Industrial Internet Consortium Releases Data Protection Guidelines

As the industrial Internet of Things (IIoT) continues to gain traction among manufacturers, data protection has become a paramount concern for engineers, managers and business leaders. While the IIoT has enabled extensive innovation, it has also exposed companies to new threats that are constantly changing and evolving.

The Industrial Internet Consortium (IIC) has responded to this concern with its Data Protection Best Practices White Paper.

“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, executive vice president, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”

The IIC recognizes that data protection is a concern across the entire organization—and the more complex the organization, the greater the need for that protection. This includes data from onsite sensors, information exchanged with an IIoT-enabled device, customer information gathered through company websites, personal data of employees and clients, employee mobile devices and system audit data, among others.

The white paper sets out recommendations for three areas of data protection. All quotes are from the paper unless otherwise noted.

Data Security

Data security covers key management, root of trust, authentication, access control and audit and monitoring.

The paper recognizes that IIoT adds “a vast number of new network enabled devices to corporate or field networks, thereby increasing their attack surface significantly.” IoT devices are generally designed for low cost and low resource consumption, making them harder to protect. The report recommends using a hardware-based root of trust and a defense-in-depth approach to securing those devices.

The report also recommends giving extra attention to the cryptographic algorithms used to create keys and strengthen authentication. It recognizes that business motivations and technical motivations can be at odds with each other, and recommends aligning goals with both sets of priorities before proceeding with product or systems designs—which would help determine what should, or shouldn’t, be encrypted.

Regarding access control, “the first step to data protection is to prohibit unauthorized access.” Implementing a secure authorization system where all data access paths go through a reference monitor—a proxy that enforces security policy and cannot be bypassed—would go a long way in keeping data protected.

And finally, the system must be monitored and audited to assess the current security state of the system, make sure it’s operating as it should, and that no incidents or policy violations have occurred. The report recognizes particular challenges in low-bandwidth and high-cost communications environments such as remote oil and gas refineries—and recommends pre-processing and compressing security logs to reduce the load on bandwidth and associated costs.
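One way a field gateway could pre-process and compress audit events before sending them over a constrained link, shown as an added example that is not taken from the white paper. The event fields, device names and sample data are constructed for illustration.

```python
import gzip
import json

# Constructed sample: audit events from a hypothetical remote field gateway.
SAMPLE_EVENTS = (
    [{"ts": 1700000000 + i, "device": "plc-07", "event": "auth_fail",
      "user": "operator"} for i in range(40)]
    + [{"ts": 1700000100, "device": "plc-07", "event": "config_change",
        "user": "engineer"}]
    + [{"ts": 1700000200 + i, "device": "rtu-02", "event": "heartbeat_ok",
        "user": ""} for i in range(60)]
)

def aggregate(events):
    """Collapse repeated (device, event, user) records into one summary row
    with a count and first/last timestamps, keeping first-seen order."""
    groups = {}
    for e in events:
        key = (e["device"], e["event"], e["user"])
        row = groups.setdefault(key, {
            "device": e["device"], "event": e["event"], "user": e["user"],
            "count": 0, "first_ts": e["ts"], "last_ts": e["ts"]})
        row["count"] += 1
        row["first_ts"] = min(row["first_ts"], e["ts"])
        row["last_ts"] = max(row["last_ts"], e["ts"])
    return list(groups.values())

def pack(records):
    """Serialize compactly and gzip for the uplink."""
    return gzip.compress(json.dumps(records, separators=(",", ":")).encode())

def unpack(blob):
    """Inverse of pack(), as run by the central collector."""
    return json.loads(gzip.decompress(blob))

def uplink_cost(events):
    """Bytes on the wire for raw JSON versus the aggregated, gzipped form."""
    summary = aggregate(events)
    return {"raw_bytes": len(json.dumps(events).encode()),
            "packed_bytes": len(pack(summary)),
            "rows": len(summary)}

if __name__ == "__main__":
    print(uplink_cost(SAMPLE_EVENTS))
```

Aggregation discards per-event timestamps, so the gateway should keep the raw log locally for as long as an investigation might need it.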

Data Integrity

This means maintaining the accuracy and validity of data across the organization, making sure it isn’t altered or destroyed inappropriately. The report states, “in industrial environments, data integrity and system integrity are closely related, as manipulation of industrial systems and communication channels can directly result in a loss of data integrity.”

The white paper recommends considering the data’s accuracy, timeliness, protection against tampering, and introduction of unintentional errors.

Cryptographic controls again come into play in this area, as they can detect integrity violations to help ensure the data doesn’t deteriorate. Application-level cryptographic processing can also provide confidentiality and integrity for highly sensitive data in motion from one user to another.

The IIC again recommends a security-in-depth strategy for securing IoT infrastructure and the data it generates—particularly when it comes to securing data in the cloud and protecting it as it travels over the public internet.

Data Privacy and Confidentiality

With the IIoT connecting more people and things online, the protection and appropriate use of personal data is becoming increasingly important. This is a particular priority in the fields of health care and smart cities. “Data privacy laws are proliferating in various jurisdictions, and they are becoming increasingly stringent,” according to the paper. “Thus the need for compliance with these laws is becoming a major concern.”

The paper recommends minimizing the personal data collected from subjects to the lowest levels necessary—in other words, only collect what you need and nothing more. Data anonymization—a data masking method that replaces data deemed to be personal with randomized data so it can’t be linked back to the individual who gave it—helps in this regard. Another useful tool is assigning security-level classifications to the data, which restricts data users from accessing data that isn’t directly relevant to their tasks.
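The three measures in this paragraph (minimization, anonymization with randomized data, and classification-based access) can be combined in one record pipeline. The following is an added example, not code from the white paper; the field policy, classification levels and sample records are assumptions made for illustration.

```python
import secrets

# Hypothetical policy (assumption): classification level per field and whether
# it is personal data. Fields absent from the policy are never retained.
POLICY = {
    "machine_id":  {"level": 0, "personal": False},
    "vibration":   {"level": 0, "personal": False},
    "shift":       {"level": 1, "personal": False},
    "operator_id": {"level": 2, "personal": True},
    "badge_email": {"level": 2, "personal": True},
}

# Constructed sample records from a hypothetical shop-floor collector.
SAMPLE = [
    {"machine_id": "press-3", "vibration": 0.42, "shift": "A",
     "operator_id": "E1001", "badge_email": "a.lee@example.com",
     "home_address": "1 Example St"},
    {"machine_id": "press-4", "vibration": 0.57, "shift": "A",
     "operator_id": "E1001", "badge_email": "a.lee@example.com"},
    {"machine_id": "press-3", "vibration": 0.40, "shift": "B",
     "operator_id": "E2002", "badge_email": "b.roy@example.com"},
]

def minimize(record):
    """Keep only the fields the policy says are needed."""
    return {k: v for k, v in record.items() if k in POLICY}

def anonymize(records):
    """Replace personal values with random tokens. The value-to-token map
    exists only inside this call, so tokens cannot be reversed later; equal
    values share a token within the batch so per-operator analysis still works."""
    mapping, out = {}, []
    for record in records:
        clean = {}
        for k, v in minimize(record).items():
            if POLICY[k]["personal"]:
                v = mapping.setdefault((k, v), "anon-" + secrets.token_hex(8))
            clean[k] = v
        out.append(clean)
    return out

def view_for(record, clearance):
    """Return only the fields at or below the caller's clearance level."""
    return {k: v for k, v in record.items() if POLICY[k]["level"] <= clearance}
```

Replacing direct identifiers does not by itself prevent re-identification from the remaining fields, so the non-personal columns still need review before data is shared.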

Conclusion

With this set of guidelines the IIC proposes a common framework that IIoT users, operators and organizations can reference when building their data protection systems—whatever the industry or sector they may be working in. The paper identifies security of data as “the cornerstone of Data Protection. So we have focused on the measures and best practices needed to achieve a desired level of security for data.”

The white paper builds on the IIC’s Security Maturity Model (SMM), a common standard that could be applied by IIoT security professionals and organizations across market sectors.

To incorporate the SMM in their business, organizations would first define security goals and objectives to address risks. Next, technical experts—whether internal or third party—would identify real-world security techniques and capabilities to meet those goals. This would help determine an appropriate security maturity level. Finally, organizations would develop a security maturity target, compare it to their existing system, and implement a plan to make improvements and meet their target.

“The Security Maturity Model provides organizations with an informed understanding of security practices and mechanisms applicable to their industry and scope of their IoT solution,” said white paper co-author Ron Zahavi, Chief Strategist for Azure IoT Standards at Microsoft.

As industries across the globe become increasingly reliant on the IIoT for their operations, it is becoming more and more important to keep their data secure, private and reliable. The IIC’s recommendations may prove to be invaluable for the individuals and organizations tasked with safeguarding that data.
