Data classification & protection needs
The central task of a threat-risk assessment is to classify the data that is stored or processed in a zone and transmitted between zones via conduits.
This classification is done in two steps:
- Identification of the data available in your system.
- Classification of the data, i.e., determination of the protection needs of the identified data classes.
Data identification
Data class | Abbrev. | Description |
Configuration Data | CD | Configuration data is located on the devices used to build automation infrastructures and systems |
Log Data central | LD | Log data stored on a central Syslog server |
Log Data onboard | LO | Log data available on the device, logging can be configured |
Application Data | AD | Application data is located on the devices |
Process Data | PD | Process data transferred between the devices and processed there |
System Data | SD | System data (access data, keys, certificates) located on the devices |
Recipe Data | RD | Recipes (which may also include proprietary data and trade secrets) |
Parameter Data | PAD | Variable values (e.g., min, max) |
Backup Data | BD | Backed-up data |
Data classification (protection needs)
Based on the identified data classes, the protection needs can be determined. Each data class is rated against three protection objectives:
- A = Availability
- I = Integrity
- C = Confidentiality
Protection objective: Availability
To what extent must the information and processing functions be accessible to authorized users / resources, and what is the maximum tolerable downtime?
Level | Description |
1 - Negligible | The processing of the information can be postponed for up to several days or can be carried out manually for this period of time without significant damage being incurred. |
2 - Moderate | The processing of the information may be postponed for up to one day or may be performed manually for that period without major damage. |
3 - Serious | The processing of information may fail only rarely and for short periods of time (up to 4 hours). Otherwise, high damage is to be expected. |
4 - Critical | The processing of the information must basically be continuous and may only fail for a very short period of time, not exceeding one hour. Otherwise (in case of failure for more than one hour) very high damages are to be expected. |
Protection objective: Integrity
To what extent must uncontrolled changes and deliberate manipulation be prevented, or must the (machine) processing work flawlessly and reliably? To what extent must the actions of the users or the generation of the information be traced?
Level | Description |
1 - Negligible | Deliberate or unintentional falsification of the processed information or information loss does not result in any significant damage. If the processed information is incomprehensible, no significant damage is to be expected. |
2 - Moderate | Intentional or unintentional falsification of the processed information or loss of information can cause only medium damage. If the processed information is not bindingly traceable or provable to third parties, only medium damages can occur. |
3 - Serious | Deliberate or unintentional falsification of the processed information or loss of information can cause serious damage. If the processed information is not legally binding or provable to a third party, it can cause serious damage. |
4 - Critical | Intentional or unintentional falsification of the processed information or loss of information can cause very high damage. If the processed information is not legally binding or provable to third parties, it can cause very high damages. |
Protection objective: Confidentiality
To what extent must unauthorized access to information and unauthorized disclosure be prevented?
Level | Description |
1 - Negligible | The processed information can be brought to the attention of anyone without significant damage or is explicitly intended for publication. |
2 - Moderate | Information is processed whose access is restricted to authorized persons. If the information is disclosed to unauthorized persons, only moderate damage is to be expected. |
3 - Serious | Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, high damages are to be expected. |
4 - Critical | Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, very high damages are to be expected. |
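The two steps above can be recorded as a small, checkable register. This is an added example, not part of the original page. The ratings, the zone and conduit names, and the rule that a zone or conduit takes the highest level among the data it handles are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = {1: "Negligible", 2: "Moderate", 3: "Serious", 4: "Critical"}  # from the page
DATA_CLASSES = {"CD", "LD", "LO", "AD", "PD", "SD", "RD", "PAD", "BD"}  # from the page

@dataclass(frozen=True)
class Need:
    """Protection need of one data class: A, I and C, each rated 1-4."""
    a: int
    i: int
    c: int

    def __post_init__(self):
        for objective, level in (("A", self.a), ("I", self.i), ("C", self.c)):
            if level not in LEVELS:
                raise ValueError(f"{objective}={level!r} is not a level 1-4")

# Constructed sample ratings; a real assessment sets these per installation.
RATINGS = {"CD": Need(3, 4, 2), "SD": Need(3, 4, 4), "PD": Need(4, 3, 2),
           "LD": Need(2, 3, 2), "RD": Need(2, 3, 4)}
# Constructed zones and conduit, listing the data classes each one handles.
ZONES = {"control": ["CD", "PD", "SD"], "supervisory": ["LD", "RD", "CD"]}
CONDUITS = {("control", "supervisory"): ["PD", "LD"]}

def roll_up(classes, ratings=RATINGS):
    """Assumed rule: a zone or conduit needs the highest level among its data."""
    if not classes:
        raise ValueError("no data classes identified")
    needs = []
    for abbrev in classes:
        if abbrev not in DATA_CLASSES:
            raise ValueError(f"{abbrev!r} is not an identified data class")
        if abbrev not in ratings:
            # Step 1 was done for this class, step 2 was not: flag the gap.
            raise LookupError(f"{abbrev} is identified but not yet classified")
        needs.append(ratings[abbrev])
    return Need(max(n.a for n in needs), max(n.i for n in needs),
                max(n.c for n in needs))

if __name__ == "__main__":
    for name, classes in {**ZONES, **CONDUITS}.items():
        n = roll_up(classes)
        print(name, f"A={n.a} I={n.i} C={n.c}")
```

A data class that is listed in a zone but missing from the ratings raises an error instead of silently defaulting to a low level, which keeps unclassified data from lowering the result.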