For special-purpose information systems such as Industrial Control Systems (ICS), it's important to consider not only confidentiality but also integrity and availability.

Imagine an information system A that measures the quantity and concentration of chemicals used for disinfection in water facilities and administers the chemicals.

The business information managed by information system A pertains to data on chemical quantity and concentration. If this information is affected by human error, mechanical failure, or cyber-attacks, it could impact public health and safety. Therefore, from a broader perspective, it is advisable to classify information system A as Class C(Classified). The C/S/O classification criteria suggested by the N²SF security guidelines are also based on the Information Disclosure Act and the Public Data Act, which instruct classifying systems impacting public health and safety as Class C.

Let's take a more detailed look by distinguishing business information and information systems and viewing them from the traditional security objectives of confidentiality, integrity, and availability.

First, let's examine business information. The business information handled by information system A (i.e., data on chemical quantity and concentration) is recommended to be classified as Class C from the perspective of integrity and availability. This is because if the data is corrupted, there is a risk of administering chemicals excessively (or insufficiently). If the data cannot be read (i.e., cannot be monitored), it becomes impossible to determine the appropriate level of chemical dosage, thus posing a risk of contaminated tap water supply. However, from the perspective of confidentiality, the business information might be classified as Class O(Open) to inform the public about water facility safety and utilize it as public data, considering societal benefits.

Next, let's look at the information systems processing the business information. Information system A, due to the potential risk of being targeted by an attack if its location and mechanical characteristics are disclosed, should be viewed as Class C from a confidentiality perspective. The perspectives of integrity and availability remain the same as discussed above.

As mentioned, the C/S/O classification for business information and the C/S/O classification for information systems can have different criteria based on their respective characteristics, which can maximize the application effect of N²SF.

Could organizations apply more detailed C/S/O classification criteria beyond the business information C/S/O classification criteria suggested by the N²SF security guidelines? Of course, in such cases, it is advisable to obtain judgment through prior consultation with the National Intelligence Service, which oversees security reviews.