Writings

Write-Up: The CIA Triad

September 22, 2024

The CIA Triad, Authentication, and Authorization

The CIA Triad stands for confidentiality, integrity, and availability, and is an essential cybersecurity model for creating policies that protect the secrecy, accuracy, and accessibility of sensitive information. Authentication and authorization are two processes commonly used alongside the CIA Triad to verify who a user is and what they are allowed to do, respectively.

The CIA Triad is a cybersecurity concept comprised of confidentiality, integrity, and availability that serves as a guideline for how organizations should handle information and data. Confidentiality is the principle that sensitive information should be protected from unauthorized attempts to view it. Integrity refers to the trustworthiness of information, essentially making sure that data is not changed or tampered with in any unauthorized or unintended manner, and that any such change can be detected. Availability refers to the principle that information should be readily accessible to those who should have access to it, which involves maintaining both the physical and digital systems that hold the data. While the concepts within the CIA Triad may seem like common sense, it is important to have the model because it clearly outlines the industry standard for cybersecurity. This discourages the use of non-compliant systems and organizations, helping to ensure that consumers' and companies' information is protected. However, the CIA Triad on its own is not enough: a standard only matters if it is enforced, and enforcement relies on the implementation of processes like Authentication and Authorization.

Those unfamiliar with cybersecurity practices and principles may have a hard time differentiating between the processes of Authentication and Authorization. When diving deeper, though, there is a clear difference between the two: identity versus access. Authentication is the first process to occur when attempting to access protected information or networks and revolves around establishing who the user is by requesting one to three factors of Authentication. The first factor is something you know, most commonly a secret such as a password or PIN (a username on its own only claims an identity; it does not prove it). The second factor is something you have, like a keycard, or in the case of universities like ODU, an app on your phone like Duo. The third factor is something you are, which would be some form of biometrics, like a fingerprint, facial, or voice recognition system. Systems can use any combination of these factors depending on the sensitivity of the data: for instance, simply using a company's public service might require only one factor, employee access would require two, and extremely sensitive trade secrets available only to executives might be secured behind all three. Note that two checks of the same kind, such as a password plus a security question, still count as a single factor.

Authorization is the second process in accessing data: once a user is identified, the system determines what information they are authorized to view or change. One common form of Authorization is role-based access control (RBAC), where rather than individually assigning permissions to each user, permissions are assigned to a role or position that is then assigned to users. The main benefit of this is that it cuts down on time when adding a new user or changing their access level, and it also reduces the chance of accidentally granting permissions to unauthorized users, since each role is a single reviewable list of permissions.
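The identity-versus-access split described above, as an added, runnable example (this is not code from the original write-up or from Auth0). Authentication checks a password (something you know) against a salted PBKDF2 hash and then a TOTP code (something you have, RFC 6238); only after that does the RBAC check decide what the now-known user may do. The users, roles, permissions, salts and passwords are constructed sample data; alice's TOTP seed is the RFC 4226/6238 test key so the generated code can be checked against the published test vectors.

```python
"""Authentication (two factors) followed by RBAC authorization. Added example;
all credentials, roles and permissions below are constructed, not real."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# --- Authentication: "who are you?" ---------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt: a leaked hash is slow to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP(secret, floor(time / step)) with HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed user store: per-user salt, password hash, TOTP seed, assigned roles.
USERS = {
    "alice": {"salt": b"alice-salt-constructed",
              "hash": hash_password("correct horse", b"alice-salt-constructed"),
              "totp_secret": b"12345678901234567890",      # RFC 4226/6238 test key
              "roles": {"engineer"}},
    "bob":   {"salt": b"bob-salt-constructed",
              "hash": hash_password("hunter2", b"bob-salt-constructed"),
              "totp_secret": b"another constructed seed",
              "roles": {"auditor"}},
}

def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Something you know (password) AND something you have (TOTP device)."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    # compare_digest keeps the comparison constant-time so timing leaks nothing.
    password_ok = hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    code_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
                  for d in (-1, 0, 1))
    return password_ok and code_ok

# --- Authorization: "what may you do?" (RBAC) -----------------------------

ROLE_PERMISSIONS = {
    "engineer": {"read:design", "write:design"},
    "auditor":  {"read:design", "read:logs"},
}

def authorize(username: str, permission: str) -> bool:
    """Identity is taken as already established; permissions come only via roles."""
    roles = USERS.get(username, {}).get("roles", set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)

def access(username: str, password: str, code: str, permission: str,
           now: Optional[int] = None) -> str:
    if not authenticate(username, password, code, now):
        return "denied: authentication failed"   # we do not know who this is
    if not authorize(username, permission):
        return "denied: not authorized"          # we know who; they lack the right
    return "granted"

if __name__ == "__main__":
    t = 59   # RFC 6238 test time: alice's code at t=59 is 287082
    print(access("alice", "correct horse", totp(USERS["alice"]["totp_secret"], t), "write:design", t))
    print(access("bob", "hunter2", totp(USERS["bob"]["totp_secret"], t), "write:design", t))
    print(access("alice", "wrong password", "000000", "read:design", t))
```

The order matters: a failed authentication never reaches the authorization step, and changing what bob may do means editing the `auditor` role, not bob's record.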

Sources:

Chai, W. (2022). What Is the CIA Triad? Definition, Explanation, Examples. https://drive.google.com/file/d/1898r4pGpKHN6bmKcwlxPdVZpCC6Moy8l/vie

Auth0. (n.d.). Authentication vs. authorization. https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization

Write-Up: SCADA Systems

10/27/24

SCADA Systems

Critical infrastructure systems, such as water treatment facilities, power grids, and transportation networks, form the backbone of modern society. These systems increasingly depend on Supervisory Control and Data Acquisition (SCADA) systems, a class of Industrial Control System (ICS), for operational management. While these systems introduce immense efficiencies, they also present unique cybersecurity vulnerabilities that can threaten public safety and economic stability. Understanding the nature of these vulnerabilities and what can be done to mitigate them is paramount to securing critical infrastructure today.

Critical infrastructure built on SCADA systems is particularly vulnerable for a combination of reasons: older technology, network architecture, and human interaction. Many SCADA systems run on legacy platforms developed well before cybersecurity was a serious concern. Lacking modern authentication, encryption, and intrusion detection capabilities, these systems are increasingly exposed to unauthorized use. In addition, SCADA systems were originally isolated, but many are now connected to IP-based networks to expand their data transmission capabilities, which further increases their exposure to network-based threats. Another major risk factor is human error and insider threats: because SCADA systems rely heavily on operators, misconfigurations, accidental oversights, and potential malicious actions by insiders pose significant security risks.

Despite these vulnerabilities, SCADA systems offer a few benefits for mitigating risk through integrated automation, real-time monitoring, and responsive control processes. SCADA controllers let operators oversee the process and watch for anomalies that might indicate a security threat. For example, remote terminal units (RTUs) and programmable logic controllers (PLCs) constantly collect data from sensors, enabling quick detection of and response to irregularities.

SCADA further strengthens its risk-mitigation capability through human-machine interface (HMI) software, which presents operators with real-time visual data and trend analyses so they can respond quickly and with full information. HMIs show operators the most important measures to take in response to incidents and let them activate system overrides when necessary. SCADA systems also include redundant servers and distributed communication channels so that operation continues if a component fails, a critical feature where infrastructure cannot afford downtime. Secure communication, however, is not something the common industrial protocols provide on their own: Modbus TCP and DNP3 were designed with neither authentication nor encryption, so any host that can reach a controller can read from or write to it. Protection comes from the newer secure variants and wrappers, such as DNP3 Secure Authentication (IEEE 1815), which authenticates critical requests, and Modbus/TCP Security, which tunnels Modbus over TLS, or from carrying the traffic inside an industrial VPN. Firewalls between the control network and the corporate network add a further layer, restricting which hosts may talk to the controllers at all and minimizing exposure to network attacks. Together these measures give greater control over system access and data integrity.
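To make the two points above concrete (a legacy protocol with no authentication field, and monitoring that surfaces anomalies to the operator), here is an added example that is not part of the original write-up: a decoder for Modbus/TCP request frames plus a minimal rule that flags write requests from any host outside an assumed engineering-workstation allowlist. The frames, IP addresses and allowlist are constructed sample data; the MBAP header layout and function codes are those of the public Modbus specification.

```python
"""Modbus/TCP request decoder and a write-monitoring rule. Added example;
the sample frames, addresses and allowlist below are constructed."""
import struct

# Function codes that change PLC state (coils / holding registers) vs. reads.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU. Note there is no field for a
    credential anywhere in the frame. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # Length counts the bytes after the length field: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    function_code = frame[7]
    data = frame[8:]
    req = {"transaction_id": transaction_id, "unit_id": unit_id,
           "function_code": function_code,
           "function": WRITE_FUNCTION_CODES.get(function_code)
                       or READ_FUNCTION_CODES.get(function_code, "Other")}
    if function_code in (3, 4, 6):             # start address + (count | value)
        req["address"], req["value"] = struct.unpack(">HH", data[:4])
    elif function_code == 16:                   # address, reg count, byte count, regs
        address, count, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * count or len(data) != 5 + byte_count:
            raise ValueError("write-multiple byte count does not match register count")
        req["address"] = address
        req["values"] = list(struct.unpack(f">{count}H", data[5:]))
    return req

def flag_unauthorized_writes(packets, allowlist):
    """Yield one alert per write request from a source outside `allowlist`.
    `packets` is an iterable of (src_ip, dst_ip, frame) tuples, as from a capture."""
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            yield f"ALERT malformed Modbus from {src} -> {dst}: {exc}"
            continue
        if req["function_code"] in WRITE_FUNCTION_CODES and src not in allowlist:
            yield (f"ALERT {req['function']} (FC {req['function_code']}) to unit "
                   f"{req['unit_id']} addr {req.get('address')} from non-allowlisted "
                   f"host {src} -> {dst}")

# Constructed traffic: an HMI poll, an allowed engineering write, then the same
# write and a multi-register write from an unknown host on the control network.
ENGINEERING_WORKSTATIONS = {"10.0.1.10"}        # assumed allowlist
SAMPLE_PACKETS = [
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 000A 0064")),
    ("10.0.9.77", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 06 000A 0064")),
    ("10.0.9.77", "10.0.2.5", bytes.fromhex("0004 0000 000B 01 10 0000 0002 04 1234 5678")),
]

def run_sample() -> list:
    return list(flag_unauthorized_writes(SAMPLE_PACKETS, ENGINEERING_WORKSTATIONS))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The PLC would accept the third and fourth frames exactly as it accepts the second; nothing in the protocol distinguishes them. That is why the allowlist has to live in the network (firewall rules, a monitoring sensor on a span port) rather than in the protocol itself, and why the alert is worth routing to the HMI where an operator can act on it.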

While somewhat vulnerable, SCADA systems provide a variety of tools required for the safe and efficient management of critical infrastructure. Through centralized monitoring, robust operator interfaces, redundancy, and secured communication channels, SCADA can help defend against a wide range of cyber threats. Since the technology used in SCADA is continuously evolving, the cybersecurity around it must evolve as well to ensure that these systems continue to support the critical services on which society depends.

Sources:

https://docs.google.com/document/d/1DvxnWUSLe27H5u8A6yyIS9Qz7BVt_8p2WeNHctGVboY/edit?tab=t.0

https://www.techtarget.com/whatis/definition/SCADA-supervisory-control-and-data-acquisition

Write-Up: The Human Factor in Cybersecurity

11/10/2024

As a Chief Information Security Officer (CISO), I would prioritize investing in employee training over acquiring new cybersecurity technologies.

Without well-trained staff, the company would be unable to make the most of new technologies. Human error continues to be one of the leading causes of cyber incidents, including mishandling data or falling prey to phishing scams. This makes training employees, not only to be more vigilant about threats but also to properly use security technology like multifactor authentication, a very important component of our defense strategy. Training the workforce at all levels, so that they become an active part of our defense and are aware of their role in the security of the company, reduces breaches caused by uninformed or careless people, whereas technology, even in the best case, cannot fix careless and unaware employees. In addition, by creating an internal culture of vigilance, we can reduce risk in ways that technology alone cannot.

Moreover, while threats continue to evolve, employees with even basic cybersecurity knowledge can adapt more readily, noticing unusual behavior even when the attack vectors change. This adaptability is very important in the long run, as cybercriminals are always finding new ways to attack organizations. Cybersecurity technology by itself, on the other hand, becomes outdated fairly quickly as cybercriminals find their way around it, forcing continuous investment in upgrades and new tools. Training, however, holds its value over time and transforms our employees from potential liabilities into assets.

Finally, where the budget is concerned, training costs much less than investing in high-end technology. By training our employees, we can achieve robust security without overspending. I would thus allocate as much of the budget as needed to training and then support it by investing the remaining budget in the necessary technologies. In this way, we maximize our defensive capability even within the constraints of a limited budget.

The “Short Arm” of Predictive Knowledge Discussion

11/24/2024

BLUF: To combat the “short arm” of predictive knowledge, the development of cyber-policy and infrastructure should prioritize precaution, adaptability, and long-term responsibility in order to address the unpredictability of technological development and safeguard future generations.

Hans Jonas, in Technology and Responsibility: Reflections on the New Tasks of Ethics, argues that modern technological development outpaces humanity's ability to foresee its consequences, making ignorance a major flaw in ethical decision-making. Knowing this, cyber-policies and infrastructure should prioritize precaution in order to mitigate the risks associated with unforeseen outcomes. Jonas goes on to state that the global and long-term impacts of technology necessitate "a new kind of humility" that acknowledges our limited foresight and reduces the risk of unintended consequences of technological development. This means that new policies and systems must be adaptive in scope, so that they can be applied to new risks and new information as systems evolve. Finally, Jonas highlights the moral obligation to ensure that technological actions do not compromise the conditions for humanity's survival, suggesting that cyber-infrastructure must be designed not only for current utility but also to sustain future generations. In regard to making new policies and infrastructure, this requires a shift in what we prioritize as a society, from short-term gains to long-term stability. This may be the most important change, as the current profit-first alignment of our society is unsustainable, not only with regard to technological development but also with regard to class division and wealth gaps.

Conclusion: In order to address risks associated with shortsightedness, cyber policies going forward must be precautionary, adaptive in coverage, and prioritize long-term sustainability.