Correctly Understanding the Cyber Security Triads
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Cyber security threats appear in a variety of forms and have become a hot topic during the past decade. The most common Information Technology (IT) related threats are internally or externally generated attacks causing theft of critical information, medical data, identities, etc. Other threats, even more severe, relate to Operational Technology (OT) attacks, which may lead to operational outages, damage to equipment and risk to human life. Most organizations have already experienced some form of cyber-attack caused by injection of viruses, phishing, ransomware, Distributed Denial of Service (DDoS), activation of trojan mechanisms, etc., leading to theft of intellectual property, damage to reputation, operational outages, and more.
In the IT field, identity theft is the attempt to act as someone else in order to retrieve that person's personal information or to take advantage of their access to critical data. In the OT field, sabotage may lead to manipulation of processes (food, pharma, chemicals, energy, etc.) aimed at causing loss of customer confidence and, consequently, financial damage to the victim. There are many ways to protect your organization through a variety of defense measures, involving deployment of technologies, policies and processes, training, collaboration with cyber defense authorities, etc. In this paper, I will elaborate on three defense triads, which are applicable to both IT and OT organizations.
The IT security CIA Triad
The three components in the Confidentiality-Integrity-Availability (CIA) triad are equally important; however, depending on your system, some parts may be more critical than others. You shall make your own judgement for each organization or system architecture you are evaluating.
- The Confidentiality principle states that access to information, assets, etc. should be granted only to authorized people and on a "need to know" basis, so that information is not accessible to everyone. There are various levels of confidentiality according to the criticality of the information. Encryption supports enhanced confidentiality, since it protects the information from leakage. Data Leakage Prevention (DLP) is a subset of the confidentiality requirement. It is also important to mention that you must select a strong encryption method such as AES-256.
- The Integrity part of the CIA triad makes sure that the information is trustworthy and has not been manipulated. Data integrity can be confirmed by a variety of tools such as the "one-way hashing" process, in which the hash value calculated before transmission of the data is sent along with the message. At the recipient side, the received data is hashed using the same process and the resulting value is compared with the received hash value. If both are identical, this confirms data integrity.
- The Availability factor is aimed at assuring that services are accessible. A DDoS attack on your organization will not hurt data confidentiality or integrity, but it prevents your users from accessing the service your organization offers. It is also important to mention that access to data can also be blocked during hurricanes, earthquakes, floods, etc. Adding smartly configured and distributed redundancy allows running your business with minimal risk of disruption.
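As an added example (not part of the original paper), the following Python code, using only the standard library, implements the hash-based integrity check described under Integrity above. It goes one step beyond the text: a plain hash sent alongside the message reliably detects accidental corruption or a message altered while its hash was left intact, but anyone who can rewrite the message can also recompute the plain hash, so the example additionally shows the keyed variant (HMAC-SHA256), where the tag cannot be recomputed without the shared secret. The setpoint message and both keys are constructed sample values.

```python
import hashlib
import hmac


def attach_digest(message: bytes) -> str:
    """Sender side of the "one-way hashing" scheme: hash the message before transit."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    """Recipient side: rehash the received data and compare with the received hash."""
    recomputed = hashlib.sha256(message).hexdigest()
    # compare_digest avoids leaking information through comparison timing
    return hmac.compare_digest(recomputed, received_digest)


def attach_mac(key: bytes, message: bytes) -> str:
    """Keyed variant: HMAC-SHA256 binds the tag to a secret shared by both ends."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Recipient recomputes the tag with the shared key and compares."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_tag)


def integrity_demo() -> dict:
    """Walk through the scenarios and return the outcome of each check."""
    # Constructed sample: a control command such as an OT system might send.
    original = b"SETPOINT valve_17 = 42.0"
    tampered = b"SETPOINT valve_17 = 99.0"
    # Constructed sample keys; in practice the key is provisioned securely to both ends.
    shared_key = b"constructed-shared-secret-32-bytes!!"
    attacker_key = b"attacker-does-not-know-the-real-key"

    digest = attach_digest(original)
    tag = attach_mac(shared_key, original)

    return {
        # Untouched message, intact hash: passes.
        "plain_hash_intact": verify_digest(original, digest),
        # Message changed in transit (or corrupted) but hash left alone: detected.
        "plain_hash_tampered": verify_digest(tampered, digest),
        # Message rewritten AND plain hash recomputed: not detected.
        "plain_hash_recomputed": verify_digest(tampered, attach_digest(tampered)),
        # HMAC, untouched message: passes.
        "hmac_intact": verify_mac(shared_key, original, tag),
        # HMAC, tampered message with the original tag: detected.
        "hmac_tampered": verify_mac(shared_key, tampered, tag),
        # Tag recomputed without knowledge of the shared key: detected.
        "hmac_forged": verify_mac(shared_key, tampered, attach_mac(attacker_key, tampered)),
    }


if __name__ == "__main__":
    for scenario, passed in integrity_demo().items():
        print(f"{scenario:22s} -> {'integrity confirmed' if passed else 'REJECTED'}")
```

The `plain_hash_recomputed` case is the reason the unkeyed scheme only confirms integrity when the hash reaches the recipient over a path the sender trusts (a separate authenticated channel, or a signed manifest); when message and hash travel together over an untrusted network, a MAC or a digital signature is the appropriate tool.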
The OT Security SRP Triad
When dealing with OT security, many experts like to rotate the CIA triad and create several variants like AIC, IAC, etc. While these variants are not a huge mistake, OT cyber experts shall prefer a more accurate and better matching triad: Safety-Reliability-Productivity (SRP).
- The Safety part means that OT systems shall be designed so that under no circumstances can the machinery hurt people, and that neither intentional sabotage nor mistaken action by authorized personnel can compromise their safe operation. This goal is achievable through safety-oriented design of the OT control architecture, supported by enhanced cyber security.
- The Reliability part is also highly important. In the past, safe and reliable operation of machinery was the main design criterion for OT, and cyber security requirements were not listed in the specifications. This flaw shall be corrected as soon as possible in all future projects and, as far as possible, in existing (legacy) installations.
- The Productivity part is very important, as it provides the business justification for the entire system. Naturally, achieving quality production must be supported by reliable system operation. Furthermore, reliability shall not be put at risk by vulnerable OT design.
The PPT Security Triad
When dealing with both IT and OT security, all experts agree on the critical importance of the People-Processes-Technology (PPT) triad. Indeed, as we learned from attacks in the past decade, the majority could have been prevented or at least minimized through stronger adherence to this triad.
- The People part deals with the ability of people to detect an attack and take immediate action to minimize the impact and damage. This requires consistent investment in training and drills. Having an on-site cyber range similar to your own system makes the training more effective.
- Organizations shall have written documentation covering their cyber defense Processes. Having such documents is already a step in the right direction, but enforcing their use across the organization is not an easy task. There are published cyber defense "best practices" and regulations, from which the CIO and CISO may retrieve information applicable to their organization.
- Enhanced Technology is important for achieving a higher level of cyber defense. The days when an antivirus and a firewall were enough are long past. Technology-related activity is affected by a range of organizational barriers and complexities. Lack of management awareness leads to limited budgets, which prevents investment in cyber defense.
The conclusion of this paper is that enhanced IT and OT cyber defense is achievable through the three triads mentioned above.
The remaining question is: which part of each triad shall be granted the highest priority? I'm not sure all cyber experts will agree, but my votes for each triad are the following:
- For the IT security triad, I say that assurance of data Integrity shall be positioned at the top.
- For the OT security triad, no doubt that Safety shall be granted the highest priority.
- For the PPT triad, I vote for People, as their negligence failed to prevent the majority of attacks.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years' engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.