As we connect more & more things to the internet, physical safety is an increasing concern that needs to be addressed by the InfoSec industry.
The traditional CIA Triad has been an amazing representation of three main areas of concern to InfoSec personnel (Confidentiality, Integrity and Availability). It’s proved, and continues to prove, to be very useful in a variety of ways.
One area, though, where the triad begins to fall short is in physical security. This is not the triad’s fault, as physical security has only become a recent issue of concern to the InfoSec industry. Historically, the basic assumption (and correct) assumption has been that no matter how bad the breach, at the end of the day it’s just data and won’t physically harm or kill anyone (at least directly).
The rise of IoT, however, now makes that assumption incorrect. A increasing plethora of IoT devices leads to physical issues like:
- Thermostats not heating homes
- Cars being hacked
- An oven overheating on in the middle of the night
- Door locks being broken into
- And more
In today’s world, InfoSec personnel now need to worry about data and peoples’ physical safety. To address this new issue, in this Article I propose an update CIA Triad (note: I’ve conducted a basic literature review and couldn’t find anything on this topic. As far as I know, this idea hasn’t been presented before like this).
The CIAS Triad
CIAS stands for:
Where the CIA Triad addresses the privacy, adequate access and correctness of data, the CIAS Triad addresses those concerns plus both individual & public safety.
I provide some examples of individual & public safety issues here, some of which have already happened:
Individual Safety Issues
- Medical devices (both implanted & at facilities, like life support)
- Fire-prevention systems
- Physical destruction of devices (e.g., Samsung Note 7 battery fires — this wasn’t a hack, but imagine if it had been intentional)
Public Safety Issues
- Supplies (vaccines, morphine, etc.)
- CDC/WHO (false warnings)
- Shipping (on water)
- Supply chain (if portions of it are shut down, there could be food & water shortages)
- PR for Nations (imagine if government officials’ Twitter accounts were hacked)
These are issues that we can successfully address. A new focus on safety provides InfoSec personnel & developers with a reminder to protect IoT devices.
If you have ways that this can be improved, please let me know. This is meant to be beneficial to the public, and I’d love to see it improved.