Industrial Internet Security Framework v 1.0 | Page 17
3: Key System Characteristics Enabling Trustworthiness
the physical processes of the system. Data integrity, a subset of integrity, ensures that
unauthorized parties cannot alter data and take control of the system without detection.
Availability is the property of on-demand, timely and reliable access to and use of information by
an authorized user. The systems responsible for controlling a physical process should support
continuous control and oversight of that process by human operators, since a human may need
to intervene in the case of an attack, for example to shut the system down. Availability controls
generally involve redundancy and engineering change control. Sometimes they also include security
activities that find and mitigate software vulnerabilities causing unreliable execution,
visualization or resource consumption that would otherwise degrade the system.
In traditional operational technology (OT) systems, availability has been considered paramount,
followed by integrity, with confidentiality generally the last consideration, leading to the
acronym AIC (a reordering of the familiar CIA security triad).
3.3 SAFETY
Safety is the condition of the system operating without causing unacceptable risk of physical
injury or damage to the health of people, either directly or indirectly, as a result of damage to
property or to the environment.
Assurance of safety endeavors to eliminate both systematic and probabilistic failures. Traditional
OT safety-assessment techniques focus on physical items and processes, then combine
empirically derived component failure probabilities into a total system risk. Risk analysis that
identifies hazards aims to prevent faulty operation and to improve the system's resilience to
unexpected events.
However, a software component always behaves exactly as it is programmed: its failures are
systematic, not random, so the statistical characterizations used for hardware components are
not meaningful for software. If a software component has never misbehaved during testing, it
may simply never have been exposed to the sequence of inputs that would have uncovered the
defect. Test coverage does not necessarily correlate with failure rate. Approaches for managing
probabilistic failures therefore do not address threats, because once an adversary has discovered
a security-related systematic failure, it can be exploited reliably, every time.
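To make the contrast concrete, here is a small added illustration written for this edit; it is not part of the IISF text. It computes the failure probability of a redundant arrangement of independently failing components the way a traditional OT risk analysis would, then feeds the same replicated arrangement a hypothetical software defect that misbehaves on one specific setpoint value: random testing is unlikely to find it, yet every identical replica fails together when an adversary supplies the triggering input. The handler, its trigger value and the per-component failure probability are all constructed for this example.

```python
"""Probabilistic component failure vs. deterministic software failure.

Added illustration for the IISF safety discussion; not from the framework.
The setpoint handler, its trigger value and all probabilities are constructed.
"""


def parallel_failure_probability(p: float, n: int) -> float:
    """Probability that all n replicas fail, each failing independently with
    probability p: the parallel-redundancy calculation a traditional OT risk
    analysis applies to hardware components."""
    return p ** n


def two_out_of_three_failure_probability(p: float) -> float:
    """Probability that a 2oo3 majority voter is outvoted, i.e. at least two of
    three independently failing replicas fail at once."""
    return 3 * p ** 2 * (1 - p) + p ** 3


# Hypothetical controller input handler with a systematic (deterministic)
# defect: it misbehaves on exactly one 16-bit setpoint value. Constructed.
TRIGGER = 0xBEEF
INPUT_SPACE = 1 << 16


def setpoint_handler(value: int) -> bool:
    """Return True if the setpoint is handled correctly, False if the defect
    fires. Same code, same input, same result every time."""
    return value != TRIGGER


def worst_case_replica_failures(inputs, n_replicas: int = 3) -> int:
    """Run n identical software replicas over the given inputs and return the
    largest number that fail on any single input. Because every replica runs
    the same code, a triggering input is a common-mode failure: redundancy
    that protects against independent hardware faults offers nothing here."""
    worst = 0
    for value in inputs:
        failed = sum(1 for _ in range(n_replicas) if not setpoint_handler(value))
        worst = max(worst, failed)
    return worst


def random_test_miss_probability(trials: int) -> float:
    """Probability that `trials` uniformly random test inputs never hit the
    single triggering value, so the defect survives testing undetected."""
    return (1 - 1 / INPUT_SPACE) ** trials


if __name__ == "__main__":
    p = 0.01  # assumed per-component random failure probability
    print(f"independent components, 3 in parallel: {parallel_failure_probability(p, 3):.1e}")
    print(f"independent components, 2oo3 voting:   {two_out_of_three_failure_probability(p):.2e}")
    print(f"1000 random tests miss the defect with probability {random_test_miss_probability(1000):.3f}")
    print(f"replicas failing on benign inputs:     {worst_case_replica_failures([1, 2, 3])}")
    print(f"replicas failing on attacker input:    {worst_case_replica_failures([1, 2, TRIGGER])}")
```

The independent-failure figures shrink with every replica added, which is why redundancy is a sound availability control against random faults. The software figure is three failures out of three replicas regardless of how many are deployed, and roughly a thousand random tests would still miss the defect about 98% of the time; that is the sense in which an adversary exploits a systematic failure reliably once it is known.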
Traditional efforts for industrial software focused on functional correctness and did not assume
that an adversary was involved. In today's connected systems, a remote attacker is able to exploit
weaknesses[1] to drive the system into an unsafe state. This contrasts sharply with traditional IT
security, where an analysis of the threat and of the threat actor's skills and capabilities is used
to estimate the likelihood that a given weakness will be exploited.
Many of the same tools, techniques and practices used to produce safety-critical software can
also identify, remove and mitigate potential security weaknesses. Many safety regulations and
[1] For a public collection of weaknesses, see [CWE].
IIC:PUB:G4:V1.0:PB:20160926