The Industrial Internet Consortium (IIC) announced the publication of a white paper, IIC IoT Security Maturity Model: Description and Intended Use. Building on concepts identified in the IIC Industrial Internet Security Framework, the Security Maturity Model (SMM) defines levels of security deemed mature for a company to achieve, based on its security goals and objectives as well as its appetite for risk. The document is designed to help organizations invest in only those security mechanisms that meet their specific requirements.
The illustration shows a model for analyzing security and creating a pathway to security maturity. (Image source: IIC)
The SMM offers a rubric that can be used to measure the level of security that is appropriate for the individual organization. “It’s about how close you are to your goal. It’s not just technology. You have to understand the business considerations,” Frederick Hirsch, a consultant with Fujitsu speaking on behalf of IIC, told Design News. “We need a model that pulls together the security and the setting. We want to be applicable to people no matter what they’re trying to do.”
The Security Maturity Process
The IIC notes that organizations should apply the SMM by following a process. First, business stakeholders define security goals and objectives, which are tied to risks. Technical teams within the organization, or third-party assessment vendors, then map these objectives into tangible security techniques and capabilities and identify an appropriate security maturity level. Organizations then develop a security target that includes industry and system-specific considerations. That captures the current security level—or maturity—of the system.
A mature security plan takes into account a wide range of considerations, from the individual industry to the organization’s goals and the nature of what needs to be protected. “Your security depends on your level of maturity. How you go about doing things, compliance. You can break it down into domains, like supply chains,” said Hirsch. “Threat modeling and risk assessment need to be included. Plus, each domain has its own practices. At any level, you can get a sense of what you’re doing and how well set-up you are. That process lets you get a handle on your security.”
Standards and Practices
In the IIC, individual organizations share their best practices, thus creating a pool of available knowledge. “It draws on a number of sources and standards of work in security,” said Hirsch. “The knowledge comes from a number of sources. We have participants at assessment companies. The IIC itself is a consortium of companies that participate voluntarily. The IIC has a number of groups focused on different aspects of IoT. We have a core group that’s working on security, and we share our knowledge with other groups.”
Companies—even those not belonging to the IIC—can use the collected wisdom to assess the maturity of their security operations and use the assessment to create a path to security maturity. “By periodically comparing target and current states, organizations can identify where they should make improvements,” said Sandy Carielli, white paper co-author and director of security technologies at Entrust Datacard. “Organizations achieve a mature system security state by making continued security assessments and improvements over time. They can repeat the cycle to maintain the appropriate security target as their threat landscape changes.”
The white paper serves as an introduction to the SMM. The "IIC Security Maturity Model: Practitioners Guide" will be released in the coming months and will contain the technical guidance for assessment and enhancement of security maturity level for appropriate practices. “The practitioner’s guide will include visualization techniques to look at security gaps,” said Hirsch. “You might put all your effort into patch management and not look at governance. The guide will help make sure you don’t miss anything. It will tell you where you are and where you need to be. It will show you the trade-offs and how to get comprehensive.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.