Rethinking the Relevance of the Security Triad

Sinclair

A few weeks ago, I had the privilege of presenting at the Nordic OT Security Conference in Stockholm. My presentation centered on a topic I’ve coined “Deep Defense” which also serves as the focal point of the book I am currently authoring.

During the same conference, a variety of captivating presentations were on the agenda, including one that delved into the distinctions between Operational Technology (OT) and Information Technology (IT). Typically, this isn’t a subject that would pique my interest, but presenter Kevin Kumpf brought it to life with insightful analogies and an interactive approach, involving the audience through thought-provoking questions. As a result, the presentation took on an enjoyable, vibrant and engaging atmosphere.

One argument Kevin put forth, which garnered unanimous agreement from the audience, revolved around the CIA triad. In the realm of IT, the prevailing approach is to prioritize Confidentiality (C) above Integrity (I) and Availability (A). However, in the domain of OT, the priorities seem to shift, with Availability taking precedence, followed by Integrity, and Confidentiality assuming a lower priority. This intriguing contrast between CIA in IT and AIC in OT has sparked valuable discussions in the past. Some like to add safety or reliability, others add productivity.

In my view, security is fundamentally rooted in the assessment of risk and the subsequent strategic responses. The prioritization within any security triad should be intricately guided by risk assessment, determining the significance and sequencing of its elements. The crucial point to emphasize is that risk, by its very nature, is directly correlated with the potential impact or consequences it may have on the business.

I had the opportunity to provide consultancy services to a power generation plant in the past. In Europe, we rely on the European Power Exchange, which operates in numerous countries, including Austria, Belgium, Denmark, Finland, France, Germany, Great Britain, Luxembourg, the Netherlands, Norway, Poland, Sweden, and Switzerland.

The European Power Exchange employs a competitive and transparent market mechanism, which encompasses the day-ahead and intraday electricity markets. Within this framework, possessing insights into the operational status of a power plant holds significant financial value. As a result, confidentiality emerged as a paramount concern for this particular power generation facility. In this example, loss of confidentiality has a serious business impact, so it was a driving force behind many of the security decisions.

Now, let’s consider the importance of availability and integrity. When we undertake the construction of a petrochemical plant and devise the automation system (known as the Industrial Control System or ICS), a step in the design process is what is referred to as the computer HAZOP. The computer HAZOP, or Hazard and Operability Study, is an examination of the potential hazards that the plant may encounter due to the process automation functions. These hazards encompass scenarios such as power outages, physical and cyber security breaches, or failures in cooling systems of the instrumentation rooms (very critical in countries with hot climates).

During the design phase, our primary objective is to establish inherent safety within the plant. Inherent safety means that even in cases of temporary disruptions to automation functions, we strive to prevent conditions that could pose risks to people or the environment.

However, it’s essential to acknowledge that achieving inherent safety isn’t always feasible, especially in brownfield installations where the process installation is significantly older than the automation systems. In such cases, retrofitting and modernizing older installations to align with modern safety standards can be a costly, complex and challenging endeavor.

In general, we can assert that availability is a significant element in the triad because it directly influences the financial aspects of the business. However, the design of the plant should be such that a brief interruption in the availability of process automation functions does not pose critical safety risks. It’s worth noting that specific sites, particularly those requiring forced cooling systems to prevent chemical overheating and potential explosions due to the resulting high pressure, may present unique challenges. Nonetheless, even these hazards can often be addressed through the design of a fundamentally safe plant using the principle of attenuation.

This principle has become standard design practice for storing significant quantities of ammonia and chlorine. It involves refrigeration at atmospheric pressure, as opposed to pressurizing them at ambient temperatures. When there’s a breach in the tank or connecting lines below the liquid level, the liquid’s flow rate through the breach is reduced, and because the liquid is cooler, a smaller portion tends to evaporate. On the other hand, if there’s a hole above the liquid level in the tank, the flow is minimal since there’s little or no pressure to drive it.

For other liquefied flammable gases (LFG) like propane, propylene, butane, butylene, ethylene oxide, vinyl chloride, and methylamines, it’s common practice to keep them stored at low temperatures. It’s undeniable that refrigerated storage is a safer option compared to pressurized storage. If, for instance, the material needs to be refrigerated, especially for export by ship, then that’s the recommended storage approach.

These considerations serve to mitigate the impact of both process safety accidents and cybersecurity incidents that may attempt to cause cyber-physical damage through targeted attacks. So we reduce risk by increasing resilience against full or partial loss of the automation functions. But as usual, it is risk that should drive the importance of the availability element in the triad.

Then how about Integrity, specifically data and system integrity? Loss of integrity results in the process automation function deviating from its design and operation intent. The system acts differently than anticipated. A very important concept in process automation is operating window integrity (see for example API 584).

Operating Window Integrity, as defined in API (American Petroleum Institute) RP 584, is a concept used in the field of process safety and risk management in the oil and gas industry. It refers to a set of conditions or limits within which a specific process or equipment must operate to ensure the safe and reliable functioning of a system. These conditions typically involve various process conditions such as level, pressure, temperature, flow rates, and other critical operating parameters.

The operating window in a process automation system is established through a set of configurable parameters for each control loop. These parameters must be in alignment with the physical attributes of the process installation. For instance, the level range defined within a control loop should match the physical size of the vessel within the process installation.

A process installation is constrained by both physical limitations and the inherent constraints imposed by the dynamics of the process itself. While these constraints are tangible in the installation, within the process automation system, they exist as data that are susceptible to cyber-attacks. These attacks have the potential to induce damage, trigger toxic leaks, or even lead to explosions, making it imperative to secure this data effectively.
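One way to defend the operating-window data the paragraph above describes is to treat the physical limits of the installation as a baseline and check the configured loop parameters against it. The following is an added example (not code from the post or any vendor); the data model, tags and limit values are constructed for illustration.

```python
"""Operating-window integrity check: added example, not code from the post.
Assumed data model: each control loop has a configured window (range, alarm
limits, setpoint clamps) and each piece of equipment has physical limits."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PhysicalLimits:
    tag: str
    unit: str
    lo: float  # physical minimum, e.g. empty vessel or zero gauge pressure
    hi: float  # physical maximum, e.g. vessel height or design pressure

@dataclass(frozen=True)
class LoopConfig:
    tag: str
    range_lo: float
    range_hi: float
    alarm_lo: float
    alarm_hi: float
    sp_lo: float  # lowest setpoint an operator may write
    sp_hi: float  # highest setpoint an operator may write

def check_loop(cfg: LoopConfig, phys: PhysicalLimits) -> list[str]:
    """Integrity findings for one loop; empty means the window fits the plant."""
    findings = []
    if not (phys.lo <= cfg.range_lo < cfg.range_hi <= phys.hi):
        findings.append(f"{cfg.tag}: range {cfg.range_lo}..{cfg.range_hi} "
                        f"{phys.unit} exceeds physical {phys.lo}..{phys.hi}")
    if not (cfg.range_lo <= cfg.alarm_lo < cfg.alarm_hi <= cfg.range_hi):
        findings.append(f"{cfg.tag}: alarm limits not inside the loop range")
    if not (cfg.alarm_lo <= cfg.sp_lo < cfg.sp_hi <= cfg.alarm_hi):
        findings.append(f"{cfg.tag}: setpoint clamps not inside the alarm limits")
    return findings

def audit(configs, limits) -> dict[str, list[str]]:
    """Check every loop; a tag with no physical record is itself a finding."""
    by_tag = {p.tag: p for p in limits}
    report = {}
    for cfg in configs:
        phys = by_tag.get(cfg.tag)
        report[cfg.tag] = (check_loop(cfg, phys) if phys
                           else [f"{cfg.tag}: no physical limits on record"])
    return report

# Constructed sample: a 12 m vessel whose level loop is consistent, and a
# 15 bar design-pressure drum whose pressure range has been widened to 25 bar.
LIMITS = [PhysicalLimits("LIC-101", "m", 0.0, 12.0),
          PhysicalLimits("PIC-201", "bar", 0.0, 15.0)]
CONFIGS = [LoopConfig("LIC-101", 0.0, 10.0, 1.0, 9.0, 2.0, 8.0),
           LoopConfig("PIC-201", 0.0, 25.0, 1.0, 20.0, 2.0, 18.0)]
```

Running `audit(CONFIGS, LIMITS)` reports the widened pressure range on PIC-201 and nothing for LIC-101; in practice the physical limits would come from the engineering documents, not from the automation system whose integrity is being checked.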

In a cyber-physical system, system and data integrity are inherently connected to process safety, with the potential to impact human life and the environment directly. Consequently, within the industry, this aspect holds a top-tier priority. This prioritization stems from the fact that many of the risk criteria, which assess the potential for environmental harm or loss of life, are established by our society through regulatory bodies.

So based upon my background, I would say the OT cyber security triad should be IAC and not AIC.

However, both choices are wrong: because production processes and installations differ, the only valid prioritization is the one derived from the risk evaluation and the risk criteria. I personally wouldn’t add any additional elements like safety and productivity.

Productivity is fully covered by the availability element: without availability there is no productivity in a production process. As explained above, data and automation system integrity is a requirement for safety. Additionally, safety is frequently used as a term by people without a process automation and safety engineering background.

Safety contains several elements, such as personnel safety, which includes the use of personal protective equipment, safety training, and adherence to safety procedures and regulations.

And we have process safety. Process safety focuses on preventing and mitigating catastrophic incidents within industrial processes, particularly those involving hazardous materials. It involves the identification and management of potential hazards, such as chemical releases, fires, explosions, and equipment failures, that can result in harm to personnel, damage to property, and harm to the environment.

An element of process safety is what is called functional safety. Functional safety is a specific aspect of safety engineering that deals with the design, implementation, and management of safety-related systems and functions within machinery, automation, and control systems. The primary goal of functional safety is to ensure that these systems operate correctly and reliably, even in the presence of faults or errors, to prevent dangerous conditions, protect people, and safeguard assets.

Functional safety functions are potentially “hackable”. Apart from functional safety systems, we also have physical safety solutions that are not “hackable” safety functions, for example a physical pressure relief valve, check valves, a brake plate, etc.

Nevertheless, I wouldn’t add functional safety as an element, because its importance is already covered by both the availability and integrity elements. It is important to build a library of attack scenarios against automation functions, each resulting in a different impact on the function, which in turn translates into different consequences for the process installation. We can determine the risk for each of these scenarios and thereby prioritize which element we consider more important.

Does this prioritization of CIA, IAC or AIC contribute to the security of a cyber-physical system? I don’t think so. The argument is always risk, and risk requires risk criteria. Risk criteria are an essential element of any risk evaluation method; it is here that priorities are defined.

Risk assessment should be scenario-based, especially in the context of cyber attacks targeting process automation functions. These scenarios must carry consequences that directly affect both the process installation and the dynamics of the production process. Engaging in any other form of risk analysis can be likened to a theatrical performance, where the risk analyst offers subjective opinions on potential events without a solid foundation in real-world implications.
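The scenario library and risk criteria described in the two passages above can be made concrete in a few lines. The following added example (not code from the post) assumes a simple likelihood-times-severity scoring with per-category thresholds as the risk criteria; the scenarios, scores and thresholds are constructed, and the point it shows is that the triad order falls out of the evaluation rather than being fixed up front.

```python
"""Scenario-based triad prioritisation: added example, not code from the post.
Assumed model: a scenario has likelihood 1..5 and a consequence 1..5 per
category; risk criteria are per-category thresholds, and the triad order
is derived from the evaluated risk rather than fixed in advance."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    function: str      # automation function the scenario acts on
    element: str       # triad element lost: "C", "I" or "A"
    likelihood: int    # 1 (remote) .. 5 (frequent)
    consequence: dict  # category -> severity 1 (minor) .. 5 (catastrophic)

# Risk criteria: likelihood*severity score at which a category is high risk.
# Safety and environment thresholds come from regulation and are stricter
# than the business's own financial threshold (constructed values).
CRITERIA = {"safety": 6, "environment": 8, "financial": 12}

def scenario_risk(s: Scenario, criteria=CRITERIA) -> dict:
    """Per-category (score, breaches_criterion) for one scenario."""
    out = {}
    for cat, sev in s.consequence.items():
        score = s.likelihood * sev
        out[cat] = (score, score >= criteria[cat])
    return out

def triad_priority(scenarios, criteria=CRITERIA) -> list:
    """Order C/I/A by number of criterion breaches, then by worst score."""
    agg = {"C": [0, 0], "I": [0, 0], "A": [0, 0]}  # element -> [breaches, max]
    for s in scenarios:
        for score, breach in scenario_risk(s, criteria).values():
            agg[s.element][0] += int(breach)
            agg[s.element][1] = max(agg[s.element][1], score)
    return sorted(agg, key=lambda e: tuple(agg[e]), reverse=True)

# Constructed scenario libraries for two very different sites.
POWER_PLANT = [
    Scenario("unit status leaked to market", "status reporting", "C", 3, {"financial": 5}),
    Scenario("historian outage", "data collection", "A", 4, {"financial": 2}),
    Scenario("spoofed load setpoint", "load control", "I", 2, {"safety": 2, "financial": 3}),
]
PETROCHEM = [
    Scenario("level range widened", "level control", "I", 2, {"safety": 5, "environment": 4}),
    Scenario("operator station DoS", "supervisory control", "A", 3, {"safety": 1, "financial": 3}),
    Scenario("recipe data exfiltrated", "batch management", "C", 2, {"financial": 2}),
]
```

With these constructed inputs the power plant comes out C-A-I and the petrochemical site I-A-C, and relaxing the safety criterion while tightening the financial one reorders the petrochemical site to A-I-C, which is the point that the criteria, not the triad, define the priorities.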
