Is the CIA model useful for protecting process control systems?

I was prompted to write this post by a recent article and the subsequent discussion on the Tofino Security website on the issue of prioritizing the security features (confidentiality, integrity and availability) of information in an automated process control system.

And is this question correctly posed in relation to the process control system?

The CIA model (confidentiality, integrity, availability) has stood the test of time, and casting doubt on it is a thankless task. But given the specifics of process control systems, I think it is worth revisiting the applicability of this model: we need to understand how adequately it describes the information security of a process control system, and whether any changes are required.

Let us look at confidentiality, integrity and availability from the standpoint of management decision making. We need information in order to make informed decisions and then carry them out to achieve our goals.

If confidentiality is violated, our decisions become known to our opponents, which provokes their response and prevents us from achieving our goals. The outcome of the whole activity is negative: the goal has not been achieved.
If integrity is violated, our decisions become erroneous, because they are based on distorted information. The situation is complicated by the fact that we do not know when (or whether) we will learn that the information was distorted. The outcome of the activity is the same.
If availability is violated, we cannot make a decision at all. The good news is that we know the information is missing, and if there is additional time, we still have a chance to obtain it. The outcome of the activity is the same.

The approach described above is very general. Protecting a process control system does not require this level of generality; it can be narrowed down to the specifics of the process control system. Namely:

  1. Technological information (occurring events, input data and output commands) is typical, operational and local in nature: it is typical for such systems, it loses its relevance very quickly, and it is meaningful only within the same system.
  2. Decisions are made by controllers and control system operators, as well as by computing devices (for example, programmable logic controllers) following a given algorithm (software), based on the events that occur and/or the input data (the information collection phase).
  3. Decisions (commands) are carried out by duty or operational personnel, as well as by actuators.
  4. The time available to make and execute a decision is strictly limited.
  5. Process control can be either automated (with human participation) or automatic (without human participation).
  6. A process control loop (cycle) consists of a collection phase, a decision phase (automatic processing or calculation), and a command phase.
  7. The subject of information security for a process control system is protection against unauthorized access (other problems related to information are not new to process control systems, which already solve them, for example, by means of industrial safety).
  8. The process control system can process and store information of interest to criminals (for example, terrorists). For example, information on the accounting of process resources may be of interest to criminals seeking to gain illegal profit and hide the traces of their crimes.


Based on the first point, protection of confidentiality becomes unnecessary. Some additional comments are needed here, since a number of studies are known that determine the type of technological process (control object) by analysing captured network traffic. Nevertheless, knowledge obtained in this way cannot affect the achievement of the control system's control goal; what it can do is help an attacker develop an attack on the control system. Such knowledge should therefore be classified as information about the process control system, not as the technological information processed inside it. And then it is the confidentiality of the information about the automated process control system that must be protected. This type of information includes design and operational documentation and any other information that allows one to identify and describe an automated process control system (something like personal data,

Under the condition of limited time (the fourth point), availability and integrity become equivalent in the control system, since the consequences of having no decision (the result of a violation of availability) and of an erroneous decision (the result of a violation of integrity) are the same for the process. Within the given time frame, only the right decision is acceptable.
Thus, the entire information security of an automated process control system degenerates into the defence of one thing: integrity-availability, or availability-integrity. Somewhat unexpected! Is such a model useful?
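The argument above, that within a fixed decision deadline a missing or stale reading and a corrupted reading lead to the same outcome, can be illustrated with a small simulation of one control cycle. This is an added example, not code from the original post: the sensor tag "TT-101", the shared key, the setpoint and the 2-second deadline are all constructed values, and a keyed HMAC is used only as one illustrative integrity mechanism. The decision phase has exactly two outcomes, a control command or a fail-safe state, and every availability or integrity failure maps to the second one.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Shared key between sensor and controller (constructed for this example;
# a real deployment would provision a per-device key).
KEY = b"example-shared-key"


@dataclass
class Reading:
    tag: str          # instrument tag, e.g. "TT-101" (constructed)
    value: float      # measured process value
    timestamp: float  # seconds on the sender's clock
    mac: bytes        # HMAC over tag|value|timestamp


def sign(key: bytes, tag: str, value: float, timestamp: float) -> bytes:
    """Integrity tag over the fields the controller relies on."""
    msg = f"{tag}|{value:.6f}|{timestamp:.6f}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_reading(tag: str, value: float, timestamp: float, key: bytes = KEY) -> Reading:
    """Collection phase: the sensor produces a signed, timestamped reading."""
    return Reading(tag, value, timestamp, sign(key, tag, value, timestamp))


def integrity_ok(reading: Reading, key: bytes = KEY) -> bool:
    expected = sign(key, reading.tag, reading.value, reading.timestamp)
    return hmac.compare_digest(reading.mac, expected)


def decide(reading: Optional[Reading], now: float, deadline_s: float,
           setpoint: float, key: bytes = KEY) -> Tuple[str, str]:
    """Decision phase. Returns (action, reason).

    Only a reading that is both fresh (availability) and intact (integrity)
    yields a control command; every other case yields the same fail-safe
    action, which is the point the post makes about integrity-availability.
    """
    if reading is None:
        return ("SAFE_STATE", "no reading available")
    if now - reading.timestamp > deadline_s:
        return ("SAFE_STATE", "reading stale")
    if not integrity_ok(reading, key):
        return ("SAFE_STATE", "integrity check failed")
    # Command phase: a trivial on/off rule stands in for the real control law.
    command = "OPEN_VALVE" if reading.value < setpoint else "CLOSE_VALVE"
    return (command, "fresh and intact reading")


def run_demo() -> dict:
    """Four cases of one cycle: good, missing, stale, and tampered reading."""
    deadline, setpoint = 2.0, 80.0
    good = make_reading("TT-101", 70.0, timestamp=1000.0)
    # Attacker-modified value with the original MAC left in place (constructed).
    tampered = Reading(good.tag, 95.0, good.timestamp, good.mac)
    return {
        "good": decide(good, now=1000.5, deadline_s=deadline, setpoint=setpoint),
        "missing": decide(None, now=1000.5, deadline_s=deadline, setpoint=setpoint),
        "stale": decide(good, now=1010.0, deadline_s=deadline, setpoint=setpoint),
        "tampered": decide(tampered, now=1000.5, deadline_s=deadline, setpoint=setpoint),
    }


if __name__ == "__main__":
    for case, (action, reason) in run_demo().items():
        print(f"{case:9s} -> {action:12s} ({reason})")
```

The reasons differ, which matters for diagnostics and logging, but the action the process sees does not: from the process's point of view there is no third outcome between "correct command in time" and "fail-safe", which is why the post collapses availability and integrity into a single property.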

Thus, arguing about the relative priority of confidentiality, integrity and availability is pointless. We have answered the question posed at the beginning of the post and raised a new one.

Let us leave our theoretical research and move on to practice. In practice, we need to find technical means and organizational measures to ensure the information security of the process control system, namely, to protect the integrity-availability of the process control system's information against threats of unauthorized access. How many people will understand what needs to be done from such a statement of the problem? And most importantly, will the controllers and operators of the process control system feel the importance and adequacy of such "protection of the process control system", which is simply necessary for information security in the process control system? In my opinion, the answers to these questions are negative.

Therefore, I would suggest protecting the process control system from unauthorized access on the basis of the following model, which is derived from the CIA model but is better suited to a process control system:

  • Closed-loop process control: protection of the integrity and availability of technological information, as well as of the integrity of the parameters and software of the entire control cycle.
  • Visibility of the process: protection of the integrity and availability of technological information, as well as of the integrity of the parameters and software of the information collection phase of the control cycle.
  • Controllability of the process: protection of the integrity and availability of technological information, as well as of the integrity of the parameters and software of the command phase of the control cycle.
  • Normality of the technological process: protection of the integrity of the parameters and software of the automatic processing phase of the control cycle.
  • Continuity of process control: protection against accidents, shutdowns or critical delays.
  • A special case is the prevention and detection of economic and other criminal offences (integrity, provability).
How adequate and practically useful this model is, I leave to you, the readers of Habrahabr, to judge.
