3.1. Security objectives
The first part of this chapter introduces what are known as Information Technology (IT) security objectives and details them in the context of the industrial control system (ICS). The second part gives useful, precise definitions concerning the notion of risk. The principle of risk analysis, based on the assessment of impacts and their likelihood, is then described. The last part presents the evaluation process and shows how it fits into the PDCA continuous improvement process (Plan, Do, Check, Act).
3.1.1. The AIC criteria
In the world of information security, we often consider three properties of a system that must be guaranteed: the availability (A) of services, the integrity (I) of software and data and the confidentiality (C) of information. These criteria are called AIC criteria. They are seen as objectives to be achieved by security functions.
The importance of the first criterion, the availability of a service or information, is quite easy to perceive. Everyone can see this when they need a web service from their workstation or mobile phone.
This criterion is more or less important depending on the context and the user: the lack of an available mapping service used to locate a destination mentioned in a documentary will be less problematic than it will be if one is lost in a city, abroad and ...