Fresh from joining forces with the OpenFog Consortium, the Industrial Internet Consortium (IIC) has launched the Security Maturity Model (SMM) Practitioner’s Guide, which provides a detailed guidance for assessing and managing the security maturity of Internet of Things (IoT) systems.
IIC said that as organizations connect their systems to the internet, they become vulnerable to new threats, and they are rightly concerned with security.
Building on concepts identified in the IIC Industrial Internet Security Framework published in 2016, the SMM Practitoner’s Guide defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk.
“This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,” said Stephen Mellor, CTO of IIC.
The guide includes descriptions of scenarios and what must be done to reach a given security comprehensiveness for each security domain, subdomain and practice.
An example given is an automotive manufacturer considering the possible threats interfering with the operations of a vehicle key fob.
The manufacturer sets its target maturity comprehensiveness level to “1” as it considers some IT threats, such as a Denial of Service attack that may prevent a driver from opening the car door using the key fob.
Over time, as new threats emerge, the manufacturer realizes it needs additional threat modeling and enhanced practices so raises its target maturity comprehensiveness level to a higher level “2.”
Along with the publication of the SMM Practitioner’s Guide is an update to the IoT SMM: Description and Intended Use White Paper, which provides an introduction to the concepts and approach of the SMM.
The white paper has been updated for consistency with the SMM Practitioner’s Guide, including revised diagrams and updated terminology, according to the IIC.
The IIC said it is collaborating with various industry groups to develop industry profiles that extend the model.
In a news release, Moscow-based cybersecurity and anti-virus provider Kaspersky Lab said it had joined forces with industry leaders in developing the SMM Practitioner’s Guide.
“The prioritization of security measures, goal setting, and the development of a strategy for making a system “secure enough” is an objective that affects organizations’ long-term economic planning, along with investment, the choice of insurance program, or any other task with conflicting stimuli,” said Ekaterina Rudina, senior system analyst at Kaspersky Lab ICS CERT.