Safety, the 4th pillar of the CIA Triad?

October 30, 2015

Every security engineer is no doubt familiar with the critical principles of security, namely the CIA Triad: Confidentiality, Integrity and Availability (or, AIC Triad). [1] If the Gartner Group has its way, there soon will be a fourth pillar to the CIA Triad: Safety. In CISSP terminology, safety is related to the term “safeguards,” countermeasures put in place to mitigate possible risks.

Earl Perkins, Research VP at Gartner, in a recent webinar (Top Security Trends for 2015-2016, September 1, 2015) opined that Safety is so important in the cybersecurity arena that there will soon be four principles of security, i.e., CIAS. He made these remarks in the context of a discussion about the damage done to people, critical infrastructure and organizations by cyberattacks, cyber breaches and other cyber risks. What he calls the “enterprization” of devices and applications is making safety even more important than in the past. The scale is grander and the risks greater. In the context of the Internet of Things (IoT), many devices are sensor-based and connected to the Internet, which opens them up to attack.

Some of the more grievous safety concerns include identity theft and malicious tampering with medical devices (both embedded and non-embedded) so as to cause bodily harm or even death. Not only can these hackers steal our identities, corrupt our health records and clean out our bank accounts, they now have the ability to take over the braking system of a car, as demonstrated recently on TV newscasts. Sci-Fi depictions of evil hackers tampering with heart monitors and pacemakers are not so far-fetched and have raised concerns at the FDA.

This all raises the question as to what countermeasures are being put in place to mitigate these risks. Over the next few years, reactive monitoring will give way to proactive detection and predictive analysis of applications, apps and systems, including human users. Some of the solutions will be based on Software Defined Perimeter (SDP) technology, and, increasingly, “Software Defined Anything.”

So, safety will become increasingly demanded by end-users, as well as enterprises, for both have much to lose without it.

Contributed by: Judy Fincher

[1] Harris, Shon, CISSP Exam Guide, Fourth Edition, p. 61