As you review cybersecurity practices this year, ensuring your industrial organization has appropriate data destruction methods in place is essential. Care must be taken when decommissioning devices in a complex IIoT (industrial internet of things) system. Data that falls into the wrong hands could compromise physical processes and pose safety risks.
How can organizations safeguard against unintentional data breaches as IT and OT (operational technology) converge, and what strategies should you consider as you discuss your overall cyber-physical security program?
Data Destruction Reduces Preventable Risks
Let's begin with an example from consumer electronics. Those who buy old computers or smartphones on Craigslist or eBay may get more than expected after discovering that their previous owners left data on them. Sometimes, that’s because the old users didn’t know any better. In other cases, they depended on third-party companies that did not destroy existing files as promised.
Most individuals are in the habit of shredding confidential papers and cutting up old credit cards, but they may be less diligent with their digital devices. That reality introduces potential cybersecurity threats, mainly because it’s not always easy or possible to confirm what happens to preowned data storage devices.
In IIoT environments, an unauthorized party could likewise access data on a device later if that data is not successfully destroyed. Inadequate data destruction policies could also attract attention from regulatory bodies. In one 2024 case, the Federal Trade Commission asked a services and software provider to tighten its cybersecurity after evidence of insufficient data protection practices emerged. Those shortcomings culminated in a ransomware attack affecting millions of customers, and the company agreed to pay about 250,000 USD.
Part of the FTC’s proposed order against the company required it to delete unnecessary data. The notice about this event also mentions that when organizations create data retention policies, they should account for that information’s deletion. Otherwise, breaches can be more extensive, because data kept longer than necessary gives unauthorized parties access to more records.
Creating or Updating Your Organization’s Data Destruction Policy
Implementing controls to ensure data integrity is an important part of a multilayered approach to OT cybersecurity. What steps should you take to make or review your company’s data destruction policies and procedures?
1. Review the Data Type and Location
Begin by categorizing your company’s data according to shared characteristics and verify the storage method. For example, is a particular file in the cloud, on a physical device or both? Those foundational details are necessary for helping you retrieve the information when needed.
After organizing the data, determine if your company must continue to hold it or if destruction is appropriate. It is also helpful to indicate the correct deletion date so the appropriate parties know when to dispose of the information responsibly.
2. Document Your Data Destruction Process
Thoroughly destroying data typically takes many steps and can be time-consuming. Written procedures that guide people through those steps are an ideal way to achieve consistency and ensure nothing necessary gets overlooked.
Detailed destruction documentation is also helpful if your organization uses different methods depending on the type of information or device. Shredding is one of the most popular possibilities. It makes data unrecoverable by turning the storage medium into pieces as small as 2 millimeters and works on all devices. Alternatively, file wiping deletes the data but keeps the storage medium available for reuse. It’s a good choice if your organization wants to minimize unnecessary e-waste.
3. Account for Applicable Laws or Regulations
Some countries, states and industries have particular requirements for data destruction. For example, federal privacy laws in the United States for those handling health care information require organizations to develop and use compliant procedures to dispose of electronic records and storage media.
Anyone who destroys data or supervises those activities must receive appropriate training. Additionally, a nation’s data protection policies may require that companies delete customers’ data upon request.
People creating or updating data destruction policies should review the requirements of applicable regulations and ensure they meet or exceed them. Failure to do so has resulted in some parties being fined millions of US dollars for improper data destruction methods.
4. Choose Reputable Data Destruction Companies
Working with trustworthy service providers when having data and storage media destroyed is also important. One option is to insist on a certificate of destruction. It is a formal audit document that confirms the company used the requested method and has complied with all applicable data privacy laws. That document also provides leverage if anything unexpected happens years later that calls the original destruction process into question.
In one example, concerned staff members triggered an audit when they alleged that a data destruction and device recycling company allowed a third party unrestricted access to its warehouse. While there, that third party could choose any contents and buy them. However, this process did not account for clients’ data destruction or device disposal instructions. Indeed, the data destruction company sold computers meant for destruction. A certificate of destruction places the blame on the service provider rather than the company that previously held the data.
Data Destruction as Part of a Holistic Cybersecurity Plan
If your company works with and stores data, it must also plan to responsibly destroy it at the right times. As IT and OT infrastructure continue to merge, this is an essential but often neglected aspect of cybersecurity plans. It may be time to look into how to strengthen your cyber-physical security policies and address gaps.