Control system cybersecurity is CIAS not CIA (or IAC)

Aug. 23, 2015

For control systems, the CIA triad needs to add an additional term -“S” for safety. This is a real issue as there have been more than 50 actual control system cyber incidents that have injured or killed people. Because there is still gap between the Safety and control system cyber security communities, there will be a dedicated session specifically for safety at the 15th ICS Cyber Security Conference October 26-29 in Atlanta (www.icscybersecurityconference.com ).

 

The traditional security triad is C(onfidentiality), I(ntegrity), and A(vailability). As most people recognize, for IT applications, the security prioritization for CIA is in that order. Many people also realize that this priority listing is opposite for control systems. However, that is not sufficient to address control system cyber security because it misses arguably the most important aspect – safety!  Consequently, for control systems, it is not a triad (unless you want to eliminate C) but rather for control systems it needs to add an additional term -“S” for safety. This is a real issue as there have been more than 50 actual control system cyber incidents that have injured or killed people. Because there is still gap between the Safety and control system cyber security communities, there will be a dedicated session specifically for safety at the 15th ICS Cyber Security Conference October 26-29 in Atlanta (www.icscybersecurityconference.com ).

Joe Weiss