An Improved CIA Triad: The CIAS Triad

As we connect more & more things to the internet, physical safety is an increasing concern that needs to be addressed by the InfoSec industry.

The traditional CIA Triad has been an amazing representation of three main areas of concern to InfoSec personnel (Confidentiality, Integrity and Availability). It’s proved, and continues to prove, to be very useful in a variety of ways.

The CIA Triad

One area, though, where the triad begins to fall short is in physical security. This is not the triad’s fault, as physical security has only become a recent issue of concern to the InfoSec industry. Historically, the basic assumption (and correct) assumption has been that no matter how bad the breach, at the end of the day it’s just data and won’t physically harm or kill anyone (at least directly).

The rise of IoT, however, now makes that assumption incorrect. A increasing plethora of IoT devices leads to physical issues like:

In today’s world, InfoSec personnel now need to worry about data and peoples’ physical safety. To address this new issue, in this Article I propose an update CIA Triad (note: I’ve conducted a basic literature review and couldn’t find anything on this topic. As far as I know, this idea hasn’t been presented before like this).

The CIAS Triad

CIAS stands for:

CIAS Triad
  • Confidentiality
  • Integrity
  • Availability
  • Safety

Where the CIA Triad addresses the privacy, adequate access and correctness of data, the CIAS Triad addresses those concerns plus both individual & public safety.

I provide some examples of individual & public safety issues here, some of which have already happened:

Individual Safety Issues

  • Cars
  • Thermostats
  • Medical devices (both implanted & at facilities, like life support)
  • Drones
  • Fire-prevention systems
  • Physical destruction of devices (e.g., Samsung Note 7 battery fires — this wasn’t a hack, but imagine if it had been intentional)

Public Safety Issues

Utilities

Medical Systems

  • Hospitals
  • Supplies (vaccines, morphine, etc.)
  • CDC/WHO (false warnings)
  • Pharmacy

Transportation System

  • Automobiles
  • Aviation
  • Shipping (on water)
  • Space
  • etc.

Other

  • Military
  • Supply chain (if portions of it are shut down, there could be food & water shortages)
  • Elections
  • PR for Nations (imagine if government officials’ Twitter accounts were hacked)

Conclusion

These are issues that we can successfully address. A new focus on safety provides InfoSec personnel & developers with a reminder to protect IoT devices.

Suggestions

If you have ways that this can be improved, please let me know. This is meant to be beneficial to the public, and I’d love to see it improved.

InfoSec & Privacy @RainFocusEvents. Esposo and dad to my favorite people😍 Provide security regulatory compliance & risk assessment consulting. Views are my own

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store