16 April 2018

Internet of Things Security Maturity Model description to be published

The Industrial Internet Consortium® (IIC™) has announced the publication of an official Internet of Things Security Maturity Model description 

The goal of the Internet of Things (IoT) Security Maturity Model (SMM) is to provide a path for Internet of Things providers to know where they need to be and how to invest in security mechanisms that meet their requirements without over-investing in unnecessary security mechanisms. It seeks to help organizations identify the appropriate approach for effectively enhancing these practices where needed.

Not all IoT systems require the same strength of cybersecurity mechanisms and the same procedures to consider them secure and trustworthy. The priorities that determine the use of particular mechanisms and procedures are set at the business level. They drive the security enhancement process, making it possible for the mechanisms and procedures to fit the business-level goals without going beyond what is necessary.

The IIC IoT Security Maturity Model helps assess whether the security practices applied in an IoT system match the business goals and identify the most effective strategy to enhance the security of the system or service. The implementation of security mechanisms and processes is considered as mature if they are expected to be effective in addressing the business-level goals. It is whether the security mechanisms are appropriate to addressing the business goals, rather than their objective strength, that determines the maturity level.

The central concept of the model is the hierarchy of security mechanisms and processes. This hierarchy enables the maturity and gap analysis to be viewed at different levels of detail. The model classifies security mechanisms and processes in three top-level dimensions: governance, enablement, and hardening. Security priorities are defined for each of these dimensions. It is possible to add more details for every dimension considering underlying domains and security practices when necessary. The hierarchy is used to identify the security goals and priorities at the business level quickly and easily.

Another noteworthy feature of the model is its approach to assessing the security maturity. Other maturity models do not account for limitations introduced by the environment that may affect the implementation of security practices. For example, instrumental assessment of vulnerabilities in industrial systems can be restricted by the requirement of non-interference with the industrial process. IIC IoT SMM introduces two security maturity aspects to be measured. The first is the comprehensiveness level that captures the degree of depth, consistency and assurance of security measures. The second is the scope that reflects the degree of fit to the industry or system needs. This allows the criteria that should be met by an Internet of Things system that is mature from the security viewpoint to be tailored to any IoT domain or even a specific type of system.

The Industrial Internet Consortium unites over 250 participating companies from 30 countries. It is the world’s leading membership program transforming business and society by accelerating the Industrial Internet of Things (IIoT). The IIC delivers a trustworthy IIoT in which the world’s systems and devices are securely connected and controlled to deliver transformational outcomes.

The IIC IoT Security Model: Description and Intended Use white paper is an introduction to the IIC Security Maturity Model. The IIC Security Maturity Model: Practitioners Guide is to be released in the coming months and will provide guidance on assessing and enhancing the security maturity level of IoT systems.

The IoT Security Maturity Model was developed with an active involvement of Ekaterina Rudina, Senior System Analyst of Critical Infrastructure Defense Department, Kaspersky Lab.

Source:  Industrial Internet Consortium