The Data Protection Best Practices White Paper published by the Industrial Internet Consortium (IIC) lays out the Data Protection Best Practices that manufacturers can take to secure their data in the industrial internet age.
Data comes in many different forms, including operational, personal, audit, configuration, and system data, which complicates the search for the proper protection of your data, especially in a complex IIoT system.
Security is typically the first step an organization should take when it comes to data protection. In this white paper, security is covered in five sections—key management, root of trust, authentication, access control, and audit and monitoring. The paper then drills down into more specifics and establishes how organizations can use the information provided.
- Key Management: It’s important to understand that managing keys, like passwords, is an integral step in making sure that only authorized users can access the secured data. Though it may seem obvious, creating, rotating, and backing up passwords made of seemingly random characters is the first step for proper protection.
- Root of trust: Make sure there are different levels of security, each with built-in defenses, because most Internet of Things (IoT) devices are designed for low cost and low resource consumption, which makes them vulnerable to attacks.
- Authentication: As with key management, this may seem obvious, but it is often overlooked. Authentication, in this case, is combined with encryption: data should be kept encrypted and accessible only to those with the proper credentials.
- Access Control: Data protection should, first and foremost, prohibit unauthorized access. As with authentication, only those with the proper key should be able to access specified data.
- Audit and Monitoring: This step, in the grand scheme, is about making sure that all steps are working as established. Make sure the system is running properly, ensure that everyone has proper access and validation, and continue to operate without incident.
“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, product manager, Real-Time Innovations (RTI) and one of the paper’s authors.
Once it is established that an organization’s data is secured following the steps laid out by the IIC in the paper, it’s time to be sure that the data is valid, accurate, and not tampered with or destroyed in any unauthorized way.
Data integrity is important to ensuring that operations run smoothly. And because data passes through multiple phases throughout its lifecycle, a violation of data integrity is likely, whether by malicious actors or through unintentional corruption during communication or storage. So it is important to continuously verify data and ensure that it is intact and protected.
This is especially relevant when it comes to handling personal data, as this data must be protected in accordance with privacy laws and regulations, which are wide-ranging in scope and stringency. The IIC paper focuses on the EU General Data Protection Regulation (GDPR).
Because of the specificity of some laws regarding personal data, the IIC writes, “Personal data collected from data subjects must be reduced to the lowest levels necessary for the specific purpose of the processing.” This data should also be kept confidential and only be accessible by those with the right credentials.
Failure to keep personal data secure can lead to serious consequences—revenue and profit loss, non-compliance fines, financial and criminal exposure, or reputational damage—that can have long term effects on the organization.
“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, executive vice president, IGnPower—another one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults, and attacks.”