Understanding CIA in an OT environment

Any IT professional will tell you that the CIA triad is key to understanding, evaluating, and mitigating risk. Those OT professionals who are familiar with the CIA triad, and not all are, are likely to say “you have it backwards!” In this blog we’ll briefly explain what the CIA triad is, how to use its components of Confidentiality, Integrity, and Availability to evaluate OT cybersecurity risks, and how to recognize the differences between them in IT and OT to avoid confusion.

The acronym in IT

Confidentiality: Quite simply, this is the ability to keep the information secret from others. In a traditional IT application, this might be as simple as making sure others cannot read your e-mail, locking your computer when you walk away, or password protecting a file with sensitive documents.

Integrity: This is making sure that the data is not corrupted. If data is changed, or simply made to be not trust-worthy, it can have drastic effects on an organization. An example in the IT space is a spoofed or hacked E-mail, where an e-mail can be sent by unauthorized personnel. Another example would be a man-in-the-middle attack where values are changed during the transmission of information and may be considered trusted information by the receiver.

Availability: This is simply making sure that the systems and applications function. An example of this from the IT space is ensuring maximum uptime for critical servers like e-mail, file shares, VPN connections for remote workers, and other systems that see daily and constant use.

In the IT space confidentiality typically matters the most, then integrity, then availability. It’s much more important that your secrets are always secure, and no one is sending e-mails on your behalf or gaining unapproved access to sensitive documents on a computer or in transit. Ensuring all systems are available every second of every day is not as important when you consider that momentary upsets in IT systems seldom have physical world repercussions.

What it means in OT:

Confidentiality: Since the IT OT line is typically somewhere in L3 in the Purdue model, “confidentiality” applies to OT data such as process values, and production rates in addition to privileged credentials and access. While it is important to keep this information confidential, it may not be useful to even the most sophisticated hackers. However, certain processes are sensitive in nature, or may have support systems that require confidential data in transit. As a result, your specific situation must be evaluated to properly weigh the risks and impact of confidentiality.

Integrity: If unauthorized access to OT assets puts integrity in question, it may compromise quality and safety systems. The compromise of these systems may require the product to be discarded or the system to be shut down. If integrity is compromised and not identified and mitigated it can damage reputation and possibly endanger customers. In the worst case, it can cause server harm or damage to site personnel and equipment, as in the case of Oldsmar and Stuxnet attacks.

Availability: In the context of OT, this may be the most important aspect of the CIA triad. Manufacturing and Infrastructure rely heavily on being available. In some cases, the loss of availability could jeopardize the safety of consumers and producers. Depending on the type and length of availability loss, this can result in economic, ecological, and life-threatening situations. Examples of availability attacks include the recent Colonial Pipeline attack, the 2019 Springhill Memorial Hospital ransomware attack, and the 2015 Sandworm attacks on Ukrainian infrastructure.

How to use CIA:

As shown by the examples above, the specifics of a system determine if Confidentiality, Integrity, or Availability are more important. Therefore, many companies find it helpful to leverage the expertise of a Cybersecurity-experienced system integrator to assist with determining where risks of downtime (availability) or manipulation of data (integrity) rise above the importance of confidentiality. Every organization has different needs when evaluating the CIA triad, and they should take the time to properly consider what is best for them. As cyber attacks continue to expand on an international scale, efforts like this can make or break the future of an organization.