[New IIC white paper] Data Protection Best Practices
Protecting sensitive data created, stored and consumed by sensor-driven Industrial Internet of Things (IIoT) technology and applications is one of the foundations of trustworthy IIoT systems.
Broadly speaking, data protection measures resist internal and external disturbances and attacks on critical data and IIoT systems at large. These measures are applied over the entire lifecycle of the data from when the data is generated to when the data is destroyed or securely archived. Applying appropriate measures to data-at-rest, data-in-motion, and data-in-use, promotes confidence in the security of the broader IIoT system.
“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, Executive Vice President, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”
Failure to apply proper data protection measures can lead to serious consequences for IIoT systems, such as:
- service disruptions that in turn affect the bottom-line,
- serious industrial accidents and
- significant regulatory fines, loss of IP, and negative impact on brand reputation, caused by data leaks, as well as the failure to detect them and report them in a timely fashion.
The Industrial Internet Consortium® (IIC™) announced the publication of the Data Protection Best Practices White Paper. Designed for stakeholders involved in cybersecurity, privacy and IIoT trustworthiness, the paper describes best practices that can be applied to protect various types of IIoT data and systems. The 33-page paper covers multiple adjacent and overlapping data protection domains, for example data security, data integrity, data privacy, and data residency.
Categories of Data to be Protected
Data protection touches on all data and information in an organization. In a complex IIoT system, this includes operational data from things like sensors at a field site; system and configuration data like data exchanged with an IoT device; personal data that identifies individuals; and audit data that chronologically records system activities.
Different data protection mechanisms and approaches may be needed for data at rest (data stored at various times during its lifecycle), data in motion (data being shared or transmitted from one location to another), or data in use (data being processed).
Data Security
“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, Product Manager, Real-Time Innovations (RTI) and one of the paper’s authors. “It also requires a team approach from manufacturing, to development, to deployment and operation of both IoT devices and infrastructure. This white paper covers the best practices for various data security mechanisms, such as authenticated encryption, key management, root of trust, access control, and audit and monitoring.”
Data Integrity
“Data integrity is crucial in maintaining physical equipment protection, preventing safety incidents, and enabling operations data analysis. Data integrity can be violated intentionally by malicious actors or unintentionally due to corruption during communication or storage. Data integrity assurance is enforced via security mechanisms such as cryptographic controls for detection and prevention of integrity violations,” said Apurva Mohan, Industrial IoT Security Lead, Schlumberger and one of the paper’s authors.
Data integrity should be maintained for the entire lifecycle of the data from when it is generated, to its final destruction or archival. Actual data integrity protection mechanisms depend on the lifecycle phase of the data.
Data Privacy
As a prime example of data privacy requirements, the paper focuses on the EU General Data Protection Regulation (GDPR), which grants data subjects a wide range of rights over their personal data. The paper describes how IIoT solutions can leverage data security best practices in key management, authentication and access control can empower GDPR-centric privacy processes.
The Data Protection Best Practices White Paper complements the IoT Security Maturity Model Practitioner’s Guide and builds on the concepts of the Industrial Internet Reference Architecture and Industrial Internet Security Framework.
The Data Protection Best Practices White Paper and a list of IIC members who contributed to it can be found on the IIC website.