Information security and cybersecurity in the ISC/SCADA sector have different characteristic of the same aspect in ICT sector. The cybersecurity in the two domains has different priorities. Experts that come from ICT usually take in consideration three main aspects for security, the protection of Confidentiality, Integrity and Availability with same importance and priority. If we want to be more precise, an ICT security expert normally prefers the protection of Confidentiality with respect to the other two previously mentioned parameters. The opinion of expert from the industrial world rightly criticizes this approach and sometimes says that cybersecurity in the industrial world is quite another thing because the priorities are on Reliability and Safety. Addressing cybersecurity in the industrial world with the same approach used in ICT is wrong! The ICT and the industrial sectors environments have very different characteristics. In my opinion cybersecurity in the industrial world follows the same general principles of the ICT world but with different priorities. Let’s try to explain better the statement just made.
When we move into the industrial world there are three important changes. The first change adds a fourth parameter that is Safety. Safety for personnel working inside the plant and for the people in the surrounding areas that can be impacted by potential incidents. When we are in the ICT domain Safety usually is not a direct parameter that a security expert takes in consideration for security but is an indirect parameter (i.e. loss of confidentiality of an information could has an impact on safety). The Safety parameter is included in the analysis only in particular contexts such as the health-saving devices. The second change is on the devices’ life cycle and in the lifetime. The industrial sector includes the industry, energy, oil & gas and so on. If we think, for example, to a car factory we have that the machines used for the production will be quite recent because they efficiency is important; if instead we think of a power plant, we have that the useful life of the plant is very long so it is easy to find devices that have a few decades.
About Reliability, we agree on the importance of this aspect; it’s the same in ICT but Reliability is part of the Availability together with Maintainability. So, we think that is not a new parameter but already present when we consider the Availability like in the ICT world. The last important change is that we move from the three peer aspects (in terms of importance) in the ICT world to a shift in importance towards the Availability parameters (which includes, as mentioned, Reliability) and Safety. The security expert overshadow Integrity and Confidentiality compared to Availability and Safety (see figure). In the industrial world, therefore, a parameter is added and the priorities between the four aspects are changed. We do not want to go here to discuss and analyses whether it is more of an increase the importance of Availability compared to Confidentiality or a decrease of the latter. The balance between the four aspects of security in the OT sector will depend on the industrial organization and the sector in which it operates. There may also be important differences if one speaks of an industry that operates in the production of consumer goods or a production plant of electricity (even worse if based on nuclear power).
Changing priorities with the addition of Safety can result in unwilling or not being able to take security measures to protect Confidentiality because they could have a negative impact on maintaining an adequate level of Availability and/or Safety. Making an example the introduction of encryption on a transmission channel could have an impact (potential impact) on Availability, potentially reducing it. A risk Analysis in the contest of OT world could have an important change on the residual risks acceptable level especially when the impact will be on Safety or Availability. A possible risk analysis’ result could avoid some technical measures because the risk (although limited) linked to Safety and Availability is not acceptable.