IIC Announces Practitioner’s Guide for Assessing the Maturity of IoT System Security

Smart Blog

IIC Announces Practitioner’s Guide for Assessing the Maturity of IoT System Security

The Industrial Internet Consortium (IIC), now incorporating OpenFog just announced the Maturity Model (SMM) Practitioner’s Guide, which provides detailed actionable guidance enabling IoT stakeholders to assess and manage the maturity of IoT System Security.

Along with the publication of the SMM Practitioner’s Guide is an update to the „IoT SMM: Description and Intended Use White Paper“, which provides an introduction to the concepts and approach of the SMM. This white paper has been updated for consistency with the SMM Practitioner’s Guide, including revised diagrams and updated terminology.
As organizations connect systems to the internet, they become vulnerable to new threats, and they are concerned with IoT System Security. Addressing these concerns requires investment, but determining investment focus and amount is a difficult business decision. The SMM helps by enabling a structured top-down approach toward setting goals as well as a means toward assessing the current security stat. The SMM allows organizations to trade off investment against risk in a sensible manner.
Building on concepts identified in the IIC Industrial Internet Security Framework published in 2016, the SMM defines levels of security maturity for a company to achieve based on its IoT System Security goals and objectives as well as its appetite for risk. Organizations may improve their security state by making continued security assessments and improvements over time.

This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,

said Stephen Mellor, CTO, IIC.

Other models address part of what is addressed by the SMM: they may address a particular industry, IoT but not security, or security but not IoT. The SMM covers all these aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.

The practitioner’s guide includes tables describing what must be done to reach a given security comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Following each table is an example using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state.
The practitioner’s guide contains three case studies that show how to apply the process based on realistic assessments: a smarter data-driven bottling line, an automotive gateway supporting OTA updates and security cameras used in residential settings.

Author: Tim Cole
Image Credit: IIC

Leave a Reply

Your email address will not be published. Required fields are marked *