Which guidelines apply

In many Industrial Internet solutions, the guidelines that might apply for GRC are not as simply determined as one might think. Data might be captured from devices in multiple countries, transmitted over networks between countries, and reside in data centers in yet other countries.

The passenger airline industry provides a useful and extremely complicated scenario. As you no doubt realize, aircraft and aircraft components, such as engines, are very expensive. The aircraft are often leased. Efficient routing of planes and crew and scheduling of maintenance is critical to on-time performance. Passenger satisfaction is determined by their experience in airport and airline interactions.

In a common scenario, the following activities take place:

  • The aircraft is manufactured by Boeing, Airbus, or a regional jet manufacturer
  • The engines are manufactured by GE, Pratt and Whitney, or Rolls Royce
  • A jet lessor, such as GE's Gecas, owns the aircraft fleet
  • An airline leases the aircraft and is the operator of the asset(s)
  • The airline buys a long-term service contract with the aircraft manufacturer and the engine manufacturer
  • The aircraft depart from and land at many different airports, using the associated ground services
  • Ground services, including baggage handling, fuel, catering, and tugs are provided by many different companies
  • The airport is owned by the city/country or a private company
  • Most airline passengers are not affiliated with any of the above-mentioned companies or entities
  • Taxi, ride share, rail, and car rental companies facilitate transportation of the passengers
  • Retail stores in the airport are owned and operated by different companies
  • The security gates are staffed by government security specialists or private companies
  • Immigration is staffed by government agencies

Gathering and analyzing IIoT data to make smarter decisions is often seen as key to optimizing airline performance and passenger satisfaction, and it drove many early Industrial Internet projects. The following data can be relevant in this solution:

  • Airline flight schedule
  • Air crew scheduling data
  • Air cargo scheduling
  • Aircraft engine performance and maintenance data
  • Aircraft parts locations
  • Repair crew expertise and locations
  • Weather data
  • Airline passenger itinerary information
  • Passenger movement from curbside, to terminals and then boarding
  • Checked passenger baggage
  • Security line passenger interaction and carry-on bags
  • Purchases and interaction at the terminal, including duty-free stores

There are many parties who could be interested in this data. The airline, manufacturers of aircraft and aircraft components, the leasing company, airline services providers, and government agencies could all be interested in the performance and repair of planes and their ability to meet schedules. Passengers are probably interested in the outcome (especially whether the airline is on time), but not at the same level of detail. However, passengers and the government might be concerned about who has access to personally identifiable information about their travels.

Ownership of such data is often not clear-cut today, given the many entities that might find the data useful and the many regulations that might or might not apply. That said, GRC rules usually must be applied to locations where data is being gathered and where it is stored and analyzed. Data must also be protected during transmission between sites along the way.

You might think that if a CSP meets the certifications and guidelines we outlined, you can be less concerned about the backend of your IIoT architecture. However, it is up to you to ensure that the necessary controls are put in place. This is critical to proving compliance if audited.

Industrial Internet architects must work closely with the security and compliance specialists and operational managers of the infrastructure to carefully review the applicable local laws, cloud-provider contracts, and management processes. The architect and security experts must also schedule conversations with all applicable LOBs to gain an understanding of any GRC concerns they have and plan accordingly. Such due diligence is required to prevent surprises later.

 

IIoT Center of Excellence

Centers of Excellence (CoE) are often formed around new and complex initiatives to share knowledge and lessons learned. An IIoT CoE might be formed to address GRC, as well as address other complexities such as identifying and applying best practices and change management, rethinking business models, managing human resources, and assessing maturity.