What Retailers Can Learn from Utilities About “Smart Automation” Security, Safety and Privacy

Intelligent automation and other Internet of Things (IoT) systems aren’t much different from closed-loop industrial operational technologies in terms of vulnerabilities and risk.

The Zebra EMA 50 enterprise mobile automation system navigates around two grocery store associates and a shopper in an aisle
by Marc Perrella
April 07, 2021

With brick-and-mortar retail stores quickly turning into online order fulfillment centers, associates who used to focus exclusively on keeping shelves stocked are now the ones depleting them alongside in-store shoppers. This is driving many retailers to put intelligent automation solutions such as the Zebra SmartSight® Enterprise Mobile Automation (EMA) system to work.

But as “smart automation” systems take to the aisles to track inventory turnover and, when needed, track down misplaced items, retailers’ IT and store operations teams must ensure people’s safety and privacy are prioritized as highly as data security. Quite frankly, so must technology innovators. That’s why Zebra innovators leveraged many of the best practices used for industrial operational technologies (OT) and enterprise IT when mapping out the security, safety and privacy criteria for our SmartSight intelligent automation solution.

The Convergence of OT and IoT Technologies

On the surface, the OT systems long used by utilities, oil and gas companies, energy producers, manufacturers and industrial organizations don’t have much in common with the sleek, modern IoT technologies being deployed by retailers today. OT networks are typically closed and self-contained, whereas IoT technologies are connected via open, cloud-based networks. But it’s that difference that actually leads to strikingly similar risk levels.

Industrial OT, like IoT, must migrate to the cloud to be effective in today’s digital age. That means that security and privacy policies must be implemented from the ground up – much like a new IoT platform – with a hardened end-to-end architecture that helps to prevent vulnerabilities.  

The most common security practice leverages the air gap, which separates the OT network from the outside world. However, this approach is quickly migrating to a converged IT security network approach that leverages proven security technologies such as firewalls and virtual private networks (VPNs) along with network segmentation, which allows the partitioning of edge devices on selected networks. In fact, many of the simple, straightforward approaches that have been proven in OT environments as best practice can also be leveraged by IoT security practitioners, including asset discovery and monitoring, vulnerability management, patch management and endpoint device identification.

But, unlike industrial OT, the “newness” of intelligent automation systems enables you to architect in security, safety, and privacy features from the start.

The Recommended Approach: Security, Safety and Privacy “By Design”

When talking about security, safety, and privacy, you must consider the role and subsequent impact of people, processes, and technology equally. You don’t want to hinder operations, interfere with worker productivity, or degrade the shopper or store staff experience in any way. All security, safety and privacy measures must be implemented to fit into store associates’ normal workday, helping them serve customers, in a seamless and almost invisible way.

For example, intelligent automation must comply with data privacy regulations when operating in store environments in proximity to both shoppers and store associates. In the European Union (EU), and increasingly in North America, more stringent data privacy regulations are being implemented to protect citizens’ personally identifiable information from being improperly captured, stored and/or used without explicit permission. Steps must be taken to inform citizens of what personal data is being collected and how it is being used before securing each individual’s consent.

In the case of intelligent automation, the simplest way to comply with these increasingly complex privacy regulations is to avoid gathering personal information from the start. Fortunately, the Zebra SmartSight EMA system was designed with security and privacy in mind from day one. If a shopper or store associate comes near the smart (mobile) automation system, a 360-degree multi-zone intrusion prevention system automatically stops it from getting too close to the individual. The data capture mode is also built to focus in on shelf items and price tags, not people, to prevent individuals’ personally identifiable images from being captured. In the very low probability that an individual is able to slip in between the mobile system and store shelf and should his or her image be captured by the smart automation system, additional measures are utilized to anonymize the individual. This addresses any residual risk and privacy concerns.

As you can see, people, processes, and technology all had to be thoughtfully considered in this scenario. And they must be considered in all potential privacy and security scenarios involving any technology that utilizes computer vision, machine learning, artificial intelligence (AI) and/or more traditional cameras to capture visual data. So, as you’re evaluating intelligent automation solutions for your retail environment, be sure to consider these six things:

  1. The established health and safety protocol for your customers and store associates
  2. The required data privacy regulations to be compliant with government and industry mandates
  3. The IT security policies that are already in place and how employees are using them today
  4. Your open source software licensing policies
  5. Data security policy, governance, and management models
  6. The security of your physical assets and the formation of response plans should an incident occur and swift action be needed

Some “by design” elements that we’ve found to be very effective when operating the Zebra SmartSight EMA system in retail stores include:

  • Configurable audio and visual cues to provide a worry-free shopper experience
  • Multiple safety systems to ensure safe and smooth operations throughout store operations schedules  
  • Automatic data capture shut-off to prevent the capture of shopper or store associate images or identifiable information
  • Built-in VPN, firewalls, and the highest level of encryption technology to help prevent cyber breaches
  • Use of Center for Internet Security Level 1 and Level 2 standards across the entire SmartSight EMA system
  • Compliance with all open source licensing agreements to mitigate associated liability and insurance risk
  • Mechanical design that supports physical security policy and asset protection strategies

A Final Thought

We recommend that retailers carefully assess their privacy, safety, and security requirements in the context of retail store operations and risk tolerance first – beyond the implications of intelligent automation. Once these broad measures and mandates are understood, retailers can go a level deeper to consider the additional measures that will be needed to comply with industry regulations and address concerns raised by employees and customers.

Intelligent mobile automation systems are still somewhat “novel” in many people’s minds, yet they are growing in numbers very rapidly. That means shoppers’ and store staff’s perception of the privacy, safety and security risks posed by the smart automation systems seen in store aisles is very real. We must work together to demonstrate how those risks are being minimized or eliminated. It’s the only way to build trust in these transformative solutions and secure support for the work intelligent automation is doing to improve the retail experience for shoppers and store associates alike.

Marc Perrella
Marc Perrella is currently part of EMC’s Portfolio Strategy & Management group where he is the business lead for Zebra’s Enterprise Mobile Automation system. Marc has more than 25 years of experience within the IT and Automation industries, implementing large, complex multi-million IT and business transformation programs. He also has extensive experience designing and developing automation systems, leading start-ups as well as turning around underperforming business units.