The Industrial Internet Consortium (IIC) has announced the IoT Security Maturity Model (SMM): Practitioner’s Guide. The guide is designed to introduce the concepts and approach of SMM, as well as help organizations protect their connected systems.
While the consortium notes there is no silver bullet for addressing security needs, the SMM is intended to help an organization determine its security priorities and the maturity level it needs to reach to meet them.
“This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,” said Stephen Mellor, CTO of IIC. “Other models address part of what is addressed by the SMM; they may address a particular industry, IoT but not security, or security but not IoT. The SMM covers all these aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.”
The SMM builds on the IIC's Industrial Internet Security Framework (IISF), published in 2016. It defines levels of security maturity in terms of an organization's security goals, what it has already achieved, and its appetite for risk. Organizations can raise their security maturity over time through repeated security assessments, the IIC explained.
When creating the guide, the IIC looked at real-world applicability, different perspectives such as business and implementation views, appropriate security guidance, and adaptability to the changing threat environment.
The guide provides a table for each level of security maturity describing what must be done to reach it in each of the three security domains: governance, enablement and hardening. Each table is accompanied by an industry example and use cases showing how an organization can apply it to improve.
The guide also provides three case studies showing how other IoT stakeholders applied the process in realistic assessments.