Introducing the SRP Model

Safety in control systems...always

There are many who feel that information serves a more important role in securing control systems' data rather than controlling and safeguarding the physical operation. Some argue that the "CIA Triad" should incorporate safety into the information security model.

Majority might model the revised triad this way.

  • Safety
  • Availability
  • Integrity
  • Confidentiality
Others might swap the factors Confidentiality and Availability.

  • Safety
  • Confidentiality
  • Integrity
  • Availability

Availability of the information being processed by a control system is considered the most significant as without it, you have nothing to process; therefore, its availability is critical to successfully managing a given operation. Obviously, integrity would be next as if the data were corrupted; again, the operation would not be able to perform. Last, but not least, is confidentiality.

These factors make up on what many feel is the currently recognized security model for processing control systems.

However, we strongly disagree.

Operational security

For a plant’s operation we need a new model, one that describes where security matters. Security in this context means that the operation does exactly what is specified, designed, and configured to perform and nothing more.

It means that the process performs safely, without incidents involving lost of life, injury, or loss of final product.


This is called “operational security”.

Introducing the “SRP Triad”

Although this framework model is fairly new, as being introduced into the SCADA/ICS cybersecurity community, it is essentially what engineers who specified, designed, and implemented these operational systems have lived by.

  • Safety
  • Reliability
  • Performance

Safety always comes first.

Breakdown of each factor

We have broken each factor down into its respective definition, so as to make it more manageable and easier to remember.

What does this all mean?

Although this framework model is fairly new, as being introduced into the SCADA/ICS cybersecurity community, it is not completely foreign to engineers who specified, designed, and implemented these operational systems. Thus, we suspect that there will be revised versions to this model in the near future.