Private data in Critical Infrastructures: a security threat or a business opportunity?
This post has been written by Andrea Bartoli, Director of Innovation at Worldsensing.
(Barcelona, Spain), Feb. 28th
In the early 1990s, data breaches and the misuse of digital information were not considered a significant problem in standard IT and OT networks’ operation; distributed connected devices such as smartphones did not exist, nor did the social media, and the main activities were mostly human actions. Human-to-Human (H2H) or Human-to-Machine (H2M) was the main business paradigms at that time. In this context, people were not expected to have an endless memory for passwords and complex procedures, and today’s cybercriminal actions were not even an incipient risk.
Since then, data protection and privacy protection have steadily become a topic of major significance due to the continued propagation of Machine-to-Machine (M2M) business alternatives and the advent of new technology capabilities like IoT and Big Data. Although the adoption of such capabilities has actively contributed to finding solutions for operational issues in complex industrial environments, providing clear benefits in the efficiency of the use of resources, they have also opened the door to manifold cybersecurity threats. Besides, the digitalization of personal data has posed a yet-to-be-resolved dilemma for citizens: sharing or not their data in exchange for new add-value services, in detriment of the privacy.
Institutions are currently collecting more citizens’ data than ever before. Data linked to consumption, lifestyle and even browsing habits can be easily tracked and analyzed to target customers and adapt the products launched to the market in an efficient approach. As the Internet’s penetration steadily grows (e.g. use of smartphone or consolidation of Apple Pay, PayPal and other online payment tools), information becomes readily available and gains a greater business value position (Figure 1). Big Data and Business Intelligence are the tangible consequences of such paradigm, and they have already a great impact on today’s society.
Figure 1 -Analytics: A blueprint for value converting big data and analytics insights into results, IBM 2013
In more detail, data have become a key asset for the economy and the society of similar importance as traditional human and financial assets (Figure 2). Whether we are talking about geographical, weather, research, transport, energy consumption, or health data inputs, the need to process them is pushing the technology development on an accelerated path. Critical Infrastructures (CI) can become a unique source of valuable data, if they are correctly anonymized, protected and processed, helping to tackle some of the challenges of our society. To seize the associated business opportunity, the adequate protection technologies but also legal requirements (EU General Data Protection Regulation) need however to be adopted, shaping a market that forges a closer relationship between citizens and business actors. Although this adoption has only partially been implemented at the moment, the opportunity is there to be seized, and will become a high hanging fruit in the years to come.
Figure 2 –Data Economy in Europe – European Data Market study
Considering this new and complex scenario, the adoption of digital tools in CI to guarantee the resilience and the safety of the assets implies challenging risks in the field of security and privacy that need to be urgently addressed with the aim to minimize the impact of future attacks. With an increasing degree of connectivity and the introduction of Operational Technology capabilities in CIs, severe new vulnerabilities arise and exponentially grow, and for this reason, projects like CIPSEC are crucial to mitigate them.
CIPSEC exploits the latest capabilities of digital technologies and integrates heterogeneous solutions from different European companies and universities in a single framework to increase the security level in CIs, covering from anomaly detection, anti-malware, cyber-security detection and prevention, distributed denial of service, and hardware security. With pilots in real environments of the transportation, health and environmental monitoring sectors, the project offers a unique opportunity to validate a complex framework in real scenarios with the direct participation of stakeholders and end-users. Besides, CIPSEC paves the way to demonstrate that data can be adequately treated therein.
Although the new privacy-preserving security tools are potentially hard-hitting for the organizations, the benefits for the consumers are clear. Referred to by companies as “D-Day for security,” a clear and regulated market will provide personal data with a high standard of protection, allowing customers the right to complain and obtain redress if data are misused anywhere. In addition, it is an opportunity for stronger relationships to be forged between consumers and businesses as “social contracts” are to be created in the articulation of the data use. This increases the social initiative as “private data marketplaces” managed through third parties and guarantors which could provide benefits to users, who first understand the privacy risks and explicitly accept the private data use in return for a tangible benefit. In summary, institutions should start preparing themselves by putting policies in place and well-practiced procedures to meet the new standards. Furthermore, citizens will have the opportunity to increase their awareness about privacy-risks and privacy-policies to thus maximize the opportunities and paybacks by exploiting their personal data.
In conclusion, if the cyber-security and privacy-preserving challenges are effectively addressed from initiatives similar to CIPSEC project for CI but also for Smart City in general, a key but open question arises: How much of a real business opportunity do private data offer to European citizens?
CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.