Cybersecurity vs. the World: an introspective review of cybersecurity aspects and the fragments that influence it

If we knew 30 years ago what we do now, how much further along would our technological literacy be? It is often mused that the Millennial generation grew up alongside the internet, while Gen X and Gen Z are considered ill-equipped to rise to the technological challenges due to ignorance or negligence. However, regardless of what generation a person belongs to, the only thing consistent across time is change and advancement in technology. As we trudge along with the highs and lows of the future of data protection, let's consider what we have today.

The practicality of the CIA

(1) The CIA Triad is the balance between confidentiality, availability, and integrity; it is the guiding principle within information security. Think of it as three separate values that must add up to 100 in total. Organizations adjust these values based on the importance of each category. If they allotted all 100 points to data availability, there would be an increased probability that the data could be easily seen and modified. Likewise, 50 points in confidentiality and 50 points in integrity would mean that the data would be difficult and slow to use. In today's interconnected world, the CIA Triad is applied in varying degrees based on a needs analysis and return on investment.

C is for Confidentiality

Confidentiality refers to the privacy of data, or the methods of ensuring that data does not get released and that only those who meet certain criteria are authorized to access it. The military uses levels of confidentiality whose disclosure would range from a minor inconvenience to a national-level threat. Each level also increases the encryption and the authorization required. Non-military organizations will sometimes use their own privacy labeling schemes and methods to safeguard data.

Integrity First!

Integrity, to some, is about doing the right thing when no one is looking; to have qualities of honesty and moral uprightness. In the US Air Force, this is part of their values: Integrity First, Service Before Self, Excellence in All We Do. However, the definition of integrity in the cybersecurity world is internal consistency or lack of corruption in electronic data. Thus, the integrity in the CIA Triad is data that is non-repudiable, or essentially, it is authentic and it is what it says it always has been. Digital signatures, event logs, and removing accounts that no longer require access are various ways to ensure that the data being sent across the network remains unmodified.

What is your Availability?

Availability is how accessible data is to authorized individuals. While it is important to have an ironclad security policy and control protocol, the harder it is for authorized users to access data, the lower the productivity and the greater the end-user frustration. Imagine driving down a highway and having to stop at every exit to scan your driver's license to prove you are allowed to drive on the highway. This would slow traffic to a crawl. Availability is both active and potential. Backups and disaster recovery are also parts of availability. It is worth mentioning that availability is considered by some to be the most important facet of the CIA Triad (Mir & Quadri, 2016).

AA for CIA

In the paragraphs above, authorization and authentication are mentioned to various degrees. Authorization is the access to data, systems, or areas that one can obtain based on their position or role within the organization, while authentication is the proof that they are who they say they are. In the military, members are investigated and certified as to their identity and then given access cards as a means of standardizing their credentials. The card also acts as their authentication and authorization into a given area or system. Having the card was not like a Willy Wonka Golden Ticket to the chocolate factory, but a form of security control that restricted access and allowances to what was deemed appropriate for their need to know and level of “importance.”

SCADA and the Critical Infrastructure

Within smart cities is critical infrastructure such as power plants, water, schools, and transportation (Ercan, 2021), which if compromised could lead to a disruption for the inhabitants as well as the businesses within these cities. Vulnerabilities exist in everything, and those that affect this infrastructure can be triggered by people, nature, or malfunctions.

(2) An example of people affecting the infrastructure is the attack on the electrical grid in the Pacific Northwest, where it was reported that some people were shooting at the power lines (Wilson, 2022). Natural disasters such as tornadoes, floods, and earthquakes are another vulnerability for this infrastructure, which could be destroyed or taken offline for days to weeks at a time. The disruption to the lives of those who rely on critical infrastructure is what makes it a priority to secure. It must be secured not only from people but also from the elements, as well as from itself via system updates and patches.

SCADA stands for Supervisory Control and Data Acquisition, an application that is responsible for the collection and monitoring of data. This application can be used both commercially and industrially to give end users the ability to review and act on the data collected, either on site or remotely via the internet. The data that SCADA applications collect is sent to Human-Machine Interfaces for the operators. This level of access and information is paramount to maintaining the uptime of critical infrastructure.

