Safety with Control Systems…Always
Many hold that information, in some fashion, plays a role (significant or otherwise) in process control systems. Several have argued that the current “CIA Triad” should be revised so that safety sits at the top of the triad while the original three properties are retained.
However, the order of those three differs from the traditional triad:
Availability of the information being processed by a control system is considered the most significant: without it there is nothing to process, so availability is critical to successfully managing a given operation. Integrity comes next, since corrupted data would likewise prevent the operation from performing. Last, but not least, is confidentiality.
These factors make up what many consider the currently recognized security model for process control systems.
However, we disagree.
For a given plant’s operation, we feel that there needs to be a new model, one that accurately describes what is important in terms of “security” to an operation. A secured operation does not simply mean physical security, cyber security, or both. It means that the operation is performing as it was specified, designed, and built: that any given operation runs safely, without incident, loss of life, loss of property, or loss of product.
This is called “operational security”.
Introducing the “SRP Triad”
Historically, engineering was both responsible for control systems equipment and actually performed the technical tasks on it. Today, engineering is still responsible, but may or may not perform the actual technical tasks on control systems equipment (aside from designing and revising the designed processes).
The “SRP Triad” focuses on the safety and availability of systems for processing, as opposed to information, prioritizing its three factors from most to least significant as safety, reliability, and performance:
We have created a diagram to demonstrate how “operational security” should be represented:
To identify what each factor is, we have broken each one down into simplified definitions that are manageable and easy to remember:
- Safety covers several facets: safety of personnel and staff, safety of the plant/facility, and maintaining a safely running operation.
- Reliability covers several facets: consistent results for the operation, correctly calibrated equipment, and maintaining the current operation against safety standards.
- Performance covers several facets: performance of the operation, equipment maintained at peak optimum use, adherence to the safety standards and metrics used throughout the plant/facility, and performance of the overall operation against measured results.
What does this all mean?
Although this model is fairly new to the SCADA/ICS cybersecurity community, it is not foreign to the engineers who specified, designed, and implemented these operational systems. We therefore expect revised versions of this model in the near future.
After the successful publication of the First Edition of his book, Bob Radvanovsky teamed up with Allan McDougall, and together they have produced three more editions; the Fourth Edition (released in October 2018) presents the culmination of ongoing research and real-world experience, building upon the previous editions.
Since the First Edition of this work, the domain has seen significant evolution in operational needs, environmental challenges, and threats, both emerging and evolving. This work expands upon the previous editions and maintains its focus on the efforts vital to ensuring the safety and security of populations.
The continued evolution of modelling critical business systems, their environments, and their interactions with society has played an important role in following their social importance as it changes.
The latest version of their work may be found at Amazon.
Since the First Edition of their book, Bob Radvanovsky and Jake Brodsky have continued expanding their comprehensive handbook, which covers fundamental security concepts, methodologies, and relevant information pertaining to supervisory control and data acquisition (SCADA) and other industrial control systems used in utility and industrial facilities worldwide. A community-based effort, it collects differing expert perspectives, ideas, and attitudes on securing SCADA and control systems environments, toward a strategy that can be adopted and used.
The Second Edition adds six new chapters, six revised chapters, and numerous additional figures, photos, and illustrations. It serves as a primer or baseline guide for SCADA and industrial control systems security. The book is divided into five focused sections addressing topics in:
- Social implications and impacts
- Governance and management
- Architecture and modeling
- Commissioning and operations
- The future of SCADA and control systems security
The book also includes four case studies of well-known public cyber security-related incidents. The latest version of their work may be found at Amazon.