’s uranium enrichment facilities in 2010, the Triton attack of 2017 or, more recently, the Predatory Sparrow attack in 2022, they all targeted the Integrity of the OT system. The Stuxnet attack was a ‘first-of-kind’ event; the Triton attack targeted the Safety Instrumented Systems of a refinery; and the Predatory Sparrow attack targeted an Iranian steel company, resulting in an industrial machine malfunctioning, catching fire and spewing molten steel across the factory floor. This has caused some security experts to question the traditional AIC model. These examples highlight how susceptible industrial facilities, and in particular the Integrity of their OT systems, can be to cyber-attacks and, if an attack is successful, how serious the consequences could be to equipment and safety.

Perhaps in an Industrial environment there should be a new triad, one that accurately reflects the importance of OT Integrity in Critical Infrastructure where Safety operations are paramount. Therefore, should industry consider using the IAC triad instead? Regardless of which triad is used, it is vital that industrial companies acknowledge the growing threat and importance of protecting OT to prevent large-scale disruptions or worse, loss of life.

Dane Clackworthy

Senior Account Executive

CyberPrism.net