SCADA applications are not without their share of vulnerabilities, as they are susceptible to hacks and human error. Whether by LAN or WAN, if it is on a network, it can be attacked. In 2010, Iran was in the process of enriching uranium for the purpose of nuclear energy. However, the enrichment plant was hacked, and the attack proceeded to destabilize the centrifuges in order to have them break (Rhysider, 2019). This attack was called Stuxnet and was an extreme example, but had this been an attack on a functional nuclear power plant or critical infrastructure, it would have been catastrophic. Vendors work to incorporate virtual private networks as well as firewalls to address the risks of hacks.

SCADA applications are not only helpful in the daily operations of maintaining critical infrastructure; they are also a gateway to sabotaging the critical infrastructure people require for their daily living. This is where CIA, authentication, and authorization would be beneficial. It is important not only to physically safeguard the infrastructure but also to safeguard the mechanisms and controls of internet-connected systems like SCADA applications.

Rise of the Planet of the Humans

(3) Social engineering is one of, if not the, most used tactics to gain unauthorized access to networks and systems (Klimburg-Witjes & Wentland, 2021). Therefore, training and education should be the priority, as people's technological literacy has not scaled with the advancements in technology. However, awareness in cybersecurity can sometimes feel like a full-time job, thus impacting your job performance.

First and foremost, the network administrators will need to review and adjust the accounts on the system or network and the permissions and access those accounts have. Proper account management is important to ensure the spread of an attack is stifled. Simultaneously, I would implement a passphrase and multi-factor authentication.

(4) Training is next, as your entry-level workers are sometimes ill-equipped to survive in the technological environment that is prevalent in our society. There will be a balance between tests and knowledge checks so as not to bore the learner; the duration of the training will be short enough to be enjoyable but long enough to be impactful.

Finally, I would incorporate tests against the organization to probe their resilience. Phishing and social engineering scams as well as penetration testing will be used to find the weaknesses and shore them up. By providing an opportunity for the users to apply their newfound knowledge, we validate their time spent learning these new skills.

This is the end… or is it?

Many of today's organizations require the CIA Triad, authorization, and authentication. These are fundamental to cybersecurity. Also, it is important not only to physically safeguard the infrastructure but also to safeguard the mechanisms and controls of internet-connected systems like SCADA applications. Finally, by reducing the reliance on technology to protect the organization and instead focusing on the people who use said technology, we can improve the overall posture to a greater extent, rather than crutching on technology in the hope that it will protect the organization.

References:

Chai, W. (2022, June 28). What is the CIA Triad? Definition, Explanation, Examples. WhatIs. Retrieved January 25, 2023, from https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on

Mir, S. Q., & Quadri, S. M. (2016). Information Availability: An Insight into the Most Important Attribute of Information Security. Journal of Information Security, 7(3), 185-194. https://doi.org/10.4236/jis.2016.73014

SCADA systems. SCADA Systems. (n.d.). Retrieved from http://www.scadasystems.net/

Ercan, T. (2021). Solving Urban Infrastructure Problems Using Smart City Technologies. https://doi.org/10.1016/B978-0-12-816816-5.00024-3

Wilson, C., & Ryan, J. (2022, December 9). String of electrical grid attacks in Pacific Northwest is unsolved. opb. Retrieved March 26, 2023, from https://www.opb.org/article/2022/12/08/string-of-electrical-grid-attacks-in-pacific-northwest-are-unsolved/

Rhysider, J. (2019). EP 29: Stuxnet. Darknet Diaries. Retrieved from https://darknetdiaries.com/episode/29/

Brueck, H. (2023). The newest version of CHATGPT passed the US medical licensing exam with flying colors – and diagnosed a 1 in 100,000 condition in seconds. Insider. https://www.insider.com/chatgpt-passes-medical-exam-diagnoses-rare-condition-2023-4

Klimburg-Witjes, N., & Wentland, A. (2021). Hacking Humans? Social Engineering and the Construction of the “Deficient User” in Cybersecurity Discourses. Science, Technology, & Human Values, 46(6), 1316–1339. https://doi-org.proxy.lib.odu.edu/10.1177/0162243921992844
