Aiming to make implementing IoT security more manageable, new guidance from the Industrial Internet Consortium (IIC) helps organizations map security mechanisms to maturity targets.
As IoT implementers seek to align appropriate security measures with limited security resources and budgets, it’s important to consider that not all IoT systems demand the same level of security, the authors of the “IIC IoT Security Maturity Model: Description and Intended Use” white paper said in an interview. The requirements for securing connected assets on the manufacturing floor are different than those required for, say, a smart light bulb.
In that light, the Security Maturity Model (SMM) provides a process that helps organizations determine both their current security state and their target state, so that decision makers can invest in the security mechanisms needed to reach those maturity targets. The SMM does not seek to define what the appropriate security level of a given system should be; instead, it provides guidance and structure for organizations to identify the considerations that apply at different maturity levels appropriate for their industry and system.
“There are so many things that can be done, and if you’re head of security, it’s not clear where to start,” said Ron Zahavi, IIC Security Applicability group co-chair, co-author of the white paper and chief strategist for Azure IoT Standards at Microsoft. “We’re allowing them to see it in chunks they can manage.”
SMM builds on the concepts in the IIC Industrial Internet Security Framework (IISF), providing actionable guidance for specific IoT scenarios. First, business stakeholders define security goals and objectives, which are tied to risks, according to the white paper. Technical teams within the organization, or third-party assessment vendors, then map these objectives to tangible security techniques and capabilities and identify an appropriate security maturity level. Organizations then develop a security maturity target, which includes industry- and system-specific considerations. The white paper defines security maturity as the degree of confidence that the current security state meets all organizational needs and security-related requirements.
“We really wrote this first document as a way of engaging all of those (stakeholders) and enabling them to get alignment on their process and their approach to security,” said Sandy Carielli, white paper co-author and director of security technologies at Entrust Datacard.
Most of the guidance currently available tells stakeholders what the security mechanisms are, but does not explain how to put them together for a specific scenario, Zahavi said. The SMM helps organizations understand and make intelligent choices about which mechanisms to use, and how strong those mechanisms need to be, given their specific deployments.
For instance, “if you’re using encryption, how strong should it be, because not all connected systems need the same level of security,” Zahavi said.
As such, the document also aims to bring consistency to the way security assessment vendors conduct their assessments: broadly, by incorporating the concept of maturity into the assessment process, and specifically, by offering guidance on how results can be communicated to customers. IIC is working with vendors and planning case studies with security assessment companies to that end.
In the next few months, IIC will release a practitioners’ guide for technical stakeholders.
In all, the efforts aim to help make a secure IoT a reality.
“With this type of work, we’re removing that barrier and we’re making great progress,” Zahavi said. “(IoT security) is something that can be addressed. It’s not something everyone needs to throw their hands up at, and there are technologies and mechanisms available. What we’re doing here is making it actionable.”