The internet of things has forever altered what can be defined as a computer. Turn back the clock just 15 years and commercial smartphones did not exist. Tablets were far more limited and widespread driverless vehicle use still sounded like something from science-fiction. Now, an increasing number of devices are being given processing power and flash media data storage. From a productivity standpoint, industries have never had more data from which to make decisions.
The security aspect of computing today, however, is darker. Gone are the days when a hard disk drive degausser could completely sanitize every bit of unneeded data within a company. This new market is challenging, in part because it is constantly evolving. The IoT, for instance, now has a sizeable subset called the industrial internet of things. These devices are specific to creative industries such as manufacturing and other professional enterprises.
While the IIoT is similar to the IoT, businesses should anticipate some key differences and be ready to thoroughly destroy all potentially dangerous data before classified information can fall into unauthorized hands with malicious intent.
"IIoT devices are built to take more punishment than consumer IoT products."
What separates IIoT from IoT
The IoT includes all consumer-grade hardware. For instance, popular Apple and Samsung smartphones are part of the IoT. However, not every consumer device is designed to hold up in an industrial setting. A Google Glass headset would not last a year in a hazardous environment like an oil rig or a lumber mill, where chemicals and particles are constantly in the air and interacting with technology.
There are numerous safety and quality certifications for every piece of hardware in the IIoT. The Radio Technical Commission for Aeronautics, for instance, mandates security for airborne vehicles, specifically publishing the DO-254 hardware standards. ODG created augmented reality glasses built for use in inhospitable climates, complete with certifications in dust and water repellency.
All of this is to say that IIoT devices are hardy, built to take far more punishment than consumer IoT products. They are designed to work – to preserve their data – through challenging circumstances. Organizations cannot count on them simply breaking over time or short circuiting. All IIoT devices that store data must be thoroughly destroyed when being decommissioned.
Not all shredders are built equally for this task. No one would expect a paper shredder to destroy even hardware as small as a phone. While lesser technology may render the device inoperable, the asset is still a safety hazard for as long as the data remains accessible.
Just as organizations would not buy hardware lacking in proper industrial safety and performance certifications, so too should they not use data destruction equipment that has not been signed off on by various neutral parties. The ideal multimedia data shredder meets all NIST, HIPAA, FACTA and PCI standards. The device should preferably also meet DoD standards on sanitizing unclassified government data.
That said, the shredded nature of discarded material can be misleading. If even a bit of the data survives, an organization's network security can still be compromised. Data storage should be shredded multiple times before it is discarded, to ensure the highest likelihood of complete destruction.
The importance of offline-enabled equipment
It is more than hardiness that separates IIoT hardware from regular IoT devices. To return to the smartphone, while it saves some data, there are many tasks that it can no longer perform when disconnected from a network. Apps do not work and even necessities like the GPS struggle. That is because these consumer devices are not manufactured to store data as a backup. Students cannot keep playing their online games after service goes down – everything crashes.
Not so with most industrial equipment. Since efficiency is so valued, especially in industries like the warehouse supply chain, the majority of data-collecting software is designed to maintain functionality, even when internet connectivity is lacking. These means one of two things: either the hardware has data storage built in or there is a backup server receiving the data in the meantime.
In other words, every device that can exist and continue to function in offline mode must be sanitized. It is more than just a conduit for the data to flow through: It has storage, however small, that likely contains access to the larger network as a whole.
Factoring in the age of automation
Nearly every sector across industries is becoming automated. New technology has reduced the dependency on human operators. While this is a good thing, as it increases productivity cycles and eliminates casual error, it also means more advanced, autonomous devices are coming into use.
To return to the warehouse industry, Amazon has unveiled Prime Air, a delivery service that takes products from the shelves directly to a consumer's home via drone aircraft. While convenient, drones are hardly secure as one article from Futurity pointed out. In 2016, several university students a professor discovered three distinct methods to bring drones down and hack their data. Not only is this theft of hardware but it could signal a major security breach.
Unmanned aerial vehicles are network-connected devices that receive orders and transmit information back to central servers constantly. If one of these devices is stolen then, in theory, hackers could gain access to this connection. Unfortunately, data sanitization still has not evolved to effectively physically destroy the data on a drone, so software solutions remain the only line of defense. This danger serves to showcase how technology evolves faster than the means to effectively protect it.
Industries controlled by time
Breaches in network security are always serious. That said, IIoT operates in industries where time can make the difference between life and death. Part of the reason why hospitals and other health care institutions are so frequently targeted is due to the time-critical nature of their business. Should the network go down or be infiltrated, these institutions cannot simply stop their daily procedures – they must act immediately, which typically means caving into whatever demands have been made.
IIoT data security is a vital aspect of upgrading infrastructure to take advantage of new technology. These industries often can't afford to retroactively enhance data security after an attack happens. Proper data sanitization is part of effective cybersecurity. Given the enhanced hardiness of IIoT-enabled devices, as well as their frequent ability to store data in case of network outages, this hardware needs to be properly sanitized.