BlogDefinition & Learning

Confidentiality vs Integrity vs Availability vs Authenticity vs Non-repudiation. CIAAN in ICS/OT with Safety & Reliability considerations

Most people have heard about the CIA Triad. It is abbreviation for Confidentiality, Integrity & Availability. It is utilized as a guiding model for Information Security.

However, CIAAN is an extension to the CIA triad and is often referred to as pillars of information security. Its abbreviation for Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation. They are crucial for understanding how information is protected in various systems and processes. While they overlap and interact, each represents a distinct aspect of securing valuable data.

In addition, in an Operational Technology Environment, Safety & Reliability are more important than the above. The whole system right from design to the production could be abbreviated as SRCIAAN (Safety, Reliability, Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation).

Below are the details of these pillars:

Confidentiality: This principle ensures that only authorized individuals or systems can access specific information. Think of it as keeping secrets. Encryption, access controls, and data masking are common techniques used to achieve confidentiality.

Integrity: This principle guarantees that information remains accurate and complete, unaltered from its original state. It’s like safeguarding the truthfulness of the information. Techniques like digital signatures, message authentication codes, and data hashing help maintain integrity.

Availability: This principle ensures that authorized users can access and use information whenever they need it. Imagine a library being open during designated hours. Redundancy, disaster recovery plans, and system uptime monitoring are used to ensure availability.

Authenticity: This principle verifies the legitimacy of the source of information or communication. It’s like confirming the sender’s identity on a phone call. Authentication protocols, digital certificates, and biometric identification are methods used for authenticity.

Non-repudiation: This principle prevents individuals from denying their involvement in a transaction or communication. It’s like having a signed document as proof. Digital signatures, timestamps, and tamper-proof logs help achieve non-repudiation.

Safety: There cannot be any compromise on safety in the OT environment. Hence any design or architecture should keep safety into consideration working in an OT environment.

Reliability: This ensures that the entire system should work as per the design and there is no failure that could cause unnecessary or uncontrolled scenario in the environment.

Example of CIAAN in an Operational environment (OT/ICS/Critical Infrastructure):

Let us take an example of an ICS system in a manufacturing sector. Each example below illustrates difference between each of CIAAN principles:

Confidentiality:

  • Example: The recipe for a special chemical used in a critical component is only accessible to authorized personnel with high-level clearance. This ensures unauthorized individuals cannot steal the intellectual property.
  • Implementation: Access controls restrict who can view and modify the chemical. Encryption protects the data during transmission and storage.

Integrity:

  • Example: Sensor readings must be accurate and reliable to ensure optimal production quality. Any manipulation of these readings could lead to defective products.
  • Implementation: Digital signatures verify the origin and authenticity of sensor data, preventing unauthorized tampering. Error detection and correction mechanisms identify and rectify any discrepancies.

Availability:

  • Example: The OT system must be operational 24/7 to avoid production downtime and financial losses.
  • Implementation: Redundant systems and backup plans ensure continuous operation even if one component fails. Disaster recovery procedures minimize downtime in case of major disruptions.

Authenticity:

  • Example: Operators need to be sure they are communicating with the correct control system and not a spoofed version.
  • Implementation: Secure communication protocols and digital certificates verify the identity of devices and users on the network.

Non-repudiation:

  • Example: It’s crucial to track who made changes to system configurations or production settings for accountability and auditing purposes.
  • Implementation: Logging systems record all user activity and changes made to the OT system, with timestamps and digital signatures for verification.

Related Posts