Cybersecurity fundamentals: The CIA Triad

In the ever-evolving landscape of cybersecurity, there exists a foundational principle that has stood the test of time: the “CIA Triad”. Consisting of three crucial components — confidentiality, integrity, and availability — this powerful framework forms the foundation and backbone of cybersecurity strategies worldwide. But what does the CIA Triad truly entail, and what are the potential impact if one of them are breached?

The basics

The CIA triad (picture by author)

The CIA Triad has been along for quite some time now, first mentioned in the 1970s. There haven’t been anyone claiming to have coined the term, rather it has evolved over time.

The abbreviation consists of the following three components:

• Confidentiality: the concept that only those who are authorized can access certain information, i.e. keeping information private.
• Integrity: the concept that the information can be trusted, that the authenticity is intact, and that nothing has been tampered with.
• Availability: that the information is readily available for those who need it, when they need it.

Let’s dive in to some examples where each one was breached.

Confidentiality: Vastaamo

Photo by Priscilla Du Preez on Unsplash

Imagine that you have experienced something you need to process, perhaps a life-changing event or dark secrets regarding your private life that you don’t want anyone to know about… Except your therapist.

Back in 2020, a Finnish psychotherapy clinic named Vastaamo announced that their patient database had been hacked. The result of the hack was that private health records for thousands of patients had been exfiltrated by cyber criminals. At first, the cyber criminals tried to extort the clinic itself, which refused to pay 40 bitcoins in ransom for the stolen data. Then, it took a darker turn, when the cyber criminals turned to the patients themselves. It is believed that around 30.000 people received a ransom demand for their health records, which contained highly private and sensitive information from therapy sessions, and that around 30 payments ended up in the cyber criminals wallet. It is, however, unclear whether their information was deleted as promised.

This case highlights the importance of data confidentiality, and the consequences when the confidentiality is breached.

Integrity: Stuxnet

Photo by Markus Spiske on Unsplash

When it comes to warfare, there has been a set of defined domains of operations, like land, sea, air, and also space. In July 2016, NATO declared their fifth domain of warfare operations, the cyber domain. At that point, it had been seven years since the release of what many considers the first cyber weapon.

Now, imagine yourself working in a factory, where there are lot of equipment that continuously fail and need to be replaced, even though the control screens in front of you display that everything is working as it should.

In 2002, Iranian dissidents revealed the existence of a secret nuclear facility in the desert outside the town of Natanz in Iran, buried underground and disconnected from the internet. This was under a year after 9/11, and concerns was raised regarding Iran’s nuclear ambitions. Iran used the following years to negotiate with EU regarding the legality of their nuclear program, and continued their program in 2005 after temporarily suspending it. At this time, especially the USA were deeply concerned, and multiple suggestions were made on what course of action that should be taken, ranging from diplomacy to the involvement of American troops. Diplomacy had not stopped the program, and the US troops were already stretched thin over the rest of the Middle East in Afghanistan and Iraq. The then President of the USA, George W. Bush, experienced pressure internally and from Israel as well, who had never been on good terms with Iran and also feared the development of nuclear weapons under the cover of developing nuclear power.

In 2007, a new plan was devised based on input from Keith Alexander in the NSA, and it would result in the first cyber weapon the world had seen. It took two years before the first version was finished, but in 2009 Stuxnet A was deployed targeting the Siemens SCADA systems responsible for controlling the nuclear centrifuges inside the Natanz facility. Around a year later, Stuxnet B was released with the objective of manipulating the centrifuges’ speed and thereby destroy them. What Stuxnet did, was record data from the centrifuges over the course of several weeks. Then, it would play that data to the control screens, while simultaneously altering the internal speed of the centrifuges. The consequences were that everything seemed normal on the screens in the control room, while the centrifuges were (literally) spinning out of control. Over the next years around 1000 centrifuges were destroyed, and it is believed this set back Iran’s nuclear program several years.

This event (and more!) is described in thorough detail in the excellent book “This is how they tell me that the world ends” by Nicole Perlroth — highly recommended!

Availability: Maersk vs. NotPetya

Photo by Galen Crout on Unsplash

When you buy or order something, chances are huge that you the things you are buying are being shipped by Maersk. Maersk is the largest container shipping company in the world, with over 110 000 employees, responsible for delivering goods to numerous ports all over the world. However, one afternoon in 2017, the company suddenly faced the consequences of an interruption in information availability.

NotPetya was malware (malicious software) that originated from the Russian cyber crime group Sandworm. The malware was targeted towards Ukrainian corporations by using a supply chain attack against the Ukrainian tax software MEDoc, which many Ukrainian corporations used. NotPetya was designed to mimic Petya (which was a ransomware), however, NotPetya did not have any recovery feature, hence being primarily destructive in nature, and therefore named NotPetya.

Maersk, being an international company, had an office in Ukraine and was thus affected by the malware. NotPetya itself contained so-called zero days (vulnerabilities that have not been disclosed yet, in other words, they have been known for “zero days”), which meant that the malware had the potential to spread fast without any resistance, which it did. Over the next few hours, Maersk’s whole operation worldwide grind to a halt. The consequences were massive: due to the lack of availability to information, no one knew the content of containers, who sent them, were they were going, and so forth. That in turn meant that the ports receiving the containers could not accept the containers, since the shipping manifests was unavailable. At the time, Maersk had hundreds of ships that suddenly weren’t allowed to deliver their containers, and on land, hundreds of trailers waiting to pick up the containers were left in mile-long queues. Maersk was responsible for shipping a wide variety of items, including perishable goods such as food and medicine with expiration dates. Now, these were going bad alongside other items that were expected to arrive by customers.

Maersk’s whole infrastructure had been affected, which included the domain controllers, and underlying systems and infrastructure. All of these were now encrypted by an undecryptable malware, which threatened the whole existence of the company. But luck would have it that one of their locations in Ghana was not affected that day.

A blackout is usually something that causes disruption and irritation. In this case, however, it meant that the servers on that specific location in Ghana were unaffected due to being offline during the power outage. Fortunately for Maersk, they managed to rebuild their whole infrastructure using that one domain controller, and although it took several months, they were finally able to resume normal operations. The attack, however, had an estimated cost of around $300 million, and in the end caused enormous problems for several corporations worldwide.

This event is also described in detail in “This is how they tell me that the world ends” by Nicole Perlroth — highly recommended read!

Summary

In cybersecurity, it is paramount to protect the confidentiality, integrity, and availability of information and systems. The potential consequences of disruption in either confidentiality, integrity, and/or availability might differ depending on the nature and operation of the affected company, but all three need to be properly safeguarded using the right people, processes and technology.

Disclaimer: This article contains affiliate marketing links, which means I may earn a commission — at no extra cost to you — if you make a purchase through these links. This helps support my work and enables me to continue providing valuable content. All opinions and recommendations expressed in this article are based on my personal experience and research. Thank you for your support!