Industrial Internet Security Framework v 1.0 | Page 19

Security Framework

3: Key System Characteristics Enabling Trustworthiness

should be performed for normal and abnormal scenarios and examined as to whether an attacker
could purposely disrupt a combination of components.
Software must also be able to transfer over to alternate functionality, implementations,
configurations, locations or network segments that may have different weaknesses so the same
threats and hazards are not as disruptive to the replacement capabilities.1

3.6

PRIVACY

Privacy is the right of an individual or group to control or influence what information related to
them may be collected, processed, and stored and by whom, and to whom that information may
be disclosed.
Assurance of privacy depends on whether stakeholders expect, or are legally required, to have
information protected or controlled from certain uses. It is important to stay up to date with
regulations and standards, such as the new framework for transatlantic data flows called the EUUS Privacy Shield and the EU General Data Protection Regulation (GDPR) 2.
In the US, the Federal Trade Commission (FTC) maintains many guidelines that apply in
commercial environments. Rules apply to firms in healthcare, finance, education, auto sales,
direct marketing, entertainment and consumer credit. In each case, firms must abide by specific
guidelines. For example, in healthcare environments HIPAA 3 rules must be followed when
handling patient-related information.
Care needs to be taken to minimize the use of data and to address risks associated with
establishing the identity of parties when those identities should not be revealed. Identity might
be revealed through the examination of metadata associated with the party (fingerprinting) or
the correlation of data about the party. Integrating IIoT systems might increase this risk. Security
systems themselves might increase privacy risks by increasing the amount of data collected and
associated with a party.
Privacy risks may increase as industrial systems are interconnected with other systems that
contain sensitive data. For example, if a customer relationship management (CRM) system is
integrated with a manufacturing system then information about the items produced for certain
customers might be revealed through a security breach of either system. Additional risks may
involve the inappropriate sharing and distribution of information by third parties, should they
decide to share the sensitive data.
There are a number of frameworks that may apply, depending on regulation, but all may be
useful in understanding privacy effects on business models. Examples are GAPP from AICPA, PPTF
from OECD, FIPPS from FTC and ‘Regulation 2016/679’ from EU.4

See [NIST-800-160]
See [EU-GDPR]
3
See [HHS-HIPAA]
4
See [AICPA-GAPP], [OECD-PPTF], [FTC-FIPPS] and [EU-2016/679]
1
2

IIC:PUB:G4:V1.0:PB:20160926

- 19 -