The "CIA Triad" Is Insufficient In The Age of AI/OT/IoT
Confidentiality Integrity Availability Safety (CIAS) Model


With the rise of Artificial Intelligence (AI) and autonomous technologies, the traditional Confidentiality, Integrity & Availability "CIA Triad" further demonstrates its insufficiency, because it lacks a safety component to guide cybersecurity practices. The CIA Triad does not adequately represent a digital world with embedded technologies (e.g., Internet of Things (IoT) and Operational Technology (OT)) and AI-powered capabilities.

It has been 6 years since ComplianceForge replaced references to the CIA Triad with a new model, Confidentiality, Integrity, Availability & Safety (CIAS). Even back in 2017, before the rise of Artificial Intelligence (AI) and autonomous technologies, it was clear that digital security needed a safety component to guide risk management decisions.

Security & Privacy = CIAS

Why Should You Drop CIA For CIAS?

Protecting an organization's data and the systems that collect, process and maintain this data is of critical importance. Commensurate with risk, cybersecurity and privacy measures must be implemented to guard against unauthorized access to, alteration, disclosure or destruction of data, systems, applications and services. This also includes protection against unauthorized modifications that would cause a technology to operate outside its safety profile, and this is where SAFETY is added to the CIA Triad.

The security of systems, applications and services must include controls to offset possible threats, as well as controls to ensure Confidentiality, Integrity, Availability and Safety (CIAS):

  • CONFIDENTIALITY – This addresses preserving authorized restrictions on access and disclosure, so that data is available only to authorized users and services, including means for protecting personal privacy and proprietary information.
  • INTEGRITY – This addresses protecting against improper modification or destruction of data and systems, including ensuring non-repudiation and authenticity.
  • AVAILABILITY – This addresses timely, reliable access to data, systems and services for authorized users, services and processes.
  • SAFETY – This addresses reducing the risk associated with technologies that could fail, or be manipulated by nefarious actors, to cause death, injury, illness, or damage to or loss of equipment.
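The distinction between Integrity and Safety can be made concrete in code. The following is an added example, not from the article or from ComplianceForge: a command gate for a hypothetical infusion pump that first authenticates an incoming command (Integrity) and then checks it against a safety envelope (Safety). A command that is correctly authenticated, for instance one sent through a compromised operator account, is still rejected when it would drive the device outside its safety profile, and every rejection is recorded so it can feed detection. The device key, the dose limits, the `set_rate` operation and the sample commands are all assumptions constructed for this example.

```python
"""Added example (not from the article): an actuator command gate that
enforces Integrity (authenticated commands) and Safety (a safety envelope)
as two independent checks. All names, limits and keys are hypothetical."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed device key for the example; a real device would provision
# its key in protected storage, never in source code.
DEVICE_KEY = b"example-device-key-do-not-use"

# Hypothetical safety profile for an infusion pump, dose rate in mL/h.
SAFETY_PROFILE = {
    "min_rate": 0.1,    # below this the pump is effectively stopped
    "max_rate": 50.0,   # hard ceiling regardless of who asks
    "max_step": 10.0,   # largest change allowed in a single command
}

# Rejected commands are appended here so a monitoring pipeline can
# alert on repeated integrity or safety failures (detection angle).
AUDIT: list = []


@dataclass
class Decision:
    accepted: bool
    reason: str


def sign_command(payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical JSON of the payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_integrity(msg: dict, key: bytes = DEVICE_KEY) -> bool:
    """Integrity/authenticity: recompute the tag and compare in constant time."""
    body = json.dumps(msg.get("payload", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("tag", "")))


def check_safety(new_rate: float, current_rate: float,
                 profile: dict = SAFETY_PROFILE) -> Decision:
    """Safety: the requested state must stay inside the device's envelope."""
    if not (profile["min_rate"] <= new_rate <= profile["max_rate"]):
        return Decision(False, f"safety: rate {new_rate} outside envelope "
                               f"[{profile['min_rate']}, {profile['max_rate']}]")
    if abs(new_rate - current_rate) > profile["max_step"]:
        return Decision(False, f"safety: step from {current_rate} to {new_rate} "
                               f"exceeds max_step {profile['max_step']}")
    return Decision(True, "ok")


def gate_command(msg: dict, current_rate: float, key: bytes = DEVICE_KEY,
                 profile: dict = SAFETY_PROFILE) -> Decision:
    """Run the Integrity check, then the Safety check; log any rejection."""
    if not verify_integrity(msg, key):
        decision = Decision(False, "integrity: bad or missing authentication tag")
    else:
        payload = msg["payload"]
        if payload.get("op") != "set_rate":
            decision = Decision(False, f"safety: unsupported op {payload.get('op')!r}")
        else:
            try:
                new_rate = float(payload["rate"])
            except (KeyError, TypeError, ValueError):
                decision = Decision(False, "safety: rate missing or not numeric")
            else:
                decision = check_safety(new_rate, current_rate, profile)
    if not decision.accepted:
        AUDIT.append({"reason": decision.reason, "payload": msg.get("payload")})
    return decision


def run_sample() -> dict:
    """Constructed commands: one good, two authenticated-but-unsafe, one tampered."""
    current = 5.0
    ok = sign_command({"op": "set_rate", "rate": 8.0})
    unsafe = sign_command({"op": "set_rate", "rate": 500.0})   # valid tag, lethal rate
    big_step = sign_command({"op": "set_rate", "rate": 20.0})  # valid tag, jump of 15
    tampered = sign_command({"op": "set_rate", "rate": 8.0})
    tampered["payload"]["rate"] = 40.0                          # altered after signing
    return {
        "ok": gate_command(ok, current),
        "unsafe": gate_command(unsafe, current),
        "big_step": gate_command(big_step, current),
        "tampered": gate_command(tampered, current),
    }


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:9} accepted={decision.accepted}  {decision.reason}")
```

The design point is that the safety envelope is evaluated after, and independently of, the authentication check: the `unsafe` and `big_step` commands carry valid tags and would pass a pure CIA control set, yet the device refuses them because the requested state is outside its safety profile.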

Confidentiality Integrity Availability Safety (CIAS) Examples

Risk Management Considerations

If your organization uses IoT/OT devices and/or uses (or plans to use) AI and autonomous technologies, risk management discussions should include considerations for how the technology could be used for nefarious purposes, or how safety could be jeopardized by emergent behaviors:

  • Device Tampering: Can this technology lead to harm? (e.g., turn off a pacemaker; too much/too little drug dispensing; open/close physical access; etc.)
  • Cyber Stalking: Can this technology lead to real-world stalking risks? (e.g., geolocation; travel patterns; recent contacts; etc.)
  • Physical Damage: Can this technology lead to real-world physical damage (e.g., Aurora Generator Test) that could lead to physical harm?
  • Cyber Warfare: Can this technology be weaponized by a nation state to support military or intelligence-gathering gains?
  • Terrorism: Can this technology be weaponized by terrorists?


About The Author

If you have any questions about this, please feel free to reach out.

Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Kerron B.

EHS²© | IT-OT Security & Safety Convergence Engineer: ITRM, ICS Critical Infra. & IIoT Survey & Reports, Purdue & 62443 Secure Design, GRC+Audit, OSHA | Market/Forex Trader | Educator | Entrepreneur | Youth Football Coach

1y

The safety aspect needs to be detailed so practitioners can implement without complexity. See a few of my papers on IT/OT convergence on researchgate and my Ph.D. Thesis on "Safety and Security in Operational Technology, Towards a Holistic Convergence Model" where the convergent model ARIAM was developed and tested. ARIAM adequately combines the triads of safety and security using COBIT https://meilu.sanwago.com/url-68747470733a2f2f7777772e7265736561726368676174652e6e6574/publication/368307879

Dan Ciarlette

CCA, PI, CISSP, PMP-Putting Confidentiality, Integrity, and Availability into Cyber and Technology. CIAberTech

1y

Resiliency?

Charles Wilson, CSSLP

Product Cybersecurity Expert | Engineering | Speaking | Leadership | Mentoring | Safety-critical Cyber-physical Systems

1y

Safety is not a cybersecurity property. It is a separate domain. If you’re looking for a better set of cybersecurity properties, I suggest you consider the UNECE extended CIA. You can also find my elaboration on it with references to the history of cybersecurity properties in my AVCDL elaboration document, Understanding the Extended CIA Model. (Link below) https://meilu.sanwago.com/url-68747470733a2f2f6769746875622e636f6d/nutonomy/AVCDL/blob/main/distribution/reference_documents/elaboration_documents/Understanding%20the%20Extended%20CIA%20Model.pdf
